Skip to content

[ML] Add tooltips for actual and typical in anomalies table#97549

Merged
lcawl merged 2 commits intoelastic:masterfrom
lcawl:anomalies-tooltip2
Apr 20, 2021
Merged

[ML] Add tooltips for actual and typical in anomalies table#97549
lcawl merged 2 commits intoelastic:masterfrom
lcawl:anomalies-tooltip2

Conversation

@lcawl
Copy link
Copy Markdown
Contributor

@lcawl lcawl commented Apr 19, 2021
edited
Loading

Related to #97350

This PR adds tooltips for the "Typical" and "Actual" columns in the machine learning anomaly detection results table.

image

@lcawl lcawl added WIP Work in progress enhancement New value added to drive a business result Feature:Anomaly Detection ML anomaly detection release_note:skip Skip the PR/issue when compiling release notes v7.13.0 v8.0.0 and removed WIP Work in progress labels Apr 19, 2021
@lcawl lcawl marked this pull request as ready for review April 20, 2021 00:58
@lcawl lcawl requested a review from a team as a code owner April 20, 2021 00:58
@lcawl lcawl requested a review from szabosteve April 20, 2021 00:58
lcawl
lcawl commented Apr 20, 2021
View reviewed changes
Comment thread x-pack/plugins/ml/public/application/components/anomalies_table/anomalies_table_columns.js Outdated
name: (
<EuiToolTip
content={i18n.translate('xpack.ml.overview.anomalyDetection.tableActualTooltip', {
defaultMessage: 'The actual values in the record results.',
Copy link
Copy Markdown
Contributor Author

@lcawl lcawl Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

      defaultMessage: 'The actual values in the record results.',

The API documentation says "The actual value for the bucket", but I found this confusing since I thought there could be multiple record results per bucket.

Copy link
Copy Markdown
Contributor

@peteharverson peteharverson Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, there can be multiple record results for each bucket. actual and typical refer to the values seen for the record.

Copy link
Copy Markdown
Contributor

@peteharverson peteharverson Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it worth adding anomaly in here - The actual values for the anomaly record results. ?

Copy link
Copy Markdown
Contributor Author

@lcawl lcawl Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I've added that in 3907ff4

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Apr 20, 2021

Pinging @elastic/ml-ui (:ml)

peteharverson
peteharverson approved these changes Apr 20, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@peteharverson peteharverson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Apr 20, 2021

💛 Build succeeded, but was flaky

Test Failures

Kibana Pipeline / general / X-Pack Detection Engine API Integration Tests.x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals·ts.detection engine api security and spaces enabled Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates signals from Threshold rules when bucketing by multiple fields

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/97584

[00:00:00]       │
[00:00:00]         └-: detection engine api security and spaces enabled
[00:00:00]           └-> "before all" hook in "detection engine api security and spaces enabled"
[00:00:00]           └-: 
[00:00:00]             └-> "before all" hook in ""
[00:17:20]             └-: Generating signals from source indexes
[00:17:20]               └-> "before all" hook in "Generating signals from source indexes"
[00:17:20]               └-: Signals from audit beat are of the expected structure
[00:17:20]                 └-> "before all" hook for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:20]                 └-> should have the specific audit record for _id or none of these tests below will pass
[00:17:20]                   └-> "before each" hook: global before each for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:20]                   └-> "before each" hook for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:20]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:17:20]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:17:20]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:17:21]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:17:21]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:17:21]                   └-> "before each" hook for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:21]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:17:21]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:17:21]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:17:21]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:17:21]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:21]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:17:21]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:17:21]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:17:28]                   │ proc [kibana]   log   [16:13:51.131] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:17:28]                   │ proc [kibana]   {
[00:17:28]                   │ proc [kibana]     "to": "2021-04-20T16:13:50.116Z",
[00:17:28]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:17:28]                   │ proc [kibana]     "maxSignals": 100
[00:17:28]                   │ proc [kibana]   }
[00:17:28]                   │ proc [kibana] ] name: "Signal Testing Query" id: "60dec870-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "rule-1" signals index: ".siem-signals-default"
[00:17:28]                   │ proc [kibana]   log   [16:13:51.140] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:13:48.080Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:13:48.080Z","outcome":"success","end":"2021-04-20T16:13:51.140Z","duration":3060000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"60dec870-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:60dec870-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:17:28]                   └- ✓ pass  (7.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure should have the specific audit record for _id or none of these tests below will pass"
[00:17:28]                 └-> "after each" hook for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:28]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:17:28]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/sXlxFL_BQym70O_oTcYZnA] deleting index
[00:17:28]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:28]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:17:29]                 └-> "after each" hook for "should have the specific audit record for _id or none of these tests below will pass"
[00:17:29]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/TVEPvakyQv2yGDuBvVcOGQ] deleting index
[00:17:29]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:17:31]                 └-> should abide by max_signals > 100
[00:17:31]                   └-> "before each" hook: global before each for "should abide by max_signals > 100"
[00:17:31]                   └-> "before each" hook for "should abide by max_signals > 100"
[00:17:31]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:17:31]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:17:31]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:17:32]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:17:32]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:17:32]                   └-> "before each" hook for "should abide by max_signals > 100"
[00:17:32]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:17:32]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:17:32]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:17:32]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:17:32]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:32]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:17:32]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:17:32]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:17:36]                   │ proc [kibana]   log   [16:13:59.219] [info][plugins][securitySolution] [+] Finished indexing 500  signals searched between date ranges [
[00:17:36]                   │ proc [kibana]   {
[00:17:36]                   │ proc [kibana]     "to": "2021-04-20T16:13:58.206Z",
[00:17:36]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:17:36]                   │ proc [kibana]     "maxSignals": 500
[00:17:36]                   │ proc [kibana]   }
[00:17:36]                   │ proc [kibana] ] name: "Signal Testing Query" id: "676f89e0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "rule-1" signals index: ".siem-signals-default"
[00:17:36]                   │ proc [kibana]   log   [16:13:59.229] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:13:57.079Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:13:57.079Z","outcome":"success","end":"2021-04-20T16:13:59.228Z","duration":2149000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"676f89e0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:676f89e0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:17:37]                   └- ✓ pass  (4.7s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure should abide by max_signals > 100"
[00:17:37]                 └-> "after each" hook for "should abide by max_signals > 100"
[00:17:37]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:17:37]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/z7YsCdUiRguQIwZdQNHd2A] deleting index
[00:17:37]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:37]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:17:37]                 └-> "after each" hook for "should abide by max_signals > 100"
[00:17:37]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/xRGKf3fQQTK4aHn4uMqx7A] deleting index
[00:17:37]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:17:40]                 └-> should have recorded the rule_id within the signal
[00:17:40]                   └-> "before each" hook: global before each for "should have recorded the rule_id within the signal"
[00:17:40]                   └-> "before each" hook for "should have recorded the rule_id within the signal"
[00:17:40]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:17:40]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:17:40]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:17:40]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:17:40]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:17:40]                   └-> "before each" hook for "should have recorded the rule_id within the signal"
[00:17:40]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:17:40]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:17:40]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:17:40]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:17:40]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:40]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:17:40]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:17:40]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:17:45]                   │ proc [kibana]   log   [16:14:08.312] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:17:45]                   │ proc [kibana]   {
[00:17:45]                   │ proc [kibana]     "to": "2021-04-20T16:14:07.303Z",
[00:17:45]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:17:45]                   │ proc [kibana]     "maxSignals": 100
[00:17:45]                   │ proc [kibana]   }
[00:17:45]                   │ proc [kibana] ] name: "Signal Testing Query" id: "6c494c80-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "rule-1" signals index: ".siem-signals-default"
[00:17:45]                   │ proc [kibana]   log   [16:14:08.321] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:14:06.083Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:14:06.083Z","outcome":"success","end":"2021-04-20T16:14:08.321Z","duration":2238000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"6c494c80-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:6c494c80-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:17:46]                   └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure should have recorded the rule_id within the signal"
[00:17:46]                 └-> "after each" hook for "should have recorded the rule_id within the signal"
[00:17:46]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:17:46]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/aTJNhw5vSRqqvCtw5pnHsQ] deleting index
[00:17:46]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:46]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:17:46]                 └-> "after each" hook for "should have recorded the rule_id within the signal"
[00:17:46]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/k-suBDqFRlWjRXZC2rEHPA] deleting index
[00:17:46]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:17:49]                 └-> should query and get back expected signal structure using a basic KQL query
[00:17:49]                   └-> "before each" hook: global before each for "should query and get back expected signal structure using a basic KQL query"
[00:17:49]                   └-> "before each" hook for "should query and get back expected signal structure using a basic KQL query"
[00:17:49]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:17:49]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:17:49]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:17:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:17:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:17:49]                   └-> "before each" hook for "should query and get back expected signal structure using a basic KQL query"
[00:17:49]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:17:49]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:17:49]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:17:49]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:17:49]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:49]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:17:49]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:17:49]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:17:55]                   │ proc [kibana]   log   [16:14:17.403] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:17:55]                   │ proc [kibana]   {
[00:17:55]                   │ proc [kibana]     "to": "2021-04-20T16:14:16.395Z",
[00:17:55]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:17:55]                   │ proc [kibana]     "maxSignals": 100
[00:17:55]                   │ proc [kibana]   }
[00:17:55]                   │ proc [kibana] ] name: "Signal Testing Query" id: "71a7cf80-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "rule-1" signals index: ".siem-signals-default"
[00:17:55]                   │ proc [kibana]   log   [16:14:17.411] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:14:15.079Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:14:15.079Z","outcome":"success","end":"2021-04-20T16:14:17.410Z","duration":2331000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"71a7cf80-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:71a7cf80-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:17:55]                   └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure should query and get back expected signal structure using a basic KQL query"
[00:17:55]                 └-> "after each" hook for "should query and get back expected signal structure using a basic KQL query"
[00:17:55]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:17:55]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/xfvNd2GDQmyn2h3wBkZ42g] deleting index
[00:17:55]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:55]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:17:55]                 └-> "after each" hook for "should query and get back expected signal structure using a basic KQL query"
[00:17:55]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/Gu3CiJ7rQFqx3euU2BN1Tg] deleting index
[00:17:55]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:17:58]                 └-> should query and get back expected signal structure when it is a signal on a signal
[00:17:58]                   └-> "before each" hook: global before each for "should query and get back expected signal structure when it is a signal on a signal"
[00:17:58]                   └-> "before each" hook for "should query and get back expected signal structure when it is a signal on a signal"
[00:17:58]                     │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:17:58]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:17:58]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:17:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:17:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:17:58]                   └-> "before each" hook for "should query and get back expected signal structure when it is a signal on a signal"
[00:17:58]                     │ info [auditbeat/hosts] Loading "mappings.json"
[00:17:58]                     │ info [auditbeat/hosts] Loading "data.json.gz"
[00:17:58]                     │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:17:58]                     │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:17:58]                     │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:17:58]                     │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:17:58]                     │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:17:58]                     │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:18:04]                   │ proc [kibana]   log   [16:14:26.525] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:18:04]                   │ proc [kibana]   {
[00:18:04]                   │ proc [kibana]     "to": "2021-04-20T16:14:25.507Z",
[00:18:04]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:18:04]                   │ proc [kibana]     "maxSignals": 100
[00:18:04]                   │ proc [kibana]   }
[00:18:04]                   │ proc [kibana] ] name: "Signal Testing Query" id: "771a9dd0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "rule-1" signals index: ".siem-signals-default"
[00:18:04]                   │ proc [kibana]   log   [16:14:26.531] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:14:24.077Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:14:24.077Z","outcome":"success","end":"2021-04-20T16:14:26.530Z","duration":2453000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"771a9dd0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:771a9dd0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:18:10]                   │ proc [kibana]   log   [16:14:32.586] [info][plugins][securitySolution] [+] Finished indexing 1  signals searched between date ranges [
[00:18:10]                   │ proc [kibana]   {
[00:18:10]                   │ proc [kibana]     "to": "2021-04-20T16:14:31.578Z",
[00:18:10]                   │ proc [kibana]     "from": "1900-01-01T00:00:00.000Z",
[00:18:10]                   │ proc [kibana]     "maxSignals": 100
[00:18:10]                   │ proc [kibana]   }
[00:18:10]                   │ proc [kibana] ] name: "Signal Testing Query" id: "7a54ba30-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "signal-on-signal" signals index: ".siem-signals-default"
[00:18:10]                   │ proc [kibana]   log   [16:14:32.593] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:14:30.080Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:14:30.080Z","outcome":"success","end":"2021-04-20T16:14:32.592Z","duration":2512000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"7a54ba30-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:7a54ba30-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:18:10]                   └- ✓ pass  (11.5s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure should query and get back expected signal structure when it is a signal on a signal"
[00:18:10]                 └-> "after each" hook for "should query and get back expected signal structure when it is a signal on a signal"
[00:18:10]                   │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:18:10]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/CttLtTtKTcaAX2Cu8x_tcQ] deleting index
[00:18:10]                   │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:18:10]                   │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:18:10]                 └-> "after each" hook for "should query and get back expected signal structure when it is a signal on a signal"
[00:18:10]                   │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/oIty22fPQhSicmWhW8XdBQ] deleting index
[00:18:10]                   │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:18:13]                 └-: EQL Rules
[00:18:13]                   └-> "before all" hook for "generates a correctly formatted signal from EQL non-sequence queries"
[00:19:07]                 └-: Threshold Rules
[00:19:07]                   └-> "before all" hook for "generates 1 signal from Threshold rules when threshold is met"
[00:19:07]                   └-> generates 1 signal from Threshold rules when threshold is met
[00:19:07]                     └-> "before each" hook: global before each for "generates 1 signal from Threshold rules when threshold is met"
[00:19:07]                     └-> "before each" hook for "generates 1 signal from Threshold rules when threshold is met"
[00:19:07]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:08]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:08]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:08]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:08]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:08]                     └-> "before each" hook for "generates 1 signal from Threshold rules when threshold is met"
[00:19:08]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:08]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:08]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:08]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:08]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:08]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:08]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:08]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:12]                     │ proc [kibana]   log   [16:15:35.243] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Signal Testing Query" id: "a0b58e70-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:12]                     │ proc [kibana]   log   [16:15:35.261] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:15:33.108Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:15:33.108Z","outcome":"success","end":"2021-04-20T16:15:35.260Z","duration":2152000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"a0b58e70-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:a0b58e70-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:12]                     └- ✓ pass  (4.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates 1 signal from Threshold rules when threshold is met"
[00:19:12]                   └-> "after each" hook for "generates 1 signal from Threshold rules when threshold is met"
[00:19:13]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:13]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/tAbOb2ChQwGi_O-xKtTeMw] deleting index
[00:19:13]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:13]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:13]                   └-> "after each" hook for "generates 1 signal from Threshold rules when threshold is met"
[00:19:13]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/zHWAxh3qR5uPBmm6vkDlnA] deleting index
[00:19:13]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:19:16]                   └-> generates 2 signals from Threshold rules when threshold is met
[00:19:16]                     └-> "before each" hook: global before each for "generates 2 signals from Threshold rules when threshold is met"
[00:19:16]                     └-> "before each" hook for "generates 2 signals from Threshold rules when threshold is met"
[00:19:16]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:16]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:16]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:16]                     └-> "before each" hook for "generates 2 signals from Threshold rules when threshold is met"
[00:19:16]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:16]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:16]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:16]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:16]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:16]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:16]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:16]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:21]                     │ proc [kibana]   log   [16:15:44.340] [info][plugins][securitySolution] [+] Finished indexing 2   name: "Signal Testing Query" id: "a590fec0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:22]                     │ proc [kibana]   log   [16:15:44.348] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:15:42.109Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:15:42.109Z","outcome":"success","end":"2021-04-20T16:15:44.348Z","duration":2239000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"a590fec0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:a590fec0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:22]                     └- ✓ pass  (5.3s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates 2 signals from Threshold rules when threshold is met"
[00:19:22]                   └-> "after each" hook for "generates 2 signals from Threshold rules when threshold is met"
[00:19:22]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:22]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/rUN7SriEQmq3aVdFNG-9lw] deleting index
[00:19:22]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:22]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:22]                   └-> "after each" hook for "generates 2 signals from Threshold rules when threshold is met"
[00:19:22]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/kHwHpMMuSvSXArFozIu08Q] deleting index
[00:19:22]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:19:25]                   └-> applies the provided query before bucketing 
[00:19:25]                     └-> "before each" hook: global before each for "applies the provided query before bucketing "
[00:19:25]                     └-> "before each" hook for "applies the provided query before bucketing "
[00:19:25]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:25]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:25]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:25]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:25]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:25]                     └-> "before each" hook for "applies the provided query before bucketing "
[00:19:25]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:25]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:25]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:25]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:25]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:25]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:25]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:25]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:31]                     │ proc [kibana]   log   [16:15:53.435] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Signal Testing Query" id: "aafb1a80-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:31]                     │ proc [kibana]   log   [16:15:53.441] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:15:51.117Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:15:51.117Z","outcome":"success","end":"2021-04-20T16:15:53.440Z","duration":2323000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"aafb1a80-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:aafb1a80-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:31]                     └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules applies the provided query before bucketing "
[00:19:31]                   └-> "after each" hook for "applies the provided query before bucketing "
[00:19:31]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:31]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/AL00LCOBQoOl_kCnAFSrKg] deleting index
[00:19:31]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:31]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:31]                   └-> "after each" hook for "applies the provided query before bucketing "
[00:19:31]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/z2lHB8KrTaGdrQJtkuBpeQ] deleting index
[00:19:31]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:19:34]                   └-> generates no signals from Threshold rules when threshold is met and cardinality is not met
[00:19:34]                     └-> "before each" hook: global before each for "generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:34]                     └-> "before each" hook for "generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:34]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:34]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:34]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:34]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:34]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:34]                     └-> "before each" hook for "generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:34]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:34]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:34]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:34]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:34]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:34]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:34]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:34]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:40]                     │ proc [kibana]   log   [16:16:02.538] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Signal Testing Query" id: "b069ca20-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:40]                     │ proc [kibana]   log   [16:16:02.549] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:16:00.117Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:16:00.117Z","outcome":"success","end":"2021-04-20T16:16:02.548Z","duration":2431000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"b069ca20-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:b069ca20-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:40]                     └- ✓ pass  (5.3s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:40]                   └-> "after each" hook for "generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:40]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:40]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/_onfwyRKSGCrPTwjeaYRZg] deleting index
[00:19:40]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:40]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:40]                   └-> "after each" hook for "generates no signals from Threshold rules when threshold is met and cardinality is not met"
[00:19:40]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/GT3zSptqT8OL47nfeZAnUQ] deleting index
[00:19:40]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:19:43]                   └-> generates no signals from Threshold rules when cardinality is met and threshold is not met
[00:19:43]                     └-> "before each" hook: global before each for "generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:43]                     └-> "before each" hook for "generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:43]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:43]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:43]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:43]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:43]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:43]                     └-> "before each" hook for "generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:43]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:43]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:43]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:43]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:43]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:43]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:43]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:43]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:49]                     │ proc [kibana]   log   [16:16:11.649] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Signal Testing Query" id: "b5cae530-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:49]                     │ proc [kibana]   log   [16:16:11.656] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:16:09.106Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:16:09.106Z","outcome":"success","end":"2021-04-20T16:16:11.656Z","duration":2550000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"b5cae530-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:b5cae530-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:49]                     └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:49]                   └-> "after each" hook for "generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:49]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:49]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/HWlt7QhQQX6vmignfja2Bw] deleting index
[00:19:49]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:49]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:49]                   └-> "after each" hook for "generates no signals from Threshold rules when cardinality is met and threshold is not met"
[00:19:49]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/K2hSIxMrQl2vgdI_EE6pMw] deleting index
[00:19:49]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:19:52]                   └-> generates signals from Threshold rules when threshold and cardinality are both met
[00:19:52]                     └-> "before each" hook: global before each for "generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:52]                     └-> "before each" hook for "generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:52]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:19:52]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:19:52]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:19:52]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:19:52]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:19:52]                     └-> "before each" hook for "generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:52]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:19:52]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:19:52]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:19:52]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:19:52]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:52]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:19:53]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:19:53]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:19:58]                     │ proc [kibana]   log   [16:16:20.742] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Signal Testing Query" id: "bb3c2ce0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:19:58]                     │ proc [kibana]   log   [16:16:20.752] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:16:18.122Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:16:18.122Z","outcome":"success","end":"2021-04-20T16:16:20.752Z","duration":2630000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"bb3c2ce0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:bb3c2ce0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:19:58]                     └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:58]                   └-> "after each" hook for "generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:58]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:19:58]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/BhCi6shdThyFT36VsdT95A] deleting index
[00:19:58]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:19:58]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:19:58]                   └-> "after each" hook for "generates signals from Threshold rules when threshold and cardinality are both met"
[00:19:58]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/6ryDW4y3R9WJPCE6h1W3Kw] deleting index
[00:19:58]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:20:01]                   └-> should not generate signals if only one field meets the threshold requirement
[00:20:01]                     └-> "before each" hook: global before each for "should not generate signals if only one field meets the threshold requirement"
[00:20:01]                     └-> "before each" hook for "should not generate signals if only one field meets the threshold requirement"
[00:20:01]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:20:01]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:20:01]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:20:01]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:20:01]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:20:01]                     └-> "before each" hook for "should not generate signals if only one field meets the threshold requirement"
[00:20:01]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:20:01]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:20:01]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:20:01]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:20:01]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:20:01]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:20:02]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:20:02]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:20:07]                     │ proc [kibana]   log   [16:16:29.833] [info][plugins][securitySolution] [+] Finished indexing 0   name: "Signal Testing Query" id: "c09ef5a0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:20:07]                     │ proc [kibana]   log   [16:16:29.844] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:16:27.129Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:16:27.129Z","outcome":"success","end":"2021-04-20T16:16:29.843Z","duration":2714000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"c09ef5a0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:c09ef5a0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:20:07]                     └- ✓ pass  (5.4s) "detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules should not generate signals if only one field meets the threshold requirement"
[00:20:07]                   └-> "after each" hook for "should not generate signals if only one field meets the threshold requirement"
[00:20:07]                     │ info [auditbeat/hosts] Unloading indices from "mappings.json"
[00:20:07]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001/OpQjSWH7Q02_1u2NQHsbEg] deleting index
[00:20:07]                     │ info [auditbeat/hosts] Deleted existing index "auditbeat-8.0.0-2019.02.19-000001"
[00:20:07]                     │ info [auditbeat/hosts] Unloading indices from "data.json.gz"
[00:20:07]                   └-> "after each" hook for "should not generate signals if only one field meets the threshold requirement"
[00:20:07]                     │ info [o.e.c.m.MetadataDeleteIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001/su2ss9eESiSBhY1kf1f2fQ] deleting index
[00:20:07]                     │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] removing template [.siem-signals-default]
[00:20:10]                   └-> generates signals from Threshold rules when bucketing by multiple fields
[00:20:10]                     └-> "before each" hook: global before each for "generates signals from Threshold rules when bucketing by multiple fields"
[00:20:10]                     └-> "before each" hook for "generates signals from Threshold rules when bucketing by multiple fields"
[00:20:10]                       │ info [o.e.x.i.a.TransportPutLifecycleAction] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding index lifecycle policy [.siem-signals-default]
[00:20:10]                       │ info [o.e.c.m.MetadataIndexTemplateService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] adding template [.siem-signals-default] for index patterns [.siem-signals-default-*]
[00:20:10]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [.siem-signals-default-000001] creating index, cause [api], templates [.siem-signals-default], shards [1]/[1]
[00:20:10]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [.siem-signals-default]
[00:20:10]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [.siem-signals-default]
[00:20:10]                     └-> "before each" hook for "generates signals from Threshold rules when bucketing by multiple fields"
[00:20:10]                       │ info [auditbeat/hosts] Loading "mappings.json"
[00:20:10]                       │ info [auditbeat/hosts] Loading "data.json.gz"
[00:20:10]                       │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] [auditbeat-8.0.0-2019.02.19-000001] creating index, cause [api], templates [], shards [1]/[1]
[00:20:10]                       │ info [auditbeat/hosts] Created index "auditbeat-8.0.0-2019.02.19-000001"
[00:20:10]                       │ debg [auditbeat/hosts] "auditbeat-8.0.0-2019.02.19-000001" settings {"index":{"lifecycle":{"name":"auditbeat-8.0.0","rollover_alias":"auditbeat-8.0.0"},"mapping":{"total_fields":{"limit":"10000"}},"number_of_replicas":"1","number_of_shards":"1","query":{"default_field":["tags","message","agent.version","agent.name","agent.type","agent.id","agent.ephemeral_id","client.address","client.mac","client.domain","client.geo.continent_name","client.geo.country_name","client.geo.region_name","client.geo.city_name","client.geo.country_iso_code","client.geo.region_iso_code","client.geo.name","cloud.provider","cloud.availability_zone","cloud.region","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.account.id","container.runtime","container.id","container.image.name","container.image.tag","container.name","destination.address","destination.mac","destination.domain","destination.geo.continent_name","destination.geo.country_name","destination.geo.region_name","destination.geo.city_name","destination.geo.country_iso_code","destination.geo.region_iso_code","destination.geo.name","ecs.version","error.id","error.message","error.code","event.id","event.kind","event.category","event.action","event.outcome","event.type","event.module","event.dataset","event.hash","event.timezone","file.path","file.target_path","file.extension","file.type","file.device","file.inode","file.uid","file.owner","file.gid","file.group","file.mode","group.id","group.name","host.hostname","host.name","host.id","host.mac","host.type","host.architecture","host.os.platform","host.os.name","host.os.full","host.os.family","host.os.version","host.os.kernel","host.geo.continent_name","host.geo.country_name","host.geo.region_name","host.geo.city_name","host.geo.country_iso_code","host.geo.region_iso_code","host.geo.name","http.request.method","http.request.body.content","http.request.referrer","http.response.body.content","http.version","log.level","network.name","network.type","network.iana_number","network.transport","network.application","network.protocol","network.direction","network.community_id","observer.mac","observer.hostname","observer.vendor","observer.version","observer.serial_number","observer.type","observer.os.platform","observer.os.name","observer.os.full","observer.os.family","observer.os.version","observer.os.kernel","observer.geo.continent_name","observer.geo.country_name","observer.geo.region_name","observer.geo.city_name","observer.geo.country_iso_code","observer.geo.region_iso_code","observer.geo.name","organization.name","organization.id","os.platform","os.name","os.full","os.family","os.version","os.kernel","process.name","process.args","process.executable","process.title","process.working_directory","server.address","server.mac","server.domain","server.geo.continent_name","server.geo.country_name","server.geo.region_name","server.geo.city_name","server.geo.country_iso_code","server.geo.region_iso_code","server.geo.name","service.id","service.name","service.type","service.state","service.version","service.ephemeral_id","source.address","source.mac","source.domain","source.geo.continent_name","source.geo.country_name","source.geo.region_name","source.geo.city_name","source.geo.country_iso_code","source.geo.region_iso_code","source.geo.name","url.original","url.full","url.scheme","url.domain","url.path","url.query","url.fragment","url.username","url.password","user.id","user.name","user.full_name","user.email","user.hash","user.group.id","user.group.name","user_agent.original","user_agent.name","user_agent.version","user_agent.device.name","user_agent.os.platform","user_agent.os.name","user_agent.os.full","user_agent.os.family","user_agent.os.version","user_agent.os.kernel","agent.hostname","error.type","cloud.project.id","kubernetes.pod.name","kubernetes.pod.uid","kubernetes.namespace","kubernetes.node.name","kubernetes.container.name","kubernetes.container.image","file.origin","raw","file.selinux.user","file.selinux.role","file.selinux.domain","file.selinux.level","user.audit.id","user.audit.name","user.effective.id","user.effective.name","user.effective.group.id","user.effective.group.name","user.filesystem.id","user.filesystem.name","user.filesystem.group.id","user.filesystem.group.name","user.saved.id","user.saved.name","user.saved.group.id","user.saved.group.name","user.selinux.user","user.selinux.role","user.selinux.domain","user.selinux.level","user.selinux.category","source.path","destination.path","auditd.message_type","auditd.session","auditd.result","auditd.summary.actor.primary","auditd.summary.actor.secondary","auditd.summary.object.type","auditd.summary.object.primary","auditd.summary.object.secondary","auditd.summary.how","auditd.paths.inode","auditd.paths.dev","auditd.paths.obj_user","auditd.paths.obj_role","auditd.paths.obj_domain","auditd.paths.obj_level","auditd.paths.objtype","auditd.paths.ouid","auditd.paths.rdev","auditd.paths.nametype","auditd.paths.ogid","auditd.paths.item","auditd.paths.mode","auditd.paths.name","auditd.data.action","auditd.data.minor","auditd.data.acct","auditd.data.addr","auditd.data.cipher","auditd.data.id","auditd.data.entries","auditd.data.kind","auditd.data.ksize","auditd.data.spid","auditd.data.arch","auditd.data.argc","auditd.data.major","auditd.data.unit","auditd.data.table","auditd.data.terminal","auditd.data.grantors","auditd.data.direction","auditd.data.op","auditd.data.tty","auditd.data.syscall","auditd.data.data","auditd.data.family","auditd.data.mac","auditd.data.pfs","auditd.data.items","auditd.data.a0","auditd.data.a1","auditd.data.a2","auditd.data.a3","auditd.data.hostname","auditd.data.lport","auditd.data.rport","auditd.data.exit","auditd.data.fp","auditd.data.laddr","auditd.data.sport","auditd.data.capability","auditd.data.nargs","auditd.data.new-enabled","auditd.data.audit_backlog_limit","auditd.data.dir","auditd.data.cap_pe","auditd.data.model","auditd.data.new_pp","auditd.data.old-enabled","auditd.data.oauid","auditd.data.old","auditd.data.banners","auditd.data.feature","auditd.data.vm-ctx","auditd.data.opid","auditd.data.seperms","auditd.data.seresult","auditd.data.new-rng","auditd.data.old-net","auditd.data.sigev_signo","auditd.data.ino","auditd.data.old_enforcing","auditd.data.old-vcpu","auditd.data.range","auditd.data.res","auditd.data.added","auditd.data.fam","auditd.data.nlnk-pid","auditd.data.subj","auditd.data.a[0-3]","auditd.data.cgroup","auditd.data.kernel","auditd.data.ocomm","auditd.data.new-net","auditd.data.permissive","auditd.data.class","auditd.data.compat","auditd.data.fi","auditd.data.changed","auditd.data.msg","auditd.data.dport","auditd.data.new-seuser","auditd.data.invalid_context","auditd.data.dmac","auditd.data.ipx-net","auditd.data.iuid","auditd.data.macproto","auditd.data.obj","auditd.data.ipid","auditd.data.new-fs","auditd.data.vm-pid","auditd.data.cap_pi","auditd.data.old-auid","auditd.data.oses","auditd.data.fd","auditd.data.igid","auditd.data.new-disk","auditd.data.parent","auditd.data.len","auditd.data.oflag","auditd.data.uuid","auditd.data.code","auditd.data.nlnk-grp","auditd.data.cap_fp","auditd.data.new-mem","auditd.data.seperm","auditd.data.enforcing","auditd.data.new-chardev","auditd.data.old-rng","auditd.data.outif","auditd.data.cmd","auditd.data.hook","auditd.data.new-level","auditd.data.sauid","auditd.data.sig","auditd.data.audit_backlog_wait_time","auditd.data.printer","auditd.data.old-mem","auditd.data.perm","auditd.data.old_pi","auditd.data.state","auditd.data.format","auditd.data.new_gid","auditd.data.tcontext","auditd.data.maj","auditd.data.watch","auditd.data.device","auditd.data.grp","auditd.data.bool","auditd.data.icmp_type","auditd.data.new_lock","auditd.data.old_prom","auditd.data.acl","auditd.data.ip","auditd.data.new_pi","auditd.data.default-context","auditd.data.inode_gid","auditd.data.new-log_passwd","auditd.data.new_pe","auditd.data.selected-context","auditd.data.cap_fver","auditd.data.file","auditd.data.net","auditd.data.virt","auditd.data.cap_pp","auditd.data.old-range","auditd.data.resrc","auditd.data.new-range","auditd.data.obj_gid","auditd.data.proto","auditd.data.old-disk","auditd.data.audit_failure","auditd.data.inif","auditd.data.vm","auditd.data.flags","auditd.data.nlnk-fam","auditd.data.old-fs","auditd.data.old-ses","auditd.data.seqno","auditd.data.fver","auditd.data.qbytes","auditd.data.seuser","auditd.data.cap_fe","auditd.data.new-vcpu","auditd.data.old-level","auditd.data.old_pp","auditd.data.daddr","auditd.data.old-role","auditd.data.ioctlcmd","auditd.data.smac","auditd.data.apparmor","auditd.data.fe","auditd.data.perm_mask","auditd.data.ses","auditd.data.cap_fi","auditd.data.obj_uid","auditd.data.reason","auditd.data.list","auditd.data.old_lock","auditd.data.bus","auditd.data.old_pe","auditd.data.new-role","auditd.data.prom","auditd.data.uri","auditd.data.audit_enabled","auditd.data.old-log_passwd","auditd.data.old-seuser","auditd.data.per","auditd.data.scontext","auditd.data.tclass","auditd.data.ver","auditd.data.new","auditd.data.val","auditd.data.img-ctx","auditd.data.old-chardev","auditd.data.old_val","auditd.data.success","auditd.data.inode_uid","auditd.data.removed","auditd.data.socket.port","auditd.data.socket.saddr","auditd.data.socket.addr","auditd.data.socket.family","auditd.data.socket.path","geoip.continent_name","geoip.city_name","geoip.region_name","geoip.country_iso_code","hash.blake2b_256","hash.blake2b_384","hash.blake2b_512","hash.md5","hash.sha1","hash.sha224","hash.sha256","hash.sha384","hash.sha3_224","hash.sha3_256","hash.sha3_384","hash.sha3_512","hash.sha512","hash.sha512_224","hash.sha512_256","hash.xxh64","event.origin","user.entity_id","user.terminal","process.entity_id","socket.entity_id","system.audit.host.timezone.name","system.audit.host.hostname","system.audit.host.id","system.audit.host.architecture","system.audit.host.mac","system.audit.host.os.platform","system.audit.host.os.name","system.audit.host.os.family","system.audit.host.os.version","system.audit.host.os.kernel","system.audit.package.entity_id","system.audit.package.name","system.audit.package.version","system.audit.package.release","system.audit.package.arch","system.audit.package.license","system.audit.package.summary","system.audit.package.url","system.audit.user.name","system.audit.user.uid","system.audit.user.gid","system.audit.user.dir","system.audit.user.shell","system.audit.user.user_information","system.audit.user.password.type","fields.*"]},"refresh_interval":"5s"}}
[00:20:10]                       │ info [o.e.x.i.IndexLifecycleTransition] [kibana-ci-immutable-ubuntu-18-tests-xxl-1618931839216218627] moving index [.siem-signals-default-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [.siem-signals-default]
[00:20:11]                       │ info [auditbeat/hosts] Indexed 1751 docs into "auditbeat-8.0.0-2019.02.19-000001"
[00:20:11]                       │ info [auditbeat/hosts] Indexed 1 docs into "winlogbeat-8.0.0-2019.02.19-000001"
[00:20:16]                     │ proc [kibana]   log   [16:16:38.930] [info][plugins][securitySolution] [+] Finished indexing 1   name: "Signal Testing Query" id: "c604f2b0-a1f3-11eb-9c64-77be5d8d6e2a" rule id: "threshold-rule" signals index: ".siem-signals-default"
[00:20:16]                     │ proc [kibana]   log   [16:16:38.936] [info][eventLog][plugins] event logged: {"@timestamp":"2021-04-20T16:16:36.131Z","event":{"provider":"alerting","action":"execute","start":"2021-04-20T16:16:36.131Z","outcome":"success","end":"2021-04-20T16:16:38.936Z","duration":2805000000},"kibana":{"saved_objects":[{"rel":"primary","type":"alert","id":"c604f2b0-a1f3-11eb-9c64-77be5d8d6e2a"}],"alerting":{"status":"ok"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d"},"message":"alert executed: siem.signals:c604f2b0-a1f3-11eb-9c64-77be5d8d6e2a: 'Signal Testing Query'","ecs":{"version":"1.8.0"}}
[00:20:16]                     └- ✖ fail: detection engine api security and spaces enabled  Generating signals from source indexes Signals from audit beat are of the expected structure Threshold Rules generates signals from Threshold rules when bucketing by multiple fields
[00:20:16]                     │       Error: expected 0 to sort of equal 1
[00:20:16]                     │       + expected - actual
[00:20:16]                     │ 
[00:20:16]                     │       -0
[00:20:16]                     │       +1
[00:20:16]                     │       
[00:20:16]                     │       at Assertion.assert (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:20:16]                     │       at Assertion.eql (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:20:16]                     │       at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts:838:48)
[00:20:16]                     │       at Object.apply (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16)
[00:20:16]                     │ 
[00:20:16]                     │

Stack Trace

Error: expected 0 to sort of equal 1
    at Assertion.assert (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts:838:48)
    at Object.apply (/dev/shm/workspace/parallel/14/kibana/node_modules/@kbn/test/src/functional_test_runner/lib/mocha/wrap_function.js:73:16) {
  actual: '0',
  expected: '1',
  showDiff: true
}

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
ml 6.0MB 6.0MB +1.0KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@lcawl lcawl merged commit d7c6e27 into elastic:master Apr 20, 2021
@lcawl lcawl deleted the anomalies-tooltip2 branch April 20, 2021 17:23
lcawl added a commit to lcawl/kibana that referenced this pull request Apr 20, 2021
@lcawl
[ML] Add tooltips for actual and typical in anomalies table (elastic#…
73e512e 
…97549)
@lcawl lcawl mentioned this pull request Apr 20, 2021
Merged
lcawl added a commit that referenced this pull request Apr 20, 2021
@lcawl
[ML] Add tooltips for actual and typical in anomalies table (#97549) (#…
fad8a00 
…97685)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peteharverson peteharverson peteharverson approved these changes

@szabosteve szabosteve Awaiting requested review from szabosteve

Assignees

No one assigned

Labels

enhancement New value added to drive a business result Feature:Anomaly Detection ML anomaly detection :ml release_note:skip Skip the PR/issue when compiling release notes v7.13.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lcawl @elasticmachine @kibanamachine @peteharverson