Merge branch 'master' into feat/siem-untitled-timeline

elasticmachine · web-flow · commit 2a07837a90ff · 2020-05-05T22:08:40.000-04:00
diff --git a/x-pack/plugins/endpoint/common/generate_data.test.ts b/x-pack/plugins/endpoint/common/generate_data.test.ts
@@ -101,20 +101,38 @@ describe('data generator', () => {
     });
 
     it('with n-1 process events', () => {
-      for (let i = 1; i < events.length - 1; i++) {
-        expect(events[i].process.parent?.entity_id).toEqual(events[i - 1].process.entity_id);
-        expect(events[i].event.kind).toEqual('event');
-        expect(events[i].event.category).toEqual('process');
+      for (let i = events.length - 2; i > 0; ) {
+        const parentEntityIdOfChild = events[i].process.parent?.entity_id;
+        for (
+          ;
+          --i >= -1 && (events[i].event.kind !== 'event' || events[i].event.category !== 'process');
+
+        ) {
+          // related event - skip it
+        }
+        expect(i).toBeGreaterThanOrEqual(0);
+        expect(parentEntityIdOfChild).toEqual(events[i].process.entity_id);
       }
     });
 
     it('with a corresponding alert at the end', () => {
+      let previousProcessEventIndex = events.length - 2;
+      for (
+        ;
+        previousProcessEventIndex >= -1 &&
+        (events[previousProcessEventIndex].event.kind !== 'event' ||
+          events[previousProcessEventIndex].event.category !== 'process');
+        previousProcessEventIndex--
+      ) {
+        // related event - skip it
+      }
+      expect(previousProcessEventIndex).toBeGreaterThanOrEqual(0);
       // The alert should be last and have the same entity_id as the previous process event
       expect(events[events.length - 1].process.entity_id).toEqual(
-        events[events.length - 2].process.entity_id
+        events[previousProcessEventIndex].process.entity_id
       );
       expect(events[events.length - 1].process.parent?.entity_id).toEqual(
-        events[events.length - 2].process.parent?.entity_id
+        events[previousProcessEventIndex].process.parent?.entity_id
       );
       expect(events[events.length - 1].event.kind).toEqual('alert');
       expect(events[events.length - 1].event.category).toEqual('malware');
diff --git a/x-pack/plugins/endpoint/common/generate_data.ts b/x-pack/plugins/endpoint/common/generate_data.ts
@@ -339,13 +339,17 @@ export class EndpointDocGenerator {
     percentNodesWithRelated?: number,
     percentChildrenTerminated?: number
   ) {
-    const ancestry = this.createAlertEventAncestry(alertAncestors);
+    const ancestry = this.createAlertEventAncestry(
+      alertAncestors,
+      relatedEventsPerNode,
+      percentNodesWithRelated
+    );
     for (let i = 0; i < ancestry.length; i++) {
       yield ancestry[i];
     }
-    // ancestry will always have at least 2 elements, and the second to last element will be the process associated with the alert
+    // ancestry will always have at least 2 elements, and the last element will be the alert
     yield* this.descendantsTreeGenerator(
-      ancestry[ancestry.length - 2],
+      ancestry[ancestry.length - 1],
       childGenerations,
       maxChildrenPerNode,
       relatedEventsPerNode,
@@ -358,18 +362,44 @@ export class EndpointDocGenerator {
    * Creates an alert event and associated process ancestry. The alert event will always be the last event in the return array.
    * @param alertAncestors - number of ancestor generations to create
    */
-  public createAlertEventAncestry(alertAncestors = 3): Event[] {
+  public createAlertEventAncestry(
+    alertAncestors = 3,
+    relatedEventsPerNode = 5,
+    pctWithRelated = 30
+  ): Event[] {
     const events = [];
     const startDate = new Date().getTime();
     const root = this.generateEvent({ timestamp: startDate + 1000 });
     events.push(root);
     let ancestor = root;
+    // generate related alerts for root
+    const processDuration: number = 6 * 3600;
+    if (this.randomN(100) < pctWithRelated) {
+      for (const relatedEvent of this.relatedEventsGenerator(
+        ancestor,
+        relatedEventsPerNode,
+        processDuration
+      )) {
+        events.push(relatedEvent);
+      }
+    }
     for (let i = 0; i < alertAncestors; i++) {
       ancestor = this.generateEvent({
         timestamp: startDate + 1000 * (i + 1),
         parentEntityID: ancestor.process.entity_id,
       });
       events.push(ancestor);
+
+      // generate related alerts for ancestor
+      if (this.randomN(100) < pctWithRelated) {
+        for (const relatedEvent of this.relatedEventsGenerator(
+          ancestor,
+          relatedEventsPerNode,
+          processDuration
+        )) {
+          events.push(relatedEvent);
+        }
+      }
     }
     events.push(
       this.generateAlert(
diff --git a/x-pack/test/functional/apps/machine_learning/anomaly_detection/single_metric_job.ts b/x-pack/test/functional/apps/machine_learning/anomaly_detection/single_metric_job.ts
@@ -71,7 +71,8 @@ export default function({ getService }: FtrProviderContext) {
 
   const calendarId = `wizard-test-calendar_${Date.now()}`;
 
-  describe('single metric', function() {
+  // Breaking latest ES snapshots: https://github.com/elastic/kibana/issues/65377
+  describe.skip('single metric', function() {
     this.tags(['mlqa']);
     before(async () => {
       await esArchiver.loadIfNeeded('ml/farequote');
@@ -325,8 +326,7 @@ export default function({ getService }: FtrProviderContext) {
       await ml.jobWizardCommon.advanceToValidationSection();
     });
 
-    // https://github.com/elastic/kibana/issues/65377
-    it.skip('job cloning displays the summary step', async () => {
+    it('job cloning displays the summary step', async () => {
       await ml.jobWizardCommon.advanceToSummarySection();
     });
 
