[SIEM][Detection Engine] Final final rule changes

[FrankHassanabad]

Summary

• Final, final, Rule changes

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

- [ ] Unit or functional tests were updated or added to match the most common scenarios

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately

- [ ] This includes a feature addition or change that requires a release note and was labeled appropriately

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[randomuserid]

yes these two were cut because they did not test well.

[randomuserid]

zomg, ze rules!

[kibanamachine]

💛 Build succeeded, but was flaky

• continuous-integration/kibana-ci/pull-request
• Commit: dbcf6ab
• Flaky suites:
  • xpack-kibana-ciGroup1

---

Test Failures

Kibana Pipeline / kibana-xpack-agent / Chrome X-Pack UI Functional Tests.x-pack/test/functional/apps/rollup_job/tsvb·js.rollup app tsvb integration create rollup tsvb

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://github.com/elastic/kibana/issues/56816

[00:00:00]       │
[00:28:29]         └-: rollup app
[00:28:29]           └-> "before all" hook
[00:29:51]           └-: tsvb integration
[00:29:51]             └-> "before all" hook
[00:29:51]             └-> "before all" hook
[00:29:51]               │ info [visualize/default] Loading "mappings.json"
[00:29:51]               │ info [visualize/default] Loading "data.json"
[00:29:51]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/rA-LyRiWSQ-yjPbceNKvog] deleting index
[00:29:52]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_1/XMN_yvFQTmqeQYN7mpQ9KA] deleting index
[00:29:52]               │ info [visualize/default] Deleted existing index [".kibana_2",".kibana_1"]
[00:29:52]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana] creating index, cause [api], templates [], shards [1]/[0], mappings [_doc]
[00:29:52]               │ info [visualize/default] Created index ".kibana"
[00:29:52]               │ debg [visualize/default] ".kibana" settings {"index":{"number_of_shards":"1","auto_expand_replicas":"0-1","number_of_replicas":"0"}}
[00:29:52]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [metricbeat-7] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
[00:29:52]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [metricbeat-7/9QUq8cqtTM-P6FJBBRejAA] create_mapping
[00:29:52]               │ info [visualize/default] Indexed 8 docs into ".kibana"
[00:29:52]               │ info [visualize/default] Indexed 1 docs into "metricbeat-7"
[00:29:53]               │ info Creating index .kibana_2.
[00:29:53]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:53]               │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] updating number_of_replicas to [0] for indices [.kibana_2]
[00:29:53]               │ info Reindexing .kibana to .kibana_1
[00:29:53]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_1] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:53]               │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] updating number_of_replicas to [0] for indices [.kibana_1]
[00:29:53]               │ info [o.e.t.LoggingTaskListener] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] 68878 finished with response BulkByScrollResponse[took=148.7ms,timed_out=false,sliceId=null,updated=0,created=8,deleted=0,batches=1,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]
[00:29:53]               │ info [o.e.c.m.MetaDataDeleteIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana/Myt6RUnGQCm3gITauURAow] deleting index
[00:29:53]               │ info Migrating .kibana_1 saved objects to .kibana_2
[00:29:54]               │ debg Migrating saved objects space:default, index-pattern:metricbeat-*, custom-space:index-pattern:metricbeat-*, index-pattern:logstash-*, custom_space:index-pattern:logstash-*, visualization:i-exist, custom_space:visualization:i-exist, query:okjpgs
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:54]               │ info Pointing alias .kibana to .kibana_2.
[00:29:54]               │ info Finished in 895ms.
[00:29:54]               │ debg applying update to kibana config: {"accessibility:disableAnimations":true,"dateFormat:tz":"UTC"}
[00:29:54]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:29:55]             └-> create rollup tsvb
[00:29:55]               └-> "before each" hook: global before each
[00:29:55]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-source-data] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
[00:29:55]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-source-data/YY7vaLIHQxubkgnBoh9Phg] create_mapping
[00:29:55]               │ info [o.e.c.m.MetaDataCreateIndexService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-target-data] creating index, cause [api], templates [], shards [1]/[1], mappings [_doc]
[00:29:55]               │ debg navigating to visualize url: http://localhost:6121/app/kibana#/visualize
[00:29:55]               │ debg Navigate to: http://localhost:6121/app/kibana#/visualize
[00:29:55]               │ info [o.e.x.r.j.RollupJobTask] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] Rollup job [tsvb-test-rollup-job-1580860173065] created.
[00:29:55]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [rollup-target-data/LvOSCCpPQT2pw_qdxCR6Ww] update_mapping [_doc]
[00:29:56]               │ debg ... sleep(700) start
[00:29:56]               │ debg browser[INFO] http://localhost:6121/app/kibana?_t=1580861970473#/visualize 350 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:56]               │
[00:29:56]               │ debg browser[INFO] http://localhost:6121/bundles/app/kibana/bootstrap.js 8:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:56]               │ debg ... sleep(700) end
[00:29:56]               │ debg returned from get, calling refresh
[00:29:56]               │ debg browser[INFO] http://localhost:6121/app/kibana?_t=1580861970473#/visualize 350 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:56]               │
[00:29:56]               │ debg browser[INFO] http://localhost:6121/bundles/app/kibana/bootstrap.js 8:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:56]               │ debg currentUrl = http://localhost:6121/app/kibana#/visualize
[00:29:56]               │          appUrl = http://localhost:6121/app/kibana#/visualize
[00:29:56]               │ debg Find.findByCssSelector('[data-test-subj="kibanaChrome"]') with timeout=60000
[00:30:01]               │ debg TestSubjects.find(kibanaChrome)
[00:30:01]               │ debg Find.findByCssSelector('[data-test-subj="kibanaChrome"]') with timeout=10000
[00:30:01]               │ debg browser[INFO] http://localhost:6121/built_assets/dlls/vendors_2.bundle.dll.js 92:138197 "INFO: 2020-02-05T00:19:34Z
[00:30:01]               │        Adding connection to http://localhost:6121/elasticsearch
[00:30:01]               │
[00:30:01]               │      "
[00:30:01]               │ debg ... sleep(501) start
[00:30:01]               │ info [o.e.c.m.MetaDataMappingService] [kibana-ci-immutable-ubuntu-tests-xl-1580858528622471691] [.kibana_2/nsPvAIlmTtm_hcOtw36d5w] update_mapping [_doc]
[00:30:02]               │ debg ... sleep(501) end
[00:30:02]               │ debg in navigateTo url = http://localhost:6121/app/kibana#/visualize?_g=(refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))
[00:30:02]               │ debg TestSubjects.exists(statusPageContainer)
[00:30:02]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="statusPageContainer"]') with timeout=2500
[00:30:04]               │ debg --- retry.tryForTime error: [data-test-subj="statusPageContainer"] is not displayed
[00:30:05]               │ debg TestSubjects.exists(newItemButton)
[00:30:05]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="newItemButton"]') with timeout=2500
[00:30:05]               │ debg TestSubjects.click(newItemButton)
[00:30:05]               │ debg Find.clickByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:30:05]               │ debg TestSubjects.find(visNewDialogTypes)
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="visNewDialogTypes"]') with timeout=10000
[00:30:05]               │ debg TestSubjects.click(visType-metrics)
[00:30:05]               │ debg Find.clickByCssSelector('[data-test-subj="visType-metrics"]') with timeout=10000
[00:30:05]               │ debg Find.findByCssSelector('[data-test-subj="visType-metrics"]') with timeout=10000
[00:30:06]               │ debg isGlobalLoadingIndicatorVisible
[00:30:06]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:06]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:07]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:08]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:08]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:08]               │ debg TestSubjects.exists(tvbVisEditor)
[00:30:08]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="tvbVisEditor"]') with timeout=10000
[00:30:08]               │ debg openQuickSelectTimeMenu
[00:30:08]               │ debg TestSubjects.exists(superDatePickerQuickMenu)
[00:30:08]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="superDatePickerQuickMenu"]') with timeout=2500
[00:30:10]               │ debg --- retry.tryForTime error: [data-test-subj="superDatePickerQuickMenu"] is not displayed
[00:30:11]               │ debg opening quick select menu
[00:30:11]               │ debg TestSubjects.click(superDatePickerToggleQuickMenuButton)
[00:30:11]               │ debg Find.clickByCssSelector('[data-test-subj="superDatePickerToggleQuickMenuButton"]') with timeout=10000
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="superDatePickerToggleQuickMenuButton"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.click(superDatePickerCommonlyUsed_Last_24 hours)
[00:30:11]               │ debg Find.clickByCssSelector('[data-test-subj="superDatePickerCommonlyUsed_Last_24 hours"]') with timeout=10000
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="superDatePickerCommonlyUsed_Last_24 hours"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.find(metricTsvbTypeBtn)
[00:30:11]               │ debg Find.findByCssSelector('[data-test-subj="metricTsvbTypeBtn"]') with timeout=10000
[00:30:11]               │ debg TestSubjects.exists(tsvbMetricValue)
[00:30:11]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="tsvbMetricValue"]') with timeout=10000
[00:30:12]               │ debg TestSubjects.click(metricEditorPanelOptionsBtn)
[00:30:12]               │ debg Find.clickByCssSelector('[data-test-subj="metricEditorPanelOptionsBtn"]') with timeout=10000
[00:30:12]               │ debg Find.findByCssSelector('[data-test-subj="metricEditorPanelOptionsBtn"]') with timeout=10000
[00:30:12]               │ debg isGlobalLoadingIndicatorVisible
[00:30:12]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:12]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:14]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:14]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:14]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:14]               │ debg TestSubjects.find(metricsIndexPatternInput)
[00:30:14]               │ debg Find.findByCssSelector('[data-test-subj="metricsIndexPatternInput"]') with timeout=10000
[00:30:15]               │ debg isGlobalLoadingIndicatorVisible
[00:30:15]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:15]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:16]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:17]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:17]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:17]               │ debg TestSubjects.find(metricsIndexPatternInterval)
[00:30:17]               │ debg Find.findByCssSelector('[data-test-subj="metricsIndexPatternInterval"]') with timeout=10000
[00:30:17]               │ debg isGlobalLoadingIndicatorVisible
[00:30:17]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:17]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:19]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:19]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:19]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:19]               │ debg TestSubjects.find(metricsDropLastBucket-no)
[00:30:19]               │ debg Find.findByCssSelector('[data-test-subj="metricsDropLastBucket-no"]') with timeout=10000
[00:30:19]               │ debg isGlobalLoadingIndicatorVisible
[00:30:19]               │ debg TestSubjects.exists(globalLoadingIndicator)
[00:30:19]               │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:30:21]               │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:30:21]               │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:30:21]               │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:30:21]               │ debg ... sleep(3000) start
[00:30:24]               │ debg ... sleep(3000) end
[00:30:24]               │ debg Waiting up to 20000ms for rendering count to stabilize...
[00:30:24]               │ debg TestSubjects.find(visualizationLoader)
[00:30:24]               │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:30:24]               │ debg -- firstCount=7
[00:30:24]               │ debg ... sleep(1000) start
[00:30:25]               │ debg ... sleep(1000) end
[00:30:25]               │ debg TestSubjects.find(visualizationLoader)
[00:30:25]               │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:30:25]               │ debg -- secondCount=7
[00:30:25]               │ debg Find.findByCssSelector('.tvbVisMetric__value--primary') with timeout=10000
[00:30:25]               │ info Taking screenshot "/dev/shm/workspace/kibana/x-pack/test/functional/screenshots/failure/rollup app tsvb integration create rollup tsvb.png"
[00:30:26]               │ info Current URL is: http://localhost:6121/app/kibana#/visualize/create?type=metrics&_g=(refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(filters:!(),linked:!f,query:(language:kuery,query:%27%27),uiState:(),vis:(aggs:!(),params:(axis_formatter:number,axis_position:left,axis_scale:normal,background_color_rules:!((id:%273703ed60-47ad-11ea-a429-d763ffebc10f%27)),default_index_pattern:%27metricbeat-*%27,default_timefield:%27@timestamp%27,drop_last_bucket:0,id:%2761ca57f0-469d-11e7-af02-69e470af7417%27,index_pattern:rollup-target-data,interval:%271d%27,isModelInvalid:!f,series:!((axis_position:right,chart_type:line,color:%2368BC00,fill:0.5,formatter:number,id:%2761ca57f1-469d-11e7-af02-69e470af7417%27,line_width:1,metrics:!((id:%2761ca57f2-469d-11e7-af02-69e470af7417%27,type:count)),point_size:1,separate_axis:0,split_mode:everything,stacked:none)),show_grid:1,show_legend:1,time_field:%27%27,type:metric),title:%27%27,type:metrics))
[00:30:26]               │ info Saving page source to: /dev/shm/workspace/kibana/x-pack/test/functional/failure_debug/html/rollup app tsvb integration create rollup tsvb.html
[00:30:26]               └- ✖ fail: "rollup app tsvb integration create rollup tsvb"
[00:30:26]               │

Stack Trace

{ Error: expected '0' to sort of equal '3'
    at Assertion.assert (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/kibana/packages/kbn-expect/expect.js:244:8)
    at Context.it (test/functional/apps/rollup_job/tsvb.js:90:27)
    at process._tickCallback (internal/process/next_tick.js:68:7) actual: '0', expected: '3', showDiff: true }

---

History

• 💔 Build #24450 failed cb5dfa4

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[rylnd]

@FrankHassanabad @randomuserid should this be www-data, not wwww-data?

[randomuserid]

Yes that is a typo and IDK how that got through. IDK if we have any options at this point but either fixing it as suggested or reverting to the earlier search version without the www-data user would seem valid. If it is not too late. Thanks very much for catching this!