honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

EQL: Re-enable correctness tests (#65041) 

Enable previously disabled tests - only two type of queries remain
disabled: one that does pattern matching and another one for
case-insensitivity.

Fix #63742

(cherry picked from commit 20210cc43b34438c40b8b5aebf0aa2b8161c4104)
(cherry picked from commit 95d08f2c8d0aac52cc1ed470fa489c239ee25159)
This commit is contained in:
Costin Leau 2020-11-14 16:06:46 +02:00 committed by Costin Leau
parent 76e73fec79
commit f7cc570c4f
1 changed files with 40 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml
View File

@ -146,24 +146,24 @@ sequence by hostname with maxspan=1s
time = 7.880767107009888 time = 7.880767107009888
type = "sequence" type = "sequence"
#[[queries]] [[queries]]
#queryNo = 10 queryNo = 10
#case_insensitive = true case_insensitive = true
#count = 10 count = 10
#expected_event_ids = [3940731, 3940732, 3941991, 3941995, 3942330, 3942334, 3942862, 3942863, 3943079, 3943083, 3943496, 3943501, 3943887, 3943893, 3944253, 3944254, 3945063, 3945071, 3945287, 3945292] expected_event_ids = [3940731, 3940732, 3941991, 3941995, 3942330, 3942334, 3942862, 3942863, 3943079, 3943083, 3943496, 3943501, 3943887, 3943893, 3944253, 3944254, 3945063, 3945071, 3945287, 3945292]
#filter_counts = [64209, 56911] filter_counts = [64209, 56911]
#filters = [ filters = [
# 'network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)', 'network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)',
# 'security where hostname == "newyork" and event_id == 4624' 'security where hostname == "newyork" and event_id == 4624'
#] ]
#query = ''' query = '''
#sequence by hostname with maxspan=1m sequence by hostname with maxspan=1m
# [network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address [network where hostname == "newyork" and destination_port in (135, 139, 445, 3389)] by source_port, source_address
# [security where hostname == "newyork" and event_id == 4624] by source_port, ip_address [security where hostname == "newyork" and event_id == 4624] by source_port, ip_address
#| tail 10 | tail 10
#''' '''
#time = 11.688340187072754 time = 11.688340187072754
#type = "sequence" type = "sequence"
[[queries]] [[queries]]
queryNo = 11 queryNo = 11
@ -599,25 +599,25 @@ type = "sequence"
#time = 8.868574619293213 #time = 8.868574619293213
#type = "sequence" #type = "sequence"
# #
#[[queries]] [[queries]]
#queryNo = 34 queryNo = 34
#case_insensitive = true case_insensitive = true
#count = 0 count = 0
#expected_event_ids = [] expected_event_ids = []
#filter_counts = [4, 2, 54954, 394] filter_counts = [4, 2, 54954, 394]
#filters = [ filters = [
# 'process where process_name == "net.exe"', 'process where process_name == "net.exe"',
# 'process where process_name == "net1.exe"', 'process where process_name == "net1.exe"',
# "network where destination_port == 445", "network where destination_port == 445",
# "file where pid == 4" "file where pid == 4"
#] ]
#query = """ query = """
#sequence with maxspan=10s sequence with maxspan=10s
# [process where process_name == "net.exe"] [process where process_name == "net.exe"]
# [process where process_name == "net1.exe"] [process where process_name == "net1.exe"]
# [network where destination_port == 445] [network where destination_port == 445]
# [file where pid == 4] [file where pid == 4]
#| tail 3 | tail 3
#""" """
#time = 5.871383905410767 time = 5.871383905410767
#type = "sequence" type = "sequence"