[SIEM] Adds 'Create new rule' Cypress test (#59790) (#59825)

* adds 'Creates and activates new rule' * loads data using es_archive * refactor test
elastic · Mar 11, 2020 · 0f29eee · 0f29eee
1 parent 0283819
commit 0f29eee
Show file tree

Hide file tree

Showing 18 changed files with 482 additions and 13 deletions.
diff --git a/x-pack/legacy/plugins/siem/cypress/integration/signal_detection_rules.spec.ts b/x-pack/legacy/plugins/siem/cypress/integration/signal_detection_rules.spec.ts
@@ -4,10 +4,46 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { ELASTIC_RULES_BTN, RULES_TABLE, RULES_ROW } from '../screens/signal_detection_rules';
+import { newRule } from '../objects/rule';
 
+import {
+  ABOUT_DESCRIPTION,
+  ABOUT_EXPECTED_URLS,
+  ABOUT_FALSE_POSITIVES,
+  ABOUT_MITRE,
+  ABOUT_RISK,
+  ABOUT_RULE_DESCRIPTION,
+  ABOUT_SEVERITY,
+  ABOUT_TAGS,
+  ABOUT_TIMELINE,
+  DEFINITION_CUSTOM_QUERY,
+  DEFINITION_DESCRIPTION,
+  DEFINITION_INDEX_PATTERNS,
+  RULE_NAME_HEADER,
+  SCHEDULE_DESCRIPTION,
+  SCHEDULE_LOOPBACK,
+  SCHEDULE_RUNS,
+} from '../screens/rule_details';
+import {
+  CUSTOM_RULES_BTN,
+  ELASTIC_RULES_BTN,
+  RISK_SCORE,
+  RULE_NAME,
+  RULES_TABLE,
+  RULES_ROW,
+  SEVERITY,
+} from '../screens/signal_detection_rules';
+
+import {
+  createAndActivateRule,
+  fillAboutRuleAndContinue,
+  fillDefineRuleAndContinue,
+} from '../tasks/create_new_rule';
 import {
   changeToThreeHundredRowsPerPage,
+  filterByCustomRules,
+  goToCreateNewRule,
+  goToRuleDetails,
   loadPrebuiltDetectionRules,
   waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded,
   waitForPrebuiltDetectionRulesToBeLoaded,
@@ -18,19 +54,26 @@ import {
   waitForSignalsIndexToBeCreated,
   waitForSignalsPanelToBeLoaded,
 } from '../tasks/detections';
+import { esArchiverLoadEmptyKibana, esArchiverUnloadEmptyKibana } from '../tasks/es_archiver';
 import { loginAndWaitForPageWithoutDateRange } from '../tasks/login';
 
 import { DETECTIONS } from '../urls/navigation';
 
 describe('Signal detection rules', () => {
   before(() => {
+    esArchiverLoadEmptyKibana();
     loginAndWaitForPageWithoutDateRange(DETECTIONS);
-  });
-  it('Loads prebuilt rules', () => {
     waitForSignalsPanelToBeLoaded();
     waitForSignalsIndexToBeCreated();
     goToManageSignalDetectionRules();
     waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded();
+  });
+
+  after(() => {
+    esArchiverUnloadEmptyKibana();
+  });
+
+  it('Loads prebuilt rules', () => {
     loadPrebuiltDetectionRules();
     waitForPrebuiltDetectionRulesToBeLoaded();
 
@@ -47,4 +90,128 @@ describe('Signal detection rules', () => {
       cy.wrap($table.find(RULES_ROW).length).should('eql', expectedNumberOfRules);
     });
   });
+
+  it('Creates and activates new rule', () => {
+    goToCreateNewRule();
+    fillDefineRuleAndContinue(newRule);
+    fillAboutRuleAndContinue(newRule);
+    createAndActivateRule();
+
+    cy.get(CUSTOM_RULES_BTN)
+      .invoke('text')
+      .should('eql', 'Custom rules (1)');
+
+    changeToThreeHundredRowsPerPage();
+    waitForRulesToBeLoaded();
+
+    const expectedNumberOfRules = 93;
+    cy.get(RULES_TABLE).then($table => {
+      cy.wrap($table.find(RULES_ROW).length).should('eql', expectedNumberOfRules);
+    });
+
+    filterByCustomRules();
+
+    cy.get(RULES_TABLE).then($table => {
+      cy.wrap($table.find(RULES_ROW).length).should('eql', 1);
+    });
+    cy.get(RULE_NAME)
+      .invoke('text')
+      .should('eql', newRule.name);
+    cy.get(RISK_SCORE)
+      .invoke('text')
+      .should('eql', newRule.riskScore);
+    cy.get(SEVERITY)
+      .invoke('text')
+      .should('eql', newRule.severity);
+    cy.get('[data-test-subj="rule-switch"]').should('have.attr', 'aria-checked', 'true');
+
+    goToRuleDetails();
+
+    cy.get(RULE_NAME_HEADER)
+      .invoke('text')
+      .should('eql', `${newRule.name} Beta`);
+
+    const expectedIndexPatterns = [
+      'apm-*-transaction*',
+      'auditbeat-*',
+      'endgame-*',
+      'filebeat-*',
+      'packetbeat-*',
+      'winlogbeat-*',
+    ];
+    cy.get(DEFINITION_INDEX_PATTERNS).then(patterns => {
+      cy.wrap(patterns).each((pattern, index) => {
+        cy.wrap(pattern)
+          .invoke('text')
+          .should('eql', expectedIndexPatterns[index]);
+      });
+    });
+    cy.get(DEFINITION_DESCRIPTION)
+      .eq(DEFINITION_CUSTOM_QUERY)
+      .invoke('text')
+      .should('eql', `${newRule.customQuery} `);
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_RULE_DESCRIPTION)
+      .invoke('text')
+      .should('eql', newRule.description);
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_SEVERITY)
+      .invoke('text')
+      .should('eql', newRule.severity);
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_RISK)
+      .invoke('text')
+      .should('eql', newRule.riskScore);
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_TIMELINE)
+      .invoke('text')
+      .should('eql', 'Default blank timeline');
+
+    let expectedUrls = '';
+    newRule.referenceUrls.forEach(url => {
+      expectedUrls = expectedUrls + url;
+    });
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_EXPECTED_URLS)
+      .invoke('text')
+      .should('eql', expectedUrls);
+
+    let expectedFalsePositives = '';
+    newRule.falsePositivesExamples.forEach(falsePositive => {
+      expectedFalsePositives = expectedFalsePositives + falsePositive;
+    });
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_FALSE_POSITIVES)
+      .invoke('text')
+      .should('eql', expectedFalsePositives);
+
+    let expectedMitre = '';
+    newRule.mitre.forEach(mitre => {
+      expectedMitre = expectedMitre + mitre.tactic;
+      mitre.techniques.forEach(technique => {
+        expectedMitre = expectedMitre + technique;
+      });
+    });
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_MITRE)
+      .invoke('text')
+      .should('eql', expectedMitre);
+
+    let expectedTags = '';
+    newRule.tags.forEach(tag => {
+      expectedTags = expectedTags + tag;
+    });
+    cy.get(ABOUT_DESCRIPTION)
+      .eq(ABOUT_TAGS)
+      .invoke('text')
+      .should('eql', expectedTags);
+    cy.get(SCHEDULE_DESCRIPTION)
+      .eq(SCHEDULE_RUNS)
+      .invoke('text')
+      .should('eql', '5m');
+    cy.get(SCHEDULE_DESCRIPTION)
+      .eq(SCHEDULE_LOOPBACK)
+      .invoke('text')
+      .should('eql', '1m');
+  });
 });
diff --git a/x-pack/legacy/plugins/siem/cypress/objects/rule.ts b/x-pack/legacy/plugins/siem/cypress/objects/rule.ts
@@ -0,0 +1,45 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+interface Mitre {
+  tactic: string;
+  techniques: string[];
+}
+
+export interface Rule {
+  customQuery: string;
+  name: string;
+  description: string;
+  severity: string;
+  riskScore: string;
+  tags: string[];
+  timelineTemplate?: string;
+  referenceUrls: string[];
+  falsePositivesExamples: string[];
+  mitre: Mitre[];
+}
+
+const mitre1: Mitre = {
+  tactic: 'Discovery (TA0007)',
+  techniques: ['Cloud Service Discovery (T1526)', 'File and Directory Discovery (T1083)'],
+};
+
+const mitre2: Mitre = {
+  tactic: 'Execution (TA0002)',
+  techniques: ['CMSTP (T1191)'],
+};
+
+export const newRule: Rule = {
+  customQuery: 'hosts.name: *',
+  name: 'New Rule Test',
+  description: 'The new rule description.',
+  severity: 'High',
+  riskScore: '17',
+  tags: ['test', 'newRule'],
+  referenceUrls: ['https://www.google.com/', 'https://elastic.co/'],
+  falsePositivesExamples: ['False1', 'False2'],
+  mitre: [mitre1, mitre2],
+};
diff --git a/x-pack/legacy/plugins/siem/cypress/screens/create_new_rule.ts b/x-pack/legacy/plugins/siem/cypress/screens/create_new_rule.ts
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const ABOUT_CONTINUE_BTN = '[data-test-subj="about-continue"]';
+
+export const ADD_FALSE_POSITIVE_BTN =
+  '[data-test-subj="detectionEngineStepAboutRuleFalsePositives"] .euiButtonEmpty__text';
+
+export const ADD_REFERENCE_URL_BTN =
+  '[data-test-subj="detectionEngineStepAboutRuleReferenceUrls"] .euiButtonEmpty__text';
+
+export const MITRE_BTN = '[data-test-subj="addMitre"]';
+
+export const ADVANCED_SETTINGS_BTN = '[data-test-subj="advancedSettings"] .euiAccordion__button';
+
+export const CREATE_AND_ACTIVATE_BTN = '[data-test-subj="create-activate"]';
+
+export const CUSTOM_QUERY_INPUT = '[data-test-subj="queryInput"]';
+
+export const DEFINE_CONTINUE_BUTTON = '[data-test-subj="continue"]';
+
+export const FALSE_POSITIVES_INPUT =
+  '[data-test-subj="detectionEngineStepAboutRuleFalsePositives"] input';
+
+export const MITRE_TACTIC = '.euiContextMenuItem__text';
+
+export const MITRE_TACTIC_DROPDOWN = '[data-test-subj="mitreTactic"]';
+
+export const MITRE_TECHNIQUES_INPUT =
+  '[data-test-subj="mitreTechniques"] [data-test-subj="comboBoxSearchInput"]';
+
+export const REFERENCE_URLS_INPUT =
+  '[data-test-subj="detectionEngineStepAboutRuleReferenceUrls"] input';
+
+export const RISK_INPUT = '.euiRangeInput';
+
+export const RULE_DESCRIPTION_INPUT =
+  '[data-test-subj="detectionEngineStepAboutRuleDescription"] [data-test-subj="input"]';
+
+export const RULE_NAME_INPUT =
+  '[data-test-subj="detectionEngineStepAboutRuleName"] [data-test-subj="input"]';
+
+export const SEVERITY_DROPDOWN = '[data-test-subj="select"]';
+
+export const TAGS_INPUT =
+  '[data-test-subj="detectionEngineStepAboutRuleTags"] [data-test-subj="comboBoxSearchInput"]';
diff --git a/x-pack/legacy/plugins/siem/cypress/screens/rule_details.ts b/x-pack/legacy/plugins/siem/cypress/screens/rule_details.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export const ABOUT_DESCRIPTION = '[data-test-subj="aboutRule"] .euiDescriptionList__description';
+
+export const ABOUT_EXPECTED_URLS = 4;
+
+export const ABOUT_FALSE_POSITIVES = 5;
+
+export const ABOUT_MITRE = 6;
+
+export const ABOUT_RULE_DESCRIPTION = 0;
+
+export const ABOUT_RISK = 2;
+
+export const ABOUT_SEVERITY = 1;
+
+export const ABOUT_TAGS = 7;
+
+export const ABOUT_TIMELINE = 3;
+
+export const DEFINITION_CUSTOM_QUERY = 1;
+
+export const DEFINITION_DESCRIPTION =
+  '[data-test-subj="definition"] .euiDescriptionList__description';
+
+export const DEFINITION_INDEX_PATTERNS =
+  '[data-test-subj="definition"] .euiDescriptionList__description .euiBadge__text';
+
+export const RULE_NAME_HEADER = '[data-test-subj="header-page-title"]';
+
+export const SCHEDULE_DESCRIPTION = '[data-test-subj="schedule"]  .euiDescriptionList__description';
+
+export const SCHEDULE_RUNS = 0;
+
+export const SCHEDULE_LOOPBACK = 1;
diff --git a/x-pack/legacy/plugins/siem/cypress/screens/signal_detection_rules.ts b/x-pack/legacy/plugins/siem/cypress/screens/signal_detection_rules.ts
@@ -4,6 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export const CREATE_NEW_RULE_BTN = '[data-test-subj="create-new-rule"]';
+
+export const CUSTOM_RULES_BTN = '[data-test-subj="show-custom-rules-filter-button"]';
+
 export const ELASTIC_RULES_BTN = '[data-test-subj="show-elastic-rules-filter-button"]';
 
 export const LOAD_PREBUILT_RULES_BTN = '[data-test-subj="load-prebuilt-rules"]';
@@ -15,8 +19,14 @@ export const LOADING_SPINNER = '[data-test-subj="loading-spinner"]';
 
 export const PAGINATION_POPOVER_BTN = '[data-test-subj="tablePaginationPopoverButton"]';
 
+export const RISK_SCORE = '[data-test-subj="riskScore"]';
+
+export const RULE_NAME = '[data-test-subj="ruleName"]';
+
 export const RULES_TABLE = '[data-test-subj="rules-table"]';
 
 export const RULES_ROW = '.euiTableRow';
 
+export const SEVERITY = '[data-test-subj="severity"]';
+
 export const THREE_HUNDRED_ROWS = '[data-test-subj="tablePagination-300-rows"]';