Skip to content

Commit

Permalink
adds EQL sequence rule test (#79287)
Browse files Browse the repository at this point in the history
Co-authored-by: Kibana Machine <[email protected]>
  • Loading branch information
MadameSheema and kibanamachine committed Oct 5, 2020
1 parent 67cfa50 commit 86dc27c
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { eqlRule, indexPatterns } from '../objects/rule';
import { eqlRule, eqlSequenceRule, indexPatterns } from '../objects/rule';

import {
ALERT_RULE_METHOD,
Expand Down Expand Up @@ -85,6 +85,7 @@ const expectedMitre = eqlRule.mitre
.join('');
const expectedNumberOfRules = 1;
const expectedNumberOfAlerts = 7;
const expectedNumberOfSequenceAlerts = 1;

describe('Detection rules, EQL', () => {
before(() => {
Expand Down Expand Up @@ -172,4 +173,43 @@ describe('Detection rules, EQL', () => {
cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlRule.severity.toLowerCase());
cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlRule.riskScore);
});

it('Creates and activates a new EQL rule with a sequence', () => {
loginAndWaitForPageWithoutDateRange(DETECTIONS_URL);
waitForAlertsPanelToBeLoaded();
waitForAlertsIndexToBeCreated();
goToManageAlertsDetectionRules();
waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded();
goToCreateNewRule();
selectEqlRuleType();
fillDefineEqlRuleAndContinue(eqlSequenceRule);
fillAboutRuleAndContinue(eqlSequenceRule);
fillScheduleRuleAndContinue(eqlSequenceRule);
createAndActivateRule();

cy.get(CUSTOM_RULES_BTN).should('have.text', 'Custom rules (1)');

changeToThreeHundredRowsPerPage();
waitForRulesToBeLoaded();

cy.get(RULES_TABLE).then(($table) => {
cy.wrap($table.find(RULES_ROW).length).should('eql', expectedNumberOfRules);
});

filterByCustomRules();
goToRuleDetails();
refreshPage();
waitForTheRuleToBeExecuted();

cy.get(NUMBER_OF_ALERTS)
.invoke('text')
.then((numberOfAlertsText) => {
cy.wrap(parseInt(numberOfAlertsText, 10)).should('eql', expectedNumberOfSequenceAlerts);
});
cy.get(ALERT_RULE_NAME).first().should('have.text', eqlSequenceRule.name);
cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlSequenceRule.severity.toLowerCase());
cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlSequenceRule.riskScore);
});
});
19 changes: 19 additions & 0 deletions x-pack/plugins/security_solution/cypress/objects/rule.ts
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,25 @@ export const eqlRule: CustomRule = {
lookBack,
};

export const eqlSequenceRule: CustomRule = {
customQuery:
'sequence with maxspan=30s\
[any where process.name == "which"]\
[any where process.name == "xargs"]',
name: 'New EQL Sequence Rule',
description: 'New EQL rule description.',
severity: 'High',
riskScore: '17',
tags: ['test', 'newRule'],
referenceUrls: ['https://www.google.com/', 'https://elastic.co/'],
falsePositivesExamples: ['False1', 'False2'],
mitre: [mitre1, mitre2],
note: '# test markdown',
timelineId: '0162c130-78be-11ea-9718-118a926974a4',
runsEvery,
lookBack,
};

export const indexPatterns = [
'apm-*-transaction*',
'auditbeat-*',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -223,7 +223,6 @@ export const fillDefineThresholdRuleAndContinue = (rule: ThresholdRule) => {

export const fillDefineEqlRuleAndContinue = (rule: CustomRule) => {
cy.get(EQL_QUERY_INPUT).type(rule.customQuery);
cy.get(EQL_QUERY_INPUT).invoke('text').should('eq', rule.customQuery);
cy.get(DEFINE_CONTINUE_BUTTON).should('exist').click({ force: true });

cy.get(EQL_QUERY_INPUT).should('not.exist');
Expand Down

0 comments on commit 86dc27c

Please sign in to comment.