updates test

elastic · Aug 10, 2021 · b52d640 · b52d640
1 parent 43e8732
commit b52d640
Showing 1 changed file with 111 additions and 5 deletions.
diff --git a/...lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts b/...lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.test.ts
@@ -5,12 +5,16 @@
  * 2.0.
  */
 
+import { v4 } from 'uuid';
+
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { elasticsearchClientMock } from 'src/core/server/elasticsearch/client/mocks';
 
 import { allowedExperimentalValues } from '../../../../../common/experimental_features';
 import { createRuleTypeMocks } from '../__mocks__/rule_type';
 import { createIndicatorMatchAlertType } from './create_indicator_match_alert_type';
+import { sampleDocNoSortId } from '../../signals/__mocks__/es_results';
+import { CountResponse } from 'kibana/server';
 
 jest.mock('../utils/get_list_client', () => ({
   getListClient: jest.fn().mockReturnValue({
@@ -90,8 +94,67 @@ describe('Indicator Match Alerts', () => {
     expect(dependencies.ruleDataClient.getWriter).not.toBeCalled();
   });
 
-  // TODO: fix with mock enrichment
-  // it('sends a properly formatted alert when events are found', async () => {
+  it('does not send an alert when no enrichments are found', async () => {
+    const { services, dependencies, executor } = createRuleTypeMocks();
+    const indicatorMatchAlertType = createIndicatorMatchAlertType({
+      experimentalFeatures: allowedExperimentalValues,
+      indexAlias: 'alerts.security-alerts',
+      lists: dependencies.lists,
+      logger: dependencies.logger,
+      mergeStrategy: 'allFields',
+      ruleDataClient: dependencies.ruleDataClient,
+      ruleDataService: dependencies.ruleDataService,
+      version: '1.0.0',
+    });
+
+    dependencies.alerting.registerType(indicatorMatchAlertType);
+
+    const params = {
+      from: 'now-1m',
+      index: ['*'],
+      threatIndex: ['filebeat-*'],
+      threatLanguage: 'kuery',
+      threatMapping: [
+        {
+          entries: [
+            {
+              field: 'file.hash.md5',
+              type: 'mapping',
+              value: 'threatintel.indicator.file.hash.md5',
+            },
+          ],
+        },
+      ],
+      threatQuery: '*:*',
+      to: 'now',
+    };
+
+    services.scopedClusterClient.asCurrentUser.search.mockReturnValue(
+      elasticsearchClientMock.createSuccessTransportRequestPromise({
+        hits: {
+          hits: [sampleDocNoSortId(v4()), sampleDocNoSortId(v4()), sampleDocNoSortId(v4())],
+          total: {
+            relation: 'eq',
+            value: 3,
+          },
+        },
+        took: 0,
+        timed_out: false,
+        _shards: {
+          failed: 0,
+          skipped: 0,
+          successful: 1,
+          total: 1,
+        },
+      })
+    );
+
+    await executor({ params });
+    expect(dependencies.ruleDataClient.getWriter).not.toBeCalled();
+  });
+
+  // TODO: fix
+  // it('sends an alert when enrichments are found', async () => {
   //   const { services, dependencies, executor } = createRuleTypeMocks();
   //   const indicatorMatchAlertType = createIndicatorMatchAlertType({
   //     experimentalFeatures: allowedExperimentalValues,
@@ -126,13 +189,56 @@ describe('Indicator Match Alerts', () => {
   //     to: 'now',
   //   };
   //
-  //   services.scopedClusterClient.asCurrentUser.search.mockReturnValue(
+  //   // threat list count
+  //   services.scopedClusterClient.asCurrentUser.count.mockReturnValue(
+  //     elasticsearchClientMock.createSuccessTransportRequestPromise({ count: 1 } as CountResponse)
+  //   );
+  //
+  //   // threat list doc
+  //   services.scopedClusterClient.asCurrentUser.search.mockReturnValueOnce(
+  //     elasticsearchClientMock.createSuccessTransportRequestPromise({
+  //       hits: {
+  //         hits: [
+  //           {
+  //             ...sampleDocNoSortId(v4()),
+  //             fields: {
+  //               ...sampleDocNoSortId(v4()).fields,
+  //               'threatintel.indicator.file.hash.md5': 'a1b2c3',
+  //             },
+  //           },
+  //         ],
+  //         total: {
+  //           relation: 'eq',
+  //           value: 1,
+  //         },
+  //       },
+  //       took: 0,
+  //       timed_out: false,
+  //       _shards: {
+  //         failed: 0,
+  //         skipped: 0,
+  //         successful: 1,
+  //         total: 1,
+  //       },
+  //     })
+  //   );
+  //
+  //   // alert
+  //   services.scopedClusterClient.asCurrentUser.search.mockReturnValueOnce(
   //     elasticsearchClientMock.createSuccessTransportRequestPromise({
   //       hits: {
-  //         hits: [sampleDocNoSortId(v4()), sampleDocNoSortId(v4()), sampleDocNoSortId(v4())],
+  //         hits: [
+  //           {
+  //             ...sampleDocNoSortId(v4()),
+  //             fields: {
+  //               ...sampleDocNoSortId(v4()).fields,
+  //               'file.hash.md5': 'a1b2c3',
+  //             },
+  //           },
+  //         ],
   //         total: {
   //           relation: 'eq',
-  //           value: 3,
+  //           value: 1,
   //         },
   //       },
   //       took: 0,