[Security Solution][Alerts] refactor rule execution tests #145406
Labels
refactoring
Team:Detection Alerts
Security Detection Alerts Area Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.7.0
v8.8.0
Comments
vitaliidm
added
refactoring
Team:Detections and Resp
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Example how test written in ticket can be formatted according to draft PR Before it('should generate 1 alert for unique combination of terms, one of which is a number', async () => {
const rule: NewTermsRuleCreateProps = {
...getCreateNewTermsRulesSchemaMock('rule-1', true),
index: ['new_terms'],
new_terms_fields: ['user.name', 'user.id'],
from: '2020-10-19T05:00:04.000Z',
history_window_start: '2020-10-13T05:00:04.000Z',
};
const { previewId } = await previewRule({ supertest, rule });
const previewAlerts = await getPreviewAlerts({ es, previewId });
expect(previewAlerts.length).eql(1);
expect(previewAlerts[0]._source?.['kibana.alert.new_terms']).eql(['user-0', '1']);
});AftertSingle test it('should generate 1 alert for unique combination of terms, one of which is a number', async () => {
const historicalWindowStart = '2020-10-13T05:00:04.000Z';
const ruleExecutionStart = '2020-10-19T05:00:04.000Z';
const testId = 'test-1';
// historical window documents
const historicalDocuments = [
{ user: { name: 'user-0', id: 0 } },
{ user: { name: 'user-1', id: 1 } },
];
await indexEnhancedDocuments({
interval: [historicalWindowStart, ruleExecutionStart],
id: testId,
documents: historicalDocuments,
});
// rule execution documents
const ruleExecutionDocuments = [{ user: { name: 'user-0', id: 1 } }];
await indexEnhancedDocuments({
id: testId,
documents: ruleExecutionDocuments,
});
const rule: NewTermsRuleCreateProps = {
...getCreateNewTermsRulesSchemaMock('rule-1', true),
index: ['new_terms_refactored'],
new_terms_fields: ['user.name', 'user.id'],
from:ruleExecutionStart,
history_window_start: historicalWindowStart,
query: `id: "${testId}"`,
};
const { previewId } = await previewRule({ supertest, rule });
const previewAlerts = await getPreviewAlerts({ es, previewId });
expect(previewAlerts.length).eql(1);
expect(previewAlerts[0]._source?.['kibana.alert.new_terms']).eql(['user-0', '1']);
});Multiple testsWhen multiple tests needed to be run, additional boilerplate can be reduced to something like this: it.only('should generate 1 alert for unique combination of terms, one of which is a number', async () => {
const testId = 'test-2';
const historicalDocuments = [
{ user: { name: 'user-0', id: 0 } },
{ user: { name: 'user-1', id: 1 } },
];
const ruleExecutionDocuments = [{ user: { name: 'user-0', id: 1 } }];
await newTermsTestExecutionSetup({
historicalDocuments,
ruleExecutionDocuments,
testId,
});
const rule: NewTermsRuleCreateProps = {
...getCreateNewTermsRulesSchemaMock('rule-1', true),
index: ['new_terms_refactored'],
new_terms_fields: ['user.name', 'user.id'],
from: ruleExecutionStart,
history_window_start: historicalWindowStart,
query: `id: "${testId}"`,
};
const { previewId } = await previewRule({ supertest, rule });
const previewAlerts = await getPreviewAlerts({ es, previewId });
expect(previewAlerts.length).eql(1);
expect(previewAlerts[0]._source?.['kibana.alert.new_terms']).eql(['user-0', '1']);
});
where const historicalWindowStart = '2020-10-13T05:00:04.000Z';
const ruleExecutionStart = '2020-10-19T05:00:04.000Z';
const newTermsTestExecutionSetup = async ({
historicalDocuments,
ruleExecutionDocuments,
testId,
}: {
historicalDocuments: Array<Record<string, unknown>>;
ruleExecutionDocuments: Array<Record<string, unknown>>;
testId: string;
}) => {
await indexEnhancedDocuments({
interval: [historicalWindowStart, ruleExecutionStart],
id: testId,
documents: historicalDocuments,
});
await indexEnhancedDocuments({
id: testId,
documents: ruleExecutionDocuments,
});
}; |
vitaliidm
added a commit
that referenced
this issue
Mar 6, 2023
…151192) ## Summary - partially addresses #145406 by adding dataGenerator - once dataGenerator API agreed, we can proceed with tests refactoring if needed - added README how to use data generating tools - https://github.com/vitaliidm/kibana/blob/alerts/functional-tests-data-generator/x-pack/test/detection_engine_api_integration/utils/data_generator/README.md - partially migrated a few `new terms` tests, to give an example how to use the created tool
bmorelli25
pushed a commit
to bmorelli25/kibana
that referenced
this issue
Mar 10, 2023
…lastic#151192) ## Summary - partially addresses elastic#145406 by adding dataGenerator - once dataGenerator API agreed, we can proceed with tests refactoring if needed - added README how to use data generating tools - https://github.com/vitaliidm/kibana/blob/alerts/functional-tests-data-generator/x-pack/test/detection_engine_api_integration/utils/data_generator/README.md - partially migrated a few `new terms` tests, to give an example how to use the created tool
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, functional rule executions tests use mock documents that stored in json and ingested into indices
Random test looks something like this:
For this test to work, particular document should exist that satisfy multiple conditions:
fromvalueuser.nameanduser.idin comparison with history window itemsGiven that a number of tests could be quite big, it becomes difficult to maintain data set and add new tests that could possibly break existing
Proposal
Provision test indices with documents during test run, so it will be easy to see how many documents are present and which fields will be asserted.
Possible solution could be something like this:
Where
addDocumentcould be helper method that would add document to indexDepends on implementation or performance, there could be different ways to setup indices
The text was updated successfully, but these errors were encountered: