[Security Solution] [Platform] Adds support for data views and runtime field mappings in rule creation, exceptions, and during execution #130929

Merged
merged 107 commits into from
Jun 16, 2022
Changes from 62 commits
Commits
4ab6be4
WIP
dhurley14 Feb 9, 2022
195480b
WIP - reset me
dhurley14 Feb 14, 2022
c29db7d
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Feb 24, 2022
1e5de0d
more WIP, added runtime_mappings field to search after function in ru…
dhurley14 Mar 7, 2022
452e7ea
data view id saved on rule creation, then pull runtime mappings from …
dhurley14 Mar 8, 2022
818e0eb
fix bug where runtime mappings were not parsed
dhurley14 Mar 9, 2022
51c9db1
merge with master
dhurley14 Mar 17, 2022
111e7c0
Merge branch 'main' into dataview-rule-exec
dhurley14 Mar 21, 2022
c241aa6
undo me - combo box. not working / functional / demo-able right now
dhurley14 Mar 22, 2022
e3c0d21
merge with main
dhurley14 Mar 31, 2022
a463132
working data view selector
dhurley14 Apr 1, 2022
628e7e7
adds radio group buttons, need to update callback to disable when one…
dhurley14 Apr 5, 2022
1744714
on change of radio selection we update which index patterns to use
dhurley14 Apr 5, 2022
603b72c
more working stuff, need to fix rule preview and getIsRulePreviewDisa…
dhurley14 Apr 11, 2022
47c9baf
WIP - undo me
dhurley14 Apr 13, 2022
95bebf0
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 13, 2022
9f554de
when editing a rule, the data view id stored on that rules params wil…
dhurley14 Apr 13, 2022
b684a26
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 15, 2022
1c51bea
add dataViewId to preview rule route + preview rule state
dhurley14 Apr 21, 2022
8ab0609
fixes types
dhurley14 Apr 25, 2022
864c178
fix test
dhurley14 Apr 25, 2022
2e7381a
fixes linting errors
dhurley14 Apr 25, 2022
c77ec73
remove extra console.log
dhurley14 Apr 25, 2022
d68a8b9
remove unnecessary new line
dhurley14 Apr 25, 2022
c6088f2
possibly fixed everything
dhurley14 Apr 26, 2022
bad4c7e
we do not use this field anymore so we can probably get rid of it.
dhurley14 Apr 26, 2022
b152cf8
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 27, 2022
52985b2
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Apr 27, 2022
9966b44
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 27, 2022
120e02f
Merge remote-tracking branch 'origin/dataview-rule-exec' into datavie…
dhurley14 Apr 27, 2022
9b2b7d9
fixes cypress tests, updates response validation from server to inclu…
dhurley14 Apr 27, 2022
113c937
updates validation
dhurley14 Apr 28, 2022
e48bb65
update validation logic and updates import rule route validations to …
dhurley14 Apr 28, 2022
f754090
WIP - using dataview services
dhurley14 May 2, 2022
d734c12
fixes missing fields in rule overrides in about rule section
dhurley14 May 3, 2022
cab37f3
WIP -fixed exception flyout, fixed threshold rule input selector
dhurley14 May 4, 2022
c36ccae
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine May 4, 2022
b57ed3a
merge with master
dhurley14 May 9, 2022
60328cc
fix jest test for about rule
dhurley14 May 9, 2022
28de147
Merge remote-tracking branch 'origin/dataview-rule-exec' into datavie…
dhurley14 May 9, 2022
362a3e1
working EQL runtime mapping fields
dhurley14 May 9, 2022
5f94d20
fixes double exceptions viewer and fixes bug where data viewer select…
dhurley14 May 10, 2022
c2776c6
use dataViewId injected by saved objects references, not the one stor…
dhurley14 May 13, 2022
3f416bb
remove data view id during bulk update of rules + changing index patt…
dhurley14 May 16, 2022
b2c5586
fixed a test
dhurley14 May 16, 2022
14a6c55
remove console.errors
dhurley14 May 16, 2022
bb97d75
fixes type check errors, need to replace ruleIndices prop in exceptio…
dhurley14 May 16, 2022
f272d37
adds runtime mappings parameters to threshold and threat match rule t…
dhurley14 May 17, 2022
1c1b8fa
update pre-execution checks to work with data views and runtime mappings
dhurley14 May 17, 2022
4774d8f
bug fixes, cleanup, still trying to figure out how to get the default…
dhurley14 May 17, 2022
6a5e490
merge main with master
dhurley14 May 17, 2022
7fd22fb
fixes last typescript error
dhurley14 May 17, 2022
c39e57d
return undefined instead of empty string when a data view is not foun…
dhurley14 May 18, 2022
58b2432
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 May 18, 2022
3722a4a
[Data View Rule Creation] - Update UI and data view check on rule run…
yctercero May 19, 2022
a4c90b4
possible test fixes
dhurley14 May 19, 2022
d0fbb9b
Merge branch 'dataview-rule-exec' of github.com:dhurley14/kibana into…
dhurley14 May 19, 2022
b9e8656
fixes data view bug with indicator and threshold rules
dhurley14 May 19, 2022
bdddbce
resolve type check failures
dhurley14 May 19, 2022
0696ce8
fix cypress
dhurley14 May 19, 2022
1bb5867
fix exceptions cypress test and update typecheck error
dhurley14 May 19, 2022
c076b76
forgot to uncomment tests
dhurley14 May 19, 2022
b873b55
do not block displaying / selection of options when fetching the data…
dhurley14 May 19, 2022
d91afd4
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 May 19, 2022
110f277
[Data Views for Rules] - adding unit tests (#24)
yctercero May 20, 2022
51cd358
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine May 20, 2022
2ce7c44
updates with type fixes from review and test re-names. I still need t…
dhurley14 May 20, 2022
3ff1d99
Merge branch 'dataview-rule-exec' of github.com:dhurley14/kibana into…
dhurley14 May 20, 2022
34dd775
display data view title in rule details, not the id
dhurley14 May 20, 2022
da37d23
fixes bug where validation was failing and users could not reset/clea…
dhurley14 May 20, 2022
471d9fb
fix type check errors
dhurley14 May 20, 2022
39d1f3d
adds data view id to patch rules and patch rules bulk route, also add…
dhurley14 May 23, 2022
e8bb209
fix jest tests and type failures
dhurley14 May 23, 2022
7b8e62a
update jest tests and fix bug found by saved query integration test
dhurley14 May 23, 2022
a8a8d98
fix code + tests related to bulk editing rules + dataviews
dhurley14 May 23, 2022
8974a8f
update snapshot
dhurley14 May 23, 2022
d27f613
remove console.logs, clean up logic for get input indices
dhurley14 May 24, 2022
45a6f70
skipping related_cases tests as they are timing out
dhurley14 May 24, 2022
1b4a9c6
fix e2e test
dhurley14 May 24, 2022
f26eeae
remove null from type
dhurley14 May 24, 2022
9c85a3f
remove changes from useFetchIndex
dhurley14 May 24, 2022
e35a168
merge with main
dhurley14 May 24, 2022
e8e9e5a
skipping add exceptions flyout as possible root cause for timeouts in…
dhurley14 May 24, 2022
5be1079
remove unnecessary useEffect which was causing jest test to hang in CI
dhurley14 May 25, 2022
7754d84
undo changes while trying to figure out why jest tests were hanging i…
dhurley14 May 25, 2022
c9d18ad
undo cypress changes
dhurley14 May 26, 2022
ebeed1f
merge with main
dhurley14 May 26, 2022
6954036
undo changes to query_bar test
dhurley14 May 26, 2022
9baef65
intermediary work for resolving cypress failures with exceptions
dhurley14 Jun 2, 2022
f5e0989
merge with main
dhurley14 Jun 2, 2022
24d181a
fix missed merge conflict
dhurley14 Jun 2, 2022
357121e
update jest test
dhurley14 Jun 3, 2022
c1bb307
do not reset querybar
dhurley14 Jun 3, 2022
b5954cc
set the rule indices state in rule details page if the rule has a non…
dhurley14 Jun 3, 2022
4f69c78
undo change made while debugging t_grid
dhurley14 Jun 6, 2022
b535d5c
exports Ancestor830 from alerts schema, removes fetching of data view…
dhurley14 Jun 6, 2022
ef10521
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 6, 2022
3b39205
undo changes to endpoint data loader while testing
dhurley14 Jun 7, 2022
2b2e531
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 13, 2022
6ef4f2a
removes commented out useEffect
dhurley14 Jun 13, 2022
6637e05
fix bug where rule form was blowing up because of a missing index fie…
dhurley14 Jun 14, 2022
5d069c8
fix validation logic in eql validator
dhurley14 Jun 15, 2022
645ca2b
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 15, 2022
594b1c0
fix logic for only adding data_view_id to rule form if ml rule type
dhurley14 Jun 15, 2022
56bed04
remove commented out code
dhurley14 Jun 15, 2022
bebc731
Revert "fix bug where rule form was blowing up because of a missing i…
dhurley14 Jun 16, 2022
d2da1da
Revert "fix validation logic in eql validator"
dhurley14 Jun 16, 2022
Expand Up @@ -111,6 +111,12 @@ export type IdOrUndefined = t.TypeOf<typeof idOrUndefined>;
export const index = t.array(t.string);
export type Index = t.TypeOf<typeof index>;

export const data_view_id = t.string;
export type DataViewId = t.TypeOf<typeof data_view_id>;

export const dataViewIdOrUndefined = t.union([data_view_id, t.undefined]);
export type DataViewIdOrUndefined = t.TypeOf<typeof dataViewIdOrUndefined>;

export const indexOrUndefined = t.union([index, t.undefined]);
export type IndexOrUndefined = t.TypeOf<typeof indexOrUndefined>;

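Review bot: `export const data_view_id = t.string;` also accepts the empty string, so `''` can be stored and then round-tripped through `dataViewIdOrUndefined` as a "present" id; since a later commit in this PR deliberately returns `undefined` rather than an empty string when a data view is not found, consider a non-empty-string codec (for example `NonEmptyString` from `@kbn/securitysolution-io-ts-types`, already imported elsewhere in this PR) so an empty id is rejected at decode time.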
Expand Up @@ -53,6 +53,7 @@ import {
filters,
RuleId,
index,
data_view_id,
output_index,
saved_id,
timeline_id,
Expand Down Expand Up @@ -116,6 +117,7 @@ export const importRulesSchema = t.intersection([
filters, // defaults to undefined if not set during decode
from: DefaultFromString, // defaults to "now-6m" if not set during decode
index, // defaults to undefined if not set during decode
data_view_id, // defaults to undefined if not set during decode
immutable: OnlyFalseAllowed, // defaults to "false" if not set during decode
interval: DefaultIntervalString, // defaults to "5m" if not set during decode
query, // defaults to undefined if not set during decode
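Review bot: the new `data_view_id, // defaults to undefined if not set during decode` sits directly under `index, // defaults to undefined if not set during decode` in `importRulesSchema`, and nothing in the schema prevents an imported rule from carrying both; the comment documents the default but not the precedence, so either state in the comment which of the two execution uses when both are present, or add a refinement that rejects the combination at import time.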
Expand Up @@ -56,7 +56,7 @@ export const getCreateThreatMatchRulesSchemaMock = (
language: 'kuery',
rule_id: ruleId,
threat_query: '*:*',
threat_index: ['list-index'],
threat_index: ['auditbeat-*'],
threat_indicator_path: DEFAULT_INDICATOR_SOURCE_PATH,
interval: '5m',
from: 'now-6m',
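Review bot: `threat_index: ['list-index']` becomes `threat_index: ['auditbeat-*']` here, and the identical edit is repeated in `getThreatMatchingSchemaPartialMock` further down; hoist the value into one shared constant so the two mocks cannot drift apart, and record in the commit message why the pattern had to change, since the hunk itself gives no reason.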
Expand Up @@ -32,6 +32,7 @@ import { version } from '@kbn/securitysolution-io-ts-types';
import {
id,
index,
data_view_id,
filters,
event_category_override,
building_block_type,
Expand Down Expand Up @@ -146,6 +147,7 @@ const baseParams = {
},
optional: {
building_block_type,
data_view_id,
note,
license,
outcome,
Expand Down Expand Up @@ -209,6 +211,7 @@ const eqlRuleParams = {
},
optional: {
index,
data_view_id,
filters,
event_category_override,
},
Expand All @@ -231,6 +234,7 @@ const threatMatchRuleParams = {
},
optional: {
index,
data_view_id,
filters,
saved_id,
threat_filters,
Expand All @@ -256,6 +260,7 @@ const queryRuleParams = {
},
optional: {
index,
data_view_id,
filters,
saved_id,
},
Expand All @@ -281,6 +286,7 @@ const savedQueryRuleParams = {
// Having language, query, and filters possibly defined adds more code confusion and probably user confusion
// if the saved object gets deleted for some reason
index,
data_view_id,
query,
filters,
},
Expand All @@ -304,6 +310,7 @@ const thresholdRuleParams = {
},
optional: {
index,
data_view_id,
filters,
saved_id,
},
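Review bot: `data_view_id` is added to `baseParams.optional` and then again to the `optional` block of every rule type in this file (`eqlRuleParams`, `threatMatchRuleParams`, `queryRuleParams`, `savedQueryRuleParams`, `thresholdRuleParams`); if `baseParams` is merged into each rule-type schema, the per-type entries are redundant, and if it is not, the `baseParams` entry needs a comment saying which rule types rely on it. Either way, `index` is not in `baseParams`, so keeping the two fields together in the same place would make the "index patterns or data view" pairing easier to audit.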
Expand Up @@ -146,7 +146,7 @@ export const getThreatMatchingSchemaPartialMock = (enabled = false): Partial<Rul
query: 'user.name: root or user.name: admin',
language: 'kuery',
threat_query: '*:*',
threat_index: ['list-index'],
threat_index: ['auditbeat-*'],
threat_indicator_path: DEFAULT_INDICATOR_SOURCE_PATH,
threat_mapping: [
{
Expand Up @@ -37,12 +37,14 @@ export const hasEqlSequenceQuery = (ruleQuery: string | undefined): boolean => {
return false;
};

// these functions should be typeguards and accept an entire rule.
export const isEqlRule = (ruleType: Type | undefined): boolean => ruleType === 'eql';
export const isThresholdRule = (ruleType: Type | undefined): boolean => ruleType === 'threshold';
export const isQueryRule = (ruleType: Type | undefined): boolean =>
ruleType === 'query' || ruleType === 'saved_query';
export const isThreatMatchRule = (ruleType: Type | undefined): boolean =>
ruleType === 'threat_match';
export const isMlRule = (ruleType: Type | undefined): boolean => ruleType === 'machine_learning';
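Review bot: the comment directly above this block, `// these functions should be typeguards and accept an entire rule.`, is still not honoured by the new `isMlRule`, which returns a plain `boolean`; writing it as `export const isMlRule = (ruleType: Type | undefined): ruleType is 'machine_learning' => ruleType === 'machine_learning';` would at least make it a type guard on the field it checks, and keeps it consistent with the intent the comment states.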
Contributor

Nit: Looks like we're starting to define these in numerous places - could probably be moved to kbn-securitysolution-utils.

Member

We've got one over here:

export const isMlRule = (ruleType: Type | undefined) => ruleType === 'machine_learning';

and here as well too btw:

const isMlRule = useMemo(() => ruleType === 'machine_learning', [ruleType]);


export const normalizeThresholdField = (
thresholdField: string | string[] | null | undefined
Expand Up @@ -124,8 +124,9 @@ export async function indexEndpointHostDocs({
generator.updateHostData();
generator.updateHostPolicyData();

// timestamp - timeBetweenDocs * (numDocs - j - 1),
hostMetadata = generator.generateHostMetadata(
timestamp - timeBetweenDocs * (numDocs - j - 1),
timestamp,
EndpointDocGenerator.createDataStreamFromIndex(metadataIndex)
);
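Review bot: the old expression is kept as the comment `// timestamp - timeBetweenDocs * (numDocs - j - 1),` above its replacement rather than deleted, which leaves dead code in the data loader; remove it, and since the discussion on this file says the change was undone in 3b39205, check that the final diff no longer touches `indexEndpointHostDocs` at all.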
Member

this seems like a strange change cc @paul-tavares

Contributor

I remember copying code similar to this from/to another place in the data loaders. I had to do it in order for the documents to get picked up by the transforms (I think @joeypoon also had to do something similar). It had something to do with ensuring that we did not send a document whose timestamp had lapsed the transform process windows.

@joeypoon do you remember? I also know we use these data loaders from FTR and you were just making changes there recently to improve it.

Also - if there is a better way to do this, we should change it. Maybe Stop the transform, then restart it? 🤷‍♂️

Contributor Author

For some reason the script was loading alerts into the future? This fixed that.. Not sure if you've also seen that or if it was a design feature or me not using it properly...

Contributor

yeah, I remember seeing that @dhurley14 . But now I wonder if your change broke the loading of the Endpoints.

@joeypoon, @pzl - can you check out this PR and test it? Load some endpoints (ensure you use the --fleet flag) and then validate that they all show up on the Endpoint List.

Member

I don't recall this specific piece of code but the '@timestamp': hostMetadata['@timestamp'] + 60000 slightly below this I definitely added to get around the transform checkpoint times as you mentioned @paul-tavares. We do actually use the stop transform, insert, then start transform instead in some places now too as you mentioned. I agree that this is a better solution.

Will test this out locally.

Member

To my slight confusion, loading endpoints still works. I got 30/30 loaded. I'd need to dig a bit deeper to see why it's working without the offset now. We did change the transform delay back to 4s recently from 1s but IIRC, when this offset was initially added, we were already at a 4s delay.

Contributor

Might be worth removing with this PR, even if it is a change needed for endpoint. That way we don't increase the surface level of possible bugs here.

Contributor Author

@joeypoon I undid these changes here 3b39205

I think this was the only piece of code that triggered the code owners from OLM right?

Member

I believe that's correct.


Expand Down Expand Up @@ -198,7 +199,8 @@ export async function indexEndpointHostDocs({
// there is an extra delay and fleet-agents gets populated much sooner.
// we manually add a delay to the time sync field so that the united transform
// will pick up the latest metadata doc.
'@timestamp': hostMetadata['@timestamp'] + 60000,
// hostMetadata['@timestamp'] + 60000,
'@timestamp': hostMetadata['@timestamp'],
};
await client
.index({
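Review bot: the explanatory comment kept above this change still reads `// we manually add a delay to the time sync field so that the united transform` / `// will pick up the latest metadata doc.`, but the delay is now gone (`'@timestamp': hostMetadata['@timestamp'],`) and survives only as the commented-out `// hostMetadata['@timestamp'] + 60000,`; update or drop the comment together with the dead line so the code and its explanation do not contradict each other.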
Expand Up @@ -45,7 +45,7 @@ import {
typeTags,
} from '../../tasks/rules_bulk_edit';

import { hasIndexPatterns } from '../../tasks/rule_details';
import { hasIndexPatterns, doesNotHaveDataView } from '../../tasks/rule_details';
import { login, visitWithoutDateRange } from '../../tasks/login';

import { SECURITY_DETECTIONS_RULES_URL } from '../../urls/navigation';
Expand All @@ -61,6 +61,7 @@ import {
import { esArchiverResetKibana } from '../../tasks/es_archiver';

const RULE_NAME = 'Custom rule for bulk actions';
const DATA_VIEW_RULE_NAME = 'Custom rule for bulk actions + data view';

const CUSTOM_INDEX_PATTERN_1 = 'custom-cypress-test-*';
const DEFAULT_INDEX_PATTERNS = ['index-1-*', 'index-2-*'];
Expand All @@ -73,6 +74,13 @@ const customRule = {
name: RULE_NAME,
};

const customRuleWithDataViewId = {
...getNewRule(),
index: DEFAULT_INDEX_PATTERNS,
dataViewId: 'myfakedataview',
name: DATA_VIEW_RULE_NAME,
};

describe('Detection rules, bulk edit', () => {
before(() => {
cleanKibana();
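Review bot: `customRuleWithDataViewId` sets both `index: DEFAULT_INDEX_PATTERNS` and `dataViewId: 'myfakedataview'`; since the fixture exists to exercise the data-view path, a comment should state whether bulk edit is expected to prefer the data view over the index patterns, and should say that `'myfakedataview'` (as its name suggests) is not meant to resolve to a real data view, so a reader does not mistake the rule for one that loads runtime mappings during the test.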
Expand Down Expand Up @@ -123,6 +131,61 @@ describe('Detection rules, bulk edit', () => {
hasIndexPatterns([...DEFAULT_INDEX_PATTERNS, CUSTOM_INDEX_PATTERN_1].join(''));
});

it('should warn before add/delete/overwrite index patterns in rules when rule with dataview id is selected', () => {
cy.log('Creates custom rule with dataViewId');
createCustomRule(customRuleWithDataViewId, 'rule with dataview id');

cy.log('Adds index patterns');
// Switch to 5 rules per page, so we can edit all existing rules, not only ones on a page
// this way we will use underlying bulk edit API with query parameter, which update all rules based on query search results
changeRowsPerPageTo(5);
selectAllRules();

openBulkEditAddIndexPatternsForm();
typeIndexPatterns([CUSTOM_INDEX_PATTERN_1]);
confirmBulkEditForm();
waitForBulkEditActionToFinish({ rulesCount: 7 });

// check if rule has been updated
changeRowsPerPageTo(20);
goToTheRuleDetailsOf(DATA_VIEW_RULE_NAME);
hasIndexPatterns([...DEFAULT_INDEX_PATTERNS, CUSTOM_INDEX_PATTERN_1].join(''));
cy.go('back');

cy.log('Deletes index patterns');
// select all rules on page (as page displays all existing rules).
// this way we will use underlying bulk edit API with ids parameter, which updates rules based their ids
cy.get(SELECT_ALL_RULES_ON_PAGE_CHECKBOX).click();
openBulkEditDeleteIndexPatternsForm();
typeIndexPatterns([CUSTOM_INDEX_PATTERN_1]);
confirmBulkEditForm();
waitForBulkEditActionToFinish({ rulesCount: 7 });

// check if rule has been updated
goToTheRuleDetailsOf(DATA_VIEW_RULE_NAME);
hasIndexPatterns(DEFAULT_INDEX_PATTERNS.join(''));
cy.go('back');

cy.log('Overwrites index patterns');
cy.get(SELECT_ALL_RULES_ON_PAGE_CHECKBOX).click();
openBulkEditAddIndexPatternsForm();
cy.get(RULES_BULK_EDIT_OVERWRITE_INDEX_PATTERNS_CHECKBOX)
.should('have.text', 'Overwrite all selected rules index patterns')
.click();
cy.get(RULES_BULK_EDIT_INDEX_PATTERNS_WARNING).should(
'have.text',
'You’re about to overwrite index patterns for 7 selected rules, press Save to apply changes.'
);
typeIndexPatterns(OVERWRITE_INDEX_PATTERNS);
confirmBulkEditForm();
waitForBulkEditActionToFinish({ rulesCount: 7 });

// check if rule has been updated
goToTheRuleDetailsOf(DATA_VIEW_RULE_NAME);
hasIndexPatterns(OVERWRITE_INDEX_PATTERNS.join(''));
doesNotHaveDataView();
});

it('should add/delete/overwrite index patterns in rules', () => {
cy.log('Adds index patterns');
// Switch to 5 rules per page, so we can edit all existing rules, not only ones on a page
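Review bot: the new test is titled `should warn before add/delete/overwrite index patterns in rules when rule with dataview id is selected`, but the only warning assertion in its body is the `RULES_BULK_EDIT_INDEX_PATTERNS_WARNING` check in the overwrite step; the add and delete steps assert only on the rule details afterwards, so either assert the warning there as well or narrow the title. `doesNotHaveDataView()` is likewise checked only after the overwrite, which leaves it unstated whether add and delete are expected to keep the data view on the rule.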
Expand Up @@ -331,6 +331,10 @@ describe('Custom query rules', () => {
// expect define step to populate
cy.get(CUSTOM_QUERY_INPUT).should('have.value', getExistingRule().customQuery);
if (getExistingRule().index && getExistingRule().index.length > 0) {
// cy.get('[id="indexPatterns"]').click({ force: true });
// cy.get('[data-test-subj="detectionEngineStepDefineRuleIndexPatternsAccordion"]').click({
// force: true,
// });
cy.get(DEFINE_INDEX_INPUT).should('have.text', getExistingRule().index.join(''));
}

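Review bot: the three commented-out `cy.get(...)` lines added in front of the `DEFINE_INDEX_INPUT` assertion are dead code; delete them rather than leaving alternative selectors in a test whose behaviour is otherwise unchanged by this hunk.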
Expand Up @@ -169,8 +169,8 @@ describe('Detection rules, override', () => {
cy.get(NUMBER_OF_ALERTS)
.invoke('text')
.should('match', /^[1-9].+$/); // Any number of alerts
cy.get(ALERT_GRID_CELL).contains('auditbeat');
cy.get(ALERT_GRID_CELL).contains('critical');
cy.get(ALERT_GRID_CELL).contains('80');
cy.get(ALERT_GRID_CELL).contains('siem-kibana');
cy.get(ALERT_GRID_CELL).contains('test');
cy.get(ALERT_GRID_CELL).contains('zsh');
});
});
Expand Up @@ -130,12 +130,12 @@ describe('Exceptions flyout', () => {
cy.get(ADD_AND_BTN).click();
addExceptionEntryFieldValue('@timestamp', 1);
cy.get(ADD_AND_BTN).click();
addExceptionEntryFieldValue('c', 2);
addExceptionEntryFieldValue('agent.hostname', 2);

// delete second item, invalid values 'a' and 'c' should remain
cy.get(ENTRY_DELETE_BTN).eq(1).click();
cy.get(FIELD_INPUT).eq(0).should('have.text', 'agent.name');
cy.get(FIELD_INPUT).eq(1).should('have.text', 'c');
cy.get(FIELD_INPUT).eq(1).should('have.text', 'agent.hostname');

closeExceptionBuilderFlyout();
});
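Review bot: the comment `// delete second item, invalid values 'a' and 'c' should remain` is now stale, because `'c'` was replaced with `'agent.hostname'`, a real field rather than an invalid value; update the comment to describe what the `FIELD_INPUT` assertions now guard, otherwise the next reader will assume the test still covers invalid entries.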
Expand All @@ -158,7 +158,7 @@ describe('Exceptions flyout', () => {
cy.get(ADD_AND_BTN).click();
addExceptionEntryFieldValueOfItemX('user.last', 1, 1);
cy.get(ADD_AND_BTN).click();
addExceptionEntryFieldValueOfItemX('e', 1, 2);
addExceptionEntryFieldValueOfItemX('host.architecture', 1, 2);

// delete single entry from exception item 2
cy.get(ENTRY_DELETE_BTN).eq(3).click();
Expand All @@ -177,7 +177,11 @@ describe('Exceptions flyout', () => {
.find(FIELD_INPUT)
.eq(0)
.should('have.text', 'user.first');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(1).find(FIELD_INPUT).eq(1).should('have.text', 'e');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(1)
.find(FIELD_INPUT)
.eq(1)
.should('have.text', 'host.architecture');

// delete remaining entries in exception item 2
cy.get(ENTRY_DELETE_BTN).eq(2).click();
Expand Down Expand Up @@ -210,9 +214,9 @@ describe('Exceptions flyout', () => {
cy.get(ADD_OR_BTN).click();
addExceptionEntryFieldValueOfItemX('agent.name', 1, 0);
cy.get(ADD_NESTED_BTN).click();
addExceptionEntryFieldValueOfItemX('user.id{downarrow}{enter}', 1, 1);
addExceptionEntryFieldValueOfItemX('file.elf.sections{downArrow}{enter}', 1, 1);
cy.get(ADD_AND_BTN).click();
addExceptionEntryFieldValueOfItemX('last{downarrow}{enter}', 1, 3);
addExceptionEntryFieldValueOfItemX('chi2{downArrow}{enter}', 1, 3);
// This button will now read `Add non-nested button`
cy.get(ADD_NESTED_BTN).scrollIntoView();
cy.get(ADD_NESTED_BTN).focus().click();
Expand All @@ -225,14 +229,22 @@ describe('Exceptions flyout', () => {
.find(FIELD_INPUT)
.eq(0)
.should('have.text', 'agent.name');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(0).find(FIELD_INPUT).eq(1).should('have.text', 'b');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(0)
.find(FIELD_INPUT)
.eq(1)
.should('have.text', 'agent.build.original');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(1)
.find(FIELD_INPUT)
.eq(0)
.should('have.text', 'agent.name');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(1).find(FIELD_INPUT).eq(1).should('have.text', 'user');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(1).find(FIELD_INPUT).eq(2).should('have.text', 'last');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(1)
.find(FIELD_INPUT)
.eq(1)
.should('have.text', 'file.elf.sections');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(1).find(FIELD_INPUT).eq(2).should('have.text', 'chi2');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(1)
.find(FIELD_INPUT)
Expand All @@ -246,7 +258,11 @@ describe('Exceptions flyout', () => {
.find(FIELD_INPUT)
.eq(0)
.should('have.text', 'agent.name');
cy.get(EXCEPTION_ITEM_CONTAINER).eq(0).find(FIELD_INPUT).eq(1).should('have.text', 'b');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(0)
.find(FIELD_INPUT)
.eq(1)
.should('have.text', 'agent.build.original');
cy.get(EXCEPTION_ITEM_CONTAINER)
.eq(1)
.find(FIELD_INPUT)
Expand All @@ -268,6 +284,7 @@ describe('Exceptions flyout', () => {
return $el.find(ADD_AND_BTN);
})
.should('be.visible');
addExceptionEntryFieldValueOfItemX('unique_value.test', 0, 0);
cy.get(FIELD_INPUT).eq(0).click({ force: true });
cy.get(EXCEPTION_FIELD_LIST).contains('unique_value.test');

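Review bot: `addExceptionEntryFieldValueOfItemX('unique_value.test', 0, 0);` is now typed into the field before `cy.get(EXCEPTION_FIELD_LIST).contains('unique_value.test')` is asserted; if the combo box echoes custom input back as an option, the assertion passes whether or not the runtime field is actually present, so confirm the check still proves the field comes from the data view's field list rather than from the typed text.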
Expand Up @@ -39,6 +39,8 @@ export const FALSE_POSITIVES_DETAILS = 'False positive examples';

export const INDEX_PATTERNS_DETAILS = 'Index patterns';

export const DATA_VIEW_DETAILS = 'Data View';

export const INDICATOR_INDEX_PATTERNS = 'Indicator index patterns';

export const INDICATOR_INDEX_QUERY = 'Indicator index query';
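Review bot: `export const DATA_VIEW_DETAILS = 'Data View';` uses title case while the neighbouring labels (`'Index patterns'`, `'Indicator index patterns'`) use sentence case; if the details page renders `Data view`, the Cypress lookup built on this constant will not match, so align the casing with the UI string this constant is meant to find.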