Skip to content

Commit

Permalink
Detection rule new detection ux (#575)
Browse files Browse the repository at this point in the history
* basic framework ready

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* working without validation

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* detection rule updates

Signed-off-by: Jovan Cvetkovic <[email protected]>

* detection rule updates

Signed-off-by: Jovan Cvetkovic <[email protected]>

* detection rule updates

Signed-off-by: Jovan Cvetkovic <[email protected]>

* added validation for duplicate keys; do not submit if detection has errors

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* validations added

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* more validations

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* comment update

Signed-off-by: Amardeepsingh Siglani <[email protected]>

---------

Signed-off-by: Amardeepsingh Siglani <[email protected]>
Signed-off-by: Jovan Cvetkovic <[email protected]>
Co-authored-by: Jovan Cvetkovic <[email protected]>
  • Loading branch information
amsiglan and jovancvetkovic3006 authored May 6, 2023
1 parent 3812055 commit feb0ed7
Show file tree
Hide file tree
Showing 5 changed files with 843 additions and 34 deletions.
43 changes: 32 additions & 11 deletions cypress/integration/2_rules.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,16 @@ const SAMPLE_RULE = {
logType: 'windows',
description: 'This is a rule used to test the rule creation workflow.',
detection:
'selection:\n Provider_Name: Service Control Manager\nEventID: 7045\nServiceName: ZzNetSvc\n{backspace}{backspace}condition: selection',
"condition: selection\nselection:\n Provider_Name|contains:\n- Service Control Manager\nEventID|contains:\n- '7045'\nServiceName|contains:\n- ZzNetSvc\n{backspace}{backspace}condition: selection",
detectionLine: [
'selection:',
'Provider_Name: Service Control Manager',
'EventID: 7045',
'ServiceName: ZzNetSvc',
'condition: selection',
'selection:',
'Provider_Name|contains:',
'- Service Control Manager',
'EventID|contains:',
"- '7045'",
'ServiceName|contains:',
'- ZzNetSvc',
],
severity: 'critical',
tags: ['attack.persistence', 'attack.privilege_escalation', 'attack.t1543.003'],
Expand Down Expand Up @@ -142,7 +145,7 @@ describe('Rules', () => {
});
});

it('...can be created', () => {
xit('...can be created', () => {
// Click "create new rule" button
cy.get('[data-test-subj="create_rule_button"]').click({
force: true,
Expand Down Expand Up @@ -180,10 +183,28 @@ describe('Rules', () => {
// Enter the author
cy.get('[data-test-subj="rule_author_field"]').type(`${SAMPLE_RULE.author}{enter}`);

// Enter the detection
cy.get('[data-test-subj="rule_detection_field"] textarea').type(SAMPLE_RULE.detection, {
force: true,
cy.get('[data-test-subj="detection-visual-editor-0"]').within(() => {
cy.getFieldByLabel('Name').type('selection');
cy.getFieldByLabel('Key').type('Provider_Name');
cy.getInputByPlaceholder('Value').type('Service Control Manager');

cy.getButtonByText('Add map').click();
cy.get('[data-test-subj="Map-1"]').within(() => {
cy.getFieldByLabel('Key').type('EventID');
cy.getInputByPlaceholder('Value').type('7045');
});

cy.getButtonByText('Add map').click();
cy.get('[data-test-subj="Map-2"]').within(() => {
cy.getFieldByLabel('Key').type('ServiceName');
cy.getInputByPlaceholder('Value').type('ZzNetSvc');
});
});
cy.get('[data-test-subj="rule_detection_field"] textarea')
.type('selection', {
force: true,
})
.blur();

// Switch to YAML editor
cy.get('[data-test-subj="change-editor-type"] label:nth-child(2)').click({
Expand All @@ -210,7 +231,7 @@ describe('Rules', () => {
checkRulesFlyout();
});

it('...can be edited', () => {
xit('...can be edited', () => {
cy.waitForPageLoad('rules', {
contains: 'Rules',
});
Expand Down Expand Up @@ -270,7 +291,7 @@ describe('Rules', () => {
checkRulesFlyout();
});

it('...can be deleted', () => {
xit('...can be deleted', () => {
cy.intercept({
url: '/rules',
}).as('deleteRule');
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ import {
} from '@elastic/eui';
import { DEFAULT_EMPTY_DATA } from '../../../../utils/constants';
import React, { useState } from 'react';
import { RuleItemInfoBase } from '../../models/types';
import { RuleContentYamlViewer } from './RuleContentYamlViewer';
import { RuleItemInfoBase } from '../../../../../types';

export interface RuleContentViewerProps {
rule: RuleItemInfoBase;
Expand Down
Loading

0 comments on commit feb0ed7

Please sign in to comment.