github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 17:59:23 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Security Solution] Updates test plans for importing and exporting prebuilt rules (#204889)

Browse source 
## Summary

Addresses https://github.com/elastic/kibana/issues/202079

Updates the existing import and export rule test plans to include front
end tests as well as more exhaustive coverage of the prebuilt rule
customization milestone 3 epic
This commit is contained in:
Davis Plumlee 2025-01-20 08:10:01 -05:00 committed by GitHub
parent 1b167d9dc2
commit 4b5f46619e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 153 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

100
x-pack/solutions/security/plugins/security_solution/docs/testing/test_plans/detection_response/prebuilt_rules/exporting.md
View file

@ -1,8 +1,8 @@
# Prebuilt Rule Export
# Detection Rule Export
This is a test plan for the exporting of prebuilt rules. This feature is an aspect of `Milestone 2` of the [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974) epic.
This is a test plan for the exporting of prebuilt and custom rules. This feature is an aspect of `Milestone 3` of the [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974) epic.
Status: `in progress`.
Status: `in progress`.
## Useful information
@ -22,42 +22,118 @@ Status: `in progress`.
### Core Functionality
#### Scenario: Exporting prebuilt rule individually
#### Scenario: Exporting prebuilt rule individually from rule details page
**Automation**: 2 cypress tests.
```Gherkin
Given a space with prebuilt rules installed
When the user selects "Export rule" from the "All actions" dropdown on the rule's page
Given a space with a <rule_type> rule installed
When the user selects "Export rule" from the "All actions" dropdown on the rule's detail page
Then the rule should be exported as an NDJSON file
And it should include an "immutable" field with a value of true
And its "ruleSource" "type" should be "external"
And its "ruleSource" "isCustomized" value should depend on whether the rule was customized
And its "ruleSource" "isCustomized" value should be <is_customized>
Examples:
| rule_type | is_customized |
| prebuilt customized | true |
| prebuilt non-customized | false |
```
#### Scenario: Exporting custom rule individually from rule details page
**Automation**: 1 cypress test.
```Gherkin
Given a space with a custom rule installed
When the user selects "Export rule" from the "All actions" dropdown on the rule's detail page
Then the rule should be exported as an NDJSON file
And it should include an "immutable" field with a value of false
And its "ruleSource" "type" should be "internal"
```
#### Scenario: Exporting prebuilt rule individually from rules management table
**Automation**: 2 cypress tests.
```Gherkin
Given a space with a <rule_type> rule installed
When the user selects "Export rule" from the rule's overflow dropdown on the rules management page
Then the rule should be exported as an NDJSON file
And it should include an "immutable" field with a value of true
And its "ruleSource" "type" should be "external"
And its "ruleSource" "isCustomized" value should be <is_customized>
Examples:
| rule_type | is_customized |
| prebuilt customized | true |
| prebuilt non-customized | false |
```
#### Scenario: Exporting custom rule individually from rules management table
**Automation**: 1 cypress test.
```Gherkin
Given a space with a custom rule installed
When the user selects "Export rule" from the rule's overflow dropdown on the rules management page
Then the rule should be exported as an NDJSON file
And it should include an "immutable" field with a value of false
And its "ruleSource" "type" should be "internal"
```
#### Scenario: Exporting prebuilt rules in bulk
**Automation**: 2 cypress tests.
```Gherkin
Given a space with prebuilt rules installed
When the user selects prebuilt rules in the alerts table
Given a space with multiple <rule_type> rules installed
When the user selects rules in the rules table
And chooses "Export" from bulk actions
Then the selected rules should be exported as an NDJSON file
And they should include an "immutable" field with a value of true
And their "ruleSource" "type" should be "external"
And their "ruleSource" "isCustomized" should depend on whether the rule was customized
And their "ruleSource" "isCustomized" should depend be <is_customized>
Examples:
| rule_type | is_customized |
| prebuilt customized | true |
| prebuilt non-customized | false |
```
#### Scenario: Exporting custom rules in bulk
**Automation**: 1 cypress test.
```Gherkin
Given a space with multiple custom rules installed
When the user selects rules in the rules table
And chooses "Export" from bulk actions
Then the selected rules should be exported as an NDJSON file
And they should include an "immutable" field with a value of false
And their "ruleSource" "type" should be "internal"
```
#### Scenario: Exporting both prebuilt and custom rules in bulk
**Automation**: 1 cypress test.
```Gherkin
Given a space with prebuilt and custom rules installed
When the user selects prebuilt rules in the alerts table
Given a space with customized prebuilt, non-customized prebuilt and custom rules installed
When the user selects rules from each type in the rules table
And chooses "Export" from bulk actions
Then the selected rules should be exported as an NDJSON file
And the prebuilt rules should include an "immutable" field with a value of true
And the custom rules should include an "immutable" field with a value of false
And the prebuilt rules' "ruleSource" "type" should be "external"
And the custom rules' "ruleSource" "type" should be "internal"
And the customized prebuilt rules' "isCustomized" value should be true
```
### Error Handling
#### Scenario: Exporting beyond the export limit
```Gherkin
Given a space with prebuilt and custom rules installed
And the number of rules is greater than the export limit (defaults to 10_000)

68
x-pack/solutions/security/plugins/security_solution/docs/testing/test_plans/detection_response/prebuilt_rules/importing.md
View file

@ -1,6 +1,6 @@
# Prebuilt Rule Import
# Detections Rule Import
This is a test plan for the importing of prebuilt rules. This feature is an aspect of `Milestone 2` of the [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974) epic.
This is a test plan for the importing of prebuilt and custom rules. This feature is an aspect of `Milestone 3` of the [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974) epic.
Status: `in progress`.
@ -24,6 +24,8 @@ Status: `in progress`.
#### Scenario: Importing an unmodified prebuilt rule with a matching rule_id and version
**Automation**: 1 cypress test and 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule with a matching rule_id and version, identical to the published rule
When the user imports the rule
@ -34,26 +36,48 @@ And isCustomized should be false
#### Scenario: Importing a customized prebuilt rule with a matching rule_id and version
**Automation**: 1 cypress test and 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule with a matching rule_id and version, modified from the published version
And the overwrite flag is set to true
When the user imports the rule
Then the rule should be created or updated
And the ruleSource type should be "external"
And isCustomized should be true
CASE: Should work with older, newer, or identical version numbers
```
#### Scenario: Importing a custom rule with a matching rule_id and version
**Automation**: 1 cypress test and 1 integration test.
```Gherkin
Given the import payload contains a custom rule with a matching rule_id and version
And the overwrite flag is set to true
When the user imports the rule
Then the rule should be updated
And the ruleSource type should be "internal"
```
#### Scenario: Importing a prebuilt rule with a matching rule_id but no matching version
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule with a matching rule_id but no matching version
And the overwrite flag is set to true
When the user imports the rule
Then the rule should be created or updated
Then the rule should be created
And the ruleSource type should be "external"
And isCustomized should be true
```
#### Scenario: Importing a prebuilt rule with a non-existent rule_id
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule with a non-existent rule_id
When the user imports the rule
@ -63,6 +87,8 @@ And the ruleSource type should be "internal"
#### Scenario: Importing a prebuilt rule without a rule_id field
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule without a rule_id field
When the user imports the rule
@ -71,6 +97,8 @@ Then the import should be rejected with a message "rule_id field is required"
#### Scenario: Importing a prebuilt rule with a matching rule_id but missing a version field
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a prebuilt rule without a version field
When the user imports the rule
@ -79,6 +107,8 @@ Then the import should be rejected with a message "version field is required"
#### Scenario: Importing an existing custom rule missing a version field
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains an existing custom rule without a version field
When the user imports the rule
@ -89,6 +119,8 @@ And the "version" field should be set to the existing rule's "version"
#### Scenario: Importing a new custom rule missing a version field
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a new custom rule without a version field
When the user imports the rule
@ -99,6 +131,8 @@ And the "version" field should be set to 1
#### Scenario: Importing a rule with overwrite flag set to true
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a rule with an existing rule_id
And the overwrite flag is set to true
@ -109,15 +143,21 @@ And the ruleSource type should be calculated based on the rule_id and version
#### Scenario: Importing a rule with overwrite flag set to false
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains a rule with an existing rule_id
And the overwrite flag is set to false
When the user imports the rule
Then the import should be rejected with a message "rule_id already exists"
CASE: should have the same outcome for all rule types
```
#### Scenario: Importing both custom and prebuilt rules
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains modified and unmodified, custom and prebuilt rules
When the user imports the rule
@ -125,3 +165,25 @@ Then custom rules should be created or updated, with versions defaulted to 1
And prebuilt rules should be created or updated,
And prebuilt rules missing versions should be rejected
```
#### Scenario: Importing prebuilt rules when the rules package is not installed
**Automation**: 1 integration test.
```Gherkin
Given the import payload contains prebuilt rules
And no rules package has been installed locally
When the user imports the rule
Then all rules should be created or updated as custom rules
```
#### Scenario: User imports a custom rule before a prebuilt rule asset is created with the same rule_id
**Automation**: 1 integration test.
```Gherkin
Given the environment contains an imported custom rule
And this rule has a rule_id of X
When a prebuilt rule asset is added with a rule_id of X
Then the imported custom rule should be upgradeable as if it were a prebuilt rule
```