[Security Solution] Upgrade tests for DE rule types - alerts on legacy alerts (#125331)

* Add integration tests for alerts-on-legacy-alerts

* Remove query rule tests from prior location - they were moved

* Remove 'kibana' field from alerts on legacy alerts

* Fix tests

* Delete alerts before proceeding from compatibility tests

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Madison Caldwell 2022-02-15 13:51:44 -05:00 committed by GitHub
parent 07e645764c
commit 7d186f945b
5 changed files with 4903 additions and 163 deletions


@ -13,12 +13,14 @@ export const filterSource = (doc: SignalSourceHit): Partial<RACAlert> => {
const docSource = doc._source ?? {};
const {
event,
kibana,
signal,
threshold_result: siemSignalsThresholdResult,
[ALERT_THRESHOLD_RESULT]: alertThresholdResult,
...filteredSource
} = docSource || {
event: null,
kibana: null,
signal: null,
threshold_result: null,
[ALERT_THRESHOLD_RESULT]: null,
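Review bot: The two new `kibana` entries in the destructure (the `kibana,` binding and its `kibana: null` fallback) silently drop the legacy document's `kibana` object from `filteredSource`, and nothing in the hunk says why, so a later reader may mistake the unused binding for a leftover. Suggest a comment above the `const {` line: `// Strip the legacy alert's kibana object (like event and signal) so stale kibana.* metadata is not carried onto the new alert, where it could shadow the kibana.alert.* fields written for it.` The reason is inferred from the commit message and the new integration tests, which assert that hit._source.kibana is undefined; adjust the wording if the motivation differs. filterSource's body continues outside the hunk.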


@ -13,22 +13,54 @@ import {
DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL,
} from '../../../../../plugins/security_solution/common/constants';
import {
createRule,
createSignalsIndex,
deleteAllAlerts,
deleteSignalsIndex,
finalizeSignalsMigration,
getEqlRuleForSignalTesting,
getRuleForSignalTesting,
getSavedQueryRuleForSignalTesting,
getSignalsByIds,
getThreatMatchRuleForSignalTesting,
getThresholdRuleForSignalTesting,
startSignalsMigration,
waitFor,
waitForRuleSuccessOrStatus,
waitForSignalsToBePresent,
} from '../../../utils';
import { FtrProviderContext } from '../../../common/ftr_provider_context';
import { ThreatEcs } from '../../../../../plugins/security_solution/common/ecs/threat';
import {
EqlCreateSchema,
QueryCreateSchema,
SavedQueryCreateSchema,
ThreatMatchCreateSchema,
ThresholdCreateSchema,
} from '../../../../../plugins/security_solution/common/detection_engine/schemas/request';
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const log = getService('log');
const supertest = getService('supertest');
describe('Alerts Compatibility', function () {
beforeEach(async () => {
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('CTI', () => {
const expectedDomain = 'elastic.local';
const expectedProvider = 'provider1';
@ -40,20 +72,6 @@ export default ({ getService }: FtrProviderContext) => {
type: 'indicator_match_rule',
};
beforeEach(async () => {
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await deleteSignalsIndex(supertest, log);
});
it('allows querying of legacy enriched signals by threat.indicator', async () => {
const {
body: {
@ -161,6 +179,528 @@ export default ({ getService }: FtrProviderContext) => {
);
expect(enrichmentProviders).to.eql([expectedProvider, expectedProvider]);
});
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const rule: ThreatMatchCreateSchema = getThreatMatchRuleForSignalTesting([
'.siem-signals-*',
]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const rule: ThreatMatchCreateSchema = getThreatMatchRuleForSignalTesting([
`.alerts-security.alerts-default`,
]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
});
describe('Query', () => {
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const rule: QueryCreateSchema = getRuleForSignalTesting([`.siem-signals-*`]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
const {
'@timestamp': timestamp,
'kibana.version': kibanaVersion,
'kibana.alert.rule.created_at': createdAt,
'kibana.alert.rule.updated_at': updatedAt,
'kibana.alert.rule.execution.uuid': executionUuid,
'kibana.alert.uuid': alertId,
...source
} = hit._source!;
expect(source).to.eql({
'kibana.alert.rule.category': 'Custom Query Rule',
'kibana.alert.rule.consumer': 'siem',
'kibana.alert.rule.name': 'Signal Testing Query',
'kibana.alert.rule.producer': 'siem',
'kibana.alert.rule.rule_type_id': 'siem.queryRule',
'kibana.alert.rule.uuid': id,
'kibana.space_ids': ['default'],
'kibana.alert.rule.tags': [],
agent: {
ephemeral_id: '07c24b1e-3663-4372-b982-f2d831e033eb',
hostname: 'elastic.local',
id: 'ce7741d9-3f0a-466d-8ae6-d7d8f883fcec',
name: 'elastic.local',
type: 'auditbeat',
version: '7.14.0',
},
ecs: { version: '1.10.0' },
host: {
architecture: 'x86_64',
hostname: 'elastic.local',
id: '1633D595-A115-5BF5-870B-A471B49446C3',
ip: ['192.168.1.1'],
mac: ['aa:bb:cc:dd:ee:ff'],
name: 'elastic.local',
os: {
build: '20G80',
family: 'darwin',
kernel: '20.6.0',
name: 'Mac OS X',
platform: 'darwin',
type: 'macos',
version: '10.16',
},
},
message: 'Process mdworker_shared (PID: 32306) by user elastic STARTED',
process: {
args: [
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
'-s',
'mdworker',
'-c',
'MDSImporterWorker',
'-m',
'com.apple.mdworker.shared',
],
entity_id: 'wfc7zUuEinqxUbZ6',
executable:
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
hash: { sha1: '5f3233fd75c14b315731684d59b632df36a731a6' },
name: 'mdworker_shared',
pid: 32306,
ppid: 1,
start: '2021-08-04T04:14:48.830Z',
working_directory: '/',
},
service: { type: 'system' },
threat: {
indicator: [
{
domain: 'elastic.local',
event: {
category: 'threat',
created: '2021-08-04T03:53:30.761Z',
dataset: 'ti_abusech.malware',
ingested: '2021-08-04T03:53:37.514040Z',
kind: 'enrichment',
module: 'threatintel',
reference: 'https://urlhaus.abuse.ch/url/12345/',
type: 'indicator',
},
first_seen: '2021-08-03T20:35:17.000Z',
matched: {
atomic: 'elastic.local',
field: 'host.name',
id: '_tdUD3sBcVT20cvWAkpd',
index: 'filebeat-7.14.0-2021.08.04-000001',
type: 'indicator_match_rule',
},
provider: 'provider1',
type: 'url',
url: {
domain: 'elastic.local',
extension: 'php',
full: 'http://elastic.local/thing',
original: 'http://elastic.local/thing',
path: '/thing',
scheme: 'http',
},
},
],
},
user: {
effective: { group: { id: '20' }, id: '501' },
group: { id: '20', name: 'staff' },
id: '501',
name: 'elastic',
saved: { group: { id: '20' }, id: '501' },
},
'event.action': 'process_started',
'event.category': ['process'],
'event.dataset': 'process',
'event.kind': 'signal',
'event.module': 'system',
'event.type': ['start'],
'kibana.alert.ancestors': [
{
depth: 0,
id: 'yNdfD3sBcVT20cvWFEs2',
index: 'auditbeat-7.14.0-2021.08.04-000001',
type: 'event',
},
{
id: '0527411874b23bcea85daf5bf7dcacd144536ba6d92d3230a4a0acfb7de7f512',
type: 'signal',
index: '.siem-signals-default-000001',
depth: 1,
rule: '832f86f0-f4da-11eb-989d-b758d09dbc85',
},
],
'kibana.alert.status': 'active',
'kibana.alert.workflow_status': 'open',
'kibana.alert.depth': 2,
'kibana.alert.reason':
'process event with process mdworker_shared, by elastic on elastic.local created high alert Signal Testing Query.',
'kibana.alert.severity': 'high',
'kibana.alert.risk_score': 1,
'kibana.alert.rule.parameters': {
description: 'Tests a simple query',
risk_score: 1,
severity: 'high',
author: [],
false_positives: [],
from: '1900-01-01T00:00:00.000Z',
rule_id: 'rule-1',
max_signals: 100,
risk_score_mapping: [],
severity_mapping: [],
threat: [],
to: 'now',
references: [],
version: 1,
exceptions_list: [],
immutable: false,
type: 'query',
language: 'kuery',
index: ['.siem-signals-*'],
query: '*:*',
},
'kibana.alert.rule.actions': [],
'kibana.alert.rule.created_by': 'elastic',
'kibana.alert.rule.enabled': true,
'kibana.alert.rule.interval': '5m',
'kibana.alert.rule.updated_by': 'elastic',
'kibana.alert.rule.type': 'query',
'kibana.alert.rule.description': 'Tests a simple query',
'kibana.alert.rule.risk_score': 1,
'kibana.alert.rule.severity': 'high',
'kibana.alert.rule.author': [],
'kibana.alert.rule.false_positives': [],
'kibana.alert.rule.from': '1900-01-01T00:00:00.000Z',
'kibana.alert.rule.rule_id': 'rule-1',
'kibana.alert.rule.max_signals': 100,
'kibana.alert.rule.risk_score_mapping': [],
'kibana.alert.rule.severity_mapping': [],
'kibana.alert.rule.threat': [],
'kibana.alert.rule.to': 'now',
'kibana.alert.rule.references': [],
'kibana.alert.rule.version': 1,
'kibana.alert.rule.exceptions_list': [],
'kibana.alert.rule.immutable': false,
'kibana.alert.original_time': '2021-08-04T04:14:58.973Z',
'kibana.alert.original_event.action': 'process_started',
'kibana.alert.original_event.category': ['process'],
'kibana.alert.original_event.dataset': 'process',
'kibana.alert.original_event.kind': 'signal',
'kibana.alert.original_event.module': 'system',
'kibana.alert.original_event.type': ['start'],
});
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const rule: QueryCreateSchema = getRuleForSignalTesting([
`.alerts-security.alerts-default`,
]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
const {
'@timestamp': timestamp,
'kibana.version': kibanaVersion,
'kibana.alert.rule.created_at': createdAt,
'kibana.alert.rule.updated_at': updatedAt,
'kibana.alert.rule.execution.uuid': executionUuid,
'kibana.alert.uuid': alertId,
...source
} = hit._source!;
expect(source).to.eql({
'kibana.alert.rule.category': 'Custom Query Rule',
'kibana.alert.rule.consumer': 'siem',
'kibana.alert.rule.name': 'Signal Testing Query',
'kibana.alert.rule.producer': 'siem',
'kibana.alert.rule.rule_type_id': 'siem.queryRule',
'kibana.alert.rule.uuid': id,
'kibana.space_ids': ['default'],
'kibana.alert.rule.tags': [],
agent: {
ephemeral_id: '07c24b1e-3663-4372-b982-f2d831e033eb',
hostname: 'elastic.local',
id: 'ce7741d9-3f0a-466d-8ae6-d7d8f883fcec',
name: 'elastic.local',
type: 'auditbeat',
version: '7.14.0',
},
ecs: { version: '1.10.0' },
host: {
architecture: 'x86_64',
hostname: 'elastic.local',
id: '1633D595-A115-5BF5-870B-A471B49446C3',
ip: ['192.168.1.1'],
mac: ['aa:bb:cc:dd:ee:ff'],
name: 'elastic.local',
os: {
build: '20G80',
family: 'darwin',
kernel: '20.6.0',
name: 'Mac OS X',
platform: 'darwin',
type: 'macos',
version: '10.16',
},
},
message: 'Process mdworker_shared (PID: 32306) by user elastic STARTED',
process: {
args: [
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
'-s',
'mdworker',
'-c',
'MDSImporterWorker',
'-m',
'com.apple.mdworker.shared',
],
entity_id: 'wfc7zUuEinqxUbZ6',
executable:
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
hash: { sha1: '5f3233fd75c14b315731684d59b632df36a731a6' },
name: 'mdworker_shared',
pid: 32306,
ppid: 1,
start: '2021-08-04T04:14:48.830Z',
working_directory: '/',
},
service: { type: 'system' },
threat: {
indicator: [
{
domain: 'elastic.local',
event: {
category: 'threat',
created: '2021-08-04T03:53:30.761Z',
dataset: 'ti_abusech.malware',
ingested: '2021-08-04T03:53:37.514040Z',
kind: 'enrichment',
module: 'threatintel',
reference: 'https://urlhaus.abuse.ch/url/12345/',
type: 'indicator',
},
first_seen: '2021-08-03T20:35:17.000Z',
matched: {
atomic: 'elastic.local',
field: 'host.name',
id: '_tdUD3sBcVT20cvWAkpd',
index: 'filebeat-7.14.0-2021.08.04-000001',
type: 'indicator_match_rule',
},
provider: 'provider1',
type: 'url',
url: {
domain: 'elastic.local',
extension: 'php',
full: 'http://elastic.local/thing',
original: 'http://elastic.local/thing',
path: '/thing',
scheme: 'http',
},
},
],
},
user: {
effective: { group: { id: '20' }, id: '501' },
group: { id: '20', name: 'staff' },
id: '501',
name: 'elastic',
saved: { group: { id: '20' }, id: '501' },
},
'event.action': 'process_started',
'event.category': ['process'],
'event.dataset': 'process',
'event.kind': 'signal',
'event.module': 'system',
'event.type': ['start'],
'kibana.alert.ancestors': [
{
depth: 0,
id: 'yNdfD3sBcVT20cvWFEs2',
index: 'auditbeat-7.14.0-2021.08.04-000001',
type: 'event',
},
{
id: '0527411874b23bcea85daf5bf7dcacd144536ba6d92d3230a4a0acfb7de7f512',
type: 'signal',
index: '.siem-signals-default-000001',
depth: 1,
rule: '832f86f0-f4da-11eb-989d-b758d09dbc85',
},
],
'kibana.alert.status': 'active',
'kibana.alert.workflow_status': 'open',
'kibana.alert.depth': 2,
'kibana.alert.reason':
'process event with process mdworker_shared, by elastic on elastic.local created high alert Signal Testing Query.',
'kibana.alert.severity': 'high',
'kibana.alert.risk_score': 1,
'kibana.alert.rule.parameters': {
description: 'Tests a simple query',
risk_score: 1,
severity: 'high',
author: [],
false_positives: [],
from: '1900-01-01T00:00:00.000Z',
rule_id: 'rule-1',
max_signals: 100,
risk_score_mapping: [],
severity_mapping: [],
threat: [],
to: 'now',
references: [],
version: 1,
exceptions_list: [],
immutable: false,
type: 'query',
language: 'kuery',
index: ['.alerts-security.alerts-default'],
query: '*:*',
},
'kibana.alert.rule.actions': [],
'kibana.alert.rule.created_by': 'elastic',
'kibana.alert.rule.enabled': true,
'kibana.alert.rule.interval': '5m',
'kibana.alert.rule.updated_by': 'elastic',
'kibana.alert.rule.type': 'query',
'kibana.alert.rule.description': 'Tests a simple query',
'kibana.alert.rule.risk_score': 1,
'kibana.alert.rule.severity': 'high',
'kibana.alert.rule.author': [],
'kibana.alert.rule.false_positives': [],
'kibana.alert.rule.from': '1900-01-01T00:00:00.000Z',
'kibana.alert.rule.rule_id': 'rule-1',
'kibana.alert.rule.max_signals': 100,
'kibana.alert.rule.risk_score_mapping': [],
'kibana.alert.rule.severity_mapping': [],
'kibana.alert.rule.threat': [],
'kibana.alert.rule.to': 'now',
'kibana.alert.rule.references': [],
'kibana.alert.rule.version': 1,
'kibana.alert.rule.exceptions_list': [],
'kibana.alert.rule.immutable': false,
'kibana.alert.original_time': '2021-08-04T04:14:58.973Z',
'kibana.alert.original_event.action': 'process_started',
'kibana.alert.original_event.category': ['process'],
'kibana.alert.original_event.dataset': 'process',
'kibana.alert.original_event.kind': 'signal',
'kibana.alert.original_event.module': 'system',
'kibana.alert.original_event.type': ['start'],
});
});
});
describe('Saved Query', () => {
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const rule: SavedQueryCreateSchema = getSavedQueryRuleForSignalTesting([`.siem-signals-*`]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const rule: SavedQueryCreateSchema = getSavedQueryRuleForSignalTesting([
`.alerts-security.alerts-default`,
]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
});
describe('EQL', () => {
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const rule: EqlCreateSchema = getEqlRuleForSignalTesting(['.siem-signals-*']);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const rule: EqlCreateSchema = getEqlRuleForSignalTesting([
`.alerts-security.alerts-default`,
]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
});
describe('Threshold', () => {
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const baseRule: ThresholdCreateSchema = getThresholdRuleForSignalTesting([
'.siem-signals-*',
]);
const rule: ThresholdCreateSchema = {
...baseRule,
threshold: {
...baseRule.threshold,
value: 1,
},
};
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const baseRule: ThresholdCreateSchema = getThresholdRuleForSignalTesting([
`.alerts-security.alerts-default`,
]);
const rule: ThresholdCreateSchema = {
...baseRule,
threshold: {
...baseRule.threshold,
value: 1,
},
};
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
const hit = signalsOpen.hits.hits[0];
expect(hit._source?.kibana).to.eql(undefined);
});
});
});
};
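Review bot: In the third hunk, the Threat Match, Saved Query, EQL and Threshold cases only assert that hits exist and that `kibana` is absent, so they would still pass if the rule produced an alert with no lineage back to the legacy signal; only the two Query cases pin the ancestry through the full `to.eql` snapshot. After the `kibana` check in each of those eight tests, add `expect(hit._source?.['kibana.alert.ancestors']).to.have.length(2);` and `expect(hit._source?.['kibana.alert.depth']).to.eql(2);`, assuming the hit source type exposes the flattened keys as the Query block's destructure suggests. Separately, the Query tests reach for `hit._source!` immediately after the optional-chained check on the same value; an explicit `expect(hit._source).to.be.ok();` followed by plain access would avoid the non-null assertion.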


@ -941,49 +941,6 @@ export default ({ getService }: FtrProviderContext) => {
});
});
/**
* Here we test that 8.0.x alerts can be generated on legacy (pre-8.x) alerts.
*/
describe('Signals generated from legacy signals', async () => {
beforeEach(async () => {
await deleteSignalsIndex(supertest, log);
await createSignalsIndex(supertest, log);
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
});
afterEach(async () => {
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should generate a signal-on-legacy-signal with legacy index pattern', async () => {
const rule: QueryCreateSchema = {
...getRuleForSignalTesting([`.siem-signals-*`]),
};
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
});
it('should generate a signal-on-legacy-signal with AAD index pattern', async () => {
const rule: QueryCreateSchema = {
...getRuleForSignalTesting([`.alerts-security.alerts-default`]),
};
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
});
});
/**
* Here we test the functionality of Severity and Risk Score overrides (also called "mappings"
* in the code). If the rule specifies a mapping, then the final Severity or Risk Score


@ -36,6 +36,7 @@ import {
PreviewRulesSchema,
ThreatMatchCreateSchema,
RulePreviewLogs,
SavedQueryCreateSchema,
} from '../../plugins/security_solution/common/detection_engine/schemas/request';
import { signalsMigrationType } from '../../plugins/security_solution/server/lib/detection_engine/migrations/saved_objects';
import {
@ -131,7 +132,7 @@ export const getSimplePreviewRule = (
/**
* This is a typical signal testing rule that is easy for most basic testing of output of signals.
* It starts out in an enabled true state. The from is set very far back to test the basics of signal
* It starts out in an enabled true state. The 'from' is set very far back to test the basics of signal
* creation and testing by getting all the signals at once.
* @param ruleId The optional ruleId which is rule-1 by default.
* @param enabled Enables the rule on creation or not. Defaulted to true.
@ -153,9 +154,26 @@ export const getRuleForSignalTesting = (
from: '1900-01-01T00:00:00.000Z',
});
/**
* This is a typical signal testing rule that is easy for most basic testing of output of Saved Query signals.
* It starts out in an enabled true state. The 'from' is set very far back to test the basics of signal
* creation for SavedQuery and testing by getting all the signals at once.
* @param ruleId The optional ruleId which is threshold-rule by default.
* @param enabled Enables the rule on creation or not. Defaulted to true.
*/
export const getSavedQueryRuleForSignalTesting = (
index: string[],
ruleId = 'saved-query-rule',
enabled = true
): SavedQueryCreateSchema => ({
...getRuleForSignalTesting(index, ruleId, enabled),
type: 'saved_query',
saved_id: 'abcd',
});
/**
* This is a typical signal testing rule that is easy for most basic testing of output of EQL signals.
* It starts out in an enabled true state. The from is set very far back to test the basics of signal
* It starts out in an enabled true state. The 'from' is set very far back to test the basics of signal
* creation for EQL and testing by getting all the signals at once.
* @param ruleId The optional ruleId which is eql-rule by default.
* @param enabled Enables the rule on creation or not. Defaulted to true.
@ -171,9 +189,41 @@ export const getEqlRuleForSignalTesting = (
query: 'any where true',
});
/**
* This is a typical signal testing rule that is easy for most basic testing of output of Threat Match signals.
* It starts out in an enabled true state. The 'from' is set very far back to test the basics of signal
* creation for Threat Match and testing by getting all the signals at once.
* @param ruleId The optional ruleId which is threshold-rule by default.
* @param enabled Enables the rule on creation or not. Defaulted to true.
*/
export const getThreatMatchRuleForSignalTesting = (
index: string[],
ruleId = 'threat-match-rule',
enabled = true
): ThreatMatchCreateSchema => ({
...getRuleForSignalTesting(index, ruleId, enabled),
type: 'threat_match',
language: 'kuery',
query: '*:*',
threat_query: '*:*',
threat_mapping: [
// We match host.name against host.name
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threat_index: index, // match against same index for simplicity
});
/**
* This is a typical signal testing rule that is easy for most basic testing of output of Threshold signals.
* It starts out in an enabled true state. The from is set very far back to test the basics of signal
* It starts out in an enabled true state. The 'from' is set very far back to test the basics of signal
* creation for Threshold and testing by getting all the signals at once.
* @param ruleId The optional ruleId which is threshold-rule by default.
* @param enabled Enables the rule on creation or not. Defaulted to true.
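Review bot: The TSDoc on the new `getSavedQueryRuleForSignalTesting` states `@param ruleId The optional ruleId which is threshold-rule by default.` while the signature defaults `ruleId` to `'saved-query-rule'`; the same copied line appears on `getThreatMatchRuleForSignalTesting` in the last hunk, whose default is `'threat-match-rule'`. Change them to `* @param ruleId The optional ruleId which is saved-query-rule by default.` and `* @param ruleId The optional ruleId which is threat-match-rule by default.` respectively. Both new helpers also take an `index` parameter that is not documented; a `* @param index The index patterns the rule (and, for threat match, the threat query) runs against.` line would complete the doc and make the same-index choice on `threat_index` visible to callers.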