github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 09:48:58 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Security Solutions] Replaces console logging with the correct e2e logger in the e2e tests (#116872) (#117553)

Browse source 
## Summary

This replaces the `console.log` we have with `ToolingLog` which is what the e2e tests want to use. Right now they're producing a lot of `console.log` debugging information and noise which we don't want. Instead we want to use the standard tool logging that e2e has for the FTR tests.

The two most important files with changes are:
* x-pack/test/detection_engine_api_integration/utils.ts 
* x-pack/test/lists_api_integration/utils.ts

From there everything else is just a repeating pattern of:

```ts
const log = getService('log');
```

And then pushing the log into the utilities:

such as:

```ts
await deleteListsIndex(supertest, log);
```

For reviewers, if you want to, checkout this branch and just ensure I didn't miss a `console.log` statement within the e2e tests anywhere. Also double check I did the correct `log.debug` vs `log.error` or if you think I misinterpreted one, point it out. I use `log.debug` where I have retries and then I use `log.error` where I thought it would be most useful to call out a very probable or unexpected statement happening when the tests begin to go sideways or have issues.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
This commit is contained in:
Kibana Machine 2021-11-04 14:23:58 -04:00 committed by GitHub
parent adeb8adcb5
commit ee2bd97618
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
99 changed files with 3051 additions and 2631 deletions
Download patch file Download diff file Expand all files Collapse all files

39
x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts
View file

@ -67,6 +67,7 @@ export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
describe('patch_cases', () => {
afterEach(async () => {
@ -792,12 +793,12 @@ export default ({ getService }: FtrProviderContext): void => {
describe('detections rule', () => {
beforeEach(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
});
@ -805,10 +806,10 @@ export default ({ getService }: FtrProviderContext): void => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const postedCase = await createCase(supertest, postCaseReq);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');
@ -865,10 +866,10 @@ export default ({ getService }: FtrProviderContext): void => {
settings: { syncAlerts: false },
});
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');
@ -918,10 +919,10 @@ export default ({ getService }: FtrProviderContext): void => {
settings: { syncAlerts: false },
});
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');
@ -987,10 +988,10 @@ export default ({ getService }: FtrProviderContext): void => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const postedCase = await createCase(supertest, postCaseReq);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');

23
x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/post_comment.ts
View file

@ -69,6 +69,7 @@ export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
describe('post_comment', () => {
afterEach(async () => {
@ -339,12 +340,12 @@ export default ({ getService }: FtrProviderContext): void => {
describe('alerts', () => {
beforeEach(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
});
@ -366,10 +367,10 @@ export default ({ getService }: FtrProviderContext): void => {
})
.expect(200);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');
@ -421,10 +422,10 @@ export default ({ getService }: FtrProviderContext): void => {
})
.expect(200);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
expect(alert._source?.[ALERT_WORKFLOW_STATUS]).eql('open');

15
x-pack/test/case_api_integration/security_and_spaces/tests/common/connectors/case.ts
View file

@ -31,6 +31,7 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('case_connector', () => {
let createdActionId = '';
@ -708,21 +709,21 @@ export default ({ getService }: FtrProviderContext): void => {
describe('adding alerts using a connector', () => {
beforeEach(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
});
it('should add a comment of type alert', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const alert = signals.hits.hits[0];
const { body: createdAction } = await supertest

75
x-pack/test/detection_engine_api_integration/basic/tests/add_prepackaged_rules.ts
View file

@ -23,32 +23,37 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const es = getService('es');
const supertest = getService('supertest');
const log = getService('log');
describe('add_prepackaged_rules', () => {
describe('creating prepackaged rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest);
await deleteAllAlerts(supertest, log);
await deleteAllTimelines(es);
});
it('should create the prepackaged rules and return a count greater than zero, rules_updated to be zero, and contain the correct keys', async () => {
let responseBody: unknown;
await waitFor(async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
}, DETECTION_ENGINE_PREPACKAGED_URL);
await waitFor(
async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
},
DETECTION_ENGINE_PREPACKAGED_URL,
log
);
const prepackagedRules = responseBody as PrePackagedRulesAndTimelinesSchema;
expect(prepackagedRules.rules_installed).to.be.greaterThan(0);
@ -62,29 +67,37 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should be possible to call the API twice and the second time the number of rules installed should be zero as well as timeline', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// NOTE: I call the GET call until eventually it becomes consistent and that the number of rules to install are zero.
// This is to reduce flakiness where it can for a short period of time try to install the same rule twice.
await waitFor(async () => {
const { body } = await supertest
.get(`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.rules_not_installed === 0;
}, `${DETECTION_ENGINE_PREPACKAGED_URL}/_status`);
await waitFor(
async () => {
const { body } = await supertest
.get(`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.rules_not_installed === 0;
},
`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`,
log
);
let responseBody: unknown;
await waitFor(async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
}, DETECTION_ENGINE_PREPACKAGED_URL);
await waitFor(
async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
},
DETECTION_ENGINE_PREPACKAGED_URL,
log
);
const prepackagedRules = responseBody as PrePackagedRulesAndTimelinesSchema;
expect(prepackagedRules.rules_installed).to.eql(0);

7
x-pack/test/detection_engine_api_integration/basic/tests/create_rules.ts
View file

@ -27,6 +27,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const log = getService('log');
describe('create_rules', () => {
describe('creating rules', () => {
@ -39,12 +40,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should create a single rule with a rule_id', async () => {

7
x-pack/test/detection_engine_api_integration/basic/tests/create_rules_bulk.ts
View file

@ -25,6 +25,7 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const log = getService('log');
describe('create_rules_bulk', () => {
describe('creating rules in bulk', () => {
@ -37,12 +38,12 @@ export default ({ getService }: FtrProviderContext): void => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should create a single rule with a rule_id', async () => {

13
x-pack/test/detection_engine_api_integration/basic/tests/delete_rules.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_rules', () => {
describe('deleting rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// delete the rule by its rule_id
const { body } = await supertest
@ -51,7 +52,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its auto-generated rule_id
const { body } = await supertest
@ -64,7 +65,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its auto-generated id
const { body } = await supertest

29
x-pack/test/detection_engine_api_integration/basic/tests/delete_rules_bulk.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_rules_bulk', () => {
describe('deleting rules bulk using DELETE', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// delete the rule in bulk
const { body } = await supertest
@ -52,7 +53,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its rule_id
const { body } = await supertest
@ -66,7 +67,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its id
const { body } = await supertest
@ -116,7 +117,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id but give an error if the second rule does not exist', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.delete(`${DETECTION_ENGINE_RULES_URL}/_bulk_delete`)
@ -141,16 +142,16 @@ export default ({ getService }: FtrProviderContext): void => {
// This is a repeat of the tests above but just using POST instead of DELETE
describe('deleting rules bulk using POST', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// delete the rule in bulk
const { body } = await supertest
@ -164,7 +165,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its rule_id
const { body } = await supertest
@ -178,7 +179,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its id
const { body } = await supertest
@ -228,7 +229,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id but give an error if the second rule does not exist', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_bulk_delete`)

17
x-pack/test/detection_engine_api_integration/basic/tests/export_rules.ts
View file

@ -23,20 +23,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('export_rules', () => {
describe('exporting rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should set the response content types to be expected', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -48,7 +49,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -64,7 +65,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export a exported count with a single rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -90,8 +91,8 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export exactly two rules given two rules', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, getSimpleRule('rule-2'));
await createRule(supertest, log, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-2'));
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)

9
x-pack/test/detection_engine_api_integration/basic/tests/find_rules.ts
View file

@ -24,15 +24,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should return an empty find body correctly if no rules are loaded', async () => {
@ -51,7 +52,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should return a single rule when a single rule is loaded from a find with defaults added', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// query the single rule from _find
const { body } = await supertest

13
x-pack/test/detection_engine_api_integration/basic/tests/find_statuses.ts
View file

@ -24,6 +24,7 @@ export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
describe('find_statuses', () => {
before(async () => {
@ -35,13 +36,13 @@ export default ({ getService }: FtrProviderContext): void => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllRulesStatuses(es);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllRulesStatuses(es, log);
});
it('should return an empty find statuses body correctly if no statuses are loaded', async () => {
@ -55,9 +56,9 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should return a single rule status when a single rule is loaded from a find status with defaults added', async () => {
const resBody = await createRule(supertest, getSimpleRule('rule-1', true));
const resBody = await createRule(supertest, log, getSimpleRule('rule-1', true));
await waitForRuleSuccessOrStatus(supertest, resBody.id);
await waitForRuleSuccessOrStatus(supertest, log, resBody.id);
// query the single rule from _find
const { body } = await supertest

7
x-pack/test/detection_engine_api_integration/basic/tests/get_prepackaged_rules_status.ts
View file

@ -24,16 +24,17 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const es = getService('es');
const log = getService('log');
describe('get_prepackaged_rules_status', () => {
describe('getting prepackaged rules status', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllTimelines(es);
});

7
x-pack/test/detection_engine_api_integration/basic/tests/import_rules.ts
View file

@ -23,16 +23,17 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('import_rules', () => {
describe('importing rules with an index', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should set the response content types to be expected', async () => {

25
x-pack/test/detection_engine_api_integration/basic/tests/install_prepackaged_timelines.ts
View file

@ -21,16 +21,17 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const es = getService('es');
const log = getService('log');
describe('install_prepackaged_timelines', () => {
describe('creating prepackaged rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllTimelines(es);
});
@ -67,13 +68,17 @@ export default ({ getService }: FtrProviderContext): void => {
it('should be possible to call the API twice and the second time the number of timelines installed should be zero', async () => {
await supertest.put(TIMELINE_PREPACKAGED_URL).set('kbn-xsrf', 'true').send().expect(200);
await waitFor(async () => {
const { body } = await supertest
.get(`${TIMELINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.timelines_not_installed === 0;
}, `${TIMELINE_PREPACKAGED_URL}/_status`);
await waitFor(
async () => {
const { body } = await supertest
.get(`${TIMELINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.timelines_not_installed === 0;
},
`${TIMELINE_PREPACKAGED_URL}/_status`,
log
);
const { body } = await supertest
.put(TIMELINE_PREPACKAGED_URL)

41
x-pack/test/detection_engine_api_integration/basic/tests/open_close_signals.ts
View file

@ -32,6 +32,7 @@ import { RACAlert } from '../../../../plugins/security_solution/server/lib/detec
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe.skip('open_close_signals', () => {
describe('tests with auditbeat data', () => {
@ -44,30 +45,30 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await deleteAllAlerts(supertest);
await createSignalsIndex(supertest);
await deleteAllAlerts(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to execute and get 10 signals', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(10);
});
it('should be have set the signals in an open state initially', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const everySignalOpen = signalsOpen.hits.hits.every(
(hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open'
);
@ -76,10 +77,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able to get a count of 10 closed signals when closing 10', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here
@ -101,10 +102,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able close 10 signals immediately and they all should be closed', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here

21
x-pack/test/detection_engine_api_integration/basic/tests/patch_rules.ts
View file

@ -24,20 +24,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('patch_rules', () => {
describe('patch rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should patch a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -54,7 +55,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should return a "403 forbidden" using a rule_id of type "machine learning"', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's type to machine learning
const { body } = await supertest
@ -73,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => {
// create a simple rule
const rule = getSimpleRule('rule-1');
delete rule.rule_id;
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
// patch a simple rule's name
const { body } = await supertest
@ -90,7 +91,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -107,7 +108,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change the version of a rule when it patches only enabled', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false
const { body } = await supertest
@ -124,7 +125,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it patches enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false and another property
const { body } = await supertest
@ -143,7 +144,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change other properties when it does patches', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's timeline_title
await supertest

31
x-pack/test/detection_engine_api_integration/basic/tests/patch_rules_bulk.ts
View file

@ -24,20 +24,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('patch_rules_bulk', () => {
describe('patch rules bulk', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should patch a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -54,8 +55,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch two rule properties of name using the two rules rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, getSimpleRule('rule-2'));
await createRule(supertest, log, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-2'));
// patch both rule names
const { body } = await supertest
@ -82,7 +83,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using an id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -99,8 +100,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch two rule properties of name using the two rules id', async () => {
const createRule1 = await createRule(supertest, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, getSimpleRule('rule-2'));
const createRule1 = await createRule(supertest, log, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, log, getSimpleRule('rule-2'));
// patch both rule names
const { body } = await supertest
@ -127,7 +128,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -144,7 +145,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change the version of a rule when it patches only enabled', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false
const { body } = await supertest
@ -161,7 +162,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it patches enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false and another property
const { body } = await supertest
@ -180,7 +181,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change other properties when it does patches', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's timeline_title
await supertest
@ -240,7 +241,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch one rule property and give an error about a second fake rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch one rule name and give a fake id for the second
const { body } = await supertest
@ -270,7 +271,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch one rule property and give an error about a second fake id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch one rule name and give a fake id for the second
const { body } = await supertest

17
x-pack/test/detection_engine_api_integration/basic/tests/query_signals.ts
View file

@ -18,6 +18,7 @@ import { getSignalStatus, createSignalsIndex, deleteSignalsIndex } from '../../u
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('query_signals_route and find_alerts_route', () => {
describe('validation checks', () => {
@ -39,7 +40,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it.skip('should not give errors when querying and the signals index does exist and is empty', async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
const { body } = await supertest
.post(DETECTION_ENGINE_QUERY_SIGNALS_URL)
.set('kbn-xsrf', 'true')
@ -58,18 +59,18 @@ export default ({ getService }: FtrProviderContext) => {
},
});
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
});
describe('backwards compatibility', () => {
before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/endpoint/resolver/signals');
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
after(async () => {
await esArchiver.unload('x-pack/test/functional/es_archives/endpoint/resolver/signals');
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('should be able to filter old signals on host.os.name.caseless using runtime field', async () => {
@ -125,7 +126,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it.skip('should not give errors when querying and the signals index does exist and is empty', async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
const { body } = await supertest
.post(ALERTS_AS_DATA_FIND_URL)
.set('kbn-xsrf', 'true')
@ -144,11 +145,11 @@ export default ({ getService }: FtrProviderContext) => {
},
});
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('should not give errors when executing security solution histogram aggs', async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
await supertest
.post(ALERTS_AS_DATA_FIND_URL)
.set('kbn-xsrf', 'true')
@ -209,7 +210,7 @@ export default ({ getService }: FtrProviderContext) => {
})
.expect(200);
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
});
});

13
x-pack/test/detection_engine_api_integration/basic/tests/read_rules.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_rules', () => {
describe('reading rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to read a single rule using rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?rule_id=rule-1`)
@ -51,7 +52,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to read a single rule using id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule());
const createRuleBody = await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?id=${createRuleBody.id}`)
@ -64,7 +65,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to read a single rule with an auto-generated rule_id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRuleWithoutRuleId());
const createRuleBody = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?rule_id=${createRuleBody.rule_id}`)

49
x-pack/test/detection_engine_api_integration/basic/tests/update_rac_alerts.ts
View file

@ -29,6 +29,7 @@ import { RACAlert } from '../../../../plugins/security_solution/server/lib/detec
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('open_close_signals', () => {
describe('tests with auditbeat data', () => {
@ -39,29 +40,29 @@ export default ({ getService }: FtrProviderContext) => {
await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
});
beforeEach(async () => {
await deleteAllAlerts(supertest);
await createSignalsIndex(supertest);
await deleteAllAlerts(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to execute and get 10 signals', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(10);
});
it('should be have set the signals in an open state initially', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const everySignalOpen = signalsOpen.hits.hits.every(
(hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open'
);
@ -70,10 +71,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able to get a count of 10 closed signals when closing 10', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here
@ -95,10 +96,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able close 10 signals immediately and they all should be closed', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here
@ -124,10 +125,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able mark 10 signals as acknowledged immediately and they all should be acknowledged', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of acknowledged. There is no reason to use a waitUntil here

19
x-pack/test/detection_engine_api_integration/basic/tests/update_rules.ts
View file

@ -26,20 +26,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_rules', () => {
describe('update rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should update a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -61,7 +62,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should return a 403 forbidden if it is a machine learning job', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's type to try to be a machine learning job type
const updatedRule = getSimpleMlRuleUpdate('rule-1');
@ -84,7 +85,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should update a single rule property of name using an auto-generated rule_id', async () => {
const rule = getSimpleRule('rule-1');
delete rule.rule_id;
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -106,7 +107,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -128,7 +129,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it updates enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's enabled to false and another property
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -151,7 +152,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change other properties when it does updates and effectively delete them such as timeline_title', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const ruleUpdate = getSimpleRuleUpdate('rule-1');
ruleUpdate.timeline_title = 'some title';

27
x-pack/test/detection_engine_api_integration/basic/tests/update_rules_bulk.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_rules_bulk', () => {
describe('update rules bulk', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should update a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const updatedRule = getSimpleRuleUpdate('rule-1');
updatedRule.name = 'some other name';
@ -58,7 +59,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update two rule properties of name using the two rules rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// create a second simple rule
await supertest
@ -95,7 +96,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using an id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -117,8 +118,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update two rule properties of name using the two rules id', async () => {
const createRule1 = await createRule(supertest, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, getSimpleRule('rule-2'));
const createRule1 = await createRule(supertest, log, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, log, getSimpleRule('rule-2'));
// update both rule names
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -152,7 +153,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -174,7 +175,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it updates enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's enabled to false and another property
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -197,7 +198,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change other properties when it does updates and effectively delete them such as timeline_title', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's timeline_title
const ruleUpdate = getSimpleRuleUpdate('rule-1');
@ -270,7 +271,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update one rule property and give an error about a second fake rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const ruleUpdate = getSimpleRuleUpdate('rule-1');
ruleUpdate.name = 'some other name';
@ -305,7 +306,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update one rule property and give an error about a second fake id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update one rule name and give a fake id for the second
const rule1 = getSimpleRuleUpdate();

21
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/add_actions.ts
View file

@ -26,6 +26,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('add_actions', () => {
describe('adding actions', () => {
@ -38,12 +39,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to create a new webhook action and attach it to a rule', async () => {
@ -54,7 +55,7 @@ export default ({ getService }: FtrProviderContext) => {
.send(getWebHookAction())
.expect(200);
const rule = await createRule(supertest, getRuleWithWebHookAction(hookAction.id));
const rule = await createRule(supertest, log, getRuleWithWebHookAction(hookAction.id));
const bodyToCompare = removeServerGeneratedProperties(rule);
expect(bodyToCompare).to.eql(
getSimpleRuleOutputWithWebHookAction(`${bodyToCompare?.actions?.[0].id}`)
@ -69,8 +70,12 @@ export default ({ getService }: FtrProviderContext) => {
.send(getWebHookAction())
.expect(200);
const rule = await createRule(supertest, getRuleWithWebHookAction(hookAction.id, true));
await waitForRuleSuccessOrStatus(supertest, rule.id);
const rule = await createRule(
supertest,
log,
getRuleWithWebHookAction(hookAction.id, true)
);
await waitForRuleSuccessOrStatus(supertest, log, rule.id);
// expected result for status should be 'succeeded'
const { body } = await supertest
@ -95,8 +100,8 @@ export default ({ getService }: FtrProviderContext) => {
meta: {},
};
const rule = await createRule(supertest, ruleWithAction);
await waitForRuleSuccessOrStatus(supertest, rule.id);
const rule = await createRule(supertest, log, ruleWithAction);
await waitForRuleSuccessOrStatus(supertest, log, rule.id);
// expected result for status should be 'succeeded'
const { body } = await supertest

75
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/add_prepackaged_rules.ts
View file

@ -23,31 +23,36 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const es = getService('es');
const supertest = getService('supertest');
const log = getService('log');
describe('add_prepackaged_rules', () => {
describe('creating prepackaged rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllTimelines(es);
});
it('should create the prepackaged rules and return a count greater than zero, rules_updated to be zero, and contain the correct keys', async () => {
let responseBody: unknown;
await waitFor(async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
}, DETECTION_ENGINE_PREPACKAGED_URL);
await waitFor(
async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
},
DETECTION_ENGINE_PREPACKAGED_URL,
log
);
const prepackagedRules = responseBody as PrePackagedRulesAndTimelinesSchema;
expect(prepackagedRules.rules_installed).to.be.greaterThan(0);
@ -61,29 +66,37 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should be possible to call the API twice and the second time the number of rules installed should be zero as well as timeline', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// NOTE: I call the GET call until eventually it becomes consistent and that the number of rules to install are zero.
// This is to reduce flakiness where it can for a short period of time try to install the same rule twice.
await waitFor(async () => {
const { body } = await supertest
.get(`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.rules_not_installed === 0;
}, `${DETECTION_ENGINE_PREPACKAGED_URL}/_status`);
await waitFor(
async () => {
const { body } = await supertest
.get(`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`)
.set('kbn-xsrf', 'true')
.expect(200);
return body.rules_not_installed === 0;
},
`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`,
log
);
let responseBody: unknown;
await waitFor(async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
}, DETECTION_ENGINE_PREPACKAGED_URL);
await waitFor(
async () => {
const { body, status } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status === 200) {
responseBody = body;
}
return status === 200;
},
DETECTION_ENGINE_PREPACKAGED_URL,
log
);
const prepackagedRules = responseBody as PrePackagedRulesAndTimelinesSchema;
expect(prepackagedRules.rules_installed).to.eql(0);

30
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/alerts/alerts_compatibility.ts
View file

@ -26,6 +26,7 @@ import { ThreatEcs } from '../../../../../plugins/security_solution/common/ecs/t
export default ({ getService }: FtrProviderContext) => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const log = getService('log');
describe('Alerts Compatibility', function () {
describe('CTI', () => {
@ -43,14 +44,14 @@ export default ({ getService }: FtrProviderContext) => {
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/legacy_cti_signals'
);
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('allows querying of legacy enriched signals by threat.indicator', async () => {
@ -103,14 +104,23 @@ export default ({ getService }: FtrProviderContext) => {
expect(indices.length).to.eql(1);
expect(indices[0].is_outdated).to.eql(true);
const [migration] = await startSignalsMigration({ indices: [indices[0].index], supertest });
await waitFor(async () => {
const [{ completed }] = await finalizeSignalsMigration({
migrationIds: [migration.migration_id],
supertest,
});
return completed === true;
}, `polling finalize_migration until complete`);
const [migration] = await startSignalsMigration({
indices: [indices[0].index],
supertest,
log,
});
await waitFor(
async () => {
const [{ completed }] = await finalizeSignalsMigration({
migrationIds: [migration.migration_id],
supertest,
log,
});
return completed === true;
},
`polling finalize_migration until complete`,
log
);
const {
body: {

24
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
View file

@ -23,6 +23,8 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
interface HostAlias {
name: string;
}
@ -37,20 +39,20 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should keep the original alias value such as "host_alias" from a source index when the value is indexed', async () => {
const rule = getRuleForSignalTesting(['host_alias']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((signal) => (signal._source?.host_alias as HostAlias).name)
.sort();
@ -59,10 +61,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should copy alias data from a source index into the signals index in the same position when the target is ECS compatible', async () => {
const rule = getRuleForSignalTesting(['host_alias']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((signal) => (signal._source?.host as HostAlias).name)
.sort();

13
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/check_privileges.ts
View file

@ -26,26 +26,27 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('check_privileges', () => {
before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/auditbeat/hosts');
await esArchiver.load('x-pack/test/functional/es_archives/security_solution/alias');
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
after(async () => {
await esArchiver.unload('x-pack/test/functional/es_archives/auditbeat/hosts');
await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/alias');
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
beforeEach(async () => {
await deleteAllAlerts(supertest);
await deleteAllAlerts(supertest, log);
});
afterEach(async () => {
await deleteAllAlerts(supertest);
await deleteAllAlerts(supertest, log);
});
describe('should set status to partial failure when user has no access', () => {
@ -63,7 +64,7 @@ export default ({ getService }: FtrProviderContext) => {
user: ROLES.detections_admin,
pass: 'changeme',
});
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
.set('kbn-xsrf', 'true')
@ -89,7 +90,7 @@ export default ({ getService }: FtrProviderContext) => {
user: ROLES.detections_admin,
pass: 'changeme',
});
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
.set('kbn-xsrf', 'true')

159
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_endpoint_exceptions.ts
View file

@ -5,6 +5,7 @@
* 2.0.
*/
import { ToolingLog } from '@kbn/dev-utils';
import expect from '@kbn/expect';
import type SuperTest from 'supertest';
@ -42,9 +43,10 @@ interface Host {
*/
export const getHostHits = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
id: string
): Promise<Host[]> => {
const signalsOpen = await getSignalsById(supertest, id);
const signalsOpen = await getSignalsById(supertest, log, id);
return signalsOpen.hits.hits
.map<Host>((hit) => hit._source?.host as Host)
.sort((a, b) => {
@ -69,6 +71,7 @@ export const getHostHits = async (
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for endpoints', () => {
before(async () => {
@ -86,24 +89,24 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('no exceptions set', () => {
it('should find all the "hosts" from a "agent" index when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const hits = await getHostHits(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -122,10 +125,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should find all the "hosts" from a "endpoint_without_host_type" index when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['endpoint_without_host_type']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const hits = await getHostHits(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { name: 'Linux' },
@ -149,6 +152,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -165,9 +169,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { name: 'Linux' },
@ -185,6 +189,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -201,9 +206,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { name: 'Linux' },
@ -221,6 +226,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -248,9 +254,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { name: 'Linux' },
@ -265,6 +271,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -292,9 +299,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { name: 'Linux' },
@ -311,6 +318,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -327,9 +335,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -347,6 +355,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -363,9 +372,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -383,6 +392,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -410,9 +420,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -427,6 +437,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -454,9 +465,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -473,6 +484,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent', 'endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -489,9 +501,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 6, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 6, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -518,6 +530,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent', 'endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -534,9 +547,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 6, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 6, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -563,6 +576,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent', 'endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -590,9 +604,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -613,6 +627,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent', 'endpoint_without_host_type']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -640,9 +655,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -666,6 +681,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[
[
@ -691,9 +707,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'macos' },
@ -705,6 +721,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[
[
@ -730,9 +747,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'macos' },
@ -746,6 +763,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -762,9 +780,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -782,6 +800,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -798,9 +817,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -815,6 +834,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -831,9 +851,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },
@ -848,6 +868,7 @@ export default ({ getService }: FtrProviderContext) => {
const rule = getRuleForSignalTesting(['agent']);
const { id } = await createRuleWithExceptionEntries(
supertest,
log,
rule,
[],
[
@ -864,9 +885,9 @@ export default ({ getService }: FtrProviderContext) => {
},
]
);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const hits = await getHostHits(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const hits = await getHostHits(supertest, log, id);
expect(hits).to.eql([
{
os: { type: 'linux' },

174
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_exceptions.ts
View file

@ -60,6 +60,7 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const esArchiver = getService('esArchiver');
const log = getService('log');
const es = getService('es');
describe('create_rules_with_exceptions', () => {
@ -73,13 +74,13 @@ export default ({ getService }: FtrProviderContext) => {
describe('creating rules with exceptions', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
});
describe('elastic admin', () => {
@ -104,7 +105,7 @@ export default ({ getService }: FtrProviderContext) => {
],
};
const rule = await createRule(supertest, ruleWithException);
const rule = await createRule(supertest, log, ruleWithException);
const expected: Partial<RulesSchema> = {
...getSimpleRuleOutput(),
exceptions_list: [
@ -142,8 +143,8 @@ export default ({ getService }: FtrProviderContext) => {
],
};
const rule = await createRule(supertest, ruleWithException);
await waitForRuleSuccessOrStatus(supertest, rule.id);
const rule = await createRule(supertest, log, ruleWithException);
await waitForRuleSuccessOrStatus(supertest, log, rule.id);
const bodyToCompare = removeServerGeneratedProperties(rule);
const expected: Partial<RulesSchema> = {
@ -162,12 +163,16 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should allow removing an exception list from an immutable rule through patch', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to use
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one exceptions_list
// remove the exceptions list as a user is allowed to remove it from an immutable rule
@ -179,23 +184,29 @@ export default ({ getService }: FtrProviderContext) => {
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRuleSecondTime.exceptions_list.length).to.eql(0);
});
it('should allow adding a second exception list to an immutable rule through patch', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to use
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
// add a second exceptions list as a user is allowed to add a second list to an immutable rule
@ -218,6 +229,7 @@ export default ({ getService }: FtrProviderContext) => {
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
@ -225,12 +237,16 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should override any updates to pre-packaged rules if the user removes the exception list through the API but the new version of a rule has an exception list again', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to use
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
await supertest
@ -239,10 +255,11 @@ export default ({ getService }: FtrProviderContext) => {
.send({ rule_id: '9a1a2dae-0b5f-4c3d-8305-a268d404c306', exceptions_list: [] })
.expect(200);
await downgradeImmutableRule(es, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest);
await downgradeImmutableRule(es, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest, log);
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
@ -252,17 +269,22 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should merge back an exceptions_list if it was removed from the immutable rule through PATCH', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
// remove the exception list and only have a single list that is not an endpoint_list
@ -282,10 +304,11 @@ export default ({ getService }: FtrProviderContext) => {
})
.expect(200);
await downgradeImmutableRule(es, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest);
await downgradeImmutableRule(es, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest, log);
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
@ -301,19 +324,24 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should NOT add an extra exceptions_list that already exists on a rule during an upgrade', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
await downgradeImmutableRule(es, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest);
await downgradeImmutableRule(es, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest, log);
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
@ -325,17 +353,22 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should NOT allow updates to pre-packaged rules to overwrite existing exception based rules when the user adds an additional exception list', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
// add a second exceptions list as a user is allowed to add a second list to an immutable rule
await supertest
@ -355,10 +388,11 @@ export default ({ getService }: FtrProviderContext) => {
})
.expect(200);
await downgradeImmutableRule(es, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest);
await downgradeImmutableRule(es, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await installPrePackagedRules(supertest, log);
const immutableRuleSecondTime = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
@ -375,18 +409,23 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not remove any exceptions added to a pre-packaged/immutable rule during an update if that rule has no existing exception lists', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Create a new exception list
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "eb079c62-4481-4d6e-9643-3ca499df7aaa" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/external_alerts.json
// since this rule does not have existing exceptions_list that we are going to use for tests
const immutableRule = await getRule(supertest, 'eb079c62-4481-4d6e-9643-3ca499df7aaa');
const immutableRule = await getRule(
supertest,
log,
'eb079c62-4481-4d6e-9643-3ca499df7aaa'
);
expect(immutableRule.exceptions_list.length).eql(0); // make sure we have no exceptions_list
// add a second exceptions list as a user is allowed to add a second list to an immutable rule
@ -406,10 +445,11 @@ export default ({ getService }: FtrProviderContext) => {
})
.expect(200);
await downgradeImmutableRule(es, 'eb079c62-4481-4d6e-9643-3ca499df7aaa');
await installPrePackagedRules(supertest);
await downgradeImmutableRule(es, log, 'eb079c62-4481-4d6e-9643-3ca499df7aaa');
await installPrePackagedRules(supertest, log);
const immutableRuleSecondTime = await getRule(
supertest,
log,
'eb079c62-4481-4d6e-9643-3ca499df7aaa'
);
@ -424,17 +464,22 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change the immutable tags when adding a second exception list to an immutable rule through patch', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to use
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
// add a second exceptions list as a user is allowed to add a second list to an immutable rule
@ -457,6 +502,7 @@ export default ({ getService }: FtrProviderContext) => {
const body = await findImmutableRuleById(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(body.data.length).to.eql(1); // should have only one length to the data set, otherwise we have duplicates or the tags were removed and that is incredibly bad.
@ -468,17 +514,22 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change count of prepacked rules when adding a second exception list to an immutable rule through patch. If this fails, suspect the immutable tags are not staying on the rule correctly.', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
// This rule has an existing exceptions_list that we are going to use
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const immutableRule = await getRule(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(immutableRule.exceptions_list.length).greaterThan(0); // make sure we have at least one
// add a second exceptions list as a user is allowed to add a second list to an immutable rule
@ -499,7 +550,7 @@ export default ({ getService }: FtrProviderContext) => {
})
.expect(200);
const status = await getPrePackagedRulesStatus(supertest);
const status = await getPrePackagedRulesStatus(supertest, log);
expect(status.rules_not_installed).to.eql(0);
});
});
@ -544,18 +595,19 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
});
it('should be able to execute against an exception list that does not include valid entries and get back 10 signals', async () => {
const { id, list_id, namespace_type, type } = await createExceptionList(
supertest,
log,
getCreateExceptionListMinimalSchemaMock()
);
@ -570,7 +622,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
};
await createExceptionListItem(supertest, exceptionListItem);
await createExceptionListItem(supertest, log, exceptionListItem);
const ruleWithException: CreateRulesSchema = {
name: 'Simple Rule Query',
@ -592,10 +644,10 @@ export default ({ getService }: FtrProviderContext) => {
},
],
};
const { id: createdId } = await createRule(supertest, ruleWithException);
await waitForRuleSuccessOrStatus(supertest, createdId);
await waitForSignalsToBePresent(supertest, 10, [createdId]);
const signalsOpen = await getSignalsByIds(supertest, [createdId]);
const { id: createdId } = await createRule(supertest, log, ruleWithException);
await waitForRuleSuccessOrStatus(supertest, log, createdId);
await waitForSignalsToBePresent(supertest, log, 10, [createdId]);
const signalsOpen = await getSignalsByIds(supertest, log, [createdId]);
expect(signalsOpen.hits.hits.length).equal(10);
});
@ -612,7 +664,7 @@ export default ({ getService }: FtrProviderContext) => {
from: '1900-01-01T00:00:00.000Z',
query: 'host.name: "suricata-sensor-amsterdam"',
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'host.name', // This matches the query above which will exclude everything
@ -622,7 +674,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -631,7 +683,7 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['auditbeat-*']),
query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'host.id',
@ -641,7 +693,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -653,7 +705,7 @@ export default ({ getService }: FtrProviderContext) => {
value: 700,
},
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'host.id',
@ -663,7 +715,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -696,7 +748,7 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'source.ip',
@ -706,21 +758,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
describe('rules with value list exceptions', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('generates no signals when a value list exception is added for a query rule', async () => {
const valueListId = 'value-list-id';
await importFile(supertest, 'keyword', ['suricata-sensor-amsterdam'], valueListId);
await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId);
const rule: QueryCreateSchema = {
name: 'Simple Rule Query',
description: 'Simple Rule Query',
@ -733,7 +785,7 @@ export default ({ getService }: FtrProviderContext) => {
from: '1900-01-01T00:00:00.000Z',
query: 'host.name: "suricata-sensor-amsterdam"',
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'host.name',
@ -746,13 +798,13 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
it('generates no signals when a value list exception is added for a threat match rule', async () => {
const valueListId = 'value-list-id';
await importFile(supertest, 'keyword', ['zeek-sensor-amsterdam'], valueListId);
await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId);
const rule: ThreatMatchCreateSchema = {
description: 'Detecting root and admin users',
name: 'Query with a rule id',
@ -781,7 +833,7 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const createdRule = await createRuleWithExceptionEntries(supertest, rule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'host.name',
@ -794,7 +846,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
});

3
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts
View file

@ -19,10 +19,11 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
describe('create_index', () => {
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
describe('elastic admin', () => {

30
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts
View file

@ -44,6 +44,8 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
const siemModule = 'siem_auditbeat';
const mlJobId = 'linux_anomalous_network_activity_ecs';
const testRule: MachineLearningCreateSchema = {
@ -102,12 +104,12 @@ export default ({ getService }: FtrProviderContext) => {
});
afterEach(async () => {
await deleteAllAlerts(supertest);
await deleteAllAlerts(supertest, log);
});
it('should create 1 alert from ML rule when record meets anomaly_threshold', async () => {
const createdRule = await createRule(supertest, testRule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, testRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(1);
const signal = signalsOpen.hits.hits[0];
if (!signal._source) {
@ -208,17 +210,17 @@ export default ({ getService }: FtrProviderContext) => {
...testRule,
anomaly_threshold: 20,
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(7);
});
describe('with non-value list exception', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('generates no signals when an exception is added for an ML rule', async () => {
const createdRule = await createRuleWithExceptionEntries(supertest, testRule, [
const createdRule = await createRuleWithExceptionEntries(supertest, log, testRule, [
[
{
field: 'host.name',
@ -228,25 +230,25 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
});
describe('with value list exception', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest, log);
await deleteAllExceptions(supertest, log);
});
it('generates no signals when a value list exception is added for an ML rule', async () => {
const valueListId = 'value-list-id';
await importFile(supertest, 'keyword', ['mothra'], valueListId);
const createdRule = await createRuleWithExceptionEntries(supertest, testRule, [
await importFile(supertest, log, 'keyword', ['mothra'], valueListId);
const createdRule = await createRuleWithExceptionEntries(supertest, log, testRule, [
[
{
field: 'host.name',
@ -259,7 +261,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).equal(0);
});
});

27
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules.ts
View file

@ -44,6 +44,7 @@ export default ({ getService }: FtrProviderContext) => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('create_rules', () => {
describe('creating rules', () => {
@ -56,12 +57,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('elastic admin', () => {
@ -103,7 +104,7 @@ export default ({ getService }: FtrProviderContext) => {
.send(simpleRule)
.expect(200);
await waitForRuleSuccessOrStatus(supertest, body.id);
await waitForRuleSuccessOrStatus(supertest, log, body.id);
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
@ -123,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => {
.send(simpleRule)
.expect(200);
await waitForRuleSuccessOrStatus(supertest, body.id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, body.id, 'partial failure');
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
@ -145,7 +146,7 @@ export default ({ getService }: FtrProviderContext) => {
.send(simpleRule)
.expect(200);
await waitForRuleSuccessOrStatus(supertest, body.id, 'succeeded');
await waitForRuleSuccessOrStatus(supertest, log, body.id, 'succeeded');
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
@ -289,7 +290,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('missing timestamps', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
// to edit these files run the following script
// cd $HOME/kibana/x-pack && nvm use && node ../scripts/es_archiver edit security_solution/timestamp_override
await esArchiver.load(
@ -297,8 +298,8 @@ export default ({ getService }: FtrProviderContext) => {
);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/timestamp_override'
);
@ -316,8 +317,8 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const bodyId = body.id;
await waitForAlertToComplete(supertest, bodyId);
await waitForRuleSuccessOrStatus(supertest, bodyId, 'partial failure');
await waitForAlertToComplete(supertest, log, bodyId);
await waitForRuleSuccessOrStatus(supertest, log, bodyId, 'partial failure');
await sleep(5000);
const { body: statusBody } = await supertest
@ -348,9 +349,9 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const bodyId = body.id;
await waitForRuleSuccessOrStatus(supertest, bodyId, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, bodyId, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 2, [bodyId]);
await waitForSignalsToBePresent(supertest, log, 2, [bodyId]);
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)

9
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_rules_bulk.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('create_rules_bulk', () => {
describe('creating rules in bulk', () => {
@ -42,12 +43,12 @@ export default ({ getService }: FtrProviderContext): void => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should create a single rule with a rule_id', async () => {
@ -88,7 +89,7 @@ export default ({ getService }: FtrProviderContext): void => {
.send([simpleRule])
.expect(200);
await waitForRuleSuccessOrStatus(supertest, body[0].id);
await waitForRuleSuccessOrStatus(supertest, log, body[0].id);
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)

7
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_signals_migrations.ts
View file

@ -42,6 +42,7 @@ export default ({ getService }: FtrProviderContext): void => {
const kbnClient = getService('kibanaServer');
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('Creating signals migrations', () => {
let createdMigrations: CreateResponse[];
@ -57,7 +58,7 @@ export default ({ getService }: FtrProviderContext): void => {
outdatedSignalsIndexName = getIndexNameFromLoad(
await esArchiver.load('x-pack/test/functional/es_archives/signals/outdated_signals_index')
);
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
@ -76,7 +77,7 @@ export default ({ getService }: FtrProviderContext): void => {
kbnClient,
ids: createdMigrations.filter((m) => m?.migration_id).map((m) => m.migration_id),
});
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('returns the information necessary to finalize the migration', async () => {
@ -110,7 +111,7 @@ export default ({ getService }: FtrProviderContext): void => {
createResponses.forEach((response) => expect(response.migration_id).to.be.a('string'));
const [{ migration_index: newIndex }] = createResponses;
await waitForIndexToPopulate(es, newIndex);
await waitForIndexToPopulate(es, log, newIndex);
const migrationResults = await es.search<{ signal: Signal }>({ index: newIndex });
expect(migrationResults.hits.hits).length(1);

86
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
View file

@ -67,6 +67,7 @@ const assertContains = (subject: unknown[], expected: unknown[]) =>
export default ({ getService }: FtrProviderContext) => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const log = getService('log');
/**
* Specific api integration tests for threat matching rule type
@ -82,16 +83,20 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should create a single rule with a rule_id', async () => {
const ruleResponse = await createRule(supertest, getCreateThreatMatchRulesSchemaMock());
const ruleResponse = await createRule(
supertest,
log,
getCreateThreatMatchRulesSchemaMock()
);
const bodyToCompare = removeServerGeneratedProperties(ruleResponse);
expect(bodyToCompare).to.eql(getThreatMatchingSchemaPartialMock());
});
@ -99,10 +104,11 @@ export default ({ getService }: FtrProviderContext) => {
it('should create a single rule with a rule_id and validate it ran successfully', async () => {
const ruleResponse = await createRule(
supertest,
log,
getCreateThreatMatchRulesSchemaMock('rule-1', true)
);
await waitForRuleSuccessOrStatus(supertest, ruleResponse.id, 'succeeded');
await waitForRuleSuccessOrStatus(supertest, log, ruleResponse.id, 'succeeded');
const { body: statusBody } = await supertest
.post(DETECTION_ENGINE_RULES_STATUS_URL)
@ -126,13 +132,13 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await deleteAllAlerts(supertest);
await createSignalsIndex(supertest);
await deleteAllAlerts(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to execute and get 10 signals when doing a specific query', async () => {
@ -164,10 +170,10 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const createdRule = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, createdRule.id);
await waitForSignalsToBePresent(supertest, 10, [createdRule.id]);
const signalsOpen = await getSignalsByIds(supertest, [createdRule.id]);
const createdRule = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, createdRule.id);
await waitForSignalsToBePresent(supertest, log, 10, [createdRule.id]);
const signalsOpen = await getSignalsByIds(supertest, log, [createdRule.id]);
expect(signalsOpen.hits.hits.length).equal(10);
const fullSource = signalsOpen.hits.hits.find(
(signal) =>
@ -368,9 +374,9 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const ruleResponse = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, [ruleResponse.id]);
const ruleResponse = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, log, [ruleResponse.id]);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -407,9 +413,9 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const ruleResponse = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, [ruleResponse.id]);
const ruleResponse = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, log, [ruleResponse.id]);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -446,9 +452,9 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const ruleResponse = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, [ruleResponse.id]);
const ruleResponse = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, ruleResponse.id);
const signalsOpen = await getSignalsByIds(supertest, log, [ruleResponse.id]);
expect(signalsOpen.hits.hits.length).equal(0);
});
@ -485,8 +491,8 @@ export default ({ getService }: FtrProviderContext) => {
items_per_search: 1, // iterate only 1 threat item per loop to ensure we're slow
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'failed');
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id, 'failed');
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
@ -537,10 +543,10 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(2);
const { hits } = signalsOpen.hits;
@ -626,10 +632,10 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(1);
const { hits } = signalsOpen.hits;
@ -713,10 +719,10 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(1);
const { hits } = signalsOpen.hits;
@ -827,10 +833,10 @@ export default ({ getService }: FtrProviderContext) => {
threat_filters: [],
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(2);
const { hits } = signalsOpen.hits;

13
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/delete_rules.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_rules', () => {
describe('deleting rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// delete the rule by its rule_id
const { body } = await supertest
@ -51,7 +52,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its auto-generated rule_id
const { body } = await supertest
@ -64,7 +65,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its auto-generated id
const { body } = await supertest

29
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/delete_rules_bulk.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_rules_bulk', () => {
describe('deleting rules bulk using DELETE', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// delete the rule in bulk
const { body } = await supertest
@ -52,7 +53,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its rule_id
const { body } = await supertest
@ -66,7 +67,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its id
const { body } = await supertest
@ -116,7 +117,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id but give an error if the second rule does not exist', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.delete(`${DETECTION_ENGINE_RULES_URL}/_bulk_delete`)
@ -141,16 +142,16 @@ export default ({ getService }: FtrProviderContext): void => {
// This is a repeat of the tests above but just using POST instead of DELETE
describe('deleting rules bulk using POST', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should delete a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// delete the rule in bulk
const { body } = await supertest
@ -164,7 +165,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
// delete that rule by its rule_id
const { body } = await supertest
@ -178,7 +179,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated id', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRule());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRule());
// delete that rule by its id
const { body } = await supertest
@ -228,7 +229,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should delete a single rule using an auto generated rule_id but give an error if the second rule does not exist', async () => {
const bodyWithCreatedRule = await createRule(supertest, getSimpleRuleWithoutRuleId());
const bodyWithCreatedRule = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_bulk_delete`)

33
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/delete_signals_migrations.ts
View file

@ -34,6 +34,7 @@ export default ({ getService }: FtrProviderContext): void => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('deleting signals migrations', () => {
let outdatedSignalsIndexName: string;
@ -45,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
await esArchiver.load('x-pack/test/functional/es_archives/signals/outdated_signals_index')
);
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
({
body: {
@ -57,24 +58,28 @@ export default ({ getService }: FtrProviderContext): void => {
.send({ index: [outdatedSignalsIndexName] })
.expect(200));
await waitFor(async () => {
({
body: {
migrations: [finalizedMigration],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200));
await waitFor(
async () => {
({
body: {
migrations: [finalizedMigration],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200));
return finalizedMigration.completed ?? false;
}, `polling finalize_migration until all complete`);
return finalizedMigration.completed ?? false;
},
`polling finalize_migration until all complete`,
log
);
});
afterEach(async () => {
await esArchiver.unload('x-pack/test/functional/es_archives/signals/outdated_signals_index');
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('returns the deleted migration SavedObjects', async () => {

183
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/date.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type date', () => {
before(async () => {
@ -41,24 +42,24 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the dates from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-01T05:08:53.000Z',
@ -70,7 +71,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 1 single date if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -80,9 +81,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-02T05:08:53.000Z',
@ -93,7 +94,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 dates if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -111,16 +112,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-03T05:08:53.000Z', '2020-10-04T05:08:53.000Z']);
});
it('should filter 3 dates if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -146,16 +147,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-04T05:08:53.000Z']);
});
it('should filter 4 dates if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -189,8 +190,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
@ -199,7 +200,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -209,15 +210,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -227,16 +228,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-01T05:08:53.000Z']);
});
it('will return 0 results if we exclude two dates', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -254,8 +255,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
@ -264,7 +265,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single date if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -274,9 +275,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-02T05:08:53.000Z',
@ -287,7 +288,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 dates if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -297,16 +298,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-03T05:08:53.000Z', '2020-10-04T05:08:53.000Z']);
});
it('should filter 3 dates if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -320,16 +321,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-04T05:08:53.000Z']);
});
it('should filter 4 dates if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -344,8 +345,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
@ -354,7 +355,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -364,15 +365,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -382,9 +383,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-01T05:08:53.000Z', '2020-10-04T05:08:53.000Z']);
});
@ -393,7 +394,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against date', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -402,8 +403,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
@ -412,7 +413,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against date', async () => {
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -421,9 +422,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-01T05:08:53.000Z',
@ -436,9 +437,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 3 results if we have a list that includes 1 date', async () => {
await importFile(supertest, 'date', ['2020-10-01T05:08:53.000Z'], 'list_items.txt');
await importFile(supertest, log, 'date', ['2020-10-01T05:08:53.000Z'], 'list_items.txt');
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -451,9 +452,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-02T05:08:53.000Z',
@ -465,12 +466,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 2 results if we have a list that includes 2 dates', async () => {
await importFile(
supertest,
log,
'date',
['2020-10-01T05:08:53.000Z', '2020-10-03T05:08:53.000Z'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -483,9 +485,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-02T05:08:53.000Z', '2020-10-04T05:08:53.000Z']);
});
@ -493,6 +495,7 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 0 results if we have a list that includes all dates', async () => {
await importFile(
supertest,
log,
'date',
[
'2020-10-01T05:08:53.000Z',
@ -503,7 +506,7 @@ export default ({ getService }: FtrProviderContext) => {
'list_items.txt'
);
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -516,8 +519,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([]);
});
@ -525,9 +528,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 date', async () => {
await importFile(supertest, 'date', ['2020-10-01T05:08:53.000Z'], 'list_items.txt');
await importFile(supertest, log, 'date', ['2020-10-01T05:08:53.000Z'], 'list_items.txt');
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -540,9 +543,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-01T05:08:53.000Z']);
});
@ -550,12 +553,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 2 results if we have a list that excludes 2 dates', async () => {
await importFile(
supertest,
log,
'date',
['2020-10-01T05:08:53.000Z', '2020-10-03T05:08:53.000Z'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -568,9 +572,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql(['2020-10-01T05:08:53.000Z', '2020-10-03T05:08:53.000Z']);
});
@ -578,6 +582,7 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 4 results if we have a list that excludes all dates', async () => {
await importFile(
supertest,
log,
'date',
[
'2020-10-01T05:08:53.000Z',
@ -588,7 +593,7 @@ export default ({ getService }: FtrProviderContext) => {
'list_items.txt'
);
const rule = getRuleForSignalTesting(['date']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'date',
@ -601,9 +606,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.date).sort();
expect(hits).to.eql([
'2020-10-01T05:08:53.000Z',

289
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/double.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type double', () => {
before(async () => {
@ -45,31 +46,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the double from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
it('should filter 1 single double if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -79,16 +80,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('should filter 2 double if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -106,16 +107,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.2', '1.3']);
});
it('should filter 3 double if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -141,16 +142,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.3']);
});
it('should filter 4 double if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -184,8 +185,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
@ -194,7 +195,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -204,15 +205,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -222,16 +223,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 0 results if we exclude two double', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -249,8 +250,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
@ -259,7 +260,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single double if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -269,16 +270,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('should filter 2 double if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -288,16 +289,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.2', '1.3']);
});
it('should filter 3 double if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -307,16 +308,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.3']);
});
it('should filter 4 double if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -326,8 +327,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
@ -336,7 +337,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -346,15 +347,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -364,9 +365,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.3']);
});
@ -375,7 +376,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against double', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -384,8 +385,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
@ -394,7 +395,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against double', async () => {
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -403,9 +404,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
@ -414,9 +415,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
describe('working against double values in the data set', () => {
it('will return 3 results if we have a list that includes 1 double', async () => {
await importFile(supertest, 'double', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -429,17 +430,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('will return 2 results if we have a list that includes 2 double', async () => {
await importFile(supertest, 'double', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -452,17 +453,23 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.3']);
});
it('will return 0 results if we have a list that includes all double', async () => {
await importFile(supertest, 'double', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(
supertest,
log,
'double',
['1.0', '1.1', '1.2', '1.3'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -475,8 +482,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
@ -484,9 +491,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 3 results if we have a list that includes 1 double', async () => {
await importFile(supertest, 'double', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -499,17 +506,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('will return 2 results if we have a list that includes 2 double', async () => {
await importFile(supertest, 'double', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -522,17 +529,23 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.1', '1.3']);
});
it('will return 0 results if we have a list that includes all double', async () => {
await importFile(supertest, 'double', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(
supertest,
log,
'double',
['1.0', '1.1', '1.2', '1.3'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -545,19 +558,19 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql([]);
});
it('will return 1 result if we have a list which contains the double range of 1.0-1.2', async () => {
await importFile(supertest, 'double_range', ['1.0-1.2'], 'list_items.txt', [
await importFile(supertest, log, 'double_range', ['1.0-1.2'], 'list_items.txt', [
'1.0',
'1.2',
]);
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -570,9 +583,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.3']);
});
@ -582,9 +595,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
describe('working against double values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 double', async () => {
await importFile(supertest, 'double', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -597,17 +610,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 2 results if we have a list that excludes 2 double', async () => {
await importFile(supertest, 'double', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -620,17 +633,23 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.2']);
});
it('will return 4 results if we have a list that excludes all double', async () => {
await importFile(supertest, 'double', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(
supertest,
log,
'double',
['1.0', '1.1', '1.2', '1.3'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['double']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -643,9 +662,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
@ -653,9 +672,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 double', async () => {
await importFile(supertest, 'double', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -668,17 +687,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 2 results if we have a list that excludes 2 double', async () => {
await importFile(supertest, 'double', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'double', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -691,17 +710,23 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.2']);
});
it('will return 4 results if we have a list that excludes all double', async () => {
await importFile(supertest, 'double', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(
supertest,
log,
'double',
['1.0', '1.1', '1.2', '1.3'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -714,20 +739,20 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
it('will return 3 results if we have a list which contains the double range of 1.0-1.2', async () => {
await importFile(supertest, 'double_range', ['1.0-1.2'], 'list_items.txt', [
await importFile(supertest, log, 'double_range', ['1.0-1.2'], 'list_items.txt', [
'1.0',
'1.2',
]);
const rule = getRuleForSignalTesting(['double_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'double',
@ -740,9 +765,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.double).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2']);
});

271
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/float.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type float', () => {
before(async () => {
@ -43,31 +44,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the float from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
it('should filter 1 single float if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -77,16 +78,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('should filter 2 float if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -104,16 +105,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.2', '1.3']);
});
it('should filter 3 float if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -139,16 +140,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.3']);
});
it('should filter 4 float if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -182,8 +183,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
@ -192,7 +193,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -202,15 +203,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -220,16 +221,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 0 results if we exclude two float', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -247,8 +248,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
@ -257,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single float if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -267,16 +268,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('should filter 2 float if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -286,16 +287,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.2', '1.3']);
});
it('should filter 3 float if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -305,16 +306,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.3']);
});
it('should filter 4 float if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -324,8 +325,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
@ -334,7 +335,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -344,15 +345,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -362,9 +363,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.3']);
});
@ -373,7 +374,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against float', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -382,8 +383,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
@ -392,7 +393,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against float', async () => {
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -401,9 +402,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
@ -412,9 +413,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
describe('working against float values in the data set', () => {
it('will return 3 results if we have a list that includes 1 float', async () => {
await importFile(supertest, 'float', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -427,17 +428,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('will return 2 results if we have a list that includes 2 float', async () => {
await importFile(supertest, 'float', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -450,17 +451,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.3']);
});
it('will return 0 results if we have a list that includes all float', async () => {
await importFile(supertest, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -473,8 +474,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
@ -482,9 +483,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 3 results if we have a list that includes 1 float', async () => {
await importFile(supertest, 'float', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -497,17 +498,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.2', '1.3']);
});
it('will return 2 results if we have a list that includes 2 float', async () => {
await importFile(supertest, 'float', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -520,17 +521,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.1', '1.3']);
});
it('will return 0 results if we have a list that includes all float', async () => {
await importFile(supertest, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -543,16 +544,19 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql([]);
});
it('will return 1 result if we have a list which contains the float range of 1.0-1.2', async () => {
await importFile(supertest, 'float_range', ['1.0-1.2'], 'list_items.txt', ['1.0', '1.2']);
await importFile(supertest, log, 'float_range', ['1.0-1.2'], 'list_items.txt', [
'1.0',
'1.2',
]);
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -565,9 +569,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.3']);
});
@ -577,9 +581,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
describe('working against float values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 float', async () => {
await importFile(supertest, 'float', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -592,17 +596,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 2 results if we have a list that excludes 2 float', async () => {
await importFile(supertest, 'float', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -615,17 +619,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.2']);
});
it('will return 4 results if we have a list that excludes all float', async () => {
await importFile(supertest, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -638,9 +642,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
@ -648,9 +652,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 float', async () => {
await importFile(supertest, 'float', ['1.0'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -663,17 +667,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0']);
});
it('will return 2 results if we have a list that excludes 2 float', async () => {
await importFile(supertest, 'float', ['1.0', '1.2'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.2'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -686,17 +690,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.2']);
});
it('will return 4 results if we have a list that excludes all float', async () => {
await importFile(supertest, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
await importFile(supertest, log, 'float', ['1.0', '1.1', '1.2', '1.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -709,17 +713,20 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2', '1.3']);
});
it('will return 3 results if we have a list which contains the float range of 1.0-1.2', async () => {
await importFile(supertest, 'float_range', ['1.0-1.2'], 'list_items.txt', ['1.0', '1.2']);
await importFile(supertest, log, 'float_range', ['1.0-1.2'], 'list_items.txt', [
'1.0',
'1.2',
]);
const rule = getRuleForSignalTesting(['float_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'float',
@ -732,9 +739,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.float).sort();
expect(hits).to.eql(['1.0', '1.1', '1.2']);
});

269
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/integer.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type integer', () => {
before(async () => {
@ -45,31 +46,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the integer from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
it('should filter 1 single integer if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -79,16 +80,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('should filter 2 integer if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -106,16 +107,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['3', '4']);
});
it('should filter 3 integer if all 3 are as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -141,16 +142,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['4']);
});
it('should filter 4 integer if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -184,8 +185,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
@ -194,7 +195,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -204,15 +205,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -222,16 +223,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1']);
});
it('will return 0 results if we exclude two integer', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -249,8 +250,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
@ -259,7 +260,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single integer if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -269,16 +270,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('should filter 2 integer if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -288,16 +289,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['3', '4']);
});
it('should filter 3 integer if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -307,16 +308,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['4']);
});
it('should filter 4 integer if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -326,8 +327,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
@ -336,7 +337,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -346,15 +347,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -364,9 +365,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '4']);
});
@ -375,7 +376,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against integer', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -384,8 +385,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
@ -394,7 +395,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against integer', async () => {
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -403,9 +404,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
@ -414,9 +415,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
describe('working against integer values in the data set', () => {
it('will return 3 results if we have a list that includes 1 integer', async () => {
await importFile(supertest, 'integer', ['1'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -429,17 +430,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('will return 2 results if we have a list that includes 2 integer', async () => {
await importFile(supertest, 'integer', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -452,17 +453,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '4']);
});
it('will return 0 results if we have a list that includes all integer', async () => {
await importFile(supertest, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -475,8 +476,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
@ -484,9 +485,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 3 results if we have a list that includes 1 integer', async () => {
await importFile(supertest, 'integer', ['1'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -499,17 +500,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('will return 2 results if we have a list that includes 2 integer', async () => {
await importFile(supertest, 'integer', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -522,17 +523,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['2', '4']);
});
it('will return 0 results if we have a list that includes all integer', async () => {
await importFile(supertest, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -545,16 +546,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql([]);
});
it('will return 1 result if we have a list which contains the integer range of 1-3', async () => {
await importFile(supertest, 'integer_range', ['1-3'], 'list_items.txt', ['1', '2']);
await importFile(supertest, log, 'integer_range', ['1-3'], 'list_items.txt', ['1', '2']);
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -567,9 +568,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['4']);
});
@ -579,9 +580,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
describe('working against integer values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 integer', async () => {
await importFile(supertest, 'integer', ['1'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -594,17 +595,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1']);
});
it('will return 2 results if we have a list that excludes 2 integer', async () => {
await importFile(supertest, 'integer', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -617,17 +618,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '3']);
});
it('will return 4 results if we have a list that excludes all integer', async () => {
await importFile(supertest, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -640,9 +641,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
@ -650,9 +651,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 integer', async () => {
await importFile(supertest, 'integer', ['1'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -665,17 +666,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1']);
});
it('will return 2 results if we have a list that excludes 2 integer', async () => {
await importFile(supertest, 'integer', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -688,17 +689,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '3']);
});
it('will return 4 results if we have a list that excludes all integer', async () => {
await importFile(supertest, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'integer', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -711,17 +712,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
it('will return 3 results if we have a list which contains the integer range of 1-3', async () => {
await importFile(supertest, 'integer_range', ['1-3'], 'list_items.txt', ['1', '2', '3']);
await importFile(supertest, log, 'integer_range', ['1-3'], 'list_items.txt', [
'1',
'2',
'3',
]);
const rule = getRuleForSignalTesting(['integer_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'integer',
@ -734,9 +739,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.integer).sort();
expect(hits).to.eql(['1', '2', '3']);
});

242
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/ip.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type ip', () => {
before(async () => {
@ -41,31 +42,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the ips from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
it('should filter 1 single ip if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -75,16 +76,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
it('should filter 2 ips if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -102,16 +103,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.3', '127.0.0.4']);
});
it('should filter 3 ips if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -137,16 +138,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
it('should filter 4 ips if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -180,15 +181,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('should filter a CIDR range of "127.0.0.1/30"', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -198,9 +199,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
@ -209,7 +210,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -219,15 +220,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -237,16 +238,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1']);
});
it('will return 0 results if we exclude two ips', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -264,8 +265,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
@ -274,7 +275,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single ip if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -284,16 +285,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
it('should filter 2 ips if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -303,16 +304,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.3', '127.0.0.4']);
});
it('should filter 3 ips if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -322,16 +323,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
it('should filter 4 ips if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -341,8 +342,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
@ -351,7 +352,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -361,15 +362,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -379,9 +380,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.4']);
});
@ -390,7 +391,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against ip', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -399,8 +400,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
@ -409,7 +410,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against ip', async () => {
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -418,9 +419,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
@ -428,9 +429,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 3 results if we have a list that includes 1 ip', async () => {
await importFile(supertest, 'ip', ['127.0.0.1'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -443,17 +444,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
it('will return 2 results if we have a list that includes 2 ips', async () => {
await importFile(supertest, 'ip', ['127.0.0.1', '127.0.0.3'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1', '127.0.0.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -466,9 +467,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.2', '127.0.0.4']);
});
@ -476,12 +477,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 0 results if we have a list that includes all ips', async () => {
await importFile(
supertest,
log,
'ip',
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -494,20 +496,20 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('will return 1 result if we have a list which contains the CIDR range of "127.0.0.1/30"', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1/30'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1/30'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
]);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -520,21 +522,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
it('will return 1 result if we have a list which contains the range syntax of "127.0.0.1-127.0.0.3"', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1-127.0.0.3'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1-127.0.0.3'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
]);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -547,9 +549,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
@ -557,13 +559,14 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 1 result if we have a list which contains the range mixed syntax of "127.0.0.1/32,127.0.0.2-127.0.0.3"', async () => {
await importFile(
supertest,
log,
'ip_range',
['127.0.0.1/32', '127.0.0.2-127.0.0.3'],
'list_items.txt',
['127.0.0.1', '127.0.0.2', '127.0.0.3']
);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -576,9 +579,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.4']);
});
@ -586,9 +589,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 ip', async () => {
await importFile(supertest, 'ip', ['127.0.0.1'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -601,17 +604,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1']);
});
it('will return 2 results if we have a list that excludes 2 ips', async () => {
await importFile(supertest, 'ip', ['127.0.0.1', '127.0.0.3'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1', '127.0.0.3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -624,9 +627,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.3']);
});
@ -634,12 +637,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 4 results if we have a list that excludes all ips', async () => {
await importFile(
supertest,
log,
'ip',
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -652,21 +656,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']);
});
it('will return 3 results if we have a list which contains the CIDR range of "127.0.0.1/30"', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1/30'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1/30'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
]);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -679,21 +683,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.2', '127.0.0.3']);
});
it('will return 3 results if we have a list which contains the range syntax of "127.0.0.1-127.0.0.3"', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1-127.0.0.3'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1-127.0.0.3'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
]);
const rule = getRuleForSignalTesting(['ip']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -706,9 +710,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql(['127.0.0.1', '127.0.0.2', '127.0.0.3']);
});

239
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/ip_array.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type ip', () => {
before(async () => {
@ -41,24 +42,24 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the ips from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
[],
@ -70,7 +71,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 1 single ip if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -80,9 +81,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
[],
@ -93,7 +94,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 ips if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -111,16 +112,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
it('should filter 3 ips if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -146,16 +147,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
it('should filter a CIDR range of "127.0.0.1/30"', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -165,9 +166,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
[],
@ -178,7 +179,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter a CIDR range of "127.0.0.4/31"', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -188,9 +189,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
@ -199,7 +200,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -209,15 +210,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -227,16 +228,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']]);
});
it('will return just 1 result we excluded 2 from the same array elements', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -252,16 +253,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']]);
});
it('will return 0 results if we exclude two ips', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -279,8 +280,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
@ -289,7 +290,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single ip if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -299,9 +300,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
[],
@ -312,7 +313,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 ips if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -322,16 +323,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
it('should filter 3 ips if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -341,9 +342,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -352,7 +353,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -362,15 +363,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -380,9 +381,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
@ -394,7 +395,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 1 empty result if matching against ip', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -403,9 +404,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -414,7 +415,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 3 results if matching against ip', async () => {
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -423,9 +424,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
@ -437,9 +438,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 3 results if we have a list that includes 1 ip', async () => {
await importFile(supertest, 'ip', ['127.0.0.1'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -452,9 +453,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
[],
@ -464,9 +465,9 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 2 results if we have a list that includes 2 ips', async () => {
await importFile(supertest, 'ip', ['127.0.0.1', '127.0.0.5'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1', '127.0.0.5'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -479,9 +480,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
@ -489,12 +490,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 1 result if we have a list that includes all ips', async () => {
await importFile(
supertest,
log,
'ip',
['127.0.0.1', '127.0.0.5', '127.0.0.8'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -507,9 +509,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -517,6 +519,7 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 2 results if we have a list which contains the CIDR ranges of "127.0.0.1/32, 127.0.0.2/31, 127.0.0.4/30"', async () => {
await importFile(
supertest,
log,
'ip_range',
['127.0.0.1/32', '127.0.0.2/31', '127.0.0.4/30'],
'list_items.txt',
@ -531,7 +534,7 @@ export default ({ getService }: FtrProviderContext) => {
]
);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -544,15 +547,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
it('will return 2 results if we have a list which contains the range syntax of "127.0.0.1-127.0.0.7', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1-127.0.0.7'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1-127.0.0.7'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
@ -562,7 +565,7 @@ export default ({ getService }: FtrProviderContext) => {
'127.0.0.7',
]);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -575,9 +578,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([[], ['127.0.0.8', '127.0.0.9', '127.0.0.10']]);
});
@ -585,9 +588,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 ip', async () => {
await importFile(supertest, 'ip', ['127.0.0.1'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -600,17 +603,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4']]);
});
it('will return 2 results if we have a list that excludes 2 ips', async () => {
await importFile(supertest, 'ip', ['127.0.0.1', '127.0.0.5'], 'list_items.txt');
await importFile(supertest, log, 'ip', ['127.0.0.1', '127.0.0.5'], 'list_items.txt');
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -623,9 +626,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
@ -636,12 +639,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 3 results if we have a list that excludes all ips', async () => {
await importFile(
supertest,
log,
'ip',
['127.0.0.1', '127.0.0.5', '127.0.0.8'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -654,9 +658,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
@ -668,6 +672,7 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 3 results if we have a list which contains the CIDR ranges of "127.0.0.1/32, 127.0.0.2/31, 127.0.0.4/30"', async () => {
await importFile(
supertest,
log,
'ip_range',
['127.0.0.1/32', '127.0.0.2/31', '127.0.0.4/30'],
'list_items.txt',
@ -682,7 +687,7 @@ export default ({ getService }: FtrProviderContext) => {
]
);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -695,9 +700,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],
@ -706,7 +711,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have a list which contains the range syntax of "127.0.0.1-127.0.0.7"', async () => {
await importFile(supertest, 'ip_range', ['127.0.0.1-127.0.0.7'], 'list_items.txt', [
await importFile(supertest, log, 'ip_range', ['127.0.0.1-127.0.0.7'], 'list_items.txt', [
'127.0.0.1',
'127.0.0.2',
'127.0.0.3',
@ -716,7 +721,7 @@ export default ({ getService }: FtrProviderContext) => {
'127.0.0.7',
]);
const rule = getRuleForSignalTesting(['ip_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'ip',
@ -729,9 +734,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const ips = signalsOpen.hits.hits.map((hit) => hit._source?.ip).sort();
expect(ips).to.eql([
['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4'],

197
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/keyword.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type keyword', () => {
before(async () => {
@ -41,31 +42,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the keyword from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
it('should filter 1 single keyword if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -75,16 +76,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('should filter 2 keyword if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -102,16 +103,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word three']);
});
it('should filter 3 keyword if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -137,16 +138,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four']);
});
it('should filter 4 keyword if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -180,8 +181,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -190,7 +191,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -200,15 +201,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -218,16 +219,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word one']);
});
it('will return 0 results if we exclude two keyword', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -245,8 +246,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -255,7 +256,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single keyword if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -265,16 +266,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('should filter 2 keyword if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -284,16 +285,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word three']);
});
it('should filter 3 keyword if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -303,16 +304,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four']);
});
it('should filter 4 keyword if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -322,8 +323,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -332,7 +333,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -342,15 +343,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -360,9 +361,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word one']);
});
@ -371,7 +372,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against keyword', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -380,8 +381,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -390,7 +391,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against keyword', async () => {
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -399,9 +400,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
@ -409,10 +410,10 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 4 results if we have two lists with an AND contradiction keyword === "word one" AND keyword === "word two"', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, 'keyword', ['word two'], 'list_items_2.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, log, 'keyword', ['word two'], 'list_items_2.txt');
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -434,17 +435,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
it('will return 3 results if we have a list that includes 1 keyword', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -457,17 +458,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('will return 2 results if we have a list that includes 2 keyword', async () => {
await importFile(supertest, 'keyword', ['word one', 'word three'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one', 'word three'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -480,9 +481,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word two']);
});
@ -490,12 +491,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 0 results if we have a list that includes all keyword', async () => {
await importFile(
supertest,
log,
'keyword',
['word one', 'word two', 'word three', 'word four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -508,8 +510,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -517,9 +519,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 keyword', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -532,17 +534,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word one']);
});
it('will return 2 results if we have a list that excludes 2 keyword', async () => {
await importFile(supertest, 'keyword', ['word one', 'word three'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one', 'word three'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -555,9 +557,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word one', 'word three']);
});
@ -565,12 +567,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 4 results if we have a list that excludes all keyword', async () => {
await importFile(
supertest,
log,
'keyword',
['word one', 'word two', 'word three', 'word four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['keyword']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -583,9 +586,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});

211
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/keyword_array.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type keyword', () => {
before(async () => {
@ -43,24 +44,24 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the keyword from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -72,7 +73,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 1 single keyword if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -82,9 +83,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -95,7 +96,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 keyword if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -113,16 +114,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
it('should filter 3 keyword if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -148,9 +149,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -159,7 +160,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -169,15 +170,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -187,16 +188,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 0 results if we exclude two keyword', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -214,8 +215,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
@ -224,7 +225,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single keyword if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -234,9 +235,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -247,7 +248,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 keyword if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -257,16 +258,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
it('should filter 3 keyword if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -276,9 +277,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -287,7 +288,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -297,15 +298,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -315,9 +316,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
['word five', null, 'word six', 'word seven'],
@ -329,7 +330,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 1 results if matching against keyword for the empty array', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -338,9 +339,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -349,7 +350,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 3 results if matching against keyword', async () => {
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -358,9 +359,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
['word eight', 'word nine', 'word ten'],
@ -372,10 +373,10 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 4 results if we have two lists with an AND contradiction keyword === "word one" AND keyword === "word five"', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, 'keyword', ['word five'], 'list_items_2.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, log, 'keyword', ['word five'], 'list_items_2.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -397,9 +398,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -410,10 +411,10 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have two lists with an AND keyword === "word one" AND keyword === "word two" since we have an array', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, 'keyword', ['word two'], 'list_items_2.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items_1.txt');
await importFile(supertest, log, 'keyword', ['word two'], 'list_items_2.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -435,9 +436,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -447,9 +448,9 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have a list that includes 1 keyword', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -462,9 +463,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
[],
@ -474,9 +475,9 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 2 results if we have a list that includes 2 keyword', async () => {
await importFile(supertest, 'keyword', ['word one', 'word six'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one', 'word six'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -489,9 +490,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
@ -499,12 +500,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return only the empty array for results if we have a list that includes all keyword', async () => {
await importFile(
supertest,
log,
'keyword',
['word one', 'word five', 'word eight'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -517,9 +519,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -527,9 +529,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 keyword', async () => {
await importFile(supertest, 'keyword', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -542,17 +544,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 1 result if we have a list that excludes 1 keyword but repeat 2 elements from the array in the list', async () => {
await importFile(supertest, 'keyword', ['word one', 'word two'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one', 'word two'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -565,17 +567,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 2 results if we have a list that excludes 2 keyword', async () => {
await importFile(supertest, 'keyword', ['word one', 'word five'], 'list_items.txt');
await importFile(supertest, log, 'keyword', ['word one', 'word five'], 'list_items.txt');
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -588,9 +590,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
['word five', null, 'word six', 'word seven'],
@ -601,12 +603,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 3 results if we have a list that excludes 3 items', async () => {
await importFile(
supertest,
log,
'keyword',
['word one', 'word six', 'word ten'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['keyword_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'keyword',
@ -619,9 +622,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.keyword).sort();
expect(hits).to.eql([
['word eight', 'word nine', 'word ten'],

273
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/long.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type long', () => {
before(async () => {
@ -43,31 +44,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the long from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
it('should filter 1 single long if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -77,16 +78,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('should filter 2 long if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -104,16 +105,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['3', '4']);
});
it('should filter 3 long if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -139,16 +140,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['4']);
});
it('should filter 4 long if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -182,8 +183,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
@ -192,7 +193,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -202,15 +203,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -220,16 +221,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1']);
});
it('will return 0 results if we exclude two long', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -247,8 +248,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
@ -257,7 +258,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single long if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -267,16 +268,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('should filter 2 long if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -286,16 +287,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['3', '4']);
});
it('should filter 3 long if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -305,16 +306,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['4']);
});
it('should filter 4 long if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -324,8 +325,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
@ -334,7 +335,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -344,15 +345,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -362,9 +363,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '4']);
});
@ -373,7 +374,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against long', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -382,8 +383,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
@ -392,7 +393,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against long', async () => {
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -401,9 +402,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
@ -412,9 +413,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
describe('working against long values in the data set', () => {
it('will return 3 results if we have a list that includes 1 long', async () => {
await importFile(supertest, 'long', ['1'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -427,17 +428,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('will return 2 results if we have a list that includes 2 long', async () => {
await importFile(supertest, 'long', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -450,17 +451,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '4']);
});
it('will return 0 results if we have a list that includes all long', async () => {
await importFile(supertest, 'long', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -473,8 +474,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
@ -482,9 +483,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 3 results if we have a list that includes 1 long', async () => {
await importFile(supertest, 'long', ['1'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -497,17 +498,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '3', '4']);
});
it('will return 2 results if we have a list that includes 2 long', async () => {
await importFile(supertest, 'long', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -520,17 +521,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['2', '4']);
});
it('will return 0 results if we have a list that includes all long', async () => {
await importFile(supertest, 'long', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -543,16 +544,20 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql([]);
});
it('will return 1 result if we have a list which contains the long range of 1-3', async () => {
await importFile(supertest, 'long_range', ['1-3'], 'list_items.txt', ['1', '2', '3']);
await importFile(supertest, log, 'long_range', ['1-3'], 'list_items.txt', [
'1',
'2',
'3',
]);
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -565,9 +570,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['4']);
});
@ -577,9 +582,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
describe('working against long values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 long', async () => {
await importFile(supertest, 'long', ['1'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -592,17 +597,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1']);
});
it('will return 2 results if we have a list that excludes 2 long', async () => {
await importFile(supertest, 'long', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -615,17 +620,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '3']);
});
it('will return 4 results if we have a list that excludes all long', async () => {
await importFile(supertest, 'long', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -638,9 +643,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
@ -648,9 +653,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against string values in the data set', () => {
it('will return 1 result if we have a list that excludes 1 long', async () => {
await importFile(supertest, 'long', ['1'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -663,17 +668,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1']);
});
it('will return 2 results if we have a list that excludes 2 long', async () => {
await importFile(supertest, 'long', ['1', '3'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '3'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -686,17 +691,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '3']);
});
it('will return 4 results if we have a list that excludes all long', async () => {
await importFile(supertest, 'long', ['1', '2', '3', '4'], 'list_items.txt');
await importFile(supertest, log, 'long', ['1', '2', '3', '4'], 'list_items.txt');
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -709,17 +714,21 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '2', '3', '4']);
});
it('will return 3 results if we have a list which contains the long range of 1-3', async () => {
await importFile(supertest, 'long_range', ['1-3'], 'list_items.txt', ['1', '2', '3']);
await importFile(supertest, log, 'long_range', ['1-3'], 'list_items.txt', [
'1',
'2',
'3',
]);
const rule = getRuleForSignalTesting(['long_as_string']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'long',
@ -732,9 +741,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.long).sort();
expect(hits).to.eql(['1', '2', '3']);
});

311
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text.ts
View file

@ -31,6 +31,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type text', () => {
before(async () => {
@ -44,31 +45,31 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the text from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
it('should filter 1 single text if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -78,16 +79,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('should filter 2 text if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -105,16 +106,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three']);
});
it('should filter 3 text if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -140,16 +141,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four']);
});
it('should filter 4 text if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -183,15 +184,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('should filter 1 single text using a single word', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -201,16 +202,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('should filter all words using a common piece of text', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -220,15 +221,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('should filter 1 single text with punctuation added', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -238,9 +239,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
@ -249,7 +250,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -259,15 +260,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -277,16 +278,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one']);
});
it('will return 0 results if we exclude two text', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -304,15 +305,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('should filter 1 single text using a single word', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -322,16 +323,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one']);
});
it('should filter all words using a common piece of text', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -341,16 +342,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
it('should filter 1 single text with punctuation added', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -360,9 +361,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one']);
});
@ -371,7 +372,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single text if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -381,16 +382,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('should filter 2 text if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -400,16 +401,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three']);
});
it('should filter 3 text if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -419,16 +420,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four']);
});
it('should filter 4 text if all are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -438,8 +439,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
@ -448,7 +449,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -458,15 +459,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -476,9 +477,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word one']);
});
@ -487,7 +488,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 0 results if matching against text', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -496,8 +497,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
@ -506,7 +507,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 4 results if matching against text', async () => {
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -515,9 +516,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});
@ -526,9 +527,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
describe('working against text values without spaces', () => {
it('will return 3 results if we have a list that includes 1 text', async () => {
await importFile(supertest, 'text', ['one'], 'list_items.txt');
await importFile(supertest, log, 'text', ['one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -541,17 +542,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['four', 'three', 'two']);
});
it('will return 2 results if we have a list that includes 2 text', async () => {
await importFile(supertest, 'text', ['one', 'three'], 'list_items.txt');
await importFile(supertest, log, 'text', ['one', 'three'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -564,9 +565,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['four', 'two']);
});
@ -574,12 +575,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 0 results if we have a list that includes all text', async () => {
await importTextFile(
supertest,
log,
'text',
['one', 'two', 'three', 'four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -592,8 +594,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
@ -601,9 +603,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against text values with spaces', () => {
it('will return 3 results if we have a list that includes 1 text', async () => {
await importTextFile(supertest, 'text', ['word one'], 'list_items.txt');
await importTextFile(supertest, log, 'text', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -616,9 +618,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
@ -626,12 +628,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 3 results if we have a list that includes 1 text with additional wording', async () => {
await importTextFile(
supertest,
log,
'text',
['word one additional wording'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -644,17 +647,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word three', 'word two']);
});
it('will return 2 results if we have a list that includes 2 text', async () => {
await importFile(supertest, 'text', ['word one', 'word three'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one', 'word three'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -667,9 +670,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word two']);
});
@ -677,12 +680,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 0 results if we have a list that includes all text', async () => {
await importTextFile(
supertest,
log,
'text',
['word one', 'word two', 'word three', 'word four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -695,8 +699,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
@ -706,9 +710,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
describe('working against text values without spaces', () => {
it('will return 1 result if we have a list that excludes 1 text', async () => {
await importTextFile(supertest, 'text', ['one'], 'list_items.txt');
await importTextFile(supertest, log, 'text', ['one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -721,17 +725,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['one']);
});
it('will return 2 results if we have a list that excludes 2 text', async () => {
await importTextFile(supertest, 'text', ['one', 'three'], 'list_items.txt');
await importTextFile(supertest, log, 'text', ['one', 'three'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -744,9 +748,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['one', 'three']);
});
@ -754,12 +758,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 4 results if we have a list that excludes all text', async () => {
await importTextFile(
supertest,
log,
'text',
['one', 'two', 'three', 'four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text_no_spaces']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -772,9 +777,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['four', 'one', 'three', 'two']);
});
@ -782,9 +787,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('working against text values with spaces', () => {
it('will return 1 result if we have a list that excludes 1 text', async () => {
await importTextFile(supertest, 'text', ['word one'], 'list_items.txt');
await importTextFile(supertest, log, 'text', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -797,9 +802,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one']);
});
@ -807,12 +812,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 1 result if we have a list that excludes 1 text with additional wording', async () => {
await importTextFile(
supertest,
log,
'text',
['word one additional wording'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -825,17 +831,23 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one']);
});
it('will return 2 results if we have a list that excludes 2 text', async () => {
await importTextFile(supertest, 'text', ['word one', 'word three'], 'list_items.txt');
await importTextFile(
supertest,
log,
'text',
['word one', 'word three'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -848,9 +860,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word one', 'word three']);
});
@ -858,12 +870,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return 4 results if we have a list that excludes all text', async () => {
await importTextFile(
supertest,
log,
'text',
['word one', 'word two', 'word three', 'word four'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -876,9 +889,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql(['word four', 'word one', 'word three', 'word two']);
});

218
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/exception_operators_data_types/text_array.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule exception operators for data type text', () => {
before(async () => {
@ -41,24 +42,24 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createListsIndex(supertest);
await createSignalsIndex(supertest, log);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllExceptions(supertest, log);
await deleteListsIndex(supertest, log);
});
describe('"is" operator', () => {
it('should find all the text from the data set when no exceptions are set on the rule', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -70,7 +71,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 1 single text if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -80,9 +81,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -93,7 +94,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 text if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -111,16 +112,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
it('should filter 3 text if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -146,9 +147,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -157,7 +158,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -167,15 +168,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('will return just 1 result we excluded', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -185,16 +186,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 0 results if we exclude two text', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -212,8 +213,8 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
@ -222,7 +223,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is one of" operator', () => {
it('should filter 1 single text if it is set as an exception', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -232,9 +233,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -245,7 +246,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should filter 2 text if both are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -255,16 +256,16 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
it('should filter 3 text if all 3 are set as exceptions', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -274,9 +275,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -285,7 +286,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not one of" operator', () => {
it('will return 0 results if it cannot find what it is excluding', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -295,15 +296,15 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([]);
});
it('will return just the result we excluded', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -313,9 +314,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
['word five', null, 'word six', 'word seven'],
@ -327,7 +328,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"exists" operator', () => {
it('will return 1 results if matching against text for the empty array', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -336,9 +337,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -347,7 +348,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('"does not exist" operator', () => {
it('will return 3 results if matching against text', async () => {
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -356,9 +357,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
['word eight', 'word nine', 'word ten'],
@ -370,10 +371,10 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is in list" operator', () => {
it('will return 4 results if we have two lists with an AND contradiction text === "word one" AND text === "word five"', async () => {
await importFile(supertest, 'text', ['word one'], 'list_items_1.txt');
await importFile(supertest, 'text', ['word five'], 'list_items_2.txt');
await importFile(supertest, log, 'text', ['word one'], 'list_items_1.txt');
await importFile(supertest, log, 'text', ['word five'], 'list_items_2.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -395,9 +396,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -408,10 +409,10 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have two lists with an AND text === "word one" AND text === "word two" since we have an array', async () => {
await importFile(supertest, 'text', ['word one'], 'list_items_1.txt');
await importFile(supertest, 'text', ['word two'], 'list_items_2.txt');
await importFile(supertest, log, 'text', ['word one'], 'list_items_1.txt');
await importFile(supertest, log, 'text', ['word two'], 'list_items_2.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -433,9 +434,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -445,9 +446,9 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have a list that includes 1 text', async () => {
await importFile(supertest, 'text', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -460,9 +461,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
[],
@ -472,9 +473,9 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 2 results if we have a list that includes 2 text', async () => {
await importFile(supertest, 'text', ['word one', 'word six'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one', 'word six'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -487,9 +488,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([[], ['word eight', 'word nine', 'word ten']]);
});
@ -497,12 +498,13 @@ export default ({ getService }: FtrProviderContext) => {
it('will return only the empty array for results if we have a list that includes all text', async () => {
await importFile(
supertest,
log,
'text',
['word one', 'word five', 'word eight'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -515,9 +517,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits.flat(Number.MAX_SAFE_INTEGER)).to.eql([]);
});
@ -525,9 +527,9 @@ export default ({ getService }: FtrProviderContext) => {
describe('"is not in list" operator', () => {
it('will return 1 result if we have a list that excludes 1 text', async () => {
await importFile(supertest, 'text', ['word one'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -540,17 +542,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 1 result if we have a list that excludes 1 text but repeat 2 elements from the array in the list', async () => {
await importFile(supertest, 'text', ['word one', 'word two'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one', 'word two'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -563,17 +565,17 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([['word one', 'word two', 'word three', 'word four']]);
});
it('will return 2 results if we have a list that excludes 2 text', async () => {
await importFile(supertest, 'text', ['word one', 'word five'], 'list_items.txt');
await importFile(supertest, log, 'text', ['word one', 'word five'], 'list_items.txt');
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -586,9 +588,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
['word five', null, 'word six', 'word seven'],
@ -597,9 +599,15 @@ export default ({ getService }: FtrProviderContext) => {
});
it('will return 3 results if we have a list that excludes 3 items', async () => {
await importFile(supertest, 'text', ['word one', 'word six', 'word ten'], 'list_items.txt');
await importFile(
supertest,
log,
'text',
['word one', 'word six', 'word ten'],
'list_items.txt'
);
const rule = getRuleForSignalTesting(['text_as_array']);
const { id } = await createRuleWithExceptionEntries(supertest, rule, [
const { id } = await createRuleWithExceptionEntries(supertest, log, rule, [
[
{
field: 'text',
@ -612,9 +620,9 @@ export default ({ getService }: FtrProviderContext) => {
},
],
]);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsById(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.text).sort();
expect(hits).to.eql([
['word eight', 'word nine', 'word ten'],

31
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/export_rules.ts
View file

@ -24,20 +24,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('export_rules', () => {
describe('exporting rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should set the response content types to be expected', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -49,7 +50,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export a single rule with a rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -65,7 +66,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export a exported count with a single rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -91,8 +92,8 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should export exactly two rules given two rules', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, getSimpleRule('rule-2'));
await createRule(supertest, log, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-2'));
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -145,7 +146,7 @@ export default ({ getService }: FtrProviderContext): void => {
actions: [action1, action2],
};
await createRule(supertest, rule1);
await createRule(supertest, log, rule1);
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -190,8 +191,8 @@ export default ({ getService }: FtrProviderContext): void => {
actions: [action],
};
await createRule(supertest, rule1);
await createRule(supertest, rule2);
await createRule(supertest, log, rule1);
await createRule(supertest, log, rule2);
const { body } = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_export`)
@ -233,7 +234,7 @@ export default ({ getService }: FtrProviderContext): void => {
.expect(200);
// create a rule without actions
const rule = await createRule(supertest, getSimpleRule('rule-1'));
const rule = await createRule(supertest, log, getSimpleRule('rule-1'));
// attach the legacy notification
await supertest
@ -301,7 +302,7 @@ export default ({ getService }: FtrProviderContext): void => {
.expect(200);
// create a rule without actions
const rule = await createRule(supertest, getSimpleRule('rule-1'));
const rule = await createRule(supertest, log, getSimpleRule('rule-1'));
// attach the legacy notification with actions
await supertest
@ -387,8 +388,8 @@ export default ({ getService }: FtrProviderContext): void => {
.expect(200);
// create 2 rules without actions
const rule1 = await createRule(supertest, getSimpleRule('rule-1'));
const rule2 = await createRule(supertest, getSimpleRule('rule-2'));
const rule1 = await createRule(supertest, log, getSimpleRule('rule-1'));
const rule2 = await createRule(supertest, log, getSimpleRule('rule-2'));
// attach the legacy notification with actions to the first rule
await supertest

137
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/finalize_signals_migrations.ts
View file

@ -46,6 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
const kbnClient = getService('kibanaServer');
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('Finalizing signals migrations', () => {
let legacySignalsIndexName: string;
@ -61,7 +62,7 @@ export default ({ getService }: FtrProviderContext): void => {
outdatedSignalsIndexName = getIndexNameFromLoad(
await esArchiver.load('x-pack/test/functional/es_archives/signals/outdated_signals_index')
);
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
({
body: { indices: createdMigrations },
@ -88,7 +89,7 @@ export default ({ getService }: FtrProviderContext): void => {
kbnClient,
ids: createdMigrations.filter((m) => m?.migration_id).map((m) => m.migration_id),
});
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('replaces the original index alias with the migrated one', async () => {
@ -103,31 +104,39 @@ export default ({ getService }: FtrProviderContext): void => {
expect(indicesBefore).to.contain(createdMigration.index);
expect(indicesBefore).not.to.contain(createdMigration.migration_index);
await waitFor(async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
await waitFor(
async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
return completed === true;
}, `polling finalize_migration until complete`);
return completed === true;
},
`polling finalize_migration until complete`,
log
);
let statusAfter: StatusResponse[] = [];
await waitFor(async () => {
({
body: { indices: statusAfter },
} = await supertest
.get(DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL)
.query({ from: '2020-10-10' })
.set('kbn-xsrf', 'true')
.expect(200));
return statusAfter.some((s) => !s.is_outdated);
}, `polling finalize_migration until complete`);
await waitFor(
async () => {
({
body: { indices: statusAfter },
} = await supertest
.get(DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL)
.query({ from: '2020-10-10' })
.set('kbn-xsrf', 'true')
.expect(200));
return statusAfter.some((s) => !s.is_outdated);
},
`polling finalize_migration until complete`,
log
);
const indicesAfter = statusAfter.map((s) => s.index);
@ -145,17 +154,21 @@ export default ({ getService }: FtrProviderContext): void => {
createdMigrations = [...createdMigrations, ...body.indices];
let finalizeResponse: FinalizeResponse[];
await waitFor(async () => {
({
body: { migrations: finalizeResponse },
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: createdMigrations.map((m) => m.migration_id) })
.expect(200));
await waitFor(
async () => {
({
body: { migrations: finalizeResponse },
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: createdMigrations.map((m) => m.migration_id) })
.expect(200));
return finalizeResponse.every((index) => index.completed);
}, `polling finalize_migration until all complete`);
return finalizeResponse.every((index) => index.completed);
},
`polling finalize_migration until all complete`,
log
);
const { body: bodyAfter } = await supertest
.get(DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL)
@ -171,19 +184,23 @@ export default ({ getService }: FtrProviderContext): void => {
});
it.skip('deletes the underlying migration task', async () => {
await waitFor(async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
await waitFor(
async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
return completed;
}, `polling finalize_migration until complete`);
return completed;
},
`polling finalize_migration until complete`,
log
);
// const [{ taskId }] = await getMigration({ id: migration.migration_id });
// expect(taskId.length).greaterThan(0);
@ -192,19 +209,23 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('subsequent attempts at finalization are idempotent', async () => {
await waitFor(async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
await waitFor(
async () => {
const {
body: {
migrations: [{ completed }],
},
} = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)
.set('kbn-xsrf', 'true')
.send({ migration_ids: [createdMigration.migration_id] })
.expect(200);
return completed;
}, `polling finalize_migration until complete`);
return completed;
},
`polling finalize_migration until complete`,
log
);
const { body } = await supertest
.post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL)

15
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/find_rules.ts
View file

@ -25,15 +25,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should return an empty find body correctly if no rules are loaded', async () => {
@ -52,7 +53,7 @@ export default ({ getService }: FtrProviderContext): void => {
});
it('should return a single rule when a single rule is loaded from a find with defaults added', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
// query the single rule from _find
const { body } = await supertest
@ -114,7 +115,7 @@ export default ({ getService }: FtrProviderContext): void => {
...getSimpleRule('rule-1'),
actions: [action],
};
await createRule(supertest, rule);
await createRule(supertest, log, rule);
// query the single rule from _find
const { body } = await supertest
@ -159,7 +160,7 @@ export default ({ getService }: FtrProviderContext): void => {
throttle: '1h', // <-- throttle makes this a scheduled action
actions: [action],
};
await createRule(supertest, rule);
await createRule(supertest, log, rule);
// query the single rule from _find
const { body } = await supertest
@ -197,7 +198,7 @@ export default ({ getService }: FtrProviderContext): void => {
.expect(200);
// create a rule without actions
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// attach the legacy notification
await supertest

13
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/find_statuses.ts
View file

@ -24,6 +24,7 @@ export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const es = getService('es');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('find_statuses', () => {
before(async () => {
@ -35,13 +36,13 @@ export default ({ getService }: FtrProviderContext): void => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteAllRulesStatuses(es);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllRulesStatuses(es, log);
});
it('should return an empty find statuses body correctly if no statuses are loaded', async () => {
@ -74,9 +75,9 @@ export default ({ getService }: FtrProviderContext): void => {
this pops up again elsewhere.
*/
it('should return a single rule status when a single rule is loaded from a find status with defaults added', async () => {
const resBody = await createRule(supertest, getSimpleRule('rule-1', true));
const resBody = await createRule(supertest, log, getSimpleRule('rule-1', true));
await waitForRuleSuccessOrStatus(supertest, resBody.id);
await waitForRuleSuccessOrStatus(supertest, log, resBody.id);
// query the single rule from _find
const { body } = await supertest

179
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
View file

@ -67,16 +67,17 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const es = getService('es');
const log = getService('log');
describe('Generating signals from source indexes', () => {
beforeEach(async () => {
await deleteSignalsIndex(supertest);
await createSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('Signals from audit beat are of the expected structure', () => {
@ -93,10 +94,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['auditbeat-*']),
query: `_id:${ID}`,
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).greaterThan(0);
});
@ -106,10 +107,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['auditbeat-*']),
max_signals: maxSignals,
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, maxSignals, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id], maxSignals);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, maxSignals, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id], maxSignals);
expect(signalsOpen.hits.hits.length).equal(maxSignals);
});
@ -118,10 +119,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['auditbeat-*']),
query: `_id:${ID}`,
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits[0]._source![ALERT_RULE_RULE_ID]).eql(getSimpleRule().rule_id);
});
@ -130,10 +131,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['auditbeat-*']),
query: `_id:${ID}`,
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signal = signalsOpen.hits.hits[0]._source!;
expect(signal).eql({
@ -165,10 +166,10 @@ export default ({ getService }: FtrProviderContext) => {
query: `_id:${ID}`,
saved_id: 'doesnt-exist',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signal = signalsOpen.hits.hits[0]._source!;
expect(signal).eql({
...signal,
@ -197,9 +198,9 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['auditbeat-*']),
query: `_id:${ID}`,
};
const { id: createdId } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, createdId);
await waitForSignalsToBePresent(supertest, 1, [createdId]);
const { id: createdId } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, createdId);
await waitForSignalsToBePresent(supertest, log, 1, [createdId]);
// Run signals on top of that 1 signal which should create a single signal (on top of) a signal
const ruleForSignals: QueryCreateSchema = {
@ -207,12 +208,12 @@ export default ({ getService }: FtrProviderContext) => {
rule_id: 'signal-on-signal',
};
const { id } = await createRule(supertest, ruleForSignals);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const { id } = await createRule(supertest, log, ruleForSignals);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
// Get our single signal on top of a signal
const signalsOpen = await getSignalsByRuleIds(supertest, ['signal-on-signal']);
const signalsOpen = await getSignalsByRuleIds(supertest, log, ['signal-on-signal']);
const signal = signalsOpen.hits.hits[0]._source!;
expect(signal).eql({
@ -249,10 +250,10 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['auditbeat-*']),
query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
expect(signals.hits.hits.length).eql(1);
const fullSignal = signals.hits.hits[0]._source;
if (!fullSignal) {
@ -350,10 +351,10 @@ export default ({ getService }: FtrProviderContext) => {
it('generates up to max_signals for non-sequence EQL queries', async () => {
const rule: EqlCreateSchema = getEqlRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 100, [id]);
const signals = await getSignalsByIds(supertest, [id], 1000);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 100, [id]);
const signals = await getSignalsByIds(supertest, log, [id], 1000);
const filteredSignals = signals.hits.hits.filter(
(signal) => signal._source?.[ALERT_DEPTH] === 1
);
@ -366,10 +367,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'config_change where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"',
event_category_override: 'auditd.message_type',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
expect(signals.hits.hits.length).eql(1);
const fullSignal = signals.hits.hits[0]._source;
if (!fullSignal) {
@ -438,10 +439,10 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['auditbeat-*']),
query: 'sequence by host.name [anomoly where true] [any where true]', // TODO: spelling
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signals = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signals = await getSignalsByIds(supertest, log, [id]);
const buildingBlock = signals.hits.hits.find(
(signal) =>
signal._source?.[ALERT_DEPTH] === 1 &&
@ -586,10 +587,10 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['auditbeat-*']),
query: 'sequence by host.name [anomoly where true] [any where true]',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const sequenceSignal = signalsOpen.hits.hits.find(
(signal) => signal._source?.[ALERT_DEPTH] === 2
);
@ -672,13 +673,13 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['auditbeat-*']),
query: 'sequence by host.name [any where true] [any where true]',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
// For EQL rules, max_signals is the maximum number of detected sequences: each sequence has a building block
// alert for each event in the sequence, so max_signals=100 results in 200 building blocks in addition to
// 100 regular alerts
await waitForSignalsToBePresent(supertest, 300, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id], 1000);
await waitForSignalsToBePresent(supertest, log, 300, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id], 1000);
expect(signalsOpen.hits.hits.length).eql(300);
const shellSignals = signalsOpen.hits.hits.filter(
(signal) => signal._source?.[ALERT_DEPTH] === 2
@ -700,10 +701,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 700,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).eql(1);
const fullSignal = signalsOpen.hits.hits[0]._source;
if (!fullSignal) {
@ -748,10 +749,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 100,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).eql(2);
});
@ -764,10 +765,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 21,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).eql(1);
});
@ -785,8 +786,8 @@ export default ({ getService }: FtrProviderContext) => {
],
},
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(0);
});
@ -804,8 +805,8 @@ export default ({ getService }: FtrProviderContext) => {
],
},
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(0);
});
@ -823,8 +824,8 @@ export default ({ getService }: FtrProviderContext) => {
],
},
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(1);
const fullSignal = signalsOpen.hits.hits[0]._source;
if (!fullSignal) {
@ -875,8 +876,8 @@ export default ({ getService }: FtrProviderContext) => {
value: 22,
},
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(0);
});
@ -888,8 +889,8 @@ export default ({ getService }: FtrProviderContext) => {
value: 21,
},
};
const createdRule = await createRule(supertest, rule);
const signalsOpen = await getOpenSignals(supertest, es, createdRule);
const createdRule = await createRule(supertest, log, rule);
const signalsOpen = await getOpenSignals(supertest, log, es, createdRule);
expect(signalsOpen.hits.hits.length).eql(1);
const fullSignal = signalsOpen.hits.hits[0]._source;
if (!fullSignal) {
@ -955,10 +956,10 @@ export default ({ getService }: FtrProviderContext) => {
});
const executeRuleAndGetSignals = async (rule: QueryCreateSchema) => {
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id]);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
return signalsOrderedByEventId;
@ -1102,13 +1103,13 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await deleteSignalsIndex(supertest);
await createSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should generate signals with name_override field', async () => {
@ -1117,11 +1118,11 @@ export default ({ getService }: FtrProviderContext) => {
rule_name_override: 'event.action',
};
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id], 1);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id], 1);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
const fullSignal = signalsOrderedByEventId[0];

7
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_prepackaged_rules_status.ts
View file

@ -24,16 +24,17 @@ import {
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const es = getService('es');
const log = getService('log');
describe('get_prepackaged_rules_status', () => {
describe('getting prepackaged rules status', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await deleteAllTimelines(es);
});

5
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_signals_migration_status.ts
View file

@ -18,6 +18,7 @@ export default ({ getService }: FtrProviderContext): void => {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('Signals migration status', () => {
let legacySignalsIndexName: string;
@ -25,12 +26,12 @@ export default ({ getService }: FtrProviderContext): void => {
legacySignalsIndexName = getIndexNameFromLoad(
await esArchiver.load('x-pack/test/functional/es_archives/signals/legacy_signals_index')
);
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await esArchiver.unload('x-pack/test/functional/es_archives/signals/legacy_signals_index');
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
it('returns no indexes if no signals exist in the specified range', async () => {

39
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/ignore_fields.ts
View file

@ -50,6 +50,7 @@ export default ({ getService }: FtrProviderContext): void => {
describe('ignore_fields', () => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/security_solution/ignore_fields');
@ -60,21 +61,21 @@ export default ({ getService }: FtrProviderContext): void => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should ignore the field of "testing_ignored"', async () => {
const rule = getEqlRuleForSignalTesting(['ignore_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((hit) => (hit._source as Ignore).testing_ignored)
.sort();
@ -86,10 +87,10 @@ export default ({ getService }: FtrProviderContext): void => {
it('should ignore the field of "testing_regex"', async () => {
const rule = getEqlRuleForSignalTesting(['ignore_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => (hit._source as Ignore).testing_regex).sort();
// Value should be "undefined for all records"
@ -99,10 +100,10 @@ export default ({ getService }: FtrProviderContext): void => {
it('should have the field of "normal_constant"', async () => {
const rule = getEqlRuleForSignalTesting(['ignore_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((hit) => (hit._source as Ignore).normal_constant)
.sort();
@ -115,10 +116,10 @@ export default ({ getService }: FtrProviderContext): void => {
it('should ignore the field of "_ignored" when using EQL and index the data', async () => {
const rule = getEqlRuleForSignalTesting(['ignore_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => (hit._source as Ignore).small_field).sort();
// We just test a constant value to ensure this did not blow up on us and did index data.

7
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts
View file

@ -24,16 +24,17 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('import_rules', () => {
describe('importing rules with an index', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should set the response content types to be expected', async () => {

47
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/keyword_family/const_keyword.ts
View file

@ -29,6 +29,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule detects against a keyword of event.dataset', () => {
before(async () => {
@ -42,12 +43,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('"kql" rule type', () => {
@ -56,10 +57,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['const_keyword']),
query: 'event.dataset: "dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
expect(signalsOpen.hits.hits.length).to.eql(4);
});
@ -68,10 +69,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['const_keyword']),
query: 'event.dataset: "dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -89,10 +90,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'any where event.dataset=="dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
expect(signalsOpen.hits.hits.length).to.eql(4);
});
@ -102,10 +103,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'any where event.dataset=="dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -125,10 +126,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 1,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.threshold_result ?? null)
.sort();

31
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/keyword_family/keyword.ts
View file

@ -30,6 +30,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule detects against a keyword of event.dataset', () => {
before(async () => {
@ -41,12 +42,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('"kql" rule type', () => {
@ -55,10 +56,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['keyword']),
query: 'event.dataset: "dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -76,10 +77,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'any where event.dataset=="dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -99,10 +100,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 1,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.threshold_result ?? null)
.sort();

47
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/keyword_family/keyword_mixed_with_const.ts
View file

@ -28,6 +28,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('Rule detects against a keyword and constant_keyword of event.dataset', () => {
before(async () => {
@ -43,12 +44,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('"kql" rule type', () => {
@ -57,10 +58,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['keyword', 'const_keyword']),
query: 'event.dataset: "dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 8, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 8, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
expect(signalsOpen.hits.hits.length).to.eql(8);
});
@ -69,10 +70,10 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['keyword', 'const_keyword']),
query: 'event.dataset: "dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 8, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 8, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -94,10 +95,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'any where event.dataset=="dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 8, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 8, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
expect(signalsOpen.hits.hits.length).to.eql(8);
});
@ -107,10 +108,10 @@ export default ({ getService }: FtrProviderContext) => {
query: 'any where event.dataset=="dataset_name_1"',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 8, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 8, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map((hit) => hit._source?.['event.dataset']).sort();
expect(hits).to.eql([
'dataset_name_1',
@ -138,10 +139,10 @@ export default ({ getService }: FtrProviderContext) => {
value: 1,
},
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.threshold_result ?? null)
.sort();

61
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/open_close_signals.ts
View file

@ -36,6 +36,7 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const supertestWithoutAuth = getService('supertestWithoutAuth');
const log = getService('log');
describe('open_close_signals', () => {
describe.skip('validation checks', () => {
@ -53,7 +54,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not give errors when querying and the signals index does exist and is empty', async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
const { body } = await supertest
.post(DETECTION_ENGINE_SIGNALS_STATUS_URL)
.set('kbn-xsrf', 'true')
@ -65,7 +66,7 @@ export default ({ getService }: FtrProviderContext) => {
expect(body).to.eql(getSignalStatusEmptyResponse());
await deleteSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
});
describe('tests with auditbeat data', () => {
@ -78,30 +79,30 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await deleteAllAlerts(supertest);
await createSignalsIndex(supertest);
await deleteAllAlerts(supertest, log);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to execute and get 10 signals', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
expect(signalsOpen.hits.hits.length).equal(10);
});
it('should be have set the signals in an open state initially', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const everySignalOpen = signalsOpen.hits.hits.every(
(hit) => hit._source?.[ALERT_WORKFLOW_STATUS] === 'open'
);
@ -110,10 +111,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able to get a count of 10 closed signals when closing 10', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 10, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here
@ -136,10 +137,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able close signals immediately and they all should be closed', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// set all of the signals to the state of closed. There is no reason to use a waitUntil here
@ -166,11 +167,11 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able to close signals with t1 analyst user', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
await createUserAndRole(getService, ROLES.t1_analyst);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// Try to set all of the signals to the state of closed.
@ -201,12 +202,12 @@ export default ({ getService }: FtrProviderContext) => {
it('should be able to close signals with soc_manager user', async () => {
const rule = getRuleForSignalTesting(['auditbeat-*']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 1, [id]);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const userAndRole = ROLES.soc_manager;
await createUserAndRole(getService, userAndRole);
const signalsOpen = await getSignalsByIds(supertest, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const signalIds = signalsOpen.hits.hits.map((signal) => signal._id);
// Try to set all of the signals to the state of closed.

25
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/patch_rules.ts
View file

@ -27,20 +27,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('patch_rules', () => {
describe('patch rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should patch a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -57,7 +58,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it("should patch a machine_learning rule's job ID if in a legacy format", async () => {
await createRule(supertest, getSimpleMlRule('rule-1'));
await createRule(supertest, log, getSimpleMlRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -73,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using a rule_id of type "machine learning"', async () => {
await createRule(supertest, getSimpleMlRule('rule-1'));
await createRule(supertest, log, getSimpleMlRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -92,7 +93,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should patch a single rule property of name using the auto-generated rule_id', async () => {
const rule = getSimpleRule('rule-1');
delete rule.rule_id;
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
// patch a simple rule's name
const { body } = await supertest
@ -109,7 +110,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -126,7 +127,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change the version of a rule when it patches only enabled', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false
const { body } = await supertest
@ -143,7 +144,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it patches enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false and another property
const { body } = await supertest
@ -162,7 +163,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change other properties when it does patches', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's timeline_title
await supertest
@ -200,7 +201,7 @@ export default ({ getService }: FtrProviderContext) => {
webhookUrl: 'http://localhost:1234',
},
}),
createRule(supertest, getSimpleRule('rule-1')),
createRule(supertest, log, getSimpleRule('rule-1')),
]);
await createLegacyRuleAction(supertest, rule.id, connector.body.id);

35
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/patch_rules_bulk.ts
View file

@ -25,20 +25,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('patch_rules_bulk', () => {
describe('patch rules bulk', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should patch a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -55,8 +56,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch two rule properties of name using the two rules rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, getSimpleRule('rule-2'));
await createRule(supertest, log, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-2'));
// patch both rule names
const { body } = await supertest
@ -83,7 +84,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using an id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -100,8 +101,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch two rule properties of name using the two rules id', async () => {
const createRule1 = await createRule(supertest, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, getSimpleRule('rule-2'));
const createRule1 = await createRule(supertest, log, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, log, getSimpleRule('rule-2'));
// patch both rule names
const { body } = await supertest
@ -139,8 +140,8 @@ export default ({ getService }: FtrProviderContext) => {
webhookUrl: 'http://localhost:1234',
},
}),
createRule(supertest, getSimpleRule('rule-1')),
createRule(supertest, getSimpleRule('rule-2')),
createRule(supertest, log, getSimpleRule('rule-1')),
createRule(supertest, log, getSimpleRule('rule-2')),
]);
await Promise.all([
createLegacyRuleAction(supertest, rule1.id, connector.body.id),
@ -177,7 +178,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's name
const { body } = await supertest
@ -194,7 +195,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change the version of a rule when it patches only enabled', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false
const { body } = await supertest
@ -211,7 +212,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it patches enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's enabled to false and another property
const { body } = await supertest
@ -230,7 +231,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should not change other properties when it does patches', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch a simple rule's timeline_title
await supertest
@ -290,7 +291,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch one rule property and give an error about a second fake rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// patch one rule name and give a fake id for the second
const { body } = await supertest
@ -320,7 +321,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should patch one rule property and give an error about a second fake id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// patch one rule name and give a fake id for the second
const { body } = await supertest

17
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/perform_bulk_action.ts
View file

@ -27,19 +27,20 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('perform_bulk_action', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should export rules', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_BULK_ACTION)
@ -72,7 +73,7 @@ export default ({ getService }: FtrProviderContext): void => {
it('should delete rules', async () => {
const ruleId = 'ruleId';
await createRule(supertest, getSimpleRule(ruleId));
await createRule(supertest, log, getSimpleRule(ruleId));
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_BULK_ACTION)
@ -90,7 +91,7 @@ export default ({ getService }: FtrProviderContext): void => {
it('should enable rules', async () => {
const ruleId = 'ruleId';
await createRule(supertest, getSimpleRule(ruleId));
await createRule(supertest, log, getSimpleRule(ruleId));
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_BULK_ACTION)
@ -115,7 +116,7 @@ export default ({ getService }: FtrProviderContext): void => {
it('should disable rules', async () => {
const ruleId = 'ruleId';
await createRule(supertest, getSimpleRule(ruleId, true));
await createRule(supertest, log, getSimpleRule(ruleId, true));
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_BULK_ACTION)
@ -138,7 +139,7 @@ export default ({ getService }: FtrProviderContext): void => {
it('should duplicate rules', async () => {
const ruleId = 'ruleId';
await createRule(supertest, getSimpleRule(ruleId));
await createRule(supertest, log, getSimpleRule(ruleId));
const { body } = await supertest
.post(DETECTION_ENGINE_RULES_BULK_ACTION)

19
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/read_rules.ts
View file

@ -26,20 +26,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_rules', () => {
describe('reading rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to read a single rule using rule_id', async () => {
await createRule(supertest, getSimpleRule());
await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?rule_id=rule-1`)
@ -52,7 +53,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to read a single rule using id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule());
const createRuleBody = await createRule(supertest, log, getSimpleRule());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?id=${createRuleBody.id}`)
@ -65,7 +66,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to read a single rule with an auto-generated rule_id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRuleWithoutRuleId());
const createRuleBody = await createRule(supertest, log, getSimpleRuleWithoutRuleId());
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?rule_id=${createRuleBody.rule_id}`)
@ -123,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule('rule-1'),
actions: [action],
};
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?id=${createRuleBody.id}`)
@ -162,7 +163,7 @@ export default ({ getService }: FtrProviderContext) => {
actions: [action],
};
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
const { body } = await supertest
.get(`${DETECTION_ENGINE_RULES_URL}?id=${createRuleBody.id}`)
@ -193,7 +194,7 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
// create a rule without actions
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// attach the legacy notification
await supertest

7
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/resolve_read_rules.ts
View file

@ -18,19 +18,20 @@ export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const es = getService('es');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('resolve_read_rules', () => {
describe('reading rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/resolve_read_rules/7_14'
);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/resolve_read_rules/7_14'
);

46
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/runtime.ts
View file

@ -23,6 +23,8 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
interface Runtime {
name: string;
hostname: string;
@ -39,20 +41,20 @@ export default ({ getService }: FtrProviderContext) => {
describe('Regular runtime field mappings', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should copy normal non-runtime data set from the source index into the signals index in the same position when the target is ECS compatible', async () => {
const rule = getRuleForSignalTesting(['runtime']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((signal) => (signal._source?.host as Runtime).name)
.sort();
@ -61,10 +63,10 @@ export default ({ getService }: FtrProviderContext) => {
it('should copy "runtime mapping" data from a source index into the signals index in the same position when the target is ECS compatible', async () => {
const rule = getRuleForSignalTesting(['runtime']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((signal) => (signal._source?.host as Runtime).hostname)
.sort();
@ -74,15 +76,15 @@ export default ({ getService }: FtrProviderContext) => {
describe('Runtime field mappings that have conflicts within them', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields'
);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/runtime_conflicting_fields'
);
@ -95,10 +97,10 @@ export default ({ getService }: FtrProviderContext) => {
*/
it('should NOT copy normal non-runtime data set from the source index into the signals index in the same position when the target is ECS compatible', async () => {
const rule = getRuleForSignalTesting(['runtime_conflicting_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits
.map((signal) => signal._source?.host as Array<{ name: string }>)
.map((host) => {
@ -152,10 +154,10 @@ export default ({ getService }: FtrProviderContext) => {
*/
it('should NOT copy "runtime mapping" data from a source index into the signals index in the same position when the target is ECS compatible', async () => {
const rule = getRuleForSignalTesting(['runtime_conflicting_fields']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForSignalsToBePresent(supertest, 4, [id]);
const signalsOpen = await getSignalsById(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await waitForSignalsToBePresent(supertest, log, 4, [id]);
const signalsOpen = await getSignalsById(supertest, log, id);
const hits = signalsOpen.hits.hits.map(
(signal) => (signal._source?.host as Runtime).hostname
);

61
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/throttle.ts
View file

@ -29,6 +29,7 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
/**
*
@ -46,12 +47,12 @@ export default ({ getService }: FtrProviderContext) => {
describe('throttle', () => {
describe('adding actions', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('creating a rule', () => {
@ -63,7 +64,7 @@ export default ({ getService }: FtrProviderContext) => {
.send(getWebHookAction())
.expect(200);
const rule = await createRule(supertest, getRuleWithWebHookAction(hookAction.id));
const rule = await createRule(supertest, log, getRuleWithWebHookAction(hookAction.id));
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -76,7 +77,7 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: NOTIFICATION_THROTTLE_NO_ACTIONS,
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -96,7 +97,7 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleWithWebHookAction(hookAction.id),
throttle: NOTIFICATION_THROTTLE_NO_ACTIONS,
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -109,7 +110,7 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: NOTIFICATION_THROTTLE_RULE,
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -123,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: NOTIFICATION_THROTTLE_RULE,
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
expect(rule.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
@ -139,7 +140,7 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleWithWebHookAction(hookAction.id),
throttle: NOTIFICATION_THROTTLE_RULE,
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -152,7 +153,7 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: '1h',
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -172,7 +173,7 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleWithWebHookAction(hookAction.id),
throttle: '1h',
};
const rule = await createRule(supertest, ruleWithThrottle);
const rule = await createRule(supertest, log, ruleWithThrottle);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${rule.id}`);
@ -190,8 +191,8 @@ export default ({ getService }: FtrProviderContext) => {
.send(getWebHookAction())
.expect(200);
const rule = await createRule(supertest, getRuleWithWebHookAction(hookAction.id));
const readRule = await getRule(supertest, rule.rule_id);
const rule = await createRule(supertest, log, getRuleWithWebHookAction(hookAction.id));
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_RULE);
});
@ -200,8 +201,8 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: NOTIFICATION_THROTTLE_NO_ACTIONS,
};
const rule = await createRule(supertest, ruleWithThrottle);
const readRule = await getRule(supertest, rule.rule_id);
const rule = await createRule(supertest, log, ruleWithThrottle);
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
@ -211,8 +212,8 @@ export default ({ getService }: FtrProviderContext) => {
...getSimpleRule(),
throttle: NOTIFICATION_THROTTLE_RULE,
};
const rule = await createRule(supertest, ruleWithThrottle);
const readRule = await getRule(supertest, rule.rule_id);
const rule = await createRule(supertest, log, ruleWithThrottle);
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
@ -224,13 +225,13 @@ export default ({ getService }: FtrProviderContext) => {
.send(getWebHookAction())
.expect(200);
const rule = await createRule(supertest, getRuleWithWebHookAction(hookAction.id));
const rule = await createRule(supertest, log, getRuleWithWebHookAction(hookAction.id));
await supertest
.post(`/api/alerting/rule/${rule.id}/_mute_all`)
.set('kbn-xsrf', 'true')
.send()
.expect(204);
const readRule = await getRule(supertest, rule.rule_id);
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
});
@ -245,9 +246,9 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
await createRule(supertest, ruleWithWebHookAction);
await createRule(supertest, log, ruleWithWebHookAction);
ruleWithWebHookAction.name = 'some other name';
const updated = await updateRule(supertest, ruleWithWebHookAction);
const updated = await updateRule(supertest, log, ruleWithWebHookAction);
expect(updated.throttle).to.eql(NOTIFICATION_THROTTLE_RULE);
});
@ -260,9 +261,9 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
await createRule(supertest, ruleWithWebHookAction);
await createRule(supertest, log, ruleWithWebHookAction);
ruleWithWebHookAction.name = 'some other name';
const updated = await updateRule(supertest, ruleWithWebHookAction);
const updated = await updateRule(supertest, log, ruleWithWebHookAction);
const {
body: { mute_all: muteAll, notify_when: notifyWhen },
} = await supertest.get(`/api/alerting/rule/${updated.id}`);
@ -280,9 +281,9 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
await createRule(supertest, ruleWithWebHookAction);
await createRule(supertest, log, ruleWithWebHookAction);
ruleWithWebHookAction.actions = [];
const updated = await updateRule(supertest, ruleWithWebHookAction);
const updated = await updateRule(supertest, log, ruleWithWebHookAction);
expect(updated.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
});
@ -297,14 +298,14 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
const rule = await createRule(supertest, ruleWithWebHookAction);
const rule = await createRule(supertest, log, ruleWithWebHookAction);
// patch a simple rule's name
await supertest
.patch(DETECTION_ENGINE_RULES_URL)
.set('kbn-xsrf', 'true')
.send({ rule_id: rule.rule_id, name: 'some other name' })
.expect(200);
const readRule = await getRule(supertest, rule.rule_id);
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_RULE);
});
@ -317,7 +318,7 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
const rule = await createRule(supertest, ruleWithWebHookAction);
const rule = await createRule(supertest, log, ruleWithWebHookAction);
// patch a simple rule's name
await supertest
.patch(DETECTION_ENGINE_RULES_URL)
@ -341,14 +342,14 @@ export default ({ getService }: FtrProviderContext) => {
.expect(200);
const ruleWithWebHookAction = getRuleWithWebHookAction(hookAction.id);
const rule = await createRule(supertest, ruleWithWebHookAction);
const rule = await createRule(supertest, log, ruleWithWebHookAction);
// patch a simple rule's action
await supertest
.patch(DETECTION_ENGINE_RULES_URL)
.set('kbn-xsrf', 'true')
.send({ rule_id: rule.rule_id, actions: [] })
.expect(200);
const readRule = await getRule(supertest, rule.rule_id);
const readRule = await getRule(supertest, log, rule.rule_id);
expect(readRule.throttle).to.eql(NOTIFICATION_THROTTLE_NO_ACTIONS);
});
});

101
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/timestamps.ts
View file

@ -34,6 +34,7 @@ function sleep(ms: number) {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
/**
* Tests around timestamps within signals such as the copying of timestamps correctly into
@ -43,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('timestamp tests', () => {
describe('Signals generated from events with a timestamp in seconds is converted correctly into the forced ISO8601 format when copying', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds'
);
@ -53,8 +54,8 @@ export default ({ getService }: FtrProviderContext) => {
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/timestamp_in_seconds'
);
@ -66,11 +67,11 @@ export default ({ getService }: FtrProviderContext) => {
describe('KQL query', () => {
it('should convert the @timestamp which is epoch_seconds into the correct ISO format', async () => {
const rule = getRuleForSignalTesting(['timestamp_in_seconds']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await sleep(5000);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
@ -82,11 +83,11 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['myfakeindex-5']),
timestamp_override: 'event.ingested',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await sleep(5000);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
@ -97,11 +98,11 @@ export default ({ getService }: FtrProviderContext) => {
describe('EQL query', () => {
it('should convert the @timestamp which is epoch_seconds into the correct ISO format for EQL', async () => {
const rule = getEqlRuleForSignalTesting(['timestamp_in_seconds']);
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await sleep(5000);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
@ -113,11 +114,11 @@ export default ({ getService }: FtrProviderContext) => {
...getEqlRuleForSignalTesting(['myfakeindex-5']),
timestamp_override: 'event.ingested',
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id);
await sleep(5000);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsOpen = await getSignalsByIds(supertest, log, [id]);
const hits = signalsOpen.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
@ -134,8 +135,8 @@ export default ({ getService }: FtrProviderContext) => {
*/
describe('Signals generated from events with timestamp override field', async () => {
beforeEach(async () => {
await deleteSignalsIndex(supertest);
await createSignalsIndex(supertest);
await deleteSignalsIndex(supertest, log);
await createSignalsIndex(supertest, log);
await esArchiver.load(
'x-pack/test/functional/es_archives/security_solution/timestamp_override_1'
);
@ -151,8 +152,8 @@ export default ({ getService }: FtrProviderContext) => {
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
await esArchiver.unload(
'x-pack/test/functional/es_archives/security_solution/timestamp_override_1'
);
@ -174,12 +175,12 @@ export default ({ getService }: FtrProviderContext) => {
timestamp_override: 'event.ingested',
};
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 3, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id], 3);
await waitForSignalsToBePresent(supertest, log, 3, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id], 3);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
@ -189,12 +190,12 @@ export default ({ getService }: FtrProviderContext) => {
it('should generate 2 signals with @timestamp', async () => {
const rule: QueryCreateSchema = getRuleForSignalTesting(['myfa*']);
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id]);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
@ -206,12 +207,12 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['myfa*']),
timestamp_override: 'event.fakeingestfield',
};
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id, id]);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id, id]);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
@ -229,12 +230,12 @@ export default ({ getService }: FtrProviderContext) => {
...getRuleForSignalTesting(['myfakeindex-2']),
timestamp_override: 'event.ingested',
};
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id);
await waitForRuleSuccessOrStatus(supertest, log, id);
await sleep(5000);
await waitForSignalsToBePresent(supertest, 1, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id, id]);
await waitForSignalsToBePresent(supertest, log, 1, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id, id]);
const hits = signalsResponse.hits.hits
.map((hit) => hit._source?.[ALERT_ORIGINAL_TIME])
.sort();
@ -246,12 +247,12 @@ export default ({ getService }: FtrProviderContext) => {
it('should generate 2 signals with @timestamp', async () => {
const rule: EqlCreateSchema = getEqlRuleForSignalTesting(['myfa*']);
const { id } = await createRule(supertest, rule);
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id]);
await waitForSignalsToBePresent(supertest, log, 2, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id]);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
@ -270,12 +271,12 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
describe('KQL', () => {
@ -297,11 +298,11 @@ export default ({ getService }: FtrProviderContext) => {
max_signals: 200,
};
const { id } = await createRule(supertest, rule);
await waitForRuleSuccessOrStatus(supertest, id, 'partial failure');
const { id } = await createRule(supertest, log, rule);
await waitForRuleSuccessOrStatus(supertest, log, id, 'partial failure');
await sleep(5000);
await waitForSignalsToBePresent(supertest, 200, [id]);
const signalsResponse = await getSignalsByIds(supertest, [id], 200);
await waitForSignalsToBePresent(supertest, log, 200, [id]);
const signalsResponse = await getSignalsByIds(supertest, log, [id], 200);
const signals = signalsResponse.hits.hits.map((hit) => hit._source);
expect(signals.length).equal(200);

69
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/update_actions.ts
View file

@ -33,6 +33,7 @@ import {
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const esArchiver = getService('esArchiver');
const log = getService('log');
describe('update_actions', () => {
describe('updating actions', () => {
@ -45,20 +46,20 @@ export default ({ getService }: FtrProviderContext) => {
});
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should be able to create a new webhook action and update a rule with the webhook action', async () => {
const hookAction = await createNewAction(supertest);
const hookAction = await createNewAction(supertest, log);
const rule = getSimpleRule();
await createRule(supertest, rule);
await createRule(supertest, log, rule);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, false, rule);
const updatedRule = await updateRule(supertest, ruleToUpdate);
const updatedRule = await updateRule(supertest, log, ruleToUpdate);
const bodyToCompare = removeServerGeneratedProperties(updatedRule);
const expected = {
@ -69,12 +70,12 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to add a new webhook action and then remove the action from the rule again', async () => {
const hookAction = await createNewAction(supertest);
const hookAction = await createNewAction(supertest, log);
const rule = getSimpleRule();
await createRule(supertest, rule);
await createRule(supertest, log, rule);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, false, rule);
await updateRule(supertest, ruleToUpdate);
const ruleAfterActionRemoved = await updateRule(supertest, rule);
await updateRule(supertest, log, ruleToUpdate);
const ruleAfterActionRemoved = await updateRule(supertest, log, rule);
const bodyToCompare = removeServerGeneratedProperties(ruleAfterActionRemoved);
const expected = {
...getSimpleRuleOutput(),
@ -84,12 +85,12 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to create a new webhook action and attach it to a rule without a meta field and run it correctly', async () => {
const hookAction = await createNewAction(supertest);
const hookAction = await createNewAction(supertest, log);
const rule = getSimpleRule();
await createRule(supertest, rule);
await createRule(supertest, log, rule);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, true, rule);
const updatedRule = await updateRule(supertest, ruleToUpdate);
await waitForRuleSuccessOrStatus(supertest, updatedRule.id);
const updatedRule = await updateRule(supertest, log, ruleToUpdate);
await waitForRuleSuccessOrStatus(supertest, log, updatedRule.id);
// expected result for status should be 'succeeded'
const { body } = await supertest
@ -101,15 +102,15 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to create a new webhook action and attach it to a rule with a meta field and run it correctly', async () => {
const hookAction = await createNewAction(supertest);
const hookAction = await createNewAction(supertest, log);
const rule = getSimpleRule();
await createRule(supertest, rule);
await createRule(supertest, log, rule);
const ruleToUpdate: CreateRulesSchema = {
...getRuleWithWebHookAction(hookAction.id, true, rule),
meta: {}, // create a rule with the action attached and a meta field
};
const updatedRule = await updateRule(supertest, ruleToUpdate);
await waitForRuleSuccessOrStatus(supertest, updatedRule.id);
const updatedRule = await updateRule(supertest, log, ruleToUpdate);
await waitForRuleSuccessOrStatus(supertest, log, updatedRule.id);
// expected result for status should be 'succeeded'
const { body } = await supertest
@ -121,14 +122,14 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to create a new webhook action and attach it to an immutable rule', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest);
const immutableRule = await getRule(supertest, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest, log);
const newRuleToUpdate = getSimpleRule(immutableRule.rule_id);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, false, newRuleToUpdate);
const updatedRule = await updateRule(supertest, ruleToUpdate);
const updatedRule = await updateRule(supertest, log, ruleToUpdate);
const bodyToCompare = removeServerGeneratedProperties(updatedRule);
const expected = {
@ -141,29 +142,33 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should be able to create a new webhook action, attach it to an immutable rule and the count of prepackaged rules should not increase. If this fails, suspect the immutable tags are not staying on the rule correctly.', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest);
const immutableRule = await getRule(supertest, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest, log);
const newRuleToUpdate = getSimpleRule(immutableRule.rule_id);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, false, newRuleToUpdate);
await updateRule(supertest, ruleToUpdate);
await updateRule(supertest, log, ruleToUpdate);
const status = await getPrePackagedRulesStatus(supertest);
const status = await getPrePackagedRulesStatus(supertest, log);
expect(status.rules_not_installed).to.eql(0);
});
it('should be able to create a new webhook action, attach it to an immutable rule and the rule should stay immutable when searching against immutable tags', async () => {
await installPrePackagedRules(supertest);
await installPrePackagedRules(supertest, log);
// Rule id of "9a1a2dae-0b5f-4c3d-8305-a268d404c306" is from the file:
// x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/elastic_endpoint.json
const immutableRule = await getRule(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest);
const immutableRule = await getRule(supertest, log, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
const hookAction = await createNewAction(supertest, log);
const newRuleToUpdate = getSimpleRule(immutableRule.rule_id);
const ruleToUpdate = getRuleWithWebHookAction(hookAction.id, false, newRuleToUpdate);
await updateRule(supertest, ruleToUpdate);
const body = await findImmutableRuleById(supertest, '9a1a2dae-0b5f-4c3d-8305-a268d404c306');
await updateRule(supertest, log, ruleToUpdate);
const body = await findImmutableRuleById(
supertest,
log,
'9a1a2dae-0b5f-4c3d-8305-a268d404c306'
);
expect(body.data.length).to.eql(1); // should have only one length to the data set, otherwise we have duplicates or the tags were removed and that is incredibly bad.
const bodyToCompare = removeServerGeneratedProperties(body.data[0]);

23
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/update_rules.ts
View file

@ -29,20 +29,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_rules', () => {
describe('update rules', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should update a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -64,7 +65,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it("should update a rule's machine learning job ID if given a legacy job ID format", async () => {
await createRule(supertest, getSimpleMlRule('rule-1'));
await createRule(supertest, log, getSimpleMlRule('rule-1'));
// update rule's machine_learning_job_id
const updatedRule = getSimpleMlRuleUpdate('rule-1');
@ -86,7 +87,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using a rule_id with a machine learning job', async () => {
await createRule(supertest, getSimpleMlRule('rule-1'));
await createRule(supertest, log, getSimpleMlRule('rule-1'));
// update a simple rule's name
const updatedRule = getSimpleMlRuleUpdate('rule-1');
@ -110,7 +111,7 @@ export default ({ getService }: FtrProviderContext) => {
it('should update a single rule property of name using an auto-generated rule_id', async () => {
const rule = getSimpleRule('rule-1');
delete rule.rule_id;
const createRuleBody = await createRule(supertest, rule);
const createRuleBody = await createRule(supertest, log, rule);
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -145,7 +146,7 @@ export default ({ getService }: FtrProviderContext) => {
webhookUrl: 'http://localhost:1234',
},
}),
createRule(supertest, rule),
createRule(supertest, log, rule),
]);
await createLegacyRuleAction(supertest, createRuleBody.id, connector.body.id);
@ -181,7 +182,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -203,7 +204,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it updates enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's enabled to false and another property
const updatedRule = getSimpleRuleUpdate('rule-1');
@ -226,7 +227,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change other properties when it does updates and effectively delete them such as timeline_title', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const ruleUpdate = getSimpleRuleUpdate('rule-1');
ruleUpdate.timeline_title = 'some title';

31
x-pack/test/detection_engine_api_integration/security_and_spaces/tests/update_rules_bulk.ts
View file

@ -26,20 +26,21 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_rules_bulk', () => {
describe('update rules bulk', () => {
beforeEach(async () => {
await createSignalsIndex(supertest);
await createSignalsIndex(supertest, log);
});
afterEach(async () => {
await deleteSignalsIndex(supertest);
await deleteAllAlerts(supertest);
await deleteSignalsIndex(supertest, log);
await deleteAllAlerts(supertest, log);
});
it('should update a single rule property of name using a rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const updatedRule = getSimpleRuleUpdate('rule-1');
updatedRule.name = 'some other name';
@ -59,7 +60,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update two rule properties of name using the two rules rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// create a second simple rule
await supertest
@ -107,8 +108,8 @@ export default ({ getService }: FtrProviderContext) => {
webhookUrl: 'http://localhost:1234',
},
}),
createRule(supertest, getSimpleRule('rule-1')),
createRule(supertest, getSimpleRule('rule-2')),
createRule(supertest, log, getSimpleRule('rule-1')),
createRule(supertest, log, getSimpleRule('rule-2')),
]);
await Promise.all([
createLegacyRuleAction(supertest, rule1.id, connector.body.id),
@ -154,7 +155,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using an id', async () => {
const createRuleBody = await createRule(supertest, getSimpleRule('rule-1'));
const createRuleBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -176,8 +177,8 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update two rule properties of name using the two rules id', async () => {
const createRule1 = await createRule(supertest, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, getSimpleRule('rule-2'));
const createRule1 = await createRule(supertest, log, getSimpleRule('rule-1'));
const createRule2 = await createRule(supertest, log, getSimpleRule('rule-2'));
// update both rule names
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -211,7 +212,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update a single rule property of name using the auto-generated id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's name
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -233,7 +234,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change the version of a rule when it updates enabled and another property', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's enabled to false and another property
const updatedRule1 = getSimpleRuleUpdate('rule-1');
@ -256,7 +257,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should change other properties when it does updates and effectively delete them such as timeline_title', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
// update a simple rule's timeline_title
const ruleUpdate = getSimpleRuleUpdate('rule-1');
@ -329,7 +330,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update one rule property and give an error about a second fake rule_id', async () => {
await createRule(supertest, getSimpleRule('rule-1'));
await createRule(supertest, log, getSimpleRule('rule-1'));
const ruleUpdate = getSimpleRuleUpdate('rule-1');
ruleUpdate.name = 'some other name';
@ -364,7 +365,7 @@ export default ({ getService }: FtrProviderContext) => {
});
it('should update one rule property and give an error about a second fake id', async () => {
const createdBody = await createRule(supertest, getSimpleRule('rule-1'));
const createdBody = await createRule(supertest, log, getSimpleRule('rule-1'));
// update one rule name and give a fake id for the second
const rule1 = getSimpleRuleUpdate();

423
x-pack/test/detection_engine_api_integration/utils.ts
View file

@ -24,6 +24,7 @@ import type {
ExceptionListSchema,
} from '@kbn/securitysolution-io-ts-list-types';
import { EXCEPTION_LIST_ITEM_URL, EXCEPTION_LIST_URL } from '@kbn/securitysolution-list-constants';
import { ToolingLog } from '@kbn/dev-utils';
import { PrePackagedRulesAndTimelinesStatusSchema } from '../../plugins/security_solution/common/detection_engine/schemas/response';
import {
CreateRulesSchema,
@ -415,7 +416,8 @@ export const getSimpleMlRuleOutput = (ruleId = 'rule-1'): Partial<RulesSchema> =
* @param supertest The supertest agent.
*/
export const deleteAllAlerts = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
await countDownTest(
async () => {
@ -440,33 +442,42 @@ export const deleteAllAlerts = async (
return finalCheck.data.length === 0;
},
'deleteAllAlerts',
log,
50,
1000
);
};
export const downgradeImmutableRule = async (es: Client, ruleId: string): Promise<void> => {
return countDownES(async () => {
return es.updateByQuery(
{
index: '.kibana',
refresh: true,
wait_for_completion: true,
body: {
script: {
lang: 'painless',
source: 'ctx._source.alert.params.version--',
},
query: {
term: {
'alert.tags': `${INTERNAL_RULE_ID_KEY}:${ruleId}`,
export const downgradeImmutableRule = async (
es: Client,
log: ToolingLog,
ruleId: string
): Promise<void> => {
return countDownES(
async () => {
return es.updateByQuery(
{
index: '.kibana',
refresh: true,
wait_for_completion: true,
body: {
script: {
lang: 'painless',
source: 'ctx._source.alert.params.version--',
},
query: {
term: {
'alert.tags': `${INTERNAL_RULE_ID_KEY}:${ruleId}`,
},
},
},
},
},
{ meta: true }
);
}, 'downgradeImmutableRule');
{ meta: true }
);
},
'downgradeImmutableRule',
log
);
};
/**
@ -487,20 +498,25 @@ export const deleteAllTimelines = async (es: Client): Promise<void> => {
* Remove all rules statuses from the .kibana index
* This will retry 20 times before giving up and hopefully still not interfere with other tests
* @param es The ElasticSearch handle
* @param log The tooling logger
*/
export const deleteAllRulesStatuses = async (es: Client): Promise<void> => {
return countDownES(async () => {
return es.deleteByQuery(
{
index: '.kibana',
q: 'type:siem-detection-engine-rule-status',
wait_for_completion: true,
refresh: true,
body: {},
},
{ meta: true }
);
}, 'deleteAllRulesStatuses');
export const deleteAllRulesStatuses = async (es: Client, log: ToolingLog): Promise<void> => {
return countDownES(
async () => {
return es.deleteByQuery(
{
index: '.kibana',
q: 'type:siem-detection-engine-rule-status',
wait_for_completion: true,
refresh: true,
body: {},
},
{ meta: true }
);
},
'deleteAllRulesStatuses',
log
);
};
/**
@ -509,12 +525,17 @@ export const deleteAllRulesStatuses = async (es: Client): Promise<void> => {
* @param supertest The supertest client library
*/
export const createSignalsIndex = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
await countDownTest(async () => {
await supertest.post(DETECTION_ENGINE_INDEX_URL).set('kbn-xsrf', 'true').send();
return true;
}, 'createSignalsIndex');
await countDownTest(
async () => {
await supertest.post(DETECTION_ENGINE_INDEX_URL).set('kbn-xsrf', 'true').send();
return true;
},
'createSignalsIndex',
log
);
};
export const createLegacyRuleAction = async (
@ -545,12 +566,17 @@ export const createLegacyRuleAction = async (
* @param supertest The supertest client library
*/
export const deleteSignalsIndex = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
await countDownTest(async () => {
await supertest.delete(DETECTION_ENGINE_INDEX_URL).set('kbn-xsrf', 'true').send();
return true;
}, 'deleteSignalsIndex');
await countDownTest(
async () => {
await supertest.delete(DETECTION_ENGINE_INDEX_URL).set('kbn-xsrf', 'true').send();
return true;
},
'deleteSignalsIndex',
log
);
};
/**
@ -809,6 +835,7 @@ export const getSimpleRuleOutputWithWebHookAction = (actionId: string): Partial<
export const waitFor = async (
functionToTest: () => Promise<boolean>,
functionName: string,
log: ToolingLog,
maxTimeout: number = 800000,
timeoutWait: number = 250
): Promise<void> => {
@ -819,8 +846,7 @@ export const waitFor = async (
if (await functionToTest()) {
found = true;
} else {
// eslint-disable-next-line no-console
console.log(`Try number ${numberOfTries} out of ${maxTries} for function ${functionName}`);
log.debug(`Try number ${numberOfTries} out of ${maxTries} for function ${functionName}`);
numberOfTries++;
}
@ -838,12 +864,14 @@ export const waitFor = async (
* reliant.
* @param esFunction The function to test against
* @param esFunctionName The name of the function to print if we encounter errors
* @param log The tooling logger
* @param retryCount The number of times to retry before giving up (has default)
* @param timeoutWait Time to wait before trying again (has default)
*/
export const countDownES = async (
esFunction: () => Promise<TransportResult<Record<string, any>, unknown>>,
esFunctionName: string,
log: ToolingLog,
retryCount: number = 20,
timeoutWait = 250
): Promise<void> => {
@ -851,14 +879,14 @@ export const countDownES = async (
async () => {
const result = await esFunction();
if (result.body.version_conflicts !== 0) {
// eslint-disable-next-line no-console
console.log(`Version conflicts for ${result.body.version_conflicts}`);
log.error(`Version conflicts for ${result.body.version_conflicts}`);
return false;
} else {
return true;
}
},
esFunctionName,
log,
retryCount,
timeoutWait
);
@ -881,12 +909,14 @@ export const refreshIndex = async (es: Client, index?: string) => {
* for testing resiliency.
* @param functionToTest The function to test against
* @param name The name of the function to print if we encounter errors
* @param log The tooling logger
* @param retryCount The number of times to retry before giving up (has default)
* @param timeoutWait Time to wait before trying again (has default)
*/
export const countDownTest = async (
functionToTest: () => Promise<boolean>,
name: string,
log: ToolingLog,
retryCount: number = 20,
timeoutWait = 250,
ignoreThrow: boolean = false
@ -895,30 +925,27 @@ export const countDownTest = async (
try {
const passed = await functionToTest();
if (!passed) {
// eslint-disable-next-line no-console
console.log(`Failure trying to ${name}, retries left are: ${retryCount - 1}`);
log.error(`Failure trying to ${name}, retries left are: ${retryCount - 1}`);
// retry, counting down, and delay a bit before
await new Promise((resolve) => setTimeout(resolve, timeoutWait));
await countDownTest(functionToTest, name, retryCount - 1, timeoutWait, ignoreThrow);
await countDownTest(functionToTest, name, log, retryCount - 1, timeoutWait, ignoreThrow);
}
} catch (err) {
if (ignoreThrow) {
throw err;
} else {
// eslint-disable-next-line no-console
console.log(
`Failure trying to ${name}, with exception message of:`,
err.message,
`retries left are: ${retryCount - 1}`
log.error(
`Failure trying to ${name}, with exception message of: ${
err.message
}, retries left are: ${retryCount - 1}`
);
// retry, counting down, and delay a bit before
await new Promise((resolve) => setTimeout(resolve, timeoutWait));
await countDownTest(functionToTest, name, retryCount - 1, timeoutWait, ignoreThrow);
await countDownTest(functionToTest, name, log, retryCount - 1, timeoutWait, ignoreThrow);
}
}
} else {
// eslint-disable-next-line no-console
console.log(`Could not ${name}, no retries are left`);
log.error(`Could not ${name}, no retries are left`);
}
};
@ -929,9 +956,11 @@ export const countDownTest = async (
* rule a second attempt. It only re-tries adding the rule if it encounters a conflict once.
* @param supertest The supertest deps
* @param rule The rule to create
* @param log The tooling logger
*/
export const createRule = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
rule: CreateRulesSchema
): Promise<FullResponseSchema> => {
const response = await supertest
@ -940,13 +969,12 @@ export const createRule = async (
.send(rule);
if (response.status === 409) {
if (rule.rule_id != null) {
// eslint-disable-next-line no-console
console.log(
log.debug(
`Did not get an expected 200 "ok" when creating a rule (createRule). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
await deleteRule(supertest, rule.rule_id);
await deleteRule(supertest, log, rule.rule_id);
const secondResponseTry = await supertest
.post(DETECTION_ENGINE_RULES_URL)
.set('kbn-xsrf', 'true')
@ -976,18 +1004,19 @@ export const createRule = async (
* Helper to cut down on the noise in some of the tests. Does a delete of a rule.
* It does not check for a 200 "ok" on this.
* @param supertest The supertest deps
* @param id The rule id to delete
* @param ruleId The rule id to delete
* @param log The tooling logger
*/
export const deleteRule = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
ruleId: string
): Promise<FullResponseSchema> => {
const response = await supertest
.delete(`${DETECTION_ENGINE_RULES_URL}?rule_id=${ruleId}`)
.set('kbn-xsrf', 'true');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when deleting the rule (deleteRule). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1023,6 +1052,7 @@ export const createRuleWithAuth = async (
*/
export const updateRule = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
updatedRule: UpdateRulesSchema
): Promise<FullResponseSchema> => {
const response = await supertest
@ -1030,8 +1060,7 @@ export const updateRule = async (
.set('kbn-xsrf', 'true')
.send(updatedRule);
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when updating a rule (updateRule). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1045,14 +1074,16 @@ export const updateRule = async (
* creates a new action and expects a 200 and does not do any retries.
* @param supertest The supertest deps
*/
export const createNewAction = async (supertest: SuperTest.SuperTest<SuperTest.Test>) => {
export const createNewAction = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
) => {
const response = await supertest
.post('/api/actions/action')
.set('kbn-xsrf', 'true')
.send(getWebHookAction());
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when creating a new action. CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1068,6 +1099,7 @@ export const createNewAction = async (supertest: SuperTest.SuperTest<SuperTest.T
*/
export const findImmutableRuleById = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
ruleId: string
): Promise<{
page: number;
@ -1082,8 +1114,7 @@ export const findImmutableRuleById = async (
.set('kbn-xsrf', 'true')
.send();
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when finding an immutable rule by id (findImmutableRuleById). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1098,7 +1129,8 @@ export const findImmutableRuleById = async (
* @param supertest The supertest deps
*/
export const getPrePackagedRulesStatus = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<PrePackagedRulesAndTimelinesStatusSchema> => {
const response = await supertest
.get(`${DETECTION_ENGINE_PREPACKAGED_URL}/_status`)
@ -1106,8 +1138,7 @@ export const getPrePackagedRulesStatus = async (
.send();
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when getting a pre-packaged rule status. CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1120,10 +1151,12 @@ export const getPrePackagedRulesStatus = async (
* Helper to cut down on the noise in some of the tests. This checks for
* an expected 200 still and does not try to any retries. Creates exception lists
* @param supertest The supertest deps
* @param rule The rule to create
* @param exceptionList The exception list to create
* @param log The tooling logger
*/
export const createExceptionList = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
exceptionList: CreateExceptionListSchema
): Promise<ExceptionListSchema> => {
const response = await supertest
@ -1133,13 +1166,12 @@ export const createExceptionList = async (
if (response.status === 409) {
if (exceptionList.list_id != null) {
// eslint-disable-next-line no-console
console.log(
log.error(
`When creating an exception list found an unexpected conflict (409) creating an exception list (createExceptionList), will attempt a cleanup and one time re-try. This usually indicates a bad cleanup or race condition within the tests: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
await deleteExceptionList(supertest, exceptionList.list_id);
await deleteExceptionList(supertest, log, exceptionList.list_id);
const secondResponseTry = await supertest
.post(EXCEPTION_LIST_URL)
.set('kbn-xsrf', 'true')
@ -1171,18 +1203,19 @@ export const createExceptionList = async (
* Helper to cut down on the noise in some of the tests. Does a delete of an exception list.
* It does not check for a 200 "ok" on this.
* @param supertest The supertest deps
* @param id The rule id to delete
* @param listId The exception list to delete
* @param log The tooling logger
*/
export const deleteExceptionList = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
listId: string
): Promise<FullResponseSchema> => {
const response = await supertest
.delete(`${EXCEPTION_LIST_URL}?list_id=${listId}`)
.set('kbn-xsrf', 'true');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when deleting an exception list (deleteExceptionList). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1196,10 +1229,12 @@ export const deleteExceptionList = async (
* Helper to cut down on the noise in some of the tests. This checks for
* an expected 200 still and does not try to any retries. Creates exception lists
* @param supertest The supertest deps
* @param rule The rule to create
* @param exceptionListItem The exception list item to create
* @param log The tooling logger
*/
export const createExceptionListItem = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
exceptionListItem: CreateExceptionListItemSchema
): Promise<ExceptionListItemSchema> => {
const response = await supertest
@ -1208,8 +1243,7 @@ export const createExceptionListItem = async (
.send(exceptionListItem);
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when creating an exception list item (createExceptionListItem). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1226,6 +1260,7 @@ export const createExceptionListItem = async (
*/
export const getRule = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
ruleId: string
): Promise<RulesSchema> => {
const response = await supertest
@ -1233,8 +1268,7 @@ export const getRule = async (
.set('kbn-xsrf', 'true');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when getting a rule (getRule). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1245,20 +1279,24 @@ export const getRule = async (
export const waitForAlertToComplete = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
id: string
): Promise<void> => {
await waitFor(async () => {
const response = await supertest.get(`/api/alerts/alert/${id}/state`).set('kbn-xsrf', 'true');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected 200 "ok" when waiting for an alert to complete (waitForAlertToComplete). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
return response.body.previousStartedAt != null;
}, 'waitForAlertToComplete');
await waitFor(
async () => {
const response = await supertest.get(`/api/alerts/alert/${id}/state`).set('kbn-xsrf', 'true');
if (response.status !== 200) {
log.error(
`Did not get an expected 200 "ok" when waiting for an alert to complete (waitForAlertToComplete). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
return response.body.previousStartedAt != null;
},
'waitForAlertToComplete',
log
);
};
/**
@ -1268,40 +1306,43 @@ export const waitForAlertToComplete = async (
*/
export const waitForRuleSuccessOrStatus = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
id: string,
status: 'succeeded' | 'failed' | 'partial failure' | 'warning' = 'succeeded'
): Promise<void> => {
await waitFor(async () => {
try {
const response = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
.set('kbn-xsrf', 'true')
.send({ ids: [id] });
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected 200 "ok" when waiting for a rule success or status (waitForRuleSuccessOrStatus). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
if (response.body[id]?.current_status?.status !== status) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected status of ${status} while waiting for a rule success or status for rule id ${id} (waitForRuleSuccessOrStatus). Will continue retrying until status is found. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
await waitFor(
async () => {
try {
const response = await supertest
.post(`${DETECTION_ENGINE_RULES_URL}/_find_statuses`)
.set('kbn-xsrf', 'true')
.send({ ids: [id] });
if (response.status !== 200) {
log.error(
`Did not get an expected 200 "ok" when waiting for a rule success or status (waitForRuleSuccessOrStatus). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
if (response.body[id]?.current_status?.status !== status) {
log.debug(
`Did not get an expected status of ${status} while waiting for a rule success or status for rule id ${id} (waitForRuleSuccessOrStatus). Will continue retrying until status is found. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
);
}
return response.body[id]?.current_status?.status === status;
} catch (e) {
if ((e as Error).message.includes('got 503 "Service Unavailable"')) {
return false;
return response.body[id]?.current_status?.status === status;
} catch (e) {
if ((e as Error).message.includes('got 503 "Service Unavailable"')) {
return false;
}
throw e;
}
throw e;
}
}, 'waitForRuleSuccessOrStatus');
},
'waitForRuleSuccessOrStatus',
log
);
};
/**
@ -1312,15 +1353,17 @@ export const waitForRuleSuccessOrStatus = async (
*/
export const waitForSignalsToBePresent = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
numberOfSignals = 1,
signalIds: string[]
): Promise<void> => {
await waitFor(
async () => {
const signalsOpen = await getSignalsByIds(supertest, signalIds, numberOfSignals);
const signalsOpen = await getSignalsByIds(supertest, log, signalIds, numberOfSignals);
return signalsOpen.hits.hits.length >= numberOfSignals;
},
'waitForSignalsToBePresent',
log,
20000,
250 // Wait 250ms between tries
);
@ -1332,6 +1375,7 @@ export const waitForSignalsToBePresent = async (
*/
export const getSignalsByRuleIds = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
ruleIds: string[]
): Promise<estypes.SearchResponse<RACAlert>> => {
const response = await supertest
@ -1340,8 +1384,7 @@ export const getSignalsByRuleIds = async (
.send(getQuerySignalsRuleId(ruleIds));
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when getting a signal by rule_id (getSignalsByRuleIds). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1360,6 +1403,7 @@ export const getSignalsByRuleIds = async (
*/
export const getSignalsByIds = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
ids: string[],
size?: number
): Promise<estypes.SearchResponse<RACAlert>> => {
@ -1369,8 +1413,7 @@ export const getSignalsByIds = async (
.send(getQuerySignalsId(ids, size));
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when getting a signal by id. CI issues could happen (getSignalsByIds). Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1387,6 +1430,7 @@ export const getSignalsByIds = async (
*/
export const getSignalsById = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
id: string
): Promise<estypes.SearchResponse<RACAlert>> => {
const response = await supertest
@ -1395,8 +1439,7 @@ export const getSignalsById = async (
.send(getQuerySignalsId([id]));
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when getting signals by id (getSignalsById). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1407,24 +1450,28 @@ export const getSignalsById = async (
};
export const installPrePackagedRules = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
await countDownTest(async () => {
const { status, body } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status !== 200) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected 200 "ok" when installing pre-packaged rules (installPrePackagedRules) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
await countDownTest(
async () => {
const { status, body } = await supertest
.put(DETECTION_ENGINE_PREPACKAGED_URL)
.set('kbn-xsrf', 'true')
.send();
if (status !== 200) {
log.debug(
`Did not get an expected 200 "ok" when installing pre-packaged rules (installPrePackagedRules) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
return status === 200;
}, 'installPrePackagedRules');
return status === 200;
},
'installPrePackagedRules',
log
);
};
/**
@ -1436,6 +1483,7 @@ export const installPrePackagedRules = async (
*/
export const createContainerWithEndpointEntries = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
endpointEntries: Array<{
entries: NonEmptyEntriesArray;
osTypes: OsTypeArray | undefined;
@ -1448,7 +1496,7 @@ export const createContainerWithEndpointEntries = async (
// create the endpoint exception list container
// eslint-disable-next-line @typescript-eslint/naming-convention
const { id, list_id, namespace_type, type } = await createExceptionList(supertest, {
const { id, list_id, namespace_type, type } = await createExceptionList(supertest, log, {
description: 'endpoint description',
list_id: 'endpoint_list',
name: 'endpoint_list',
@ -1466,16 +1514,20 @@ export const createContainerWithEndpointEntries = async (
os_types: endpointEntry.osTypes,
type: 'simple',
};
return createExceptionListItem(supertest, exceptionListItem);
return createExceptionListItem(supertest, log, exceptionListItem);
})
);
// To reduce the odds of in-determinism and/or bugs we ensure we have
// the same length of entries before continuing.
await waitFor(async () => {
const { body } = await supertest.get(`${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
return body.data.length === endpointEntries.length;
}, `within createContainerWithEndpointEntries ${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
await waitFor(
async () => {
const { body } = await supertest.get(`${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
return body.data.length === endpointEntries.length;
},
`within createContainerWithEndpointEntries ${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`,
log
);
return [
{
@ -1496,6 +1548,7 @@ export const createContainerWithEndpointEntries = async (
*/
export const createContainerWithEntries = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
entries: NonEmptyEntriesArray[]
): Promise<ListArray> => {
// If not given any endpoint entries, return without any
@ -1504,7 +1557,7 @@ export const createContainerWithEntries = async (
}
// Create the rule exception list container
// eslint-disable-next-line @typescript-eslint/naming-convention
const { id, list_id, namespace_type, type } = await createExceptionList(supertest, {
const { id, list_id, namespace_type, type } = await createExceptionList(supertest, log, {
description: 'some description',
list_id: 'some-list-id',
name: 'some name',
@ -1521,16 +1574,20 @@ export const createContainerWithEntries = async (
type: 'simple',
entries: entry,
};
return createExceptionListItem(supertest, exceptionListItem);
return createExceptionListItem(supertest, log, exceptionListItem);
})
);
// To reduce the odds of in-determinism and/or bugs we ensure we have
// the same length of entries before continuing.
await waitFor(async () => {
const { body } = await supertest.get(`${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
return body.data.length === entries.length;
}, `within createContainerWithEntries ${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
await waitFor(
async () => {
const { body } = await supertest.get(`${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`);
return body.data.length === entries.length;
},
`within createContainerWithEntries ${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${list_id}`,
log
);
return [
{
@ -1554,6 +1611,7 @@ export const createContainerWithEntries = async (
*/
export const createRuleWithExceptionEntries = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
rule: CreateRulesSchema,
entries: NonEmptyEntriesArray[],
endpointEntries?: Array<{
@ -1561,9 +1619,10 @@ export const createRuleWithExceptionEntries = async (
osTypes: OsTypeArray | undefined;
}>
): Promise<FullResponseSchema> => {
const maybeExceptionList = await createContainerWithEntries(supertest, entries);
const maybeExceptionList = await createContainerWithEntries(supertest, log, entries);
const maybeEndpointList = await createContainerWithEndpointEntries(
supertest,
log,
endpointEntries ?? []
);
@ -1576,15 +1635,14 @@ export const createRuleWithExceptionEntries = async (
enabled: false,
exceptions_list: [...maybeExceptionList, ...maybeEndpointList],
};
const ruleResponse = await createRule(supertest, ruleWithException);
const ruleResponse = await createRule(supertest, log, ruleWithException);
const response = await supertest
.patch(DETECTION_ENGINE_RULES_URL)
.set('kbn-xsrf', 'true')
.send({ rule_id: ruleResponse.rule_id, enabled: true });
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when patching a rule with exception entries (createRuleWithExceptionEntries). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1609,11 +1667,19 @@ export const getIndexNameFromLoad = (loadResponse: Record<string, unknown>): str
* @param esClient elasticsearch {@link Client}
* @param index name of the index to query
*/
export const waitForIndexToPopulate = async (es: Client, index: string): Promise<void> => {
await waitFor(async () => {
const response = await es.count({ index });
return response.count > 0;
}, `waitForIndexToPopulate: ${index}`);
export const waitForIndexToPopulate = async (
es: Client,
log: ToolingLog,
index: string
): Promise<void> => {
await waitFor(
async () => {
const response = await es.count({ index });
return response.count > 0;
},
`waitForIndexToPopulate: ${index}`,
log
);
};
export const deleteMigrations = async ({
@ -1642,8 +1708,10 @@ interface CreateMigrationResponse {
export const startSignalsMigration = async ({
indices,
supertest,
log,
}: {
supertest: SuperTest.SuperTest<SuperTest.Test>;
log: ToolingLog;
indices: string[];
}): Promise<CreateMigrationResponse[]> => {
const response = await supertest
@ -1655,8 +1723,7 @@ export const startSignalsMigration = async ({
body: { indices: created },
}: { body: { indices: CreateMigrationResponse[] } } = response;
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when starting a signals migration (startSignalsMigration). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1674,8 +1741,10 @@ interface FinalizeMigrationResponse {
export const finalizeSignalsMigration = async ({
migrationIds,
supertest,
log,
}: {
supertest: SuperTest.SuperTest<SuperTest.Test>;
log: ToolingLog;
migrationIds: string[];
}): Promise<FinalizeMigrationResponse[]> => {
const response = await supertest
@ -1687,8 +1756,7 @@ export const finalizeSignalsMigration = async ({
body: { migrations },
}: { body: { migrations: FinalizeMigrationResponse[] } } = response;
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when finalizing signals migration (finalizeSignalsMigration). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -1699,13 +1767,14 @@ export const finalizeSignalsMigration = async ({
export const getOpenSignals = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
es: Client,
rule: FullResponseSchema
) => {
await waitForRuleSuccessOrStatus(supertest, rule.id);
await waitForRuleSuccessOrStatus(supertest, log, rule.id);
// Critically important that we wait for rule success AND refresh the write index in that order before we
// assert that no signals were created. Otherwise, signals could be written but not available to query yet
// when we search, causing tests that check that signals are NOT created to pass when they should fail.
await refreshIndex(es, '.alerts-security.alerts-default*');
return getSignalsByIds(supertest, [rule.id]);
return getSignalsByIds(supertest, log, [rule.id]);
};

3
x-pack/test/lists_api_integration/security_and_spaces/tests/create_exception_list_items.ts
View file

@ -27,6 +27,7 @@ import { deleteAllExceptions } from '../../utils';
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('create_exception_list_items', () => {
describe('validation errors', () => {
@ -46,7 +47,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('creating exception list items', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should create a simple exception list item with a list item id', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/create_exception_lists.ts
View file

@ -21,11 +21,12 @@ import { deleteAllExceptions, removeExceptionListServerGeneratedProperties } fro
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('create_exception_lists', () => {
describe('creating exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should create a simple exception list', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/create_list_items.ts
View file

@ -27,6 +27,7 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('create_list_items', () => {
describe('validation errors', () => {
@ -46,11 +47,11 @@ export default ({ getService }: FtrProviderContext) => {
describe('creating list items', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should create a simple list item with a list item id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/create_lists.ts
View file

@ -24,15 +24,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('create_lists', () => {
describe('creating lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should create a simple list with a list_id', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/delete_exception_list_items.ts
View file

@ -22,11 +22,12 @@ import { deleteAllExceptions, removeExceptionListItemServerGeneratedProperties }
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_exception_list_items', () => {
describe('delete exception list items', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should delete a single exception list item by its item_id', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/delete_exception_lists.ts
View file

@ -21,11 +21,12 @@ import { deleteAllExceptions, removeExceptionListServerGeneratedProperties } fro
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_exception_lists', () => {
describe('delete exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should delete a single exception list by its list_id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/delete_list_items.ts
View file

@ -22,15 +22,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_list_items', () => {
describe('deleting list items', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should delete a single list item with a list item id', async () => {

7
x-pack/test/lists_api_integration/security_and_spaces/tests/delete_lists.ts
View file

@ -33,15 +33,16 @@ import { DETECTION_TYPE, LIST_ID } from '../../../../plugins/lists/common/consta
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('delete_lists', () => {
describe('deleting lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should delete a single list with a list id', async () => {
@ -116,7 +117,7 @@ export default ({ getService }: FtrProviderContext) => {
describe('deleting lists referenced in exceptions', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should return an error when deleting a list referenced within an exception list item', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/export_exception_list.ts
View file

@ -22,11 +22,12 @@ import { getCreateExceptionListItemMinimalSchemaMock } from '../../../../plugins
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('export_exception_list_route', () => {
describe('exporting exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should set the response content types to be expected', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/export_list_items.ts
View file

@ -18,15 +18,16 @@ import { createListsIndex, deleteListsIndex, binaryToString } from '../../utils'
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('export_list_items', () => {
describe('exporting lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should set the response content types to be expected', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/find_exception_list_items.ts
View file

@ -18,11 +18,12 @@ import { deleteAllExceptions, removeExceptionListItemServerGeneratedProperties }
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_exception_list_items', () => {
describe('find exception list items', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should return an empty find body correctly if no exception list items are loaded', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/find_exception_lists.ts
View file

@ -17,11 +17,12 @@ import { deleteAllExceptions, removeExceptionListServerGeneratedProperties } fro
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_exception_lists', () => {
describe('find exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should return an empty find body correctly if no exception lists are loaded', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/find_list_items.ts
View file

@ -23,15 +23,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_list_items', () => {
describe('find list items', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should give a validation error if the list_id is not supplied', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/find_lists.ts
View file

@ -21,15 +21,16 @@ import { getListResponseMockWithoutAutoGeneratedValues } from '../../../../plugi
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('find_lists', () => {
describe('find lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should return an empty find body correctly if no lists are loaded', async () => {

21
x-pack/test/lists_api_integration/security_and_spaces/tests/import_list_items.ts
View file

@ -25,6 +25,7 @@ import { getImportListItemAsBuffer } from '../../../../plugins/lists/common/sche
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext): void => {
const supertest = getService('supertest');
const log = getService('log');
describe('import_list_items', () => {
describe('importing list items without an index', () => {
@ -46,11 +47,11 @@ export default ({ getService }: FtrProviderContext): void => {
describe('importing lists with an index', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should set the response content types to be expected when importing two items', async () => {
@ -88,12 +89,16 @@ export default ({ getService }: FtrProviderContext): void => {
// Although we try to be aggressive with waitFor in the lists code base, there is still not guarantees
// that we will have the data just yet so we have to do a waitFor here for when it shows up
await waitFor(async () => {
const { status } = await supertest
.get(`${LIST_ITEM_URL}?list_id=list_items.txt&value=127.0.0.1`)
.send();
return status !== 404;
}, `${LIST_ITEM_URL}?list_id=list_items.txt&value=127.0.0.1`);
await waitFor(
async () => {
const { status } = await supertest
.get(`${LIST_ITEM_URL}?list_id=list_items.txt&value=127.0.0.1`)
.send();
return status !== 404;
},
`${LIST_ITEM_URL}?list_id=list_items.txt&value=127.0.0.1`,
log
);
const { body } = await supertest
.get(`${LIST_ITEM_URL}?list_id=list_items.txt&value=127.0.0.1`)
.send()

3
x-pack/test/lists_api_integration/security_and_spaces/tests/read_exception_list_items.ts
View file

@ -22,11 +22,12 @@ import { deleteAllExceptions, removeExceptionListItemServerGeneratedProperties }
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_exception_list_items', () => {
describe('reading exception list items', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should be able to read a single exception list items using item_id', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/read_exception_lists.ts
View file

@ -21,11 +21,12 @@ import { deleteAllExceptions, removeExceptionListServerGeneratedProperties } fro
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_exception_lists', () => {
describe('reading exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should be able to read a single exception list using list_id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/read_list_items.ts
View file

@ -22,15 +22,16 @@ import {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_list_items', () => {
describe('reading list items', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should be able to read a single list item using id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/read_lists.ts
View file

@ -24,15 +24,16 @@ import { getListResponseMockWithoutAutoGeneratedValues } from '../../../../plugi
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('read_lists', () => {
describe('reading lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should be able to read a single list using id', async () => {

7
x-pack/test/lists_api_integration/security_and_spaces/tests/summary_exception_lists.ts
View file

@ -21,15 +21,16 @@ interface SummaryResponseType {
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('summary_exception_lists', () => {
describe('summary exception lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteAllExceptions(supertest);
await deleteListsIndex(supertest, log);
await deleteAllExceptions(supertest, log);
});
it('should give a validation error if the list_id and the id are not supplied', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/update_exception_list_items.ts
View file

@ -24,11 +24,12 @@ import { getUpdateMinimalExceptionListItemSchemaMock } from '../../../../plugins
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_exception_list_items', () => {
describe('update exception list items', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should update a single exception list item property of name using an id', async () => {

3
x-pack/test/lists_api_integration/security_and_spaces/tests/update_exception_lists.ts
View file

@ -23,11 +23,12 @@ import { getUpdateMinimalExceptionListSchemaMock } from '../../../../plugins/lis
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_exception_lists', () => {
describe('update exception lists', () => {
afterEach(async () => {
await deleteAllExceptions(supertest);
await deleteAllExceptions(supertest, log);
});
it('should update a single exception list property of name using an id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/update_list_items.ts
View file

@ -28,15 +28,16 @@ import { getUpdateMinimalListItemSchemaMock } from '../../../../plugins/lists/co
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_list_items', () => {
describe('update list items', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should update a single list item property of value using an id', async () => {

5
x-pack/test/lists_api_integration/security_and_spaces/tests/update_lists.ts
View file

@ -23,15 +23,16 @@ import { getUpdateMinimalListSchemaMock } from '../../../../plugins/lists/common
// eslint-disable-next-line import/no-default-export
export default ({ getService }: FtrProviderContext) => {
const supertest = getService('supertest');
const log = getService('log');
describe('update_lists', () => {
describe('update lists', () => {
beforeEach(async () => {
await createListsIndex(supertest);
await createListsIndex(supertest, log);
});
afterEach(async () => {
await deleteListsIndex(supertest);
await deleteListsIndex(supertest, log);
});
it('should update a single list property of name using an id', async () => {

148
x-pack/test/lists_api_integration/utils.ts
View file

@ -20,6 +20,7 @@ import {
LIST_INDEX,
LIST_ITEM_URL,
} from '@kbn/securitysolution-list-constants';
import { ToolingLog } from '@kbn/dev-utils';
import { getImportListItemAsBuffer } from '../../plugins/lists/common/schemas/request/import_list_item_schema.mock';
import { countDownTest } from '../detection_engine_api_integration/utils';
@ -29,12 +30,17 @@ import { countDownTest } from '../detection_engine_api_integration/utils';
* @param supertest The supertest client library
*/
export const createListsIndex = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
return countDownTest(async () => {
await supertest.post(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
}, 'createListsIndex');
return countDownTest(
async () => {
await supertest.post(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
},
'createListsIndex',
log
);
};
/**
@ -42,12 +48,17 @@ export const createListsIndex = async (
* @param supertest The supertest client library
*/
export const deleteListsIndex = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
return countDownTest(async () => {
await supertest.delete(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
}, 'deleteListsIndex');
return countDownTest(
async () => {
await supertest.delete(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
},
'deleteListsIndex',
log
);
};
/**
@ -56,12 +67,17 @@ export const deleteListsIndex = async (
* @param supertest The supertest client library
*/
export const createExceptionListsIndex = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
return countDownTest(async () => {
await supertest.post(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
}, 'createListsIndex');
return countDownTest(
async () => {
await supertest.post(LIST_INDEX).set('kbn-xsrf', 'true').send();
return true;
},
'createListsIndex',
log
);
};
/**
@ -116,6 +132,7 @@ export const removeExceptionListServerGeneratedProperties = (
export const waitFor = async (
functionToTest: () => Promise<boolean>,
functionName: string,
log: ToolingLog,
maxTimeout: number = 800000,
timeoutWait: number = 250
) => {
@ -131,10 +148,7 @@ export const waitFor = async (
if (itPasses) {
found = true;
} else {
// eslint-disable-next-line no-console
console.log(
`Try number ${numberOfTries} out of ${maxTries} for function ${functionName}`
);
log.debug(`Try number ${numberOfTries} out of ${maxTries} for function ${functionName}`);
numberOfTries++;
}
@ -174,7 +188,8 @@ export const binaryToString = (res: any, callback: any): void => {
* @param supertest The supertest handle
*/
export const deleteAllExceptions = async (
supertest: SuperTest.SuperTest<SuperTest.Test>
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog
): Promise<void> => {
await countDownTest(
async () => {
@ -194,6 +209,7 @@ export const deleteAllExceptions = async (
return finalCheck.data.length === 0;
},
'deleteAllExceptions',
log,
50,
1000
);
@ -210,6 +226,7 @@ export const deleteAllExceptions = async (
*/
export const importFile = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
type: Type,
contents: string[],
fileName: string,
@ -222,8 +239,7 @@ export const importFile = async (
.expect('Content-Type', 'application/json; charset=utf-8');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" When importing a file (importFile). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -233,7 +249,7 @@ export const importFile = async (
// although we have pushed the list and its items, it is async so we
// have to wait for the contents before continuing
const testValuesOrContents = testValues ?? contents;
await waitForListItems(supertest, testValuesOrContents, fileName);
await waitForListItems(supertest, log, testValuesOrContents, fileName);
};
/**
@ -247,6 +263,7 @@ export const importFile = async (
*/
export const importTextFile = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
type: Type,
contents: string[],
fileName: string
@ -258,8 +275,7 @@ export const importTextFile = async (
.expect('Content-Type', 'application/json; charset=utf-8');
if (response.status !== 200) {
// eslint-disable-next-line no-console
console.log(
log.error(
`Did not get an expected 200 "ok" when importing a text file (importTextFile). CI issues could happen. Suspect this line if you are seeing CI issues. body: ${JSON.stringify(
response.body
)}, status: ${JSON.stringify(response.status)}`
@ -268,7 +284,7 @@ export const importTextFile = async (
// although we have pushed the list and its items, it is async so we
// have to wait for the contents before continuing
await waitForTextListItems(supertest, contents, fileName);
await waitForTextListItems(supertest, log, contents, fileName);
};
/**
@ -280,23 +296,27 @@ export const importTextFile = async (
*/
export const waitForListItem = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
itemValue: string,
fileName: string
): Promise<void> => {
await waitFor(async () => {
const { status, body } = await supertest
.get(`${LIST_ITEM_URL}?list_id=${fileName}&value=${itemValue}`)
.send();
if (status !== 200) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected 200 "ok" when waiting for a list item (waitForListItem) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
return status === 200;
}, `waitForListItem fileName: "${fileName}" itemValue: "${itemValue}"`);
await waitFor(
async () => {
const { status, body } = await supertest
.get(`${LIST_ITEM_URL}?list_id=${fileName}&value=${itemValue}`)
.send();
if (status !== 200) {
log.debug(
`Did not get an expected 200 "ok" when waiting for a list item (waitForListItem) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
return status === 200;
},
`waitForListItem fileName: "${fileName}" itemValue: "${itemValue}"`,
log
);
};
/**
@ -308,10 +328,11 @@ export const waitForListItem = async (
*/
export const waitForListItems = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
itemValues: string[],
fileName: string
): Promise<void> => {
await Promise.all(itemValues.map((item) => waitForListItem(supertest, item, fileName)));
await Promise.all(itemValues.map((item) => waitForListItem(supertest, log, item, fileName)));
};
/**
@ -323,29 +344,33 @@ export const waitForListItems = async (
*/
export const waitForTextListItem = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
itemValue: string,
fileName: string
): Promise<void> => {
const tokens = itemValue.split(' ');
await waitFor(async () => {
const promises = await Promise.all(
tokens.map(async (token) => {
const { status, body } = await supertest
.get(`${LIST_ITEM_URL}?list_id=${fileName}&value=${token}`)
.send();
if (status !== 200) {
// eslint-disable-next-line no-console
console.log(
`Did not get an expected 200 "ok" when waiting for a text list item (waitForTextListItem) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
return status === 200;
})
);
return promises.every((one) => one);
}, `waitForTextListItem fileName: "${fileName}" itemValue: "${itemValue}"`);
await waitFor(
async () => {
const promises = await Promise.all(
tokens.map(async (token) => {
const { status, body } = await supertest
.get(`${LIST_ITEM_URL}?list_id=${fileName}&value=${token}`)
.send();
if (status !== 200) {
log.error(
`Did not get an expected 200 "ok" when waiting for a text list item (waitForTextListItem) yet. Retrying until we get a 200 "ok". body: ${JSON.stringify(
body
)}, status: ${JSON.stringify(status)}`
);
}
return status === 200;
})
);
return promises.every((one) => one);
},
`waitForTextListItem fileName: "${fileName}" itemValue: "${itemValue}"`,
log
);
};
/**
@ -358,8 +383,9 @@ export const waitForTextListItem = async (
*/
export const waitForTextListItems = async (
supertest: SuperTest.SuperTest<SuperTest.Test>,
log: ToolingLog,
itemValues: string[],
fileName: string
): Promise<void> => {
await Promise.all(itemValues.map((item) => waitForTextListItem(supertest, item, fileName)));
await Promise.all(itemValues.map((item) => waitForTextListItem(supertest, log, item, fileName)));
};