Updated alerting and security analytics cypress tests for 2.9 patch. (#…

…930) * [2.10] Latest tests security analytics (#826) * updated tests Signed-off-by: Amardeepsingh Siglani <[email protected]> * excluded a couple tests; fixed alerts tests Signed-off-by: Amardeepsingh Siglani <[email protected]> --------- Signed-off-by: Amardeepsingh Siglani <[email protected]> * updated mappings for test index (#841) Signed-off-by: Amardeepsingh Siglani <[email protected]> * avoid clicking filter menu btn twice (#849) Signed-off-by: Amardeepsingh Siglani <[email protected]> * removed check for url since it differs with and without security (#863) Signed-off-by: Amardeepsingh Siglani <[email protected]> * excluded flaky test (#891) Signed-off-by: Amardeepsingh Siglani <[email protected]> * Updated security analytics cypress tests for 2.9 patch. Signed-off-by: AWSHurneyt <[email protected]> * Skipping flaky test. Signed-off-by: AWSHurneyt <[email protected]> * Updated alerting cypress tests. Signed-off-by: AWSHurneyt <[email protected]> --------- Signed-off-by: Amardeepsingh Siglani <[email protected]> Signed-off-by: AWSHurneyt <[email protected]> Co-authored-by: Amardeepsingh Siglani <[email protected]>
opensearch-project · Oct 16, 2023 · af53f24 · af53f24
1 parent bb18274
commit af53f24
Show file tree

Hide file tree

Showing 33 changed files with 2,227 additions and 1,096 deletions.
diff --git a/...rity-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_data.json b/...rity-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_data.json
@@ -27,19 +27,19 @@
   "triggers": [
     {
       "name": "DNS name alert",
-      "sev_levels": ["low"],
-      "tags": ["dns.low"],
+      "sev_levels": ["high"],
+      "tags": ["dns.high"],
       "actions": [
         {
           "id": "",
-          "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+          "name": "Triggered alert condition:  - Severity: 1 (Highest)  - Threat detector: Cypress DNS Detector",
           "destination_id": "",
           "subject_template": {
-            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+            "source": "Triggered alert condition:  - Severity: 1 (Highest)  - Threat detector: Cypress DNS Detector",
             "lang": "mustache"
           },
           "message_template": {
-            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: Cypress DNS Detector\nDescription: Detects DNS names.\nDetector data sources:\n\tdns",
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest) \nThreat detector: Cypress DNS Detector\nDescription: Detects DNS names.\nDetector data sources:\n\tdns",
             "lang": "mustache"
           },
           "throttle_enabled": false,

diff --git a/...ytics-dashboards-plugin/integration_tests/detector/create_dns_detector_mappings_data.json b/...ytics-dashboards-plugin/integration_tests/detector/create_dns_detector_mappings_data.json
@@ -2,15 +2,15 @@
   "properties": {
     "dns-answers-type": {
       "type": "alias",
-      "path": "DnsAnswerType"
+      "path": "dns.answers.type"
     },
     "dns-question-name": {
       "type": "alias",
-      "path": "DnsQuestionName"
+      "path": "dns.question.name"
     },
     "dns-question-registered_domain": {
       "type": "alias",
-      "path": "DnsQuestionRegisteredDomain"
+      "path": "dns.question.registered_domain"
     }
   }
 }
diff --git a/...rity-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_data.json b/...rity-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_data.json
@@ -27,19 +27,19 @@
   "triggers": [
     {
       "name": "USB plugged in alert",
-      "sev_levels": ["low"],
+      "sev_levels": ["high"],
       "tags": ["windows.usb"],
       "actions": [
         {
           "id": "",
           "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
           "destination_id": "",
           "subject_template": {
-            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
+            "source": "Triggered alert condition:  - Severity: 1 (Highest)  - Threat detector: USB Detector",
             "lang": "mustache"
           },
           "message_template": {
-            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: USB Detector\nDescription: Detect USB plugged in.\nDetector data sources:\n\twindows",
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest) \nThreat detector: USB Detector\nDescription: Detect USB plugged in.\nDetector data sources:\n\twindows",
             "lang": "mustache"
           },
           "throttle_enabled": false,

diff --git a/...ytics-dashboards-plugin/integration_tests/detector/create_usb_detector_mappings_data.json b/...ytics-dashboards-plugin/integration_tests/detector/create_usb_detector_mappings_data.json
@@ -1,28 +1,12 @@
 {
   "properties": {
-    "event_uid": {
+    "winlog.event_id": {
       "type": "alias",
       "path": "EventID"
     },
-    "windows-event_data-CommandLine": {
+    "winlog-provider_name": {
       "type": "alias",
-      "path": "CommandLine"
-    },
-    "windows-hostname": {
-      "type": "alias",
-      "path": "HostName"
-    },
-    "windows-message": {
-      "type": "alias",
-      "path": "Message"
-    },
-    "windows-provider-name": {
-      "type": "alias",
-      "path": "Provider_Name"
-    },
-    "windows-servicename": {
-      "type": "alias",
-      "path": "ServiceName"
+      "path": "winlog.provider_name"
     }
   }
 }
diff --git a/...gins/security-analytics-dashboards-plugin/integration_tests/index/add_dns_index_data.json b/...gins/security-analytics-dashboards-plugin/integration_tests/index/add_dns_index_data.json
@@ -1,5 +1,5 @@
 {
-  "DnsAnswerType": "QWE",
-  "DnsQuestionRegisteredDomain": "EC2AMAZ-EPWO7HKA",
-  "DnsQuestionName": "QWE"
+  "dns.answers.type": "AnswerType",
+  "dns.question.registered_domain": "EC2AMAZ-EPWO7HKA",
+  "dns.question.name": "QuestionName"
 }
diff --git a/.../security-analytics-dashboards-plugin/integration_tests/index/add_windows_index_data.json b/.../security-analytics-dashboards-plugin/integration_tests/index/add_windows_index_data.json
@@ -1,39 +1,3 @@
 {
-  "EventTime": "2020-02-04T14:59:39.343541+00:00",
-  "HostName": "EC2AMAZ-EPO7HKA",
-  "Keywords": "9223372036854775808",
-  "SeverityValue": 2,
-  "Severity": "ERROR",
-  "EventID": 2003,
-  "SourceName": "Microsoft-Windows-Sysmon",
-  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
-  "Version": 5,
-  "TaskValue": 22,
-  "OpcodeValue": 0,
-  "RecordNumber": 9532,
-  "ExecutionProcessID": 1996,
-  "ExecutionThreadID": 2616,
-  "Channel": "Microsoft-Windows-Sysmon/Operational",
-  "Domain": "NT AUTHORITY",
-  "AccountName": "SYSTEM",
-  "UserID": "S-1-5-18",
-  "AccountType": "User",
-  "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
-  "Category": "Dns query (rule: DnsQuery)",
-  "Opcode": "Info",
-  "UtcTime": "2020-02-04 14:59:38.349",
-  "ProcessGuid": "{b3c285a4-3cda-5dc0-0000-001077270b00}",
-  "ProcessId": "1904",
-  "QueryName": "EC2AMAZ-EPO7HKA",
-  "QueryStatus": "0",
-  "QueryResults": "172.31.46.38;",
-  "Image": "C:\\Program Files\\nxlog\\regsvr32.exe",
-  "EventReceivedTime": "2020-02-04T14:59:40.780905+00:00",
-  "SourceModuleName": "in",
-  "SourceModuleType": "im_msvistalog",
-  "CommandLine": "eachtest",
-  "Initiated": "true",
-  "Provider_Name": "Service_ws_Control_ws_Manager",
-  "TargetObject": "\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security",
-  "EventType": "SetValue"
+  "EventID": "2003"
 }
diff --git a/...ins/security-analytics-dashboards-plugin/integration_tests/index/create_dns_settings.json b/...ins/security-analytics-dashboards-plugin/integration_tests/index/create_dns_settings.json
@@ -1,13 +1,13 @@
 {
   "mappings": {
     "properties": {
-      "DnsAnswerType": {
+      "dns.answers.type": {
         "type": "text"
       },
-      "DnsQuestionRegisteredDomain": {
+      "dns.question.name": {
         "type": "text"
       },
-      "DnsQuestionName": {
+      "dns.question.registered_domain": {
         "type": "text"
       }
     }

diff --git a/...security-analytics-dashboards-plugin/integration_tests/index/create_windows_settings.json b/...security-analytics-dashboards-plugin/integration_tests/index/create_windows_settings.json
@@ -1,22 +1,10 @@
 {
   "mappings": {
     "properties": {
-      "CommandLine": {
-        "type": "text"
-      },
       "EventID": {
         "type": "integer"
       },
-      "HostName": {
-        "type": "text"
-      },
-      "Message": {
-        "type": "text"
-      },
-      "Provider_Name": {
-        "type": "text"
-      },
-      "ServiceName": {
+      "winlog.provider_name": {
         "type": "text"
       }
     }

diff --git a/...tegration_tests/rule/create_dns_rule.json → .../create_dns_rule_with_name_selection.json b/...tegration_tests/rule/create_dns_rule.json → .../create_dns_rule_with_name_selection.json
@@ -12,12 +12,12 @@
   ],
   "tags": [
     {
-      "value": "dns.low"
+      "value": "dns.high"
     }
   ],
   "log_source": "",
-  "detection": "selection:\n  query:\n    - QWE\n    - ASD\n    - YXC\ncondition: selection",
-  "level": "low",
+  "detection": "selection:\n  dns-question-name:\n    - QuestionName\ncondition: selection",
+  "level": "high",
   "false_positives": [
     {
       "value": ""

diff --git a/...alytics-dashboards-plugin/integration_tests/rule/create_dns_rule_with_type_selection.json b/...alytics-dashboards-plugin/integration_tests/rule/create_dns_rule_with_type_selection.json
@@ -0,0 +1,26 @@
+{
+  "id": "25b9c01c-350d-4b95-bed1-836d04a4f325",
+  "category": "dns",
+  "title": "Cypress DNS Type Rule",
+  "description": "Detects DNS type as QWE",
+  "status": "experimental",
+  "author": "Cypress Tests",
+  "references": [
+    {
+      "value": ""
+    }
+  ],
+  "tags": [
+    {
+      "value": "dns.high"
+    }
+  ],
+  "log_source": "",
+  "detection": "selection:\n  dns-answers-type:\n    - AnswerType\ncondition: selection",
+  "level": "high",
+  "false_positives": [
+    {
+      "value": ""
+    }
+  ]
+}
diff --git a/...gins/security-analytics-dashboards-plugin/integration_tests/rule/create_network_rule.json b/...gins/security-analytics-dashboards-plugin/integration_tests/rule/create_network_rule.json
@@ -12,12 +12,12 @@
   ],
   "tags": [
     {
-      "value": "network.low"
+      "value": "network.high"
     }
   ],
   "log_source": "",
   "detection": "selection:\n  keywords:\n    - erase\n    - delete\n    - YXC\ncondition: selection",
-  "level": "low",
+  "level": "high",
   "false_positives": [
     {
       "value": ""

diff --git a/.../security-analytics-dashboards-plugin/integration_tests/rule/create_windows_usb_rule.json b/.../security-analytics-dashboards-plugin/integration_tests/rule/create_windows_usb_rule.json
@@ -17,7 +17,7 @@
   ],
   "log_source": "",
   "detection": "selection:\n  EventID:\n    - 2003\n    - 2100\n    - 2102\ncondition: selection",
-  "level": "low",
+  "level": "high",
   "false_positives": [
     {
       "value": ""

diff --git a/...ecurity-analytics-dashboards-plugin/integration_tests/rule/sample_dns_field_mappings.json b/...ecurity-analytics-dashboards-plugin/integration_tests/rule/sample_dns_field_mappings.json
@@ -0,0 +1,5 @@
+{
+  "dns-question-registered_domain": "dns.question.registered_domain",
+  "dns-question-name": "dns.question.name",
+  "dns-answers-type": "dns.answers.type"
+}
diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_alias_mappings.json b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_alias_mappings.json
@@ -1,16 +1,8 @@
 {
   "properties": {
-    "source_ip": {
+    "winlog.event_id": {
       "type": "alias",
-      "path": "src_ip"
-    },
-    "windows-event_data-CommandLine": {
-      "path": "CommandLine",
-      "type": "alias"
-    },
-    "event_uid": {
-      "path": "EventID",
-      "type": "alias"
+      "path": "EventID"
     }
   }
 }
diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_detector.json b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_detector.json
@@ -20,26 +20,30 @@
             "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4"
           }
         ],
-        "custom_rules": []
+        "custom_rules": [
+          {
+            "id": ""
+          }
+        ]
       }
     }
   ],
   "triggers": [
     {
       "name": "sample_alert_condition",
-      "sev_levels": [],
+      "sev_levels": ["high"],
       "tags": [],
       "actions": [
         {
           "id": "",
           "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: sample_detector",
           "destination_id": "",
           "subject_template": {
-            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: sample_detector",
+            "source": "Triggered alert condition:  - Severity: 1 (Highest)  - Threat detector: sample_detector",
             "lang": "mustache"
           },
           "message_template": {
-            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: sample_detector\nDescription: Description for sample_detector.\nDetector data sources:\n\twindows",
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest) \nThreat detector: sample_detector\nDescription: Description for sample_detector.\nDetector data sources:\n\twindows",
             "lang": "mustache"
           },
           "throttle_enabled": false,
@@ -51,7 +55,7 @@
       ],
       "types": ["windows"],
       "severity": "4",
-      "ids": ["1a4bd6e3-4c6e-405d-a9a3-53a116e341d4"]
+      "ids": []
     }
   ]
 }
diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_dns_index_settings.json b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_dns_index_settings.json
@@ -0,0 +1,21 @@
+{
+  "mappings": {
+    "properties": {
+      "dns.question.name": {
+        "type": "text"
+      },
+      "dns.answers.type": {
+        "type": "text"
+      },
+      "dns.question.registered_domain": {
+        "type": "text"
+      }
+    }
+  },
+  "settings": {
+    "index": {
+      "number_of_shards": "1",
+      "number_of_replicas": "1"
+    }
+  }
+}
diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_document.json b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_document.json
@@ -1,39 +1,3 @@
 {
-  "EventTime": "2020-02-04T14:59:39.343541+00:00",
-  "HostName": "EC2AMAZ-EPO7HKA",
-  "Keywords": "9223372036854775808",
-  "SeverityValue": 2,
-  "Severity": "INFO",
-  "EventID": 2003,
-  "SourceName": "Microsoft-Windows-Sysmon",
-  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
-  "Version": 5,
-  "TaskValue": 22,
-  "OpcodeValue": 0,
-  "RecordNumber": 9532,
-  "ExecutionProcessID": 1996,
-  "ExecutionThreadID": 2616,
-  "Channel": "Microsoft-Windows-Sysmon/Operational",
-  "Domain": "NT AUTHORITY",
-  "AccountName": "SYSTEM",
-  "UserID": "S-1-5-18",
-  "AccountType": "User",
-  "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
-  "Category": "Dns query (rule: DnsQuery)",
-  "Opcode": "Info",
-  "UtcTime": "2020-02-04 14:59:38.349",
-  "ProcessGuid": "{b3c285a4-3cda-5dc0-0000-001077270b00}",
-  "ProcessId": "1904",
-  "QueryName": "EC2AMAZ-EPO7HKA",
-  "QueryStatus": "0",
-  "QueryResults": "172.31.46.38;",
-  "Image": "C:\\Program Files\\nxlog\\regsvr32.exe",
-  "EventReceivedTime": "2020-02-04T14:59:40.780905+00:00",
-  "SourceModuleName": "in",
-  "SourceModuleType": "im_msvistalog",
-  "CommandLine": "eachtest",
-  "Initiated": "true",
-  "Provider_Name": "Microsoft-Windows-Kernel-General",
-  "TargetObject": "\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security",
-  "EventType": "SetValue"
+  "EventID": 2003
 }