diff --git a/testing/tests/api_tests/data_insertion_tests/fixtures/powershellnetworkconnections.json b/testing/tests/api_tests/data_insertion_tests/fixtures/powershellnetworkconnections.json
new file mode 100644
index 00000000..3db936d0
--- /dev/null
+++ b/testing/tests/api_tests/data_insertion_tests/fixtures/powershellnetworkconnections.json
@@ -0,0 +1,56 @@
+{
+ "winlog": {
+ "computer_name": "C2.lme.local",
+ "event_id" : "3",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "user": {
+ "name": "APItestuserid",
+ "domain": "test"
+ },
+ "event_data": {
+ "LogonType": "2",
+ "SubjectUserName": "-",
+ "FailureReason": "%%2313",
+ "SubjectDomainName": "-",
+ "IpAddress": "194.169.175.22",
+ "TargetUserName": "solidart",
+ "LogonProcessName": "NtLmSsp ",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetUserSid": "S-1-0-0",
+ "AuthenticationPackageName": "NTLM"
+ },
+ "@timestamp": "2024-06-12T09:50:18.252Z",
+ "host": {
+ "name": "C2.lme.local"
+ }
+ },
+ "process": {
+ "parent": {
+ "name": "powershell.exe",
+ "executable": "powershell.exe",
+ "args": "test"
+ },
+ "command_line": "invoke",
+ "executable" : "powershell.exe",
+ "args" : "test"
+ },
+ "event": {
+ "code": "4624",
+ "provider": "Microsoft-Windows-Sysmon",
+ "action": "Logon",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "APItestuserid",
+ "domain": "test"
+ },
+ "host": {
+ "name": "C2.lme.local"
+ },
+ "destination": {
+ "domain": "newtestdomain",
+ "ip" : "1.2.3.4"
+ }
+ }
\ No newline at end of file
diff --git a/testing/tests/api_tests/data_insertion_tests/queries/filter_powershellnetworkconnections.json b/testing/tests/api_tests/data_insertion_tests/queries/filter_powershellnetworkconnections.json
new file mode 100644
index 00000000..b36180d7
--- /dev/null
+++ b/testing/tests/api_tests/data_insertion_tests/queries/filter_powershellnetworkconnections.json
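Review bot: The fixture mixes a Sysmon network-connection event (winlog.event_id "3", event.provider "Microsoft-Windows-Sysmon") with Security-log logon fields (event.code "4624", event.action "Logon", and LogonType/FailureReason/AuthenticationPackageName under winlog.event_data), so it does not resemble the Event ID 3 records the "Powershell network connections" panel is meant to show and looks copied from a failed-logon fixture. The test passes only because the filter keys on winlog.event_id, process.parent.name and event.provider, so a regression in how the fields a real Event ID 3 record carries (destination.ip, process.name, winlog.event_data.OriginalFileName) are indexed would go unnoticed. Consider setting event.code to "3", dropping the logon-specific event_data keys, and adding process.name so the fixture exercises the same clauses a real record would. Note also that this fixture's @timestamp is 2024-06-12 while the query's range filter is pinned to 2024-08-20; presumably insert_winlog_data rewrites one of them, but that is not visible in this diff.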
@@ -0,0 +1,145 @@
+{
+ "aggs": {
+ "2": {
+ "terms": {
+ "field": "user.name",
+ "order": {
+ "_count": "desc"
+ },
+ "size": 12000
+ }
+ }
+ },
+ "script_fields": {},
+ "stored_fields": [
+ "*"
+ ],
+ "runtime_mappings": {
+ "day_of_week": {
+ "type": "long",
+ "script": {
+ "source": "emit(doc['@timestamp'].value.dayOfWeekEnum.getValue())"
+ }
+ },
+ "hour_of_day": {
+ "type": "long",
+ "script": {
+ "source": "emit (doc['@timestamp'].value.getHour())"
+ }
+ }
+ },
+ "_source": false,
+ "query": {
+ "bool": {
+ "must": [],
+ "filter": [
+ {
+ "bool": {
+ "filter": [
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "winlog.event_id": {
+ "value": "3"
+ }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "process.parent.name": {
+ "value": "powershell.exe"
+ }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "process.name": {
+ "value": "powershell.exe"
+ }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "winlog.event_data.OriginalFileName": {
+ "value": "PowerShell.EXE"
+ }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ },
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "event.provider": {
+ "value": "Microsoft-Windows-Sysmon"
+ }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ }
+ ]
+ }
+ },
+ {
+ "range": {
+ "@timestamp": {
+ "format": "strict_date_optional_time",
+ "gte": "2024-08-20T13:51:47.624Z",
+ "lte": "2024-08-20T14:06:47.624Z"
+ }
+ }
+ }
+ ],
+ "should": [],
+ "must_not": []
+ }
+ },
+ "highlight": {
+ "pre_tags": [
+ "@kibana-highlighted-field@"
+ ],
+ "post_tags": [
+ "@/kibana-highlighted-field@"
+ ],
+ "fields": {
+ "*": {}
+ },
+ "fragment_size": 2147483647
+ }
+}
\ No newline at end of file
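Review bot: The range filter pins the query to a fixed fifteen-minute window ("gte": "2024-08-20T13:51:47.624Z" to "lte": "2024-08-20T14:06:47.624Z") that the fixture's @timestamp of 2024-06-12 does not fall in, so unless insert_winlog_data rewrites the range or the document timestamp the terms aggregation returns no buckets and the test dies on an index error instead of the assertion. If the helper does rewrite it, say so in the test module, since a reader comparing the two new JSON files cannot tell the window is a placeholder. The hour_of_day script reads `emit (doc['@timestamp'].value.getHour())` with a stray space where day_of_week has `emit(`; likely harmless to the Painless parser but inconsistent, and since the test asserts only on the user.name aggregation, the runtime_mappings and highlight sections appear to be Kibana export residue that could be trimmed from a filter fixture.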
diff --git a/testing/tests/api_tests/data_insertion_tests/test_server.py b/testing/tests/api_tests/data_insertion_tests/test_server.py
index 7e4bf061..72539be6 100644
--- a/testing/tests/api_tests/data_insertion_tests/test_server.py
+++ b/testing/tests/api_tests/data_insertion_tests/test_server.py
@@ -72,6 +72,13 @@ def test_createRemoteThread(es_host, es_port, username, password):
 second_response_loaded=insert_winlog_data(es_host, es_port, username, password, 'filter_createRemoteThreads.json', 'createRemoteThreads.json', 1)
 # Check to make sure the data was inserted
- assert 1==1
 assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'testsource')
+
+def test_powershellNetworkConnections(es_host, es_port, username, password):
+
+ second_response_loaded=insert_winlog_data(es_host, es_port, username, password, 'filter_powershellnetworkconnections.json', 'powershellnetworkconnections.json', 1)
+
+ # Check to make sure the data was inserted
+ assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'APItestuserid')
+
diff --git a/testing/tests/selenium_tests/cluster/test_user_security_dashboard.py b/testing/tests/selenium_tests/cluster/test_user_security_dashboard.py
index d02e1f5a..e4cf1210 100644
--- a/testing/tests/selenium_tests/cluster/test_user_security_dashboard.py
+++ b/testing/tests/selenium_tests/cluster/test_user_security_dashboard.py
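Review bot: `second_response_loaded['aggregations']['2']['buckets'][0]` in the new test_powershellNetworkConnections raises IndexError when the filter matches nothing, so a failed insertion or a non-matching query surfaces as a crash rather than the check the comment promises. Bind the bucket list and assert it is non-empty first: `buckets = second_response_loaded['aggregations']['2']['buckets']`, `assert buckets, 'no documents matched filter_powershellnetworkconnections.json'`, `assert buckets[0]['key'] == 'APItestuserid'`. The same pattern is visible in the context lines of test_createRemoteThread, whose definition begins outside the hunk. The camelCase name and the `assert(...)` form match the existing tests, which is fine for consistency, but be aware the parenthesized form silently becomes an always-true tuple the moment someone adds a message after a comma.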
@@ -112,10 +112,10 @@ def test_potentially_suspicious_powershell(self, setup_login, kibana_url, timeou
 driver = setup_login
 dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Potentially suspicious powershell", ".euiDataGrid",".euiDataGrid__noResults")
- @pytest.mark.skip(reason="Skipping this test")
+ #@pytest.mark.skip(reason="Skipping this test")
 def test_powershell_network_connections(self, setup_login, kibana_url, timeout):
 driver = setup_login
- dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Powershell network connections", ".needarealvaluehere",".euiDataGrid__noResults")
+ dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Powershell network connections", ".euiDataGrid",".euiDataGrid__noResults")
 def test_security_files_title(self, setup_login, kibana_url, timeout):
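Review bot: The skip marker is commented out (`#@pytest.mark.skip(reason="Skipping this test")`) rather than removed, leaving dead code directly above test_powershell_network_connections; delete the line, since git history already preserves it and a commented-out decorator invites someone to re-enable it by accident without a reason. If a toggle is genuinely wanted, `@pytest.mark.skipif(<CONDITION>, reason="...")` with a real condition is the explicit form. The selector change from ".needarealvaluehere" to ".euiDataGrid" matches the neighbouring test_potentially_suspicious_powershell, which is good. The enclosing test class starts outside the hunk.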