[Security] Add EQL rule test in CCS config (#112852)
cavokz authored Oct 4, 2021
1 parent 252278a commit 3d7e04b
Showing 5 changed files with 1,178 additions and 1 deletion.
@@ -0,0 +1,55 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { esArchiverCCSLoad } from '../../tasks/es_archiver';
import { getCCSEqlRule } from '../../objects/rule';

import { ALERT_DATA_GRID, NUMBER_OF_ALERTS } from '../../screens/alerts';

import {
filterByCustomRules,
goToRuleDetails,
waitForRulesTableToBeLoaded,
} from '../../tasks/alerts_detection_rules';
import { createSignalsIndex, createEventCorrelationRule } from '../../tasks/api_calls/rules';
import { cleanKibana } from '../../tasks/common';
import { waitForAlertsToPopulate, waitForTheRuleToBeExecuted } from '../../tasks/create_new_rule';
import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';

import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';

describe('Detection rules', function () {
const expectedNumberOfAlerts = '1 alert';

beforeEach('Reset signals index', function () {
cleanKibana();
createSignalsIndex();
});

it('EQL rule on remote indices generates alerts', function () {
esArchiverCCSLoad('linux_process');
this.rule = getCCSEqlRule();
createEventCorrelationRule(this.rule);

loginAndWaitForPageWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL);
waitForRulesTableToBeLoaded();
filterByCustomRules();
goToRuleDetails();
waitForTheRuleToBeExecuted();
waitForAlertsToPopulate();

cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
cy.get(ALERT_DATA_GRID)
.invoke('text')
.then((text) => {
cy.log('ALERT_DATA_GRID', text);
expect(text).contains(this.rule.name);
expect(text).contains(this.rule.severity.toLowerCase());
expect(text).contains(this.rule.riskScore);
});
});
});
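Review bot: The closing assertion `expect(text).contains(this.rule.riskScore)` runs against the concatenated text of the whole data grid, so the substring `17` is satisfied by a timestamp or any other number in the row and does not actually pin the risk-score cell; `contains(this.rule.severity.toLowerCase())` has the same weakness with `high`. Asserting on the specific cells the alerts screen exposes, or on each row's text rather than the grid as a whole, would make the check meaningful. The spec also depends on a cross-cluster-search environment — the rule's index pattern is built from `ccsRemoteName` and the archive is loaded through `esArchiverCCSLoad`, which presumably targets the remote cluster — but nothing in the file says so; a header comment such as `// Requires the CCS Cypress config: the rule's index pattern targets the remote cluster alias, so this is expected to produce no alerts on a single-cluster setup.` would save the next reader a failed run. The spec's file path is not shown on this page.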
23 changes: 23 additions & 0 deletions x-pack/plugins/security_solution/cypress/objects/rule.ts
Expand Up @@ -72,6 +72,10 @@ export interface OverrideRule extends CustomRule {
timestampOverride: string;
}

export interface EventCorrelationRule extends CustomRule {
language: string;
}

export interface ThreatIndicatorRule extends CustomRule {
indicatorIndexPattern: string[];
indicatorMappingField: string;
Expand Down Expand Up @@ -326,6 +330,25 @@ export const getEqlRule = (): CustomRule => ({
maxSignals: 100,
});

export const getCCSEqlRule = (): EventCorrelationRule => ({
customQuery: 'any where process.name == "run-parts"',
name: 'New EQL Rule',
index: [`${ccsRemoteName}:run-parts`],
description: 'New EQL rule description.',
severity: 'High',
riskScore: '17',
tags: ['test', 'newRule'],
referenceUrls: ['http://example.com/', 'https://example.com/'],
falsePositivesExamples: ['False1', 'False2'],
mitre: [getMitre1(), getMitre2()],
note: '# test markdown',
runsEvery: getRunsEvery(),
lookBack: getLookBack(),
timeline: getTimeline(),
maxSignals: 100,
language: 'eql',
});

export const getEqlSequenceRule = (): CustomRule => ({
customQuery:
'sequence with maxspan=30s\
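Review bot: `EventCorrelationRule.language` is declared as a plain `string`, yet the only fixture in this commit sets it to `'eql'` and `createEventCorrelationRule` in tasks/api_calls/rules.ts hard-codes `language: 'eql'` without reading the field, so the type is wider than the API accepts and the value is never consumed. Narrowing it to the literal, `language: 'eql';`, makes a mistyped fixture fail at compile time instead of creating a rule that silently targets a different query language. `getCCSEqlRule` reuses the display name `'New EQL Rule'` of the existing `getEqlRule` fixture; that is harmless for an isolated spec, but a one-line comment such as `// Same rule as getEqlRule but targeting the remote cluster via ccsRemoteName` would make the intent clear, since `ccsRemoteName` is declared outside this hunk.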
Expand Up @@ -5,7 +5,7 @@
* 2.0.
*/

import { CustomRule, ThreatIndicatorRule } from '../../objects/rule';
import { CustomRule, EventCorrelationRule, ThreatIndicatorRule } from '../../objects/rule';

export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', interval = '100m') =>
cy.request({
Expand All @@ -29,6 +29,27 @@ export const createCustomRule = (rule: CustomRule, ruleId = 'rule_testing', inte
failOnStatusCode: false,
});

export const createEventCorrelationRule = (rule: EventCorrelationRule, ruleId = 'rule_testing') =>
cy.request({
method: 'POST',
url: 'api/detection_engine/rules',
body: {
rule_id: ruleId,
risk_score: parseInt(rule.riskScore, 10),
description: rule.description,
interval: `${rule.runsEvery.interval}${rule.runsEvery.type}`,
from: `now-${rule.lookBack.interval}${rule.lookBack.type}`,
name: rule.name,
severity: rule.severity.toLocaleLowerCase(),
type: 'eql',
index: rule.index,
query: rule.customQuery,
language: 'eql',
enabled: true,
},
headers: { 'kbn-xsrf': 'cypress-creds' },
});

export const createCustomIndicatorRule = (rule: ThreatIndicatorRule, ruleId = 'rule_testing') =>
cy.request({
method: 'POST',
Expand Down Expand Up @@ -107,6 +128,14 @@ export const deleteCustomRule = (ruleId = '1') => {
});
};

export const createSignalsIndex = () => {
cy.request({
method: 'POST',
url: 'api/detection_engine/index',
headers: { 'kbn-xsrf': 'cypress-creds' },
});
};

export const removeSignalsIndex = () => {
cy.request({ url: '/api/detection_engine/index', failOnStatusCode: false }).then((response) => {
if (response.status === 200) {
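Review bot: `createEventCorrelationRule` ignores `rule.language` and hard-codes `language: 'eql'`, and it lowercases severity with `toLocaleLowerCase()`, which is locale-dependent (Turkish `I`, for one) and differs from the `toLowerCase()` the spec uses to compare the rendered alert; for an enum value sent to the detection-engine API, `severity: rule.severity.toLowerCase(),` and `language: rule.language,` are what the fixture actually declares. Unlike `createCustomRule`, which takes an `interval` parameter and sets `failOnStatusCode: false`, this helper derives the interval from `rule.runsEvery` and lets a non-2xx response fail the test; failing fast is the better behaviour for a helper the UI steps depend on, but a short comment stating the deliberate difference would stop someone "fixing" it for consistency. `createSignalsIndex` likewise has no `failOnStatusCode: false`; if the index endpoint returns a non-2xx status when the signals index already exists (not verifiable from this page), the `beforeEach` will fail whenever `cleanKibana` leaves the index in place, so either document that assumption or tolerate that status explicitly.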
@@ -0,0 +1,135 @@
{
"type": "doc",
"value": {
"id": "qxnqn3sBBf0WZxoXk7tg",
"index": "run-parts",
"source": {
"@timestamp": "2021-09-01T05:52:29.9451497Z",
"agent": {
"id": "cda623db-f791-4869-a63d-5b8352dfaa56",
"type": "endpoint",
"version": "7.14.0"
},
"data_stream": {
"dataset": "endpoint.events.process",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "1.6.0"
},
"elastic": {
"agent": {
"id": "cda623db-f791-4869-a63d-5b8352dfaa56"
}
},
"event": {
"action": "exec",
"agent_id_status": "verified",
"category": [
"process"
],
"created": "2021-09-01T05:52:29.9451497Z",
"dataset": "endpoint.events.process",
"id": "MGwI0NpfzFKkX6gW+++++CVd",
"ingested": "2021-09-01T05:52:35.677424686Z",
"kind": "event",
"module": "endpoint",
"sequence": 3523,
"type": [
"start"
]
},
"group": {
"Ext": {
"real": {
"id": 0,
"name": "root"
}
},
"id": 0,
"name": "root"
},
"host": {
"architecture": "x86_64",
"hostname": "localhost",
"id": "f5c59e5f0c963f828782bc413653d324",
"ip": [
"127.0.0.1",
"::1"
],
"mac": [
"00:16:3e:10:96:79"
],
"name": "localhost",
"os": {
"Ext": {
"variant": "Debian"
},
"family": "debian",
"full": "Debian 10",
"kernel": "4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18)",
"name": "Linux",
"platform": "debian",
"version": "10"
}
},
"message": "Endpoint process event",
"process": {
"Ext": {
"ancestry": [
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTM2Njk1MDAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTMwNzYyMTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDktMTMyNzQ5NDkxNDkuOTI4OTI0ODAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDktMTMyNzQ5NDkxNDkuOTI3NDgwMzAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDEtMTMyNzQ5NDkxNDYuNTI3ODA5NTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNDEtMTMyNzQ5NDkxNDYuNTIzNzEzOTAw",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTczOC0xMzI3NDk0ODg3OS4yNzgyMjQwMDA=",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTczOC0xMzI3NDk0ODg3OS4yNTQ1MTUzMDA=",
"Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEtMTMyNzQ5NDg4NjkuMA=="
]
},
"args": [
"run-parts",
"--lsbsysinit",
"/etc/update-motd.d"
],
"args_count": 3,
"command_line": "run-parts --lsbsysinit /etc/update-motd.d",
"entity_id": "Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTQ1MTQ5NzAw",
"executable": "/usr/bin/run-parts",
"hash": {
"md5": "c83b0578484bf5267893d795b55928bd",
"sha1": "46b6e74e28e5daf69c1dd0f18a8e911ae2922dda",
"sha256": "3346b4d47c637a8c02cb6865eee42d2a5aa9c4e46c6371a9143621348d27420f"
},
"name": "run-parts",
"parent": {
"args": [
"sh",
"-c",
"/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"
],
"args_count": 0,
"command_line": "sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new",
"entity_id": "Y2ZhNjk5ZGItYzI5My00ODY5LWI2OGMtNWI4MzE0ZGZhYTU2LTEzNTAtMTMyNzQ5NDkxNDkuOTM2Njk1MDAw",
"executable": "/",
"name": "",
"pid": 1349
},
"pid": 1350
},
"user": {
"Ext": {
"real": {
"id": 0,
"name": "root"
}
},
"id": 0,
"name": "root"
}
},
"type": "_doc"
}
}
