Adding tests for dns pipeline in the endpoint package
jonathan-buttner committed Oct 1, 2020
1 parent 4fe7625 commit e841c0e
Showing 3 changed files with 52 additions and 1 deletion.
Expand Up @@ -718,7 +718,10 @@ export type SafeEndpointEvent = Partial<{
forwarded_ip: ECSField<string>;
}>;
dns: Partial<{
question: Partial<{ name: ECSField<string> }>;
question: Partial<{
name: ECSField<string>;
type: ECSField<string>;
}>;
}>;
process: Partial<{
entity_id: ECSField<string>;
Binary file not shown.
48 changes: 48 additions & 0 deletions x-pack/test/security_solution_endpoint_api_int/apis/package.ts
Expand Up @@ -5,13 +5,18 @@
*/
import expect from '@kbn/expect';
import { SearchResponse } from 'elasticsearch';
import {
ResolverPaginatedEvents,
SafeEndpointEvent,
} from '../../../plugins/security_solution/common/endpoint/types';
import { eventsIndexPattern } from '../../../plugins/security_solution/common/endpoint/constants';
import {
EndpointDocGenerator,
Event,
} from '../../../plugins/security_solution/common/endpoint/generate_data';
import { FtrProviderContext } from '../ftr_provider_context';
import { InsertedEvents, processEventsIndex } from '../services/resolver';
import { deleteEventsStream } from './data_stream_helper';

interface EventIngested {
event: {
Expand All @@ -35,6 +40,8 @@ interface NetworkEvent {
const networkIndex = 'logs-endpoint.events.network-default';

export default function ({ getService }: FtrProviderContext) {
const esArchiver = getService('esArchiver');
const supertest = getService('supertest');
const resolver = getService('resolverGenerator');
const es = getService('es');
const generator = new EndpointDocGenerator('data');
Expand All @@ -59,6 +66,47 @@ export default function ({ getService }: FtrProviderContext) {
};

describe('Endpoint package', () => {
describe('dns processor', () => {
before(async () => {
await esArchiver.load('endpoint/pipeline/dns', { useCreate: true });
});

after(async () => {
await deleteEventsStream(getService);
});

it('does not set dns.question.type if it is already populated', async () => {
// this id comes from the es archive file endpoint/pipeline/dns
const id = 'LrLSOVHVsFY94TAi++++++eF';
const { body }: { body: ResolverPaginatedEvents } = await supertest
.post(`/api/endpoint/resolver/events?limit=1`)
.set('kbn-xsrf', 'xxx')
.send({
filter: `event.id:"${id}"`,
})
.expect(200);
expect(body.events.length).to.eql(1);
expect((body.events[0] as SafeEndpointEvent).dns?.question?.name).to.eql('www.google.com');
expect((body.events[0] as SafeEndpointEvent).dns?.question?.type).to.eql('INVALID_VALUE');
});

it('sets dns.question.type if it is not populated', async () => {
// this id comes from the es archive file endpoint/pipeline/dns
const id = 'LrLSOVHVsFY94TAi++++++eP';
const { body }: { body: ResolverPaginatedEvents } = await supertest
.post(`/api/endpoint/resolver/events?limit=1`)
.set('kbn-xsrf', 'xxx')
.send({
filter: `event.id:"${id}"`,
})
.expect(200);
expect(body.events.length).to.eql(1);
expect((body.events[0] as SafeEndpointEvent).dns?.question?.name).to.eql('www.aol.com');
// This value is parsed out of the message field in the event. type 28 = AAAA
expect((body.events[0] as SafeEndpointEvent).dns?.question?.type).to.eql('AAAA');
});
});

describe('ingested processor', () => {
let event: Event;
let genData: InsertedEvents;
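Review bot: The request-and-assert sequence on lines 75–83 is repeated almost verbatim on lines 90–98, differing only in the event id and the expected `name`/`type` values, and each copy re-applies the `as SafeEndpointEvent` cast on `body.events[0]`. A small async helper inside the `dns processor` describe would hold the `limit=1` query, the `expect(200)`, the length check and the cast in one place, so a third pipeline case later is a three-line test rather than another copy. The `after` hook tears down with `deleteEventsStream(getService)` instead of an `esArchiver.unload`; that is presumably deliberate because the archive is loaded with `useCreate` into a data stream, but a one-line comment saying so would save the next reader the question. The enclosing `export default function` and the outer `describe('Endpoint package')` start and end outside the hunk.
```typescript
describe('dns processor', () => {
  // … unchanged: before/after hooks …

  // Fetch the single resolver event matching `id` and return it typed for the dns assertions.
  const fetchEventById = async (id: string): Promise<SafeEndpointEvent> => {
    const { body }: { body: ResolverPaginatedEvents } = await supertest
      .post(`/api/endpoint/resolver/events?limit=1`)
      .set('kbn-xsrf', 'xxx')
      .send({ filter: `event.id:"${id}"` })
      .expect(200);
    expect(body.events.length).to.eql(1);
    return body.events[0] as SafeEndpointEvent;
  };

  it('does not set dns.question.type if it is already populated', async () => {
    // this id comes from the es archive file endpoint/pipeline/dns
    const event = await fetchEventById('LrLSOVHVsFY94TAi++++++eF');
    expect(event.dns?.question?.name).to.eql('www.google.com');
    expect(event.dns?.question?.type).to.eql('INVALID_VALUE');
  });

  it('sets dns.question.type if it is not populated', async () => {
    // this id comes from the es archive file endpoint/pipeline/dns
    const event = await fetchEventById('LrLSOVHVsFY94TAi++++++eP');
    expect(event.dns?.question?.name).to.eql('www.aol.com');
    // This value is parsed out of the message field in the event. type 28 = AAAA
    expect(event.dns?.question?.type).to.eql('AAAA');
  });
});
```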
