[Security Solution] Coverage overview test plan #165530

Merged
merged 8 commits into from
Sep 28, 2023
@@ -0,0 +1,176 @@
# Coverage Overview Dashboard

This is a test plan for the Mitre Att&ck coverage overview dashboard
nit: Instead of giving an explanation sentence here, it could just be part of the header, so the header would look like: Coverage Overview (Mitre Att&ck) Dashboard Test Plan


Status: `in progress`. The current test plan matches `Milestone 1 - MVP` of the [Protections/Detections Coverage Overview Page](https://github.com/elastic/security-team/issues/2905) epic. The plan will be built upon further as more feature are added in later milestones.

## Useful information

### Tickets

- [Protections/Detections Coverage Overview Page](https://github.com/elastic/security-team/issues/2905) epic
- [Add test coverage for Protections/Detections Coverage Overview](https://github.com/elastic/kibana/issues/162250)
- [Write a test plan for Protections/Detections Coverage Overview](https://github.com/elastic/kibana/issues/162248)

### Terminology

- **MITRE ATT&CK**: The [3rd party framework](https://attack.mitre.org/) the dashboard is built upon. It is a knowledge base of attack tactics and techniques adversaries use in real world applications.

- **Tactic**: A generalized category or process that adversaries use to attack a system. Envelops many relevant Mitre Att&ck techniques

- **Technique**: A specific technique adversaries use to attack a system. Can belong to one or more different Mitre Tactics and can potentially contain one or more sub-techniques further describing the process.

- **Rule Activity**: The filter type defining rule status, current options are `enabled` and `disabled`.

- **Rule Source**: The filter type defining rule type, current options are `prebuilt`(from elastic prebuilt rules package) and `custom`(created by user)

-**Initial filter state**: The filters present on initial page load. Rule activity will be set to `enabled`, rule source will be set to `prebuilt` and `custom` simultaneously.

-**Dashboard containing the rule data**: The normal render of the coverage overview dashboard. Any returned rule data mapped correctly to the tile layout of all the MITRE data in a colored grid

### Assumptions

- Currently all scenarios below only apply to rules that have correctly mapped `threat` fields (unmapped fields or `threat` fields that don't contain current versioned Mitre Att&ck data will not be displayed in the dashboard)
- The feature is available under the Basic license
- "Rules" will be referring to Security rules only (unless stated otherwise)
- Page always loads with initial filter state

### Non-functional requirements

- Number of rules needs to be under 10k due to [an issue](https://github.com/elastic/kibana/issues/160698)

## Scenarios

### Coverage overview workflow: base cases

#### **Scenario: No rules installed**

**Automation**: 1 e2e test + 1 unit test + 1 integration test.

```Gherkin
Given no rules installed/created
When user navigates to Coverage Overview page
Then an empty grid of all Mitre tactics and techniques is displayed
```

#### **Scenario: Rules installed**

**Automation**: 1 e2e test + 2 integration test

```Gherkin
Given prebuilt rules installed and/or custom rules created
And rules enabled
When user navigates to Coverage Overview page
Then page should render all rule data in grid
And color tiles according to filters and dashboard legend

CASE: Test case should work with non-security rules both present and not present in system
```

#### **Scenario: User clicks on tile**

**Automation**: 1 e2e test + 1 unit test.

```Gherkin
Given prebuilt rules installed and/or custom rules created
And rules enabled
When user navigates to Coverage Overview page
And clicks on technique tile with non zero rules
Then the popover should display the same number of rule names under their corresponding rule activity section
And each name should link to its own rule details page
```

### Coverage overview workflow: filters

#### **Scenario: No filters are present**

**Automation**: 1 integration test.

```Gherkin
Given coverage overview page is loaded with rule data
When no filters or search term are present
Then the dashboard is rendered according to the rule data
```

#### **Scenario: Users enables filters**

**Automation**: integration tests + e2e tests.

```Gherkin
Given coverage overview page is loaded with rule data
When filter(s) is/are enabled
Then all filtered rule data is fetched and dashboard containing the rule data is rendered

CASE: Filtering should work for all permutations of activity and source filters

Examples:
| type |
| enabled |
| disabled |
| prebuilt |
| custom |
| enabled and disabled |
| prebuilt and custom |
| all |
```

#### **Scenario: Search term filter present**

**Automation**: 1 integration test + 1 e2e test.

```Gherkin
Given coverage overview page is loaded with rule data
When search term filter is present in search box
And user submits the search
Then only search-filtered rule data is fetched and rendered
```

### Coverage overview workflow: rule enabling

#### **Scenario: User can't enable all rules when no disabled rules**

**Automation**: 1 unit test.

```Gherkin
Given coverage overview page is loaded with rule data
When user clicks on a technique tile with no disabled rules
Then "enable all disabled" button should be disabled
```

#### **Scenario: User enables all rules for technique**

**Automation**: 1 e2e test.

```Gherkin
Given coverage overview page is loaded with rule data
When user clicks on a technique tile with X disabled rules
And clicks "enable all disabled" button
Then all X disabled rules hould be enabled
And user should see success toast message for X rules enabled
And page should update data
```

#### **Scenario: User can't enable rules when they don't have CRUD privileges**

**Automation**: 1 unit test.

```Gherkin
Given coverage overview page is loaded with rule data
And user that doesn't have CRUD permissions
When user clicks on a technique tile with disabled rules
Then "enable all disabled" button should be disabled
```

### Error handling

#### **Scenario: Error is handled when API error is returned**

**Automation**: 2 e2e test.

```Gherkin
Given a user navigates to coverage overview page
And any error is returned from coverage overview API
Then error is handled and displayed via a toast

CASE: Should work for valid and invalid API body
```