From 824c874d7919a4f9940a0da87589ba005ff1196d Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Mon, 25 Mar 2024 12:20:36 -0700 Subject: [PATCH 1/4] moving tests into basic license, skipping where not needed to run in mki --- .buildkite/ftr_configs.yml | 24 +- .../package.json | 70 ++--- .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../date.ts | 0 .../double.ts | 0 .../float.ts | 0 .../index.ts | 0 .../integer.ts | 0 .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../index.ts | 0 .../ip.ts | 0 .../ip_array.ts | 0 .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../index.ts | 0 .../keyword.ts | 0 .../keyword_array.ts | 0 .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../index.ts | 0 .../long.ts | 0 .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../index.ts | 0 .../text.ts | 0 .../text_array.ts | 0 .../add_edit_comments_ess.ts} | 2 +- .../add_edit_comments_serverless.ts | 251 ++++++++++++++++++ .../configs/ess.config.ts | 4 +- .../configs/serverless.config.ts | 4 +- .../create_endpoint_exceptions.ts | 3 +- .../create_rule_exceptions.ts | 64 +---- .../create_rule_exceptions_ess.ts | 106 ++++++++ .../exceptions_data_integrity.ts} | 3 +- .../find_rule_exception_references.ts | 3 +- .../index.ts | 10 +- .../role_based_rule_exceptions_workflows.ts | 0 39 files changed, 444 insertions(+), 140 deletions(-) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (91%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (83%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/date.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/double.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/float.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/{trial_license_complete_tier => basic_license_essentials_tier}/integer.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (93%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (85%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/{trial_license_complete_tier => basic_license_essentials_tier}/ip.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/{trial_license_complete_tier => basic_license_essentials_tier}/ip_array.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (92%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (84%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/{trial_license_complete_tier => basic_license_essentials_tier}/keyword.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/{trial_license_complete_tier => basic_license_essentials_tier}/keyword_array.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (92%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (85%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/{trial_license_complete_tier => basic_license_essentials_tier}/long.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (92%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (85%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/{trial_license_complete_tier => basic_license_essentials_tier}/text.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/{trial_license_complete_tier => basic_license_essentials_tier}/text_array.ts (100%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier/role_based_add_edit_comments.ts => basic_license_essentials_tier/add_edit_comments_ess.ts} (99%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/configs/ess.config.ts (94%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/configs/serverless.config.ts (87%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/create_endpoint_exceptions.ts (99%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/create_rule_exceptions.ts (78%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier/rule_exception_synchronizations.ts => basic_license_essentials_tier/exceptions_data_integrity.ts} (96%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/find_rule_exception_references.ts (97%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/index.ts (67%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/{trial_license_complete_tier => basic_license_essentials_tier}/role_based_rule_exceptions_workflows.ts (100%) diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index 43bee5ba27a7d..425185d705cc4 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml @@ -474,18 +474,18 @@ enabled: - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/serverless.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/ess.config.ts - - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/serverless.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_creation/basic_license_essentials_tier/configs/ess.config.ts diff --git a/x-pack/test/security_solution_api_integration/package.json b/x-pack/test/security_solution_api_integration/package.json index 270927876dc14..c716c47ec7c33 100644 --- a/x-pack/test/security_solution_api_integration/package.json +++ b/x-pack/test/security_solution_api_integration/package.json @@ -74,41 +74,41 @@ "telemetry:server:ess": "npm run initialize-server:dr telemetry ess", "telemetry:runner:ess": "npm run run-tests:dr telemetry ess essEnv", - "exception_workflows:server:serverless": "npm run initialize-server:de exceptions/workflows serverless", - "exception_workflows:runner:serverless": "npm run run-tests:de exceptions/workflows serverless serverlessEnv", - "exception_workflows:qa:serverless": "npm run run-tests:de exceptions/workflows serverless qaEnv", - "exception_workflows:server:ess": "npm run initialize-server:de exceptions/workflows ess", - "exception_workflows:runner:ess": "npm run run-tests:de exceptions/workflows ess essEnv", - - "exception_operators_date_numeric_types:server:serverless": "npm run initialize-server:de exceptions/operators_data_types/date_numeric_types serverless", - "exception_operators_date_numeric_types:runner:serverless": "npm run run-tests:de exceptions/operators_data_types/date_numeric_types serverless serverlessEnv", - "exception_operators_date_numeric_types:qa:serverless": "npm run run-tests:de exceptions/operators_data_types/date_numeric_types serverless qaEnv", - "exception_operators_date_numeric_types:server:ess": "npm run initialize-server:de exceptions/operators_data_types/date_numeric_types ess", - "exception_operators_date_numeric_types:runner:ess": "npm run run-tests:de exceptions/operators_data_types/date_numeric_types ess essEnv", - - "exception_operators_keyword:server:serverless": "npm run initialize-server:de exceptions/operators_data_types/keyword serverless", - "exception_operators_keyword:runner:serverless": "npm run run-tests:de exceptions/operators_data_types/keyword serverless serverlessEnv", - "exception_operators_keyword:qa:serverless": "npm run run-tests:de exceptions/operators_data_types/keyword serverless qaEnv", - "exception_operators_keyword:server:ess": "npm run initialize-server:de exceptions/operators_data_types/keyword ess", - "exception_operators_keyword:runner:ess": "npm run run-tests:de exceptions/operators_data_types/keyword ess essEnv", - - "exception_operators_ips:server:serverless": "npm run initialize-server:de exceptions/operators_data_types/ips serverless", - "exception_operators_ips:runner:serverless": "npm run run-tests:de exceptions/operators_data_types/ips serverless serverlessEnv", - "exception_operators_ips:qa:serverless": "npm run run-tests:de exceptions/operators_data_types/ips serverless qaEnv", - "exception_operators_ips:server:ess": "npm run initialize-server:de exceptions/operators_data_types/ips ess", - "exception_operators_ips:runner:ess": "npm run run-tests:de exceptions/operators_data_types/ips ess essEnv", - - "exception_operators_long:server:serverless": "npm run initialize-server:de exceptions/operators_data_types/long serverless", - "exception_operators_long:runner:serverless": "npm run run-tests:de exceptions/operators_data_types/long serverless serverlessEnv", - "exception_operators_long:qa:serverless": "npm run run-tests:de exceptions/operators_data_types/long serverless qaEnv", - "exception_operators_long:server:ess": "npm run initialize-server:de exceptions/operators_data_types/long ess", - "exception_operators_long:runner:ess": "npm run run-tests:de exceptions/operators_data_types/long ess essEnv", - - "exception_operators_text:server:serverless": "npm run initialize-server:de exceptions/operators_data_types/text serverless", - "exception_operators_text:runner:serverless": "npm run run-tests:de exceptions/operators_data_types/text serverless serverlessEnv", - "exception_operators_text:qa:serverless": "npm run run-tests:de exceptions/operators_data_types/text serverless qaEnv", - "exception_operators_text:server:ess": "npm run initialize-server:de exceptions/operators_data_types/text ess", - "exception_operators_text:runner:ess": "npm run run-tests:de exceptions/operators_data_types/text ess essEnv", + "exception_workflows:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/workflows serverless", + "exception_workflows:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/workflows serverless serverlessEnv", + "exception_workflows:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/workflows serverless qaEnv", + "exception_workflows:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/workflows ess", + "exception_workflows:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/workflows ess essEnv", + + "exception_operators_date_numeric_types:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/date_numeric_types serverless", + "exception_operators_date_numeric_types:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/date_numeric_types serverless serverlessEnv", + "exception_operators_date_numeric_types:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/date_numeric_types serverless qaEnv", + "exception_operators_date_numeric_types:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/date_numeric_types ess", + "exception_operators_date_numeric_types:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/date_numeric_types ess essEnv", + + "exception_operators_keyword:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/keyword serverless", + "exception_operators_keyword:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/keyword serverless serverlessEnv", + "exception_operators_keyword:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/keyword serverless qaEnv", + "exception_operators_keyword:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/keyword ess", + "exception_operators_keyword:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/keyword ess essEnv", + + "exception_operators_ips:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/ips serverless", + "exception_operators_ips:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/ips serverless serverlessEnv", + "exception_operators_ips:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/ips serverless qaEnv", + "exception_operators_ips:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/ips ess", + "exception_operators_ips:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/ips ess essEnv", + + "exception_operators_long:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/long serverless", + "exception_operators_long:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/long serverless serverlessEnv", + "exception_operators_long:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/long serverless qaEnv", + "exception_operators_long:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/long ess", + "exception_operators_long:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/long ess essEnv", + + "exception_operators_text:essentials:server:serverless": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/text serverless", + "exception_operators_text:essentials:runner:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/text serverless serverlessEnv", + "exception_operators_text:essentials:qa:serverless": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/text serverless qaEnv", + "exception_operators_text:basic:server:ess": "npm run initialize-server:de:basic_essentials exceptions/operators_data_types/text ess", + "exception_operators_text:basic:runner:ess": "npm run run-tests:de:basic_essentials exceptions/operators_data_types/text ess essEnv", "actions:server:serverless": "npm run initialize-server:de actions serverless", "actions:runner:serverless": "npm run run-tests:de actions serverless serverlessEnv", diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/ess.config.ts similarity index 91% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/ess.config.ts index e2a1fb7a5773a..e8856e50b064a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/serverless.config.ts similarity index 83% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/serverless.config.ts index ef5d538b9983e..1098fc2b5c0fd 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Operators Date & Numeric Types Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/date.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/date.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/date.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/date.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/double.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/double.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/double.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/double.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/float.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/float.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/float.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/float.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/index.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/index.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/integer.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/integer.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/trial_license_complete_tier/integer.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/date_numeric_types/basic_license_essentials_tier/integer.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/ess.config.ts similarity index 93% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/ess.config.ts index 7e32a2da4551f..dab0c82986bc8 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators IP Types Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Operators IP Types Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/serverless.config.ts similarity index 85% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/serverless.config.ts index dff4e5acb1bd8..8608db2c51108 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators IP Types Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Operators IP Types Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/index.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/index.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/ip.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/ip.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/ip.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/ip.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/ip_array.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/ip_array.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/trial_license_complete_tier/ip_array.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/ips/basic_license_essentials_tier/ip_array.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/ess.config.ts similarity index 92% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/ess.config.ts index a347d2e5634f6..9c9103e5cc5dd 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Keyword Types Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Operators Keyword Types Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/serverless.config.ts similarity index 84% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/serverless.config.ts index 0c7574bae6e0e..e8adea7fc7cda 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Keyword Types Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Operators Keyword Types Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/index.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/index.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/keyword.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/keyword.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/keyword.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/keyword.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/keyword_array.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/keyword_array.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/trial_license_complete_tier/keyword_array.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/keyword/basic_license_essentials_tier/keyword_array.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/ess.config.ts similarity index 92% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/ess.config.ts index 45b835d2a4de7..d9ebb277f3554 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Long Types Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Operators Long Types Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/serverless.config.ts similarity index 85% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/serverless.config.ts index 2855c92ca239b..3e92c768e2c6e 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Long Types Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Operators Long Types Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/index.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/index.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/long.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/long.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/trial_license_complete_tier/long.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/long/basic_license_essentials_tier/long.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/ess.config.ts similarity index 92% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/ess.config.ts index f3b5a18bacaad..5054fed7f616f 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Text Types Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Operators Text Types Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/serverless.config.ts similarity index 85% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/serverless.config.ts index 750d852361911..cc118940c3384 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Operators Text Types Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Operators Text Types Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/index.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/index.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/text.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/text.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/text.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/text.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/text_array.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/text_array.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/trial_license_complete_tier/text_array.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/operators_data_types/text/basic_license_essentials_tier/text_array.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/role_based_add_edit_comments.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts similarity index 99% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/role_based_add_edit_comments.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts index 6535273cacb13..3ec89514a4d2d 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/role_based_add_edit_comments.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts @@ -30,7 +30,7 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const supertestWithoutAuth = getService('supertestWithoutAuth'); - describe('@serverless @ess @brokenInServerless role_based_add_edit_comments', () => { + describe('@ess role_based_add_edit_comments', () => { const socManager = ROLES.soc_manager; const detectionAdmin = ROLES.detections_admin; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts new file mode 100644 index 0000000000000..dcf09821e434d --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts @@ -0,0 +1,251 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable @typescript-eslint/naming-convention */ + +import expect from 'expect'; + +import { EXCEPTION_LIST_ITEM_URL, EXCEPTION_LIST_URL } from '@kbn/securitysolution-list-constants'; +import { + getCreateExceptionListDetectionSchemaMock, + getCreateExceptionListMinimalSchemaMock, +} from '@kbn/lists-plugin/common/schemas/request/create_exception_list_schema.mock'; +import { getCreateExceptionListItemMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_item_schema.mock'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { getUpdateMinimalExceptionListItemSchemaMock } from '@kbn/lists-plugin/common/schemas/request/update_exception_list_item_schema.mock'; +import { UpdateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; +import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils'; +import { + createUserAndRole, + deleteUserAndRole, +} from '../../../../../../../common/services/security_solution'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const log = getService('log'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); + + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @skipInQA role_based_add_edit_comments', () => { + const socManager = ROLES.detections_admin; + const detectionAdmin = ROLES.t3_analyst; + + describe('Rule Exceptions', () => { + beforeEach(async () => { + await createUserAndRole(getService, detectionAdmin); + await createUserAndRole(getService, socManager); + }); + + afterEach(async () => { + await deleteUserAndRole(getService, detectionAdmin); + await deleteUserAndRole(getService, socManager); + await deleteAllExceptions(supertest, log); + }); + + it('Add comment on a new exception, add another comment has unicode from a different user', async () => { + await supertestWithoutAuth + .post(EXCEPTION_LIST_URL) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send(getCreateExceptionListDetectionSchemaMock()) + .expect(200); + + const { os_types, ...ruleException } = getCreateExceptionListItemMinimalSchemaMock(); + + // Add comment by the Detection Admin + await supertestWithoutAuth + .post(EXCEPTION_LIST_ITEM_URL) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send({ + ...ruleException, + comments: [{ comment: 'Comment by user@detections_admin' }], + }) + .expect(200); + + const { body: items } = await supertestWithoutAuth + .get( + `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ + getCreateExceptionListMinimalSchemaMock().list_id + }` + ) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send() + .expect(200); + + // Validate the first user comment + expect(items.total).toEqual(1); + const [item] = items.data; + const detectionAdminComments = item.comments; + expect(detectionAdminComments.length).toEqual(1); + + expect(detectionAdminComments[0]).toEqual( + expect.objectContaining({ + created_by: 'detections_admin', + comment: 'Comment by user@detections_admin', + }) + ); + + const expectedId = item.id; + + // Update exception comment by different user Soc-manager + const { item_id: _, ...updateItemWithoutItemId } = + getUpdateMinimalExceptionListItemSchemaMock(); + + const updatePayload: UpdateExceptionListItemSchema = { + ...updateItemWithoutItemId, + comments: [ + ...(updateItemWithoutItemId.comments || []), + { comment: 'Comment by user@soc_manager' }, + ], + id: expectedId, + }; + await supertestWithoutAuth + .put(EXCEPTION_LIST_ITEM_URL) + .auth(socManager, 'changeme') + .set('kbn-xsrf', 'true') + .send(updatePayload) + .expect(200); + + const { body: itemsAfterUpdate } = await supertest + .get( + `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ + getCreateExceptionListMinimalSchemaMock().list_id + }` + ) + .auth(socManager, 'changeme') + .set('kbn-xsrf', 'true') + .send() + .expect(200); + const [itemAfterUpdate] = itemsAfterUpdate.data; + const detectionAdminAndSocManagerComments = itemAfterUpdate.comments; + + expect(detectionAdminAndSocManagerComments.length).toEqual(2); + + expect(detectionAdminAndSocManagerComments).toEqual( + expect.arrayContaining([ + expect.objectContaining({ + created_by: 'detections_admin', + comment: 'Comment by user@detections_admin', + }), + expect.objectContaining({ + created_by: 'soc_manager', + comment: 'Comment by user@soc_manager', + }), + ]) + ); + }); + }); + describe('Endpoint Exceptions', () => { + beforeEach(async () => { + await createUserAndRole(getService, detectionAdmin); + await createUserAndRole(getService, socManager); + }); + + afterEach(async () => { + await deleteUserAndRole(getService, detectionAdmin); + await deleteUserAndRole(getService, socManager); + await deleteAllExceptions(supertest, log); + }); + + it('Add comment on a new exception, add another comment has unicode from a different user', async () => { + await supertestWithoutAuth + .post(EXCEPTION_LIST_URL) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send(getCreateExceptionListMinimalSchemaMock()) + .expect(200); + + // Add comment by the Detection Admin + await supertestWithoutAuth + .post(EXCEPTION_LIST_ITEM_URL) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send({ + ...getCreateExceptionListItemMinimalSchemaMock(), + comments: [{ comment: 'Comment by user@detections_admin' }], + }) + .expect(200); + + const { body: items } = await supertestWithoutAuth + .get( + `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ + getCreateExceptionListMinimalSchemaMock().list_id + }` + ) + .auth(detectionAdmin, 'changeme') + .set('kbn-xsrf', 'true') + .send() + .expect(200); + + // Validate the first user comment + expect(items.total).toEqual(1); + const [item] = items.data; + const detectionAdminComments = item.comments; + expect(detectionAdminComments.length).toEqual(1); + + expect(detectionAdminComments[0]).toEqual( + expect.objectContaining({ + created_by: 'detections_admin', + comment: 'Comment by user@detections_admin', + }) + ); + + const expectedId = item.id; + + // Update exception comment by different user Soc-manager + const { item_id: _, ...updateItemWithoutItemId } = + getUpdateMinimalExceptionListItemSchemaMock(); + + const updatePayload: UpdateExceptionListItemSchema = { + ...updateItemWithoutItemId, + comments: [ + ...(updateItemWithoutItemId.comments || []), + { comment: 'Comment by user@soc_manager' }, + ], + id: expectedId, + }; + await supertestWithoutAuth + .put(EXCEPTION_LIST_ITEM_URL) + .auth(socManager, 'changeme') + .set('kbn-xsrf', 'true') + .send(updatePayload) + .expect(200); + + const { body: itemsAfterUpdate } = await supertest + .get( + `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ + getCreateExceptionListMinimalSchemaMock().list_id + }` + ) + .auth(socManager, 'changeme') + .set('kbn-xsrf', 'true') + .send() + .expect(200); + const [itemAfterUpdate] = itemsAfterUpdate.data; + const detectionAdminAndSocManagerComments = itemAfterUpdate.comments; + + expect(detectionAdminAndSocManagerComments.length).toEqual(2); + + expect(detectionAdminAndSocManagerComments).toEqual( + expect.arrayContaining([ + expect.objectContaining({ + created_by: 'detections_admin', + comment: 'Comment by user@detections_admin', + }), + expect.objectContaining({ + created_by: 'soc_manager', + comment: 'Comment by user@soc_manager', + }), + ]) + ); + }); + }); + }); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/ess.config.ts similarity index 94% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/ess.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/ess.config.ts index e3d1852401d8c..210e19bfbbfc1 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/ess.config.ts @@ -9,7 +9,7 @@ import { FtrConfigProviderContext } from '@kbn/test'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const functionalConfig = await readConfigFile( - require.resolve('../../../../../../../config/ess/config.base.trial') + require.resolve('../../../../../../../config/ess/config.base.basic') ); return { @@ -17,7 +17,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Workflows Integration Tests - ESS Env - Trial License', + 'Detection Engine - Exception Workflows Integration Tests - ESS Env - Basic License', }, }; } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/serverless.config.ts similarity index 87% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/serverless.config.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/serverless.config.ts index 0e664b489dd9a..d4423273eaadc 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/configs/serverless.config.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { createTestConfig } from '../../../../../../../config/serverless/config.base'; +import { createTestConfig } from '../../../../../../../config/serverless/config.base.essentials'; export default createTestConfig({ testFiles: [require.resolve('..')], junit: { reportName: - 'Detection Engine - Exception Workflows Integration Tests - Serverless Env - Complete Tier', + 'Detection Engine - Exception Workflows Integration Tests - Serverless Env - Essentials Tier', }, }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_endpoint_exceptions.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts similarity index 99% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_endpoint_exceptions.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts index 8850976d1cf53..8bae9c4bee809 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_endpoint_exceptions.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts @@ -74,7 +74,8 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); - describe('@serverless @ess create_endpoint_exceptions', () => { + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @ess @skipInQA create_endpoint_exceptions', () => { before(async () => { await esArchiver.load( 'x-pack/test/functional/es_archives/rule_exceptions/endpoint_without_host_type' diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_rule_exceptions.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts similarity index 78% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_rule_exceptions.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts index 9a51cd8a1e130..4f0c1ed1106e4 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/create_rule_exceptions.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts @@ -6,8 +6,6 @@ */ import expect from '@kbn/expect'; -import { Rule } from '@kbn/alerting-plugin/common'; -import { BaseRuleParams } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_schema'; import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants'; import { CreateExceptionListSchema, @@ -16,15 +14,7 @@ import { ExceptionListTypeEnum, } from '@kbn/securitysolution-io-ts-list-types'; import { getCreateExceptionListMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_schema.mock'; -import { - fetchRule, - getSimpleRule, - createExceptionList, - getRuleSOById, - createRuleThroughAlertingEndpoint, - getRuleSavedObjectWithLegacyInvestigationFields, - checkInvestigationFieldSoValue, -} from '../../../../utils'; +import { fetchRule, getSimpleRule, createExceptionList } from '../../../../utils'; import { createRule, createAlertsIndex, @@ -58,7 +48,8 @@ export default ({ getService }: FtrProviderContext) => { const config = getService('config'); const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); - describe('@serverless @ess create_rule_exception_route', () => { + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @ess @skipInQA create_rule_exception_route', () => { before(async () => { await createAlertsIndex(supertest, log); }); @@ -254,54 +245,5 @@ export default ({ getService }: FtrProviderContext) => { status_code: 500, }); }); - - // TODO: When available this tag should be @skipInServerless - // This use case is not relevant to serverless. - describe('@brokenInServerless legacy investigation_fields', () => { - let ruleWithLegacyInvestigationField: Rule; - - beforeEach(async () => { - await deleteAllRules(supertest, log); - ruleWithLegacyInvestigationField = await createRuleThroughAlertingEndpoint( - supertest, - getRuleSavedObjectWithLegacyInvestigationFields() - ); - }); - - afterEach(async () => { - await deleteAllRules(supertest, log); - }); - - it('creates and associates a `rule_default` exception list to a rule with a legacy investigation_field', async () => { - await supertest - .post(`${DETECTION_ENGINE_RULES_URL}/${ruleWithLegacyInvestigationField.id}/exceptions`) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - items: [getRuleExceptionItemMock()], - }) - .expect(200); - - /** - * Confirm type on SO so that it's clear in the tests whether it's expected that - * the SO itself is migrated to the inteded object type, or if the transformation is - * happening just on the response. In this case, change will - * NOT include a migration on SO. - */ - const { - hits: { - hits: [{ _source: ruleSO }], - }, - } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id); - const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(ruleSO, { - field_names: ['client.address', 'agent.name'], - }); - - expect( - ruleSO?.alert.params.exceptionsList.some((list) => list.type === 'rule_default') - ).to.eql(true); - expect(isInvestigationFieldMigratedInSo).to.eql(false); - }); - }); }); }; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts new file mode 100644 index 0000000000000..bdc487504e6cc --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts @@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { Rule } from '@kbn/alerting-plugin/common'; +import { BaseRuleParams } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_schema'; +import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants'; +import { CreateRuleExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; +import { + getRuleSOById, + createRuleThroughAlertingEndpoint, + getRuleSavedObjectWithLegacyInvestigationFields, + checkInvestigationFieldSoValue, +} from '../../../../utils'; +import { + createAlertsIndex, + deleteAllRules, + deleteAllAlerts, +} from '../../../../../../../common/utils/security_solution'; +import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +const getRuleExceptionItemMock = (): CreateRuleExceptionListItemSchema => ({ + description: 'Exception item for rule default exception list', + entries: [ + { + field: 'some.not.nested.field', + operator: 'included', + type: 'match', + value: 'some value', + }, + ], + name: 'Sample exception item', + type: 'simple', +}); + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const log = getService('log'); + const es = getService('es'); + const config = getService('config'); + const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); + + describe('@ess create rule exception routes, ESS specific logic', () => { + before(async () => { + await createAlertsIndex(supertest, log); + }); + + after(async () => { + await deleteAllExceptions(supertest, log); + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + }); + + describe('legacy investigation_fields', () => { + let ruleWithLegacyInvestigationField: Rule; + + beforeEach(async () => { + await deleteAllRules(supertest, log); + ruleWithLegacyInvestigationField = await createRuleThroughAlertingEndpoint( + supertest, + getRuleSavedObjectWithLegacyInvestigationFields() + ); + }); + + afterEach(async () => { + await deleteAllRules(supertest, log); + }); + + it('creates and associates a `rule_default` exception list to a rule with a legacy investigation_field', async () => { + await supertest + .post(`${DETECTION_ENGINE_RULES_URL}/${ruleWithLegacyInvestigationField.id}/exceptions`) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + items: [getRuleExceptionItemMock()], + }) + .expect(200); + + /** + * Confirm type on SO so that it's clear in the tests whether it's expected that + * the SO itself is migrated to the inteded object type, or if the transformation is + * happening just on the response. In this case, change will + * NOT include a migration on SO. + */ + const { + hits: { + hits: [{ _source: ruleSO }], + }, + } = await getRuleSOById(es, ruleWithLegacyInvestigationField.id); + const isInvestigationFieldMigratedInSo = await checkInvestigationFieldSoValue(ruleSO, { + field_names: ['client.address', 'agent.name'], + }); + + expect( + ruleSO?.alert.params.exceptionsList.some((list) => list.type === 'rule_default') + ).to.eql(true); + expect(isInvestigationFieldMigratedInSo).to.eql(false); + }); + }); + }); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/rule_exception_synchronizations.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exceptions_data_integrity.ts similarity index 96% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/rule_exception_synchronizations.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exceptions_data_integrity.ts index f966098d4fa58..8aac6a504d52e 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/rule_exception_synchronizations.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exceptions_data_integrity.ts @@ -37,7 +37,8 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); - describe('@serverless @ess Synchronizations', () => { + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @ess @skipInQA exceptions data integrity', () => { afterEach(async () => { await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/find_rule_exception_references.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts similarity index 97% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/find_rule_exception_references.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts index de24472e94989..029f8bd76c4ed 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/find_rule_exception_references.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts @@ -36,7 +36,8 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); - describe('@serverless @ess find_rule_exception_references', () => { + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @ess @skipInQA find_rule_exception_references', () => { before(async () => { await createAlertsIndex(supertest, log); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts similarity index 67% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/index.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts index 729f941111d8f..48a7fdadb6d6c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts @@ -8,11 +8,13 @@ import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('Detection Engine - Exception workflows APIs', function () { + loadTestFile(require.resolve('./add_edit_comments_ess')); + loadTestFile(require.resolve('./add_edit_comments_serverless')); + loadTestFile(require.resolve('./create_endpoint_exceptions')); + loadTestFile(require.resolve('./create_rule_exceptions_ess')); loadTestFile(require.resolve('./create_rule_exceptions')); - loadTestFile(require.resolve('./create_rule_exceptions')); + loadTestFile(require.resolve('./exceptions_data_integrity')); + loadTestFile(require.resolve('./find_rule_exception_references')); loadTestFile(require.resolve('./role_based_rule_exceptions_workflows')); - loadTestFile(require.resolve('./create_endpoint_exceptions')); - loadTestFile(require.resolve('./role_based_add_edit_comments')); - loadTestFile(require.resolve('./rule_exception_synchronizations')); }); } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/role_based_rule_exceptions_workflows.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts similarity index 100% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/trial_license_complete_tier/role_based_rule_exceptions_workflows.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts From da4d1a667145ca4dc18e7510466337efeff62377 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Fri, 29 Mar 2024 11:06:21 -0700 Subject: [PATCH 2/4] got em runnin --- .../api_integration/api-integration-tests.sh | 4 +- .../serverless_resources/security_roles.json | 10 +- .../query_alerts.ts | 1 - .../create_endpoint_exceptions.ts | 3 +- .../create_rule_exceptions.ts | 3 +- ...ments_ess.ts => exception_comments_ess.ts} | 2 +- ...ss.ts => exception_comments_serverless.ts} | 113 +- .../find_rule_exception_references.ts | 9 +- .../basic_license_essentials_tier/index.ts | 7 +- .../prebuilt_rules.ts | 402 +++++++ .../role_based_rule_exceptions_workflows.ts | 984 ------------------ .../rule_exceptions_execution.ts | 479 +++++++++ 12 files changed, 947 insertions(+), 1070 deletions(-) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/{add_edit_comments_ess.ts => exception_comments_ess.ts} (99%) rename x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/{add_edit_comments_serverless.ts => exception_comments_serverless.ts} (63%) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/prebuilt_rules.ts delete mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts diff --git a/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh b/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh index 9bbb9aa5b7442..64ac782a8c488 100755 --- a/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh +++ b/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh @@ -90,7 +90,9 @@ FORMATTED_KB_URL="${KB_URL/https:\/\//}" # This is used in order to wait for the environment to be ready. sleep 150 -TEST_CLOUD=1 TEST_ES_URL="https://elastic:$PASSWORD@$FORMATTED_ES_URL:443" TEST_KIBANA_URL="https://elastic:$PASSWORD@$FORMATTED_KB_URL:443" yarn run $1 +echo "uername: $USERNAME" + +TEST_CLOUD=1 TEST_ES_URL="https://$USERNAME:$PASSWORD@$FORMATTED_ES_URL:443" TEST_KIBANA_URL="https://$USERNAME:$PASSWORD@$FORMATTED_KB_URL:443" yarn run $1 cmd_status=$? echo "Exit code with status: $cmd_status" diff --git a/packages/kbn-es/src/serverless_resources/security_roles.json b/packages/kbn-es/src/serverless_resources/security_roles.json index 0c965328a971c..8ba9dc4c6bc73 100644 --- a/packages/kbn-es/src/serverless_resources/security_roles.json +++ b/packages/kbn-es/src/serverless_resources/security_roles.json @@ -104,6 +104,7 @@ "logs-*", "packetbeat-*", "winlogbeat-*", + "logstash-*", ".asset-criticality.asset-criticality-*" ], "privileges": ["read", "write"] @@ -117,7 +118,7 @@ "privileges": ["read", "write"] }, { - "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*", "risk-score.risk-score-*"], "privileges": ["read"] } ], @@ -143,9 +144,14 @@ "file_operations_all" ], "securitySolutionCases": ["all"], + "securitySolutionAssistant": ["all"], "actions": ["read"], "builtInAlerts": ["all"], - "osquery": ["all"] + "osquery": ["all"], + "discover": ["all"], + "dashboard": ["all"], + "maps": ["all"], + "visualize": ["all"] }, "spaces": ["*"], "base": [] diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts index 4412632f2c4a9..5dcc78486ebdc 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/basic_license_essentials_tier/query_alerts.ts @@ -72,7 +72,6 @@ export default ({ getService }: FtrProviderContext) => { await createAlertsIndex(supertest, log); }); after(async () => { - // await esArchiver.unload('x-pack/test/functional/es_archives/endpoint/resolver/signals'); await deleteAllAlerts(supertest, log, es); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts index 8bae9c4bee809..8850976d1cf53 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_endpoint_exceptions.ts @@ -74,8 +74,7 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); - // @skipInQA purposefully - only running tests in MKI whose failure should block release - describe('@serverless @ess @skipInQA create_endpoint_exceptions', () => { + describe('@serverless @ess create_endpoint_exceptions', () => { before(async () => { await esArchiver.load( 'x-pack/test/functional/es_archives/rule_exceptions/endpoint_without_host_type' diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts index 4f0c1ed1106e4..e65914d7f4193 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions.ts @@ -48,8 +48,7 @@ export default ({ getService }: FtrProviderContext) => { const config = getService('config'); const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); - // @skipInQA purposefully - only running tests in MKI whose failure should block release - describe('@serverless @ess @skipInQA create_rule_exception_route', () => { + describe('@serverless @ess create "rule_default" exceptions', () => { before(async () => { await createAlertsIndex(supertest, log); }); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_ess.ts similarity index 99% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_ess.ts index 3ec89514a4d2d..aeecef2a60ade 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_ess.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_ess.ts @@ -30,7 +30,7 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const supertestWithoutAuth = getService('supertestWithoutAuth'); - describe('@ess role_based_add_edit_comments', () => { + describe('@ess exception item comments', () => { const socManager = ROLES.soc_manager; const detectionAdmin = ROLES.detections_admin; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_serverless.ts similarity index 63% rename from x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts rename to x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_serverless.ts index dcf09821e434d..e4431967bf439 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/add_edit_comments_serverless.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/exception_comments_serverless.ts @@ -19,10 +19,6 @@ import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { getUpdateMinimalExceptionListItemSchemaMock } from '@kbn/lists-plugin/common/schemas/request/update_exception_list_item_schema.mock'; import { UpdateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils'; -import { - createUserAndRole, - deleteUserAndRole, -} from '../../../../../../../common/services/security_solution'; import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default ({ getService }: FtrProviderContext) => { @@ -31,50 +27,37 @@ export default ({ getService }: FtrProviderContext) => { const supertestWithoutAuth = getService('supertestWithoutAuth'); // @skipInQA purposefully - only running tests in MKI whose failure should block release - describe('@serverless @skipInQA role_based_add_edit_comments', () => { - const socManager = ROLES.detections_admin; - const detectionAdmin = ROLES.t3_analyst; - + describe('@serverless @skipInQA exception item comments - serverless specific behavior', () => { describe('Rule Exceptions', () => { - beforeEach(async () => { - await createUserAndRole(getService, detectionAdmin); - await createUserAndRole(getService, socManager); - }); - afterEach(async () => { - await deleteUserAndRole(getService, detectionAdmin); - await deleteUserAndRole(getService, socManager); await deleteAllExceptions(supertest, log); }); it('Add comment on a new exception, add another comment has unicode from a different user', async () => { - await supertestWithoutAuth + await supertest .post(EXCEPTION_LIST_URL) - .auth(detectionAdmin, 'changeme') .set('kbn-xsrf', 'true') .send(getCreateExceptionListDetectionSchemaMock()) .expect(200); const { os_types, ...ruleException } = getCreateExceptionListItemMinimalSchemaMock(); - // Add comment by the Detection Admin + // Add comment by another user await supertestWithoutAuth .post(EXCEPTION_LIST_ITEM_URL) - .auth(detectionAdmin, 'changeme') + .auth(ROLES.t3_analyst, 'changeme') .set('kbn-xsrf', 'true') .send({ ...ruleException, - comments: [{ comment: 'Comment by user@detections_admin' }], + comments: [{ comment: 'Comment by user@t3_analyst' }], }) .expect(200); - - const { body: items } = await supertestWithoutAuth + const { body: items } = await supertest .get( `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ getCreateExceptionListMinimalSchemaMock().list_id }` ) - .auth(detectionAdmin, 'changeme') .set('kbn-xsrf', 'true') .send() .expect(200); @@ -82,19 +65,19 @@ export default ({ getService }: FtrProviderContext) => { // Validate the first user comment expect(items.total).toEqual(1); const [item] = items.data; - const detectionAdminComments = item.comments; - expect(detectionAdminComments.length).toEqual(1); + const t3AnalystComments = item.comments; + expect(t3AnalystComments.length).toEqual(1); - expect(detectionAdminComments[0]).toEqual( + expect(t3AnalystComments[0]).toEqual( expect.objectContaining({ - created_by: 'detections_admin', - comment: 'Comment by user@detections_admin', + created_by: 't3_analyst', + comment: 'Comment by user@t3_analyst', }) ); const expectedId = item.id; - // Update exception comment by different user Soc-manager + // Update exception comment by different user const { item_id: _, ...updateItemWithoutItemId } = getUpdateMinimalExceptionListItemSchemaMock(); @@ -102,13 +85,12 @@ export default ({ getService }: FtrProviderContext) => { ...updateItemWithoutItemId, comments: [ ...(updateItemWithoutItemId.comments || []), - { comment: 'Comment by user@soc_manager' }, + { comment: 'Comment by elastic_serverless' }, ], id: expectedId, }; - await supertestWithoutAuth + await supertest .put(EXCEPTION_LIST_ITEM_URL) - .auth(socManager, 'changeme') .set('kbn-xsrf', 'true') .send(updatePayload) .expect(200); @@ -119,67 +101,58 @@ export default ({ getService }: FtrProviderContext) => { getCreateExceptionListMinimalSchemaMock().list_id }` ) - .auth(socManager, 'changeme') .set('kbn-xsrf', 'true') .send() .expect(200); + const [itemAfterUpdate] = itemsAfterUpdate.data; - const detectionAdminAndSocManagerComments = itemAfterUpdate.comments; + const comments = itemAfterUpdate.comments; - expect(detectionAdminAndSocManagerComments.length).toEqual(2); + expect(comments.length).toEqual(2); - expect(detectionAdminAndSocManagerComments).toEqual( + expect(comments).toEqual( expect.arrayContaining([ expect.objectContaining({ - created_by: 'detections_admin', - comment: 'Comment by user@detections_admin', + created_by: 't3_analyst', + comment: 'Comment by user@t3_analyst', }), expect.objectContaining({ - created_by: 'soc_manager', - comment: 'Comment by user@soc_manager', + created_by: 'elastic_serverless', + comment: 'Comment by elastic_serverless', }), ]) ); }); }); describe('Endpoint Exceptions', () => { - beforeEach(async () => { - await createUserAndRole(getService, detectionAdmin); - await createUserAndRole(getService, socManager); - }); - afterEach(async () => { - await deleteUserAndRole(getService, detectionAdmin); - await deleteUserAndRole(getService, socManager); await deleteAllExceptions(supertest, log); }); it('Add comment on a new exception, add another comment has unicode from a different user', async () => { - await supertestWithoutAuth + await supertest .post(EXCEPTION_LIST_URL) - .auth(detectionAdmin, 'changeme') .set('kbn-xsrf', 'true') .send(getCreateExceptionListMinimalSchemaMock()) .expect(200); - // Add comment by the Detection Admin + // Add comment by the t3 analyst await supertestWithoutAuth .post(EXCEPTION_LIST_ITEM_URL) - .auth(detectionAdmin, 'changeme') + .auth(ROLES.t3_analyst, 'changeme') .set('kbn-xsrf', 'true') .send({ ...getCreateExceptionListItemMinimalSchemaMock(), - comments: [{ comment: 'Comment by user@detections_admin' }], + comments: [{ comment: 'Comment by user@t3_analyst' }], }) .expect(200); - const { body: items } = await supertestWithoutAuth + const { body: items } = await supertest .get( `${EXCEPTION_LIST_ITEM_URL}/_find?list_id=${ getCreateExceptionListMinimalSchemaMock().list_id }` ) - .auth(detectionAdmin, 'changeme') .set('kbn-xsrf', 'true') .send() .expect(200); @@ -187,19 +160,19 @@ export default ({ getService }: FtrProviderContext) => { // Validate the first user comment expect(items.total).toEqual(1); const [item] = items.data; - const detectionAdminComments = item.comments; - expect(detectionAdminComments.length).toEqual(1); + const t3AnalystComments = item.comments; + expect(t3AnalystComments.length).toEqual(1); - expect(detectionAdminComments[0]).toEqual( + expect(t3AnalystComments[0]).toEqual( expect.objectContaining({ - created_by: 'detections_admin', - comment: 'Comment by user@detections_admin', + created_by: 't3_analyst', + comment: 'Comment by user@t3_analyst', }) ); const expectedId = item.id; - // Update exception comment by different user Soc-manager + // Update exception comment by different user const { item_id: _, ...updateItemWithoutItemId } = getUpdateMinimalExceptionListItemSchemaMock(); @@ -207,13 +180,12 @@ export default ({ getService }: FtrProviderContext) => { ...updateItemWithoutItemId, comments: [ ...(updateItemWithoutItemId.comments || []), - { comment: 'Comment by user@soc_manager' }, + { comment: 'Comment by elastic_serverless' }, ], id: expectedId, }; - await supertestWithoutAuth + await supertest .put(EXCEPTION_LIST_ITEM_URL) - .auth(socManager, 'changeme') .set('kbn-xsrf', 'true') .send(updatePayload) .expect(200); @@ -224,24 +196,23 @@ export default ({ getService }: FtrProviderContext) => { getCreateExceptionListMinimalSchemaMock().list_id }` ) - .auth(socManager, 'changeme') .set('kbn-xsrf', 'true') .send() .expect(200); const [itemAfterUpdate] = itemsAfterUpdate.data; - const detectionAdminAndSocManagerComments = itemAfterUpdate.comments; + const comments = itemAfterUpdate.comments; - expect(detectionAdminAndSocManagerComments.length).toEqual(2); + expect(comments.length).toEqual(2); - expect(detectionAdminAndSocManagerComments).toEqual( + expect(comments).toEqual( expect.arrayContaining([ expect.objectContaining({ - created_by: 'detections_admin', - comment: 'Comment by user@detections_admin', + created_by: 't3_analyst', + comment: 'Comment by user@t3_analyst', }), expect.objectContaining({ - created_by: 'soc_manager', - comment: 'Comment by user@soc_manager', + created_by: 'elastic_serverless', + comment: 'Comment by elastic_serverless', }), ]) ); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts index 029f8bd76c4ed..e8f8a5bab1981 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/find_rule_exception_references.ts @@ -36,19 +36,18 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); - // @skipInQA purposefully - only running tests in MKI whose failure should block release - describe('@serverless @ess @skipInQA find_rule_exception_references', () => { + describe('@serverless @ess find_rule_exception_references', () => { before(async () => { await createAlertsIndex(supertest, log); }); after(async () => { await deleteAllAlerts(supertest, log, es); - await deleteAllRules(supertest, log); }); afterEach(async () => { await deleteAllExceptions(supertest, log); + await deleteAllRules(supertest, log); }); it('returns empty array per list_id if no references are found', async () => { @@ -68,6 +67,7 @@ export default ({ getService }: FtrProviderContext) => { .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL) .set('kbn-xsrf', 'true') .set('elastic-api-version', '1') + .set('X-Elastic-Internal-Origin', 'Kibana') .query({ ids: `${exceptionList.id}`, list_ids: `${exceptionList.list_id}`, @@ -122,6 +122,7 @@ export default ({ getService }: FtrProviderContext) => { .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL) .set('kbn-xsrf', 'true') .set('elastic-api-version', '1') + .set('X-Elastic-Internal-Origin', 'Kibana') .query({ ids: `1234`, list_ids: `i_dont_exist`, @@ -169,6 +170,7 @@ export default ({ getService }: FtrProviderContext) => { .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL) .set('kbn-xsrf', 'true') .set('elastic-api-version', '1') + .set('X-Elastic-Internal-Origin', 'Kibana') .query({ ids: `${exceptionList.id},${exceptionList2.id}`, list_ids: `${exceptionList.list_id},${exceptionList2.list_id}`, @@ -218,6 +220,7 @@ export default ({ getService }: FtrProviderContext) => { .get(DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL) .set('kbn-xsrf', 'true') .set('elastic-api-version', '1') + .set('X-Elastic-Internal-Origin', 'Kibana') .query({ namespace_types: 'single,agnostic', }) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts index 48a7fdadb6d6c..66941493174a7 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/index.ts @@ -8,13 +8,14 @@ import { FtrProviderContext } from '../../../../../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('Detection Engine - Exception workflows APIs', function () { - loadTestFile(require.resolve('./add_edit_comments_ess')); - loadTestFile(require.resolve('./add_edit_comments_serverless')); + loadTestFile(require.resolve('./exception_comments_ess')); + loadTestFile(require.resolve('./exception_comments_serverless')); loadTestFile(require.resolve('./create_endpoint_exceptions')); loadTestFile(require.resolve('./create_rule_exceptions_ess')); loadTestFile(require.resolve('./create_rule_exceptions')); loadTestFile(require.resolve('./exceptions_data_integrity')); loadTestFile(require.resolve('./find_rule_exception_references')); - loadTestFile(require.resolve('./role_based_rule_exceptions_workflows')); + loadTestFile(require.resolve('./rule_exceptions_execution')); + loadTestFile(require.resolve('./prebuilt_rules')); }); } diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/prebuilt_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/prebuilt_rules.ts new file mode 100644 index 0000000000000..0eb674d148727 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/prebuilt_rules.ts @@ -0,0 +1,402 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable @typescript-eslint/naming-convention */ + +import expect from 'expect'; + +import { getCreateExceptionListMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_schema.mock'; + +import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants'; +import { ELASTIC_SECURITY_RULE_ID } from '@kbn/security-solution-plugin/common'; + +import { + fetchRule, + createExceptionList, + removeServerGeneratedProperties, + downgradeImmutableRule, + installMockPrebuiltRules, + findImmutableRuleById, + getPrebuiltRulesAndTimelinesStatus, + SAMPLE_PREBUILT_RULES, +} from '../../../../utils'; +import { + createAlertsIndex, + deleteAllRules, + deleteAllAlerts, +} from '../../../../../../../common/utils/security_solution'; +import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const log = getService('log'); + const es = getService('es'); + + // @skipInQA purposefully - only running tests in MKI whose failure should block release + describe('@serverless @ess @skipInQA exceptions workflows for prebuilt rules', () => { + describe('creating rules with exceptions', () => { + beforeEach(async () => { + await createAlertsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + await deleteAllExceptions(supertest, log); + }); + + it('should allow removing an exception list from an immutable rule through patch', async () => { + await installMockPrebuiltRules(supertest, es); + + // This rule has an existing exceptions_list that we are going to use + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one exceptions_list + + // remove the exceptions list as a user is allowed to remove it from an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ rule_id: ELASTIC_SECURITY_RULE_ID, exceptions_list: [] }) + .expect(200); + + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRuleSecondTime.exceptions_list.length).toEqual(0); + }); + + it('should allow adding a second exception list to an immutable rule through patch', async () => { + await installMockPrebuiltRules(supertest, es); + + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // This rule has an existing exceptions_list that we are going to use + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + // add a second exceptions list as a user is allowed to add a second list to an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ELASTIC_SECURITY_RULE_ID, + exceptions_list: [ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + expect(immutableRuleSecondTime.exceptions_list.length).toEqual(2); + }); + + it('should override any updates to pre-packaged rules if the user removes the exception list through the API but the new version of a rule has an exception list again', async () => { + await installMockPrebuiltRules(supertest, es); + + // This rule has an existing exceptions_list that we are going to use + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ rule_id: ELASTIC_SECURITY_RULE_ID, exceptions_list: [] }) + .expect(200); + + await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); + await installMockPrebuiltRules(supertest, es); + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + // We should have a length of 1 and it should be the same as our original before we tried to remove it using patch + expect(immutableRuleSecondTime.exceptions_list.length).toEqual(1); + expect(immutableRuleSecondTime.exceptions_list).toEqual(immutableRule.exceptions_list); + }); + + it('should merge back an exceptions_list if it was removed from the immutable rule through PATCH', async () => { + await installMockPrebuiltRules(supertest, es); + + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + // remove the exception list and only have a single list that is not an endpoint_list + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ELASTIC_SECURITY_RULE_ID, + exceptions_list: [ + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); + await installMockPrebuiltRules(supertest, es); + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + expect(immutableRuleSecondTime.exceptions_list).toEqual([ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ]); + }); + + it('should NOT add an extra exceptions_list that already exists on a rule during an upgrade', async () => { + await installMockPrebuiltRules(supertest, es); + + // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); + await installMockPrebuiltRules(supertest, es); + + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + // The installed rule should have both the original immutable exceptions list back and the + // new list the user added. + expect(immutableRuleSecondTime.exceptions_list).toEqual([...immutableRule.exceptions_list]); + }); + + it('should NOT allow updates to pre-packaged rules to overwrite existing exception based rules when the user adds an additional exception list', async () => { + await installMockPrebuiltRules(supertest, es); + + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + // add a second exceptions list as a user is allowed to add a second list to an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ELASTIC_SECURITY_RULE_ID, + exceptions_list: [ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); + await installMockPrebuiltRules(supertest, es); + const immutableRuleSecondTime = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + + // It should be the same as what the user added originally + expect(immutableRuleSecondTime.exceptions_list).toEqual([ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ]); + }); + + it('should not remove any exceptions added to a pre-packaged/immutable rule during an update if that rule has no existing exception lists', async () => { + await installMockPrebuiltRules(supertest, es); + + // Create a new exception list + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // Find a rule without exceptions_list + const ruleWithoutExceptionList = SAMPLE_PREBUILT_RULES.find( + (rule) => !rule['security-rule'].exceptions_list + ); + const ruleId = ruleWithoutExceptionList?.['security-rule'].rule_id; + if (!ruleId) { + throw new Error('Cannot find a rule without exceptions_list in the sample data'); + } + + const immutableRule = await fetchRule(supertest, { ruleId }); + expect(immutableRule.exceptions_list.length).toEqual(0); // make sure we have no exceptions_list + + // add a second exceptions list as a user is allowed to add a second list to an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ruleId, + exceptions_list: [ + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + await downgradeImmutableRule(es, log, ruleId); + await installMockPrebuiltRules(supertest, es); + const immutableRuleSecondTime = await fetchRule(supertest, { ruleId }); + + expect(immutableRuleSecondTime.exceptions_list).toEqual([ + { + id, + list_id, + namespace_type, + type, + }, + ]); + }); + + it('should not change the immutable tags when adding a second exception list to an immutable rule through patch', async () => { + await installMockPrebuiltRules(supertest, es); + + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // This rule has an existing exceptions_list that we are going to use + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + // add a second exceptions list as a user is allowed to add a second list to an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ELASTIC_SECURITY_RULE_ID, + exceptions_list: [ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + const body = await findImmutableRuleById(supertest, log, ELASTIC_SECURITY_RULE_ID); + expect(body.data.length).toEqual(1); // should have only one length to the data set, otherwise we have duplicates or the tags were removed and that is incredibly bad. + + const bodyToCompare = removeServerGeneratedProperties(body.data[0]); + expect(bodyToCompare.rule_id).toEqual(immutableRule.rule_id); // Rule id should not change with a a patch + expect(bodyToCompare.immutable).toEqual(immutableRule.immutable); // Immutable should always stay the same which is true and never flip to false. + expect(bodyToCompare.version).toEqual(immutableRule.version); // The version should never update on a patch + }); + + it('should not change count of prepacked rules when adding a second exception list to an immutable rule through patch. If this fails, suspect the immutable tags are not staying on the rule correctly.', async () => { + await installMockPrebuiltRules(supertest, es); + + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + // This rule has an existing exceptions_list that we are going to use + const immutableRule = await fetchRule(supertest, { + ruleId: ELASTIC_SECURITY_RULE_ID, + }); + expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one + + // add a second exceptions list as a user is allowed to add a second list to an immutable rule + await supertest + .patch(DETECTION_ENGINE_RULES_URL) + .set('kbn-xsrf', 'true') + .set('elastic-api-version', '2023-10-31') + .send({ + rule_id: ELASTIC_SECURITY_RULE_ID, + exceptions_list: [ + ...immutableRule.exceptions_list, + { + id, + list_id, + namespace_type, + type, + }, + ], + }) + .expect(200); + + const status = await getPrebuiltRulesAndTimelinesStatus(es, supertest); + expect(status.rules_not_installed).toEqual(0); + }); + }); + }); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts deleted file mode 100644 index 1472637d3b5f5..0000000000000 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/role_based_rule_exceptions_workflows.ts +++ /dev/null @@ -1,984 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* eslint-disable @typescript-eslint/naming-convention */ - -import expect from 'expect'; -import type { CreateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; -import { - EXCEPTION_LIST_ITEM_URL, - EXCEPTION_LIST_URL, - LIST_URL, -} from '@kbn/securitysolution-list-constants'; -import type { - RuleCreateProps, - EqlRuleCreateProps, - QueryRuleCreateProps, - ThreatMatchRuleCreateProps, - ThresholdRuleCreateProps, -} from '@kbn/security-solution-plugin/common/api/detection_engine'; -import { getCreateExceptionListItemMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_item_schema.mock'; -import { getCreateExceptionListMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_schema.mock'; - -import { DETECTION_ENGINE_RULES_URL } from '@kbn/security-solution-plugin/common/constants'; -import { ROLES } from '@kbn/security-solution-plugin/common/test'; -import { ELASTIC_SECURITY_RULE_ID } from '@kbn/security-solution-plugin/common'; - -import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder'; -import { - fetchRule, - getSimpleRule, - createExceptionList, - createExceptionListItem, - getThresholdRuleForAlertTesting, - getSimpleRuleOutput, - removeServerGeneratedProperties, - downgradeImmutableRule, - installMockPrebuiltRules, - findImmutableRuleById, - getPrebuiltRulesAndTimelinesStatus, - getOpenAlerts, - createRuleWithExceptionEntries, - getEqlRuleForAlertTesting, - SAMPLE_PREBUILT_RULES, - updateUsername, -} from '../../../../utils'; -import { - createAlertsIndex, - createRule, - deleteAllRules, - waitForRuleSuccess, - waitForAlertsToBePresent, - getAlertsByIds, - deleteAllAlerts, -} from '../../../../../../../common/utils/security_solution'; -import { - createListsIndex, - deleteAllExceptions, - deleteListsIndex, - importFile, -} from '../../../../../lists_and_exception_lists/utils'; -import { - createUserAndRole, - deleteUserAndRole, -} from '../../../../../../../common/services/security_solution'; -import { FtrProviderContext } from '../../../../../../ftr_provider_context'; - -export default ({ getService }: FtrProviderContext) => { - const supertest = getService('supertest'); - const supertestWithoutAuth = getService('supertestWithoutAuth'); - const esArchiver = getService('esArchiver'); - const log = getService('log'); - const es = getService('es'); - // TODO: add a new service for loading archiver files similar to "getService('es')" - const config = getService('config'); - const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); - const isServerless = config.get('serverless'); - const dataPathBuilder = new EsArchivePathBuilder(isServerless); - const path = dataPathBuilder.getPath('auditbeat/hosts'); - - describe('@serverless @ess role_based_rule_exceptions_workflows', () => { - before(async () => { - await esArchiver.load(path); - }); - - after(async () => { - await esArchiver.unload(path); - }); - - describe('creating rules with exceptions', () => { - beforeEach(async () => { - await createAlertsIndex(supertest, log); - }); - - afterEach(async () => { - await deleteAllAlerts(supertest, log, es); - await deleteAllRules(supertest, log); - await deleteAllExceptions(supertest, log); - }); - - describe('elastic admin', () => { - it('should create a single rule with a rule_id and add an exception list to the rule', async () => { - const { - body: { id, list_id, namespace_type, type }, - } = await supertest - .post(EXCEPTION_LIST_URL) - .set('kbn-xsrf', 'true') - .send(getCreateExceptionListMinimalSchemaMock()) - .expect(200); - - const ruleWithException: RuleCreateProps = { - ...getSimpleRule(), - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }; - const expectedRule = updateUsername(getSimpleRuleOutput(), ELASTICSEARCH_USERNAME); - const rule = await createRule(supertest, log, ruleWithException); - const expected = { - ...expectedRule, - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }; - const bodyToCompare = removeServerGeneratedProperties(rule); - expect(bodyToCompare).toEqual(expected); - }); - - it('should create a single rule with an exception list and validate it ran successfully', async () => { - const { - body: { id, list_id, namespace_type, type }, - } = await supertest - .post(EXCEPTION_LIST_URL) - .set('kbn-xsrf', 'true') - .send(getCreateExceptionListMinimalSchemaMock()) - .expect(200); - - const ruleWithException: RuleCreateProps = { - ...getSimpleRule(), - enabled: true, - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }; - - const rule = await createRule(supertest, log, ruleWithException); - await waitForRuleSuccess({ supertest, log, id: rule.id }); - const bodyToCompare = removeServerGeneratedProperties(rule); - const expectedRule = updateUsername(getSimpleRuleOutput(), ELASTICSEARCH_USERNAME); - - const expected = { - ...expectedRule, - enabled: true, - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }; - expect(bodyToCompare).toEqual(expected); - }); - - it('@skipInQA should allow removing an exception list from an immutable rule through patch', async () => { - await installMockPrebuiltRules(supertest, es); - - // This rule has an existing exceptions_list that we are going to use - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one exceptions_list - - // remove the exceptions list as a user is allowed to remove it from an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ rule_id: ELASTIC_SECURITY_RULE_ID, exceptions_list: [] }) - .expect(200); - - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRuleSecondTime.exceptions_list.length).toEqual(0); - }); - - it('@skipInQA should allow adding a second exception list to an immutable rule through patch', async () => { - await installMockPrebuiltRules(supertest, es); - - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // This rule has an existing exceptions_list that we are going to use - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - // add a second exceptions list as a user is allowed to add a second list to an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ELASTIC_SECURITY_RULE_ID, - exceptions_list: [ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - expect(immutableRuleSecondTime.exceptions_list.length).toEqual(2); - }); - - it('@skipInQA should override any updates to pre-packaged rules if the user removes the exception list through the API but the new version of a rule has an exception list again', async () => { - await installMockPrebuiltRules(supertest, es); - - // This rule has an existing exceptions_list that we are going to use - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ rule_id: ELASTIC_SECURITY_RULE_ID, exceptions_list: [] }) - .expect(200); - - await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); - await installMockPrebuiltRules(supertest, es); - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - // We should have a length of 1 and it should be the same as our original before we tried to remove it using patch - expect(immutableRuleSecondTime.exceptions_list.length).toEqual(1); - expect(immutableRuleSecondTime.exceptions_list).toEqual(immutableRule.exceptions_list); - }); - - it('@skipInQA should merge back an exceptions_list if it was removed from the immutable rule through PATCH', async () => { - await installMockPrebuiltRules(supertest, es); - - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - // remove the exception list and only have a single list that is not an endpoint_list - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ELASTIC_SECURITY_RULE_ID, - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); - await installMockPrebuiltRules(supertest, es); - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - expect(immutableRuleSecondTime.exceptions_list).toEqual([ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ]); - }); - - it('@skipInQA should NOT add an extra exceptions_list that already exists on a rule during an upgrade', async () => { - await installMockPrebuiltRules(supertest, es); - - // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); - await installMockPrebuiltRules(supertest, es); - - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - // The installed rule should have both the original immutable exceptions list back and the - // new list the user added. - expect(immutableRuleSecondTime.exceptions_list).toEqual([ - ...immutableRule.exceptions_list, - ]); - }); - - it('@skipInQA should NOT allow updates to pre-packaged rules to overwrite existing exception based rules when the user adds an additional exception list', async () => { - await installMockPrebuiltRules(supertest, es); - - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // This rule has an existing exceptions_list that we are going to ensure does not stomp on our existing rule - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - // add a second exceptions list as a user is allowed to add a second list to an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ELASTIC_SECURITY_RULE_ID, - exceptions_list: [ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - await downgradeImmutableRule(es, log, ELASTIC_SECURITY_RULE_ID); - await installMockPrebuiltRules(supertest, es); - const immutableRuleSecondTime = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - - // It should be the same as what the user added originally - expect(immutableRuleSecondTime.exceptions_list).toEqual([ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ]); - }); - - it('@skipInQA should not remove any exceptions added to a pre-packaged/immutable rule during an update if that rule has no existing exception lists', async () => { - await installMockPrebuiltRules(supertest, es); - - // Create a new exception list - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // Find a rule without exceptions_list - const ruleWithoutExceptionList = SAMPLE_PREBUILT_RULES.find( - (rule) => !rule['security-rule'].exceptions_list - ); - const ruleId = ruleWithoutExceptionList?.['security-rule'].rule_id; - if (!ruleId) { - throw new Error('Cannot find a rule without exceptions_list in the sample data'); - } - - const immutableRule = await fetchRule(supertest, { ruleId }); - expect(immutableRule.exceptions_list.length).toEqual(0); // make sure we have no exceptions_list - - // add a second exceptions list as a user is allowed to add a second list to an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ruleId, - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - await downgradeImmutableRule(es, log, ruleId); - await installMockPrebuiltRules(supertest, es); - const immutableRuleSecondTime = await fetchRule(supertest, { ruleId }); - - expect(immutableRuleSecondTime.exceptions_list).toEqual([ - { - id, - list_id, - namespace_type, - type, - }, - ]); - }); - - it('@skipInQA should not change the immutable tags when adding a second exception list to an immutable rule through patch', async () => { - await installMockPrebuiltRules(supertest, es); - - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // This rule has an existing exceptions_list that we are going to use - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - // add a second exceptions list as a user is allowed to add a second list to an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ELASTIC_SECURITY_RULE_ID, - exceptions_list: [ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - const body = await findImmutableRuleById(supertest, log, ELASTIC_SECURITY_RULE_ID); - expect(body.data.length).toEqual(1); // should have only one length to the data set, otherwise we have duplicates or the tags were removed and that is incredibly bad. - - const bodyToCompare = removeServerGeneratedProperties(body.data[0]); - expect(bodyToCompare.rule_id).toEqual(immutableRule.rule_id); // Rule id should not change with a a patch - expect(bodyToCompare.immutable).toEqual(immutableRule.immutable); // Immutable should always stay the same which is true and never flip to false. - expect(bodyToCompare.version).toEqual(immutableRule.version); // The version should never update on a patch - }); - - it('@skipInQA should not change count of prepacked rules when adding a second exception list to an immutable rule through patch. If this fails, suspect the immutable tags are not staying on the rule correctly.', async () => { - await installMockPrebuiltRules(supertest, es); - - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - // This rule has an existing exceptions_list that we are going to use - const immutableRule = await fetchRule(supertest, { - ruleId: ELASTIC_SECURITY_RULE_ID, - }); - expect(immutableRule.exceptions_list.length).toBeGreaterThan(0); // make sure we have at least one - - // add a second exceptions list as a user is allowed to add a second list to an immutable rule - await supertest - .patch(DETECTION_ENGINE_RULES_URL) - .set('kbn-xsrf', 'true') - .set('elastic-api-version', '2023-10-31') - .send({ - rule_id: ELASTIC_SECURITY_RULE_ID, - exceptions_list: [ - ...immutableRule.exceptions_list, - { - id, - list_id, - namespace_type, - type, - }, - ], - }) - .expect(200); - - const status = await getPrebuiltRulesAndTimelinesStatus(es, supertest); - expect(status.rules_not_installed).toEqual(0); - }); - }); - - describe('@brokenInServerless t1_analyst', () => { - const role = ROLES.t1_analyst; - - beforeEach(async () => { - await createUserAndRole(getService, role); - }); - - afterEach(async () => { - await deleteUserAndRole(getService, role); - }); - - it('should NOT be able to create an exception list', async () => { - await supertestWithoutAuth - .post(EXCEPTION_LIST_ITEM_URL) - .auth(role, 'changeme') - .set('kbn-xsrf', 'true') - .send(getCreateExceptionListItemMinimalSchemaMock()) - .expect(403); - }); - - it('should NOT be able to create an exception list item', async () => { - await supertestWithoutAuth - .post(EXCEPTION_LIST_ITEM_URL) - .auth(role, 'changeme') - .set('kbn-xsrf', 'true') - .send(getCreateExceptionListItemMinimalSchemaMock()) - .expect(403); - }); - }); - - // FLAKY: https://github.com/elastic/kibana/issues/169664 - describe.skip('tests with auditbeat data', () => { - before(async () => { - await esArchiver.load(path); - }); - - after(async () => { - await esArchiver.unload(path); - }); - - beforeEach(async () => { - await createAlertsIndex(supertest, log); - }); - - afterEach(async () => { - await deleteAllAlerts(supertest, log, es); - await deleteAllRules(supertest, log); - await deleteAllExceptions(supertest, log); - }); - - it('should be able to execute against an exception list that does not include valid entries and get back 10 alerts', async () => { - const { id, list_id, namespace_type, type } = await createExceptionList( - supertest, - log, - getCreateExceptionListMinimalSchemaMock() - ); - - const exceptionListItem: CreateExceptionListItemSchema = { - ...getCreateExceptionListItemMinimalSchemaMock(), - entries: [ - { - field: 'some.none.existent.field', // non-existent field where we should not exclude anything - operator: 'included', - type: 'match', - value: 'some value', - }, - ], - }; - await createExceptionListItem(supertest, log, exceptionListItem); - - const ruleWithException: RuleCreateProps = { - name: 'Simple Rule Query', - description: 'Simple Rule Query', - enabled: true, - risk_score: 1, - rule_id: 'rule-1', - severity: 'high', - index: ['auditbeat-*'], - type: 'query', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "suricata-sensor-amsterdam"', - exceptions_list: [ - { - id, - list_id, - namespace_type, - type, - }, - ], - }; - const { id: createdId } = await createRule(supertest, log, ruleWithException); - await waitForRuleSuccess({ supertest, log, id: createdId }); - await waitForAlertsToBePresent(supertest, log, 10, [createdId]); - const alertsOpen = await getAlertsByIds(supertest, log, [createdId]); - expect(alertsOpen.hits.hits.length).toEqual(10); - }); - - it('should be able to execute against an exception list that does include valid entries and get back 0 alerts', async () => { - const rule: QueryRuleCreateProps = { - name: 'Simple Rule Query', - description: 'Simple Rule Query', - enabled: true, - risk_score: 1, - rule_id: 'rule-1', - severity: 'high', - index: ['auditbeat-*'], - type: 'query', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "suricata-sensor-amsterdam"', - }; - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', // This matches the query above which will exclude everything - operator: 'included', - type: 'match', - value: 'suricata-sensor-amsterdam', - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('should be able to execute against an exception list that does include valid case sensitive entries and get back 0 alerts', async () => { - const rule: QueryRuleCreateProps = { - name: 'Simple Rule Query', - description: 'Simple Rule Query', - enabled: true, - risk_score: 1, - rule_id: 'rule-1', - severity: 'high', - index: ['auditbeat-*'], - type: 'query', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "suricata-sensor-amsterdam"', - }; - const rule2: QueryRuleCreateProps = { - name: 'Simple Rule Query', - description: 'Simple Rule Query', - enabled: true, - risk_score: 1, - rule_id: 'rule-2', - severity: 'high', - index: ['auditbeat-*'], - type: 'query', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "suricata-sensor-amsterdam"', - }; - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.os.name', - operator: 'included', - type: 'match_any', - value: ['ubuntu'], - }, - ], - ]); - const createdRule2 = await createRuleWithExceptionEntries(supertest, log, rule2, [ - [ - { - field: 'host.os.name', // This matches the query above which will exclude everything - operator: 'included', - type: 'match_any', - value: ['ubuntu', 'Ubuntu'], - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - const alertsOpen2 = await getOpenAlerts(supertest, log, es, createdRule2); - // Expect alerts here because all values are "Ubuntu" - // and exception is one of ["ubuntu"] - expect(alertsOpen.hits.hits.length).toEqual(10); - // Expect no alerts here because all values are "Ubuntu" - // and exception is one of ["ubuntu", "Ubuntu"] - expect(alertsOpen2.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when an exception is added for an EQL rule', async () => { - const rule: EqlRuleCreateProps = { - ...getEqlRuleForAlertTesting(['auditbeat-*']), - query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"', - }; - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.id', - operator: 'included', - type: 'match', - value: '8cc95778cce5407c809480e8e32ad76b', - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when an exception is added for a threshold rule', async () => { - const rule: ThresholdRuleCreateProps = { - ...getThresholdRuleForAlertTesting(['auditbeat-*']), - threshold: { - field: 'host.id', - value: 700, - }, - }; - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.id', - operator: 'included', - type: 'match', - value: '8cc95778cce5407c809480e8e32ad76b', - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when an exception is added for a threat match rule', async () => { - const rule: ThreatMatchRuleCreateProps = { - description: 'Detecting root and admin users', - name: 'Query with a rule id', - severity: 'high', - index: ['auditbeat-*'], - type: 'threat_match', - risk_score: 55, - language: 'kuery', - rule_id: 'rule-1', - from: '1900-01-01T00:00:00.000Z', - query: '*:*', - threat_query: 'source.ip: "188.166.120.93"', // narrow things down with a query to a specific source ip - threat_index: ['auditbeat-*'], // We use auditbeat as both the matching index and the threat list for simplicity - threat_mapping: [ - // We match host.name against host.name - { - entries: [ - { - field: 'host.name', - value: 'host.name', - type: 'mapping', - }, - ], - }, - ], - threat_filters: [], - }; - - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'source.ip', - operator: 'included', - type: 'match', - value: '188.166.120.93', - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - describe('rules with value list exceptions', () => { - beforeEach(async () => { - await createListsIndex(supertest, log); - }); - - afterEach(async () => { - await deleteListsIndex(supertest, log); - }); - - it('generates no alerts when a value list exception is added for a query rule', async () => { - const valueListId = 'value-list-id.txt'; - await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId); - const rule: QueryRuleCreateProps = { - name: 'Simple Rule Query', - description: 'Simple Rule Query', - enabled: true, - risk_score: 1, - rule_id: 'rule-1', - severity: 'high', - index: ['auditbeat-*'], - type: 'query', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "suricata-sensor-amsterdam"', - }; - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', - operator: 'included', - type: 'list', - list: { - id: valueListId, - type: 'keyword', - }, - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when a value list exception is added for a threat match rule', async () => { - const valueListId = 'value-list-id.txt'; - await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); - const rule: ThreatMatchRuleCreateProps = { - description: 'Detecting root and admin users', - name: 'Query with a rule id', - severity: 'high', - index: ['auditbeat-*'], - type: 'threat_match', - risk_score: 55, - language: 'kuery', - rule_id: 'rule-1', - from: '1900-01-01T00:00:00.000Z', - query: '*:*', - threat_query: 'source.ip: "188.166.120.93"', // narrow things down with a query to a specific source ip - threat_index: ['auditbeat-*'], // We use auditbeat as both the matching index and the threat list for simplicity - threat_mapping: [ - // We match host.name against host.name - { - entries: [ - { - field: 'host.name', - value: 'host.name', - type: 'mapping', - }, - ], - }, - ], - threat_filters: [], - }; - - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', - operator: 'included', - type: 'list', - list: { - id: valueListId, - type: 'keyword', - }, - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when a value list exception is added for a threshold rule', async () => { - const valueListId = 'value-list-id.txt'; - await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); - const rule: ThresholdRuleCreateProps = { - description: 'Detecting root and admin users', - name: 'Query with a rule id', - severity: 'high', - index: ['auditbeat-*'], - type: 'threshold', - risk_score: 55, - language: 'kuery', - rule_id: 'rule-1', - from: '1900-01-01T00:00:00.000Z', - query: 'host.name: "zeek-sensor-amsterdam"', - threshold: { - field: 'host.name', - value: 1, - }, - }; - - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', - operator: 'included', - type: 'list', - list: { - id: valueListId, - type: 'keyword', - }, - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - - it('generates no alerts when a value list exception is added for an EQL rule', async () => { - const valueListId = 'value-list-id.txt'; - await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); - const rule: EqlRuleCreateProps = { - ...getEqlRuleForAlertTesting(['auditbeat-*']), - query: 'configuration where host.name=="zeek-sensor-amsterdam"', - }; - - const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', - operator: 'included', - type: 'list', - list: { - id: valueListId, - type: 'keyword', - }, - }, - ], - ]); - const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); - expect(alertsOpen.hits.hits.length).toEqual(0); - }); - it('should Not allow deleting value list when there are references and ignoreReferences is false', async () => { - const valueListId = 'value-list-id.txt'; - await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId); - const rule: QueryRuleCreateProps = { - ...getSimpleRule(), - query: 'host.name: "suricata-sensor-amsterdam"', - }; - await createRuleWithExceptionEntries(supertest, log, rule, [ - [ - { - field: 'host.name', - operator: 'included', - type: 'list', - list: { - id: valueListId, - type: 'keyword', - }, - }, - ], - ]); - - const deleteReferences = false; - const ignoreReferences = false; - - // Delete the value list - await supertest - .delete( - `${LIST_URL}?deleteReferences=${deleteReferences}&id=${valueListId}&ignoreReferences=${ignoreReferences}` - ) - .set('kbn-xsrf', 'true') - .send() - .expect(409); - }); - }); - }); - }); - }); -}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts new file mode 100644 index 0000000000000..4c24d025ce76f --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/rule_exceptions_execution.ts @@ -0,0 +1,479 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable @typescript-eslint/naming-convention */ + +import expect from 'expect'; +import type { CreateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; +import { LIST_URL } from '@kbn/securitysolution-list-constants'; +import type { + RuleCreateProps, + EqlRuleCreateProps, + QueryRuleCreateProps, + ThreatMatchRuleCreateProps, + ThresholdRuleCreateProps, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; +import { getCreateExceptionListItemMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_item_schema.mock'; +import { getCreateExceptionListMinimalSchemaMock } from '@kbn/lists-plugin/common/schemas/request/create_exception_list_schema.mock'; + +import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder'; +import { + getSimpleRule, + createExceptionList, + createExceptionListItem, + getThresholdRuleForAlertTesting, + getOpenAlerts, + createRuleWithExceptionEntries, + getEqlRuleForAlertTesting, +} from '../../../../utils'; +import { + createAlertsIndex, + createRule, + deleteAllRules, + waitForRuleSuccess, + waitForAlertsToBePresent, + getAlertsByIds, + deleteAllAlerts, +} from '../../../../../../../common/utils/security_solution'; +import { + createListsIndex, + deleteAllExceptions, + deleteListsIndex, + importFile, +} from '../../../../../lists_and_exception_lists/utils'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const log = getService('log'); + const es = getService('es'); + // TODO: add a new service for loading archiver files similar to "getService('es')" + const config = getService('config'); + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const path = dataPathBuilder.getPath('auditbeat/hosts'); + + describe('@serverless @ess rule exceptions execution', () => { + before(async () => { + await esArchiver.load(path); + }); + + after(async () => { + await esArchiver.unload(path); + }); + + describe('creating rules with exceptions', () => { + beforeEach(async () => { + await createAlertsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + await deleteAllExceptions(supertest, log); + }); + + it('should be able to execute against an exception list that does not include valid entries and get back 10 alerts', async () => { + const { id, list_id, namespace_type, type } = await createExceptionList( + supertest, + log, + getCreateExceptionListMinimalSchemaMock() + ); + + const exceptionListItem: CreateExceptionListItemSchema = { + ...getCreateExceptionListItemMinimalSchemaMock(), + entries: [ + { + field: 'some.none.existent.field', // non-existent field where we should not exclude anything + operator: 'included', + type: 'match', + value: 'some value', + }, + ], + }; + await createExceptionListItem(supertest, log, exceptionListItem); + + const ruleWithException: RuleCreateProps = { + name: 'Simple Rule Query', + description: 'Simple Rule Query', + enabled: true, + risk_score: 1, + rule_id: 'rule-1', + severity: 'high', + index: ['auditbeat-*'], + type: 'query', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "suricata-sensor-amsterdam"', + exceptions_list: [ + { + id, + list_id, + namespace_type, + type, + }, + ], + }; + const { id: createdId } = await createRule(supertest, log, ruleWithException); + await waitForRuleSuccess({ supertest, log, id: createdId }); + await waitForAlertsToBePresent(supertest, log, 10, [createdId]); + const alertsOpen = await getAlertsByIds(supertest, log, [createdId]); + expect(alertsOpen.hits.hits.length).toEqual(10); + }); + + it('should be able to execute against an exception list that does include valid entries and get back 0 alerts', async () => { + const rule: QueryRuleCreateProps = { + name: 'Simple Rule Query', + description: 'Simple Rule Query', + enabled: true, + risk_score: 1, + rule_id: 'rule-1', + severity: 'high', + index: ['auditbeat-*'], + type: 'query', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "suricata-sensor-amsterdam"', + }; + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', // This matches the query above which will exclude everything + operator: 'included', + type: 'match', + value: 'suricata-sensor-amsterdam', + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('should be able to execute against an exception list that does include valid case sensitive entries and get back 0 alerts', async () => { + const rule: QueryRuleCreateProps = { + name: 'Simple Rule Query', + description: 'Simple Rule Query', + enabled: true, + risk_score: 1, + rule_id: 'rule-1', + severity: 'high', + index: ['auditbeat-*'], + type: 'query', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "suricata-sensor-amsterdam"', + }; + const rule2: QueryRuleCreateProps = { + name: 'Simple Rule Query', + description: 'Simple Rule Query', + enabled: true, + risk_score: 1, + rule_id: 'rule-2', + severity: 'high', + index: ['auditbeat-*'], + type: 'query', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "suricata-sensor-amsterdam"', + }; + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.os.name', + operator: 'included', + type: 'match_any', + value: ['ubuntu'], + }, + ], + ]); + const createdRule2 = await createRuleWithExceptionEntries(supertest, log, rule2, [ + [ + { + field: 'host.os.name', // This matches the query above which will exclude everything + operator: 'included', + type: 'match_any', + value: ['ubuntu', 'Ubuntu'], + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + const alertsOpen2 = await getOpenAlerts(supertest, log, es, createdRule2); + // Expect alerts here because all values are "Ubuntu" + // and exception is one of ["ubuntu"] + expect(alertsOpen.hits.hits.length).toEqual(10); + // Expect no alerts here because all values are "Ubuntu" + // and exception is one of ["ubuntu", "Ubuntu"] + expect(alertsOpen2.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when an exception is added for an EQL rule', async () => { + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['auditbeat-*']), + query: 'configuration where agent.id=="a1d7b39c-f898-4dbe-a761-efb61939302d"', + }; + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.id', + operator: 'included', + type: 'match', + value: '8cc95778cce5407c809480e8e32ad76b', + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when an exception is added for a threshold rule', async () => { + const rule: ThresholdRuleCreateProps = { + ...getThresholdRuleForAlertTesting(['auditbeat-*']), + threshold: { + field: 'host.id', + value: 700, + }, + }; + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.id', + operator: 'included', + type: 'match', + value: '8cc95778cce5407c809480e8e32ad76b', + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when an exception is added for a threat match rule', async () => { + const rule: ThreatMatchRuleCreateProps = { + description: 'Detecting root and admin users', + name: 'Query with a rule id', + severity: 'high', + index: ['auditbeat-*'], + type: 'threat_match', + risk_score: 55, + language: 'kuery', + rule_id: 'rule-1', + from: '1900-01-01T00:00:00.000Z', + query: '*:*', + threat_query: 'source.ip: "188.166.120.93"', // narrow things down with a query to a specific source ip + threat_index: ['auditbeat-*'], // We use auditbeat as both the matching index and the threat list for simplicity + threat_mapping: [ + // We match host.name against host.name + { + entries: [ + { + field: 'host.name', + value: 'host.name', + type: 'mapping', + }, + ], + }, + ], + threat_filters: [], + }; + + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'source.ip', + operator: 'included', + type: 'match', + value: '188.166.120.93', + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + describe('rules with value list exceptions', () => { + beforeEach(async () => { + await createListsIndex(supertest, log); + }); + + afterEach(async () => { + await deleteListsIndex(supertest, log); + }); + + it('generates no alerts when a value list exception is added for a query rule', async () => { + const valueListId = 'value-list-id.txt'; + await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId); + const rule: QueryRuleCreateProps = { + name: 'Simple Rule Query', + description: 'Simple Rule Query', + enabled: true, + risk_score: 1, + rule_id: 'rule-1', + severity: 'high', + index: ['auditbeat-*'], + type: 'query', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "suricata-sensor-amsterdam"', + }; + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', + operator: 'included', + type: 'list', + list: { + id: valueListId, + type: 'keyword', + }, + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when a value list exception is added for a threat match rule', async () => { + const valueListId = 'value-list-id.txt'; + await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); + const rule: ThreatMatchRuleCreateProps = { + description: 'Detecting root and admin users', + name: 'Query with a rule id', + severity: 'high', + index: ['auditbeat-*'], + type: 'threat_match', + risk_score: 55, + language: 'kuery', + rule_id: 'rule-1', + from: '1900-01-01T00:00:00.000Z', + query: '*:*', + threat_query: 'source.ip: "188.166.120.93"', // narrow things down with a query to a specific source ip + threat_index: ['auditbeat-*'], // We use auditbeat as both the matching index and the threat list for simplicity + threat_mapping: [ + // We match host.name against host.name + { + entries: [ + { + field: 'host.name', + value: 'host.name', + type: 'mapping', + }, + ], + }, + ], + threat_filters: [], + }; + + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', + operator: 'included', + type: 'list', + list: { + id: valueListId, + type: 'keyword', + }, + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when a value list exception is added for a threshold rule', async () => { + const valueListId = 'value-list-id.txt'; + await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); + const rule: ThresholdRuleCreateProps = { + description: 'Detecting root and admin users', + name: 'Query with a rule id', + severity: 'high', + index: ['auditbeat-*'], + type: 'threshold', + risk_score: 55, + language: 'kuery', + rule_id: 'rule-1', + from: '1900-01-01T00:00:00.000Z', + query: 'host.name: "zeek-sensor-amsterdam"', + threshold: { + field: 'host.name', + value: 1, + }, + }; + + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', + operator: 'included', + type: 'list', + list: { + id: valueListId, + type: 'keyword', + }, + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + + it('generates no alerts when a value list exception is added for an EQL rule', async () => { + const valueListId = 'value-list-id.txt'; + await importFile(supertest, log, 'keyword', ['zeek-sensor-amsterdam'], valueListId); + const rule: EqlRuleCreateProps = { + ...getEqlRuleForAlertTesting(['auditbeat-*']), + query: 'configuration where host.name=="zeek-sensor-amsterdam"', + }; + + const createdRule = await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', + operator: 'included', + type: 'list', + list: { + id: valueListId, + type: 'keyword', + }, + }, + ], + ]); + const alertsOpen = await getOpenAlerts(supertest, log, es, createdRule); + expect(alertsOpen.hits.hits.length).toEqual(0); + }); + it('should Not allow deleting value list when there are references and ignoreReferences is false', async () => { + const valueListId = 'value-list-id.txt'; + await importFile(supertest, log, 'keyword', ['suricata-sensor-amsterdam'], valueListId); + const rule: QueryRuleCreateProps = { + ...getSimpleRule(), + query: 'host.name: "suricata-sensor-amsterdam"', + }; + await createRuleWithExceptionEntries(supertest, log, rule, [ + [ + { + field: 'host.name', + operator: 'included', + type: 'list', + list: { + id: valueListId, + type: 'keyword', + }, + }, + ], + ]); + + const deleteReferences = false; + const ignoreReferences = false; + + // Delete the value list + await supertest + .delete( + `${LIST_URL}?deleteReferences=${deleteReferences}&id=${valueListId}&ignoreReferences=${ignoreReferences}` + ) + .set('kbn-xsrf', 'true') + .send() + .expect(409); + }); + }); + }); + }); +}; From 17f0bf907e1203a79fce720ae1811698d09b5557 Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Fri, 29 Mar 2024 14:07:53 -0700 Subject: [PATCH 3/4] cleanup --- .../api_integration/api-integration-tests.sh | 2 -- .../basic_license_essentials_tier/create_rule_exceptions_ess.ts | 1 - 2 files changed, 3 deletions(-) diff --git a/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh b/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh index 64ac782a8c488..f87df9cb58bac 100755 --- a/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh +++ b/.buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh @@ -90,8 +90,6 @@ FORMATTED_KB_URL="${KB_URL/https:\/\//}" # This is used in order to wait for the environment to be ready. sleep 150 -echo "uername: $USERNAME" - TEST_CLOUD=1 TEST_ES_URL="https://$USERNAME:$PASSWORD@$FORMATTED_ES_URL:443" TEST_KIBANA_URL="https://$USERNAME:$PASSWORD@$FORMATTED_KB_URL:443" yarn run $1 cmd_status=$? echo "Exit code with status: $cmd_status" diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts index bdc487504e6cc..d69573bc03385 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts @@ -43,7 +43,6 @@ export default ({ getService }: FtrProviderContext) => { const log = getService('log'); const es = getService('es'); const config = getService('config'); - const ELASTICSEARCH_USERNAME = config.get('servers.kibana.username'); describe('@ess create rule exception routes, ESS specific logic', () => { before(async () => { From c4727eb01188fa9a5ced815c120b781aacb5899d Mon Sep 17 00:00:00 2001 From: Yara Tercero Date: Tue, 2 Apr 2024 09:07:18 -0700 Subject: [PATCH 4/4] removing unused variable --- .../basic_license_essentials_tier/create_rule_exceptions_ess.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts index d69573bc03385..9406964106170 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/exceptions/workflows/basic_license_essentials_tier/create_rule_exceptions_ess.ts @@ -42,7 +42,6 @@ export default ({ getService }: FtrProviderContext) => { const supertest = getService('supertest'); const log = getService('log'); const es = getService('es'); - const config = getService('config'); describe('@ess create rule exception routes, ESS specific logic', () => { before(async () => {