
[Security Solution] [Detections] Improves Cypress EQL test #79014

Merged: 2 commits merged Oct 2, 2020

Conversation

@MadameSheema (Member) commented Sep 30, 2020

Summary

Improves the current EQL Cypress test in order to also check that the created rule can generate alerts.

@MadameSheema (Member, Author) commented:

@elasticmachine merge upstream

@kibanamachine (Contributor) commented:

💚 Build Succeeded

Metrics: ✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@MadameSheema MadameSheema changed the title [Security Solution] Improves eql test [Security Solution] [Detections] Improves Cypress EQL test Oct 1, 2020
@MadameSheema MadameSheema self-assigned this Oct 1, 2020
@MadameSheema MadameSheema added the labels release_note:skip (Skip the PR/issue when compiling release notes), Team:Detections and Resp (Security Detection Response Team), Team:SIEM, v7.10.0 and v8.0.0 on Oct 1, 2020
@MadameSheema MadameSheema marked this pull request as ready for review October 1, 2020 12:31
@MadameSheema MadameSheema requested review from a team as code owners October 1, 2020 12:31
@elasticmachine (Contributor) commented:

Pinging @elastic/siem (Team:SIEM)

@rylnd (Contributor) left a review comment:

@MadameSheema this looks great, thank you!

@@ -215,7 +215,7 @@ export const machineLearningRule: MachineLearningRule = {
};

export const eqlRule: CustomRule = {
customQuery: 'process where process_name == "explorer.exe"',
customQuery: 'any where process.name == "which"',
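Review bot: replacing `process where ...` with `any where process.name == "which"` removes the event category filter from the test query, so the test no longer exercises category matching at all; if the Cypress fixture data contains documents with `event.category: process` for the `which` process, `process where process.name == "which"` would keep that coverage while still using the ECS field name, and if the fixture lacks such documents a short comment on this line explaining why `any` is required would stop a later reader from "fixing" it back. The move from the non-ECS `process_name` to the ECS `process.name` is the right direction; a comment pointing at the fixture that contains the `which` events would also make the alert count the test now expects easier to maintain when that data changes.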
@rylnd (Contributor) commented on this line:

This seems indicative of a data issue and it would be nice to test the event.category functionality, but this is a great improvement!

@peluja1012 (Contributor) commented Oct 1, 2020

Thanks for adding this test @MadameSheema! It doesn't have to be included in this PR, but I think it would be nice to also add a test that verifies that the correct number of signals is generated when an EQL query that has a sequence statement returns multiple sequences. For example, if the following query returns 2 sequences, we should expect 2 signals:

sequence with maxspan=30s
   [process where process.name == "smss.exe"]
   [process where process.name == "python3.5"]
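
One way to derive the expected signal count for the sequence test suggested above, as an added TypeScript example that is not Kibana's code and not part of this PR: a simplified sequence matcher run over constructed events. It assumes simplified sequence semantics (events are walked in timestamp order, each event joins at most one sequence, and maxspan is measured from the first stage's event), which is an assumption rather than a description of the Elasticsearch EQL engine, and it generalizes the two-stage query in the comment to any number of stages. The `countSequences` and `expectedSignalCount` functions and the sample documents are constructed for this illustration; `process.name` and `event.category` are the ECS field names used in the query.

```typescript
// Added example, not Kibana code: a simplified EQL-style sequence matcher used
// to compute the number of signals a sequence rule should produce.
// Semantics are an assumption: events are walked in timestamp order, each event
// joins at most one sequence, and maxspan is measured from the first event.

interface SecurityEvent {
  '@timestamp': string;            // ISO 8601 timestamp
  event: { category: string };     // ECS event.category
  process: { name: string };       // ECS process.name
}

// One `[category where process.name == "..."]` stage of the sequence.
interface Stage {
  category: string;   // "any" matches every category, like EQL's `any where`
  processName: string;
}

function matches(e: SecurityEvent, stage: Stage): boolean {
  const categoryOk = stage.category === 'any' || e.event.category === stage.category;
  return categoryOk && e.process.name === stage.processName;
}

// Count complete sequences; each complete sequence corresponds to one signal.
function countSequences(events: SecurityEvent[], stages: Stage[], maxspanMs: number): number {
  const sorted = [...events].sort(
    (a, b) => Date.parse(a['@timestamp']) - Date.parse(b['@timestamp'])
  );
  const used = new Set<number>();
  let sequences = 0;

  for (let i = 0; i < sorted.length; i++) {
    if (used.has(i) || !matches(sorted[i], stages[0])) continue;
    const start = Date.parse(sorted[i]['@timestamp']);
    const members = [i];
    let next = 1;
    for (let j = i + 1; j < sorted.length && next < stages.length; j++) {
      if (used.has(j)) continue;
      // Every later stage must fall within maxspan of the first event.
      if (Date.parse(sorted[j]['@timestamp']) - start > maxspanMs) break;
      if (matches(sorted[j], stages[next])) {
        members.push(j);
        next++;
      }
    }
    if (next === stages.length) {
      members.forEach((m) => used.add(m));
      sequences++;
    }
  }
  return sequences;
}

// The query from the comment above:
//   sequence with maxspan=30s
//     [process where process.name == "smss.exe"]
//     [process where process.name == "python3.5"]
const sequenceStages: Stage[] = [
  { category: 'process', processName: 'smss.exe' },
  { category: 'process', processName: 'python3.5' },
];
const MAXSPAN_MS = 30_000;

function ev(ts: string, category: string, name: string): SecurityEvent {
  return { '@timestamp': ts, event: { category }, process: { name } };
}

// Constructed sample data: two complete sequences, one pair that exceeds
// maxspan, and a non-process event that must not satisfy a `process where` stage.
const sampleEvents: SecurityEvent[] = [
  ev('2020-10-01T10:00:00Z', 'process', 'smss.exe'),
  ev('2020-10-01T10:00:05Z', 'process', 'python3.5'), // sequence 1 (5s)
  ev('2020-10-01T10:01:00Z', 'process', 'smss.exe'),
  ev('2020-10-01T10:01:20Z', 'process', 'python3.5'), // sequence 2 (20s)
  ev('2020-10-01T10:02:00Z', 'process', 'smss.exe'),
  ev('2020-10-01T10:02:10Z', 'network', 'python3.5'), // wrong category, ignored
  ev('2020-10-01T10:03:00Z', 'process', 'python3.5'), // 60s after smss.exe: outside maxspan
];

// Number of signals the rule should generate for the sample data.
function expectedSignalCount(): number {
  return countSequences(sampleEvents, sequenceStages, MAXSPAN_MS);
}

console.log(`expected signals: ${expectedSignalCount()}`); // 2
```

In a Cypress test the same documents would live in a fixture loaded before the rule runs, and the assertion would be on the number of signals shown in the UI after the rule executes; the matcher here only shows how to compute that expected number independently of the rule engine, so a mismatch points at the rule or the data rather than at the test's arithmetic.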

@MadameSheema MadameSheema merged commit b01140f into elastic:master Oct 2, 2020
@MadameSheema MadameSheema deleted the improves-eql-test branch October 2, 2020 11:52
MadameSheema added a commit to MadameSheema/kibana that referenced this pull request Oct 2, 2020
Co-authored-by: Elastic Machine <[email protected]>
MadameSheema added a commit that referenced this pull request Oct 2, 2020
Co-authored-by: Elastic Machine <[email protected]>
@MindyRS MindyRS added the Team: SecuritySolution label (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.) Sep 23, 2021
@elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels: release_note:skip (Skip the PR/issue when compiling release notes), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM, v7.10.0, v8.0.0
6 participants