Add tests validating enrichment behavior for ML suppression
This was requested during review of elastic#181926, and I'm circling back to
that now.
rylnd committed Jul 12, 2024
1 parent a5fcf4d commit d5aa551
Showing 1 changed file with 61 additions and 1 deletion.
Expand Up @@ -22,7 +22,10 @@ import {
TIMESTAMP,
} from '@kbn/rule-data-utils';
import { ALERT_ORIGINAL_TIME } from '@kbn/security-solution-plugin/common/field_maps/field_names';
import { DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL } from '@kbn/security-solution-plugin/common/constants';
import {
DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL,
ENABLE_ASSET_CRITICALITY_SETTING,
} from '@kbn/security-solution-plugin/common/constants';
import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder';
import { FtrProviderContext } from '../../../../../../ftr_provider_context';
import {
Expand Down Expand Up @@ -1102,6 +1105,63 @@ export default ({ getService }: FtrProviderContext) => {
});
});
});

describe('with enrichments', () => {
const kibanaServer = getService('kibanaServer');

before(async () => {
await esArchiver.load('x-pack/test/functional/es_archives/entity/risks');
await esArchiver.load('x-pack/test/functional/es_archives/asset_criticality');
await kibanaServer.uiSettings.update({
[ENABLE_ASSET_CRITICALITY_SETTING]: true,
});
});

after(async () => {
await esArchiver.unload('x-pack/test/functional/es_archives/entity/risks');
await esArchiver.unload('x-pack/test/functional/es_archives/asset_criticality');
});

beforeEach(async () => {
const timestamp = new Date().toISOString();
const anomalyWithKnownEntities = {
...baseAnomaly,
timestamp,
user: { name: 'root' },
host: { name: 'zeek-newyork-sha-aa8df15' },
};
await indexListOfDocuments([anomalyWithKnownEntities]);

ruleProps = {
...baseRuleProps,
from: timestamp,
alert_suppression: {
group_by: ['host.name'],
missing_fields_strategy: 'suppress',
},
};
});

it('should be enriched with host risk score', async () => {
const { previewId } = await previewRule({ supertest, rule: ruleProps });
const previewAlerts = await getPreviewAlerts({ es, previewId });
expect(previewAlerts).toHaveLength(1);
const alertSource = previewAlerts[0]._source;

expect(alertSource?.host?.risk?.calculated_level).toBe('Low');
expect(alertSource?.host?.risk?.calculated_score_norm).toBe(23);
});

it('should be enriched alert with criticality_level', async () => {
const { previewId } = await previewRule({ supertest, rule: ruleProps });
const previewAlerts = await getPreviewAlerts({ es, previewId });
expect(previewAlerts).toHaveLength(1);
const fullAlert = previewAlerts[0]._source;

expect(fullAlert?.['host.asset.criticality']).toBe('medium_impact');
expect(fullAlert?.['user.asset.criticality']).toBe('extreme_impact');
});
});
});
});
};
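Review bot: The `after` hook in the new `with enrichments` block unloads both es archives but never reverts the `ENABLE_ASSET_CRITICALITY_SETTING` that `before` switched on, so the advanced setting stays enabled for every suite that runs later in the same FTR config and can change their enrichment results. Add `await kibanaServer.uiSettings.update({ [ENABLE_ASSET_CRITICALITY_SETTING]: false });` to the `after` hook (or the equivalent unset call if this file already uses one elsewhere) so the setting is restored to the value the suite found. Separately, each test indexes a single anomaly, so with `missing_fields_strategy: 'suppress'` and one document the assertions would pass identically for an unsuppressed rule; if the intent is to cover the suppressed path, index two anomalies sharing `host.name` and also assert the suppression doc count on the single preview alert, provided that field constant is imported at the top of the file, which is outside this hunk. The enclosing `describe` these tests are nested in starts outside the hunk.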
