Skip to content

Commit

Permalink
[Security analytics][2.x] Updated tests 2.13 release (#1159) (#1160)
Browse files Browse the repository at this point in the history
* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

* fixed findings tests

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

---------

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>
(cherry picked from commit 55f08ef)

Co-authored-by: Amardeepsingh Siglani <amardeep7194@gmail.com>
  • Loading branch information
opensearch-trigger-bot[bot] and amsiglan authored May 9, 2024
1 parent 1348ec1 commit 16b6c03
Show file tree
Hide file tree
Showing 4 changed files with 103 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
logsource:
product: d3
category: s3
service: azure
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 2100
ServiceName: ZzNetSvc
condition: selection
level: critical
falsepositives:
- Unknown
Original file line number Diff line number Diff line change
Expand Up @@ -549,6 +549,48 @@ describe('Detectors', () => {
validateFieldMappingsTable('rules are changed');
});

it('...can be stopped and started back from detectors list action menu', () => {
cy.wait(1000);
cy.get('tbody > tr')
.first()
.within(() => {
cy.get('[class="euiCheckbox__input"]').click({ force: true });
});

// Waiting for Actions menu button to be enabled
cy.wait(1000);

setupIntercept(
cy,
`${NODE_API.DETECTORS_BASE}/_search`,
'detectorsSearch'
);

cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });

cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
// Need this extra wait time for the Actions button to become enabled again
cy.wait(2000);

setupIntercept(
cy,
`${NODE_API.DETECTORS_BASE}/_search`,
'detectorsSearch'
);
cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Start');
cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });

cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
// Need this extra wait time for the Actions button to become enabled again
cy.wait(2000);

cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
});

it('...can be deleted', () => {
setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getSigmaRules');
openDetectorDetails(detectorName);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,9 @@ const checkRulesFlyout = () => {
};

const getCreateButton = () => cy.get('[data-test-subj="create_rule_button"]');
const getImportButton = () => cy.get('[data-test-subj="import_rule_button"]');
const getImportRuleFilePicker = () =>
cy.get('[data-test-subj="import_rule_file_picker"]');
const getNameField = () => cy.sa_getFieldByLabel('Rule name');
const getRuleStatusField = () => cy.sa_getFieldByLabel('Rule Status');
const getDescriptionField = () =>
Expand Down Expand Up @@ -631,6 +634,15 @@ describe('Rules', () => {
checkRulesFlyout();
});

it('...can be imported with log type', () => {
getImportButton().click({ force: true });
getImportRuleFilePicker().selectFile(
'./cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml'
);
// Check that AWS S3 log type is set.
cy.contains('AWS S3');
});

it('...can be deleted', () => {
setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getRules', 'POST');

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -152,5 +152,28 @@ describe('Findings', () => {
});
});

it('shows document not found warning when the document is empty', () => {
cy.deleteIndex(indexName);
cy.reload();

// Wait for page to load
cy.sa_waitForPageLoad('findings', {
contains: 'Findings',
});

// filter table to show only sample_detector findings
cy.get(`input[placeholder="Search findings"]`).sa_ospSearch(indexName);

// open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.
cy.sa_getTableFirstRow('[data-test-subj="view-details-icon"]').then(
($el) => {
cy.get($el).click({ force: true });
}
);

// Flyout should show 'Document not found' warning
cy.contains('Document not found');
});

after(() => cy.sa_cleanUpTests());
});

0 comments on commit 16b6c03

Please sign in to comment.