diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml
new file mode 100644
index 000000000..ff1950c33
--- /dev/null
+++ b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml
@@ -0,0 +1,26 @@
+title: Moriya Rootkit
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+description: Detects the use of Moriya rootkit as described in the securelist Operation TunnelSnake report
+status: experimental
+author: Bhabesh Raj
+date: 2021/05/06
+modified: 2021/11/30
+references:
+  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+tags:
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1543.003
+logsource:
+  product: d3
+  category: s3
+  service: azure
+detection:
+  selection:
+    Provider_Name: 'Service Control Manager'
+    EventID: 2100
+    ServiceName: ZzNetSvc
+  condition: selection
+level: critical
+falsepositives:
+  - Unknown
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
index bb2244e46..2480490ac 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
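Review bot: The fixture's `logsource` block (`product: d3`, `category: s3`, `service: azure`) does not describe one log source, and the `detection` block matches Windows Service Control Manager fields (`Provider_Name: 'Service Control Manager'`, `EventID`, `ServiceName`), while the filename and the new 2_rules.spec.js test expect the import to resolve to 'AWS S3'. Presumably the importer keys its log-type detection off one of the logsource values, but which one is not evident from the file, so a reader cannot tell which values are load-bearing and which are filler. A leading comment such as `# Cypress fixture for the rule-import test in 2_rules.spec.js; expected to resolve to the AWS S3 log type` would make the fixture's purpose clear.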
@@ -549,6 +549,48 @@ describe('Detectors', () => {
     validateFieldMappingsTable('rules are changed');
   });
 
+  it('...can be stopped and started back from detectors list action menu', () => {
+    cy.wait(1000);
+    cy.get('tbody > tr')
+      .first()
+      .within(() => {
+        cy.get('[class="euiCheckbox__input"]').click({ force: true });
+      });
+
+    // Waiting for Actions menu button to be enabled
+    cy.wait(1000);
+
+    setupIntercept(
+      cy,
+      `${NODE_API.DETECTORS_BASE}/_search`,
+      'detectorsSearch'
+    );
+
+    cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+    cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+    cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+    cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+    // Need this extra wait time for the Actions button to become enabled again
+    cy.wait(2000);
+
+    setupIntercept(
+      cy,
+      `${NODE_API.DETECTORS_BASE}/_search`,
+      'detectorsSearch'
+    );
+    cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+    cy.get('[data-test-subj="toggleDetectorButton').contains('Start');
+    cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+    cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+    // Need this extra wait time for the Actions button to become enabled again
+    cy.wait(2000);
+
+    cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+    cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+  });
+
   it('...can be deleted', () => {
     setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getSigmaRules');
     openDetectorDetails(detectorName);
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
index 5692176e5..95a80b606 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
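Review bot: Every `cy.get('[data-test-subj="detectorsActionsButton')` and `cy.get('[data-test-subj="toggleDetectorButton')` call in the new test leaves the attribute selector unterminated — the closing `"]` is missing — so these queries presumably only resolve because the browser's selector parser tolerates end-of-input inside a bracket; the corrected form is `cy.get('[data-test-subj="detectorsActionsButton"]')` (likewise for `toggleDetectorButton`), matching the closed selector `'[class="euiCheckbox__input"]'` a few lines above. The fixed `cy.wait(1000)` / `cy.wait(2000)` pauses before clicking the Actions button encode a timing assumption; an assertion such as `cy.get('[data-test-subj="detectorsActionsButton"]').should('not.be.disabled')` states the intent and retries instead of sleeping. The enclosing describe('Detectors') block starts and ends outside this hunk.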
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
@@ -155,6 +155,9 @@ const checkRulesFlyout = () => {
 };
 const getCreateButton = () => cy.get('[data-test-subj="create_rule_button"]');
+const getImportButton = () => cy.get('[data-test-subj="import_rule_button"]');
+const getImportRuleFilePicker = () =>
+  cy.get('[data-test-subj="import_rule_file_picker"]');
 const getNameField = () => cy.sa_getFieldByLabel('Rule name');
 const getRuleStatusField = () => cy.sa_getFieldByLabel('Rule Status');
 const getDescriptionField = () =>
@@ -631,6 +634,15 @@ describe('Rules', () => {
     checkRulesFlyout();
   });
 
+  it('...can be imported with log type', () => {
+    getImportButton().click({ force: true });
+    getImportRuleFilePicker().selectFile(
+      './cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml'
+    );
+    // Check that AWS S3 log type is set.
+    cy.contains('AWS S3');
+  });
+
   it('...can be deleted', () => {
     setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getRules', 'POST');
 
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
index c8d458992..b557a7517 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
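Review bot: `cy.contains('AWS S3')` in '...can be imported with log type' is not scoped to the import form, so it passes whenever that text appears anywhere on the page (a log-type dropdown listing every type, a rule already in the table), which does not prove the log type was derived from the uploaded fixture. Scoping the assertion to the form's log-type control — for example through the `cy.sa_getFieldByLabel` helper this file already uses for other fields, if the form labels that control — would pin the behaviour; the label text itself is not visible in this hunk. Since the fixture's logsource mixes `product: d3`, `category: s3` and `service: azure`, the comment `// Check that AWS S3 log type is set.` would be more useful if it named which of those values the importer maps to AWS S3. The enclosing describe('Rules') block starts and ends outside this hunk.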
@@ -152,5 +152,28 @@ describe('Findings', () => {
     });
   });
 
+  it('shows document not found warning when the document is empty', () => {
+    cy.deleteIndex(indexName);
+    cy.reload();
+
+    // Wait for page to load
+    cy.sa_waitForPageLoad('findings', {
+      contains: 'Findings',
+    });
+
+    // filter table to show only sample_detector findings
+    cy.get(`input[placeholder="Search findings"]`).sa_ospSearch(indexName);
+
+    // open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.
+    cy.sa_getTableFirstRow('[data-test-subj="view-details-icon"]').then(
+      ($el) => {
+        cy.get($el).click({ force: true });
+      }
+    );
+
+    // Flyout should show 'Document not found' warning
+    cy.contains('Document not found');
+  });
+
   after(() => cy.sa_cleanUpTests());
 });
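Review bot: The comment `// open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.` refers to a `cy.wait` that this test does not contain, so it reads as copied from another test and should be trimmed to `// open the Finding details flyout via the view-details icon`. The test title says 'when the document is empty' but the setup deletes the whole index with `cy.deleteIndex(indexName)`; the title should describe the condition actually created (the backing index is gone) or the setup should match the title. `cy.get($el)` inside the `.then` callback is handed a jQuery element, where `cy.wrap($el).click({ force: true })` is the documented form — worth confirming against the project's Cypress version. Because deleting the index is destructive for any test that follows it in this spec, it should remain the last `it` before `after(...)`; the enclosing describe('Findings') block starts outside this hunk.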