From 2955b7ca24d55afde924d4c4673b3ce4d291da9d Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 4 Jun 2021 15:52:21 -0600
Subject: [PATCH 1/4] Adds alias test and failure case where we do not copy alias data into ECS compatible fields
---
 .../security_and_spaces/tests/aliases.ts | 69 +++++++++++++++++++
 .../security_and_spaces/tests/index.ts | 1 +
 .../security_solution/alias/data.json | 59 ++++++++++++++++
 .../security_solution/alias/mappings.json | 36 ++++++++++
 4 files changed, 165 insertions(+)
 create mode 100644 x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alias/data.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alias/mappings.json
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
new file mode 100644
index 0000000000000..9e0986993b28e
--- /dev/null
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+ EqlCreateSchema,
+ ThresholdCreateSchema,
+} from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
+
+import { FtrProviderContext } from '../../common/ftr_provider_context';
+import {
+ createRule,
+ createSignalsIndex,
+ deleteAllAlerts,
+ deleteSignalsIndex,
+ getRuleForSignalTesting,
+ getSignalsById,
+ waitForRuleSuccessOrStatus,
+ waitForSignalsToBePresent,
+} from '../../utils';
+
+// eslint-disable-next-line import/no-default-export
+export default ({ getService }: FtrProviderContext) => {
+ const supertest = getService('supertest');
+ const esArchiver = getService('esArchiver');
+
+ interface EventModule {
+ module: string;
+ dataset: string;
+ }
+
+ describe('Tests involving aliases of source indexes and the signals index', () => {
+ beforeEach(async () => {
+ await createSignalsIndex(supertest);
+ await esArchiver.load('security_solution/alias');
+ });
+
+ afterEach(async () => {
+ await deleteSignalsIndex(supertest);
+ await deleteAllAlerts(supertest);
+ await esArchiver.unload('security_solution/alias');
+ });
+
+ it('Should keep the original alias value such as "host_alias" from a source index even if that value is not indexed', async () => {
+ const rule = getRuleForSignalTesting(['alias']);
+ const { id } = await createRule(supertest, rule);
+ await waitForRuleSuccessOrStatus(supertest, id);
+ await waitForSignalsToBePresent(supertest, 4, [id]);
+ const signalsOpen = await getSignalsById(supertest, id);
+ const hits = signalsOpen.hits.hits.map((signal) => signal._source.host_alias.name);
+ expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']);
+ });
+
+ // TODO: Make aliases work to where we can have ECS fields such as host.name filled out
+ it.skip('Should copy alias data from a source index into the signals index in the same position if the target is ECS compatible', async () => {
+ const rule = getRuleForSignalTesting(['alias']);
+ const { id } = await createRule(supertest, rule);
+ await waitForRuleSuccessOrStatus(supertest, id);
+ await waitForSignalsToBePresent(supertest, 4, [id]);
+ const signalsOpen = await getSignalsById(supertest, id);
+ const hits = signalsOpen.hits.hits.map((signal) => signal._source.host.name);
+ expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']);
+ });
+ });
+};
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts
index 5756b02c238ae..9947c42ecd650 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/index.ts
@@ -13,6 +13,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
 describe('', function () {
 this.tags('ciGroup11');
+ loadTestFile(require.resolve('./aliases'));
 loadTestFile(require.resolve('./add_actions'));
 loadTestFile(require.resolve('./update_actions'));
 loadTestFile(require.resolve('./add_prepackaged_rules'));
diff --git a/x-pack/test/functional/es_archives/security_solution/alias/data.json b/x-pack/test/functional/es_archives/security_solution/alias/data.json
new file mode 100644
index 0000000000000..a8bd64cb044eb
--- /dev/null
+++ b/x-pack/test/functional/es_archives/security_solution/alias/data.json
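Review bot: Both `expect(hits).to.eql([...])` assertions in the new aliases.ts rely on `getSignalsById` returning the four signals in document order; unless that helper applies an explicit sort (not visible here), a match-all search gives no ordering guarantee and the comparison can fail intermittently. Comparing order-insensitively keeps the check just as strict, e.g. `expect([...hits].sort()).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']);`. The same two lines are rewritten again in patch 4 (`@@ -46,7 +45,9 @@` and `@@ -57,7 +58,7 @@`) and would need the same treatment there.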
@@ -0,0 +1,59 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "1",
+ "index": "alias",
+ "source": {
+ "@timestamp": "2020-10-28T05:00:53.000Z",
+ "host_alias": {
+ "name": "host name 1"
+ }
+ },
+ "type": "_doc"
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "2",
+ "index": "alias",
+ "source": {
+ "@timestamp": "2020-10-28T05:01:53.000Z",
+ "host_alias": {
+ "name": "host name 2"
+ }
+ },
+ "type": "_doc"
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "3",
+ "index": "alias",
+ "source": {
+ "@timestamp": "2020-10-28T05:02:53.000Z",
+ "host_alias": {
+ "name": "host name 3"
+ }
+ },
+ "type": "_doc"
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "4",
+ "index": "alias",
+ "source": {
+ "@timestamp": "2020-10-28T05:03:53.000Z",
+ "host_alias": {
+ "name": "host name 4"
+ }
+ },
+ "type": "_doc"
+ }
+}
diff --git a/x-pack/test/functional/es_archives/security_solution/alias/mappings.json b/x-pack/test/functional/es_archives/security_solution/alias/mappings.json
new file mode 100644
index 0000000000000..280ec9377df64
--- /dev/null
+++ b/x-pack/test/functional/es_archives/security_solution/alias/mappings.json
@@ -0,0 +1,36 @@
+{
+ "type": "index",
+ "value": {
+ "index": "host_alias",
+ "mappings": {
+ "dynamic": "strict",
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "host": {
+ "properties": {
+ "name": {
+ "type": "alias",
+ "path": "host_alias.name"
+ }
+ }
+ },
+ "host_alias": {
+ "properties": {
+ "name": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "settings": {
+ "index": {
+ "refresh_interval": "1s",
+ "number_of_replicas": "1",
+ "number_of_shards": "1"
+ }
+ }
+ }
+}
From 05b8268e8cded848c8bec9dae6bdba87d5f12408 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 4 Jun 2021 15:53:45 -0600
Subject: [PATCH 2/4] Removes unused code
---
 .../security_and_spaces/tests/aliases.ts | 5 -----
 1 file changed, 5 deletions(-)
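Review bot: The index created by mappings.json is named `host_alias`, while every document in data.json and the rule under test (`getRuleForSignalTesting(['alias'])`) target the index `alias`; if esArchiver creates indices from the `index` value in mappings.json, the `alias` index is auto-created with a dynamic mapping and never receives the `host.name` alias or the `"dynamic": "strict"` setting, so the skipped ECS test cannot exercise the alias path once it is enabled. Aligning the names in mappings.json, `"index": "alias",`, would make the fixture match the test. Alternatively the data records could target `host_alias`, but the rule's index list would then need the same change.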
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
index 9e0986993b28e..68fc789b6f8e6 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
@@ -28,11 +28,6 @@ export default ({ getService }: FtrProviderContext) => {
 const supertest = getService('supertest');
 const esArchiver = getService('esArchiver');
- interface EventModule {
- module: string;
- dataset: string;
- }
-
 describe('Tests involving aliases of source indexes and the signals index', () => {
 beforeEach(async () => {
 await createSignalsIndex(supertest);
From 79250f134a6c4a47d1f59e6a78b69458c2ab84b8 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 4 Jun 2021 16:00:17 -0600
Subject: [PATCH 3/4] Updated wording
---
 .../security_and_spaces/tests/aliases.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
index 68fc789b6f8e6..56fcf2fbbb2e5 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
@@ -40,7 +40,7 @@ export default ({ getService }: FtrProviderContext) => {
 await esArchiver.unload('security_solution/alias');
 });
- it('Should keep the original alias value such as "host_alias" from a source index even if that value is not indexed', async () => {
+ it('Should keep the original alias value such as "host_alias" from a source index when the value is indexed', async () => {
 const rule = getRuleForSignalTesting(['alias']);
 const { id } = await createRule(supertest, rule);
 await waitForRuleSuccessOrStatus(supertest, id);
@@ -51,7 +51,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 // TODO: Make aliases work to where we can have ECS fields such as host.name filled out
- it.skip('Should copy alias data from a source index into the signals index in the same position if the target is ECS compatible', async () => {
+ it.skip('Should copy alias data from a source index into the signals index in the same position when the target is ECS compatible', async () => {
 const rule = getRuleForSignalTesting(['alias']);
 const { id } = await createRule(supertest, rule);
 await waitForRuleSuccessOrStatus(supertest, id);
From 8a876c2cebaebac1225dc29fbcb8ea525d0ff686 Mon Sep 17 00:00:00 2001
From: FrankHassanabad
Date: Fri, 4 Jun 2021 18:52:49 -0600
Subject: [PATCH 4/4] Fixed typing issues
---
 .../security_and_spaces/tests/aliases.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
index 56fcf2fbbb2e5..d21253199d733 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/aliases.ts
@@ -6,10 +6,6 @@ */
 import expect from '@kbn/expect';
-import {
- EqlCreateSchema,
- ThresholdCreateSchema,
-} from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import {
@@ -27,6 +23,9 @@ import {
 export default ({ getService }: FtrProviderContext) => {
 const supertest = getService('supertest');
 const esArchiver = getService('esArchiver');
+ interface HostAlias {
+ name: string;
+ }
 describe('Tests involving aliases of source indexes and the signals index', () => {
 beforeEach(async () => {
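Review bot: `interface HostAlias` in `@@ -27,6 +23,9 @@` is declared inside the exported provider function body rather than at module scope next to the imports, which is where a reader looks for type declarations and where `interface HostAlias { name: string; }` would also be reachable by any sibling helper later. The same shape is then used for `signal._source.host`, which is the ECS host object rather than the alias, so a neutral name such as `Named` (or an inline `{ name: string }`) would avoid implying the signal's `host` is the alias field. The enclosing provider function continues outside this hunk.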
@@ -46,7 +45,9 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForRuleSuccessOrStatus(supertest, id);
 await waitForSignalsToBePresent(supertest, 4, [id]);
 const signalsOpen = await getSignalsById(supertest, id);
- const hits = signalsOpen.hits.hits.map((signal) => signal._source.host_alias.name);
+ const hits = signalsOpen.hits.hits.map(
+ (signal) => (signal._source.host_alias as HostAlias).name
+ );
 expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']);
 });
@@ -57,7 +58,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForRuleSuccessOrStatus(supertest, id);
 await waitForSignalsToBePresent(supertest, 4, [id]);
 const signalsOpen = await getSignalsById(supertest, id);
- const hits = signalsOpen.hits.hits.map((signal) => signal._source.host.name);
+ const hits = signalsOpen.hits.hits.map((signal) => (signal._source.host as HostAlias).name);
 expect(hits).to.eql(['host name 1', 'host name 2', 'host name 3', 'host name 4']);
 });
 });
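Review bot: `(signal._source.host_alias as HostAlias).name` in `@@ -46,7 +45,9 @@` (and `(signal._source.host as HostAlias).name` in `@@ -57,7 +58,7 @@`) is an unchecked assertion, so a signal whose `_source` lacks that object makes the test die with a TypeError inside `map` instead of producing a readable `expect` diff. Narrowing to an optional value keeps the failure informative: `(signal) => (signal._source.host_alias as HostAlias | undefined)?.name` (and likewise for `host`), after which `eql` reports the `undefined` entries against the expected names. The `it` callbacks containing both lines start outside their hunks.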