From 4a9d472825234e265786306c77fef93d79cdaca6 Mon Sep 17 00:00:00 2001
From: Amardeepsingh Siglani <amardeep7194@gmail.com>
Date: Tue, 19 Mar 2024 16:44:22 -0700
Subject: [PATCH] [Security analytics][2.x] Updated tests 2.13 release (#1159)

* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

* fixed findings tests

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>

---------

Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>
(cherry picked from commit 55f08ef8bd3b17bec89198db0336a4c0a9f435c3)
---
 .../sample_aws_s3_rule_to_import.yml          | 26 ++++++++++++
 .../1_detectors.spec.js                       | 42 +++++++++++++++++++
 .../2_rules.spec.js                           | 12 ++++++
 .../4_findings.spec.js                        | 23 ++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml

diff --git a/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml
new file mode 100644
index 000000000..ff1950c33
--- /dev/null
+++ b/cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml
@@ -0,0 +1,26 @@
+title: Moriya Rootkit
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+description: Detects the use of Moriya rootkit as described in the securelist Operation TunnelSnake report
+status: experimental
+author: Bhabesh Raj
+date: 2021/05/06
+modified: 2021/11/30
+references:
+    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1543.003
+logsource:
+    product: d3
+    category: s3
+    service: azure
+detection:
+    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 2100
+        ServiceName: ZzNetSvc
+    condition: selection
+level: critical
+falsepositives:
+    - Unknown
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
index bb2244e46..2480490ac 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js
@@ -549,6 +549,48 @@ describe('Detectors', () => {
       validateFieldMappingsTable('rules are changed');
     });
 
+    it('...can be stopped and started back from detectors list action menu', () => {
+      cy.wait(1000);
+      cy.get('tbody > tr')
+        .first()
+        .within(() => {
+          cy.get('[class="euiCheckbox__input"]').click({ force: true });
+        });
+
+      // Waiting for Actions menu button to be enabled
+      cy.wait(1000);
+
+      setupIntercept(
+        cy,
+        `${NODE_API.DETECTORS_BASE}/_search`,
+        'detectorsSearch'
+      );
+
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+      cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+      cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+      // Need this extra wait time for the Actions button to become enabled again
+      cy.wait(2000);
+
+      setupIntercept(
+        cy,
+        `${NODE_API.DETECTORS_BASE}/_search`,
+        'detectorsSearch'
+      );
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Start');
+      cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+      cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+      // Need this extra wait time for the Actions button to become enabled again
+      cy.wait(2000);
+
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+    });
+
     it('...can be deleted', () => {
       setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getSigmaRules');
       openDetectorDetails(detectorName);
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
index 0288cb077..3c82cbc9f 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js
@@ -155,6 +155,9 @@ const checkRulesFlyout = () => {
 };
 
 const getCreateButton = () => cy.get('[data-test-subj="create_rule_button"]');
+const getImportButton = () => cy.get('[data-test-subj="import_rule_button"]');
+const getImportRuleFilePicker = () =>
+  cy.get('[data-test-subj="import_rule_file_picker"]');
 const getNameField = () => cy.sa_getFieldByLabel('Rule name');
 const getRuleStatusField = () => cy.sa_getFieldByLabel('Rule Status');
 const getDescriptionField = () =>
@@ -634,6 +637,15 @@ describe('Rules', () => {
       checkRulesFlyout();
     });
 
+    it('...can be imported with log type', () => {
+      getImportButton().click({ force: true });
+      getImportRuleFilePicker().selectFile(
+        './cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml'
+      );
+      // Check that AWS S3 log type is set.
+      cy.contains('AWS S3');
+    });
+
     it('...can be deleted', () => {
       setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getRules', 'POST');
 
diff --git a/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js b/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
index c8d458992..b557a7517 100644
--- a/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
+++ b/cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js
@@ -152,5 +152,28 @@ describe('Findings', () => {
     });
   });
 
+  it('shows document not found warning when the document is empty', () => {
+    cy.deleteIndex(indexName);
+    cy.reload();
+
+    // Wait for page to load
+    cy.sa_waitForPageLoad('findings', {
+      contains: 'Findings',
+    });
+
+    // filter table to show only sample_detector findings
+    cy.get(`input[placeholder="Search findings"]`).sa_ospSearch(indexName);
+
+    // open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.
+    cy.sa_getTableFirstRow('[data-test-subj="view-details-icon"]').then(
+      ($el) => {
+        cy.get($el).click({ force: true });
+      }
+    );
+
+    // Flyout should show 'Document not found' warning
+    cy.contains('Document not found');
+  });
+
   after(() => cy.sa_cleanUpTests());
 });