[Backport 2.x] Added additional security analytics and updated alerti…

…ng cypress tests for 2.7 release. (#639) (#640)

* Resolving conflicts from cherry-picking PR 622.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Resolved lint errors.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Removed outdated test file.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Reduced flakiness in notifications tests.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Reduced flakiness in security analytics tests.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Fixed lint errors.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

---------

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
(cherry picked from commit a1a56fc)

Co-authored-by: AWSHurneyt <hurneyt@amazon.com>

cypress/fixtures/plugins/alerting-dashboards-plugin/sample_alerts_flyout_bucket_level_monitor.json

@@ -121,13 +121,7 @@
       "groupBy": ["customer_gender", "user"],
       "bucketValue": 10,
       "bucketUnitOfTime": "d",
-      "where": {
-        "fieldName": [],
-        "fieldRangeEnd": 0,
-        "fieldRangeStart": 0,
-        "fieldValue": "",
-        "operator": "is"
-      }
+      "filters": []
     },
     "monitor_type": "bucket_level_monitor"
   }

cypress/fixtures/plugins/alerting-dashboards-plugin/sample_alerts_flyout_query_level_monitor.json

@@ -88,13 +88,7 @@
       "groupBy": ["user"],
       "bucketValue": 10,
       "bucketUnitOfTime": "d",
-      "where": {
-        "fieldName": [],
-        "fieldRangeEnd": 0,
-        "fieldRangeStart": 0,
-        "fieldValue": "",
-        "operator": "is"
-      }
+      "filters": []
     },
     "monitor_type": "query_level_monitor"
   }

cypress/fixtures/plugins/alerting-dashboards-plugin/sample_cluster_metrics_monitor.json

@@ -51,13 +51,7 @@
       "groupBy": [],
       "bucketValue": 1,
       "bucketUnitOfTime": "h",
-      "where": {
-        "fieldName": [],
-        "fieldRangeEnd": 0,
-        "fieldRangeStart": 0,
-        "fieldValue": "",
-        "operator": "is"
-      }
+      "filters": []
     },
     "monitor_type": "cluster_metrics_monitor"
   }

cypress/fixtures/plugins/alerting-dashboards-plugin/sample_document_level_monitor.json

@@ -0,0 +1,113 @@
+{
+  "type": "monitor",
+  "monitor_type": "doc_level_monitor",
+  "name": "sample_document_level_monitor",
+  "enabled": true,
+  "createdBy": "chip",
+  "schedule": {
+    "period": {
+      "interval": 1,
+      "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "doc_level_input": {
+        "description": "windows-powershell",
+        "indices": ["document-level-monitor-test-index"],
+        "queries": [
+          {
+            "id": "sigma-123",
+            "name": "sigma-123",
+            "query": "region:\"us-west-2\"",
+            "tags": ["MITRE:8500"]
+          },
+          {
+            "id": "sigma-456",
+            "name": "sigma-456",
+            "query": "region:\"us-east-1\"",
+            "tags": ["MITRE:8600"]
+          },
+          {
+            "id": "sigma-789",
+            "name": "sigma-789",
+            "query": "message:\"This is an error from IAD region\"",
+            "tags": ["MITRE:8700"]
+          }
+        ]
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "document_level_trigger": {
+        "name": "sample_trigger",
+        "severity": "1",
+        "condition": {
+          "script": {
+            "source": "query[name=sigma-123] || query[name=sigma-456] || query[name=sigma-789]",
+            "lang": "painless"
+          }
+        },
+        "actions": []
+      }
+    }
+  ],
+  "ui_metadata": {
+    "schedule": {
+      "timezone": null,
+      "frequency": "interval",
+      "period": {
+        "interval": 1,
+        "unit": "MINUTES"
+      },
+      "daily": 0,
+      "weekly": {
+        "mon": false,
+        "tue": false,
+        "wed": false,
+        "thur": false,
+        "fri": false,
+        "sat": false,
+        "sun": false
+      },
+      "monthly": {
+        "type": "day",
+        "day": 1
+      },
+      "cronExpression": "0 */1 * * *"
+    },
+    "monitor_type": "doc_level_monitor",
+    "doc_level_input": {
+      "queries": [
+        {
+          "id": "sigma-123",
+          "queryName": "sigma-123",
+          "field": "region",
+          "operator": "==",
+          "query": "us-west-2",
+          "tags": ["MITRE:8500"]
+        },
+        {
+          "id": "sigma-456",
+          "queryName": "sigma-456",
+          "field": "region",
+          "operator": "==",
+          "query": "us-east-1",
+          "tags": ["MITRE:8600"]
+        },
+        {
+          "id": "sigma-789",
+          "queryName": "sigma-789",
+          "field": "message",
+          "operator": "==",
+          "query": "This is an error from IAD region",
+          "tags": ["MITRE:8700"]
+        }
+      ]
+    },
+    "search": {
+      "searchType": "graph"
+    }
+  }
+}

cypress/fixtures/plugins/alerting-dashboards-plugin/sample_visual_editor_bucket_level_monitor.json

@@ -102,13 +102,7 @@
       "timeField": "order_date",
       "groupedOverTop": 5,
       "bucketUnitOfTime": "h",
-      "where": {
-        "fieldName": [],
-        "fieldRangeEnd": 0,
-        "fieldRangeStart": 0,
-        "fieldValue": "",
-        "operator": "is"
-      },
+      "filters": [],
       "groupBy": ["user"],
       "aggregations": [
         {

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_data.json

@@ -0,0 +1,57 @@
+{
+  "type": "detector",
+  "detector_type": "dns",
+  "name": "Cypress DNS Detector",
+  "enabled": true,
+  "createdBy": "",
+  "schedule": {
+    "period": {
+      "interval": 1,
+      "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "detector_input": {
+        "description": "Detects DNS names.",
+        "indices": ["cypress-index-dns"],
+        "pre_packaged_rules": [],
+        "custom_rules": [
+          {
+            "id": "25b9c01c-350d-4b95-bed1-836d04a4f325"
+          }
+        ]
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "name": "DNS name alert",
+      "sev_levels": ["low"],
+      "tags": ["dns.low"],
+      "actions": [
+        {
+          "id": "",
+          "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+          "destination_id": "",
+          "subject_template": {
+            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+            "lang": "mustache"
+          },
+          "message_template": {
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: Cypress DNS Detector\nDescription: Detects DNS names.\nDetector data sources:\n\tdns",
+            "lang": "mustache"
+          },
+          "throttle_enabled": false,
+          "throttle": {
+            "value": 10,
+            "unit": "MINUTES"
+          }
+        }
+      ],
+      "types": ["dns"],
+      "severity": "1",
+      "ids": ["R1ng94QBbw8UQ2Cvqe6h"]
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_mappings_data.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "dns-answers-type": {
+      "type": "alias",
+      "path": "DnsAnswerType"
+    },
+    "dns-question-name": {
+      "type": "alias",
+      "path": "DnsQuestionName"
+    },
+    "dns-question-registered_domain": {
+      "type": "alias",
+      "path": "DnsQuestionRegisteredDomain"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_data.json

@@ -0,0 +1,57 @@
+{
+  "type": "detector",
+  "detector_type": "windows",
+  "name": "Cypress USB Detector",
+  "enabled": true,
+  "createdBy": "",
+  "schedule": {
+    "period": {
+      "interval": 1,
+      "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "detector_input": {
+        "description": "Detect USB plugged in.",
+        "indices": ["cypress-index-windows"],
+        "pre_packaged_rules": [],
+        "custom_rules": [
+          {
+            "id": "25b9c01c-350d-4b95-bed1-836d04a4f324"
+          }
+        ]
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "name": "USB plugged in alert",
+      "sev_levels": ["low"],
+      "tags": ["windows.usb"],
+      "actions": [
+        {
+          "id": "",
+          "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
+          "destination_id": "",
+          "subject_template": {
+            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
+            "lang": "mustache"
+          },
+          "message_template": {
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: USB Detector\nDescription: Detect USB plugged in.\nDetector data sources:\n\twindows",
+            "lang": "mustache"
+          },
+          "throttle_enabled": false,
+          "throttle": {
+            "value": 10,
+            "unit": "MINUTES"
+          }
+        }
+      ],
+      "types": ["windows"],
+      "severity": "1",
+      "ids": ["25b9c01c-350d-4b95-bed1-836d04a4f123"]
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_mappings_data.json

@@ -0,0 +1,28 @@
+{
+  "properties": {
+    "event_uid": {
+      "type": "alias",
+      "path": "EventID"
+    },
+    "windows-event_data-CommandLine": {
+      "type": "alias",
+      "path": "CommandLine"
+    },
+    "windows-hostname": {
+      "type": "alias",
+      "path": "HostName"
+    },
+    "windows-message": {
+      "type": "alias",
+      "path": "Message"
+    },
+    "windows-provider-name": {
+      "type": "alias",
+      "path": "Provider_Name"
+    },
+    "windows-servicename": {
+      "type": "alias",
+      "path": "ServiceName"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/add_dns_index_data.json

@@ -0,0 +1,5 @@
+{
+  "DnsAnswerType": "QWE",
+  "DnsQuestionRegisteredDomain": "EC2AMAZ-EPWO7HKA",
+  "DnsQuestionName": "QWE"
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/add_windows_index_data.json

@@ -0,0 +1,39 @@
+{
+  "EventTime": "2020-02-04T14:59:39.343541+00:00",
+  "HostName": "EC2AMAZ-EPO7HKA",
+  "Keywords": "9223372036854775808",
+  "SeverityValue": 2,
+  "Severity": "ERROR",
+  "EventID": 2003,
+  "SourceName": "Microsoft-Windows-Sysmon",
+  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
+  "Version": 5,
+  "TaskValue": 22,
+  "OpcodeValue": 0,
+  "RecordNumber": 9532,
+  "ExecutionProcessID": 1996,
+  "ExecutionThreadID": 2616,
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "Domain": "NT AUTHORITY",
+  "AccountName": "SYSTEM",
+  "UserID": "S-1-5-18",
+  "AccountType": "User",
+  "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
+  "Category": "Dns query (rule: DnsQuery)",
+  "Opcode": "Info",
+  "UtcTime": "2020-02-04 14:59:38.349",
+  "ProcessGuid": "{b3c285a4-3cda-5dc0-0000-001077270b00}",
+  "ProcessId": "1904",
+  "QueryName": "EC2AMAZ-EPO7HKA",
+  "QueryStatus": "0",
+  "QueryResults": "172.31.46.38;",
+  "Image": "C:\\Program Files\\nxlog\\regsvr32.exe",
+  "EventReceivedTime": "2020-02-04T14:59:40.780905+00:00",
+  "SourceModuleName": "in",
+  "SourceModuleType": "im_msvistalog",
+  "CommandLine": "eachtest",
+  "Initiated": "true",
+  "Provider_Name": "Service_ws_Control_ws_Manager",
+  "TargetObject": "\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security",
+  "EventType": "SetValue"
+}