[Backport 2.x] Added additional security analytics and updated alerti…
…ng cypress tests for 2.7 release. (#639) (#640) * Resolving conflicts from cherry-picking PR 622. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> * Resolved lint errors. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> * Removed outdated test file. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> * Reduced flakiness in notifications tests. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> * Reduced flakiness in security analytics tests. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> * Fixed lint errors. Signed-off-by: AWSHurneyt <hurneyt@amazon.com> --------- Signed-off-by: AWSHurneyt <hurneyt@amazon.com> (cherry picked from commit a1a56fc) Co-authored-by: AWSHurneyt <hurneyt@amazon.com>
1 parent
96b83f2
commit 7408f70
Showing
46 changed files
with
3,545 additions
and
664 deletions.
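--- /dev/null
+++ b/cypress/fixtures/plugins/alerting-dashboards-plugin/sample_document_level_monitor.json
@@ -0,0 +1,113 @@
+{
+"type": "monitor",
+"monitor_type": "doc_level_monitor",
+"name": "sample_document_level_monitor",
+"enabled": true,
+"createdBy": "chip",
+"schedule": {
+"period": {
+"interval": 1,
+"unit": "MINUTES"
+}
+},
+"inputs": [
+{
+"doc_level_input": {
+"description": "windows-powershell",
+"indices": ["document-level-monitor-test-index"],
+"queries": [
+{
+"id": "sigma-123",
+"name": "sigma-123",
+"query": "region:\"us-west-2\"",
+"tags": ["MITRE:8500"]
+},
+{
+"id": "sigma-456",
+"name": "sigma-456",
+"query": "region:\"us-east-1\"",
+"tags": ["MITRE:8600"]
+},
+{
+"id": "sigma-789",
+"name": "sigma-789",
+"query": "message:\"This is an error from IAD region\"",
+"tags": ["MITRE:8700"]
+}
+]
+}
+}
+],
+"triggers": [
+{
+"document_level_trigger": {
+"name": "sample_trigger",
+"severity": "1",
+"condition": {
+"script": {
+"source": "query[name=sigma-123] || query[name=sigma-456] || query[name=sigma-789]",
+"lang": "painless"
+}
+},
+"actions": []
+}
+}
+],
+"ui_metadata": {
+"schedule": {
+"timezone": null,
+"frequency": "interval",
+"period": {
+"interval": 1,
+"unit": "MINUTES"
+},
+"daily": 0,
+"weekly": {
+"mon": false,
+"tue": false,
+"wed": false,
+"thur": false,
+"fri": false,
+"sat": false,
+"sun": false
+},
+"monthly": {
+"type": "day",
+"day": 1
+},
+"cronExpression": "0 */1 * * *"
+},
+"monitor_type": "doc_level_monitor",
+"doc_level_input": {
+"queries": [
+{
+"id": "sigma-123",
+"queryName": "sigma-123",
+"field": "region",
+"operator": "==",
+"query": "us-west-2",
+"tags": ["MITRE:8500"]
+},
+{
+"id": "sigma-456",
+"queryName": "sigma-456",
+"field": "region",
+"operator": "==",
+"query": "us-east-1",
+"tags": ["MITRE:8600"]
+},
+{
+"id": "sigma-789",
+"queryName": "sigma-789",
+"field": "message",
+"operator": "==",
+"query": "This is an error from IAD region",
+"tags": ["MITRE:8700"]
+}
+]
+},
+"search": {
+"searchType": "graph"
+}
+}
+}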
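Review bot: `ui_metadata.schedule.cronExpression` is `"0 */1 * * *"` (top of every hour) while both `schedule.period` and `ui_metadata.schedule.period` say every 1 minute; with `frequency` set to `"interval"` the cron string is presumably never read, but anyone comparing the fixture with what the UI shows will see two different schedules. Consider dropping `cronExpression` if the spec never asserts on it, or aligning it with the period. The same fixture also carries the three queries twice, once as Lucene strings under `inputs[0].doc_level_input.queries` and once as `field`/`operator`/`query` triples under `ui_metadata.doc_level_input.queries`; if a future test edits one list the other drifts silently, so it is worth a sentence in the spec that loads this file stating which copy the assertions rely on.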
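--- /dev/null
+++ b/...rity-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_data.json
@@ -0,0 +1,57 @@
+{
+"type": "detector",
+"detector_type": "dns",
+"name": "Cypress DNS Detector",
+"enabled": true,
+"createdBy": "",
+"schedule": {
+"period": {
+"interval": 1,
+"unit": "MINUTES"
+}
+},
+"inputs": [
+{
+"detector_input": {
+"description": "Detects DNS names.",
+"indices": ["cypress-index-dns"],
+"pre_packaged_rules": [],
+"custom_rules": [
+{
+"id": "25b9c01c-350d-4b95-bed1-836d04a4f325"
+}
+]
+}
+}
+],
+"triggers": [
+{
+"name": "DNS name alert",
+"sev_levels": ["low"],
+"tags": ["dns.low"],
+"actions": [
+{
+"id": "",
+"name": "Triggered alert condition: - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+"destination_id": "",
+"subject_template": {
+"source": "Triggered alert condition: - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+"lang": "mustache"
+},
+"message_template": {
+"source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: Cypress DNS Detector\nDescription: Detects DNS names.\nDetector data sources:\n\tdns",
+"lang": "mustache"
+},
+"throttle_enabled": false,
+"throttle": {
+"value": 10,
+"unit": "MINUTES"
+}
+}
+],
+"types": ["dns"],
+"severity": "1",
+"ids": ["R1ng94QBbw8UQ2Cvqe6h"]
+}
+]
+}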
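Review bot: `triggers[0].ids` pins `"R1ng94QBbw8UQ2Cvqe6h"`, which has the shape of a cluster-generated document id rather than the fixture's own rule id `25b9c01c-350d-4b95-bed1-836d04a4f325` from `custom_rules`; the sibling fixture create_usb_detector_data.json uses a synthetic UUID in the same slot. If the trigger filters on rule ids through this array, the DNS detector would only fire on the cluster where that id happened to be minted, which is exactly the kind of environment coupling the commit message says it is trying to remove. Consider `"ids": ["25b9c01c-350d-4b95-bed1-836d04a4f325"]`, or have the spec fill `ids` in from the create-rule response instead of committing a fixed value. I cannot see the spec that consumes this file, so this is a point to confirm rather than a certain defect.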
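--- /dev/null
+++ b/...ytics-dashboards-plugin/integration_tests/detector/create_dns_detector_mappings_data.json
@@ -0,0 +1,16 @@
+{
+"properties": {
+"dns-answers-type": {
+"type": "alias",
+"path": "DnsAnswerType"
+},
+"dns-question-name": {
+"type": "alias",
+"path": "DnsQuestionName"
+},
+"dns-question-registered_domain": {
+"type": "alias",
+"path": "DnsQuestionRegisteredDomain"
+}
+}
+}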
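--- /dev/null
+++ b/...rity-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_data.json
@@ -0,0 +1,57 @@
+{
+"type": "detector",
+"detector_type": "windows",
+"name": "Cypress USB Detector",
+"enabled": true,
+"createdBy": "",
+"schedule": {
+"period": {
+"interval": 1,
+"unit": "MINUTES"
+}
+},
+"inputs": [
+{
+"detector_input": {
+"description": "Detect USB plugged in.",
+"indices": ["cypress-index-windows"],
+"pre_packaged_rules": [],
+"custom_rules": [
+{
+"id": "25b9c01c-350d-4b95-bed1-836d04a4f324"
+}
+]
+}
+}
+],
+"triggers": [
+{
+"name": "USB plugged in alert",
+"sev_levels": ["low"],
+"tags": ["windows.usb"],
+"actions": [
+{
+"id": "",
+"name": "Triggered alert condition: - Severity: 1 (Highest) - Threat detector: USB Detector",
+"destination_id": "",
+"subject_template": {
+"source": "Triggered alert condition: - Severity: 1 (Highest) - Threat detector: USB Detector",
+"lang": "mustache"
+},
+"message_template": {
+"source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: USB Detector\nDescription: Detect USB plugged in.\nDetector data sources:\n\twindows",
+"lang": "mustache"
+},
+"throttle_enabled": false,
+"throttle": {
+"value": 10,
+"unit": "MINUTES"
+}
+}
+],
+"types": ["windows"],
+"severity": "1",
+"ids": ["25b9c01c-350d-4b95-bed1-836d04a4f123"]
+}
+]
+}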
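Review bot: the action `name`, `subject_template.source` and `message_template.source` all say `Threat detector: USB Detector`, while the detector's `name` is `"Cypress USB Detector"`; the DNS fixture in the same commit uses the full detector name in those three places. If the spec asserts that the notification subject or body contains the detector name, this fixture will not match, and if it does not, the two fixtures still read as if they were generated from different detectors. Suggest `"name": "Triggered alert condition: - Severity: 1 (Highest) - Threat detector: Cypress USB Detector"` and the same substitution in the two template `source` strings. Note also that `custom_rules[0].id` (`...f324`) and `triggers[0].ids[0]` (`...f123`) differ by their last digits only; if `ids` is meant to reference the custom rule, one of them looks like a copy-paste slip.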
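--- /dev/null
+++ b/...ytics-dashboards-plugin/integration_tests/detector/create_usb_detector_mappings_data.json
@@ -0,0 +1,28 @@
+{
+"properties": {
+"event_uid": {
+"type": "alias",
+"path": "EventID"
+},
+"windows-event_data-CommandLine": {
+"type": "alias",
+"path": "CommandLine"
+},
+"windows-hostname": {
+"type": "alias",
+"path": "HostName"
+},
+"windows-message": {
+"type": "alias",
+"path": "Message"
+},
+"windows-provider-name": {
+"type": "alias",
+"path": "Provider_Name"
+},
+"windows-servicename": {
+"type": "alias",
+"path": "ServiceName"
+}
+}
+}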
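--- /dev/null
+++ b/...gins/security-analytics-dashboards-plugin/integration_tests/index/add_dns_index_data.json
@@ -0,0 +1,5 @@
+{
+"DnsAnswerType": "QWE",
+"DnsQuestionRegisteredDomain": "EC2AMAZ-EPWO7HKA",
+"DnsQuestionName": "QWE"
+}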
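Review bot: `DnsQuestionRegisteredDomain` is `"EC2AMAZ-EPWO7HKA"`, a host-name shaped value, while the Windows fixture in this commit (add_windows_index_data.json) spells the same host `EC2AMAZ-EPO7HKA` in `HostName` and `QueryName`; the extra `W` looks like a typo rather than a second host. That is harmless if the DNS rule only keys on `DnsQuestionName`/`DnsAnswerType` (`"QWE"`), but it is one more place the two sample indices can silently disagree. Either align the spelling across the two fixtures or, if the value is intentionally distinct, give it something that cannot be mistaken for the other host.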
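--- /dev/null
+++ b/.../security-analytics-dashboards-plugin/integration_tests/index/add_windows_index_data.json
@@ -0,0 +1,39 @@
+{
+"EventTime": "2020-02-04T14:59:39.343541+00:00",
+"HostName": "EC2AMAZ-EPO7HKA",
+"Keywords": "9223372036854775808",
+"SeverityValue": 2,
+"Severity": "ERROR",
+"EventID": 2003,
+"SourceName": "Microsoft-Windows-Sysmon",
+"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
+"Version": 5,
+"TaskValue": 22,
+"OpcodeValue": 0,
+"RecordNumber": 9532,
+"ExecutionProcessID": 1996,
+"ExecutionThreadID": 2616,
+"Channel": "Microsoft-Windows-Sysmon/Operational",
+"Domain": "NT AUTHORITY",
+"AccountName": "SYSTEM",
+"UserID": "S-1-5-18",
+"AccountType": "User",
+"Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
+"Category": "Dns query (rule: DnsQuery)",
+"Opcode": "Info",
+"UtcTime": "2020-02-04 14:59:38.349",
+"ProcessGuid": "{b3c285a4-3cda-5dc0-0000-001077270b00}",
+"ProcessId": "1904",
+"QueryName": "EC2AMAZ-EPO7HKA",
+"QueryStatus": "0",
+"QueryResults": "172.31.46.38;",
+"Image": "C:\\Program Files\\nxlog\\regsvr32.exe",
+"EventReceivedTime": "2020-02-04T14:59:40.780905+00:00",
+"SourceModuleName": "in",
+"SourceModuleType": "im_msvistalog",
+"CommandLine": "eachtest",
+"Initiated": "true",
+"Provider_Name": "Service_ws_Control_ws_Manager",
+"TargetObject": "\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security",
+"EventType": "SetValue"
+}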
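Review bot: `Image` is `C:\\Program Files\\nxlog\\regsvr32.exe` while the `Image:` line embedded in `Message` says `...\\nxlog\\nxlog.exe`, and the record mixes a DNS-query `Message`/`Category` with a registry-style `TargetObject`/`EventType: "SetValue"` and a Service Control Manager `Provider_Name`; that is presumably deliberate so one document satisfies whatever fields the USB rule and the mapping aliases need, but nothing in the fixture says which keys matter. Since JSON cannot carry a comment, the spec that indexes this file should state which fields the rule matches on, otherwise the next person to "clean up" the contradictions will break the test. Minor: `ProcessId`, `QueryStatus` and `Initiated` are strings while `ExecutionProcessID` and `EventID` are numbers; if the index mapping types these as keyword that is fine, but a rule comparing `ProcessId` numerically would not match `"1904"`. `Keywords` as a string is correct, since 9223372036854775808 exceeds a signed 64-bit integer.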