adds cypress test to create eql sequence rule with suppression and mo…

…ves deletion of preview index in e2e test to after function
elastic · Nov 18, 2024 · ba05c66 · ba05c66
1 parent 73e5f9a
commit ba05c66
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 5 deletions.
diff --git a/...tion_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts b/...tion_engine/rule_execution_logic/eql/trial_license_complete_tier/eql_alert_suppression.ts
@@ -81,6 +81,7 @@ export default ({ getService }: FtrProviderContext) => {
 
     after(async () => {
       await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/ecs_compliant');
+      await esDeleteAllIndices('.preview.alerts*');
     });
 
     afterEach(async () => {
@@ -89,7 +90,6 @@ export default ({ getService }: FtrProviderContext) => {
         '.alerts-security.alerts-*',
       ]);
       await deleteAllRules(supertest, log);
-      await esDeleteAllIndices('.preview.alerts*');
     });
 
     describe('non-sequence queries', () => {

diff --git a/...e2e/detection_response/detection_engine/rule_creation/eql_rule_suppression_sequence.cy.ts b/...e2e/detection_response/detection_engine/rule_creation/eql_rule_suppression_sequence.cy.ts
@@ -8,11 +8,31 @@ import { getEqlSequenceRule } from '../../../../objects/rule';
 
 import { login } from '../../../../tasks/login';
 import { visit } from '../../../../tasks/navigation';
+import { getDetails } from '../../../../tasks/rule_details';
 import { CREATE_RULE_URL } from '../../../../urls/navigation';
 import { deleteAlertsAndRules } from '../../../../tasks/api_calls/common';
-import { fillDefineEqlRule, selectEqlRuleType } from '../../../../tasks/create_new_rule';
+import {
+  fillAlertSuppressionFields,
+  fillAboutRuleMinimumAndContinue,
+  createRuleWithoutEnabling,
+  skipScheduleRuleAction,
+  continueFromDefineStep,
+  selectAlertSuppressionPerInterval,
+  setAlertSuppressionDuration,
+  selectDoNotSuppressForMissingFields,
+  fillDefineEqlRule,
+  selectEqlRuleType,
+} from '../../../../tasks/create_new_rule';
 
-import { ALERT_SUPPRESSION_FIELDS_INPUT } from '../../../../screens/create_new_rule';
+import {
+  DEFINITION_DETAILS,
+  SUPPRESS_FOR_DETAILS,
+  SUPPRESS_BY_DETAILS,
+  SUPPRESS_MISSING_FIELD,
+  DETAILS_TITLE,
+} from '../../../../screens/rule_details';
+
+const SUPPRESS_BY_FIELDS = ['agent.type'];
 
 describe(
   'Detection Rule Creation - EQL Rules - With Alert Suppression',
@@ -41,8 +61,70 @@ describe(
         fillDefineEqlRule(rule);
       });
 
-      it('displays the suppression fields', () => {
-        cy.get(ALERT_SUPPRESSION_FIELDS_INPUT).should('be.enabled');
+      it('creates a rule with a "per rule execution" suppression duration', () => {
+        // selecting only suppression fields, the rest options would be default
+        fillAlertSuppressionFields(SUPPRESS_BY_FIELDS);
+        continueFromDefineStep();
+
+        // ensures details preview works correctly
+        cy.get(DEFINITION_DETAILS).within(() => {
+          getDetails(SUPPRESS_BY_DETAILS).should('have.text', SUPPRESS_BY_FIELDS.join(''));
+          getDetails(SUPPRESS_FOR_DETAILS).should('have.text', 'One rule execution');
+          getDetails(SUPPRESS_MISSING_FIELD).should(
+            'have.text',
+            'Suppress and group alerts for events with missing fields'
+          );
+
+          // suppression functionality should be under Tech Preview
+          cy.contains(DETAILS_TITLE, SUPPRESS_FOR_DETAILS).contains('Technical Preview');
+        });
+
+        fillAboutRuleMinimumAndContinue(rule);
+        skipScheduleRuleAction();
+        createRuleWithoutEnabling();
+
+        cy.get(DEFINITION_DETAILS).within(() => {
+          getDetails(SUPPRESS_BY_DETAILS).should('have.text', SUPPRESS_BY_FIELDS.join(''));
+          getDetails(SUPPRESS_FOR_DETAILS).should('have.text', 'One rule execution');
+          getDetails(SUPPRESS_MISSING_FIELD).should(
+            'have.text',
+            'Suppress and group alerts for events with missing fields'
+          );
+        });
+      });
+
+      it('creates a rule with a "per time interval" suppression duration', () => {
+        const expectedSuppressByFields = SUPPRESS_BY_FIELDS.slice(0, 1);
+
+        // fill suppress by fields and select non-default suppression options
+        fillAlertSuppressionFields(expectedSuppressByFields);
+        selectAlertSuppressionPerInterval();
+        setAlertSuppressionDuration(45, 'm');
+        selectDoNotSuppressForMissingFields();
+        continueFromDefineStep();
+
+        // ensures details preview works correctly
+        cy.get(DEFINITION_DETAILS).within(() => {
+          getDetails(SUPPRESS_BY_DETAILS).should('have.text', expectedSuppressByFields.join(''));
+          getDetails(SUPPRESS_FOR_DETAILS).should('have.text', '45m');
+          getDetails(SUPPRESS_MISSING_FIELD).should(
+            'have.text',
+            'Do not suppress alerts for events with missing fields'
+          );
+        });
+
+        fillAboutRuleMinimumAndContinue(rule);
+        skipScheduleRuleAction();
+        createRuleWithoutEnabling();
+
+        cy.get(DEFINITION_DETAILS).within(() => {
+          getDetails(SUPPRESS_BY_DETAILS).should('have.text', expectedSuppressByFields.join(''));
+          getDetails(SUPPRESS_FOR_DETAILS).should('have.text', '45m');
+          getDetails(SUPPRESS_MISSING_FIELD).should(
+            'have.text',
+            'Do not suppress alerts for events with missing fields'
+          );
+        });
       });
     });
   }