[master] Security CCS automation POC #99042
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -24,6 +24,7 @@ export default ({ getService, getPageObjects }) => { | |
| const kibanaServer = getService('kibanaServer'); | ||
| const queryBar = getService('queryBar'); | ||
| const filterBar = getService('filterBar'); | ||
| const supertest = getService('supertest'); | ||
|
|
||
| before(async () => { | ||
| await browser.setWindowSize(1200, 800); | ||
|
|
@@ -97,6 +98,8 @@ export default ({ getService, getPageObjects }) => { | |
| ); | ||
| await PageObjects.security.logout(); | ||
| } | ||
| // visit app/security so to create .siem-signals-* as side effect | ||
| await PageObjects.common.navigateToApp('security', { insertTimestamp: false }); | ||
| const url = await browser.getCurrentUrl(); | ||
| log.debug(url); | ||
| if (!url.includes('kibana')) { | ||
|
|
@@ -135,6 +138,35 @@ export default ({ getService, getPageObjects }) => { | |
| expect(patternName).to.be('*:makelogs工程-*'); | ||
| }); | ||
|
|
||
| it('create local siem signals index pattern', async () => { | ||
| log.debug('Add index pattern: .siem-signals-*'); | ||
| await supertest | ||
| .post('/api/index_patterns/index_pattern') | ||
| .set('kbn-xsrf', 'true') | ||
| .send({ | ||
| index_pattern: { | ||
| title: '.siem-signals-*', | ||
| }, | ||
| override: true, | ||
| }) | ||
| .expect(200); | ||
| }); | ||
|
|
||
| it('create remote monitoring ES index pattern', async () => { | ||
|
There was a problem hiding this comment. The code inside this test and the above is a preparation of the test we want to perform. So I would refactor it in order to reflect that. There was a problem hiding this comment. We actually have 2 other ways to automate creating the index pattern without using the API.
Here's an example PR switching from using esArchiver to kbnArchiver #98063 |
||
| log.debug('Add index pattern: data:.monitoring-es-*'); | ||
| await supertest | ||
| .post('/api/index_patterns/index_pattern') | ||
| .set('kbn-xsrf', 'true') | ||
| .send({ | ||
| index_pattern: { | ||
| title: 'data:.monitoring-es-*', | ||
| timeFieldName: 'timestamp', | ||
| }, | ||
| override: true, | ||
| }) | ||
| .expect(200); | ||
| }); | ||
|
|
||
| it('local:makelogs(star) should discover data from the local cluster', async () => { | ||
| await PageObjects.common.navigateToApp('discover', { insertTimestamp: false }); | ||
|
|
||
|
|
@@ -203,5 +235,36 @@ export default ({ getService, getPageObjects }) => { | |
| expect(hitCount).to.be.lessThan(originalHitCount); | ||
| }); | ||
| }); | ||
|
|
||
| it('should generate alerts based on remote events', async () => { | ||
| log.debug('Add detection rule type:shards on data:.monitoring-es-*'); | ||
| await supertest | ||
| .post('/api/detection_engine/rules') | ||
| .set('kbn-xsrf', 'true') | ||
| .send({ | ||
| description: 'This is the description of the rule', | ||
| risk_score: 17, | ||
| severity: 'low', | ||
| interval: '10s', | ||
| name: 'CCS_Detection_test', | ||
| type: 'query', | ||
| from: 'now-1d', | ||
| index: ['data:.monitoring-es-*'], | ||
| timestamp_override: 'timestamp', | ||
| query: 'type:shards', | ||
| language: 'kuery', | ||
| enabled: true, | ||
| }) | ||
| .expect(200); | ||
|
|
||
| log.debug('Check if any alert got to .siem-signals-*'); | ||
| await PageObjects.common.navigateToApp('discover', { insertTimestamp: false }); | ||
| await PageObjects.discover.selectIndexPattern('.siem-signals-*'); | ||
| await retry.tryForTime(40000, async () => { | ||
| const hitCount = await PageObjects.discover.getHitCount(); | ||
| log.debug('### hit count = ' + hitCount); | ||
| expect(hitCount).to.be.greaterThan('0'); | ||
|
There was a problem hiding this comment. It is better if we assert the number of alerts we are expecting. There was a problem hiding this comment. This requires tuning, depends on the observation period and on the time elapsed when the reading is done. I also suspect that the observed index (.monitoring-es-*) get updated. Essentially, I'm not sure we can have a deterministic value here. Maybe I should investigate some other index for applying the rule onto. There was a problem hiding this comment. It is complex to use our own index of data in the CCS configuration? There was a problem hiding this comment. As anticipated, none of the indices on the remote (except makelogs*, which is non ECS-compatible) has a deterministic number of entries that can be checked here. Should we consider ingesting some other data then? There was a problem hiding this comment. This is probably a good place to use esArchiver, but it's going to take a little bit of work. The integration-test repo no longer uses node.js which would be required to call esArchiver. FTR tests do load data with esArchiver, but currently only to the local cluster. While it's possible to add other configuration for FTR so that esArchiver could also load data in a remote cluster, I think it would be easier to use the CLI to call it from the jenkins_test.sh script in the integration-test just before starting the FTR. |
||
| }); | ||
| }); | ||
| }); | ||
| }; | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As in this file it is already tested that an index pattern can be added, in order to improve execution time, as part of the data preparation we need for our test, we can probably add the index we need through the API.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Such API is available since 7.11 but it's not publicly documented yet. See #99372. The API is described in the original implementation PR #83576.