[master] More precise alerts matching (#99820)
* Split out test preparation and cleanup * Load data on the remote cluster * Update the rule to the new (remote) data
parent
3930749f0e
commit
a4b4da3674
|
@ -5,7 +5,12 @@
|
||||||
* 2.0.
|
* 2.0.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
import fs from 'fs';
|
||||||
import expect from '@kbn/expect';
|
import expect from '@kbn/expect';
|
||||||
|
import { Client as EsClient } from '@elastic/elasticsearch';
|
||||||
|
import { KbnClient } from '@kbn/test';
|
||||||
|
import { EsArchiver } from '@kbn/es-archiver';
|
||||||
|
import { CA_CERT_PATH } from '@kbn/dev-utils';
|
||||||
|
|
||||||
export default ({ getService, getPageObjects }) => {
|
export default ({ getService, getPageObjects }) => {
|
||||||
describe('Cross cluster search test in discover', async () => {
|
describe('Cross cluster search test in discover', async () => {
|
||||||
|
@ -24,7 +29,6 @@ export default ({ getService, getPageObjects }) => {
|
||||||
const kibanaServer = getService('kibanaServer');
|
const kibanaServer = getService('kibanaServer');
|
||||||
const queryBar = getService('queryBar');
|
const queryBar = getService('queryBar');
|
||||||
const filterBar = getService('filterBar');
|
const filterBar = getService('filterBar');
|
||||||
const supertest = getService('supertest');
|
|
||||||
|
|
||||||
before(async () => {
|
before(async () => {
|
||||||
await browser.setWindowSize(1200, 800);
|
await browser.setWindowSize(1200, 800);
|
||||||
|
@ -98,8 +102,6 @@ export default ({ getService, getPageObjects }) => {
|
||||||
);
|
);
|
||||||
await PageObjects.security.logout();
|
await PageObjects.security.logout();
|
||||||
}
|
}
|
||||||
// visit app/security so to create .siem-signals-* as side effect
|
|
||||||
await PageObjects.common.navigateToApp('security', { insertTimestamp: false });
|
|
||||||
const url = await browser.getCurrentUrl();
|
const url = await browser.getCurrentUrl();
|
||||||
log.debug(url);
|
log.debug(url);
|
||||||
if (!url.includes('kibana')) {
|
if (!url.includes('kibana')) {
|
||||||
|
@ -138,35 +140,6 @@ export default ({ getService, getPageObjects }) => {
|
||||||
expect(patternName).to.be('*:makelogs工程-*');
|
expect(patternName).to.be('*:makelogs工程-*');
|
||||||
});
|
});
|
||||||
|
|
||||||
it('create local siem signals index pattern', async () => {
|
|
||||||
log.debug('Add index pattern: .siem-signals-*');
|
|
||||||
await supertest
|
|
||||||
.post('/api/index_patterns/index_pattern')
|
|
||||||
.set('kbn-xsrf', 'true')
|
|
||||||
.send({
|
|
||||||
index_pattern: {
|
|
||||||
title: '.siem-signals-*',
|
|
||||||
},
|
|
||||||
override: true,
|
|
||||||
})
|
|
||||||
.expect(200);
|
|
||||||
});
|
|
||||||
|
|
||||||
it('create remote monitoring ES index pattern', async () => {
|
|
||||||
log.debug('Add index pattern: data:.monitoring-es-*');
|
|
||||||
await supertest
|
|
||||||
.post('/api/index_patterns/index_pattern')
|
|
||||||
.set('kbn-xsrf', 'true')
|
|
||||||
.send({
|
|
||||||
index_pattern: {
|
|
||||||
title: 'data:.monitoring-es-*',
|
|
||||||
timeFieldName: 'timestamp',
|
|
||||||
},
|
|
||||||
override: true,
|
|
||||||
})
|
|
||||||
.expect(200);
|
|
||||||
});
|
|
||||||
|
|
||||||
it('local:makelogs(star) should discover data from the local cluster', async () => {
|
it('local:makelogs(star) should discover data from the local cluster', async () => {
|
||||||
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
|
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
|
||||||
|
|
||||||
|
@ -236,34 +209,151 @@ export default ({ getService, getPageObjects }) => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should generate alerts based on remote events', async () => {
|
describe('Detection engine', async function () {
|
||||||
log.debug('Add detection rule type:shards on data:.monitoring-es-*');
|
const supertest = getService('supertest');
|
||||||
await supertest
|
const esSupertest = getService('esSupertest');
|
||||||
.post('/api/detection_engine/rules')
|
const config = getService('config');
|
||||||
.set('kbn-xsrf', 'true')
|
|
||||||
.send({
|
|
||||||
description: 'This is the description of the rule',
|
|
||||||
risk_score: 17,
|
|
||||||
severity: 'low',
|
|
||||||
interval: '10s',
|
|
||||||
name: 'CCS_Detection_test',
|
|
||||||
type: 'query',
|
|
||||||
from: 'now-1d',
|
|
||||||
index: ['data:.monitoring-es-*'],
|
|
||||||
timestamp_override: 'timestamp',
|
|
||||||
query: 'type:shards',
|
|
||||||
language: 'kuery',
|
|
||||||
enabled: true,
|
|
||||||
})
|
|
||||||
.expect(200);
|
|
||||||
|
|
||||||
log.debug('Check if any alert got to .siem-signals-*');
|
const esClient = new EsClient({
|
||||||
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
|
ssl: {
|
||||||
await PageObjects.discover.selectIndexPattern('.siem-signals-*');
|
ca: fs.readFileSync(CA_CERT_PATH, 'utf-8'),
|
||||||
await retry.tryForTime(40000, async () => {
|
},
|
||||||
const hitCount = await PageObjects.discover.getHitCount();
|
nodes: [process.env.TEST_ES_URLDATA],
|
||||||
log.debug('### hit count = ' + hitCount);
|
requestTimeout: config.get('timeouts.esRequestTimeout'),
|
||||||
expect(hitCount).to.be.greaterThan('0');
|
});
|
||||||
|
|
||||||
|
const kbnClient = new KbnClient({
|
||||||
|
log,
|
||||||
|
url: process.env.TEST_KIBANA_URLDATA,
|
||||||
|
certificateAuthorities: config.get('servers.kibana.certificateAuthorities'),
|
||||||
|
uiSettingDefaults: kibanaServer.uiSettings,
|
||||||
|
importExportDir: config.get('kbnArchiver.directory'),
|
||||||
|
});
|
||||||
|
|
||||||
|
const esArchiver = new EsArchiver({
|
||||||
|
log,
|
||||||
|
client: esClient,
|
||||||
|
kbnClient,
|
||||||
|
dataDir: config.get('esArchiver.directory'),
|
||||||
|
});
|
||||||
|
|
||||||
|
let signalsId;
|
||||||
|
let dataId;
|
||||||
|
let ruleId;
|
||||||
|
|
||||||
|
before('Prepare .siem-signal-*', async function () {
|
||||||
|
log.info('Create index');
|
||||||
|
// visit app/security so to create .siem-signals-* as side effect
|
||||||
|
await PageObjects.common.navigateToApp('security', { insertTimestamp: false });
|
||||||
|
|
||||||
|
log.info('Create index pattern');
|
||||||
|
signalsId = await supertest
|
||||||
|
.post('/api/index_patterns/index_pattern')
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.send({
|
||||||
|
index_pattern: {
|
||||||
|
title: '.siem-signals-*',
|
||||||
|
},
|
||||||
|
override: true,
|
||||||
|
})
|
||||||
|
.expect(200)
|
||||||
|
.then((res) => JSON.parse(res.text).index_pattern.id);
|
||||||
|
log.debug('id: ' + signalsId);
|
||||||
|
});
|
||||||
|
|
||||||
|
before('Prepare data:metricbeat-*', async function () {
|
||||||
|
log.info('Create index');
|
||||||
|
await esArchiver.load('metricbeat');
|
||||||
|
|
||||||
|
log.info('Create index pattern');
|
||||||
|
dataId = await supertest
|
||||||
|
.post('/api/index_patterns/index_pattern')
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.send({
|
||||||
|
index_pattern: {
|
||||||
|
title: 'data:metricbeat-*',
|
||||||
|
},
|
||||||
|
override: true,
|
||||||
|
})
|
||||||
|
.expect(200)
|
||||||
|
.then((res) => JSON.parse(res.text).index_pattern.id);
|
||||||
|
log.debug('id: ' + dataId);
|
||||||
|
});
|
||||||
|
|
||||||
|
before('Add detection rule', async function () {
|
||||||
|
ruleId = await supertest
|
||||||
|
.post('/api/detection_engine/rules')
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.send({
|
||||||
|
description: 'This is the description of the rule',
|
||||||
|
risk_score: 17,
|
||||||
|
severity: 'low',
|
||||||
|
interval: '10s',
|
||||||
|
name: 'CCS_Detection_test',
|
||||||
|
type: 'query',
|
||||||
|
from: 'now-1y',
|
||||||
|
index: ['data:metricbeat-*'],
|
||||||
|
query: '*:*',
|
||||||
|
language: 'kuery',
|
||||||
|
enabled: true,
|
||||||
|
})
|
||||||
|
.expect(200)
|
||||||
|
.then((res) => JSON.parse(res.text).id);
|
||||||
|
log.debug('id: ' + ruleId);
|
||||||
|
});
|
||||||
|
|
||||||
|
after('Clean up detection rule', async function () {
|
||||||
|
if (ruleId !== undefined) {
|
||||||
|
log.debug('id: ' + ruleId);
|
||||||
|
await supertest
|
||||||
|
.delete('/api/detection_engine/rules?id=' + ruleId)
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.expect(200);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
after('Clean up data:metricbeat-*', async function () {
|
||||||
|
if (dataId !== undefined) {
|
||||||
|
log.info('Delete index pattern');
|
||||||
|
log.debug('id: ' + dataId);
|
||||||
|
await supertest
|
||||||
|
.delete('/api/index_patterns/index_pattern/' + dataId)
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.expect(200);
|
||||||
|
}
|
||||||
|
|
||||||
|
log.info('Delete index');
|
||||||
|
await esArchiver.unload('metricbeat');
|
||||||
|
});
|
||||||
|
|
||||||
|
after('Clean up .siem-signal-*', async function () {
|
||||||
|
if (signalsId !== undefined) {
|
||||||
|
log.info('Delete index pattern: .siem-signals-*');
|
||||||
|
log.debug('id: ' + signalsId);
|
||||||
|
await supertest
|
||||||
|
.delete('/api/index_patterns/index_pattern/' + signalsId)
|
||||||
|
.set('kbn-xsrf', 'true')
|
||||||
|
.expect(200);
|
||||||
|
}
|
||||||
|
|
||||||
|
log.info('Delete index alias: .siem-signals-default');
|
||||||
|
await esSupertest
|
||||||
|
.delete('/.siem-signals-default-000001/_alias/.siem-signals-default')
|
||||||
|
.expect(200);
|
||||||
|
|
||||||
|
log.info('Delete index: .siem-signals-default-000001');
|
||||||
|
await esSupertest.delete('/.siem-signals-default-000001').expect(200);
|
||||||
|
});
|
||||||
|
|
||||||
|
it('Should generate alerts based on remote events', async function () {
|
||||||
|
log.info('Check if any alert got to .siem-signals-*');
|
||||||
|
await PageObjects.common.navigateToApp('discover', { insertTimestamp: false });
|
||||||
|
await PageObjects.discover.selectIndexPattern('.siem-signals-*');
|
||||||
|
await retry.tryForTime(30000, async () => {
|
||||||
|
const hitCount = await PageObjects.discover.getHitCount();
|
||||||
|
log.debug('### hit count = ' + hitCount);
|
||||||
|
expect(hitCount).to.be('100');
|
||||||
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
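Review bot: The new `Detection engine` block builds `EsClient` and `KbnClient` straight from `process.env.TEST_ES_URLDATA` and `process.env.TEST_KIBANA_URLDATA` with no check that they are set, so a missing variable becomes `nodes: [undefined]` and only surfaces later as an unrelated connection error inside the `before` hooks; resolve them up front, e.g. `const esUrl = process.env.TEST_ES_URLDATA;` / `if (esUrl === undefined) throw new Error('TEST_ES_URLDATA is not set');`, and likewise for the Kibana URL. The `after('Clean up .siem-signal-*')` hook deletes the hard-coded `.siem-signals-default-000001` alias and index with `.expect(200)` unconditionally, so if the `before` hook never reached the security app (index never created) the teardown fails and hides the original error; guarding it the way `ruleId` and `dataId` are guarded, or accepting a 404 there, would keep cleanup from masking failures. The `describe('Detection engine', async function () {` callback is declared `async` although it only registers hooks and mocha ignores the returned promise, so dropping `async` makes the intent clearer. The enclosing outer `describe` and the exported function start outside this hunk.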