[Backport main] [Security analytics][2.x] Updated tests 2.13 release #1160

Merged
merged 1 commit into from
May 9, 2024
Merged
@@ -0,0 +1,26 @@
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1543.003
logsource:
product: d3
category: s3
service: azure
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 2100
ServiceName: ZzNetSvc
condition: selection
level: critical
falsepositives:
- Unknown
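Review bot: The fixture's header (`title: Moriya Rootkit`, the securelist reference, a `Service Control Manager` detection) and its `logsource` (`product: d3`, `category: s3`, `service: azure`) describe different things, and nothing in the file says which part matters. It appears to be the file the Rules import test selects to check that the AWS S3 log type is set, in which case only the logsource is exercised; a leading comment such as `# Test fixture for the rule-import flow: only the logsource (mapped to the AWS S3 log type) is asserted; title/detection are placeholder content` would keep a later reader from treating it as a real rule or "fixing" the mismatch. If the fixture is reused elsewhere, name that use in the same comment.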
Expand Up @@ -549,6 +549,48 @@ describe('Detectors', () => {
validateFieldMappingsTable('rules are changed');
});

it('...can be stopped and started back from detectors list action menu', () => {
cy.wait(1000);
cy.get('tbody > tr')
.first()
.within(() => {
cy.get('[class="euiCheckbox__input"]').click({ force: true });
});

// Waiting for Actions menu button to be enabled
cy.wait(1000);

setupIntercept(
cy,
`${NODE_API.DETECTORS_BASE}/_search`,
'detectorsSearch'
);

cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });

cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
// Need this extra wait time for the Actions button to become enabled again
cy.wait(2000);

setupIntercept(
cy,
`${NODE_API.DETECTORS_BASE}/_search`,
'detectorsSearch'
);
cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Start');
cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });

cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
// Need this extra wait time for the Actions button to become enabled again
cy.wait(2000);

cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
});

it('...can be deleted', () => {
setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getSigmaRules');
openDetectorDetails(detectorName);
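Review bot: Every `cy.get('[data-test-subj="detectorsActionsButton')` and `cy.get('[data-test-subj="toggleDetectorButton')` in the new "...can be stopped and started back" test is missing the closing `"]` of the attribute selector; browsers close the string and bracket at end of input so the selector probably still resolves, but it reads as a typo and will not survive a stricter selector engine, so it should be `cy.get('[data-test-subj="detectorsActionsButton"]')` and `cy.get('[data-test-subj="toggleDetectorButton"]')` throughout. The fixed `cy.wait(1000)` / `cy.wait(2000)` sleeps make the test timing-dependent; the comments already state they exist for the Actions button to become enabled, so asserting that directly (`cy.get('[data-test-subj="detectorsActionsButton"]').should('be.enabled')`) expresses the intent without a sleep and retries until it holds. The enclosing `describe('Detectors')` starts and ends outside the hunk.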
Expand Up @@ -155,6 +155,9 @@ const checkRulesFlyout = () => {
};

const getCreateButton = () => cy.get('[data-test-subj="create_rule_button"]');
const getImportButton = () => cy.get('[data-test-subj="import_rule_button"]');
const getImportRuleFilePicker = () =>
cy.get('[data-test-subj="import_rule_file_picker"]');
const getNameField = () => cy.sa_getFieldByLabel('Rule name');
const getRuleStatusField = () => cy.sa_getFieldByLabel('Rule Status');
const getDescriptionField = () =>
Expand Down Expand Up @@ -631,6 +634,15 @@ describe('Rules', () => {
checkRulesFlyout();
});

it('...can be imported with log type', () => {
getImportButton().click({ force: true });
getImportRuleFilePicker().selectFile(
'./cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml'
);
// Check that AWS S3 log type is set.
cy.contains('AWS S3');
});

it('...can be deleted', () => {
setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getRules', 'POST');

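Review bot: In the second hunk, `cy.contains('AWS S3')` in "...can be imported with log type" passes if the text appears anywhere on the page (a log-type option list, a leftover table row), not only in the log type field the import is supposed to populate, so it does not really establish that the fixture's logsource was mapped. Scoping the assertion to the field, for example through the `cy.sa_getFieldByLabel(...)` helper this file already uses for the name and status fields, followed by a value check, would make the test meaningful; the label of the log type field is not visible in the hunk, so use whatever the form renders. The first hunk only adds the two `getImport*` accessors and needs no change. `describe('Rules')` starts and ends outside the hunk.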
Expand Up @@ -152,5 +152,28 @@ describe('Findings', () => {
});
});

it('shows document not found warning when the document is empty', () => {
cy.deleteIndex(indexName);
cy.reload();

// Wait for page to load
cy.sa_waitForPageLoad('findings', {
contains: 'Findings',
});

// filter table to show only sample_detector findings
cy.get(`input[placeholder="Search findings"]`).sa_ospSearch(indexName);

// open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.
cy.sa_getTableFirstRow('[data-test-subj="view-details-icon"]').then(
($el) => {
cy.get($el).click({ force: true });
}
);

// Flyout should show 'Document not found' warning
cy.contains('Document not found');
});

after(() => cy.sa_cleanUpTests());
});
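Review bot: The comment `// open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.` refers to a `cy.wait` that does not exist in the block it annotates, so it is stale; either drop the second sentence or restore the wait it describes. The new test also starts with `cy.deleteIndex(indexName)`, which removes the index for the rest of the suite, so any `it` added after it will run against a missing index; a one-line comment at the top of the block such as `// Destructive: deletes the sample index, so this must remain the last test before after()` makes that ordering constraint explicit. `describe('Findings')` opens outside the hunk; the `after(() => cy.sa_cleanUpTests())` hook shown is pre-existing context.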