[Security Solution] Expand test coverage for performing rule field upgrades to all diffable fields #205339

Closed
@@ -116,6 +116,47 @@ Status: `in progress`. The current test plan matches [Rule Immutability/Customiz

- User should be able to install prebuilt rules with and without previewing what exactly they would install (rule properties).
- User should be able to upgrade prebuilt rules with and without previewing what updates they would apply (rule properties of target rule versions).
- User should be able to review and perform upgrades for all diffable fields across rule types:

| Field Name | Rule Type | Field Type |
|------------------------|-------------------|---------------------|
| name | Common | Single Line String |
| severity | Common | Single Line String |
| description | Common | Multi Line String |
| note | Common | Multi Line String |
| setup | Common | Multi Line String |
| risk_score | Common | Number |
| max_signals | Common | Number |
| tags | Common | Scalar Array |
| references | Common | Scalar Array |
| severity_mapping | Common | Simple |
| risk_score_mapping | Common | Simple |
| false_positives | Common | Simple |
| threat | Common | Simple |
| related_integrations | Common | Simple |
| required_fields | Common | Simple |
| rule_schedule | Common | Simple |
| rule_name_override | Common | Simple |
| timestamp_override | Common | Simple |
| timeline_template | Common | Simple |
| building_block | Common | Simple |
| investigation_fields | Common | Simple |
| alert_suppression | Common | Simple |
| data_source | Common | Data Source |
| type | Common | Rule Type |
| version | Common | Force Target Version|
| kql_query | query | KQL Query |
| threat_indicator_path | threat_match | Single Line String |
| threat_query | threat_match | KQL Query |
| threat_index | threat_match | Scalar Array |
| threshold | threshold | Simple |
| anomaly_threshold | machine_learning | Number |
| machine_learning_job_id| machine_learning | Simple |
| history_window_start | new_terms | Single Line String |
| new_terms_fields | new_terms | Scalar Array |
| eql_query | eql | EQL Query |
| esql_query | esql | ESQL Query |

- If user chooses to preview a prebuilt rule to be installed/upgraded, we currently show this preview in a flyout.
- In the prebuilt rule preview a tab that doesn't have any sections should not be displayed and a section that doesn't have any properties also should not be displayed.

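Review bot: two rows break the table's column alignment, `| version | Common | Force Target Version|` and `| machine_learning_job_id| machine_learning | Simple |`, both missing the space before a closing pipe; padding them like the other rows keeps the plain-text table readable. The `kql_query` row also names only `query` as its rule type, while the new_terms mock touched later in this PR carries a `query`/`language` pair, so if that field is diffable for other query-based rule types it is worth listing them here, since this table is what the "all diffable fields" claim in the bullet above is checked against.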
@@ -337,3 +337,44 @@ const allFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableAllFields> = {
...newTermsFieldsDiffAlgorithms,
type: ruleTypeDiffAlgorithm,
};

export type SINGLE_LINE_STRING_FIELDS =
| 'name'
| 'severity'
| 'threat_indicator_path'
| 'history_window_start';

export type MULTI_LINE_STRING_FIELDS = 'description' | 'note' | 'setup';

export type NUMBER_FIELDS = 'risk_score' | 'max_signals' | 'anomaly_threshold';

export type SCALAR_ARRAY_FIELDS = 'tags' | 'references' | 'threat_index' | 'new_terms_fields';

export type SIMPLE_FIELDS =
| 'severity_mapping'
| 'risk_score_mapping'
| 'false_positives'
| 'threat'
| 'related_integrations'
| 'required_fields'
| 'rule_schedule'
| 'rule_name_override'
| 'timestamp_override'
| 'timeline_template'
| 'building_block'
| 'investigation_fields'
| 'alert_suppression'
| 'threshold'
| 'machine_learning_job_id';

export type KQL_QUERY_FIELDS = 'kql_query' | 'threat_query';

export type EQL_QUERY_FIELDS = 'eql_query';

export type ESQL_QUERY_FIELDS = 'esql_query';

export type DATA_SOURCE_FIELDS = 'data_source';

export type RULE_TYPE_FIELDS = 'type';

export type FORCE_TARGET_VERSION_FIELDS = 'version';
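Review bot: these unions are hand-maintained mirrors of the keys behind `allFieldsDiffAlgorithms`, so a field added to `DiffableAllFields` later will compile cleanly while silently falling out of every test group. A type-level guard beside them would turn that into a build error, e.g. `type GroupedFields = SINGLE_LINE_STRING_FIELDS | MULTI_LINE_STRING_FIELDS | NUMBER_FIELDS | SCALAR_ARRAY_FIELDS | SIMPLE_FIELDS | KQL_QUERY_FIELDS | EQL_QUERY_FIELDS | ESQL_QUERY_FIELDS | DATA_SOURCE_FIELDS | RULE_TYPE_FIELDS | FORCE_TARGET_VERSION_FIELDS;` followed by `const _allFieldsGrouped: Exclude<keyof DiffableAllFields, GroupedFields> extends never ? true : false = true;`. Separately, SCREAMING_SNAKE_CASE is the usual TypeScript convention for constants rather than type aliases; names like `SingleLineStringFields` would read as the types they are.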
@@ -81,6 +81,7 @@ export const getPrebuiltThreatMatchRuleSpecificFieldsMock = (): ThreatMatchRuleC
],
},
],
threat_indicator_path: 'threat.indicator.mock',
concurrent_searches: 2,
items_per_search: 10,
});
@@ -109,7 +110,7 @@ export const getPrebuiltNewTermsRuleSpecificFieldsMock = (): NewTermsRuleCreateF
query: 'user.name: *',
language: 'kuery',
new_terms_fields: ['user.name'],
history_window_start: '1h',
history_window_start: 'now-1h',
});

export const getPrebuiltEsqlRuleSpecificFieldsMock = (): EsqlRuleCreateFields => ({
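Review bot: changing `history_window_start` from `'1h'` to `'now-1h'` is the right fix, since this field is a date-math expression anchored at `now` rather than a bare duration, and a bare `'1h'` would let any test built on this mock compare invalid values on both sides of the diff; a quick search for other fixtures that still use the bare-duration form is worthwhile so they do not keep passing for the wrong reason.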
@@ -8,7 +8,7 @@
import { FtrProviderContext } from '../../../../../../ftr_provider_context';

export default ({ loadTestFile }: FtrProviderContext): void => {
describe('Rules Management - Prebuilt Rules - Prebuilt Rules Management', function () {
describe('Rules Management - Prebuilt Rules - Prebuilt Rules Management - ', function () {
loadTestFile(require.resolve('./bootstrap_prebuilt_rules'));
loadTestFile(require.resolve('./get_prebuilt_rules_status'));
loadTestFile(require.resolve('./get_prebuilt_timelines_status'));
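Review bot: the new trailing ` - ` in `describe('Rules Management - Prebuilt Rules - Prebuilt Rules Management - ', ...)` ends the suite name with a separator and whitespace, which reads as an accidental edit; if it is intended so that nested suite titles concatenate as `... - <child>`, the child describes loaded here must not repeat the separator, and a trailing space in a suite name makes `--grep` filters awkward to type. Either drop the suffix or leave a short comment explaining it.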
@@ -20,6 +20,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
loadTestFile(require.resolve('./upgrade_perform_prebuilt_rules.all_rules_mode'));
loadTestFile(require.resolve('./upgrade_perform_prebuilt_rules.specific_rules_mode'));
loadTestFile(require.resolve('./upgrade_review_prebuilt_rules.rule_type_fields'));
loadTestFile(require.resolve('./upgrade_review_prebuilt_rules.simple_fields'));
loadTestFile(require.resolve('./upgrade_review_prebuilt_rules.number_fields'));
loadTestFile(require.resolve('./upgrade_review_prebuilt_rules.single_line_string_fields'));
loadTestFile(require.resolve('./upgrade_review_prebuilt_rules.scalar_array_fields'));
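Review bot: `upgrade_review_prebuilt_rules.simple_fields` is registered between the rule type and number groups and matches the `SIMPLE_FIELDS` union added in this PR. The visible list stops at `scalar_array_fields`, so confirm that the remaining groups from the test plan table (multi-line string, KQL, EQL and ESQL query, data source and force target version) are loaded below the cut; a suite that is not listed in this index never runs.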