[Security analytics][2.x] Updated tests 2.13 release (#1159) (#1160)

* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* updated tests to match repo

Signed-off-by: Amardeepsingh Siglani <[email protected]>

* fixed findings tests

Signed-off-by: Amardeepsingh Siglani <[email protected]>

---------

Signed-off-by: Amardeepsingh Siglani <[email protected]>
(cherry picked from commit 55f08ef)

Co-authored-by: Amardeepsingh Siglani <[email protected]>

Author: opensearch-trigger-bot[bot]

cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml

@@ -0,0 +1,26 @@
+title: Moriya Rootkit
+id: 25b9c01c-350d-4b95-bed1-836d04a4f324
+description: Detects the use of Moriya rootkit as described in the securelist Operation TunnelSnake report
+status: experimental
+author: Bhabesh Raj
+date: 2021/05/06
+modified: 2021/11/30
+references:
+    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1543.003
+logsource:
+    product: d3
+    category: s3
+    service: azure
+detection:
+    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 2100
+        ServiceName: ZzNetSvc
+    condition: selection
+level: critical
+falsepositives:
+    - Unknown

cypress/integration/plugins/security-analytics-dashboards-plugin/1_detectors.spec.js

@@ -549,6 +549,48 @@ describe('Detectors', () => {
       validateFieldMappingsTable('rules are changed');
     });
 
+    it('...can be stopped and started back from detectors list action menu', () => {
+      cy.wait(1000);
+      cy.get('tbody > tr')
+        .first()
+        .within(() => {
+          cy.get('[class="euiCheckbox__input"]').click({ force: true });
+        });
+
+      // Waiting for Actions menu button to be enabled
+      cy.wait(1000);
+
+      setupIntercept(
+        cy,
+        `${NODE_API.DETECTORS_BASE}/_search`,
+        'detectorsSearch'
+      );
+
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+      cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+      cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+      // Need this extra wait time for the Actions button to become enabled again
+      cy.wait(2000);
+
+      setupIntercept(
+        cy,
+        `${NODE_API.DETECTORS_BASE}/_search`,
+        'detectorsSearch'
+      );
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Start');
+      cy.get('[data-test-subj="toggleDetectorButton').click({ force: true });
+
+      cy.wait('@detectorsSearch').should('have.property', 'state', 'Complete');
+      // Need this extra wait time for the Actions button to become enabled again
+      cy.wait(2000);
+
+      cy.get('[data-test-subj="detectorsActionsButton').click({ force: true });
+      cy.get('[data-test-subj="toggleDetectorButton').contains('Stop');
+    });
+
     it('...can be deleted', () => {
       setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getSigmaRules');
       openDetectorDetails(detectorName);

cypress/integration/plugins/security-analytics-dashboards-plugin/2_rules.spec.js

@@ -155,6 +155,9 @@ const checkRulesFlyout = () => {
 };
 
 const getCreateButton = () => cy.get('[data-test-subj="create_rule_button"]');
+const getImportButton = () => cy.get('[data-test-subj="import_rule_button"]');
+const getImportRuleFilePicker = () =>
+  cy.get('[data-test-subj="import_rule_file_picker"]');
 const getNameField = () => cy.sa_getFieldByLabel('Rule name');
 const getRuleStatusField = () => cy.sa_getFieldByLabel('Rule Status');
 const getDescriptionField = () =>
@@ -631,6 +634,15 @@ describe('Rules', () => {
       checkRulesFlyout();
     });
 
+    it('...can be imported with log type', () => {
+      getImportButton().click({ force: true });
+      getImportRuleFilePicker().selectFile(
+        './cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_aws_s3_rule_to_import.yml'
+      );
+      // Check that AWS S3 log type is set.
+      cy.contains('AWS S3');
+    });
+
     it('...can be deleted', () => {
       setupIntercept(cy, `${NODE_API.RULES_BASE}/_search`, 'getRules', 'POST');
 

cypress/integration/plugins/security-analytics-dashboards-plugin/4_findings.spec.js

@@ -152,5 +152,28 @@ describe('Findings', () => {
     });
   });
 
+  it('shows document not found warning when the document is empty', () => {
+    cy.deleteIndex(indexName);
+    cy.reload();
+
+    // Wait for page to load
+    cy.sa_waitForPageLoad('findings', {
+      contains: 'Findings',
+    });
+
+    // filter table to show only sample_detector findings
+    cy.get(`input[placeholder="Search findings"]`).sa_ospSearch(indexName);
+
+    // open Finding details flyout via finding id link. cy.wait essential, timeout insufficient.
+    cy.sa_getTableFirstRow('[data-test-subj="view-details-icon"]').then(
+      ($el) => {
+        cy.get($el).click({ force: true });
+      }
+    );
+
+    // Flyout should show 'Document not found' warning
+    cy.contains('Document not found');
+  });
+
   after(() => cy.sa_cleanUpTests());
 });