Updated API and Selenium tests to validate Raw Access Read panel on User Security Dashboard (#426)

* Updated API & Sel tests for Create Remote Threads panel

* Updated tests for Powershell network connections panel

* Updated APi & Sel test for Raw Access Read panel on User Security Dashboard

Author: rishagg01

testing/tests/api_tests/data_insertion_tests/fixtures/rawaccessevents.json

@@ -0,0 +1,57 @@
+{
+    "winlog": {
+      "computer_name": "C2.lme.local",
+      "event_id" : "9",
+      "keywords": [
+        "Audit Failure"
+      ],
+      "user": {
+        "name": "APItestuserid",
+        "domain": "test"
+      },
+      "event_data": {
+        "LogonType": "2",
+        "SubjectUserName": "-",
+        "FailureReason": "%%2313",
+        "SubjectDomainName": "-",
+        "IpAddress": "194.169.175.22",
+        "TargetUserName": "solidart",
+        "LogonProcessName": "NtLmSsp ",
+        "SubjectUserSid": "S-1-0-0",
+        "TargetUserSid": "S-1-0-0",
+        "AuthenticationPackageName": "NTLM",
+        "ProcessId" : "1234"
+      },
+      "@timestamp": "2024-06-12T09:50:18.252Z",
+      "host": {
+        "name": "C2.lme.local"
+      }  
+    },
+    "process": {
+      "parent": {
+        "name": "powershell.exe",
+        "executable": "powershell.exe",
+        "args": "test"
+      },
+      "command_line": "invoke",
+      "executable" : "powershell.exe",
+      "args" : "test"
+    },
+    "event": {
+        "code": "4624",
+        "provider": "Microsoft-Windows-Sysmon",
+        "action": "Logon",
+        "outcome": "failure"
+    },
+    "user": {
+        "name": "APItestuserid",
+        "domain": "test"
+    },
+    "host": {
+        "name": "C2.lme.local"
+      },
+    "destination": {
+        "domain": "newtestdomain",
+        "ip" : "1.2.3.4"
+      }
+  }

testing/tests/api_tests/data_insertion_tests/queries/filter_rawaccessevents.json

@@ -0,0 +1,96 @@
+{
+    "aggs": {
+      "2": {
+        "terms": {
+          "field": "user.name",
+          "order": {
+            "_count": "desc"
+          },
+          "size": 100
+        }
+      }
+    },
+  "script_fields": {},
+  "stored_fields": [
+    "*"
+  ],
+  "runtime_mappings": {
+    "day_of_week": {
+      "type": "long",
+      "script": {
+        "source": "emit(doc['@timestamp'].value.dayOfWeekEnum.getValue())"
+      }
+    },
+    "hour_of_day": {
+      "type": "long",
+      "script": {
+        "source": "emit (doc['@timestamp'].value.getHour())"
+      }
+    }
+  },
+  "_source": false,
+  "query": {
+    "bool": {
+      "must": [],
+      "filter": [
+        {
+          "bool": {
+            "filter": [
+              {
+                "bool": {
+                  "should": [
+                    {
+                      "term": {
+                        "winlog.event_id": {
+                          "value": "9"
+                        }
+                      }
+                    }
+                  ],
+                  "minimum_should_match": 1
+                }
+              },
+              {
+                "bool": {
+                  "should": [
+                    {
+                      "term": {
+                        "event.provider": {
+                          "value": "Microsoft-Windows-Sysmon"
+                        }
+                      }
+                    }
+                  ],
+                  "minimum_should_match": 1
+                }
+              }
+            ]
+          }
+        },
+        {
+          "range": {
+            "@timestamp": {
+              "format": "strict_date_optional_time",
+              "gte": "2009-08-23T13:29:55.216Z",
+              "lte": "2024-08-23T13:29:55.216Z"
+            }
+          }
+        }
+      ],
+      "should": [],
+      "must_not": []
+    }
+  },
+  "highlight": {
+    "pre_tags": [
+      "@kibana-highlighted-field@"
+    ],
+    "post_tags": [
+      "@/kibana-highlighted-field@"
+    ],
+    "fields": {
+      "*": {}
+    },
+    "fragment_size": 2147483647
+  }
+}

testing/tests/api_tests/data_insertion_tests/test_server.py

@@ -79,7 +79,12 @@ def test_powershellNetworkConnections(es_host, es_port, username, password):
     second_response_loaded=insert_winlog_data(es_host, es_port, username, password, 'filter_powershellnetworkconnections.json', 'powershellnetworkconnections.json', 1)
 
     # Check to make sure the data was inserted
-    assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'APItestuserid')        
+    assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'APItestuserid')  
 
-
-
+    
+def test_rawaccessevents(es_host, es_port, username, password):
+        
+    second_response_loaded=insert_winlog_data(es_host, es_port, username, password, 'filter_rawaccessevents.json', 'rawaccessevents.json', 1)
+    
+    # Check to make sure the data was inserted
+    assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'APItestuserid')

testing/tests/selenium_tests/cluster/test_user_security_dashboard.py

@@ -127,10 +127,10 @@ def test_references_to_temporary_files(self, setup_login, kibana_url, timeout):
         driver = setup_login
         dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "References to temporary files", ".needarealvaluehere",".visError")  
 
-    @pytest.mark.skip(reason="Skipping this test")
+    #@pytest.mark.skip(reason="Skipping this test")
     def test_raw_access_read(self, setup_login, kibana_url, timeout):
         driver = setup_login
-        dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "RawAccessRead (Sysmon Event 9)", ".needarealvaluehere",".euiDataGrid__noResults")  
+        dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "RawAccessRead (Sysmon Event 9)", ".euiDataGrid",".euiDataGrid__noResults")  
 
     def test_windows_defender_title(self, setup_login, kibana_url, timeout):
         driver = setup_login