diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml index d6b9580b8d80d..c3ad45f9b007d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/endpoint_exceptions_per_policy_opt_in/endpoint_exceptions_per_policy_opt_in.schema.yaml @@ -8,9 +8,7 @@ paths: summary: Retrieve endpoint exceptions per policy opt-in operationId: GetEndpointExceptionsPerPolicyOptIn x-codegen-enabled: true - x-labels: [] - # TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below. - # x-labels: [ ess, serverless ] + x-labels: [ ess, serverless ] x-internal: true responses: '200': @@ -32,9 +30,7 @@ paths: summary: Opt-in to endpoint exceptions per policy operationId: PerformEndpointExceptionsPerPolicyOptIn x-codegen-enabled: true - x-labels: [] - # TODO: When the feature flag `endpointExceptionsMovedUnderManagement` is enabled, remove empty `x-labels` and un-comment the line below. - # x-labels: [ ess, serverless ] + x-labels: [ ess, serverless ] x-internal: true responses: '200': diff --git a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts index 3209886e40901..098776101d0cf 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts 
@@ -142,8 +142,9 @@ export const allowedExperimentalValues = Object.freeze({ /** * Removes Endpoint Exceptions from Rules/Alerts pages, and shows it instead in Manage/Assets. + * Additionally: enables import/export for all Endpoint artifacts. */ - endpointExceptionsMovedUnderManagement: false, + endpointExceptionsMovedUnderManagement: true, /** * Enables CrowdStrike's RunScript RTR command diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts deleted file mode 100644 index 9eed1c1c481b5..0000000000000 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts +++ /dev/null 
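Review bot: Flipping `endpointExceptionsMovedUnderManagement` to `true` leaves the flag-off path without end-to-end coverage, because the same commit deletes `endpoint_exceptions.no_ff.cy.ts` and the only remaining off-path check is the hook unit test that now sets the flag to `false` explicitly. If the flag is still meant to work as a kill switch (the per-policy opt-in routes in the schema file keep `x-internal: true`), keep one navigation test that disables it; if the off value is no longer supported, say so in the doc comment so nobody relies on it. The added doc line could also read more naturally as `* Also enables import/export for all Endpoint artifacts.`. The `allowedExperimentalValues` object continues outside the hunk.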
@@ -1,67 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import * as essSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/security_header'; -import * as serverlessSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/serverless_security_header'; -import { - APP_ENDPOINT_EXCEPTIONS_PATH, - APP_PATH, - RULES_FEATURE_ID, - SECURITY_FEATURE_ID, -} from '../../../../../common/constants'; -import { login, ROLE } from '../../tasks/login'; - -describe('Endpoint exceptions - preserving behaviour without `endpointExceptionsMovedUnderManagement` feature flag', () => { - describe('ESS', { tags: ['@ess'] }, () => { - const loginWithReadAccess = () => { - login.withCustomKibanaPrivileges({ - [SECURITY_FEATURE_ID]: ['read', 'endpoint_exceptions_read'], - [RULES_FEATURE_ID]: ['read'], - }); - }; - - it('should not display Endpoint Exceptions in Administration page', () => { - loginWithReadAccess(); - cy.visit('app/security/manage'); - cy.getByTestSubj('LandingItem').should('not.contain', 'Endpoint exceptions'); - }); - - it('should not display Endpoint Exceptions in Manage side panel', () => { - loginWithReadAccess(); - cy.visit(APP_PATH); - - essSecurityHeaders.openNavigationPanelFor(essSecurityHeaders.ARTIFACTS); - cy.getByTestSubj('solutionSideNavPanel') - .find('[data-test-subj="solutionSideNavPanelLink-endpoint_exceptions"]') - .should('not.exist'); - }); - - it('should display Not Found page when opening url directly', () => { - loginWithReadAccess(); - cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH); - cy.getByTestSubj('notFoundPage').should('exist'); - }); - }); - - describe('Serverless', { tags: ['@serverless', '@skipInServerlessMKI'] }, () => { - it('should not display Endpoint 
Exceptions in Assets side panel ', () => { - // instead of testing with the lowest access (READ), we're testing with t3_analyst with WRITE access, - // as we neither have any role with READ access, nor custom roles on serverless yet - login(ROLE.t3_analyst); - cy.visit(APP_PATH); - - serverlessSecurityHeaders.showMoreItems(); - serverlessSecurityHeaders.openNavigationPanelFor(serverlessSecurityHeaders.ARTIFACTS); - cy.get('[data-test-subj~="nav-item-id-endpoint_exceptions"]').should('not.exist'); - }); - - it('should display Not Found page when opening url directly', () => { - login(ROLE.t3_analyst); - cy.visit(APP_ENDPOINT_EXCEPTIONS_PATH); - cy.getByTestSubj('notFoundPage').should('exist'); - }); - }); -}); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts b/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts index 42fc5ffe72f07..8dfe0fb52756d 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/hooks/artifacts/use_endpoint_per_policy_opt_in.test.ts @@ -40,6 +40,8 @@ describe('useGetEndpointExceptionsPerPolicyOptIn()', () => { }); it('should not call the API when the experimental feature is disabled', () => { + testContext.setExperimentalFlag({ endpointExceptionsMovedUnderManagement: false }); + const { result } = testContext.renderHook(() => useGetEndpointExceptionsPerPolicyOptIn()); expect(result.current.data).toBeUndefined(); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/links.ts b/x-pack/solutions/security/plugins/security_solution/public/management/links.ts index 389a2f6290ae2..9f1dabc098f31 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/links.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/links.ts @@ -15,6 +15,7 @@ import { getEndpointAuthzInitialState, } from '../../common/endpoint/service/authz'; import { + ENDPOINT_EXCEPTIONS_PATH, ENDPOINTS_PATH, ENTITY_ANALYTICS_MANAGEMENT_PATH, MANAGE_PATH, @@ -23,7 +24,6 @@ import { SCRIPT_LIBRARY_PATH, SECURITY_FEATURE_ID, SecurityPageName, - TRUSTED_APPS_PATH, } from '../../common/constants'; import { ARTIFACTS, @@ -135,7 +135,7 @@ export const links: LinkItem = { 'Manage exceptions, trusted applications, and other settings that control how endpoints are protected and respond to activity.', }), landingIcon: IconArtifacts, - path: TRUSTED_APPS_PATH, + path: ENDPOINT_EXCEPTIONS_PATH, skipUrlState: true, hideTimeline: true, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx index 2daa8d3d3f95d..f66bf13dfc58f 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/endpoint_exceptions/view/components/endpoint_exceptions_flyout.tsx @@ -175,7 +175,7 @@ export const EndpointExceptionsFlyout: React.FC = > -
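Review bot: Pointing the Artifacts landing `path` at `ENDPOINT_EXCEPTIONS_PATH` means a user who can read trusted apps or event filters but holds no endpoint-exceptions read privilege now lands on a page they may not be able to open; the deleted no-FF suite shows that route rendering `notFoundPage` without that privilege. The link's `capabilities` are outside this hunk, so confirm they already require endpoint-exceptions read, or otherwise resolve the landing path from the first artifact page the caller is authorized for. A short comment on the changed line would make the coupling visible: `// landing page; keep in sync with this link's capabilities`. The `links` object continues outside the hunk.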

+

{ENDPOINT_EXCEPTIONS_PAGE_LABELS.flyoutCreateTitle}

diff --git a/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts b/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts index bbd33930fc3a9..4dc7136e254a8 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/rules/links.ts @@ -20,7 +20,6 @@ import { RULES_CREATE_PATH, RULES_LANDING_PATH, RULES_PATH, - SECURITY_FEATURE_ID, } from '../../common/constants'; import { ADD_RULES, @@ -95,10 +94,7 @@ export const links: LinkItem = { }), landingIcon: IconConsoleCloud, path: EXCEPTIONS_PATH, - capabilities: [ - EXCEPTIONS_UI_READ_PRIVILEGES, - `${SECURITY_FEATURE_ID}.showEndpointExceptions`, - ], + capabilities: [EXCEPTIONS_UI_READ_PRIVILEGES], skipUrlState: true, hideTimeline: true, globalSearchKeywords: [ diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts index 00593b5fa3a78..3867966f3bc32 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/ess.config.ts @@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { 'trustedAppsAdvancedMode', 'filterProcessDescendantsForTrustedAppsEnabled', 'trustedDevices', + 'endpointExceptionsMovedUnderManagement', ]; return { 
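Review bot: Adding `'endpointExceptionsMovedUnderManagement'` to the `enableExperimental` list in `ess.config.ts` appears redundant with this commit's change of the flag's default to `true` in `experimental_features.ts`; the same entry is added in `serverless.config.ts` and, as a CLI argument, in `security_solution_cypress/config.ts`. If the entries are kept deliberately as a pin against a later default change, say so on the line, e.g. `'endpointExceptionsMovedUnderManagement', // default is true; pinned so this suite does not depend on it`; otherwise drop them so the list only holds flags that are off by default. I am assuming the FTR config does not reset the defaults from `allowedExperimentalValues`. The config function continues outside the hunk.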
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts index 4c034a31c9276..43d2efba74756 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/configs/serverless.config.ts @@ -16,6 +16,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { 'trustedAppsAdvancedMode', 'filterProcessDescendantsForTrustedAppsEnabled', 'trustedDevices', + 'endpointExceptionsMovedUnderManagement', ]; return { diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts index e6d39dd22c8f8..bd42ebacfe574 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/event_filters.ts 
@@ -10,10 +10,6 @@ import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-t import expect from '@kbn/expect'; import { BY_POLICY_ARTIFACT_TAG_PREFIX } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator'; -import { - getImportExceptionsListSchemaMock, - toNdJsonString, -} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock'; import type TestAgent from 'supertest/lib/agent'; import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy'; import type { ArtifactTestData } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_artifacts'; @@ -167,24 +163,6 @@ export default function ({ getService }: FtrProviderContext) { } }); - it('should return 400 for import of endpoint exceptions', async () => { - await endpointPolicyManagerSupertest - .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`) - .set('kbn-xsrf', 'true') - .attach( - 'file', - Buffer.from( - toNdJsonString([getImportExceptionsListSchemaMock(eventFilterData.artifact.list_id)]) - ), - 'exceptions.ndjson' - ) - .expect(400, { - status_code: 400, - message: - 'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions', - }); - }); - describe('and has authorization to manage endpoint security', () => { for (const eventFilterApiCall of eventFilterCalls) { it(`should error on [${eventFilterApiCall.method}] if more than one OS is set`, async () => { diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts index b78f0a4917bd1..e6ca56d663569 100644 
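Review bot: Deleting `should return 400 for import of endpoint exceptions` removes the only assertion in this suite about the `_import` route, and nothing in this hunk (or in the matching hunk in `host_isolation_exceptions.ts`) checks that importing an endpoint artifact now goes through the same authorization and validation the direct API calls are tested for below (`endpointPolicyManagerSupertest` versus less-privileged callers, multi-OS and condition-entry checks). If import is now supported for these lists, add one test that imports `eventFilterData.artifact.list_id` with a caller lacking endpoint-security management privileges and expects the same error the direct API call returns, and one that imports an item with an invalid entry and expects 400, so `_import` cannot become a bypass of the per-artifact validators. The enclosing `describe` continues outside the hunk.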
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/artifacts/trial_license_complete_tier/host_isolation_exceptions.ts @@ -12,10 +12,6 @@ import { BY_POLICY_ARTIFACT_TAG_PREFIX, GLOBAL_ARTIFACT_TAG, } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; -import { - getImportExceptionsListSchemaMock, - toNdJsonString, -} from '@kbn/lists-plugin/common/schemas/request/import_exceptions_schema.mock'; import { ExceptionsListItemGenerator } from '@kbn/security-solution-plugin/common/endpoint/data_generators/exceptions_list_item_generator'; import type TestAgent from 'supertest/lib/agent'; import type { PolicyTestResourceInfo } from '@kbn/test-suites-xpack-security-endpoint/services/endpoint_policy'; @@ -169,26 +165,6 @@ export default function ({ getService }: FtrProviderContext) { } }); - it('should return 400 for import of endpoint exceptions', async () => { - await endpointPolicyManagerSupertest - .post(`${EXCEPTION_LIST_URL}/_import?overwrite=false`) - .set('kbn-xsrf', 'true') - .attach( - 'file', - Buffer.from( - toNdJsonString([ - getImportExceptionsListSchemaMock(hostIsolationExceptionData.artifact.list_id), - ]) - ), - 'exceptions.ndjson' - ) - .expect(400, { - status_code: 400, - message: - 'EndpointArtifactError: Import is not supported for Endpoint artifact exceptions', - }); - }); - describe('and has authorization to manage endpoint security', () => { for (const hostIsolationExceptionApiCall of hostIsolationExceptionCalls) { it(`[${hostIsolationExceptionApiCall.method}] if invalid condition entry fields are used`, async () => { diff --git a/x-pack/solutions/security/test/security_solution_cypress/config.ts b/x-pack/solutions/security/test/security_solution_cypress/config.ts index fbdca1ed3f41c..5451712f7b783 100644 
--- a/x-pack/solutions/security/test/security_solution_cypress/config.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/config.ts @@ -56,6 +56,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { `--xpack.fleet.developer.bundledPackageLocation=./inexistentDir`, '--csp.strict=false', '--csp.warnLegacyBrowsers=false', + // For testing Import flyout with Endpoint artifacts + '--xpack.securitySolution.enableExperimental=["endpointExceptionsMovedUnderManagement"]', ], runOptions: { wait: FLEET_PLUGIN_READY_LOG_MESSAGE_REGEXP, diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts index e14b0261b80cc..7d873b188234c 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/endpoint_exceptions.cy.ts @@ -33,12 +33,14 @@ import { import { ALERTS_COUNT } from '../../../../../screens/alerts'; import { ADD_NESTED_BTN, - EXCEPTION_CARD_ITEM_CONDITIONS, - EXCEPTION_CARD_ITEM_NAME, - EXCEPTION_ITEM_VIEWER_CONTAINER, + ENDPOINT_EXCEPTION_CARD, + ENDPOINT_EXCEPTION_CARD_CONDITIONS, + ENDPOINT_EXCEPTION_CARD_HEADER_TITLE, + ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN, + ENDPOINT_EXCEPTION_ITEM_NAME_INPUT, } from '../../../../../screens/exceptions'; import { - goToEndpointExceptionsTab, + goToEndpointExceptions, visitRuleDetailsPage, waitForTheRuleToBeExecuted, } from '../../../../../tasks/rule_details'; 
@@ -53,7 +55,6 @@ describe( const ADDITIONAL_ENTRY = 'host.hostname'; beforeEach(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint' }); login(); deleteAlertsAndRules(); deleteEndpointExceptionList(); @@ -82,8 +83,8 @@ describe( validateExceptionConditionField('file.Ext.code_signature'); selectCloseSingleAlerts(); - addExceptionFlyoutItemName(ITEM_NAME); - submitNewExceptionItem(); + addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); + submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN); // Instead of immediately checking if the Opened Alert has moved to the closed tab, // use the waitForAlerts method to create a buffer, allowing the alerts some time to @@ -105,7 +106,7 @@ describe( // As the endpoint.alerts-* is used to trigger the alert the // file.Ext.code_signature will be auto-populated validateExceptionConditionField('file.Ext.code_signature'); - addExceptionFlyoutItemName(ITEM_NAME); + addExceptionFlyoutItemName(ITEM_NAME, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); // Add non-nested condition cy.get(ADD_NESTED_BTN).click(); 
@@ -114,21 +115,20 @@ describe( addExceptionEntryFieldValueValue('foo', 4); // Change the name again - editExceptionFlyoutItemName(ITEM_NAME_EDIT); + editExceptionFlyoutItemName(ITEM_NAME_EDIT, ENDPOINT_EXCEPTION_ITEM_NAME_INPUT); // validate the condition is still "agent.name" or got rest after the name is changed validateExceptionConditionField(ADDITIONAL_ENTRY); selectCloseSingleAlerts(); - submitNewExceptionItem(); + submitNewExceptionItem(ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN); - // Endpoint Exception will move to Endpoint List under Exception tab of rule - goToEndpointExceptionsTab(); + goToEndpointExceptions(); // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME_EDIT); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).contains('span', ADDITIONAL_ENTRY); + cy.get(ENDPOINT_EXCEPTION_CARD).should('have.length', 1); + cy.get(ENDPOINT_EXCEPTION_CARD_HEADER_TITLE).should('have.text', ITEM_NAME_EDIT); + cy.get(ENDPOINT_EXCEPTION_CARD_CONDITIONS).contains('span', ADDITIONAL_ENTRY); }); } ); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts index 766990a824a76..f877a00f082bb 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/alerts_table_flow/rule_exceptions/auto_populate_with_alert_data.cy.ts 
@@ -38,8 +38,7 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles const ADDITIONAL_ENTRY = 'host.hostname'; beforeEach(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint_2' }); - cy.task('esArchiverLoad', { archiveName: 'endpoint_2' }); + cy.task('esArchiverLoad', { archiveName: 'endpoint' }); login(); createRule(getEndpointRule()).then((rule) => visitRuleDetailsPage(rule.body.id, { tab: 'alerts' }) @@ -48,7 +47,6 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles waitForAlertsToPopulate(); }); after(() => { - cy.task('esArchiverUnload', { archiveName: 'endpoint' }); deleteAlertsAndRules(); }); afterEach(() => { @@ -73,6 +71,12 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles type: 'match', value: 'siem-kibana', }, + { + field: 'agent.id', + operator: 'included', + type: 'match', + value: '0ebd469b-c164-4734-00e6-96d018098dc7', + }, { field: 'user.name', operator: 'included', @@ -104,10 +108,6 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles value: ['-zsh'], }, ]); - cy.wrap(response?.body[0].comments[0].comment).should( - 'contain', - 'Exception conditions are pre-filled with relevant data from an alert with the alert id (_id):' - ); }); }); @@ -144,6 +144,12 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles type: 'match', value: 'siem-kibana', }, + { + field: 'agent.id', + operator: 'included', + type: 'match', + value: '0ebd469b-c164-4734-00e6-96d018098dc7', + }, { field: 'user.name', operator: 'included', 
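Review bot: `beforeEach` now loads the `endpoint` archive before every test, but the matching `cy.task('esArchiverUnload', { archiveName: 'endpoint' })` is removed from `after`, so the archive stays loaded after the suite finishes, and `endpoint_exceptions.cy.ts` no longer unloads it in its own `beforeEach` either. Unless `esArchiverLoad` is idempotent and a later suite cleans up, restore the unload in `after`: `cy.task('esArchiverUnload', { archiveName: 'endpoint' });`. The first test also drops the assertion on `comments[0].comment` while the second test (next hunk) keeps it; if the pre-filled comment is intentionally absent in the first flow, a one-line comment saying why would stop the asymmetry looking accidental. The hard-coded `agent.id` value in the expected entries is tied to the archive fixture, so a named constant with a comment pointing at the archive would make that dependency explicit. The `describe` block continues outside the hunk.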
@@ -163,16 +169,16 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles value: '123', }, { - field: 'process.name', + field: 'host.hostname', operator: 'included', type: 'match', - value: 'zsh', + value: 'foo', }, { - field: 'host.hostname', + field: 'process.args', operator: 'included', - type: 'match', - value: 'foo', + type: 'match_any', + value: ['-zsh'], }, ]); cy.wrap(response?.body[0].comments[0].comment).should( @@ -206,6 +212,7 @@ describe('Auto populate exception with Alert data', { tags: ['@ess', '@serverles 'user.name', 'process.executable', 'file.path', + 'process.name', ]; /** diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts deleted file mode 100644 index 7924780c43624..0000000000000 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/rule_details_flow/add_edit_endpoint_exception.cy.ts +++ /dev/null 
@@ -1,237 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { getNewRule } from '../../../../../objects/rule'; - -import { createRule } from '../../../../../tasks/api_calls/rules'; -import { login } from '../../../../../tasks/login'; -import { - openEditException, - openExceptionFlyoutFromEmptyViewerPrompt, - searchForExceptionItem, - visitRuleDetailsPage, - waitForPageToBeLoaded as waitForRuleDetailsPageToBeLoaded, -} from '../../../../../tasks/rule_details'; -import { - addExceptionConditions, - addExceptionFlyoutItemName, - editException, - editExceptionFlyoutItemName, - selectOs, - submitEditedExceptionItem, - submitNewExceptionItem, -} from '../../../../../tasks/exceptions'; - -import { deleteAlertsAndRules } from '../../../../../tasks/api_calls/common'; -import { - NO_EXCEPTIONS_EXIST_PROMPT, - EXCEPTION_ITEM_VIEWER_CONTAINER, - NO_EXCEPTIONS_SEARCH_RESULTS_PROMPT, - CLOSE_ALERTS_CHECKBOX, - CONFIRM_BTN, - ADD_TO_RULE_OR_LIST_SECTION, - CLOSE_SINGLE_ALERT_CHECKBOX, - EXCEPTION_ITEM_CONTAINER, - VALUES_INPUT, - EXCEPTION_CARD_ITEM_NAME, - EXCEPTION_CARD_ITEM_CONDITIONS, - FIELD_INPUT_PARENT, -} from '../../../../../screens/exceptions'; -import { - createEndpointExceptionList, - createEndpointExceptionListItem, - deleteEndpointExceptionList, - deleteExceptionLists, -} from '../../../../../tasks/api_calls/exceptions'; - -// https://github.com/elastic/kibana/issues/187279 -describe( - 'Add endpoint exception from rule details', - { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, - () => { - const ITEM_NAME = 'Sample Exception List Item'; - const NEW_ITEM_NAME = 'Exception item-EDITED'; - const ITEM_FIELD = 'event.code'; - const FIELD_DIFFERENT_FROM_EXISTING_ITEM_FIELD = 'agent.type'; - - before(() => { - cy.task('esArchiverLoad', { 
archiveName: 'auditbeat_multiple' }); - }); - - after(() => { - cy.task('esArchiverUnload', { archiveName: 'auditbeat_multiple' }); - }); - - beforeEach(() => { - deleteExceptionLists(); - deleteEndpointExceptionList(); - - login(); - deleteAlertsAndRules(); - }); - - describe('without exception items', () => { - beforeEach(() => { - createEndpointExceptionList().then((response) => { - createRule( - getNewRule({ - query: 'event.code:*', - index: ['auditbeat*'], - exceptions_list: [ - { - id: response.body.id, - list_id: response.body.list_id, - type: response.body.type, - namespace_type: response.body.namespace_type, - }, - ], - rule_id: '2', - enabled: false, - }) - ).then((rule) => visitRuleDetailsPage(rule.body.id, { tab: 'endpoint_exceptions' })); - }); - }); - - it('creates an exception item', () => { - // when no exceptions exist, empty component shows with action to add exception - - cy.get(NO_EXCEPTIONS_EXIST_PROMPT).should('exist'); - - // open add exception modal - openExceptionFlyoutFromEmptyViewerPrompt(); - - // submit button is disabled if no paramerters were added - cy.get(CONFIRM_BTN).should('have.attr', 'disabled'); - - // for endpoint exceptions, must specify OS - selectOs('windows'); - - // add exception item conditions - addExceptionConditions({ - field: 'event.code', - operator: 'is', - values: ['foo'], - }); - - // Name is required so want to check that submit is still disabled - cy.get(CONFIRM_BTN).should('have.attr', 'disabled'); - - // add exception item name - addExceptionFlyoutItemName(ITEM_NAME); - - // Option to add to rule or add to list should NOT appear - cy.get(ADD_TO_RULE_OR_LIST_SECTION).should('not.exist'); - - // not testing close alert functionality here, just ensuring that the options appear as expected - cy.get(CLOSE_SINGLE_ALERT_CHECKBOX).should('not.exist'); - cy.get(CLOSE_ALERTS_CHECKBOX).should('exist'); - - // submit - submitNewExceptionItem(); - - // new exception item displays - 
cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - }); - }); - - // FLAKY: https://github.com/elastic/kibana/issues/179582 - describe.skip('with exception items', () => { - beforeEach(() => { - createEndpointExceptionList().then((response) => { - createEndpointExceptionListItem({ - comments: [], - description: 'Exception list item', - entries: [ - { - field: ITEM_FIELD, - operator: 'included', - type: 'match', - value: 'foo', - }, - ], - name: ITEM_NAME, - tags: [], - type: 'simple', - os_types: ['windows'], - }); - - createRule( - getNewRule({ - name: 'Rule with exceptions', - query: 'event.code:*', - index: ['auditbeat*'], - exceptions_list: [ - { - id: response.body.id, - list_id: response.body.list_id, - type: response.body.type, - namespace_type: response.body.namespace_type, - }, - ], - rule_id: '2', - enabled: false, - }) - ).then((rule) => { - visitRuleDetailsPage(rule.body.id, { tab: 'endpoint_exceptions' }); - waitForRuleDetailsPageToBeLoaded('Rule with exceptions'); - }); - }); - }); - - it('edits an endpoint exception item', () => { - // displays existing exception items - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - cy.get(NO_EXCEPTIONS_EXIST_PROMPT).should('not.exist'); - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', ITEM_NAME); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).should('have.text', ` ${ITEM_FIELD}IS foo`); - - // open edit exception modal - openEditException(); - - // edit exception item name - editExceptionFlyoutItemName(NEW_ITEM_NAME); - - // check that the existing item's field is being populated - cy.get(EXCEPTION_ITEM_CONTAINER) - .eq(0) - .find(FIELD_INPUT_PARENT) - .eq(0) - .should('have.value', ITEM_FIELD); - cy.get(VALUES_INPUT).should('have.value', 'foo'); - - // edit conditions - editException(FIELD_DIFFERENT_FROM_EXISTING_ITEM_FIELD, 0, 0); - - // submit - submitEditedExceptionItem(); - - // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); 
- - // check that updates stuck - cy.get(EXCEPTION_CARD_ITEM_NAME).should('have.text', NEW_ITEM_NAME); - cy.get(EXCEPTION_CARD_ITEM_CONDITIONS).should('have.text', ' agent.typeIS foo'); - }); - - it('allows user to search for items', () => { - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - - // can search for an exception value - searchForExceptionItem('foo'); - - // new exception item displays - cy.get(EXCEPTION_ITEM_VIEWER_CONTAINER).should('have.length', 1); - - // displays empty search result view if no matches found - searchForExceptionItem('abc'); - - // new exception item displays - cy.get(NO_EXCEPTIONS_SEARCH_RESULTS_PROMPT).should('exist'); - }); - }); - } -); diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts index 95f75c38a05be..ef9867331ef8a 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/filter_table.cy.ts 
@@ -74,15 +74,15 @@ describe('Filter Lists', { tags: ['@ess', '@serverless', '@skipInServerlessMKI']
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
 // Single word search
- searchForExceptionList('Endpoint');
+ searchForExceptionList('my');
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
 cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1');
- cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', 'Endpoint Security Exception List');
+ cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', EXCEPTION_LIST_NAME);
 // Multi word search
 clearSearchSelection();
@@ -105,17 +105,17 @@ describe('Filter Lists', { tags: ['@ess', '@serverless', '@skipInServerlessMKI']
 // Field search
 clearSearchSelection();
- searchForExceptionList('list_id:endpoint_list');
+ searchForExceptionList('list_id:exception_list_1');
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
 cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1');
- cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', 'Endpoint Security Exception List');
+ cy.get(EXCEPTIONS_TABLE_LIST_NAME).should('have.text', EXCEPTION_LIST_NAME);
 clearSearchSelection();
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
 });
 });
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts
index 4ebba57b9a279..680ad93e8aa70 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/import_lists.cy.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants';
 import {
 IMPORT_SHARED_EXCEPTION_LISTS_CLOSE_BTN,
 EXCEPTIONS_TABLE_SHOWING_LISTS,
@@ -16,7 +17,7 @@ import {
 importExceptionListWithSelectingCreateNewOption,
 validateImportExceptionListWentSuccessfully,
 validateImportExceptionListFailedBecauseExistingListFound,
- validateImportExceptionListCreateNewOptionDisabled,
+ validateImportExceptionListFailedOnArtifactTypePrecheck,
 } from '../../../../../../tasks/exceptions_table';
 import { login } from '../../../../../../tasks/login';
 import { visit } from '../../../../../../tasks/navigation';
@@ -24,7 +25,6 @@ import { EXCEPTIONS_URL } from '../../../../../../urls/navigation';
 describe('Import Lists', { tags: ['@ess', '@serverless', '@skipInServerless'] }, () => {
 const LIST_TO_IMPORT_FILENAME = 'cypress/fixtures/7_16_exception_list.ndjson';
- const ENDPOINT_LIST_TO_IMPORT_FILENAME = 'cypress/fixtures/endpoint_exception_list.ndjson';
 beforeEach(() => {
 login();
 visit(EXCEPTIONS_URL);
@@ -85,27 +85,30 @@ describe('Import Lists', { tags: ['@ess', '@serverless', '@skipInServerless'] },
 });
 });
- describe('Endpoint Security Exception List', () => {
+ describe('When importing Endpoint artifacts', () => {
+ const prepareFile = (listId: string) =>
+ Cypress.Buffer
+ .from(`{"_version":"WzUxOTM4LDE1XQ==","created_at":"2024-03-18T14:11:18.125Z","created_by":"kibana","description":"Endpoint Security Exception List","id":"endpoint_list","immutable":false,"list_id":"${listId}","name":"Endpoint Security Exception List","namespace_type":"agnostic","os_types":[],"tags":[],"tie_breaker_id":"04deda68-7162-4349-8e34-c315bb9f896f","type":"endpoint","updated_at":"2024-03-19T12:57:31.911Z","updated_by":"elastic","version":1}
+{"randomFields":"randomValues","list_id":"${listId}"}
+{"exported_exception_list_count":1,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
+`);
+
 before(() => {
 login();
 visit(EXCEPTIONS_URL);
 waitForExceptionsTableToBeLoaded();
- cy.intercept(/(\/api\/exception_lists\/_import)/).as('import');
-
- // Make sure we have Endpoint Security Exception List
- importExceptionLists(ENDPOINT_LIST_TO_IMPORT_FILENAME);
- validateImportExceptionListWentSuccessfully();
- cy.get(IMPORT_SHARED_EXCEPTION_LISTS_CLOSE_BTN).click();
 });
- it('Should not allow to import or create a second Endpoint Security Exception List', () => {
- // Try to import another Endpoint Security Exception List
- importExceptionLists(ENDPOINT_LIST_TO_IMPORT_FILENAME);
+ ENDPOINT_ARTIFACT_LIST_IDS.forEach((listId) => {
+ it(`Should not allow to import Endpoint artifacts to "${listId}" list`, () => {
+ cy.intercept(/(\/api\/exception_lists\/_import)/, () => {
+ throw new Error(`Import API should not be called when importing ${listId} list`);
+ });
- validateImportExceptionListFailedBecauseExistingListFound();
+ importExceptionLists(prepareFile(listId));
- // Validate that "Create new list" option is disabled
- validateImportExceptionListCreateNewOptionDisabled();
+ validateImportExceptionListFailedOnArtifactTypePrecheck();
+ });
 });
 });
 });
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts
index 049a29bdd334f..71273d34b5702 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/exceptions/shared_exception_lists_management/shared_exception_list_page/manage_lists.cy.ts
@@ -132,13 +132,13 @@ describe(
 it('Delete exception list without rule reference', () => {
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
 deleteExceptionListWithoutRuleReferenceByListId(getExceptionList1().list_id);
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1');
 });
 it('Deletes exception list with rule reference', () => {
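Review bot: The throwing `cy.intercept` handler together with `validateImportExceptionListFailedOnArtifactTypePrecheck()` only proves that the shared-lists UI refuses endpoint-artifact lists before reaching `/api/exception_lists/_import`; nothing in this hunk covers the server rejecting the same payload when the endpoint is called directly, which is the control that actually matters because the client precheck is advisory. If an API integration test for the import endpoint does not already assert that `type: 'endpoint'` lists are refused, it belongs alongside this change. Smaller point: `prepareFile` splices `listId` into a JSON string through a template literal without escaping; that is fine because the values come from `ENDPOINT_ARTIFACT_LIST_IDS`, but a comment such as `// listId is one of the fixed ENDPOINT_ARTIFACT_LIST_IDS, so no JSON escaping is needed` would keep a later caller from passing arbitrary input.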
@@ -147,13 +147,13 @@ describe(
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '3');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
 deleteExceptionListWithRuleReferenceByListId(getExceptionList2().list_id);
 // Using cy.contains because we do not care about the exact text,
 // just checking number of lists shown
- cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '2');
+ cy.contains(EXCEPTIONS_TABLE_SHOWING_LISTS, '1');
 });
 });
 }
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts
index d4e6e75c68f3e..31f7ddf9b3600 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/navigation/navigation.cy.ts
@@ -69,6 +69,9 @@ import {
 RULES_COVERAGE_URL,
 OSQUERY_URL,
 HOSTS_URL,
+ ENDPOINT_EXCEPTIONS_URL,
+ HOST_ISOLATION_EXCEPTIONS_URL,
+ TRUSTED_DEVICES_URL,
 CLOUD_NATIVE_VULN_MGMT_URL,
 DATA_QUALITY_URL,
 KUBERNETES_URL,
@@ -282,14 +285,19 @@ describe('top-level navigation common to all pages in the Security app', { tags:
 navigateFromHeaderTo(ARTIFACTS);
 cy.url().should('include', ADMINISTRATION_URL_PREFIX);
 });
- it('artifact tab deep links still resolve', () => {
- visit(TRUSTED_APPS_URL);
- cy.url().should('include', TRUSTED_APPS_URL);
- visit(EVENT_FILTERS_URL);
- cy.url().should('include', EVENT_FILTERS_URL);
- visit(BLOCKLIST_URL);
- cy.url().should('include', BLOCKLIST_URL);
- });
+ for (const [artifactName, artifactUrl] of [
+ ['trusted apps', TRUSTED_APPS_URL],
+ ['event filters', EVENT_FILTERS_URL],
+ ['blocklist', BLOCKLIST_URL],
+ ['endpoint exceptions', ENDPOINT_EXCEPTIONS_URL],
+ ['host isolation exceptions', HOST_ISOLATION_EXCEPTIONS_URL],
+ ['trusted devices', TRUSTED_DEVICES_URL],
+ ]) {
+ it(`${artifactName} deep links still resolve`, () => {
+ visit(artifactUrl);
+ cy.url().should('include', artifactUrl);
+ });
+ }
 it('navigates to the CSP Benchmarks page', () => {
 navigateFromHeaderTo(CSP_BENCHMARKS);
 cy.url().should('include', CSP_BENCHMARKS_URL);
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson b/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson
deleted file mode 100644
index ebd1cbc34d25e..0000000000000
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/fixtures/endpoint_exception_list.ndjson
+++ /dev/null
@@ -1,2 +0,0 @@
-{"_version":"WzUxOTM4LDE1XQ==","created_at":"2024-03-18T14:11:18.125Z","created_by":"kibana","description":"Endpoint Security Exception List","id":"endpoint_list","immutable":false,"list_id":"endpoint_list","name":"Endpoint Security Exception List","namespace_type":"agnostic","os_types":[],"tags":[],"tie_breaker_id":"04deda68-7162-4349-8e34-c315bb9f896f","type":"endpoint","updated_at":"2024-03-19T12:57:31.911Z","updated_by":"elastic","version":1}
-{"exported_exception_list_count":1,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
index e3310f5258ad8..4fd1e3b216eb0 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/objects/rule.ts
@@ -481,7 +481,7 @@ export const getEditedRule = (): QueryRuleCreateProps =>
 export const getEndpointRule = (): QueryRuleCreateProps => ({
 type: 'query',
 query: 'event.kind:alert and event.module:(endpoint and not endgame)',
- index: ['endpoint.alerts-*'],
+ index: ['logs-endpoint.alerts-*'],
 name: 'Endpoint Rule',
 description: 'The new rule description.',
 severity: 'high',
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts
index 847b2175426b9..09820508c1d5c 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/exceptions.ts
@@ -11,6 +11,9 @@ export const CLOSE_SINGLE_ALERT_CHECKBOX = '[data-test-subj="closeAlertOnAddExce
 export const CONFIRM_BTN = '[data-test-subj="addExceptionConfirmButton"]';
+export const ENDPOINT_EXCEPTION_ITEM_CONFIRM_BTN =
+ '[data-test-subj="add-endpoint-exception-confirm-button"]';
+
 export const FIELD_INPUT =
 '[data-test-subj="fieldAutocompleteComboBox"] [data-test-subj="comboBoxSearchInput"]';
@@ -128,6 +131,17 @@ export const EXCEPTION_CARD_ITEM_CONDITIONS =
 // Exception flyout components
 export const EXCEPTION_ITEM_NAME_INPUT = 'input[data-test-subj="exceptionFlyoutNameInput"]';
+export const ENDPOINT_EXCEPTION_ITEM_NAME_INPUT =
+ 'input[data-test-subj="endpointExceptions-form-name-input"]';
+
+export const ENDPOINT_EXCEPTION_CARD = '[data-test-subj="endpointExceptionsListPage-card"]';
+
+export const ENDPOINT_EXCEPTION_CARD_HEADER_TITLE =
+ '[data-test-subj="endpointExceptionsListPage-card-header-title"]';
+
+export const ENDPOINT_EXCEPTION_CARD_CONDITIONS =
+ '[data-test-subj="endpointExceptionsListPage-card-criteriaConditions-condition"]';
+
 export const ADD_TO_SHARED_LIST_RADIO_LABEL = '[data-test-subj="addToListsRadioOption"] label';
 export const ADD_TO_SHARED_LIST_RADIO_INPUT = 'input[id="add_to_lists"]';
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts
index 26a6e931ef4b2..7881d8e081605 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/rule_details.ts
@@ -52,8 +52,6 @@ export const INDEX_PATTERNS_DETAILS = 'Index patterns';
 export const INVESTIGATION_FIELDS_DETAILS = 'Custom highlighted fields';
-export const ENDPOINT_EXCEPTIONS_TAB = 'a[data-test-subj="navigation-endpoint_exceptions"]';
-
 export const INDICATOR_INDEX_PATTERNS = 'Indicator index patterns';
 export const INDICATOR_INDEX_QUERY = 'Indicator index query';
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts
index 36d98573e370b..e49b0d5fcb394 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions/flyout_options.ts
@@ -33,24 +33,30 @@ export const showMappingConflictsWarningMessage = (message: string, index = 0) =
 cy.get(EXCEPTION_FIELD_MAPPING_CONFLICTS_DESCRIPTION).eq(index).should('have.text', message);
 };
-export const addExceptionFlyoutItemName = (name: string) => {
+export const addExceptionFlyoutItemName = (
+ name: string,
+ selector: string = EXCEPTION_ITEM_NAME_INPUT
+) => {
 // waitUntil reduces the flakiness of this task because sometimes
 // there are background process/events happening which prevents cypress
 // to completely write the name of the exception before it page re-renders
 // thereby cypress losing the focus on the input element.
- cy.waitUntil(() => cy.get(EXCEPTION_ITEM_NAME_INPUT).then(($el) => Cypress.dom.isAttached($el)));
- cy.get(EXCEPTION_ITEM_NAME_INPUT).should('exist');
- cy.get(EXCEPTION_ITEM_NAME_INPUT).scrollIntoView();
- cy.get(EXCEPTION_ITEM_NAME_INPUT).should('be.visible');
- cy.get(EXCEPTION_ITEM_NAME_INPUT).first().focus();
- cy.get(EXCEPTION_ITEM_NAME_INPUT).type(`{selectall}${name}{enter}`, { force: true });
- cy.get(EXCEPTION_ITEM_NAME_INPUT).should('have.value', name);
+ cy.waitUntil(() => cy.get(selector).then(($el) => Cypress.dom.isAttached($el)));
+ cy.get(selector).should('exist');
+ cy.get(selector).scrollIntoView();
+ cy.get(selector).should('be.visible');
+ cy.get(selector).first().focus();
+ cy.get(selector).type(`{selectall}${name}{enter}`, { force: true });
+ cy.get(selector).should('have.value', name);
 };
-export const editExceptionFlyoutItemName = (name: string) => {
- cy.get(EXCEPTION_ITEM_NAME_INPUT).clear();
- cy.get(EXCEPTION_ITEM_NAME_INPUT).type(`{selectall}${name}{enter}`);
- cy.get(EXCEPTION_ITEM_NAME_INPUT).should('have.value', name);
+export const editExceptionFlyoutItemName = (
+ name: string,
+ selector: string = EXCEPTION_ITEM_NAME_INPUT
+) => {
+ cy.get(selector).clear();
+ cy.get(selector).type(`{selectall}${name}{enter}`);
+ cy.get(selector).should('have.value', name);
 };
 export const selectBulkCloseAlerts = () => {
@@ -71,8 +77,8 @@ export const selectOs = (os: string) => {
 cy.get(OS_INPUT).type(`${os}{downArrow}{enter}`);
 };
-export const submitNewExceptionItem = () => {
- cy.get(CONFIRM_BTN).should('exist');
+export const submitNewExceptionItem = (selector: string = CONFIRM_BTN) => {
+ cy.get(selector).should('exist');
 /* Sometimes a toaster error message unrelated with the test performed is displayed. The toaster is blocking the confirm button we have to click. Using force true would solve the issue, but should not be used. There are some tests that use the closeErrorToast() method to close error toasters before continuing with the interactions with the page.
@@ -84,8 +90,8 @@ export const submitNewExceptionItem = () => {
 closeErrorToast();
 }
 });
- cy.get(CONFIRM_BTN).click();
- cy.get(CONFIRM_BTN).should('not.exist');
+ cy.get(selector).click();
+ cy.get(selector).should('not.exist');
 };
 export const submitEditedExceptionItem = () => {
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts
index 0312c7bc859f3..da7b4c809659a 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/exceptions_table.ts
@@ -56,7 +56,7 @@ export const clearSearchSelection = () => {
 cy.get(EXCEPTIONS_TABLE_SEARCH_CLEAR).first().click();
 };
-export const importExceptionLists = (listsFile: string) => {
+export const importExceptionLists = (listsFile: Cypress.FileReference) => {
 cy.get(IMPORT_SHARED_EXCEPTION_LISTS_BTN).click();
 cy.get(INPUT_FILE).should('exist');
 cy.get(INPUT_FILE).trigger('click');
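Review bot: The new defaulted parameter `selector: string = EXCEPTION_ITEM_NAME_INPUT` in `addExceptionFlyoutItemName` and `editExceptionFlyoutItemName` (and `selector: string = CONFIRM_BTN` in `submitNewExceptionItem` in the following hunk) carries an annotation the default value already infers; `selector = EXCEPTION_ITEM_NAME_INPUT` reads the same and matches how `showMappingConflictsWarningMessage` writes its `index = 0` default at the top of this hunk. If the repo's lint config enables `@typescript-eslint/no-inferrable-types` these would be flagged, so it is worth aligning now rather than in a follow-up.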
@@ -301,6 +301,13 @@ export const validateImportExceptionListFailedBecauseExistingListFound = () => {
 });
 };
-export const validateImportExceptionListCreateNewOptionDisabled = () => {
- cy.get(IMPORT_SHARED_EXCEPTION_LISTS_OVERWRITE_CREATE_NEW_CHECKBOX).should('be.disabled');
+export const validateImportExceptionListFailedOnArtifactTypePrecheck = () => {
+ cy.get(TOASTER).should('have.text', 'There was an error uploading the exception list.');
+ cy.get(TOASTER_BODY)
+ .invoke('text')
+ .should((bodyText) => {
+ expect(bodyText).to.match(
+ /You can only import shared exception lists here, but at least one of the imported files contains endpoint artifacts. Import endpoint artifacts from their dedicated pages instead./i
+ );
+ });
 };
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts
index d67e8ab6700e7..bc3d74098da23 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/rule_details.ts
@@ -24,7 +24,6 @@ import {
 DETAILS_TITLE,
 EDIT_EXCEPTION_BTN,
 EDIT_RULE_SETTINGS_LINK,
- ENDPOINT_EXCEPTIONS_TAB,
 EXCEPTION_ITEM_ACTIONS_BUTTON,
 EXCEPTIONS_TAB,
 EXCEPTIONS_TAB_ACTIVE_FILTER,
@@ -63,6 +62,7 @@ import { addsFields, closeFieldsBrowser, filterFieldsBrowser } from './fields_br
 import { visit } from './navigation';
 import { LOCAL_DATE_PICKER_APPLY_BUTTON_TIMELINE } from '../screens/date_picker';
 import { GAP_AUTO_FILL_LOGS_TABLE } from '../screens/rule_gaps';
+import { ENDPOINT_EXCEPTIONS_URL } from '../urls/navigation';
 interface VisitRuleDetailsPageOptions {
 tab?: RuleDetailsTabs;
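Review bot: `expect(bodyText).to.match(/You can only import shared exception lists here, … instead./i)` turns a full sentence into a regex, so the two `.` characters match any character and the `i` flag hides casing changes in the UI copy that a test should catch; `expect(bodyText).to.include('You can only import shared exception lists here, but at least one of the imported files contains endpoint artifacts. Import endpoint artifacts from their dedicated pages instead.')` is stricter and has no metacharacters to keep escaped. The `cy.get(TOASTER).should('have.text', …)` assertion above it compares the concatenated text of every matched toast, so it may fail when an unrelated toast is mounted at the same time; `cy.contains(TOASTER, 'There was an error uploading the exception list.')` would be more tolerant of that, though the other validators in this file are outside the hunk and may already follow a different convention.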
@@ -143,8 +143,8 @@ export const viewExpiredExceptionItems = () => {
 cy.get(EXCEPTIONS_TAB_ACTIVE_FILTER).click();
 };
-export const goToEndpointExceptionsTab = () => {
- cy.get(ENDPOINT_EXCEPTIONS_TAB).click();
+export const goToEndpointExceptions = () => {
+ cy.visit(ENDPOINT_EXCEPTIONS_URL);
 };
 export const openEditException = (index = 0) => {
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts
index 45329800b238a..a909ad22d5211 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/urls/navigation.ts
@@ -19,6 +19,8 @@ export const POLICIES_URL = '/app/security/administration/policy';
 /** Any artifact tab lives under this path prefix (trusted apps, event filters, blocklist, etc.) */
 export const ADMINISTRATION_URL_PREFIX = '/app/security/administration';
 export const TRUSTED_APPS_URL = '/app/security/administration/trusted_apps';
+export const TRUSTED_DEVICES_URL = '/app/security/administration/trusted_devices';
+export const ENDPOINT_EXCEPTIONS_URL = '/app/security/administration/endpoint_exceptions';
 export const EVENT_FILTERS_URL = '/app/security/administration/event_filters';
 export const BLOCKLIST_URL = '/app/security/administration/blocklist';
 export const HOST_ISOLATION_EXCEPTIONS_URL = `app/security/administration/host_isolation_exceptions`;
diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json
index a7f577105c4d9..b7ba950a9f565 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json
+++ b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/data.json
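Review bot: `goToEndpointExceptions` calls `cy.visit(ENDPOINT_EXCEPTIONS_URL)` directly even though this file imports the project's `visit` helper from './navigation' (visible as context in the preceding import hunk); if that wrapper carries extra setup, as its separate existence suggests, this helper skips it and behaves differently from the file's other navigation helpers. Prefer `visit(ENDPOINT_EXCEPTIONS_URL);`, or, if the raw visit is deliberate, add a one-line comment saying why so the next reader does not "fix" it.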
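Review bot: The two new constants follow `TRUSTED_APPS_URL` with a leading-slash string, but the neighbouring `HOST_ISOLATION_EXCEPTIONS_URL` (a context line in this hunk) is a template literal without the leading slash, and this commit starts visiting that constant from the new loop in navigation.cy.ts. `cy.url().should('include', …)` still passes and Cypress resolves the relative path against baseUrl, so it is not a failure, but normalizing it in the same change to `export const HOST_ISOLATION_EXCEPTIONS_URL = '/app/security/administration/host_isolation_exceptions';` keeps the URL table uniform for the table-driven test.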
@@ -2,7 +2,8 @@ "type": "doc", "value": { "id": "_aZE5nwBOpWiDwiSth_F", - "index": "endpoint.alerts-cypress", + "data_stream": "logs-endpoint.alerts-default", + "index": ".ds-logs-endpoint.alerts-default-2023.02.15-000001", "source": { "@timestamp": "2023-02-15T16:37:12.225Z", "file": { @@ -69,8 +70,12 @@ "module": "endpoint", "dataset": "process", "kind": "alert", - "category": ["process"], - "type": ["start"], + "category": [ + "process" + ], + "type": [ + "start" + ], "action": "process_started", "code": "test" }, @@ -89,7 +94,9 @@ }, "executable": "/bin/zsh", "name": "zsh", - "args": ["-zsh"], + "args": [ + "-zsh" + ], "entity_id": "q6pltOhTWlQx3BCD", "entry_leader": { "entity_id": "q6pltOhTWlQx3BCD", @@ -126,4 +133,4 @@ } } } -} +} \ No newline at end of file diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json index da54afa121a80..c494125913bda 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json +++ b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint/mappings.json 
@@ -1,251 +1,137 @@ { - "type": "index", + "type": "data_stream", "value": { - "aliases": { - "endgame": { - "is_write_index": false - } - }, - "settings": { - "index": { - "refresh_interval": "5s" + "data_stream": "logs-endpoint.alerts-default", + "template": { + "name": "logs-endpoint.alerts-test-archiver", + "_meta": { + "managed": true, + "namespace": "default" }, - "index.mapping.total_fields.limit": 2000 - }, - "index": "endpoint.alerts-cypress", - "mappings": { - "properties": { - "@timestamp": { - "type": "date" - }, - "file": { + "index_patterns": [ + "logs-endpoint.alerts-*" + ], + "data_stream": {}, + "template": { + "mappings": { "properties": { - "Ext": { + "@timestamp": { + "type": "date" + }, + "file": { "properties": { - "code_signature": { - "type": "nested", + "Ext": { + "properties": { + "code_signature": { + "type": "nested", + "properties": { + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + } + } + } + } + }, + "hash": { "properties": { - "subject_name": { + "sha256": { "type": "keyword", "ignore_above": 1024 + } + } + }, + "path": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "caseless": { + "type": "keyword", + "ignore_above": 1024, + "normalizer": "lowercase" }, - "trusted": { - "type": "boolean" + "text": { + "type": "text" } } } } }, - "hash": { + "agent": { "properties": { - "sha256": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "path": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "caseless": { - "type": "keyword", - "ignore_above": 1024, - "normalizer": "lowercase" + "ephemeral_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } }, - "text": { - "type": "text" - } - } - } - } - }, - "agent": { - "properties": { - "ephemeral_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - 
"keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "destination": { - "properties": { - "port": { - "type": "long" - } - } - }, - "ecs": { - "properties": { - "version": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "event": { - "properties": { - "action": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "category": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "dataset": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "kind": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "module": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "host": { - "properties": { - "architecture": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "hostname": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "ip": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + 
"name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "type": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, - "mac": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "destination": { + "properties": { + "port": { + "type": "long" } } }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "ecs": { + "properties": { + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } } } }, - "os": { + "event": { "properties": { - "build": { + "action": { "type": "text", "fields": { "keyword": { @@ -254,7 +140,7 @@ } } }, - "family": { + "category": { "type": "text", "fields": { "keyword": { @@ -263,7 +149,7 @@ } } }, - "kernel": { + "dataset": { "type": "text", "fields": { "keyword": { @@ -272,7 +158,7 @@ } } }, - "name": { + "kind": { "type": "text", "fields": { "keyword": { @@ -281,7 +167,7 @@ } } }, - "platform": { + "module": { "type": "text", "fields": { "keyword": { @@ -298,8 +184,21 @@ "ignore_above": 256 } } + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } }, - "version": { + "hostname": { "type": "text", "fields": { "keyword": { 
@@ -307,43 +206,26 @@ "ignore_above": 256 } } - } - } - } - } - }, - "message": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "process": { - "properties": { - "args": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entity_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "entry_leader": { - "properties": { - "entity_id": { + }, + "id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "ip": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "mac": { "type": "text", "fields": { "keyword": { @@ -361,12 +243,76 @@ } } }, - "pid": { - "type": "long" + "os": { + "properties": { + "build": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "family": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "kernel": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "platform": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "type": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "version": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } } } }, - "executable": { + "message": { "type": "text", "fields": { "keyword": { @@ -375,9 +321,9 @@ } } }, - "hash": { + "process": { "properties": { - "sha1": { + "args": { "type": "text", "fields": { "keyword": { 
@@ -385,62 +331,28 @@ "ignore_above": 256 } } - } - } - }, - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "parent": { - "properties": { - "pid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "working_directory": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "service": { - "properties": { - "type": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - } - } - }, - "user": { - "properties": { - "effective": { - "properties": { - "group": { + }, + "entity_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "entry_leader": { "properties": { - "id": { + "entity_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "name": { "type": "text", "fields": { "keyword": { @@ -448,10 +360,13 @@ "ignore_above": 256 } } + }, + "pid": { + "type": "long" } } }, - "id": { + "executable": { "type": "text", "fields": { "keyword": { @@ -459,12 +374,21 @@ "ignore_above": 256 } } - } - } - }, - "group": { - "properties": { - "id": { + }, + "hash": { + "properties": { + "sha1": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + }, + "name": { "type": "text", "fields": { "keyword": { @@ -473,7 +397,20 @@ } } }, - "name": { + "parent": { + "properties": { + "pid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "working_directory": { "type": "text", "fields": { "keyword": { 
@@ -484,26 +421,47 @@
 }
 }
 },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
+ "service": {
+ "properties": {
+ "type": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
 }
 }
 },
- "saved": {
+ "user": {
 "properties": {
+ "effective": {
+ "properties": {
+ "group": {
+ "properties": {
+ "id": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
+ },
+ "id": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
+ },
 "group": {
 "properties": {
 "id": {
@@ -514,6 +472,15 @@
 "ignore_above": 256
 }
 }
+ },
+ "name": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
 }
 }
 },
@@ -525,6 +492,41 @@
 "ignore_above": 256
 }
 }
+ },
+ "name": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ },
+ "saved": {
+ "properties": {
+ "group": {
+ "properties": {
+ "id": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
+ },
+ "id": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
 }
 }
 }
diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json
deleted file mode 100644
index c8e78bbe7c623..0000000000000
--- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/data.json
+++ /dev/null
@@ -1,129 +0,0 @@
-{
- "type": "doc",
- "value": {
- "id": "_wZE5nwBOpWiDwiSth_W",
- "index": "endpoint.alerts-cypress-1",
- "source": {
- "@timestamp": "2023-02-15T16:37:12.225Z",
- "file": {
- "Ext": {
- "code_signature": {
- "subject_name": "test",
- "trusted": true
- }
- },
- "path": "123",
- "hash": {
- "sha256": "test"
- }
- },
- "host": {
- "hostname": "test.local",
- "architecture": "x86_64",
- "os": {
- "platform": "darwin",
- "version": "10.16",
- "family": "darwin",
- "name": "Mac OS X",
- "kernel": "21.3.0",
- "build": "21D62",
- "type": "macos"
- },
- "id": "44426D67-79AB-547C-7777-440AB8F5DDD2",
- "ip": [
- "fe80::bade:48ff:fe00:1122",
- "fe81::4ab:9565:1199:be3",
- "192.168.5.175",
- "fe80::40d7:d0ff:fe66:f55",
- "fe81::40d8:d0ff:fe66:f55",
- "fe82::c2c:6bdf:3307:dce0",
- "fe83::5069:fcd5:e31c:7059",
- "fe80::ce81:b2c:bd2c:69e",
- "fe80::febc:bbc1:c517:827b",
- "fe80::6d09:bee6:55a5:539d",
- "fe80::c920:752e:1e0e:edc9",
- "fe80::a4a:ca38:761f:83e2"
- ],
- "mac": [
- "ad:df:48:00:11:22",
- "a6:86:e7:ae:5a:b6",
- "a9:83:e7:ae:5a:b6",
- "43:d8:d0:66:0f:55",
- "42:d8:d0:66:0f:57",
- "82:70:c7:c2:3c:01",
- "82:70:c6:c2:4c:00",
- "82:76:a6:c2:3c:05",
- "82:70:c6:b2:3c:04",
- "82:71:a6:c2:3c:01"
- ],
- "name": "siem-kibana"
- },
- "agent": {
- "type": "auditbeat",
- "version": "8.1.0",
- "ephemeral_id": "f6df090f-656a-4a79-a6a1-0c8671c9752d",
- "id": "0ebd469b-c164-4734-00e6-96d018098dc7",
- "name": "test.local"
- },
- "event": {
- "module": "endpoint",
- "dataset": "process",
- "kind": "alert",
- "category": ["process"],
- "type": ["start"],
- "action": "process_started",
- "code": "test"
- },
- "destination": {
- "port": 80
- },
- "process": {
- "start": "2022-03-04T19:41:32.902Z",
- "pid": 30884,
- "working_directory": "/Users/test/security_solution",
- "hash": {
- "sha1": "ae2d46c38fa207efbea5fcecd6294eebbf5af00f"
- },
- "parent": {
- "pid": 777
- },
- "executable": "/bin/zsh",
- "name": "zsh",
- "args": ["-zsh"],
- "entity_id": "q6pltOhTWlQx3BCD",
- "entry_leader": {
- "entity_id": "q6pltOhTWlQx3BCD",
- "name": "fake entry",
- "pid": 2342342
- }
- },
- "message": "Process zsh (PID: 27884) by user test STARTED",
- "user": {
- "id": "505",
- "group": {
- "name": "staff",
- "id": "20"
- },
- "effective": {
- "id": "505",
- "group": {
- "id": "20"
- }
- },
- "saved": {
- "id": "505",
- "group": {
- "id": "20"
- }
- },
- "name": "test"
- },
- "service": {
- "type": "system"
- },
- "ecs": {
- "version": "8.0.0"
- }
- }
- }
-}
diff --git a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json b/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json
deleted file mode 100644
index a63c3c6d5854b..0000000000000
--- a/x-pack/solutions/security/test/security_solution_cypress/es_archives/endpoint_2/mappings.json
+++ /dev/null
@@ -1,494 +0,0 @@
-{
- "type": "index",
- "value": {
- "aliases": {
- "endgame": {
- "is_write_index": false
- }
- },
- "settings": {
- "index": {
- "refresh_interval": "5s"
- },
- "index.mapping.total_fields.limit": 2000
- },
- "index": "endpoint.alerts-cypress-1",
- "mappings": {
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "agent": {
- "properties": {
- "ephemeral_id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "type": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "version": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "destination": {
- "properties": {
- "port": {
- "type": "long"
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "category": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "dataset": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "kind": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "module": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "type": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "hostname": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "ip": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "mac": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "os": {
- "properties": {
- "build": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "family": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "kernel": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "platform": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "type": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "version": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }
- }
- },
- "message": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "process": {
- "properties": {
- "args": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "entity_id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "entry_leader": {
- "properties": {
- "entity_id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "pid": {
- "type": "long"
- }
- }
- },
- "executable": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "hash": {
- "properties": {
- "sha1": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "parent": {
- "properties": {
- "pid": {
- "type": "long"
- }
- }
- },
- "pid": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "working_directory": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "service": {
- "properties": {
- "type": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "user": {
- "properties": {
- "effective": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "group": {
- "properties": {
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "name": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- },
- "saved": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- },
- "id": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 256
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
-}