Skip to content

Commit

Permalink
[Security Solution] [Attack discovery] Additional Attack discovery te…
Browse files Browse the repository at this point in the history
…sts (#199659)

### [Security Solution] [Attack discovery] Additional Attack discovery tests

This PR adds additional unit test coverage to Attack discovery.
  • Loading branch information
andrew-goldstein authored Nov 13, 2024
1 parent 55da11e commit 53d4580
Show file tree
Hide file tree
Showing 33 changed files with 2,195 additions and 29 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { fireEvent, render, screen } from '@testing-library/react';
import React from 'react';

import { AlertsRange } from './alerts_range';
import {
MAX_LATEST_ALERTS,
MIN_LATEST_ALERTS,
} from '../assistant/settings/alerts_settings/alerts_settings';
import { KnowledgeBaseConfig } from '../assistant/types';

const nonDefaultMin = MIN_LATEST_ALERTS + 5000;
const nonDefaultMax = nonDefaultMin + 5000;

describe('AlertsRange', () => {
beforeEach(() => jest.clearAllMocks());

it('renders the expected default min alerts', () => {
render(<AlertsRange value={200} />);

expect(screen.getByText(`${MIN_LATEST_ALERTS}`)).toBeInTheDocument();
});

it('renders the expected NON-default min alerts', () => {
render(
<AlertsRange maxAlerts={nonDefaultMax} minAlerts={nonDefaultMin} value={nonDefaultMin} />
);

expect(screen.getByText(`${nonDefaultMin}`)).toBeInTheDocument();
});

it('renders the expected default max alerts', () => {
render(<AlertsRange value={200} />);

expect(screen.getByText(`${MAX_LATEST_ALERTS}`)).toBeInTheDocument();
});

it('renders the expected NON-default max alerts', () => {
render(
<AlertsRange maxAlerts={nonDefaultMax} minAlerts={nonDefaultMin} value={nonDefaultMax} />
);

expect(screen.getByText(`${nonDefaultMax}`)).toBeInTheDocument();
});

it('calls onChange when the range value changes', () => {
const mockOnChange = jest.fn();
render(<AlertsRange onChange={mockOnChange} value={MIN_LATEST_ALERTS} />);

fireEvent.click(screen.getByText(`${MAX_LATEST_ALERTS}`));

expect(mockOnChange).toHaveBeenCalled();
});

it('calls setUpdatedKnowledgeBaseSettings with the expected arguments', () => {
const mockSetUpdatedKnowledgeBaseSettings = jest.fn();
const knowledgeBase: KnowledgeBaseConfig = { latestAlerts: 150 };

render(
<AlertsRange
knowledgeBase={knowledgeBase}
setUpdatedKnowledgeBaseSettings={mockSetUpdatedKnowledgeBaseSettings}
value={MIN_LATEST_ALERTS}
/>
);

fireEvent.click(screen.getByText(`${MAX_LATEST_ALERTS}`));

expect(mockSetUpdatedKnowledgeBaseSettings).toHaveBeenCalledWith({
...knowledgeBase,
latestAlerts: MAX_LATEST_ALERTS,
});
});

it('renders with the correct initial value', () => {
render(<AlertsRange value={250} />);

expect(screen.getByTestId('alertsRange')).toHaveValue('250');
});
});

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { AnonymizationFieldResponse } from '@kbn/elastic-assistant-common/impl/schemas/anonymization_fields/bulk_crud_anonymization_fields_route.gen';

export const getMockAnonymizationFieldResponse = (): AnonymizationFieldResponse[] => [
{
id: '6UDO45IBoEQSo_rIK1EW',
timestamp: '2024-10-31T18:19:52.468Z',
field: '_id',
allowed: true,
anonymized: false,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
{
id: '6kDO45IBoEQSo_rIK1EW',
timestamp: '2024-10-31T18:19:52.468Z',
field: '@timestamp',
allowed: true,
anonymized: false,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
{
id: '60DO45IBoEQSo_rIK1EW',
timestamp: '2024-10-31T18:19:52.468Z',
field: 'cloud.availability_zone',
allowed: true,
anonymized: false,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
{
id: '_EDO45IBoEQSo_rIK1EW',
timestamp: '2024-10-31T18:19:52.468Z',
field: 'host.name',
allowed: true,
anonymized: true,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
{
id: 'SkDO45IBoEQSo_rIK1IW',
timestamp: '2024-10-31T18:19:52.468Z',
field: 'user.name',
allowed: true,
anonymized: true,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
{
id: 'TUDO45IBoEQSo_rIK1IW',
timestamp: '2024-10-31T18:19:52.468Z',
field: 'user.target.name',
allowed: true,
anonymized: true,
createdAt: '2024-10-31T18:19:52.468Z',
namespace: 'default',
},
];
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ describe('getAlertsContextPrompt', () => {
it('generates the correct prompt', () => {
const anonymizedAlerts = ['Alert 1', 'Alert 2', 'Alert 3'];

const expected = `You are a cyber security analyst tasked with analyzing security events from Elastic Security to identify and report on potential cyber attacks or progressions. Your report should focus on high-risk incidents that could severely impact the organization, rather than isolated alerts. Present your findings in a way that can be easily understood by anyone, regardless of their technical expertise, as if you were briefing the CISO. Break down your response into sections based on timing, hosts, and users involved. When correlating alerts, use kibana.alert.original_time when it's available, otherwise use @timestamp. Include appropriate context about the affected hosts and users. Describe how the attack progression might have occurred and, if feasible, attribute it to known threat groups. Prioritize high and critical alerts, but include lower-severity alerts if desired. In the description field, provide as much detail as possible, in a bulleted list explaining any attack progressions. Accuracy is of utmost importance. You MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds).
const expected = `${getDefaultAttackDiscoveryPrompt()}
Use context from the following alerts to provide insights:
Expand Down
Loading

0 comments on commit 53d4580

Please sign in to comment.