[Security Solution] Test plans for prebuilt rule import and export #191116
+192
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| Feature: Exporting Prebuilt Rules | ||
|
|
||
| Scenario: Exporting prebuilt rule individually | ||
| Given a space with prebuilt rules installed | ||
| When the user selects "Export rule" from the "All actions" dropdown on the rule's page | ||
| Then the rule should be exported as an NDJSON file | ||
| And it should include an "immutable" field with a value of true | ||
| And its "ruleSource" "type" should be "external" | ||
| And its "ruleSource" "isCustomized" value should depend on whether the rule was customized | ||
|
|
||
| Scenario: Exporting prebuilt rules in bulk | ||
| Given a space with prebuilt rules installed | ||
| When the user selects prebuilt rules in the alerts table | ||
| And chooses "Export" from bulk actions | ||
| Then the selected rules should be exported as an NDJSON file | ||
| And they should include an "immutable" field with a value of true | ||
| And their "ruleSource" "type" should be "external" | ||
| And their "ruleSource" "isCustomized" should depend on whether the rule was customized | ||
|
|
||
| Scenario: Exporting both prebuilt and custom rules in bulk | ||
| Given a space with prebuilt and custom rules installed | ||
| When the user selects prebuilt rules in the alerts table | ||
| And chooses "Export" from bulk actions | ||
| Then the selected rules should be exported as an NDJSON file | ||
| And the prebuilt rules should include an "immutable" field with a value of true | ||
| And the custom rules should include an "immutable" field with a value of false | ||
| And the prebuilt rules' "ruleSource" "type" should be "external" | ||
| And the custom rules' "ruleSource" "type" should be "internal" | ||
|
|
||
| Scenario: Exporting beyond the export limit | ||
| Given a space with prebuilt and custom rules installed | ||
| And the number of rules is greater than the export limit (defaults to 10_000) | ||
| Then the request should be rejected as a bad request |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| Feature: Importing Prebuilt Rules | ||
|
|
||
| Scenario: Importing an unmodified prebuilt rule with a matching rule_id and version | ||
| Given the import payload contains a prebuilt rule with a matching rule_id and version, identical to the published rule | ||
| When the user imports the rule | ||
| Then the rule should be created or updated | ||
| And the ruleSource type should be "external" | ||
| And isCustomized should be false | ||
|
|
||
| Scenario: Importing a customized prebuilt rule with a matching rule_id and version | ||
| Given the import payload contains a prebuilt rule with a matching rule_id and version, modified from the published version | ||
| When the user imports the rule | ||
| Then the rule should be created or updated | ||
| And the ruleSource type should be "external" | ||
| And isCustomized should be true | ||
|
|
||
| Scenario: Importing a prebuilt rule with a matching rule_id but no matching version | ||
| Given the import payload contains a prebuilt rule with a matching rule_id but no matching version | ||
| When the user imports the rule | ||
| Then the rule should be created or updated | ||
| And the ruleSource type should be "external" | ||
| And isCustomized should be true | ||
|
There was a problem hiding this comment. @rylnd the 2 scenarios above are independent of the overwrite flag? There was a problem hiding this comment. @pborgonovi good question! Most of these tests deal with whether the incoming rule(s) match prebuilt assets based on When the test states
The overwriting functionality is orthogonal to this feature and so isn't really touched on in these tests; "known If they were to be added here, the scenarios dealing with overwrite would look like: Scenario: Importing an existing prebuilt rule is rejected by default
Scenario: Importing an existing prebuilt rule is allowed if overwrite is true |
||
|
|
||
| Scenario: Importing a prebuilt rule with a non-existent rule_id | ||
| Given the import payload contains a prebuilt rule with a non-existent rule_id | ||
| When the user imports the rule | ||
| Then the rule should be created | ||
| And the ruleSource type should be "internal" | ||
|
|
||
| Scenario: Importing a prebuilt rule without a rule_id field | ||
| Given the import payload contains a prebuilt rule without a rule_id field | ||
| When the user imports the rule | ||
| Then the import should be rejected with a message "rule_id field is required" | ||
|
|
||
| Scenario: Importing a prebuilt rule with a matching rule_id but missing a version field | ||
| Given the import payload contains a prebuilt rule without a version field | ||
| When the user imports the rule | ||
| Then the import should be rejected with a message "version field is required" | ||
|
|
||
| Scenario: Importing an existing custom rule missing a version field | ||
| Given the import payload contains an existing custom rule without a version field | ||
| When the user imports the rule | ||
| Then the rule should be updated | ||
| And the ruleSource type should be "internal" | ||
| And the "version" field should be set to the existing rule's "version" | ||
|
|
||
| Scenario: Importing a new custom rule missing a version field | ||
| Given the import payload contains a new custom rule without a version field | ||
| When the user imports the rule | ||
| Then the rule should be created | ||
| And the ruleSource type should be "internal" | ||
| And the "version" field should be set to 1 | ||
|
|
||
| Scenario: Importing a rule with overwrite flag set to true | ||
| Given the import payload contains a rule with an existing rule_id | ||
| And the overwrite flag is set to true | ||
| When the user imports the rule | ||
| Then the rule should be overwritten | ||
| And the ruleSource type should be calculated based on the rule_id and version | ||
|
|
||
| Scenario: Importing a rule with overwrite flag set to false | ||
| Given the import payload contains a rule with an existing rule_id | ||
| And the overwrite flag is set to false | ||
| When the user imports the rule | ||
| Then the import should be rejected with a message "rule_id already exists" | ||
|
|
||
| Scenario: Importing both custom and prebuilt rules | ||
| Given the import payload contains modified and unmodified, custom and prebuilt rules | ||
| When the user imports the rule | ||
| Then custom rules should be created or updated, with versions defaulted to 1 | ||
| And prebuilt rules should be created or updated, | ||
| And prebuilt rules missing versions should be rejected | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it worth having the specificity between these two here? What causes the rule to be created vs updated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dplumlee @pborgonovi brought up similar questions, which were discussed here, but the TL;DR:
But since that's all orthogonal to the prebuilt customization stuff, I didn't think it was an important thing to split out in these tests.