Added additional cypress tests for Security Analytics Dashboards plugin.

.github/workflows/security-analytics-release-e2e-workflow.yml

@@ -1,10 +1,7 @@
 name: Security Analytics Release tests workflow in Bundled OpenSearch Dashboards
 on:
   pull_request:
-    branches:
-      - main
-      - dev-*
-      - 2.x
+    branches: [ '**' ]
 jobs:
   changes:
     runs-on: ubuntu-latest

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_data.json

@@ -0,0 +1,57 @@
+{
+  "type": "detector",
+  "detector_type": "dns",
+  "name": "Cypress DNS Detector",
+  "enabled": true,
+  "createdBy": "",
+  "schedule": {
+    "period": {
+      "interval": 1,
+      "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "detector_input": {
+        "description": "Detects DNS names.",
+        "indices": ["cypress-index-dns"],
+        "pre_packaged_rules": [],
+        "custom_rules": [
+          {
+            "id": "25b9c01c-350d-4b95-bed1-836d04a4f325"
+          }
+        ]
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "name": "DNS name alert",
+      "sev_levels": ["low"],
+      "tags": ["dns.low"],
+      "actions": [
+        {
+          "id": "",
+          "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+          "destination_id": "",
+          "subject_template": {
+            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: Cypress DNS Detector",
+            "lang": "mustache"
+          },
+          "message_template": {
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: Cypress DNS Detector\nDescription: Detects DNS names.\nDetector data sources:\n\tdns",
+            "lang": "mustache"
+          },
+          "throttle_enabled": false,
+          "throttle": {
+            "value": 10,
+            "unit": "MINUTES"
+          }
+        }
+      ],
+      "types": ["dns"],
+      "severity": "1",
+      "ids": ["R1ng94QBbw8UQ2Cvqe6h"]
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_dns_detector_mappings_data.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "dns-answers-type": {
+      "type": "alias",
+      "path": "DnsAnswerType"
+    },
+    "dns-question-name": {
+      "type": "alias",
+      "path": "DnsQuestionName"
+    },
+    "dns-question-registered_domain": {
+      "type": "alias",
+      "path": "DnsQuestionRegisteredDomain"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_data.json

@@ -0,0 +1,57 @@
+{
+  "type": "detector",
+  "detector_type": "windows",
+  "name": "Cypress USB Detector",
+  "enabled": true,
+  "createdBy": "",
+  "schedule": {
+    "period": {
+      "interval": 1,
+      "unit": "MINUTES"
+    }
+  },
+  "inputs": [
+    {
+      "detector_input": {
+        "description": "Detect USB plugged in.",
+        "indices": ["cypress-index-windows"],
+        "pre_packaged_rules": [],
+        "custom_rules": [
+          {
+            "id": "25b9c01c-350d-4b95-bed1-836d04a4f324"
+          }
+        ]
+      }
+    }
+  ],
+  "triggers": [
+    {
+      "name": "USB plugged in alert",
+      "sev_levels": ["low"],
+      "tags": ["windows.usb"],
+      "actions": [
+        {
+          "id": "",
+          "name": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
+          "destination_id": "",
+          "subject_template": {
+            "source": "Triggered alert condition:  - Severity: 1 (Highest) - Threat detector: USB Detector",
+            "lang": "mustache"
+          },
+          "message_template": {
+            "source": "Triggered alert condition: \nSeverity: 1 (Highest)\nThreat detector: USB Detector\nDescription: Detect USB plugged in.\nDetector data sources:\n\twindows",
+            "lang": "mustache"
+          },
+          "throttle_enabled": false,
+          "throttle": {
+            "value": 10,
+            "unit": "MINUTES"
+          }
+        }
+      ],
+      "types": ["windows"],
+      "severity": "1",
+      "ids": ["25b9c01c-350d-4b95-bed1-836d04a4f123"]
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/detector/create_usb_detector_mappings_data.json

@@ -0,0 +1,28 @@
+{
+  "properties": {
+    "event_uid": {
+      "type": "alias",
+      "path": "EventID"
+    },
+    "windows-event_data-CommandLine": {
+      "type": "alias",
+      "path": "CommandLine"
+    },
+    "windows-hostname": {
+      "type": "alias",
+      "path": "HostName"
+    },
+    "windows-message": {
+      "type": "alias",
+      "path": "Message"
+    },
+    "windows-provider-name": {
+      "type": "alias",
+      "path": "Provider_Name"
+    },
+    "windows-servicename": {
+      "type": "alias",
+      "path": "ServiceName"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/add_dns_index_data.json

@@ -0,0 +1,5 @@
+{
+  "DnsAnswerType": "QWE",
+  "DnsQuestionRegisteredDomain": "EC2AMAZ-EPWO7HKA",
+  "DnsQuestionName": "QWE"
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/add_windows_index_data.json

@@ -0,0 +1,39 @@
+{
+  "EventTime": "2020-02-04T14:59:39.343541+00:00",
+  "HostName": "EC2AMAZ-EPO7HKA",
+  "Keywords": "9223372036854775808",
+  "SeverityValue": 2,
+  "Severity": "ERROR",
+  "EventID": 2003,
+  "SourceName": "Microsoft-Windows-Sysmon",
+  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
+  "Version": 5,
+  "TaskValue": 22,
+  "OpcodeValue": 0,
+  "RecordNumber": 9532,
+  "ExecutionProcessID": 1996,
+  "ExecutionThreadID": 2616,
+  "Channel": "Microsoft-Windows-Sysmon/Operational",
+  "Domain": "NT AUTHORITY",
+  "AccountName": "SYSTEM",
+  "UserID": "S-1-5-18",
+  "AccountType": "User",
+  "Message": "Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
+  "Category": "Dns query (rule: DnsQuery)",
+  "Opcode": "Info",
+  "UtcTime": "2020-02-04 14:59:38.349",
+  "ProcessGuid": "{b3c285a4-3cda-5dc0-0000-001077270b00}",
+  "ProcessId": "1904",
+  "QueryName": "EC2AMAZ-EPO7HKA",
+  "QueryStatus": "0",
+  "QueryResults": "172.31.46.38;",
+  "Image": "C:\\Program Files\\nxlog\\regsvr32.exe",
+  "EventReceivedTime": "2020-02-04T14:59:40.780905+00:00",
+  "SourceModuleName": "in",
+  "SourceModuleType": "im_msvistalog",
+  "CommandLine": "eachtest",
+  "Initiated": "true",
+  "Provider_Name": "Service_ws_Control_ws_Manager",
+  "TargetObject": "\\SOFTWARE\\Microsoft\\Office\\Outlook\\Security",
+  "EventType": "SetValue"
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/create_dns_settings.json

@@ -0,0 +1,21 @@
+{
+  "mappings": {
+    "properties": {
+      "DnsAnswerType": {
+        "type": "text"
+      },
+      "DnsQuestionRegisteredDomain": {
+        "type": "text"
+      },
+      "DnsQuestionName": {
+        "type": "text"
+      }
+    }
+  },
+  "settings": {
+    "index": {
+      "number_of_shards": "1",
+      "number_of_replicas": "1"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/index/create_windows_settings.json

@@ -0,0 +1,30 @@
+{
+  "mappings": {
+    "properties": {
+      "CommandLine": {
+        "type": "text"
+      },
+      "EventID": {
+        "type": "integer"
+      },
+      "HostName": {
+        "type": "text"
+      },
+      "Message": {
+        "type": "text"
+      },
+      "Provider_Name": {
+        "type": "text"
+      },
+      "ServiceName": {
+        "type": "text"
+      }
+    }
+  },
+  "settings": {
+    "index": {
+      "number_of_shards": "1",
+      "number_of_replicas": "1"
+    }
+  }
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/rule/create_dns_rule.json

@@ -0,0 +1,26 @@
+{
+  "id": "25b9c01c-350d-4b95-bed1-836d04a4f325",
+  "category": "dns",
+  "title": "Cypress DNS Rule",
+  "description": "Detects DNS name as QWE",
+  "status": "experimental",
+  "author": "Cypress Tests",
+  "references": [
+    {
+      "value": ""
+    }
+  ],
+  "tags": [
+    {
+      "value": "dns.low"
+    }
+  ],
+  "log_source": "",
+  "detection": "selection:\n  DnsQuestionName:\n    - QWE\n    - ASD\n    - YXC\ncondition: selection",
+  "level": "low",
+  "false_positives": [
+    {
+      "value": ""
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/integration_tests/rule/create_windows_usb_rule.json

@@ -0,0 +1,26 @@
+{
+  "id": "25b9c01c-350d-4b95-bed1-836d04a4f123",
+  "category": "windows",
+  "title": "Cypress USB Rule",
+  "description": "USB plugged-in rule",
+  "status": "experimental",
+  "author": "Cypress Tests",
+  "references": [
+    {
+      "value": ""
+    }
+  ],
+  "tags": [
+    {
+      "value": "windows.usb"
+    }
+  ],
+  "log_source": "",
+  "detection": "selection:\n  EventID:\n    - 2003\n    - 2100\n    - 2102\ncondition: selection",
+  "level": "low",
+  "false_positives": [
+    {
+      "value": ""
+    }
+  ]
+}

cypress/fixtures/plugins/security-analytics-dashboards-plugin/sample_alias_mappings.json

@@ -0,0 +1,16 @@
+{
+  "properties": {
+    "source_ip": {
+      "type": "alias",
+      "path": "src_ip"
+    },
+    "windows-event_data-CommandLine": {
+      "path": "CommandLine",
+      "type": "alias"
+    },
+    "event_uid": {
+      "path": "EventID",
+      "type": "alias"
+    }
+  }
+}