[Security Solution][Detections] Completes alert details for Indicator…

… Match Rules (#99671) (#99889) * adds 'Displays threat summary data on alerts details' test * adds 'Displays threat indicator data on the threat indicator tab' test * changes name of the test from 'threat indicator tab' to 'threat intel tab' * adds an extra assertion
elastic · May 12, 2021 · 4dab3f3 · 4dab3f3
1 parent a696658
commit 4dab3f3
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 3 deletions.
diff --git a/...lugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/...lugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -16,7 +16,16 @@ import {
   ALERT_RULE_VERSION,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
-import { JSON_LINES } from '../../screens/alerts_details';
+import {
+  JSON_LINES,
+  TABLE_CELL,
+  TABLE_ROWS,
+  THREAT_CONTENT,
+  THREAT_DETAILS_VIEW,
+  THREAT_INTEL_TAB,
+  THREAT_SUMMARY_VIEW,
+  TITLE,
+} from '../../screens/alerts_details';
 import {
   CUSTOM_RULES_BTN,
   RISK_SCORE,
@@ -63,7 +72,11 @@ import {
   waitForAlertsIndexToBeCreated,
   waitForAlertsPanelToBeLoaded,
 } from '../../tasks/alerts';
-import { openJsonView, scrollJsonViewToBottom } from '../../tasks/alerts_details';
+import {
+  openJsonView,
+  openThreatIndicatorDetails,
+  scrollJsonViewToBottom,
+} from '../../tasks/alerts_details';
 import {
   changeRowsPerPageTo300,
   duplicateFirstRule,
@@ -585,6 +598,90 @@ describe('indicator match', () => {
           });
         });
       });
+
+      it('Displays threat summary data on alerts details', () => {
+        const expectedThreatSummary = [
+          { field: 'matched.field', value: 'myhash.mysha256' },
+          { field: 'matched.type', value: 'file' },
+          { field: 'first_seen', value: '2021-03-10T08:02:14.000Z' },
+        ];
+
+        expandFirstAlert();
+
+        cy.get(THREAT_SUMMARY_VIEW).within(() => {
+          cy.get(TABLE_ROWS).should('have.length', expectedThreatSummary.length);
+          expectedThreatSummary.forEach((row, index) => {
+            cy.get(TABLE_ROWS)
+              .eq(index)
+              .within(() => {
+                cy.get(TITLE).should('have.text', row.field);
+                cy.get(THREAT_CONTENT).should('have.text', row.value);
+              });
+          });
+        });
+      });
+
+      it('Displays threat indicator data on the threat intel tab', () => {
+        const expectedThreatIndicatorData = [
+          { field: 'first_seen', value: '2021-03-10T08:02:14.000Z' },
+          { field: 'file.size', value: '80280' },
+          { field: 'file.type', value: 'elf' },
+          {
+            field: 'file.hash.sha256',
+            value: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3',
+          },
+          {
+            field: 'file.hash.tlsh',
+            value: '6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE',
+          },
+          {
+            field: 'file.hash.ssdeep',
+            value:
+              '1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL',
+          },
+          { field: 'file.hash.md5', value: '9b6c3518a91d23ed77504b5416bfb5b3' },
+          { field: 'type', value: 'file' },
+          {
+            field: 'event.reference',
+            value:
+              'https://urlhaus-api.abuse.ch/v1/download/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/(opens in a new tab or window)',
+          },
+          { field: 'event.ingested', value: '2021-03-10T14:51:09.809069Z' },
+          { field: 'event.created', value: '2021-03-10T14:51:07.663Z' },
+          { field: 'event.kind', value: 'enrichment' },
+          { field: 'event.module', value: 'threatintel' },
+          { field: 'event.category', value: 'threat' },
+          { field: 'event.type', value: 'indicator' },
+          { field: 'event.dataset', value: 'threatintel.abusemalware' },
+          {
+            field: 'matched.atomic',
+            value: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3',
+          },
+          { field: 'matched.field', value: 'myhash.mysha256' },
+          {
+            field: 'matched.id',
+            value: '84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f',
+          },
+          { field: 'matched.index', value: 'filebeat-7.12.0-2021.03.10-000001' },
+          { field: 'matched.type', value: 'file' },
+        ];
+
+        expandFirstAlert();
+        openThreatIndicatorDetails();
+
+        cy.get(THREAT_INTEL_TAB).should('have.text', 'Threat Intel (1)');
+        cy.get(THREAT_DETAILS_VIEW).within(() => {
+          cy.get(TABLE_ROWS).should('have.length', expectedThreatIndicatorData.length);
+          expectedThreatIndicatorData.forEach((row, index) => {
+            cy.get(TABLE_ROWS)
+              .eq(index)
+              .within(() => {
+                cy.get(TABLE_CELL).eq(0).should('have.text', row.field);
+                cy.get(TABLE_CELL).eq(1).should('have.text', row.value);
+              });
+          });
+        });
+      });
     });
 
     describe('Duplicates the indicator rule', () => {

diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts
@@ -13,6 +13,18 @@ export const JSON_LINES = '.ace_line';
 
 export const JSON_VIEW_TAB = '[data-test-subj="jsonViewTab"]';
 
+export const TABLE_CELL = '.euiTableRowCell';
+
 export const TABLE_TAB = '[data-test-subj="tableTab"]';
 
 export const TABLE_ROWS = '.euiTableRow';
+
+export const THREAT_CONTENT = '[data-test-subj^=draggable-content-threat]';
+
+export const THREAT_DETAILS_VIEW = '[data-test-subj="threat-details-view-0"]';
+
+export const THREAT_INTEL_TAB = '[data-test-subj="threatIntelTab"]';
+
+export const THREAT_SUMMARY_VIEW = '[data-test-subj="threat-summary-view"]';
+
+export const TITLE = '.euiTitle';
diff --git a/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts b/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts
@@ -5,7 +5,12 @@
  * 2.0.
  */
 
-import { JSON_CONTENT, JSON_VIEW_TAB, TABLE_TAB } from '../screens/alerts_details';
+import {
+  JSON_CONTENT,
+  JSON_VIEW_TAB,
+  TABLE_TAB,
+  THREAT_INTEL_TAB,
+} from '../screens/alerts_details';
 
 export const openJsonView = () => {
   cy.get(JSON_VIEW_TAB).click();
@@ -15,6 +20,10 @@ export const openTable = () => {
   cy.get(TABLE_TAB).click();
 };
 
+export const openThreatIndicatorDetails = () => {
+  cy.get(THREAT_INTEL_TAB).click();
+};
+
 export const scrollJsonViewToBottom = () => {
   cy.get(JSON_CONTENT).click({ force: true });
   cy.get(JSON_CONTENT).type('{pagedown}{pagedown}{pagedown}');

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
@@ -136,6 +136,7 @@ const EventDetailsComponent: React.FC<Props> = ({
       isAlert
         ? {
             id: EventsViewType.threatIntelView,
+            'data-test-subj': 'threatIntelTab',
             name: `${i18n.THREAT_INTEL} (${threatCount})`,
             content: <ThreatDetailsView threatData={threatData} />,
           }