[Security Solution] [Attack discovery] Additional Attack discovery te…

…sts (elastic#199659) ### [Security Solution] [Attack discovery] Additional Attack discovery tests This PR adds additional unit test coverage to Attack discovery.
andrew-goldstein · Nov 13, 2024 · 53d4580 · 53d4580
1 parent 55da11e
commit 53d4580
Show file tree

Hide file tree

Showing 33 changed files with 2,195 additions and 29 deletions.
diff --git a/x-pack/packages/kbn-elastic-assistant/impl/knowledge_base/alerts_range.test.tsx b/x-pack/packages/kbn-elastic-assistant/impl/knowledge_base/alerts_range.test.tsx
@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { fireEvent, render, screen } from '@testing-library/react';
+import React from 'react';
+
+import { AlertsRange } from './alerts_range';
+import {
+  MAX_LATEST_ALERTS,
+  MIN_LATEST_ALERTS,
+} from '../assistant/settings/alerts_settings/alerts_settings';
+import { KnowledgeBaseConfig } from '../assistant/types';
+
+const nonDefaultMin = MIN_LATEST_ALERTS + 5000;
+const nonDefaultMax = nonDefaultMin + 5000;
+
+describe('AlertsRange', () => {
+  beforeEach(() => jest.clearAllMocks());
+
+  it('renders the expected default min alerts', () => {
+    render(<AlertsRange value={200} />);
+
+    expect(screen.getByText(`${MIN_LATEST_ALERTS}`)).toBeInTheDocument();
+  });
+
+  it('renders the expected NON-default min alerts', () => {
+    render(
+      <AlertsRange maxAlerts={nonDefaultMax} minAlerts={nonDefaultMin} value={nonDefaultMin} />
+    );
+
+    expect(screen.getByText(`${nonDefaultMin}`)).toBeInTheDocument();
+  });
+
+  it('renders the expected default max alerts', () => {
+    render(<AlertsRange value={200} />);
+
+    expect(screen.getByText(`${MAX_LATEST_ALERTS}`)).toBeInTheDocument();
+  });
+
+  it('renders the expected NON-default max alerts', () => {
+    render(
+      <AlertsRange maxAlerts={nonDefaultMax} minAlerts={nonDefaultMin} value={nonDefaultMax} />
+    );
+
+    expect(screen.getByText(`${nonDefaultMax}`)).toBeInTheDocument();
+  });
+
+  it('calls onChange when the range value changes', () => {
+    const mockOnChange = jest.fn();
+    render(<AlertsRange onChange={mockOnChange} value={MIN_LATEST_ALERTS} />);
+
+    fireEvent.click(screen.getByText(`${MAX_LATEST_ALERTS}`));
+
+    expect(mockOnChange).toHaveBeenCalled();
+  });
+
+  it('calls setUpdatedKnowledgeBaseSettings with the expected arguments', () => {
+    const mockSetUpdatedKnowledgeBaseSettings = jest.fn();
+    const knowledgeBase: KnowledgeBaseConfig = { latestAlerts: 150 };
+
+    render(
+      <AlertsRange
+        knowledgeBase={knowledgeBase}
+        setUpdatedKnowledgeBaseSettings={mockSetUpdatedKnowledgeBaseSettings}
+        value={MIN_LATEST_ALERTS}
+      />
+    );
+
+    fireEvent.click(screen.getByText(`${MAX_LATEST_ALERTS}`));
+
+    expect(mockSetUpdatedKnowledgeBaseSettings).toHaveBeenCalledWith({
+      ...knowledgeBase,
+      latestAlerts: MAX_LATEST_ALERTS,
+    });
+  });
+
+  it('renders with the correct initial value', () => {
+    render(<AlertsRange value={250} />);
+
+    expect(screen.getByTestId('alertsRange')).toHaveValue('250');
+  });
+});
diff --git a/x-pack/plugins/elastic_assistant/server/__mocks__/raw_attack_discoveries.ts b/x-pack/plugins/elastic_assistant/server/__mocks__/raw_attack_discoveries.ts
diff --git a/...c_assistant/server/lib/attack_discovery/evaluation/__mocks__/mock_anonymization_fields.ts b/...c_assistant/server/lib/attack_discovery/evaluation/__mocks__/mock_anonymization_fields.ts
@@ -0,0 +1,65 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { AnonymizationFieldResponse } from '@kbn/elastic-assistant-common/impl/schemas/anonymization_fields/bulk_crud_anonymization_fields_route.gen';
+
+export const getMockAnonymizationFieldResponse = (): AnonymizationFieldResponse[] => [
+  {
+    id: '6UDO45IBoEQSo_rIK1EW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: '_id',
+    allowed: true,
+    anonymized: false,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+  {
+    id: '6kDO45IBoEQSo_rIK1EW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: '@timestamp',
+    allowed: true,
+    anonymized: false,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+  {
+    id: '60DO45IBoEQSo_rIK1EW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: 'cloud.availability_zone',
+    allowed: true,
+    anonymized: false,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+  {
+    id: '_EDO45IBoEQSo_rIK1EW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: 'host.name',
+    allowed: true,
+    anonymized: true,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+  {
+    id: 'SkDO45IBoEQSo_rIK1IW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: 'user.name',
+    allowed: true,
+    anonymized: true,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+  {
+    id: 'TUDO45IBoEQSo_rIK1IW',
+    timestamp: '2024-10-31T18:19:52.468Z',
+    field: 'user.target.name',
+    allowed: true,
+    anonymized: true,
+    createdAt: '2024-10-31T18:19:52.468Z',
+    namespace: 'default',
+  },
+];
diff --git a/...ult_attack_discovery_graph/nodes/generate/helpers/get_alerts_context_prompt/index.test.ts b/...ult_attack_discovery_graph/nodes/generate/helpers/get_alerts_context_prompt/index.test.ts
@@ -12,7 +12,7 @@ describe('getAlertsContextPrompt', () => {
   it('generates the correct prompt', () => {
     const anonymizedAlerts = ['Alert 1', 'Alert 2', 'Alert 3'];
 
-    const expected = `You are a cyber security analyst tasked with analyzing security events from Elastic Security to identify and report on potential cyber attacks or progressions. Your report should focus on high-risk incidents that could severely impact the organization, rather than isolated alerts. Present your findings in a way that can be easily understood by anyone, regardless of their technical expertise, as if you were briefing the CISO. Break down your response into sections based on timing, hosts, and users involved. When correlating alerts, use kibana.alert.original_time when it's available, otherwise use @timestamp. Include appropriate context about the affected hosts and users. Describe how the attack progression might have occurred and, if feasible, attribute it to known threat groups. Prioritize high and critical alerts, but include lower-severity alerts if desired. In the description field, provide as much detail as possible, in a bulleted list explaining any attack progressions. Accuracy is of utmost importance. You MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds).
+    const expected = `${getDefaultAttackDiscoveryPrompt()}
 
 Use context from the following alerts to provide insights: