

[ML] API integration tests - security_linux and security_windows modu…
…les (#85743) (#85780)

This PR adds API integration tests for setting up the security_linux and security_windows modules.
pheyos authored Dec 14, 2020
1 parent 3cc2de0 commit 68d885f
Showing 5 changed files with 7,895 additions and 0 deletions.
2 changes: 2 additions & 0 deletions x-pack/test/api_integration/apis/ml/index.ts
Expand Up @@ -34,6 +34,7 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_packetbeat');
await ml.testResources.deleteIndexPatternByTitle('ft_module_siem_winlogbeat');
await ml.testResources.deleteIndexPatternByTitle('ft_farequote');
await ml.testResources.deleteIndexPatternByTitle('ft_logs-endpoint.events.*');

await esArchiver.unload('ml/ecommerce');
await esArchiver.unload('ml/categorization');
Expand All @@ -45,6 +46,7 @@ export default function ({ getService, loadTestFile }: FtrProviderContext) {
await esArchiver.unload('ml/module_nginx');
await esArchiver.unload('ml/module_sample_ecommerce');
await esArchiver.unload('ml/module_sample_logs');
await esArchiver.unload('ml/module_security_endpoint');
await esArchiver.unload('ml/module_siem_auditbeat');
await esArchiver.unload('ml/module_siem_packetbeat');
await esArchiver.unload('ml/module_siem_winlogbeat');
10 changes: 10 additions & 0 deletions x-pack/test/api_integration/apis/ml/modules/recognize_module.ts
Expand Up @@ -135,6 +135,16 @@ export default ({ getService }: FtrProviderContext) => {
moduleIds: ['auditbeat_process_hosts_ecs', 'security_linux', 'siem_auditbeat'],
},
},
{
testTitleSuffix: 'for security endpoint dataset',
sourceDataArchive: 'ml/module_security_endpoint',
indexPattern: 'ft_logs-endpoint.events.*',
user: USER.ML_POWERUSER,
expected: {
responseCode: 200,
moduleIds: ['security_linux', 'security_windows'],
},
},
];

async function executeRecognizeModuleRequest(indexPattern: string, user: USER, rspCode: number) {
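Review bot: The exact `moduleIds: ['security_linux', 'security_windows']` assertion at L49 is doing real work — the auditbeat entry just above it (L39) shows `security_linux` also matches siem_auditbeat data, so this case is what proves the endpoint archive does not additionally trigger the `siem_*` modules — but nothing in the hunk says so. A one-line comment above the entry, `// endpoint archive must match only the two security_* modules, not the siem_* ones`, would keep a future maintainer from "fixing" a failure by loosening the check. Whether the comparison is order-sensitive is not visible here; if it is, keep the sorted order the other entries use. The enclosing test-data array begins before this hunk.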
128 changes: 128 additions & 0 deletions x-pack/test/api_integration/apis/ml/modules/setup_module.ts
Expand Up @@ -520,6 +520,134 @@ export default ({ getService }: FtrProviderContext) => {
] as string[],
},
},
{
testTitleSuffix:
'for security_linux with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_security_endpoint',
indexPattern: { name: 'ft_logs-endpoint.events.*', timeField: '@timestamp' },
module: 'security_linux',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf15_',
indexPatternName: 'ft_logs-endpoint.events.*',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf15_v2_rare_process_by_host_linux_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_rare_metadata_user',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_rare_metadata_process',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_user_name_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_process_all_hosts_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf15_v2_linux_anomalous_network_port_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
{
testTitleSuffix:
'for security_windows with prefix, startDatafeed true and estimateModelMemory true',
sourceDataArchive: 'ml/module_security_endpoint',
indexPattern: { name: 'ft_logs-endpoint.events.*', timeField: '@timestamp' },
module: 'security_windows',
user: USER.ML_POWERUSER,
requestBody: {
prefix: 'pf16_',
indexPatternName: 'ft_logs-endpoint.events.*',
startDatafeed: true,
end: Date.now(),
},
expected: {
responseCode: 200,
jobs: [
{
jobId: 'pf16_v2_rare_process_by_host_windows_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_network_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_path_activity_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '10mb',
},
{
jobId: 'pf16_v2_windows_anomalous_process_all_hosts_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_process_creation',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_anomalous_user_name_ecs',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_rare_metadata_process',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
{
jobId: 'pf16_v2_windows_rare_metadata_user',
jobState: JOB_STATE.CLOSED,
datafeedState: DATAFEED_STATE.STOPPED,
modelMemoryLimit: '11mb',
},
],
searches: [] as string[],
visualizations: [] as string[],
dashboards: [] as string[],
},
},
];

const testDataListNegative = [
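Review bot: Both test titles (L64, L122) say `estimateModelMemory true`, yet neither request body sets that field, so the `modelMemoryLimit` assertions (`'11mb'`/`'10mb'`) silently rely on the setup endpoint's default; add `estimateModelMemory: true,` to both `requestBody` objects so each case actually pins what its title claims. `end: Date.now()` at L73/L131 is evaluated once when the array literal is built, not per request, which is fine for a static archive but deserves a comment such as `// end is fixed at list-construction time; the archive is static, so this is safe`. The expected memory values are tied to the archived data and the estimator, so a brief comment noting they must be re-derived if `ml/module_security_endpoint` changes would help. The enclosing `testDataList` array begins before this hunk and `testDataListNegative` (L192) continues past it, so I cannot see whether a viewer-user negative case exists for the two new modules.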

