[Security Solution][Endpoint] Cypress test to validate that Endpoint can stream alerts to ES/Kibana

[paul-tavares]

Summary

• Adds cypress test that stands up a real endpoint and validates that it can trigger alerts and send those to ES/Kbn and that they show up on the Alerts list

Testing

The test was added to a Test Suite that is not currently running under CI. To run it manually:

• First, ensure that you have Docker and Multipass installed
• Ensure that you have Kibana Running locally with Fleet setup with Fleet-server (Tip: you can execute the run_endpoint_agent.js script, which will setup fleet server locally with Docker)
• Run tests (see command below. Adjust env. variable values if values are different in your local env.)

cd x-pack/plugins/security_solution

CYPRESS_BASE_URL=http://localhost:5601 \
CYPRESS_KIBANA_URL=http://localhost:5601 \
CYPRESS_ELASTICSEARCH_USERNAME=elastic \
CYPRESS_ELASTICSEARCH_PASSWORD=changeme \
CYPRESS_ELASTICSEARCH_URL=http://localhost:9200 yarn cypress:dw:endpoint:open

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[kibana-ci]

💔 Build Failed

• Buildkite Build
• Commit: 9e863b6
• Interpreting CI Failures

Failed CI Steps

• Defend Workflows Cypress Tests
• Defend Workflows Cypress Tests

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	9.1MB	9.1MB	+8.0B

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	17	19	+2
securitySolution	395	399	+4
total			+6

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	18	20	+2
securitySolution	475	479	+4
total			+6

History

• 💚 Build #122257 succeeded 538a681
• 💛 Build #121768 was flaky 9d5d503

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @paul-tavares

[patrykkopycinski]

@paul-tavares have you tried to use https://www.npmjs.com/package/cypress-recurse ?

[paul-tavares]

No, I have not

[paul-tavares]

looks like its available in package.json from kibana. Are you proposing that be used instead?

[paul-tavares]

Going to merge this in, but if you still have feedback, feel free to post it here on the PR and I'll come back around and follow up on it.

[dasansol92]

Left a suggestion but other than that, this LGTM

[dasansol92]

Not needed now, but perhaps we could do this query more accurate to avoid removing extra things.

[paul-tavares]

yeah, I played around with that as well (see a sample query below), but found that as more/other data is added, we are likely to miss it. I wanted to truly try to remove all records that reference the agent ID so that our tests (especially those that use a Real endpoint) clean up properly after themselves.

Here is the query I initially came up with:

# List all indexes where the agent id has data
GET */_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match": {
                  "agent.id": "180f5edb-2f48-4d4b-af97-2434775a0bb9"
                }
              },
              {
                "match": {
                  "agent_id": "180f5edb-2f48-4d4b-af97-2434775a0bb9"
                }
              },
              {
                "match": {
                  "EndpointActions.action_id": "180f5edb-2f48-4d4b-af97-2434775a0bb9"
                }
              },
              {
                "match": {
                  "agents": "180f5edb-2f48-4d4b-af97-2434775a0bb9"
                }
              },
              {
                "match": {
                  "_id": "180f5edb-2f48-4d4b-af97-2434775a0bb9"
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "_source": false,
  "size": 0,
  "aggs": {
    "unique_indexes": {
      "terms": {
        "field": "_index",
        "size": 10000
      }
    }
  }
}