[Security Solution] Minimize the use of es_archiver on cypress tests

x-pack/plugins/security_solution/cypress/integration/alerts.spec.ts

@@ -25,7 +25,7 @@ import {
   markInProgressFirstAlert,
   goToInProgressAlerts,
 } from '../tasks/alerts';
-import { removeSignalsIndex } from '../tasks/api_calls';
+import { removeSignalsIndex } from '../tasks/api_calls/rules';
 import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
 import { loginAndWaitForPage } from '../tasks/login';
 

x-pack/plugins/security_solution/cypress/integration/alerts_detection_exceptions.spec.ts

@@ -16,7 +16,7 @@ import {
   goToOpenedAlerts,
   waitForAlertsIndexToBeCreated,
 } from '../tasks/alerts';
-import { createCustomRule, deleteCustomRule, removeSignalsIndex } from '../tasks/api_calls';
+import { createCustomRule, deleteCustomRule, removeSignalsIndex } from '../tasks/api_calls/rules';
 import { goToRuleDetails } from '../tasks/alerts_detection_rules';
 import { waitForAlertsToPopulate } from '../tasks/create_new_rule';
 import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
@@ -34,9 +34,8 @@ import { refreshPage } from '../tasks/security_header';
 
 import { DETECTIONS_URL } from '../urls/navigation';
 
-const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = 1;
-
 describe('Exceptions', () => {
+  const NUMBER_OF_AUDITBEAT_EXCEPTIONS_ALERTS = 1;
   beforeEach(() => {
     loginAndWaitForPageWithoutDateRange(DETECTIONS_URL);
     waitForAlertsIndexToBeCreated();

x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_custom.spec.ts

@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import deepMerge from 'deepmerge';
 import { formatMitreAttackDescription } from '../helpers/rules';
 import { newRule, existingRule, indexPatterns, editedRule } from '../objects/rule';
 import {
@@ -85,7 +86,8 @@ import {
   waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded,
   waitForRulesToBeLoaded,
 } from '../tasks/alerts_detection_rules';
-import { removeSignalsIndex } from '../tasks/api_calls';
+import { removeSignalsIndex } from '../tasks/api_calls/rules';
+import { createTimeline, deleteTimeline } from '../tasks/api_calls/timelines';
 import {
   createAndActivateRule,
   fillAboutRule,
@@ -104,24 +106,24 @@ import { loginAndWaitForPageWithoutDateRange } from '../tasks/login';
 
 import { DETECTIONS_URL } from '../urls/navigation';
 
-const expectedUrls = newRule.referenceUrls.join('');
-const expectedFalsePositives = newRule.falsePositivesExamples.join('');
-const expectedTags = newRule.tags.join('');
-const expectedMitre = formatMitreAttackDescription(newRule.mitre);
-const expectedNumberOfRules = 1;
-const expectedEditedtags = editedRule.tags.join('');
-const expectedEditedIndexPatterns =
-  editedRule.index && editedRule.index.length ? editedRule.index : indexPatterns;
-
-describe('Custom detection rules creation', () => {
-  before(() => {
-    esArchiverLoad('timeline');
+describe('Custom detection rules creation', async () => {
+  const expectedUrls = newRule.referenceUrls.join('');
+  const expectedFalsePositives = newRule.falsePositivesExamples.join('');
+  const expectedTags = newRule.tags.join('');
+  const expectedMitre = formatMitreAttackDescription(newRule.mitre);
+  const expectedNumberOfRules = 1;
+
+  let rule: typeof newRule;
+
+  before(async () => {
+    const createdTimeline = await createTimeline(newRule.timeline);
+    rule = deepMerge(newRule, { timeline: { id: createdTimeline[0] } });
   });
 
   after(() => {
     deleteRule();
+    deleteTimeline(rule.timeline.id!);
     removeSignalsIndex();
-    esArchiverUnload('timeline');
   });
 
   it('Creates and activates a new rule', () => {
@@ -131,19 +133,19 @@ describe('Custom detection rules creation', () => {
     goToManageAlertsDetectionRules();
     waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded();
     goToCreateNewRule();
-    fillDefineCustomRuleWithImportedQueryAndContinue(newRule);
-    fillAboutRuleAndContinue(newRule);
-    fillScheduleRuleAndContinue(newRule);
+    fillDefineCustomRuleWithImportedQueryAndContinue(rule);
+    fillAboutRuleAndContinue(rule);
+    fillScheduleRuleAndContinue(rule);
 
     // expect define step to repopulate
     cy.get(DEFINE_EDIT_BUTTON).click();
-    cy.get(CUSTOM_QUERY_INPUT).should('have.value', newRule.customQuery);
+    cy.get(CUSTOM_QUERY_INPUT).should('have.value', rule.customQuery);
     cy.get(DEFINE_CONTINUE_BUTTON).should('exist').click({ force: true });
     cy.get(DEFINE_CONTINUE_BUTTON).should('not.exist');
 
     // expect about step to populate
     cy.get(ABOUT_EDIT_BUTTON).click();
-    cy.get(RULE_NAME_INPUT).invoke('val').should('eql', newRule.name);
+    cy.get(RULE_NAME_INPUT).invoke('val').should('eql', rule.name);
     cy.get(ABOUT_CONTINUE_BTN).should('exist').click({ force: true });
     cy.get(ABOUT_CONTINUE_BTN).should('not.exist');
 
@@ -163,18 +165,18 @@ describe('Custom detection rules creation', () => {
     cy.get(RULES_TABLE).then(($table) => {
       cy.wrap($table.find(RULES_ROW).length).should('eql', 1);
     });
-    cy.get(RULE_NAME).should('have.text', newRule.name);
-    cy.get(RISK_SCORE).should('have.text', newRule.riskScore);
-    cy.get(SEVERITY).should('have.text', newRule.severity);
+    cy.get(RULE_NAME).should('have.text', rule.name);
+    cy.get(RISK_SCORE).should('have.text', rule.riskScore);
+    cy.get(SEVERITY).should('have.text', rule.severity);
     cy.get(RULE_SWITCH).should('have.attr', 'aria-checked', 'true');
 
     goToRuleDetails();
 
-    cy.get(RULE_NAME_HEADER).should('have.text', `${newRule.name}`);
-    cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', newRule.description);
+    cy.get(RULE_NAME_HEADER).should('have.text', `${rule.name}`);
+    cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', rule.description);
     cy.get(ABOUT_DETAILS).within(() => {
-      getDetails(SEVERITY_DETAILS).should('have.text', newRule.severity);
-      getDetails(RISK_SCORE_DETAILS).should('have.text', newRule.riskScore);
+      getDetails(SEVERITY_DETAILS).should('have.text', rule.severity);
+      getDetails(RISK_SCORE_DETAILS).should('have.text', rule.riskScore);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {
         expect(removeExternalLinkText(details.text())).equal(expectedUrls);
       });
@@ -188,7 +190,7 @@ describe('Custom detection rules creation', () => {
     cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
     cy.get(DEFINITION_DETAILS).within(() => {
       getDetails(INDEX_PATTERNS_DETAILS).should('have.text', indexPatterns.join(''));
-      getDetails(CUSTOM_QUERY_DETAILS).should('have.text', newRule.customQuery);
+      getDetails(CUSTOM_QUERY_DETAILS).should('have.text', rule.customQuery);
       getDetails(RULE_TYPE_DETAILS).should('have.text', 'Query');
       getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');
     });
@@ -207,11 +209,11 @@ describe('Custom detection rules creation', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).invoke('text').then(parseFloat).should('be.above', 0);
-    cy.get(ALERT_RULE_NAME).first().should('have.text', newRule.name);
+    cy.get(ALERT_RULE_NAME).first().should('have.text', rule.name);
     cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
     cy.get(ALERT_RULE_METHOD).first().should('have.text', 'query');
-    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', newRule.severity.toLowerCase());
-    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', newRule.riskScore);
+    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', rule.severity.toLowerCase());
+    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', rule.riskScore);
   });
 });
 
@@ -291,6 +293,10 @@ describe('Custom detection rules deletion and edition', () => {
   });
 
   context('Edition', () => {
+    const expectedEditedtags = editedRule.tags.join('');
+    const expectedEditedIndexPatterns =
+      editedRule.index && editedRule.index.length ? editedRule.index : indexPatterns;
+
     it('Allows a rule to be edited', () => {
       editFirstRule();
       waitForKibana();

x-pack/plugins/security_solution/cypress/integration/alerts_detection_rules_eql.spec.ts

@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import deepMerge from 'deepmerge';
 import { formatMitreAttackDescription } from '../helpers/rules';
 import { eqlRule, eqlSequenceRule, indexPatterns } from '../objects/rule';
 
@@ -63,6 +64,7 @@ import {
   waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded,
   waitForRulesToBeLoaded,
 } from '../tasks/alerts_detection_rules';
+import { createTimeline, deleteTimeline } from '../tasks/api_calls/timelines';
 import {
   createAndActivateRule,
   fillAboutRuleAndContinue,
@@ -72,27 +74,28 @@ import {
   waitForAlertsToPopulate,
   waitForTheRuleToBeExecuted,
 } from '../tasks/create_new_rule';
-import { esArchiverLoad, esArchiverUnload } from '../tasks/es_archiver';
 import { loginAndWaitForPageWithoutDateRange } from '../tasks/login';
 
 import { DETECTIONS_URL } from '../urls/navigation';
 
-const expectedUrls = eqlRule.referenceUrls.join('');
-const expectedFalsePositives = eqlRule.falsePositivesExamples.join('');
-const expectedTags = eqlRule.tags.join('');
-const expectedMitre = formatMitreAttackDescription(eqlRule.mitre);
-const expectedNumberOfRules = 1;
-const expectedNumberOfAlerts = 7;
-const expectedNumberOfSequenceAlerts = 1;
-
 describe('Detection rules, EQL', () => {
-  beforeEach(() => {
-    esArchiverLoad('timeline');
+  const expectedUrls = eqlRule.referenceUrls.join('');
+  const expectedFalsePositives = eqlRule.falsePositivesExamples.join('');
+  const expectedTags = eqlRule.tags.join('');
+  const expectedMitre = formatMitreAttackDescription(eqlRule.mitre);
+  const expectedNumberOfRules = 1;
+  const expectedNumberOfAlerts = 7;
+
+  let rule: typeof eqlRule;
+
+  before(async () => {
+    const createdTimeline = await createTimeline(eqlRule.timeline);
+    rule = deepMerge(eqlRule, { timeline: { id: createdTimeline[0] } });
   });
 
-  afterEach(() => {
+  after(() => {
+    deleteTimeline(rule.timeline.id!);
     deleteRule();
-    esArchiverUnload('timeline');
   });
 
   it('Creates and activates a new EQL rule', () => {
@@ -103,9 +106,9 @@ describe('Detection rules, EQL', () => {
     waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded();
     goToCreateNewRule();
     selectEqlRuleType();
-    fillDefineEqlRuleAndContinue(eqlRule);
-    fillAboutRuleAndContinue(eqlRule);
-    fillScheduleRuleAndContinue(eqlRule);
+    fillDefineEqlRuleAndContinue(rule);
+    fillAboutRuleAndContinue(rule);
+    fillScheduleRuleAndContinue(rule);
     createAndActivateRule();
 
     cy.get(CUSTOM_RULES_BTN).should('have.text', 'Custom rules (1)');
@@ -122,18 +125,18 @@ describe('Detection rules, EQL', () => {
     cy.get(RULES_TABLE).then(($table) => {
       cy.wrap($table.find(RULES_ROW).length).should('eql', 1);
     });
-    cy.get(RULE_NAME).should('have.text', eqlRule.name);
-    cy.get(RISK_SCORE).should('have.text', eqlRule.riskScore);
-    cy.get(SEVERITY).should('have.text', eqlRule.severity);
+    cy.get(RULE_NAME).should('have.text', rule.name);
+    cy.get(RISK_SCORE).should('have.text', rule.riskScore);
+    cy.get(SEVERITY).should('have.text', rule.severity);
     cy.get(RULE_SWITCH).should('have.attr', 'aria-checked', 'true');
 
     goToRuleDetails();
 
-    cy.get(RULE_NAME_HEADER).should('have.text', `${eqlRule.name}`);
-    cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', eqlRule.description);
+    cy.get(RULE_NAME_HEADER).should('have.text', `${rule.name}`);
+    cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', rule.description);
     cy.get(ABOUT_DETAILS).within(() => {
-      getDetails(SEVERITY_DETAILS).should('have.text', eqlRule.severity);
-      getDetails(RISK_SCORE_DETAILS).should('have.text', eqlRule.riskScore);
+      getDetails(SEVERITY_DETAILS).should('have.text', rule.severity);
+      getDetails(RISK_SCORE_DETAILS).should('have.text', rule.riskScore);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {
         expect(removeExternalLinkText(details.text())).equal(expectedUrls);
       });
@@ -147,30 +150,46 @@ describe('Detection rules, EQL', () => {
     cy.get(ABOUT_INVESTIGATION_NOTES).should('have.text', INVESTIGATION_NOTES_MARKDOWN);
     cy.get(DEFINITION_DETAILS).within(() => {
       getDetails(INDEX_PATTERNS_DETAILS).should('have.text', indexPatterns.join(''));
-      getDetails(CUSTOM_QUERY_DETAILS).should('have.text', eqlRule.customQuery);
+      getDetails(CUSTOM_QUERY_DETAILS).should('have.text', rule.customQuery);
       getDetails(RULE_TYPE_DETAILS).should('have.text', 'Event Correlation');
       getDetails(TIMELINE_TEMPLATE_DETAILS).should('have.text', 'None');
     });
     cy.get(SCHEDULE_DETAILS).within(() => {
       getDetails(RUNS_EVERY_DETAILS).should(
         'have.text',
-        `${eqlRule.runsEvery.interval}${eqlRule.runsEvery.type}`
+        `${rule.runsEvery.interval}${rule.runsEvery.type}`
       );
       getDetails(ADDITIONAL_LOOK_BACK_DETAILS).should(
         'have.text',
-        `${eqlRule.lookBack.interval}${eqlRule.lookBack.type}`
+        `${rule.lookBack.interval}${rule.lookBack.type}`
       );
     });
 
     waitForTheRuleToBeExecuted();
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
-    cy.get(ALERT_RULE_NAME).first().should('have.text', eqlRule.name);
+    cy.get(ALERT_RULE_NAME).first().should('have.text', rule.name);
     cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
     cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
-    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlRule.severity.toLowerCase());
-    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlRule.riskScore);
+    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', rule.severity.toLowerCase());
+    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', rule.riskScore);
+  });
+});
+
+describe('Detection rules, sequence EQL', () => {
+  const expectedNumberOfRules = 1;
+  const expectedNumberOfSequenceAlerts = 1;
+  let rule: typeof eqlSequenceRule;
+
+  before(async () => {
+    const createdTimeline = await createTimeline(eqlSequenceRule.timeline);
+    rule = deepMerge(eqlSequenceRule, { timeline: { id: createdTimeline[0] } });
+  });
+
+  afterEach(() => {
+    deleteTimeline(eqlRule.timeline.id!);
+    deleteRule();
   });
 
   it('Creates and activates a new EQL rule with a sequence', () => {
@@ -181,9 +200,9 @@ describe('Detection rules, EQL', () => {
     waitForLoadElasticPrebuiltDetectionRulesTableToBeLoaded();
     goToCreateNewRule();
     selectEqlRuleType();
-    fillDefineEqlRuleAndContinue(eqlSequenceRule);
-    fillAboutRuleAndContinue(eqlSequenceRule);
-    fillScheduleRuleAndContinue(eqlSequenceRule);
+    fillDefineEqlRuleAndContinue(rule);
+    fillAboutRuleAndContinue(rule);
+    fillScheduleRuleAndContinue(rule);
     createAndActivateRule();
 
     cy.get(CUSTOM_RULES_BTN).should('have.text', 'Custom rules (1)');
@@ -201,10 +220,10 @@ describe('Detection rules, EQL', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfSequenceAlerts);
-    cy.get(ALERT_RULE_NAME).first().should('have.text', eqlSequenceRule.name);
+    cy.get(ALERT_RULE_NAME).first().should('have.text', rule.name);
     cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
     cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
-    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', eqlSequenceRule.severity.toLowerCase());
-    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', eqlSequenceRule.riskScore);
+    cy.get(ALERT_RULE_SEVERITY).first().should('have.text', rule.severity.toLowerCase());
+    cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', rule.riskScore);
   });
 });