Add Amazon Security Hub E2E test template #5454

Closed
fdalmaup opened this issue Jun 3, 2024 · 7 comments
fdalmaup commented Jun 3, 2024

| Target version | Related issue | Related PR/dev branch |
|---|---|---|
| 4.9.0 | wazuh/wazuh#21209 | |

Description

In wazuh/wazuh#23203, the team has added the integration with Amazon Security Hub to the AWS module. The related documentation has been added to the 4.9.0 branch at wazuh/wazuh-documentation#7111.

We need to develop a new E2E UX test template to properly check the complete flow to configure and get running the new feature.

@fdalmaup fdalmaup changed the title Add Amazon Security Hub End-to-End tests Add Amazon Security Hub End-to-End test Jun 3, 2024
@davidjiglesias davidjiglesias changed the title Add Amazon Security Hub End-to-End test Add Amazon Security Hub E2E test template Jun 7, 2024
@davidjiglesias commented:

We are not developing automated E2E tests at this point, although your petition makes a lot of sense.

For that reason, I propose we add a new E2E UX test case to our spreadsheet, ensuring we test it in all minor and major releases (at least).

rafabailon commented Jun 12, 2024

Test Proposal

The purpose of the test is to test the Security Hub Integration of the AWS module. AWS Security Hub is a cloud security posture management (CSPM) service that automates security best practice checks, aggregates security alerts into a unified format, and helps the user understand the overall security posture across all of the AWS accounts.

Test Description

  • Configure (or check the configuration) in AWS following the Documentation
  • Configure (or check the configuration) Wazuh following the Documentation
  • Check ossec.log to see that the logs related to the Security Hub are displayed. You can enable debug to get more information in the logs.

Rebits commented Jun 13, 2024

Good job on the proposed test cases, as they ensure the configuration stages of the new integration. However, we need to extend our testing to cover the end-to-end (E2E) viability of the integration within the product.

Here are some suggestions to achieve this:

  • Check Newly Included Alerts:
    • Replicate a use case to trigger specific alerts, such as the AWS Security Hub - CodeBuild Bitbucket source repository URL contains sensitive credentials alert.
    • Verify that this alert appears in the dashboard under the expected menu (AWS).
  • Test Different Wodle Configuration Options
    • Experiment with various Wodle configuration options for the new integration. For instance, use discard_regex (refer to the Wazuh documentation) to filter out specific types of events.

Finally, standardize your proposed E2E UX test cases following the scheme of the E2E UX test cases in our spreadsheet.

These steps will help ensure that the integration is not only correctly configured but also fully functional within a real environment.

rafabailon commented Jun 13, 2024

Test Proposal

Information

| Name | Category |
|---|---|
| Amazon Security Hub | Cloud Security |

Description

AWS Security Hub is a cloud security posture management (CSPM) service that automates security best practice checks, aggregates security alerts into a unified format, and helps the user understand the overall security posture across all of the AWS accounts.

The first step is to set up Amazon Security Hub on Wazuh:

Once the environment has been configured, it is necessary to perform a series of tests to check that everything is working correctly:

Environment

| Wazuh Indexer Installation | Wazuh Indexer Type | Wazuh Indexer OS | Wazuh Server Installation | Wazuh Server Type | Wazuh Server OS | Wazuh Dashboard Installation | Wazuh Dashboard OS | Wazuh Agent Installation | Wazuh Agent OS |
|---|---|---|---|---|---|---|---|---|---|
| All-In-One Installation | Single Node | Ubuntu 22.04 x86_64 | Same as Indexer | Single Node | Same as Indexer | Same as Indexer | Same as Indexer | Install Wazuh Agent | Debian 12 x86_64 |

Known Issues

None

Reviewer Assignee

None

Rebits commented Jun 13, 2024

To align with the current structure of the E2E UX tests, the following description has been proposed in collaboration with @rafabailon:

- Configure AWS Security Hub in a Wazuh Manager and a Wazuh Agent.  
- Generate Amazon Security Hub alerts. Check that generated alerts appear on the dashboard.
- Use [discard_regex option](https://documentation-dev.wazuh.com/tag/user-manual/reference/ossec-conf/wodle-s3.html#bucket-discard-regex) to effectively discard certain types of events. 

Final Considerations Regarding the Original Proposal

Original proposal: #5454 (comment)

  1. Module Description
    The detailed module description and links to .rst documentation files have been omitted as they are not standard in E2E tests.

  2. Alert Generation and Dashboard Verification
    The steps "Generate Amazon Security Hub alerts" and "Check that alerts appear on the dashboard" have been combined for clarity. The tester is expected to verify the alerts on the dashboard by default.

  3. Specific Testing Task
    The original task, "Test different configurations: Bucket, Services, and Subscribers. The documentation provides an example configuration," has been replaced with the more specific task of using the discard_regex option.

  4. Log Checking
    The step "Check the logs in ossec.log. For alerts below the alert threshold, activate debug mode," has been removed as it is not part of the official documentation. If the tester cannot integrate the module with Wazuh and logs are insufficient for troubleshooting, we should consider updating the documentation or modifying the logging messages to ensure clarity.
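An added example, not code from the Wazuh project or from anyone in this thread, that models steps 2 and 3 of the proposed description: constructed Security Hub style findings, a discard_regex-like filter over a dotted field, and the check a tester would make on what remains. The field names (aws.title, aws.severity) and the match-anywhere regex semantics are assumptions of this model, not the module's actual behaviour.

```python
import re

# Constructed Security Hub style findings after flattening to nested keys.
# Field names are assumptions used for illustration; they model, not
# reproduce, the event shape produced by the Wazuh AWS module.
SAMPLE_FINDINGS = [
    {"aws": {"source": "securityhub", "severity": "HIGH",
             "title": "CodeBuild Bitbucket source repository URL contains sensitive credentials"}},
    {"aws": {"source": "securityhub", "severity": "CRITICAL",
             "title": "S3 bucket has public read access"}},
    {"aws": {"source": "securityhub", "severity": "INFORMATIONAL",
             "title": "Informational finding from a compliance check"}},
]


def get_field(event, dotted):
    """Resolve a dotted path such as 'aws.severity' inside a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def apply_discard_regex(events, field, pattern):
    """Drop every event whose `field` matches `pattern`; events without the
    field are kept. Matching anywhere in the value (re.search) is an
    assumption of this model, not a statement about the wodle's semantics."""
    rx = re.compile(pattern)
    kept = []
    for ev in events:
        value = get_field(ev, field)
        if value is not None and rx.search(str(value)):
            continue
        kept.append(ev)
    return kept


def check_expected_alerts(forwarded, must_appear, must_not_appear):
    """Return (ok, problems): the check a tester performs on what reached the
    dashboard. Both lists hold substrings expected in (or absent from) aws.title."""
    titles = [get_field(ev, "aws.title") or "" for ev in forwarded]
    problems = []
    for needle in must_appear:
        if not any(needle in t for t in titles):
            problems.append(f"missing expected alert: {needle}")
    for needle in must_not_appear:
        if any(needle in t for t in titles):
            problems.append(f"alert should have been discarded: {needle}")
    return (not problems, problems)
```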

@juliamagan commented:

Please add some documentation links so the tester can check them to configure the module.

Rebits commented Jun 13, 2024

Done @juliamagan
