import pytest
from sigma.pipelines.common import (
windows_logsource_mapping,
logsource_linux_network_connection,
logsource_linux_file_create,
logsource_linux_process_creation,
logsource_windows_dns_query,
logsource_windows_file_change,
logsource_windows_file_event,
logsource_windows_network_connection,
logsource_windows_network_connection_initiated,
logsource_windows_process_creation,
logsource_windows_registry_add,
logsource_windows_registry_delete,
logsource_windows_registry_event,
logsource_windows_registry_set,
logsource_windows_file_delete,
logsource_windows_file_access,
logsource_windows_file_rename,
logsource_windows_image_load,
logsource_windows_pipe_created,
logsource_windows_ps_classic_start,
logsource_windows_ps_module,
logsource_windows_ps_script,
logsource_windows_process_access,
logsource_windows_raw_access_thread,
logsource_windows_wmi_event,
logsource_windows_driver_load,
logsource_windows_create_stream_hash,
logsource_windows_create_remote_thread,
logsource_macos_process_creation,
logsource_macos_file_create,
logsource_azure_riskdetection,
logsource_azure_pim,
logsource_azure_auditlogs,
logsource_azure_azureactivity,
logsource_azure_signinlogs,
logsource_linux,
logsource_macos,
logsource_windows,
generate_windows_logsource_items,
logsource_category,
)
from sigma.processing.conditions import (
LogsourceCondition,
RuleContainsDetectionItemCondition,
)
from sigma.processing.pipeline import ProcessingItem
from sigma.processing.transformations import AddConditionTransformation
def test_windows_logsource_mapping():
    """Sanity-check the shared Windows service-to-channel mapping.

    The mapping must be a plain dict with a reasonable number of entries and
    must contain the canonical ``security`` -> ``Security`` pair that the
    generator test below relies on for its first item.
    """
    mapping = windows_logsource_mapping
    assert isinstance(mapping, dict)
    # Only a lower bound is pinned so that adding new services does not break the test.
    assert len(mapping) > 15
    assert mapping["security"] == "Security"
@pytest.mark.parametrize(
    "func,service,product",
    [
        (logsource_windows, "test", "windows"),
        (logsource_linux, "test", "linux"),
        (logsource_macos, "test", "macos"),
    ],
)
def test_generic_service_sources(func, service, product):
    """Each per-OS service helper yields a service+product LogsourceCondition."""
    expected = LogsourceCondition(service=service, product=product)
    assert func(service) == expected
# Category helpers grouped by product; insertion order is kept so the
# generated parameter sets match the order used elsewhere in this module.
_CATEGORY_LOGSOURCE_HELPERS = {
    "windows": [
        (logsource_windows_process_creation, "process_creation"),
        (logsource_windows_registry_add, "registry_add"),
        (logsource_windows_registry_set, "registry_set"),
        (logsource_windows_registry_delete, "registry_delete"),
        (logsource_windows_registry_event, "registry_event"),
        (logsource_windows_file_change, "file_change"),
        (logsource_windows_file_event, "file_event"),
        (logsource_windows_network_connection, "network_connection"),
        (logsource_windows_dns_query, "dns_query"),
        (logsource_windows_file_delete, "file_delete"),
        (logsource_windows_file_access, "file_access"),
        (logsource_windows_file_rename, "file_rename"),
        (logsource_windows_image_load, "image_load"),
        (logsource_windows_pipe_created, "pipe_created"),
        (logsource_windows_ps_classic_start, "ps_classic_start"),
        (logsource_windows_ps_module, "ps_module"),
        (logsource_windows_ps_script, "ps_script"),
        (logsource_windows_process_access, "process_access"),
        (logsource_windows_raw_access_thread, "raw_access_thread"),
        (logsource_windows_wmi_event, "wmi_event"),
        (logsource_windows_driver_load, "driver_load"),
        (logsource_windows_create_stream_hash, "create_stream_hash"),
        (logsource_windows_create_remote_thread, "create_remote_thread"),
    ],
    "linux": [
        (logsource_linux_process_creation, "process_creation"),
        (logsource_linux_network_connection, "network_connection"),
        (logsource_linux_file_create, "file_create"),
    ],
    "macos": [
        (logsource_macos_process_creation, "process_creation"),
        (logsource_macos_file_create, "file_create"),
    ],
    "azure": [
        (logsource_azure_riskdetection, "riskdetection"),
        (logsource_azure_pim, "pim"),
        (logsource_azure_auditlogs, "auditlogs"),
        (logsource_azure_azureactivity, "azureactivity"),
        (logsource_azure_signinlogs, "signinlogs"),
    ],
}


@pytest.mark.parametrize(
    "func,category,product",
    [
        (func, category, product)
        for product, helpers in _CATEGORY_LOGSOURCE_HELPERS.items()
        for func, category in helpers
    ],
)
def test_generic_log_sources(func, category, product):
    """Each zero-argument category helper yields a category+product LogsourceCondition.

    A wrong category or product here would silently route rules to the
    wrong pipeline branch, so every helper is pinned individually.
    """
    expected = LogsourceCondition(category=category, product=product)
    assert func() == expected
@pytest.mark.parametrize(
    "initiated,result",
    [(True, "true"), (False, "false")],
)
def test_logsource_windows_network_connection_initiated(initiated, result):
    """The boolean flag is rendered as the lower-case string value used in rules."""
    condition = logsource_windows_network_connection_initiated(initiated)
    expected = RuleContainsDetectionItemCondition(field="Initiated", value=result)
    assert condition == expected
def test_generate_windows_logsource_items():
    """generate_windows_logsource_items expands the Windows mapping into processing items.

    Two properties are checked: the first item carries the ``security``
    channel as a plain string, and every service that maps to several
    channels is emitted as a list inside its AddConditionTransformation.
    """
    items = generate_windows_logsource_items("logsource", "Windows:{source}", "test-{service}")

    expected_first = ProcessingItem(
        identifier="test-security",
        transformation=AddConditionTransformation({"logsource": "Windows:Security"}),
        rule_conditions=[logsource_windows("security")],
    )
    assert items[0] == expected_first

    # Identifiers of services whose mapping value is a list of channels.
    multi_channel_names = {
        f"test-{service}"
        for service, source in windows_logsource_mapping.items()
        if isinstance(source, list)
    }
    # If no multi-channel entries remain in the mapping, the rest of this
    # test is obsolete and should be removed rather than silently skipped.
    assert multi_channel_names

    multi_channel_items = {
        item.identifier: item
        for item in items
        if item.identifier in multi_channel_names
    }
    assert len(multi_channel_items) == len(multi_channel_names)

    powershell_item = multi_channel_items["test-powershell"]
    assert powershell_item.transformation == AddConditionTransformation(
        {
            "logsource": [
                "Windows:Microsoft-Windows-PowerShell/Operational",
                "Windows:PowerShellCore/Operational",
            ]
        }
    )
def test_logsource_category():
    """logsource_category builds a category-only condition with no product or service."""
    expected = LogsourceCondition(category="test")
    assert logsource_category("test") == expected