feat: schema changes for LR notes (#862)

kkedziak-splunk · web-flow · commit 168b91563f21 · 2024-07-03T10:04:37.000+02:00
diff --git a/pytest_splunk_addon/sample_generation/schema.xsd b/pytest_splunk_addon/sample_generation/schema.xsd
@@ -83,6 +83,7 @@
                   </xs:sequence>
                 </xs:complexType>
               </xs:element>
+              <xs:element type="xs:string" name="note" minOccurs="0" />
               <xs:element type="xs:string" name="raw"/>
               <xs:element name="cim">
                 <xs:complexType>
@@ -103,6 +104,7 @@
                                 <xs:extension base="xs:string">
                                   <xs:attribute type="xs:string" name="name" use="optional"/>
                                   <xs:attribute type="xs:string" name="value" use="optional"/>
+                                  <xs:attribute type="xs:string" name="note" use="optional"/>
                                 </xs:extension>
                               </xs:simpleContent>
                             </xs:complexType>
diff --git a/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_incorrect.xml b/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_incorrect.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+  <vendor>Microsoft</vendor>
+  <product>Sysmon</product>
+  <version id="15.0" />
+  <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+    <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+    <NONEXISTING>HELLO</NONEXISTING>
+    <source>
+      <jira id="" />
+      <comment>lab, index = * EventCode=19</comment>
+    </source>
+    <note>Some event level note!!!</note>
+    <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+    <cim>
+      <models>
+        <model>Change:Endpoint_Changes</model>
+      </models>
+      <cim_fields>
+        <field name="action" value="created" note="some field level note!!!" />
+        <field name="change_type" value="filesystem" />
+        <field name="dest" value="server1" />
+        <field name="dvc" value="server1" />
+        <field name="object_category" value="wmi" />
+        <field name="result" value="created" />
+        <field name="src" value="server1" />
+        <field name="status" value="success" />
+        <field name="user" value="Administrator" />
+        <field name="user_name" value="Administrator" />
+        <field name="vendor_product" value="Microsoft Sysmon" />
+        <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+        <field name="signature_id" value="19" />
+      </cim_fields>
+      <missing_recommended_fields>
+        <field>command</field>
+        <field>object</field>
+        <field>object_attrs</field>
+        <field>object_id</field>
+        <field>object_path</field>
+        <field>result_id</field>
+      </missing_recommended_fields>
+    </cim>
+  </event>
+</device>
diff --git a/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_notes.xml b/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_notes.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+  <vendor>Microsoft</vendor>
+  <product>Sysmon</product>
+  <version id="15.0" />
+  <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+    <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+    <source>
+      <jira id="" />
+      <comment>lab, index = * EventCode=19</comment>
+    </source>
+    <note>Some event level note!!!</note>
+    <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+    <cim>
+      <models>
+        <model>Change:Endpoint_Changes</model>
+      </models>
+      <cim_fields>
+        <field name="action" value="created" note="some field level note!!!" />
+        <field name="change_type" value="filesystem" />
+        <field name="dest" value="server1" />
+        <field name="dvc" value="server1" />
+        <field name="object_category" value="wmi" />
+        <field name="result" value="created" />
+        <field name="src" value="server1" />
+        <field name="status" value="success" />
+        <field name="user" value="Administrator" />
+        <field name="user_name" value="Administrator" />
+        <field name="vendor_product" value="Microsoft Sysmon" />
+        <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+        <field name="signature_id" value="19" />
+      </cim_fields>
+      <missing_recommended_fields>
+        <field>command</field>
+        <field>object</field>
+        <field>object_attrs</field>
+        <field>object_id</field>
+        <field>object_path</field>
+        <field>result_id</field>
+      </missing_recommended_fields>
+    </cim>
+  </event>
+</device>
diff --git a/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_without_notes.xml b/tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_without_notes.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+  <vendor>Microsoft</vendor>
+  <product>Sysmon</product>
+  <version id="15.0" />
+  <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+    <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+    <source>
+      <jira id="" />
+      <comment>lab, index = * EventCode=19</comment>
+    </source>
+    <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+    <cim>
+      <models>
+        <model>Change:Endpoint_Changes</model>
+      </models>
+      <cim_fields>
+        <field name="action" value="created" />
+        <field name="change_type" value="filesystem" />
+        <field name="dest" value="server1" />
+        <field name="dvc" value="server1" />
+        <field name="object_category" value="wmi" />
+        <field name="result" value="created" />
+        <field name="src" value="server1" />
+        <field name="status" value="success" />
+        <field name="user" value="Administrator" />
+        <field name="user_name" value="Administrator" />
+        <field name="vendor_product" value="Microsoft Sysmon" />
+        <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+        <field name="signature_id" value="19" />
+      </cim_fields>
+      <missing_recommended_fields>
+        <field>command</field>
+        <field>object</field>
+        <field>object_attrs</field>
+        <field>object_id</field>
+        <field>object_path</field>
+        <field>result_id</field>
+      </missing_recommended_fields>
+    </cim>
+  </event>
+</device>
diff --git a/tests/unit/tests_standard_lib/tests_sample_generation/test_schema.py b/tests/unit/tests_standard_lib/tests_sample_generation/test_schema.py
@@ -0,0 +1,31 @@
+import os.path
+
+import pytest
+from xmlschema import XMLSchema, XMLSchemaChildrenValidationError
+
+from pytest_splunk_addon.sample_generation.pytest_splunk_addon_data_parser import (
+    SCHEMA_PATH,
+)
+
+
+@pytest.fixture
+def validator() -> XMLSchema:
+    return XMLSchema(SCHEMA_PATH)
+
+
+def get_xml(name: str) -> str:
+    with open(os.path.join(os.path.dirname(__file__), "test_data", "xmls", name)) as fp:
+        return fp.read()
+
+
+def test_validate_schema(validator):
+    validator.validate(get_xml("lr_without_notes.xml"))
+
+
+def test_validate_schema_incorrect_event_element(validator):
+    with pytest.raises(XMLSchemaChildrenValidationError):
+        validator.validate(get_xml("lr_incorrect.xml"))
+
+
+def test_validate_schema_notes(validator):
+    validator.validate(get_xml("lr_notes.xml"))
