Added more sentinelasim tests
slincoln-aiq committed Sep 24, 2024
1 parent 5b8b11f commit 8f5c04e
Showing 1 changed file with 119 additions and 14 deletions.
133 changes: 119 additions & 14 deletions tests/test_pipelines_sentinelasim.py
@@ -1,24 +1,129 @@
import pytest

from sigma.backends.kusto import KustoBackend
from sigma.collection import SigmaCollection
from sigma.backends.kusto import KustoBackend
from sigma.pipelines.sentinelasim import sentinel_asim_pipeline
from sigma.exceptions import SigmaTransformationError

def test_sentinel_asim_process_creation_field_mapping():
assert (
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml(
"""
title: Test Process Creation
status: test
logsource:
category: process_creation
product: windows
detection:
sel:
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: whoami
User: SYSTEM
ProcessId: 1234
condition: sel
"""
)
)
== ["imProcessCreate\n| where TargetProcessName =~ \"C:\\\\Windows\\\\System32\\\\cmd.exe\" and TargetProcessCommandLine =~ \"whoami\" and TargetUsername =~ \"SYSTEM\" and TargetProcessId == 1234"]
)

def test_sentinel_asim_basic_conversion():
"""Tests splitting username up into different fields if it includes a domain"""
assert KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml("""
title: Test
def test_sentinel_asim_network_connection_field_mapping():
assert (
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml(
"""
title: Test Network Connection
status: test
logsource:
category: network_connection
product: windows
detection:
sel:
DestinationIp: 8.8.8.8
DestinationPort: 53
Protocol: udp
condition: sel
"""
)
)
== ["imNetworkSession\n| where DstIpAddr =~ \"8.8.8.8\" and DstPortNumber == 53 and NetworkProtocol =~ \"udp\""]
)

def test_sentinel_asim_registry_event_field_mapping():
assert (
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml(
"""
title: Test Registry Event
status: test
logsource:
category: registry_event
product: windows
detection:
sel:
TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
EventType: SetValue
condition: sel
"""
)
)
== ["imRegistry\n| where RegistryKey =~ \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" and EventType =~ \"RegistryValueSet\""]
)

def test_sentinel_asim_custom_table():
assert (
KustoBackend(processing_pipeline=sentinel_asim_pipeline(query_table="imFileEvent")).convert(
SigmaCollection.from_yaml(
"""
title: Test Custom Table
status: test
logsource:
category: process_creation
product: windows
detection:
sel:
Image: malware.exe
condition: sel
"""
)
)
== ["imFileEvent\n| where TargetFilePath =~ \"malware.exe\""]
)

def test_sentinel_asim_unsupported_field():
with pytest.raises(SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered: UnsupportedField"):
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml(
"""
title: Test Unsupported Field
status: test
logsource:
category: process_creation
product: windows
detection:
sel1:
CommandLine: command1
condition: any of sel*
""")
) == ['imProcessCreate\n| '
'where TargetProcessCommandLine =~ "command1"']

sel:
UnsupportedField: value
condition: sel
"""
)
)

def test_sentinel_asim_file_event():
assert (
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert(
SigmaCollection.from_yaml(
"""
title: Test File Event
status: test
logsource:
category: file_event
product: windows
detection:
sel:
Image: C:\\Windows\\explorer.exe
condition: sel
"""
)
)
== ["imFileEvent\n| where TargetFilePath =~ \"C:\\\\Windows\\\\explorer.exe\""]
)
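Review bot: None of the five new test functions (test_sentinel_asim_network_connection_field_mapping through test_sentinel_asim_file_event) carries a docstring, although the test this hunk appears to replace documented what it checked; the non-obvious expectations deserve one, e.g. on the registry test `"""HKLM prefix is expanded to HKEY_LOCAL_MACHINE and SetValue maps to RegistryValueSet."""` and on the custom-table test `"""query_table overrides the category table and its field mapping (Image -> TargetFilePath)."""`. Every test also rebuilds `KustoBackend(processing_pipeline=sentinel_asim_pipeline())` inline; a module-level fixture such as `@pytest.fixture` / `def asim_backend():` / `    return KustoBackend(processing_pipeline=sentinel_asim_pipeline())` would remove the duplication and leave only the custom-table test constructing its own backend. If both `from sigma.backends.kusto import KustoBackend` lines near the top survive on the new side, the second is a duplicate import and should be dropped. In test_sentinel_asim_unsupported_field the `match=` argument is a regex searched with re.search, so anchoring it (`match=r"^Invalid SigmaDetectionItem field name encountered: UnsupportedField$"`) would make the assertion reject messages that merely contain that text.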
