1 parent
5b8b11f
commit 8f5c04e
Showing
1 changed file
with
119 additions
and
14 deletions.
@@ -1,24 +1,129 @@ | ||
import pytest | ||
|
||
from sigma.backends.kusto import KustoBackend | ||
from sigma.collection import SigmaCollection | ||
from sigma.backends.kusto import KustoBackend | ||
from sigma.pipelines.sentinelasim import sentinel_asim_pipeline | ||
from sigma.exceptions import SigmaTransformationError | ||
|
||
def test_sentinel_asim_process_creation_field_mapping(): | ||
assert ( | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test Process Creation | ||
status: test | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
sel: | ||
Image: C:\\Windows\\System32\\cmd.exe | ||
CommandLine: whoami | ||
User: SYSTEM | ||
ProcessId: 1234 | ||
condition: sel | ||
""" | ||
) | ||
) | ||
== ["imProcessCreate\n| where TargetProcessName =~ \"C:\\\\Windows\\\\System32\\\\cmd.exe\" and TargetProcessCommandLine =~ \"whoami\" and TargetUsername =~ \"SYSTEM\" and TargetProcessId == 1234"] | ||
) | ||
|
||
def test_sentinel_asim_basic_conversion(): | ||
"""Tests splitting username up into different fields if it includes a domain""" | ||
assert KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml(""" | ||
title: Test | ||
def test_sentinel_asim_network_connection_field_mapping(): | ||
assert ( | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test Network Connection | ||
status: test | ||
logsource: | ||
category: network_connection | ||
product: windows | ||
detection: | ||
sel: | ||
DestinationIp: 8.8.8.8 | ||
DestinationPort: 53 | ||
Protocol: udp | ||
condition: sel | ||
""" | ||
) | ||
) | ||
== ["imNetworkSession\n| where DstIpAddr =~ \"8.8.8.8\" and DstPortNumber == 53 and NetworkProtocol =~ \"udp\""] | ||
) | ||
|
||
def test_sentinel_asim_registry_event_field_mapping(): | ||
assert ( | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test Registry Event | ||
status: test | ||
logsource: | ||
category: registry_event | ||
product: windows | ||
detection: | ||
sel: | ||
TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | ||
EventType: SetValue | ||
condition: sel | ||
""" | ||
) | ||
) | ||
== ["imRegistry\n| where RegistryKey =~ \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" and EventType =~ \"RegistryValueSet\""] | ||
) | ||
|
||
def test_sentinel_asim_custom_table(): | ||
assert ( | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline(query_table="imFileEvent")).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test Custom Table | ||
status: test | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
sel: | ||
Image: malware.exe | ||
condition: sel | ||
""" | ||
) | ||
) | ||
== ["imFileEvent\n| where TargetFilePath =~ \"malware.exe\""] | ||
) | ||
|
||
def test_sentinel_asim_unsupported_field(): | ||
with pytest.raises(SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered: UnsupportedField"): | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test Unsupported Field | ||
status: test | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
sel1: | ||
CommandLine: command1 | ||
condition: any of sel* | ||
""") | ||
) == ['imProcessCreate\n| ' | ||
'where TargetProcessCommandLine =~ "command1"'] | ||
|
||
sel: | ||
UnsupportedField: value | ||
condition: sel | ||
""" | ||
) | ||
) | ||
|
||
def test_sentinel_asim_file_event(): | ||
assert ( | ||
KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( | ||
SigmaCollection.from_yaml( | ||
""" | ||
title: Test File Event | ||
status: test | ||
logsource: | ||
category: file_event | ||
product: windows | ||
detection: | ||
sel: | ||
Image: C:\\Windows\\explorer.exe | ||
condition: sel | ||
""" | ||
) | ||
) | ||
== ["imFileEvent\n| where TargetFilePath =~ \"C:\\\\Windows\\\\explorer.exe\""] | ||
) |
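Review bot: `from sigma.backends.kusto import KustoBackend` appears twice in the import block at the top of the hunk; the rendered view has lost the add/remove markers, so if both lines survive on the new side one of them is redundant and should be dropped. The new test functions carry no docstrings, whereas the removed `test_sentinel_asim_basic_conversion` had one; each could state the mapping it pins, e.g. `"""Pin the process_creation -> imProcessCreate mapping for Image, CommandLine, User and ProcessId."""`. In `test_sentinel_asim_custom_table` the expected query maps `Image` to `TargetFilePath` under the `query_table="imFileEvent"` override although the logsource category is `process_creation`; a one-line comment such as `# the table override also selects the imFileEvent field mapping, so Image lands in TargetFilePath` would stop a reader from taking that for a bug. All five tests rebuild `KustoBackend(processing_pipeline=sentinel_asim_pipeline())` and the same logsource header inline; a small helper or pytest fixture would keep the pipeline construction in one place and leave each test showing only the fields and expected query it actually checks.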