diff --git a/stream_alert/rule_processor/rules_engine.py b/stream_alert/rule_processor/rules_engine.py
index 291251460..98ef18c7a 100644
--- a/stream_alert/rule_processor/rules_engine.py
+++ b/stream_alert/rule_processor/rules_engine.py
@@ -195,7 +195,7 @@ def match_types_helper(cls, record, normalized_types, datatypes):
 Args:
 record (dict): Parsed data
 normalized_types (dict): Normalized types
- datatypes (list): normalized types users interested in.
+ datatypes (list): Normalized types users interested in

 Returns:
 (dict): A dict of normalized_types with original key names
@@ -219,6 +219,15 @@ def update(cls, results, parent_key, nested_results):
 """Update nested_results by inserting parent key to beginning of list.
 Also combine results and nested_results into one dictionary

+ Args:
+ results (dict): A dict of normalized_types with original key names
+ parent_key (str): Parent key of values in nested_results. The values in nested_results are original keys of normalized types.
+ nested_results (dict): A dict of normalized_types from nested record
+ Returns:
+ (dict): A dict of normalized_types with original key names
+
 Example 1:
 results = {
 'ipv4': [['key1']]
diff --git a/tests/unit/stream_alert_rule_processor/test_rule_helpers.py b/tests/unit/stream_alert_rule_processor/test_rule_helpers.py
index d0a5c4e1c..81531dbc0 100644
--- a/tests/unit/stream_alert_rule_processor/test_rule_helpers.py
+++ b/tests/unit/stream_alert_rule_processor/test_rule_helpers.py
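Review bot: The new Returns entry in the `update` docstring repeats the description given for `results` and does not say whether `results` is modified in place or a fresh dict is handed back, which is the one thing a caller of a "combine two dicts" helper needs to know; the body of `update` lies outside this hunk, so I cannot tell which it is. Replace the Returns line with something like `(dict): results with the entries of nested_results merged in, each nested key path prefixed with parent_key` and state explicitly whether `results` itself is mutated. The `parent_key (str)` annotation matches the string keys in Example 1, but if nested records can be reached through non-string keys (list indices, for instance) the type should say so — worth confirming against the callers of `update`.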
@@ -77,49 +77,49 @@ def test_in_network():
 def test_fetch_values_by_datatype():
 """Helpers - Fetch values from a record by normalized type"""
 rec = {
- u'account': 12345,
- u'region': '123456123456',
- u'detail': {
- u'eventVersion': u'...',
- u'eventID': u'...',
- u'eventTime': u'...',
- u'additionalEventData': {
- u'MFAUsed': u'Yes',
- u'LoginTo': u'...',
- u'MobileVersion': u'No'
+ 'account': 12345,
+ 'region': '123456123456',
+ 'detail': {
+ 'eventVersion': '...',
+ 'eventID': '...',
+ 'eventTime': '...',
+ 'additionalEventData': {
+ 'MFAUsed': 'Yes',
+ 'LoginTo': '...',
+ 'MobileVersion': 'No'
 },
- u'requestParameters': None,
- u'eventType': u'AwsConsoleSignIn',
- u'responseElements': {
- u'ConsoleLogin': u'...'
+ 'requestParameters': None,
+ 'eventType': 'AwsConsoleSignIn',
+ 'responseElements': {
+ 'ConsoleLogin': '...'
 },
- u'awsRegion': u'...',
- u'eventName': u'ConsoleLogin',
- u'userIdentity': {
- u'userName': u'alice',
- u'type': u'Root',
- u'principalId': u'12345',
- u'arn': u'arn:aws:iam::12345:root',
- u'accountId': u'12345'
+ 'awsRegion': '...',
+ 'eventName': 'ConsoleLogin',
+ 'userIdentity': {
+ 'userName': 'alice',
+ 'type': 'Root',
+ 'principalId': '12345',
+ 'arn': 'arn:aws:iam::12345:root',
+ 'accountId': '12345'
 },
- u'eventSource': u'...',
- u'userAgent': u'...',
- u'sourceIPAddress': u'1.1.1.2',
- u'recipientAccountId': u'12345'
+ 'eventSource': '...',
+ 'userAgent': '...',
+ 'sourceIPAddress': '1.1.1.2',
+ 'recipientAccountId': '12345'
 },
- u'detail-type': '...',
- u'source': '1.1.1.2',
- u'version': '1.05',
+ 'detail-type': '...',
+ 'source': '1.1.1.2',
+ 'version': '1.05',
 'normalized_types': {
- 'ipv4': [[u'detail', u'sourceIPAddress'], [u'source']],
+ 'ipv4': [['detail', 'sourceIPAddress'], ['source']],
 'username': [['detail', 'userIdentity', 'userName']]
 },
- u'time': '...',
- u'id': '12345',
- u'resources': {
- u'test': u'...'
+ 'time': '...',
+ 'id': '12345',
+ 'resources': {
+ 'test': '...'
 }
 }
 assert_equal(len(base.fetch_values_by_datatype(rec, 'ipv4')), 2)
 assert_equal(len(base.fetch_values_by_datatype(rec, 'cmd')), 0)
- assert_equal(base.fetch_values_by_datatype(rec, 'username'), [u'alice'])
+ assert_equal(base.fetch_values_by_datatype(rec, 'username'), ['alice'])
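Review bot: The `ipv4` assertion at the end of the hunk only checks that two values come back, so it still passes if `fetch_values_by_datatype` walks the wrong keys as long as it returns any two of them; the `username` assertion shows the helper returns a plain list, so the values can be pinned instead: `assert_equal(base.fetch_values_by_datatype(rec, 'ipv4'), ['1.1.1.2', '1.1.1.2'])`. Because `source` and `detail.sourceIPAddress` carry the same address, the fixture also cannot tell which of the two `normalized_types` paths was actually resolved; giving `source` a distinct value such as `'source': '10.0.0.5'` and asserting both addresses (sorted, if the return order is not guaranteed) would catch a path-resolution regression in the rules engine. The `u''` removal itself is behaviour-neutral, since `u'x' == 'x'` on both Python 2 and 3.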