Updated integration tests when executing detectors to check and assert the findings

Signed-off-by: Stevan Buzejic <[email protected]>
stevanbuzejic committed Nov 15, 2022
1 parent 3e82ee3 commit 92ba4ca
Showing 4 changed files with 372 additions and 88 deletions.
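--- a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
+++ b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
@@ -486,6 +486,37 @@ public static String randomAggregationRule(String aggFunction, String signAndVa
 "level: high";
 return String.format(Locale.ROOT, rule, aggFunction, signAndValue);
 }
+
+public static String randomAggregationRule(String aggFunction, String signAndValue, String opCode) {
+String rule = "title: Remote Encrypting File System Abuse\n" +
+"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+"description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+"references:\n" +
+" - https://attack.mitre.org/tactics/TA0008/\n" +
+" - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+" - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+" - https://github.com/zeronetworks/rpcfirewall\n" +
+" - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+"tags:\n" +
+" - attack.defense_evasion\n" +
+"status: experimental\n" +
+"author: Sagie Dulce, Dekel Paz\n" +
+"date: 2022/01/01\n" +
+"modified: 2022/01/01\n" +
+"logsource:\n" +
+" product: rpc_firewall\n" +
+" category: application\n" +
+" definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+"detection:\n" +
+" sel:\n" +
+" Opcode: %s\n" +
+" condition: sel | %s(SeverityValue) by Version %s\n" +
+"falsepositives:\n" +
+" - Legitimate usage of remote file encryption\n" +
+"level: high";
+return String.format(Locale.ROOT, rule, opCode, aggFunction, signAndValue);
+}
+
 public static String windowsIndexMapping() {
 return "\"properties\": {\n" +
 " \"AccessList\": {\n" +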
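Review bot: The new three-argument `randomAggregationRule` repeats the entire rule text of the two-argument overload whose tail is visible at the top of the hunk, so the two copies will drift apart the next time someone edits the rule; if the two bodies differ only in the `Opcode:` line, the older overload could simply delegate with `return randomAggregationRule(aggFunction, signAndValue, "<opcode the two-argument version currently hard-codes>");`. The two-argument overload's body starts outside the hunk, so that equivalence is inferred from its signature and its `String.format` call only. The three `%s` placeholders are filled positionally as opCode, aggFunction, signAndValue, which is not the method's parameter order; numbered placeholders (`%1$s`, `%2$s`, `%3$s`) in the `detection:` block, or a one-line comment above the format call stating the order, would make that explicit. Both overloads also appear to emit the same fixed rule `id`, which is worth a comment on the helper since a test that registers both rules in one detector would get colliding ids.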
Expand Up @@ -154,6 +154,10 @@ public void testGetFindings_byDetectorType_success() throws IOException {
" \"partial\":true" +
"}"
);

Response response = client().performRequest(createMappingRequest);
assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());

// index 2
String index2 = createTestIndex("netflow_test", netFlowMappings());

Expand All @@ -167,7 +171,7 @@ public void testGetFindings_byDetectorType_success() throws IOException {
"}"
);

Response response = client().performRequest(createMappingRequest);
response = client().performRequest(createMappingRequest);
assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
// Detector 1 - WINDOWS
Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of())));
Expand Down Expand Up @@ -223,7 +227,7 @@ public void testGetFindings_byDetectorType_success() throws IOException {
Map<String, Object> executeResults = entityAsMap(executeResponse);

int noOfSigmaRuleMatches = ((List<Map<String, Object>>) ((Map<String, Object>) executeResults.get("input_results")).get("results")).get(0).size();
Assert.assertEquals(3, noOfSigmaRuleMatches);
Assert.assertEquals(5, noOfSigmaRuleMatches);

// execute monitor 2
executeResponse = executeAlertingMonitor(monitorId2, Collections.emptyMap());
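Review bot: The updated expectation `Assert.assertEquals(5, noOfSigmaRuleMatches);` in the third hunk is a bare magic number whose value depends on whatever `getRandomPrePackagedRules()` returns and on the document indexed earlier in the test, so the next change to the pre-packaged rule set will fail this line with no hint of why 5 is right; a comment such as `// 5 of the pre-packaged Windows rules match the indexed test document` or, better, an expected count derived from the rule list used to build detector1 would keep the assertion self-explaining. The method `testGetFindings_byDetectorType_success` starts and ends outside these hunks. As a point of style, the first hunk uses the statically imported `assertEquals` while the third uses `Assert.assertEquals`; the new status-code check is the right addition, but the file should settle on one form.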
