From add3527b8055e9a3b354332cdadd5b346c15a14e Mon Sep 17 00:00:00 2001 From: Petar Dzepina Date: Thu, 22 Jun 2023 03:12:54 +0200 Subject: [PATCH] Sigma Aggregation rule fixes --- .../securityanalytics/model/Rule.java | 1 + .../rules/aggregation/AggregationItem.java | 10 +++ .../rules/backend/OSQueryBackend.java | 4 +- .../rules/backend/QueryBackend.java | 1 + .../rules/objects/SigmaDetections.java | 16 ++++- .../TransportIndexDetectorAction.java | 6 +- .../securityanalytics/util/RuleIndices.java | 2 +- .../securityanalytics/TestHelpers.java | 25 +++++++ .../resthandler/DetectorRestApiIT.java | 71 +++++++++++++++++-- .../resthandler/RuleRestApiIT.java | 2 +- .../aggregation/AggregationBackendTests.java | 10 ++- .../rules/condition/ConditionTests.java | 6 +- .../rules/objects/SigmaDetectionsTests.java | 2 +- .../rules/objects/SigmaRuleTests.java | 6 +- 14 files changed, 141 insertions(+), 21 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/model/Rule.java b/src/main/java/org/opensearch/securityanalytics/model/Rule.java index fcbd95349..4131252ee 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/Rule.java +++ b/src/main/java/org/opensearch/securityanalytics/model/Rule.java @@ -481,6 +481,7 @@ public List getAggregationItemsFromRule () throws SigmaError { for (SigmaCondition condition: sigmaRule.getDetection().getParsedCondition()) { Pair parsedItems = condition.parsed(); AggregationItem aggItem = parsedItems.getRight(); + aggItem.setTimeframe(sigmaRule.getDetection().getTimeframe()); aggregationItems.add(aggItem); } return aggregationItems; diff --git a/src/main/java/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.java b/src/main/java/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.java index c25ed9b43..0d9e8ae7a 100644 --- a/src/main/java/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.java +++ b/src/main/java/org/opensearch/securityanalytics/rules/aggregation/AggregationItem.java @@ -20,6 +20,8 @@ public class AggregationItem implements Serializable { private Double threshold; + private String timeframe; + public void setAggFunction(String aggFunction) { this.aggFunction = aggFunction; } @@ -59,4 +61,12 @@ public void setThreshold(Double threshold) { public Double getThreshold() { return threshold; } + + public void setTimeframe(String timeframe) { + this.timeframe = timeframe; + } + + public String getTimeframe() { + return timeframe; + } } \ No newline at end of file diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java index 004c9d146..7e0be9ddc 100644 --- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java +++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java @@ -381,10 +381,10 @@ public AggregationQueries convertAggregation(AggregationItem aggregation) { fmtAggQuery = String.format(Locale.getDefault(), aggCountQuery, "result_agg", aggregation.getGroupByField()); } aggBuilder.field(fieldName); - fmtBucketTriggerQuery = String.format(Locale.getDefault(), bucketTriggerQuery, "_cnt", "_cnt", "result_agg", "_cnt", aggregation.getCompOperator(), aggregation.getThreshold()); + fmtBucketTriggerQuery = String.format(Locale.getDefault(), bucketTriggerQuery, "_cnt", "_count", "result_agg", "_cnt", aggregation.getCompOperator(), aggregation.getThreshold()); Script script = new Script(String.format(Locale.getDefault(), bucketTriggerScript, "_cnt", aggregation.getCompOperator(), aggregation.getThreshold())); - condition = new BucketSelectorExtAggregationBuilder(bucketTriggerSelectorId, Collections.singletonMap("_cnt", "_cnt"), script, "result_agg", null); + condition = new BucketSelectorExtAggregationBuilder(bucketTriggerSelectorId, Collections.singletonMap("_cnt", "_count"), script, "result_agg", null); } else { fmtAggQuery = String.format(Locale.getDefault(), aggQuery, "result_agg", aggregation.getGroupByField(), aggregation.getAggField(), aggregation.getAggFunction(), aggregation.getAggField()); fmtBucketTriggerQuery = String.format(Locale.getDefault(), bucketTriggerQuery, aggregation.getAggField(), aggregation.getAggField(), "result_agg", aggregation.getAggField(), aggregation.getCompOperator(), aggregation.getThreshold()); diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java index 8a3e4d17c..c63dce05d 100644 --- a/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java +++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java @@ -97,6 +97,7 @@ public List convertRule(SigmaRule rule) throws SigmaError { } queries.add(query); if (aggItem != null) { + aggItem.setTimeframe(rule.getDetection().getTimeframe()); queries.add(convertAggregation(aggItem)); } } diff --git a/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetections.java b/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetections.java index 235a7df9b..7937ac9fd 100644 --- a/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetections.java +++ b/src/main/java/org/opensearch/securityanalytics/rules/objects/SigmaDetections.java @@ -21,11 +21,14 @@ public class SigmaDetections { private List condition; + private String timeframe; + private List parsedCondition; - public SigmaDetections(Map detections, List condition) throws SigmaDetectionError { + public SigmaDetections(Map detections, List condition, String timeframe) throws SigmaDetectionError { this.detections = detections; this.condition = condition; + this.timeframe = timeframe; if (this.detections.isEmpty()) { throw new SigmaDetectionError("No detections defined in Sigma rule"); @@ -55,7 +58,12 @@ protected static SigmaDetections fromDict(Map detectionMap) thro } } - return new SigmaDetections(detections, conditionList); + String timeframe = null; + if (detectionMap.containsKey("timeframe")) { + timeframe = detectionMap.get("timeframe").toString(); + } + + return new SigmaDetections(detections, conditionList, timeframe); } public Map getDetections() { @@ -69,4 +77,8 @@ public List getCondition() { public List getParsedCondition() { return parsedCondition; } + + public String getTimeframe() { + return timeframe; + } } \ No newline at end of file diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java index ecda06469..71c383249 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java @@ -90,6 +90,7 @@ import org.opensearch.securityanalytics.model.DetectorTrigger; import org.opensearch.securityanalytics.model.Rule; import org.opensearch.securityanalytics.model.Value; +import org.opensearch.securityanalytics.rules.aggregation.AggregationItem; import org.opensearch.securityanalytics.rules.backend.OSQueryBackend; import org.opensearch.securityanalytics.rules.backend.OSQueryBackend.AggregationQueries; import org.opensearch.securityanalytics.rules.backend.QueryBackend; @@ -784,7 +785,8 @@ private IndexMonitorRequest createBucketLevelMonitorRequest( List indices = detector.getInputs().get(0).getIndices(); - AggregationQueries aggregationQueries = queryBackend.convertAggregation(rule.getAggregationItemsFromRule().get(0)); + AggregationItem aggItem = rule.getAggregationItemsFromRule().get(0); + AggregationQueries aggregationQueries = queryBackend.convertAggregation(aggItem); SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder() .seqNoAndPrimaryTerm(true) @@ -814,7 +816,7 @@ private IndexMonitorRequest createBucketLevelMonitorRequest( ? new BoolQueryBuilder() : QueryBuilders.boolQuery().must(searchSourceBuilder.query()); RangeQueryBuilder timeRangeFilter = QueryBuilders.rangeQuery(TIMESTAMP_FIELD_ALIAS) - .gt("{{period_end}}||-1h") + .gt("{{period_end}}||-" + aggItem.getTimeframe()) .lte("{{period_end}}") .format("epoch_millis"); boolQueryBuilder.must(timeRangeFilter); diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java index 53c0a516f..900ba9247 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java @@ -295,7 +295,7 @@ private List getQueries(QueryBackend backend, String category, List(queryFieldNames), ruleStr ); diff --git a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java index a361c5394..fac9cc7a3 100644 --- a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java +++ b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java @@ -349,6 +349,7 @@ public static String productIndexMaxAggRule() { public static String randomProductDocument(){ return "{\n" + + " \"name\": \"laptop\",\n" + " \"fieldA\": 123,\n" + " \"mappedB\": 111,\n" + " \"fieldC\": \"valueC\"\n" + @@ -560,6 +561,9 @@ public static String netFlowMappings() { public static String productIndexMapping(){ return "\"properties\":{\n" + + " \"name\":{\n" + + " \"type\":\"keyword\"\n" + + " },\n" + " \"fieldA\":{\n" + " \"type\":\"long\"\n" + " },\n" + @@ -588,6 +592,7 @@ public static String productIndexAvgAggRule(){ " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: 123\n" + " fieldB: 111\n" + @@ -595,6 +600,24 @@ public static String productIndexAvgAggRule(){ " condition: sel | avg(fieldA) by fieldC > 110"; } + public static String productIndexCountAggRule(){ + return " title: Test\n" + + " id: 39f918f3-981b-4e6f-a975-8af7e507ef2b\n" + + " status: test\n" + + " level: critical\n" + + " description: Detects QuarksPwDump clearing access history in hive\n" + + " author: Florian Roth\n" + + " date: 2017/05/15\n" + + " logsource:\n" + + " category: test_category\n" + + " product: test_product\n" + + " detection:\n" + + " timeframe: 5m\n" + + " sel:\n" + + " name: laptop\n" + + " condition: sel | count(*) by name > 2"; + } + public static String randomAggregationRule(String aggFunction, String signAndValue) { String rule = "title: Remote Encrypting File System Abuse\n" + "id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" + @@ -616,6 +639,7 @@ public static String randomAggregationRule(String aggFunction, String signAndVa " category: application\n" + " definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" + "detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " Opcode: Info\n" + " condition: sel | %s(SeverityValue) by Version %s\n" + @@ -646,6 +670,7 @@ public static String randomAggregationRule(String aggFunction, String signAndVa " category: application\n" + " definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" + "detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " Opcode: %s\n" + " condition: sel | %s(SeverityValue) by Version %s\n" + diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java index ff5ff9849..bbaf4cd6d 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java @@ -38,6 +38,7 @@ import java.util.stream.Collectors; import org.opensearch.securityanalytics.model.DetectorTrigger; +import static org.junit.Assert.assertNotNull; import static org.opensearch.securityanalytics.TestHelpers.*; import static org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings.ENABLE_WORKFLOW_USAGE; @@ -182,7 +183,7 @@ public void test_searchDetectors_detectorsIndexNotExists() throws IOException { HttpEntity requestEntity = new StringEntity(request, ContentType.APPLICATION_JSON); Response searchResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + "_search", Collections.emptyMap(), requestEntity); Map searchResponseBody = asMap(searchResponse); - Assert.assertNotNull("response is not null", searchResponseBody); + assertNotNull("response is not null", searchResponseBody); Map searchResponseHits = (Map) searchResponseBody.get("hits"); Map searchResponseTotal = (Map) searchResponseHits.get("total"); Assert.assertEquals(0, searchResponseTotal.get("value")); @@ -409,7 +410,7 @@ public void testGettingADetector() throws IOException { Response getResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + createdId, Collections.emptyMap(), null); Map responseBody = asMap(getResponse); Assert.assertEquals(createdId, responseBody.get("_id")); - Assert.assertNotNull(responseBody.get("detector")); + assertNotNull(responseBody.get("detector")); String detectorTypeInResponse = (String) ((Map)responseBody.get("detector")).get("detector_type"); Assert.assertEquals("Detector type incorrect", randomDetectorType().toLowerCase(Locale.ROOT), detectorTypeInResponse); @@ -445,7 +446,7 @@ public void testSearchingDetectors() throws IOException { HttpEntity requestEntity = new StringEntity(queryJson, ContentType.APPLICATION_JSON); Response searchResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + "_search", Collections.emptyMap(), requestEntity); Map searchResponseBody = asMap(searchResponse); - Assert.assertNotNull("response is not null", searchResponseBody); + assertNotNull("response is not null", searchResponseBody); Map searchResponseHits = (Map) searchResponseBody.get("hits"); Map searchResponseTotal = (Map) searchResponseHits.get("total"); Assert.assertEquals(1, searchResponseTotal.get("value")); @@ -613,11 +614,73 @@ public void testCreatingADetectorWithAggregationRules() throws IOException { HashMap docLevelQuery = (HashMap) ((List) finding.get("queries")).get(0); String ruleId = docLevelQuery.get("id").toString(); // Verify if the rule id in bucket level finding is the same as rule used for bucket monitor creation - assertEquals(customAvgRuleId, ruleId); + Assert.assertEquals(customAvgRuleId, ruleId); + Response getResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), null); + String getDetectorResponseString = new String(getResponse.getEntity().getContent().readAllBytes()); + Assert.assertTrue(getDetectorResponseString.contains(ruleId)); + } + + public void testAggRuleCount() throws IOException { + String index = createTestIndex(randomIndex(), productIndexMapping()); + + String customAggRule = createRule(productIndexCountAggRule()); + + DetectorInput input = new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(customAggRule)), + getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList())); + Detector detector = randomDetectorWithInputs(List.of(input)); + + Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); + Assert.assertEquals("Create detector failed", RestStatus.CREATED, restStatus(createResponse)); + + Map responseBody = asMap(createResponse); + String detectorId = responseBody.get("_id").toString(); + + String request = "{\n" + + " \"query\" : {\n" + + " \"match\":{\n" + + " \"_id\": \"" + detectorId + "\"\n" + + " }\n" + + " }\n" + + "}"; + List hits = executeSearch(Detector.DETECTORS_INDEX, request); + SearchHit hit = hits.get(0); + + Map detectorAsMap = (Map) hit.getSourceAsMap().get("detector"); + + String bucketLevelMonitorId = ((List) (detectorAsMap).get("monitor_id")).get(1); + // condition: sel | count(*) by name > 2 + indexDoc(index, "1", randomProductDocument()); + indexDoc(index, "2", randomProductDocument()); + // Verify that 2 documents aren't enough to satisfy trigger condition + Map executeResults = entityAsMap(executeAlertingMonitor(bucketLevelMonitorId, Collections.emptyMap())); + Map trigger = (Map) ((Map)executeResults.get("trigger_results")).entrySet().iterator().next().getValue(); + assertEquals(0, ((Map)(trigger.get("agg_result_buckets"))).size() ); + // 3 will be fine + indexDoc(index, "3", randomProductDocument()); + + executeResults = entityAsMap(executeAlertingMonitor(bucketLevelMonitorId, Collections.emptyMap())); + trigger = (Map) ((Map)executeResults.get("trigger_results")).entrySet().iterator().next().getValue(); + assertEquals(1, ((Map)(trigger.get("agg_result_buckets"))).size() ); + // verify bucket level monitor findings + Map params = new HashMap<>(); + params.put("detector_id", detectorId); + Response getFindingsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.FINDINGS_BASE_URI + "/_search", params, null); + Map getFindingsBody = entityAsMap(getFindingsResponse); + assertNotNull(getFindingsBody); + Assert.assertEquals(1, getFindingsBody.get("total_findings")); + List findings = (List) getFindingsBody.get("findings"); + Assert.assertEquals(findings.size(), 1); + HashMap finding = (HashMap) findings.get(0); + Assert.assertTrue(finding.containsKey("queries")); + HashMap docLevelQuery = (HashMap) ((List) finding.get("queries")).get(0); + String ruleId = docLevelQuery.get("id").toString(); + // Verify if the rule id in bucket level finding is the same as rule used for bucket monitor creation + Assert.assertEquals(customAggRule, ruleId); Response getResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), null); String getDetectorResponseString = new String(getResponse.getEntity().getContent().readAllBytes()); Assert.assertTrue(getDetectorResponseString.contains(ruleId)); } + public void testUpdateADetector() throws IOException { String index = createTestIndex(randomIndex(), windowsIndexMapping()); diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java index 9a483b9e4..2e1121d7a 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java @@ -149,7 +149,7 @@ public void testCreatingAggregationRule() throws SigmaError, IOException { Rule result = Rule.docParse(xcp, null, null); Assert.assertEquals(1, result.getAggregationQueries().size()); - String expected = "{\"aggQuery\":\"{\\\"result_agg\\\":{\\\"terms\\\":{\\\"field\\\":\\\"_index\\\"}}}\",\"bucketTriggerQuery\":\"{\\\"buckets_path\\\":{\\\"_cnt\\\":\\\"_cnt\\\"},\\\"parent_bucket_path\\\":\\\"result_agg\\\",\\\"script\\\":{\\\"source\\\":\\\"params._cnt > 1.0\\\",\\\"lang\\\":\\\"painless\\\"}}\"}"; + String expected = "{\"aggQuery\":\"{\\\"result_agg\\\":{\\\"terms\\\":{\\\"field\\\":\\\"_index\\\"}}}\",\"bucketTriggerQuery\":\"{\\\"buckets_path\\\":{\\\"_cnt\\\":\\\"_count\\\"},\\\"parent_bucket_path\\\":\\\"result_agg\\\",\\\"script\\\":{\\\"source\\\":\\\"params._cnt > 1.0\\\",\\\"lang\\\":\\\"painless\\\"}}\"}"; Assert.assertEquals(expected, result.getAggregationQueries().get(0).getValue()); } diff --git a/src/test/java/org/opensearch/securityanalytics/rules/aggregation/AggregationBackendTests.java b/src/test/java/org/opensearch/securityanalytics/rules/aggregation/AggregationBackendTests.java index 43db549c8..395f15a79 100644 --- a/src/test/java/org/opensearch/securityanalytics/rules/aggregation/AggregationBackendTests.java +++ b/src/test/java/org/opensearch/securityanalytics/rules/aggregation/AggregationBackendTests.java @@ -36,6 +36,7 @@ public void testCountAggregation() throws SigmaError, IOException { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + @@ -50,7 +51,7 @@ public void testCountAggregation() throws SigmaError, IOException { String bucketTriggerQuery = aggQueries.getBucketTriggerQuery(); Assert.assertEquals("{\"result_agg\":{\"terms\":{\"field\":\"_index\"}}}", aggQuery); - Assert.assertEquals("{\"buckets_path\":{\"_cnt\":\"_cnt\"},\"parent_bucket_path\":\"result_agg\",\"script\":{\"source\":\"params._cnt > 1.0\",\"lang\":\"painless\"}}", bucketTriggerQuery); + Assert.assertEquals("{\"buckets_path\":{\"_cnt\":\"_count\"},\"parent_bucket_path\":\"result_agg\",\"script\":{\"source\":\"params._cnt > 1.0\",\"lang\":\"painless\"}}", bucketTriggerQuery); } public void testCountAggregationWithGroupBy() throws IOException, SigmaError { @@ -67,6 +68,7 @@ public void testCountAggregationWithGroupBy() throws IOException, SigmaError { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + @@ -81,7 +83,7 @@ public void testCountAggregationWithGroupBy() throws IOException, SigmaError { String bucketTriggerQuery = aggQueries.getBucketTriggerQuery(); Assert.assertEquals("{\"result_agg\":{\"terms\":{\"field\":\"fieldB\"}}}", aggQuery); - Assert.assertEquals("{\"buckets_path\":{\"_cnt\":\"_cnt\"},\"parent_bucket_path\":\"result_agg\",\"script\":{\"source\":\"params._cnt > 1.0\",\"lang\":\"painless\"}}", bucketTriggerQuery); + Assert.assertEquals("{\"buckets_path\":{\"_cnt\":\"_count\"},\"parent_bucket_path\":\"result_agg\",\"script\":{\"source\":\"params._cnt > 1.0\",\"lang\":\"painless\"}}", bucketTriggerQuery); } public void testSumAggregationWithGroupBy() throws IOException, SigmaError { @@ -98,6 +100,7 @@ public void testSumAggregationWithGroupBy() throws IOException, SigmaError { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + @@ -132,6 +135,7 @@ public void testMinAggregationWithGroupBy() throws IOException, SigmaError { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + @@ -163,6 +167,7 @@ public void testMaxAggregationWithGroupBy() throws IOException, SigmaError { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + @@ -194,6 +199,7 @@ public void testAvgAggregationWithGroupBy() throws IOException, SigmaError { " category: test_category\n" + " product: test_product\n" + " detection:\n" + + " timeframe: 5m\n" + " sel:\n" + " fieldA: valueA\n" + " fieldB: valueB\n" + diff --git a/src/test/java/org/opensearch/securityanalytics/rules/condition/ConditionTests.java b/src/test/java/org/opensearch/securityanalytics/rules/condition/ConditionTests.java index 5d778406e..cd1f2d969 100644 --- a/src/test/java/org/opensearch/securityanalytics/rules/condition/ConditionTests.java +++ b/src/test/java/org/opensearch/securityanalytics/rules/condition/ConditionTests.java @@ -345,7 +345,7 @@ private SigmaDetections sigmaSimpleDetections() throws SigmaError { detections.put("other", other); - return new SigmaDetections(detections, Collections.emptyList()); + return new SigmaDetections(detections, Collections.emptyList(), null); } private SigmaDetections sigmaDetections() throws SigmaError { @@ -394,7 +394,7 @@ private SigmaDetections sigmaDetections() throws SigmaError { SigmaDetection detection7 = new SigmaDetection(List.of(Either.left(detectionItem11)), null); detections.put("empty-field", detection7); - return new SigmaDetections(detections, Collections.emptyList()); + return new SigmaDetections(detections, Collections.emptyList(), null); } private SigmaDetections sigmaInvalidDetections() throws SigmaError { @@ -405,6 +405,6 @@ private SigmaDetections sigmaInvalidDetections() throws SigmaError { SigmaDetection detection = new SigmaDetection(List.of(Either.left(detectionItem)), null); detections.put("null-keyword", detection); - return new SigmaDetections(detections, Collections.emptyList()); + return new SigmaDetections(detections, Collections.emptyList(), null); } } \ No newline at end of file diff --git a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java index dba65b1d0..dcab12544 100644 --- a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java +++ b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaDetectionsTests.java @@ -50,7 +50,7 @@ public void testSigmaDetectionsFromDict() throws SigmaError{ SigmaDetection detection = new SigmaDetection(List.of(Either.left(detectionItem1), Either.left(detectionItem2), Either.left(detectionItem4)), Either.right(ConditionOR.class)); - SigmaDetections expectedSigmaDetections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection")); + SigmaDetections expectedSigmaDetections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection"), null); Assert.assertEquals(expectedSigmaDetections.getCondition().size(), actualSigmaDetections.getCondition().size()); Assert.assertEquals(expectedSigmaDetections.getCondition().get(0), actualSigmaDetections.getCondition().get(0)); diff --git a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaRuleTests.java b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaRuleTests.java index 385d31ecb..2246404e5 100644 --- a/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaRuleTests.java +++ b/src/test/java/org/opensearch/securityanalytics/rules/objects/SigmaRuleTests.java @@ -134,7 +134,7 @@ public void testSigmaRuleNoneToList() throws SigmaRegularExpressionError, SigmaV SigmaDetection detection = new SigmaDetection(Collections.singletonList(Either.left(detectionItem)), Either.right(ConditionOR.class)); - SigmaDetections detections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection")); + SigmaDetections detections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection"), null); SigmaRule rule = new SigmaRule("Test", logSource, detections, null, null, null, null, null, null, null, null, null, null, null); @@ -195,7 +195,7 @@ public void testSigmaRuleFromYaml() throws SigmaError, ParseException { public void testEmptyDetection() { Exception exception = assertThrows(SigmaDetectionError.class, () -> { - new SigmaDetections(Collections.emptyMap(), Collections.emptyList()); + new SigmaDetections(Collections.emptyMap(), Collections.emptyList(), null); }); String expectedMessage = "No detections defined in Sigma rule"; @@ -216,7 +216,7 @@ private SigmaRule sigmaRule() throws SigmaRegularExpressionError, SigmaValueErro SigmaDetection detection = new SigmaDetection(List.of(Either.left(detectionItem1), Either.left(detectionItem2), Either.left(detectionItem4)), Either.right(ConditionOR.class)); - SigmaDetections detections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection")); + SigmaDetections detections = new SigmaDetections(Collections.singletonMap("selection", detection), Collections.singletonList("selection"), null); SimpleDateFormat formatter = new SimpleDateFormat("yyyy/MM/dd", Locale.getDefault()); Date ruleDate = formatter.parse("2017/05/15");