Design the test cases for the Azure integration tests #3355

Closed
4 tasks done
CarlosRS9 opened this issue Sep 23, 2022 · 4 comments


@CarlosRS9
Contributor

CarlosRS9 commented Sep 23, 2022

Taking into account the different Tiers defined in #3332, we should list and design the different test cases we want to add for the tiers we agreed to implement.

Check the following issues to get an idea of the manual tests we want to automate:

Tasks

  • Create Azure Graph test cases
  • Create Azure Log Analytics test cases
  • Create Azure Storage test cases
  • Create Parser test cases
@jmv74211 jmv74211 changed the title from "Design the test cases for the GCP integration tests" to "Design the test cases for the Azure integration tests" on Sep 28, 2022
@nico-stefani nico-stefani self-assigned this Nov 2, 2022
@nico-stefani
Member

nico-stefani commented Nov 3, 2022

Parser Test Cases

Tier 0

  • The ossec.conf parser detects when a mandatory parameter is not present

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: graph, log_analytics and storage tags are missing in the configuration
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
    </wodle>
    Case: Graph configuration is present but there is no request tag
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
        </graph>
    </wodle>
    Case: Log Analytics configuration is present but there is no request tag
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
        </log_analytics>
    </wodle>
    Case: Storage configuration is present but there are no container tags
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        </storage>
    </wodle>
    Case: The auth_path tag is present but the tenantdomain is not for Graph
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        </graph>
    </wodle>
    Case: The tenantdomain tag is present but the auth_path is not present for Graph
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
        </graph>
    </wodle>
    Case: The auth_path tag is present but the tenantdomain is not for Log Analytics
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        </log_analytics>
    </wodle>
    Case: The tenantdomain tag is present but the auth_path is not present for Log Analytics
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
        </log_analytics>
    </wodle>
    Case: The container tag is present but the auth_path is not for Storage
    Expected result: An error message is present in ossec.log and the module is not triggered.
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <container name="container-qa"/>
        </storage>
    </wodle>

    Steps

    1. Apply the test case configuration to the ossec.conf
    2. Restart wazuh-manager service
    3. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    4. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    5. Check the command wasn't called and the expected error message was displayed in ossec.log
  • The ossec.conf parser correctly handles several log_analytics, graph and storage tags used in the same configuration

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: Have two valid configurations for each supported service
    Expected result: The command is invoked two times for storage, two times for log_analytics and two times for graph
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>
            <request>
                <query>AzureActivity</query>
                <workspace>d6b...efa</workspace>
            </request>
            <request>
                <query>AzureActivity</query>
                <workspace>d6b...efa</workspace>
            </request>
        </log_analytics>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>
            <request>
                <query>auditLogs/directoryAudits</query>
            </request>
            <request>
                <query>auditLogs/directoryAudits</query>
            </request>
        </graph>
        <storage>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>wazuh.onmicrosoft.com</tenantdomain>
            <container name="qa_container">
                <blobs>.json</blobs>
                <content_type>json_inline</content_type>
            </container>
            <container name="qa_container_1">
                <blobs>.json</blobs>
                <content_type>json_inline</content_type>
            </container>
            <container name="qa_container"/>
        </storage>
    </wodle>

    Steps

    1. Apply the test case configuration to the ossec.conf
    2. Restart wazuh-manager service
    3. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    4. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    5. Check the command was called the expected number of times
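
The mandatory-parameter rules from the parser cases in the comment above, written out as a small validator plus a counter for the "several tags in the same configuration" case. This is an added example in Python (the language of the wazuh-qa framework), not the azure-logs wodle's own parser and not code from the Wazuh project: the rule set is read off the cases above (graph and log_analytics need auth_path, tenantdomain and at least one request; storage needs auth_path and at least one container), the error strings are this example's own, and the sample configurations are constructed, with placeholder workspace ids in place of the elided ones.

```python
import xml.etree.ElementTree as ET

# Mandatory children per service block, taken from the parser cases above.
# Each entry: (scalar tags that must be present and non-empty,
#              repeatable tag of which at least one is required).
REQUIRED = {
    "graph": (("auth_path", "tenantdomain"), "request"),
    "log_analytics": (("auth_path", "tenantdomain"), "request"),
    "storage": (("auth_path",), "container"),
}


def validate_wodle(xml_text):
    """Check an <wodle name="azure-logs"> block against the mandatory-parameter
    rules. Returns a list of error strings; an empty list means the module
    would be triggered. The error wording is this example's own, not the wodle's."""
    root = ET.fromstring(xml_text)
    if root.tag != "wodle" or root.get("name") != "azure-logs":
        return ["not an azure-logs wodle block"]
    services = [child for child in root if child.tag in REQUIRED]
    if not services:
        return ["no graph, log_analytics or storage block configured"]
    errors = []
    for svc in services:
        scalars, repeatable = REQUIRED[svc.tag]
        for tag in scalars:
            if not (svc.findtext(tag) or "").strip():
                errors.append(f"{svc.tag}: missing <{tag}>")
        if svc.find(repeatable) is None:
            errors.append(f"{svc.tag}: at least one <{repeatable}> is required")
    return errors


def expected_invocations(xml_text):
    """How many times each service should be invoked for a valid block:
    once per <request> for graph and log_analytics, once per <container>
    for storage. Returns an empty dict for an invalid block."""
    if validate_wodle(xml_text):
        return {}
    root = ET.fromstring(xml_text)
    return {svc.tag: len(svc.findall(REQUIRED[svc.tag][1]))
            for svc in root if svc.tag in REQUIRED}


# Constructed sample configurations (abridged from the cases above;
# ws-1 / ws-2 are placeholder workspace ids, not real ones).
NO_SERVICES = '<wodle name="azure-logs"><disabled>no</disabled></wodle>'

GRAPH_NO_REQUEST = """<wodle name="azure-logs">
  <disabled>no</disabled>
  <graph>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
  </graph>
</wodle>"""

STORAGE_NO_AUTH_PATH = """<wodle name="azure-logs">
  <disabled>no</disabled>
  <storage>
    <container name="container-qa"/>
  </storage>
</wodle>"""

TWO_OF_EACH = """<wodle name="azure-logs">
  <disabled>no</disabled>
  <log_analytics>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
    <request><query>AzureActivity</query><workspace>ws-1</workspace></request>
    <request><query>AzureActivity</query><workspace>ws-2</workspace></request>
  </log_analytics>
  <graph>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
    <request><query>auditLogs/directoryAudits</query></request>
    <request><query>auditLogs/signIns</query></request>
  </graph>
  <storage>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <container name="qa_container"><blobs>.json</blobs></container>
    <container name="qa_container_1"><blobs>.json</blobs></container>
  </storage>
</wodle>"""

if __name__ == "__main__":
    samples = [("NO_SERVICES", NO_SERVICES), ("GRAPH_NO_REQUEST", GRAPH_NO_REQUEST),
               ("STORAGE_NO_AUTH_PATH", STORAGE_NO_AUTH_PATH), ("TWO_OF_EACH", TWO_OF_EACH)]
    for name, cfg in samples:
        print(name, validate_wodle(cfg) or "ok", expected_invocations(cfg))
```

Running the validator over each case's configuration before restarting the manager gives the test a cheap oracle for "module should / should not be triggered", independent of the ossec.log timeout in step 4.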

@nico-stefani
Member

nico-stefani commented Nov 4, 2022

Log Analytics Test Cases

Tier 0

  • Log Analytics integration stops with invalid or missing parameters

    Pre-conditions

    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: The workspace tag has an invalid value
    Expected result: The module is invoked and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>AzureActivity</query>
                <workspace>invalid</workspace>
            </request>
        </log_analytics>
    </wodle>
    
    Case: The authentication tags are present but the offset value has an invalid format
    Expected result: The module is invoked and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>AzureActivity</query>
                <workspace>d6b...efa</workspace>
                <time_offset>1</time_offset>
            </request>
        </log_analytics>
    </wodle>
    

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check an error message was displayed in ossec.log
  • Log Analytics integration works properly using the default configuration

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: Generate events and consume them with the default options
    Expected result: The module is invoked with the expected parameters and no error occurs
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>AzureActivity</query>
                <workspace>d6b...efa</workspace>
            </request>
        </log_analytics>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check no error messages are present in the ossec.log
  • Log Analytics integration works properly with query option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • An App Registration with a valid token must be available.
    • A Log Analytics Workspace properly configured must be available.
    • A valid Log Analytics log must be generated during the test execution. A valid example would be the creation of a user or a group using a POST request.

    Cases

    Case: Set a query
    Expected result: All logs matching the query value are processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <query>AzureActivity</query>
            </request>
        </log_analytics>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check events were forwarded to analysisd
    8. Check no error messages are present in the ossec.log
    9. Check the database was created and updated accordingly
  • Log Analytics integration works properly with time_offset option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • An App Registration with a valid token must be available.
    • A Log Analytics Workspace properly configured must be available.
    • A valid Log Analytics log must be generated during the test execution. A valid example would be the creation of a user or a group using a POST request.

    Cases

    Case: Don't set a time offset in the configuration
    Expected result: Only the log uploaded during execution is processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <query>AzureActivity</query>
            </request>
        </log_analytics>
    </wodle>
    Case: Set an offset using days as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <query>AzureActivity</query>
                <time_offset>50d</time_offset>
            </request>
        </log_analytics>
    </wodle>
    Case: Set an offset using hours as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <query>AzureActivity</query>
                <time_offset>24h</time_offset>
            </request>
        </log_analytics>
    </wodle>
    Case: Set an offset using minutes as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <query>AzureActivity</query>
                <time_offset>30m</time_offset>
            </request>
        </log_analytics>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check the query used for the Azure call contains the expected datetime
    8. Check events were forwarded to analysisd
    9. Check no error messages are present in the ossec.log
    10. Check the database was created and updated accordingly
  • Log Analytics integration works properly with tag option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • An App Registration with a valid token must be available.
    • A Log Analytics Workspace properly configured must be available.
    • A valid Log Analytics log must be generated during the test execution. A valid example would be the creation of a user or a group using a POST request.

    Cases

    Case: Set a tag
    Expected result: All logs are tagged with the correct value
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <log_analytics>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <workspace>d6b...efa</workspace>
                <time_offset>5d</time_offset>
                <query>AzureActivity</query>
                <tag>azure-activity</tag>
            </request>
        </log_analytics>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check the forwarded events have the tag value.

Tier 1

  • Log Analytics integration doesn't fetch logs that were already processed

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • An App Registration with a valid token must be available.
    • A Log Analytics Workspace properly configured must be available.
    • A valid Log Analytics log must be generated during the test execution. A valid example would be the creation of a user or a group using a POST request.

    Cases

    Case: Check Azure Log Analytics integration does not process duplicated events
    Expected result: No duplicates were processed

    Steps

    1. Delete the azure.db file using a fixture

    2. Call the module without graph_time_offset. It's not necessary to check if events were processed:

      /var/ossec/wodles/azure/azure-logs --graph \
          --graph_auth_path /var/ossec/wodles/azure/credentials \
          --graph_tenant_domain tenant.onmicrosoft.com \
          --graph_tag azure-active-directory \
          --graph_query "auditLogs/directoryaudits"

    3. Call the module with the same parameters again and check that no events were processed this time.

    4. Force the generation of a Graph event and wait for it.

    5. Call the module with the same parameters as in 2 and check that the new event was processed

    6. Check the database status.

    7. Call the module with the same parameters in 2 and check that no events were processed.

    8. Check the database status.
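
The time_offset handling that the cases above exercise (d, h and m units accepted, a bare number such as 1 rejected, and the datetime the query must carry), as an added example in Python. This is not the azure-logs script's code: the KQL shape produced by build_query and the datetime format are assumptions made here so the check in step 7 has something concrete to match against, and FIXED_NOW is a constructed instant so the output is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepted time_offset shape, from the cases above: an integer followed by
# d (days), h (hours) or m (minutes). A bare number such as "1" is invalid.
_OFFSET_RE = re.compile(r"^(\d+)([dhm])$")
_UNITS = {"d": "days", "h": "hours", "m": "minutes"}

# Assumed datetime format for the value embedded in the query; the real
# script's formatting may differ, the check only needs a stable string.
_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed fixed "now" so results are reproducible offline.
FIXED_NOW = datetime(2022, 11, 4, 12, 0, 0, tzinfo=timezone.utc)


class InvalidOffset(ValueError):
    """Raised for a time_offset that does not match <int>[dhm]."""


def parse_time_offset(value):
    """Return the timedelta for '50d', '24h' or '30m'; raise InvalidOffset otherwise."""
    match = _OFFSET_RE.match(value.strip())
    if not match:
        raise InvalidOffset(f"invalid time_offset {value!r}: expected <int>[dhm]")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def is_valid_offset(value):
    """True when the value would be accepted, False when the module should log an error."""
    try:
        parse_time_offset(value)
        return True
    except InvalidOffset:
        return False


def window_start(time_offset, now=None):
    """Lower bound of the fetch window. With no offset the window starts at
    'now', so only logs produced during the run are processed (the
    'Don't set a time offset' case); otherwise it starts at now - offset."""
    now = now or datetime.now(timezone.utc)
    if time_offset is None:
        return now
    return now - parse_time_offset(time_offset)


def build_query(base_query, time_offset=None, now=None):
    """Assumed shape of the KQL sent to Log Analytics: the configured query
    narrowed by TimeGenerated. Not the script's real query text."""
    start = window_start(time_offset, now).strftime(_FMT)
    return f"{base_query} | where TimeGenerated > datetime({start})"


def query_has_expected_datetime(query, time_offset, now):
    """The check in step 7 above: does the query carry the datetime the
    configured offset should produce for this 'now'?"""
    return window_start(time_offset, now).strftime(_FMT) in query


if __name__ == "__main__":
    for offset in (None, "50d", "24h", "30m", "1"):
        if offset is not None and not is_valid_offset(offset):
            print(f"time_offset {offset!r}: rejected")
            continue
        print(f"time_offset {offset!r}: {build_query('AzureActivity', offset, FIXED_NOW)}")
```

In a real test the "now" must be captured right before the module is triggered and the comparison done with some tolerance, since the script computes its own timestamp a little later than the test does.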

@nico-stefani
Member

nico-stefani commented Nov 4, 2022

Graph Test Cases

Tier 0

  • Graph integration stops with invalid or missing parameters

    Pre-conditions

    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: The auth_path tag is present but the tenantdomain is not
    Expected result: The module is invoked, and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        </graph>
    </wodle>
    Case: The tenantdomain tag is present but the auth_path is not
    Expected result: The module is invoked, and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
        </graph>
    </wodle>
    Case: The offset value has an invalid format
    Expected result: The module is invoked, and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
                <time_offset>1</time_offset>
            </request>
        </graph>
    </wodle>
    

    Steps

    1. Apply the test case configuration to the ossec.conf
    2. Restart wazuh-manager service
    3. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    4. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    5. Check the command was called with the correct parameters
    6. Check an error message was displayed in ossec.log
  • Graph integration works properly using the default configuration

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: Test the default configuration and auth_path as authentication method
    Expected result: The module is invoked with the expected parameters and no error occurs
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
            </request>
        </graph>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check no error messages are present in the ossec.log
  • Graph integration works properly with query option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • These test cases require forcing the generation of Graph events in Azure.
    • For DirectoryAudits we can make use of POST requests using endpoints such as Create group.
    • For SignIns we can manually trigger a sign-in event during the execution. To be able to test sign-in logs an Azure AD Premium P1 or P2 license is required.
    • For Provisioning we need to create a provisioning template and then create a provisioning job during runtime using this guide to trigger the event.

    Cases

    Case: Set a query with auditLogs/directoryaudits
    Expected result: All logs matching the query value are processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>auditLogs/directoryaudits</query>
            </request>
        </graph>
    </wodle>
    Case: Set a query with auditLogs/signIns
    Expected result: All logs matching the query value are processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>auditLogs/signIns</query>
            </request>
        </graph>
    </wodle>
    Case: Set a query with auditLogs/provisioning
    Expected result: All logs matching the query value are processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>auditLogs/provisioning</query>
            </request>
        </graph>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check events were forwarded to analysisd
    8. Check no error messages are present in the ossec.log
    9. Check the database was created and updated accordingly
  • Graph integration works properly with time_offset option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • These test cases require forcing the generation of Graph events in Azure. In particular, we can make use of POST requests using endpoints such as Create group.

    Cases

    Case: Don't set a time offset in the configuration
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
            </request>
        </graph>
    </wodle>
    Case: Set an offset using days as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
                <time_offset>50d</time_offset>
            </request>
        </graph>
    </wodle>
    Case: Set an offset using hours as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
                <time_offset>24h</time_offset>
            </request>
        </graph>
    </wodle>
    Case: Set an offset using minutes as the unit
    Expected result: The query contains the expected date and events were processed
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>activities/audit?api-version=beta</query>
                <time_offset>30m</time_offset>
            </request>
        </graph>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check the query used for the Azure call contains the expected datetime
    8. Check events were forwarded to analysisd
    9. Check no error messages are present in the ossec.log
    10. Check the database was created and updated accordingly
  • Graph integration works properly with tag option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • These test cases require forcing the generation of Graph events in Azure. In particular, we can make use of POST requests using endpoints such as Create group.

    Cases

    Case: Set a tag
    Expected result: All logs are tagged with the correct value
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <graph>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <tenantdomain>tenant.onmicrosoft.com</tenantdomain>
            <request>
                <query>auditLogs/directoryaudits</query>
                <tag>azure-active_directory</tag>
            </request>
        </graph>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check the forwarded events have the tag value.

Tier 1

  • Graph integration doesn't fetch logs that were already processed

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Graph events must be manually generated during the test execution.

    Cases

    Case: Check Azure Graph integration does not process duplicated events
    Expected result: No duplicates were processed

    Steps

    1. Delete the azure.db file using a fixture

    2. Call the module without graph_time_offset. It's not necessary to check if events were processed:

      /var/ossec/wodles/azure/azure-logs --graph \
          --graph_auth_path /var/ossec/wodles/azure/credentials \
          --graph_tenant_domain tenant.onmicrosoft.com \
          --graph_tag azure-active-directory \
          --graph_query "auditLogs/directoryaudits"

    3. Call the module with the same parameters again and check that no events were processed this time.

    4. Force the generation of a Graph event and wait for it.

    5. Call the module with the same parameters as in 2 and check that the new event was processed

    6. Check the database status.

    7. Call the module with the same parameters in 2 and check that no events were processed.

    8. Check the database status.
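
The Tier 1 "no duplicates" case, which appears with the same eight steps in both the Log Analytics and the Graph comments above, simulated end to end in Python: a marker database standing in for azure.db, a constructed in-memory Graph endpoint, and the four module runs of steps 2 to 7. This is an added example, not the wodle's code. The marker schema (one last-processed timestamp per service and query), the FakeGraph stand-in and the fixed clock T0 are assumptions made for the example; the real azure.db layout is not reproduced.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed fixed clock so the scenario is reproducible offline.
T0 = datetime(2022, 11, 4, 12, 0, 0, tzinfo=timezone.utc)


class FakeGraph:
    """Constructed stand-in for the Graph auditLogs endpoint: an in-memory list
    of events filtered by activityDateTime. A real run calls Microsoft Graph."""

    def __init__(self):
        self.events = []

    def add_event(self, when, name):
        self.events.append({"activityDateTime": when.isoformat(),
                            "activityDisplayName": name})

    def fetch(self, since):
        return [e for e in self.events
                if datetime.fromisoformat(e["activityDateTime"]) > since]


class Marker:
    """Hypothetical state store playing the role of azure.db: one last-processed
    timestamp per (service, query). Not the wodle's real schema."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS marker ("
                        "service TEXT, query TEXT, last TEXT, PRIMARY KEY (service, query))")

    def get(self, service, query):
        row = self.db.execute("SELECT last FROM marker WHERE service = ? AND query = ?",
                              (service, query)).fetchone()
        return datetime.fromisoformat(row[0]) if row else None

    def set(self, service, query, when):
        self.db.execute("INSERT OR REPLACE INTO marker (service, query, last) VALUES (?, ?, ?)",
                        (service, query, when.isoformat()))
        self.db.commit()


def run_graph(graph, marker, query, now, time_offset=None):
    """One module run; returns the events that would be forwarded to analysisd.
    First run: the window starts at now - time_offset, or at now when no offset
    is set. Later runs: the window starts at the stored marker, so an event is
    never forwarded twice; the marker advances to the newest event seen."""
    since = marker.get("graph", query)
    if since is None:
        since = now - time_offset if time_offset else now
    events = graph.fetch(since)
    newest = max((datetime.fromisoformat(e["activityDateTime"]) for e in events), default=since)
    marker.set("graph", query, newest)
    return events


def tier1_scenario():
    """Steps 2 to 7 of the Tier 1 case: number of events forwarded by each of
    the four runs. An event older than the first run must never be picked up."""
    graph, marker, query = FakeGraph(), Marker(), "auditLogs/directoryaudits"
    graph.add_event(T0 - timedelta(days=2), "Old event, before the first run")
    counts = [len(run_graph(graph, marker, query, now=T0))]                            # step 2
    counts.append(len(run_graph(graph, marker, query, now=T0 + timedelta(minutes=1))))  # step 3
    graph.add_event(T0 + timedelta(minutes=2), "Add group")                             # step 4
    counts.append(len(run_graph(graph, marker, query, now=T0 + timedelta(minutes=3))))  # step 5
    counts.append(len(run_graph(graph, marker, query, now=T0 + timedelta(minutes=4))))  # step 7
    return counts


def offset_scenario():
    """With a time_offset the first run reaches into the past, so a pre-existing
    event is fetched once and, thanks to the marker, not again."""
    graph, marker, query = FakeGraph(), Marker(), "auditLogs/directoryaudits"
    graph.add_event(T0 - timedelta(days=2), "Old event")
    offset = timedelta(days=5)
    first = len(run_graph(graph, marker, query, now=T0, time_offset=offset))
    second = len(run_graph(graph, marker, query, now=T0 + timedelta(minutes=1), time_offset=offset))
    return [first, second]


if __name__ == "__main__":
    print("tier 1 scenario, events per run:", tier1_scenario())
    print("with time_offset, events per run:", offset_scenario())
```

The comparison against the marker is strict, which is what keeps the boundary event from being forwarded twice; the price is that a second event carrying exactly the marker timestamp and arriving late would be skipped, so the "check the database status" steps are worth keeping in the automated version.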

@nico-stefani
Member

nico-stefani commented Nov 7, 2022

Storage Test Cases

Tier 0

  • Storage integration stops with invalid or missing parameters

    Pre-conditions

    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: The offset value has an invalid format
    Expected result: The module is invoked and an error message is present in ossec.log
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <auth_path>/home/manager/Azure/storage_auth.txt</auth_path>
            <container name="container-qa">
                <time_offset>1</time_offset>
            </container>
        </storage>
    </wodle>
    

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check an error message was displayed in ossec.log
  • Storage integration works properly using the default configuration

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case: Test the default configuration
    Expected result: The module is invoked with the expected parameters and no error occurs
    Configuration (ossec.conf):
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Apply the test case configuration to the ossec.conf
    3. Restart wazuh-manager service
    4. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    5. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    6. Check the command was called with the correct parameters
    7. Check no error messages are present in the ossec.log
  • Storage integration works properly with time_offset option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.
    • There are already logs with timestamps older than the date specified in the configuration.

    Cases

    Case Expected Result Configuration
    Don't set a time offset in the configuration Only the log uploaded during execution is processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
        </storage>
    </wodle>
    Set an offset using days as the unit The query contains the expected date and events were processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <container name="container-qa">
                <time_offset>50d</time_offset>
            </container>
        </storage>
    </wodle>
    Set an offset using hours as the unit The query contains the expected date and events were processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <container name="container-qa">
                <time_offset>24h</time_offset>
            </container>
        </storage>
    </wodle>
    Set an offset using minutes as the unit The query contains the expected date and events were processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <storage>
            <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
            <container name="container-qa">
                <time_offset>30m</time_offset>
            </container>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Upload a new file to the storage bucket
    3. Apply the test case configuration to the ossec.conf
    4. Restart wazuh-manager service
    5. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    6. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    7. Check the command was called with the correct parameters
    8. Check the expected number of events were forwarded to analysisd. Only the logs whose timestamp is greater than the date specified in the configuration should be processed
    9. Check no error messages are present in the ossec.log
    10. Check the database was created and updated accordingly
    11. Delete the uploaded log file. This must be done even if the test fails
  • Storage integration works properly with path option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case Expected Result Configuration
    Use an existing path with data Only the contents of test_prefix/ are processed and sent to analysisd
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <path>test_prefix</path>
        </storage>
    </wodle>
    Use an existing path without data No logs were processed. No logs were sent to analysisd
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <path>empty_prefix</path>
        </storage>
    </wodle>
    Use a nonexistent path No logs were processed. No logs were sent to analysisd. A warning that the path does not exist should be displayed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <path>invalid_prefix</path>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Upload a new file to the storage bucket in the root path
    3. Upload a new file to the storage bucket in test_path/
    4. Apply the test case configuration to the ossec.conf
    5. Restart wazuh-manager service
    6. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    7. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    8. Check the command was called with the correct parameters
    9. Check no error messages are present in the ossec.log
    10. Check that only the file from the expected path is processed
    11. Check the database was created and updated accordingly
    12. Delete the uploaded log files. This must be done even if the test fails
  • Storage integration works properly with specific blobs and content_type options

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case Expected Result Configuration
    Process plain text logs Only plain text files are processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>.txt</blobs>
            <content_type>text</content_type>
        </storage>
    </wodle>
    Process json logs Only json log files are processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>.json</blobs>
            <content_type>json_file</content_type>
        </storage>
    </wodle>
    Process json inline logs Only json log files are processed and every line is processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>.json_inline</blobs>
            <content_type>json_inline</content_type>
        </storage>
    </wodle>
    Do not specify a blob extension No log files are processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>.None</blobs>
            <content_type>json_inline</content_type>
        </storage>
    </wodle>
    Specify a file type that does not exist No log files are processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>.None</blobs>
            <content_type>json_inline</content_type>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Upload a new plain text file to the storage bucket with .txt extension
    3. Upload a new file with json event format to the storage bucket with .json extension
    4. Upload a new file with several json inline events to the storage bucket with .json_inline extension
    5. Upload a new plain text file to the storage bucket with no extension to be used as a control file
    6. Apply the test case configuration to the ossec.conf
    7. Restart wazuh-manager service
    8. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    9. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    10. Check the command was called with the correct parameters
    11. Check that only the expected files were processed and there were no errors when processing the events
    12. Delete the uploaded log files. This must be done even if the test fails
  • Storage integration works properly with the generic blobs option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case Expected Result Configuration
    Process plain text logs Only plain text files are processed
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <container name="container-qa"/>
            <blobs>*</blobs>
            <content_type>text</content_type>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Upload several files with different extensions (.txt, .json and no extension) with plain text contents only
    3. Apply the test case configuration to the ossec.conf
    4. Restart wazuh-manager service
    5. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    6. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    7. Check the command was called with the correct parameters
    8. Check that every file was processed
    9. Delete the uploaded log file. This must be done even if the test fails
  • Storage integration works properly with tag option

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • Debug mode is enabled in the internal_configuration file.

    Cases

    Case Expected Result Configuration
    Set a tag All logs are tagged with correct value
    ossec.conf
    <wodle name="azure-logs">
        <disabled>no</disabled>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <storage>
            <tag>azure-storage</tag>
            <container name="container-qa"/>
        </storage>
    </wodle>

    Steps

    1. Remove the database file
    2. Upload a new file to the storage bucket
    3. Apply the test case configuration to the ossec.conf
    4. Restart wazuh-manager service
    5. Monitor the ossec.log waiting until the wazuh service is restarted or there is a timeout
    6. Monitor the ossec.log waiting until the module is triggered or there is a timeout
    7. Check the command was called with the correct parameters
    8. Check the forwarded events have the tag value
    9. Delete the uploaded log file. This must be done even if the test fails

Tier 1

  • Storage integration doesn't fetch logs that were already processed

    Pre-conditions

    • There are already configured credentials in /var/ossec/wodles/azure/credentials.
    • There are already logs generated after the date specified in the configurations.

    Cases

    Case Expected Result
    Call the Azure module multiple times with different time_offset values No duplicates were processed

    Steps

    1. Delete the azure.db file using a fixture

    2. Call the module without storage_time_offset and check that no logs were processed:

      /var/ossec/wodles/azure/azure-logs --storage \
          --storage_auth_path /var/ossec/wodles/azure/credentials \
          --container "container_qa"
    3. Upload a log file for the day of the test execution

    4. Call the module with the same parameters as in step 2 and check that the uploaded logs were processed

    5. Call the module with the same parameters as in step 2 and check that no logs were processed and there were no duplicates

    6. Call the module with storage_time_offset set and check that the expected number of logs were processed:

      /var/ossec/wodles/azure/azure-logs --storage \
          --storage_auth_path /var/ossec/wodles/azure/credentials \
          --container "container_qa" \
          --storage_time_offset <number-of-days>
    7. Call the module with the same parameters as in step 6 and check there were no duplicates

    8. Call the module with storage_time_offset set to a greater value than in step 6 and check that old logs were processed without duplicates:

      /var/ossec/wodles/azure/azure-logs --storage \
          --storage_auth_path /var/ossec/wodles/azure/credentials \
          --container "container_qa" \
          --storage_time_offset <great-number-of-days-than-6>
    9. Call the module with storage_time_offset set to a smaller value than in step 6 and check that no logs were processed and there were no duplicates:

      /var/ossec/wodles/azure/azure-logs --storage \
          --storage_auth_path /var/ossec/wodles/azure/credentials \
          --container "container_qa" \
          --storage_time_offset <less-number-of-days-than-6>
    10. Delete the uploaded log file. This must be done even if the test fails
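
A small helper for the storage test cases in this comment, added here as an example; it is not part of the issue, of wazuh-qa or of the wazuh code base. It parses the azure-logs wodle blocks shown in the cases, flags a time_offset without a unit (the invalid-format case), computes the date the storage query is expected to carry for the 50d/24h/30m cases, and builds the command line that the "check the command was called with the correct parameters" steps look for. Only --storage, --storage_auth_path, --container and --storage_time_offset appear in this comment's Tier 1 commands; the argv order, the precedence between a wodle-level and a storage-level auth_path, the default auth path and the handling of path, blobs, content_type and tag are assumptions, and the reference time is constructed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Values taken from the test cases above; everything else about the real
# module's argument handling is an assumption made for this example.
AZURE_LOGS_BIN = "/var/ossec/wodles/azure/azure-logs"
DEFAULT_AUTH_PATH = "/var/ossec/wodles/azure/credentials"
OFFSET_RE = re.compile(r"^(\d+)([dhm])$")   # '1' with no unit is the invalid-format case
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60}
REF_NOW = datetime(2022, 11, 7, tzinfo=timezone.utc)  # constructed reference time

# Two of the configurations from the cases above, embedded so this runs offline.
DEFAULT_CONFIG = """<wodle name="azure-logs">
    <disabled>no</disabled>
    <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
    <storage>
        <container name="container-qa"/>
    </storage>
</wodle>"""

OFFSET_CONFIG = """<wodle name="azure-logs">
    <disabled>no</disabled>
    <storage>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <container name="container-qa">
            <time_offset>50d</time_offset>
        </container>
    </storage>
</wodle>"""


def parse_time_offset(value):
    """Return the offset as a timedelta, or None when the format is invalid."""
    m = OFFSET_RE.match(value.strip())
    if not m:
        return None
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def expected_start_date(offset, now):
    """Date the storage query is expected to contain: 'now' minus the offset."""
    return now - offset


def parse_storage_wodle(xml_text):
    """Collect the storage settings from an azure-logs wodle block."""
    root = ET.fromstring(xml_text)
    if root.tag != "wodle" or root.get("name") != "azure-logs":
        raise ValueError("not an azure-logs wodle block")
    storage = root.find("storage")
    if storage is None:
        raise ValueError("<storage> tag missing")
    containers = storage.findall("container")
    if len(containers) != 1:
        raise ValueError("expected exactly one <container>")
    container = containers[0]
    # auth_path is at wodle level in some cases and inside <storage> in others;
    # the wodle-level value winning is an assumption of this example.
    auth_path = (root.findtext("auth_path") or storage.findtext("auth_path")
                 or DEFAULT_AUTH_PATH)
    return {
        "auth_path": auth_path,
        "container": container.get("name"),
        "time_offset": container.findtext("time_offset"),
        # The CLI flags for these options are not shown in the issue, so they
        # are only collected here, not turned into arguments.
        "path": storage.findtext("path"),
        "blobs": storage.findtext("blobs"),
        "content_type": storage.findtext("content_type"),
        "tag": storage.findtext("tag"),
    }


def config_errors(cfg):
    """Problems the error-message checks expect the module to report."""
    errors = []
    if not cfg["container"]:
        errors.append("container name missing")
    offset = cfg["time_offset"]
    if offset is not None and parse_time_offset(offset) is None:
        errors.append(f"invalid time_offset format: {offset!r}")
    return errors


def expected_command(cfg):
    """argv the tests expect the module to be invoked with (flags from the Tier 1 steps)."""
    cmd = [AZURE_LOGS_BIN, "--storage",
           "--storage_auth_path", cfg["auth_path"],
           "--container", cfg["container"]]
    if cfg["time_offset"] is not None:
        cmd += ["--storage_time_offset", cfg["time_offset"]]
    return cmd


if __name__ == "__main__":
    for text in (DEFAULT_CONFIG, OFFSET_CONFIG, OFFSET_CONFIG.replace("50d", "1")):
        cfg = parse_storage_wodle(text)
        print(" ".join(expected_command(cfg)), config_errors(cfg))
        offset = parse_time_offset(cfg["time_offset"]) if cfg["time_offset"] else None
        if offset is not None:
            print("  query start date:", expected_start_date(offset, REF_NOW).date())
```

Running the block prints the expected invocation for the default and 50d cases and, for the configuration with `<time_offset>1</time_offset>`, still builds the command (the case says the module is invoked) but reports the invalid-format error the test then looks for in ossec.log.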

@CarlosRS9 CarlosRS9 self-assigned this Nov 14, 2022
@wazuhci wazuhci moved this to Done in Release 4.5.0 Apr 21, 2023
@wazuhci wazuhci moved this to Done in Release 4.6.0 Jun 26, 2023
@wazuhci wazuhci removed this from Release 4.5.0 Jun 26, 2023