Update tests for autoenable changes
defensivedepth committed Nov 20, 2024
1 parent 9104578 commit 2255df3
Showing 1 changed file with 27 additions and 8 deletions.
35 changes: 27 additions & 8 deletions server/modules/elastalert/elastalert_test.go
Expand Up @@ -42,29 +42,48 @@ import (

func TestCheckAutoEnabledSigmaRule(t *testing.T) {
e := &ElastAlertEngine{
autoEnabledSigmaRules: []string{"securityonion-resources+high", "core+critical"},
autoEnabledSigmaRules: []RuleCriteria{
{
Ruleset: []string{"securityonion-resources", "core"},
Level: []string{"high"},
Product: []string{"windows"},
Category: []string{"process_creation"},
Service: []string{"sysmon"},
},
{
Ruleset: []string{"*"},
Level: []string{"critical"},
Product: []string{"*"},
Category: []string{"*"},
Service: []string{"*"},
},
},
}

tests := []struct {
name string
ruleset string
severity model.Severity
product string
category string
service string
expected bool
}{
{"securityonion-resources rule with high severity, rule enabled", "securityonion-resources", model.SeverityHigh, true},
{"securityonion-resources rule with high severity upper case, rule enabled", "securityonion-RESOURCES", model.SeverityHigh, true},
{"core rule with critical severity, rule enabled", "core", model.SeverityCritical, true},
{"core rule with high severity, rule not enabled", "core", model.SeverityHigh, false},
{"empty ruleset, high severity, rule not enabled", "", model.SeverityHigh, false},
{"core ruleset, empty severity, rule not enabled", "core", "", false},
{"empty ruleset, empty severity, rule not enabled", "", "", false},
{"core rule with matching fields and upper case, rule enabled", "core", model.SeverityHigh, "WINDOWS", "process_creation", "sysmon", true},
{"core rule with wrong category, rule disabled", "core", model.SeverityHigh, "windows", "file_creation", "windows", false},
{"securityonion-resources rule with matching fields, rule enabled", "securityonion-resources", model.SeverityHigh, "windows", "process_creation", "sysmon", true},
{"core++ rule with critical severity, rule enabled", "core++", model.SeverityCritical, "linux", "file_event", "auditd", true},
{"core++ rule with medium severity, rule disabled", "core++", model.SeverityMedium, "windows", "process_creation", "sysmon", false},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
det := &model.Detection{
Ruleset: tt.ruleset,
Severity: tt.severity,
Product: tt.product,
Category: tt.category,
Service: tt.service,
}
checkRulesetEnabled(e, det)
assert.Equal(t, tt.expected, det.IsEnabled)
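Review bot: The "wrong category" row in the new table also sets Service to "windows" rather than "sysmon", so it still expects false even if category matching were broken and does not isolate the category check; use `{"core rule with wrong category, rule disabled", "core", model.SeverityHigh, "windows", "file_creation", "sysmon", false},` so only the category differs from the first criterion. The rewritten table also drops the single-field-mismatch and empty-field coverage the old one had: no row now fails on ruleset, level, product or service alone, and no detection with an empty Product, Category or Service is evaluated against the `"*"` criterion. Whether a wildcard matches an empty field is not visible from this hunk, but it decides whether rules that omit those fields get auto-enabled, so one mismatch row per field and one all-empty row with the intended expectation would pin that behaviour. The two "core++" rows presumably match through the wildcard ruleset rather than "core" matching "core++" as a prefix; a short comment on those rows stating which criterion they exercise would make that intent explicit. TestCheckAutoEnabledSigmaRule's closing braces lie below the hunk.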
