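def test_change():
    """Exercise ChangeRule under its ignore_null and timeframe settings.

    The fixture is 10 hits grouped by ``username`` (the query key) whose
    ``term`` (the compare key) is ``'good'`` until the last hit, where it
    becomes ``'bad'``; hit 8 has ``term`` removed so the null-handling path
    is covered. The fixture is then run through four configurations:

    1. ``ignore_null=True``: only the ``'good' -> 'bad'`` change is reported.
    2. An unhashable query-key value (a list) still yields that one match.
    3. ``ignore_null=False``: the missing ``term`` on hit 8 also counts as a
       change, so a match carrying the query key precedes the ``'bad'`` one.
    4. A 2-second ``timeframe`` still matches; with the null hit dropped and
       the timeframe cut to 1 second nothing matches (presumably because the
       ``hits`` fixture spaces timestamps further apart than that -- the
       spacing is not visible here).

    The query-key value is held in one local so the fixture and the expected
    ``('username', ...)`` match cannot drift apart.
    """
    qk_value = 'qlo'
    events = hits(10, username=qk_value, term='good')
    # Hit 8 loses the compare key entirely; hit 9 carries the real change.
    events[8].pop('term')
    events[9]['term'] = 'bad'
    rules = {'compare_key': 'term',
             'query_key': 'username',
             'ignore_null': True,
             'timestamp_field': '@timestamp'}

    # 1. Nulls ignored: only the good -> bad transition is a match.
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # 2. Unhashable query-key value (a list) must not break grouping.
    events2 = hits(10, username=[qk_value], term='good')
    events2[9]['term'] = 'bad'
    rule = ChangeRule(rules)
    rule.add_data(events2)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # 3. Nulls counted: the field disappearing on hit 8 is itself a change,
    #    so that match (keyed on the username) comes before the 'bad' match.
    rules['ignore_null'] = False
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('username', qk_value), ('term', 'bad')])

    # 4a. A 2-second timeframe is wide enough for the change to register.
    rules['timeframe'] = datetime.timedelta(seconds=2)
    rules['ignore_null'] = True
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # 4b. Drop the null hit and tighten the window to 1 second: the change
    #     now falls outside the timeframe and must not be reported.
    events = events[:8] + events[9:]
    rules['timeframe'] = datetime.timedelta(seconds=1)
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert rule.matches == []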
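def test_change():
    """Check ChangeRule's matching with and without null handling and a timeframe.

    Ten hits share one ``username`` (query key) and a ``term`` (compare key)
    of ``'good'``; the last hit switches ``term`` to ``'bad'`` and hit 8 has
    ``term`` removed. Four rule configurations are then exercised:

    * ``ignore_null=True`` -- a single match for the ``'bad'`` transition.
    * A list-valued (unhashable) query key -- the same single match.
    * ``ignore_null=False`` -- the missing field on hit 8 is a change too, so
      a match carrying the query key appears ahead of the ``'bad'`` match.
    * ``timeframe`` of 2 s matches; after removing the null hit and using a
      1 s timeframe there is no match (presumably the ``hits`` fixture places
      consecutive timestamps more than 1 s apart -- not visible here).

    One local holds the query-key value so the fixture and the asserted
    ``('username', ...)`` pair stay consistent.
    """
    qk_value = 'qlo'
    events = hits(10, username=qk_value, term='good')
    # Hit 8: compare key absent. Hit 9: compare key actually changes.
    events[8].pop('term')
    events[9]['term'] = 'bad'
    rules = {
        'compare_key': 'term',
        'query_key': 'username',
        'ignore_null': True,
        'timestamp_field': '@timestamp'
    }

    # Nulls ignored -> only the real transition matches.
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # Unhashable query-key value must still be grouped correctly.
    events2 = hits(10, username=[qk_value], term='good')
    events2[9]['term'] = 'bad'
    rule = ChangeRule(rules)
    rule.add_data(events2)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # Nulls counted -> the vanished field on hit 8 is reported first,
    # identified by its query key, followed by the 'bad' transition.
    rules['ignore_null'] = False
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('username', qk_value), ('term', 'bad')])

    # Timeframe wide enough (2 s) -> the change still registers.
    rules['timeframe'] = datetime.timedelta(seconds=2)
    rules['ignore_null'] = True
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad')])

    # Without the null hit and with a 1 s timeframe the change is too far
    # from its predecessor to count.
    events = events[:8] + events[9:]
    rules['timeframe'] = datetime.timedelta(seconds=1)
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert rule.matches == []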
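def test_change():
    """Verify ChangeRule across ignore_null and timeframe configurations.

    Fixture: 10 hits with one ``username`` (query key) and ``term`` (compare
    key) ``"good"``; hit 9 changes ``term`` to ``"bad"`` and hit 8 has no
    ``term`` at all. Phases:

    1. ``ignore_null=True`` -- exactly the ``"bad"`` transition matches.
    2. Unhashable (list) query-key value -- same single match.
    3. ``ignore_null=False`` -- the absent field on hit 8 also counts, so a
       match carrying the query key precedes the ``"bad"`` match.
    4. ``timeframe`` 2 s matches; null hit removed and ``timeframe`` 1 s
       yields no match (presumably because ``hits`` spaces timestamps more
       than 1 s apart -- that spacing is not visible in this file).

    The query-key value lives in a single local so the fixture and the
    expected ``("username", ...)`` pair cannot disagree.
    """
    qk_value = "qlo"
    events = hits(10, username=qk_value, term="good")
    events[8].pop("term")  # compare key missing on hit 8
    events[9]["term"] = "bad"  # the genuine change
    rules = {"compare_key": "term", "query_key": "username", "ignore_null": True, "timestamp_field": "@timestamp"}

    # Phase 1: nulls ignored.
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [("term", "bad")])

    # Phase 2: unhashable query-key value.
    events2 = hits(10, username=[qk_value], term="good")
    events2[9]["term"] = "bad"
    rule = ChangeRule(rules)
    rule.add_data(events2)
    assert_matches_have(rule.matches, [("term", "bad")])

    # Phase 3: nulls counted -- the disappearing field is reported (keyed by
    # username) before the "bad" transition.
    rules["ignore_null"] = False
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [("username", qk_value), ("term", "bad")])

    # Phase 4a: 2 s timeframe still catches the change.
    rules["timeframe"] = datetime.timedelta(seconds=2)
    rules["ignore_null"] = True
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [("term", "bad")])

    # Phase 4b: drop the null hit, shrink the window to 1 s -> no match.
    events = events[:8] + events[9:]
    rules["timeframe"] = datetime.timedelta(seconds=1)
    rule = ChangeRule(rules)
    rule.add_data(events)
    assert rule.matches == []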