    def test_add_two_outliers_to_doc(self):
        """Adding two outliers in sequence must produce the two-outlier reference document."""
        first = Outlier(outlier_type="dummy type",
                        outlier_reason="dummy reason",
                        outlier_summary="dummy summary")
        first.outlier_dict["observation"] = "dummy observation"

        second = Outlier(outlier_type="dummy type 2",
                         outlier_reason="dummy reason 2",
                         outlier_summary="dummy summary 2")
        second.outlier_dict["observation_2"] = "dummy observation 2"

        # Work on a copy so the shared fixture is not altered for other tests.
        working_doc = copy.deepcopy(doc_without_outlier_test_file)
        for outlier in (first, second):
            working_doc = helpers.es.add_outlier_to_document(working_doc, outlier)

        self.assertDictEqual(working_doc, doc_with_two_outliers_test_file)
    def test_add_outlier_to_doc(self):
        """A single outlier added to the bare fixture must equal the one-outlier reference document."""
        outlier = Outlier(type="dummy type",
                          reason="dummy reason",
                          summary="dummy summary")
        outlier.add_observation(field_name="observation",
                                field_value="dummy observation")

        # NOTE(review): the fixture is passed directly (no deepcopy); if
        # add_outlier_to_document mutates its input this leaks into other tests — confirm.
        enriched = helpers.es.add_outlier_to_document(doc_without_outlier_test_file, outlier)
        self.assertDictEqual(doc_with_outlier_test_file, enriched)
    def test_whitelist_regexp_mismatch(self):
        """A regexp whitelist entry that does not match the document must not whitelist it."""
        outlier = Outlier(type="dummy type",
                          reason="dummy reason",
                          summary="dummy summary")
        # Intended not to match the fixture. Note the "." before "exe" is an
        # unescaped regex metacharacter; irrelevant here, since the entry is
        # meant to miss, but worth remembering when writing real whitelist regexps.
        pattern = r"^.*.exeZZZZZ sync$"

        matched = outlier.matches_specific_whitelist_item(
            pattern,
            "regexp",
            additional_dict_values_to_check=doc_for_whitelist_testing_file)
        self.assertFalse(matched)
    def test_whitelist_literal_mismatch(self):
        """A literal whitelist entry differing from the document value must not whitelist it."""
        outlier = Outlier(type="dummy type",
                          reason="dummy reason",
                          summary="dummy summary")
        # The trailing "WRONG" makes this literal differ from the fixture's value.
        literal = r"C:\Windows\system32\msfeedssync.exe syncWRONG"

        matched = outlier.matches_specific_whitelist_item(
            literal,
            "literal",
            additional_dict_values_to_check=doc_for_whitelist_testing_file)
        self.assertFalse(matched)
    def test_single_literal_not_to_match_in_doc_with_outlier(self):
        """With whitelist_tests_03.conf loaded, the outlier document must not be whitelisted."""
        outlier = Outlier(outlier_type="dummy type",
                          outlier_reason="dummy reason",
                          outlier_summary="dummy summary")
        # Copy so the whitelist check cannot alter the shared fixture.
        document = copy.deepcopy(doc_with_outlier_test_file)

        # Loads the whitelist configuration into module-level settings
        # (presumably what is_whitelisted consults — confirm against Outlier).
        settings.process_configuration_files(
            "/app/tests/unit_tests/files/whitelist_tests_03.conf")
        whitelisted = outlier.is_whitelisted(additional_dict_values_to_check=document)
        self.assertFalse(whitelisted)
    def test_whitelist_config_file_multi_item_mismatch_with_three_fields_and_whitespace(
            self):
        """With whitelist_tests_05.conf loaded, the outlier document must not be whitelisted."""
        outlier = Outlier(outlier_type="dummy type",
                          outlier_reason="dummy reason",
                          outlier_summary="dummy summary")
        # Copy so the whitelist check cannot alter the shared fixture.
        document = copy.deepcopy(doc_with_outlier_test_file)

        # Loads the whitelist configuration into module-level settings
        # (presumably what is_whitelisted consults — confirm against Outlier).
        settings.process_configuration_files(
            "/app/tests/unit_tests/files/whitelist_tests_05.conf")
        whitelisted = outlier.is_whitelisted(additional_dict_values_to_check=document)
        self.assertFalse(whitelisted)
    def test_remove_outlier_from_doc(self):
        """Removing outliers must restore the outlier-free reference document."""
        outlier = Outlier(outlier_type="dummy type",
                          outlier_reason="dummy reason",
                          outlier_summary="dummy summary")
        outlier.outlier_dict["observation"] = "dummy observation"

        # NOTE(review): the fixture is passed directly (no deepcopy); confirm
        # add_outlier_to_document does not mutate its input.
        enriched = helpers.es.add_outlier_to_document(doc_without_outlier_test_file, outlier)
        stripped = helpers.es.remove_outliers_from_document(enriched)

        self.assertDictEqual(stripped, doc_without_outlier_test_file)
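    def process_outlier(self, fields, doc, extra_outlier_information=None):
        """Build an Outlier for *doc*, record it on this model and hand it to ES processing.

        Args:
            fields: dict of document field values; used to fill the placeholders in the
                configured ``outlier_summary`` / ``outlier_type`` / ``outlier_reason``
                templates and passed to ``extract_outlier_asset_information``.
            doc: the source document, forwarded unchanged to ``es.process_outliers``.
            extra_outlier_information: optional dict of additional key/values. It is
                updated in place with ``model_name`` and ``model_type`` (a caller that
                passes its own dict will see those keys afterwards), and every entry is
                copied onto the resulting outlier's ``outlier_dict``.

        Returns:
            The created Outlier, already appended to ``self.outliers``.
        """
        # Fresh dict per call. The original ``=dict()`` default was a single shared
        # object that this method mutates, so model_name/model_type leaked between calls.
        if extra_outlier_information is None:
            extra_outlier_information = {}
        extra_outlier_information["model_name"] = self.model_name
        extra_outlier_information["model_type"] = self.model_type

        fields_and_extra_outlier_information = fields.copy()
        fields_and_extra_outlier_information.update(extra_outlier_information)

        outlier_summary = helpers.utils.replace_placeholder_fields_with_values(
            self.model_settings["outlier_summary"],
            fields_and_extra_outlier_information)

        def split_template(setting_name):
            # Type and reason may carry several comma-separated values at once,
            # e.g. "type = malware, IDS". Surrounding whitespace is stripped so
            # "malware,  IDS" yields ["malware", "IDS"] rather than ["malware", "  IDS"].
            rendered = helpers.utils.replace_placeholder_fields_with_values(
                self.model_settings[setting_name],
                fields_and_extra_outlier_information)
            return [item.strip() for item in rendered.split(",")]

        outlier_type = split_template("outlier_type")
        outlier_reason = split_template("outlier_reason")

        outlier_assets = helpers.utils.extract_outlier_asset_information(
            fields, settings)
        outlier = Outlier(outlier_type=outlier_type,
                          outlier_reason=outlier_reason,
                          outlier_summary=outlier_summary)

        if outlier_assets:
            outlier.outlier_dict["assets"] = outlier_assets

        # Expose the extra information (including model_name/model_type) on the outlier itself.
        outlier.outlier_dict.update(extra_outlier_information)

        self.outliers.append(outlier)
        es.process_outliers(doc=doc,
                            outliers=[outlier],
                            should_notify=self.model_settings["should_notify"])

        return outlier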