    def test_whitelist_correctly_reload_after_update_config(self):
        """The whitelist verdict for one document follows the configuration in force.

        The same generated outlier document is checked twice: first under the
        single-literal whitelist file (expected: not whitelisted), then after the
        configuration path is switched to the multiple-literal whitelist file
        (expected: whitelisted). The reload itself is presumably performed by
        change_configuration_path — confirm there if this test starts failing.
        """
        # Start from the single-literal whitelist before generating the document,
        # in case document generation reads the active settings.
        self.test_settings.change_configuration_path(test_whitelist_single_literal_file)

        generator = DummyDocumentsGenerate()
        outlier_doc = generator.generate_document({
            "create_outlier": True,
            "outlier_observation": "dummy observation",
            "filename": "osquery_get_all_processes_with_listening_conns.log",
        })

        # Baseline: the single-literal configuration does not cover this document.
        self.assertFalse(Outlier.is_whitelisted_doc(outlier_doc))

        # Swap configuration; the identical document must now be whitelisted.
        self.test_settings.change_configuration_path(test_whitelist_multiple_literal_file)
        self.assertTrue(Outlier.is_whitelisted_doc(outlier_doc))
    def test_whitelist_literal_match(self):
        r"""An exact literal whitelist entry marks a matching document as whitelisted.

        The configuration at test_file_outliers_path_config is expected to contain
        the literal "C:\Windows\system32\msfeedssync.exe sync"; a document whose
        command_query equals that string verbatim must be reported as whitelisted.
        Only the exact-match case is covered here — case or whitespace variants of
        the command are not exercised by this test.
        """
        self.test_settings.change_configuration_path(test_file_outliers_path_config)

        generator = DummyDocumentsGenerate()
        whitelisted_command = r'C:\Windows\system32\msfeedssync.exe sync'
        doc = generator.generate_document({"command_query": whitelisted_command})

        self.assertTrue(Outlier.is_whitelisted_doc(doc))
 def is_document_whitelisted(self, document, extract_field=True):
     """Return whether *document* is covered by the whitelist.

     A deep copy of *document* is what gets checked, so the caller's dict is
     not modified by the '__whitelist_extra' entry added below. When
     *extract_field* is true, the fields are first pulled out of the copy via
     es.extract_fields_from_document (honouring the model's "use_derived_fields"
     setting); otherwise *document* itself is used as the field mapping. The
     outlier parameters built from those fields are attached to the copy before
     delegating the decision to Outlier.is_whitelisted_doc.
     """
     candidate = copy.deepcopy(document)
     if not extract_field:
         # NOTE(review): this branch hands the original, not the copy, to
         # _prepare_outlier_parameters — harmless only if that helper never
         # mutates its second argument; confirm before relying on it.
         fields = document
     else:
         use_derived = self.model_settings["use_derived_fields"]
         fields = es.extract_fields_from_document(candidate, extract_derived_fields=use_derived)
     # The whitelist check sees the document plus the derived outlier parameters.
     candidate['__whitelist_extra'] = self._prepare_outlier_parameters({}, fields)
     return Outlier.is_whitelisted_doc(candidate)