def query_tests(self):
    """Return WildcardMatch queries mapped to the sample events they are run against.

    Each key is a WildcardMatch query and each value is a list of event documents
    the enclosing test class feeds to that query. None of the summaries here start
    with "te" and none of the addresses start with "19", so these look like the
    non-matching cases - confirm against the enclosing class.
    """
    summary_events = [
        {'summary': 'example summary'},
        {'summary': 'tabs 4 spaces'},
    ]
    # The last sample deliberately uses the key 'ipaddress' rather than 'ip':
    # it exercises a field-name mismatch, not a value mismatch.
    ip_events = [
        {'details': {'ip': '10.1.1.1'}},
        {'details': {'ip': '2.168.1.192'}},
        {'details': {'ip': '10.19.1.1'}},
        {'details': {'ipaddress': '10.19.1.1'}},
    ]
    return {
        WildcardMatch('summary', 'te*'): summary_events,
        WildcardMatch('details.ip', '19*'): ip_events,
    }
    def query_tests(self):
        """Return WildcardMatch queries mapped to the sample events they are run against.

        Each key is a WildcardMatch query and each value is a list of event documents
        the enclosing test class feeds to that query. Every sample carries the
        wildcard's literal text somewhere in the named field, so these look like the
        expected-to-match cases - confirm against the enclosing class. That 'te*'
        is paired with 'example test summary' presumably means the pattern is applied
        per analyzed token rather than to the whole string.
        """
        prefix_summaries = ['test', 'test summary', 'example test summary', 'example summary test']
        infix_summaries = ['abcteabc', 'abc te abc', 'abc te']
        prefix_ips = ['192.168.1.1', '19.168.1.1']
        suffix_ips = ['192.168.1.0']

        def summaries(values):
            # Wrap each value as a top-level 'summary' event.
            return [{'summary': v} for v in values]

        def ip_details(values):
            # Wrap each value as a nested 'details.ip' event.
            return [{'details': {'ip': v}} for v in values]

        return {
            WildcardMatch('summary', 'te*'): summaries(prefix_summaries),
            WildcardMatch('summary', '*te*'): summaries(infix_summaries),
            WildcardMatch('details.ip', '19*'): ip_details(prefix_ips),
            WildcardMatch('details.ip', '*1.0'): ip_details(suffix_ips),
        }
    def main(self):
        """Alert on LDAP group-membership modifications seen in the last 15 minutes.

        Selects ldapChange events with changetype 'modify' whose summary contains
        the phrase "groups", drops events whose actor contains "bind" (presumably
        LDAP service/bind accounts - confirm) and whose changepairs match
        'delete:*member*', then aggregates what is left by details.email and
        raises an alert for every aggregation holding at least one event.
        """
        query = SearchQuery(minutes=15)
        required = [
            TermMatch('category', 'ldapChange'),
            TermMatch('details.changetype', 'modify'),
            PhraseMatch("summary", "groups"),
        ]
        # Both exclusions are wildcards: any actor string containing "bind" is
        # silenced, not only known service accounts, so a human account named
        # that way would never alert here.
        excluded = [
            WildcardMatch('details.actor', '*bind*'),
            WildcardMatch('details.changepairs', 'delete:*member*'),
        ]
        query.add_must(required)
        query.add_must_not(excluded)

        self.filtersManual(query)
        # Keep at most 50 sample events per email address.
        self.searchEventsAggregated('details.email', samplesLimit=50)
        # threshold=1: a single matching event is enough to alert.
        self.walkAggregations(threshold=1, config={})
    def main(self):
        """Alert on each LDAP group-membership modification seen in the last 15 minutes.

        Selects ldapChange events with changetype 'modify' whose summary contains
        the phrase "groups", drops events whose actor contains "bind" (presumably
        LDAP service/bind accounts - confirm) and whose changepairs contain
        'delete:member', then walks the remaining events one by one rather than
        aggregating them.
        """
        query = SearchQuery(minutes=15)
        required = [
            TermMatch('category', 'ldapChange'),
            TermMatch('details.changetype', 'modify'),
            PhraseMatch("summary", "groups"),
        ]
        # Wildcard exclusions: any actor containing "bind" is silenced, and
        # '*delete:member*' differs from the 'delete:*member*' form used by the
        # sibling alert - here "delete:" and "member" must be adjacent.
        excluded = [
            WildcardMatch('details.actor', '*bind*'),
            WildcardMatch('details.changepairs', '*delete:member*'),
        ]
        query.add_must(required)
        query.add_must_not(excluded)

        self.filtersManual(query)
        # Per-event alerting: no aggregation or threshold is applied.
        self.searchEventsSimple()
        self.walkEvents()
    def main(self):
        """Alert on every LDAP 'add' change seen in the last 15 minutes.

        Selects ldapChange events with changetype 'add', drops those whose actor
        contains "bind" (presumably LDAP service/bind accounts - confirm), and
        walks the remaining events one by one.
        """
        query = SearchQuery(minutes=15)
        required = [
            TermMatch('category', 'ldapChange'),
            TermMatch('details.changetype', 'add'),
        ]
        # Wildcard exclusion: any actor string containing "bind" is silenced,
        # not only known service accounts.
        excluded = [
            WildcardMatch('details.actor', '*bind*'),
        ]
        query.add_must(required)
        query.add_must_not(excluded)

        self.filtersManual(query)

        # Per-event alerting: no aggregation or threshold is applied.
        self.searchEventsSimple()
        self.walkEvents()
    def main(self):
        """Alert when one IP creates many Firefox Accounts within 10 minutes.

        Selects events tagged 'firefoxaccounts' whose details.action is the
        phrase 'accountCreate', drops addresses ending in 'restmail.net', then
        aggregates by details.ip and alerts on any IP with 10 or more creations.
        """
        query = SearchQuery(minutes=10)
        required = [
            TermMatch('tags', 'firefoxaccounts'),
            PhraseMatch('details.action', 'accountCreate'),
        ]
        # Suffix-only exclusion: '*restmail.net' also matches addresses at
        # domains such as 'notrestmail.net', and any registrant who picks such
        # an address drops out of this alert entirely. Nothing in this query
        # handles "accounts that already exist"; only the restmail suffix is
        # filtered here.
        excluded = [
            WildcardMatch('details.email', '*restmail.net'),
        ]
        query.add_must(required)
        query.add_must_not(excluded)

        self.filtersManual(query)

        # Group by source IP, keeping at most 10 sample events per IP.
        self.searchEventsAggregated('details.ip', samplesLimit=10)
        # Alert only when an IP has at least 10 matching creations.
        self.walkAggregations(threshold=10)