def test_whitelist_correctly_reload_after_update_config(self):
    """Whitelist decisions must follow the configuration currently loaded.

    The same generated document is evaluated twice: under the single-literal
    whitelist file it must not be whitelisted, and after switching to the
    multiple-literal file it must be. A stale answer on the second check would
    mean whitelist entries survive a configuration change, which would silently
    suppress (or fail to suppress) outliers after an operator edits the config.
    """
    self.test_settings.change_configuration_path(test_whitelist_single_literal_file)

    document_spec = {
        "create_outlier": True,
        "outlier_observation": "dummy observation",
        "filename": "osquery_get_all_processes_with_listening_conns.log",
    }
    generator = DummyDocumentsGenerate()
    document = generator.generate_document(document_spec)

    # Baseline: the single-literal configuration does not whitelist this document.
    self.assertFalse(Outlier.is_whitelisted_doc(document))

    # Switch configuration; the new whitelist must apply without any extra reload step.
    self.test_settings.change_configuration_path(test_whitelist_multiple_literal_file)
    self.assertTrue(Outlier.is_whitelisted_doc(document))
def test_whitelist_literal_match(self):
    """A document whose ``command_query`` equals a configured literal is whitelisted.

    The configuration at ``test_file_outliers_path_config`` is expected to list
    the msfeedssync command line used below as a literal whitelist entry; the
    generated document carries exactly that string, so the match must succeed.
    """
    self.test_settings.change_configuration_path(test_file_outliers_path_config)

    # Must be byte-identical to the literal in the configuration file.
    whitelisted_command = r'C:\Windows\system32\msfeedssync.exe sync'
    generator = DummyDocumentsGenerate()
    document = generator.generate_document({"command_query": whitelisted_command})

    self.assertTrue(Outlier.is_whitelisted_doc(document))
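def is_document_whitelisted(self, document, extract_field=True):
    """Return whether *document* is covered by the configured whitelist.

    Args:
        document: the document to check. It is deep-copied first so that
            neither field extraction nor the temporary ``__whitelist_extra``
            key written below leaks back to the caller.
        extract_field: when True, fields are obtained from the copy through
            ``es.extract_fields_from_document`` (derived fields included when
            ``model_settings["use_derived_fields"]`` is set); when False the
            document itself is used as the field mapping.

    Returns:
        The result of ``Outlier.is_whitelisted_doc`` on the enriched copy.
    """
    document_to_check = copy.deepcopy(document)
    if extract_field:
        fields = es.extract_fields_from_document(
            document_to_check,
            extract_derived_fields=self.model_settings["use_derived_fields"],
        )
    else:
        # Use the copy rather than the caller's dict: the original code passed
        # ``document`` here, which bypassed the deep copy and let anything done
        # with ``fields`` reach the caller's object.
        fields = document_to_check
    outlier_param = self._prepare_outlier_parameters({}, fields)
    # Reserved key consumed by the whitelist check; it only ever lives on the copy.
    document_to_check['__whitelist_extra'] = outlier_param
    return Outlier.is_whitelisted_doc(document_to_check)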