def test_map_source_2(self):
    """Payload Source Mapping 2

    Builds a kinesis payload for ``test_stream_2``, runs it through
    ``StreamClassifier.map_source`` and checks that the service, entity and
    the set of log types resolved for that stream match expectations.
    """
    encoded = base64.b64encode('test_map_source_data_2')
    kinesis_payload = self.payload_generator(
        kinesis_stream='test_stream_2',
        kinesis_data=encoded,
    )

    stream_classifier = StreamClassifier(config=self.config)
    stream_classifier.map_source(kinesis_payload)

    # Every log type the config associates with test_stream_2
    expected_log_types = {
        'test_multiple_schemas:01',
        'test_multiple_schemas:02',
        'test_log_type_json_2',
        'test_log_type_json_nested_osquery',
        'test_log_type_syslog',
    }
    resolved_metadata = stream_classifier._log_metadata()

    # service, entity, metadata test
    assert_equal(kinesis_payload.service, 'kinesis')
    assert_equal(kinesis_payload.entity, 'test_stream_2')
    assert_equal(expected_log_types, set(resolved_metadata.keys()))
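def test_rule(self, rule_name, test_record, formatted_record):
    """Feed formatted records into StreamAlert and check for alerts

    Args:
        rule_name [str]: The rule name being tested
        test_record [dict]: A single record to test
        formatted_record [dict]: A dictionary that includes the 'data' from the
            test record, formatted into a structure that is resemblant of how an
            incoming record from a service would format it. See
            test/integration/templates for example of how each service
            formats records.

    Returns:
        [list] alerts that hit for this rule
        [integer] count of expected alerts for this rule
        [bool] boolean where False indicates errors occurred during processing
    """
    event = {'Records': [formatted_record]}

    # An explicit 'trigger_count' wins; only fall back to the boolean
    # 'trigger' flag when the key is absent. Checking for None (rather than
    # falsiness) keeps an explicit trigger_count of 0 from being silently
    # promoted to 1 when 'trigger' is true.
    expected_alert_count = test_record.get('trigger_count')
    if expected_alert_count is None:
        expected_alert_count = 1 if test_record['trigger'] else 0

    # Run the rule processor. Passing mocked context object with fake
    # values and False for suppressing sending of alerts
    processor = StreamAlert(self.context, False)
    all_records_matched_schema = processor.run(event)

    if not all_records_matched_schema:
        # Re-classify the record on its own so the schema mismatch can be
        # reported against the log types the classifier resolved for it
        payload = StreamPayload(raw_record=formatted_record)
        classifier = StreamClassifier(config=load_config())
        classifier.map_source(payload)
        logs = classifier._log_metadata()
        self.analyze_record_delta(logs, rule_name, test_record)

    # we only want alerts for the specific rule being tested
    alerts = [
        alert for alert in processor.get_alerts()
        if alert['rule_name'] == rule_name
    ]

    return alerts, expected_alert_count, all_records_matched_schema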
def test_map_source_1(self):
    """Payload Source Mapping 1

    Builds a kinesis payload for ``test_kinesis_stream``, runs it through
    ``StreamClassifier.map_source`` and checks that the service, entity and
    the set of log types resolved for that stream match expectations.
    """
    encoded = base64.b64encode('test_map_source data')
    kinesis_payload = self.payload_generator(
        kinesis_stream='test_kinesis_stream',
        kinesis_data=encoded,
    )

    stream_classifier = StreamClassifier(config=self.config)
    stream_classifier.map_source(kinesis_payload)

    # Every log type the config associates with test_kinesis_stream
    expected_log_types = {
        'test_log_type_json',
        'test_log_type_json_2',
        'test_log_type_json_nested',
        'test_log_type_json_nested_with_data',
        'test_log_type_csv',
        'test_log_type_csv_nested',
        'test_log_type_kv_auditd',
    }
    resolved_metadata = stream_classifier._log_metadata()

    # service, entity, metadata test
    assert_equal(kinesis_payload.service, 'kinesis')
    assert_equal(kinesis_payload.entity, 'test_kinesis_stream')
    assert_equal(expected_log_types, set(resolved_metadata.keys()))