def test_cardinality_min():
    """Check the low-cardinality alert of CardinalityRule keyed on 'user'.

    With min_cardinality=4, a batch of two distinct usernames must produce
    exactly one match. After the match list is cleared, a batch of four
    distinct usernames must produce none, so a count equal to the minimum
    does not alert.
    """
    config = dict(
        min_cardinality=4,
        timeframe=datetime.timedelta(minutes=10),
        query_key='user',
        timestamp_field='@timestamp',
    )
    rule = CardinalityRule(config)

    # Two distinct usernames is below the minimum of four: one match expected.
    low_batch = ['foo', 'bar']
    buckets = []
    for name in low_batch:
        buckets.append({"key": name})
    rule.add_terms_data({datetime.datetime.now(): buckets})
    assert len(rule.matches) == 1

    # Clear recorded matches so the next assertion counts only the new batch.
    rule.matches = []

    # This batch holds four distinct usernames ('baz' and 'hoo' are new):
    # no match expected.
    full_batch = ['foo', 'bar', "baz", "hoo"]
    buckets = []
    for name in full_batch:
        buckets.append({"key": name})
    rule.add_terms_data({datetime.datetime.now(): buckets})
    assert len(rule.matches) == 0
def test_cardinality_max():
    """Check the high-cardinality alert of CardinalityRule keyed on 'user'.

    With max_cardinality=4, a batch of four distinct usernames must not
    match, so a count equal to the maximum does not alert. A following batch
    that adds a fifth username must leave exactly one match recorded.
    """
    config = dict(
        max_cardinality=4,
        timeframe=datetime.timedelta(minutes=10),
        query_key='user',
        timestamp_field='@timestamp',
    )
    rule = CardinalityRule(config)

    # Four distinct usernames sits exactly on the maximum: no match expected.
    at_limit = ['bill', 'coach', 'zoey', 'louis']
    buckets = []
    for name in at_limit:
        buckets.append({"key": name})
    rule.add_terms_data({datetime.datetime.now(): buckets})
    assert len(rule.matches) == 0

    # A fifth username ("me") exceeds the maximum: one match expected.
    # rule.matches is not reset here, so the count covers both batches.
    over_limit = ['bill', 'coach', 'zoey', 'louis', "me"]
    buckets = []
    for name in over_limit:
        buckets.append({"key": name})
    rule.add_terms_data({datetime.datetime.now(): buckets})
    assert len(rule.matches) == 1
def test_cardinality_min():
    """Verify CardinalityRule matches when too few distinct users are seen.

    The rule is configured with min_cardinality=4 on query_key 'user'.
    Two distinct usernames must give one match. Four distinct usernames,
    checked after the match list is emptied, must give none.
    """

    def as_terms(names):
        # Wrap the usernames as {"key": ...} entries under one wall-clock
        # timestamp, the form this test passes to add_terms_data.
        return {datetime.datetime.now(): list(map(lambda n: {"key": n}, names))}

    settings = {}
    settings['min_cardinality'] = 4
    settings['timeframe'] = datetime.timedelta(minutes=10)
    settings['query_key'] = 'user'
    settings['timestamp_field'] = '@timestamp'
    rule = CardinalityRule(settings)

    # Only two distinct usernames, under the minimum of four: expect a match.
    rule.add_terms_data(as_terms(['foo', 'bar']))
    match_count = len(rule.matches)
    assert match_count == 1

    # Discard the recorded match before feeding the second batch.
    rule.matches = []

    # Four distinct usernames in this batch: the rule must not match.
    rule.add_terms_data(as_terms(['foo', 'bar', "baz", "hoo"]))
    match_count = len(rule.matches)
    assert match_count == 0
def test_cardinality_max():
    """Verify CardinalityRule matches when too many distinct users are seen.

    The rule is configured with max_cardinality=4 on query_key 'user'.
    Four distinct usernames must give no match. Adding a fifth username in
    the next batch must leave exactly one match on the rule.
    """

    def as_terms(names):
        # Wrap the usernames as {"key": ...} entries under one wall-clock
        # timestamp, the form this test passes to add_terms_data.
        return {datetime.datetime.now(): list(map(lambda n: {"key": n}, names))}

    settings = {}
    settings['max_cardinality'] = 4
    settings['timeframe'] = datetime.timedelta(minutes=10)
    settings['query_key'] = 'user'
    settings['timestamp_field'] = '@timestamp'
    rule = CardinalityRule(settings)

    # Exactly four distinct usernames: at the limit, so no match yet.
    rule.add_terms_data(as_terms(['bill', 'coach', 'zoey', 'louis']))
    match_count = len(rule.matches)
    assert match_count == 0

    # The fifth username ("me") goes over the limit: one match expected.
    # Matches were not cleared in between, so this is the running total.
    rule.add_terms_data(as_terms(['bill', 'coach', 'zoey', 'louis', "me"]))
    match_count = len(rule.matches)
    assert match_count == 1