
Commit f907c49

committed
Improved test coverage
* Added test case * Removed unused code
1 parent 05ced1a commit f907c49


2 files changed

+5
-26
lines changed


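--- a/Makefile
+++ b/Makefile
@@ -32,9 +32,10 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
-$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
-$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
-$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c sysmon -c winlogbeat -O case_insensitive_whitelist=* rules/windows/process_creation > /dev/null
+$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null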
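Review bot: The new es-qs line (new line 35) passes `-O case_insensitive_whitelist=*` unquoted, so the recipe shell may glob-expand that word if a file in the working directory happens to match the pattern; quoting it as `-O 'case_insensitive_whitelist=*'` keeps the literal wildcard. The same line also names configs as bare identifiers (`-c sysmon -c winlogbeat`) while every other recipe line in the hunk passes a path under tools/config/; if sigmac resolves bare names to bundled configs that is fine, otherwise the invocation fails at config lookup and the coverage run is lost. Recipe indentation is not visible in the rendered view, and the enclosing `test-sigmac` target begins before the hunk.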

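--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -33,29 +33,7 @@
 from .data import sysmon_schema
 from .exceptions import NotSupportedError
 
-class DeepFieldMappingMixin(object):
-
-def fieldNameMapping(self, fieldname, value):
-if isinstance(fieldname, str):
-get_config = self.sigmaconfig.fieldmappings.get(fieldname)
-if not get_config and '|' in fieldname:
-fieldname = fieldname.split('|', 1)[0]
-get_config = self.sigmaconfig.fieldmappings.get(fieldname)
-if isinstance(get_config, ConditionalFieldMapping):
-condition = self.sigmaconfig.fieldmappings.get(fieldname).conditions
-for key, item in self.logsource.items():
-if condition.get(key) and condition.get(key, {}).get(item):
-new_fieldname = condition.get(key, {}).get(item)
-if any(new_fieldname):
-return super().fieldNameMapping(new_fieldname[0], value)
-return super().fieldNameMapping(fieldname, value)
-
-
-def generate(self, sigmaparser):
-self.logsource = sigmaparser.parsedyaml.get("logsource", {})
-return super().generate(sigmaparser)
-
-class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
+class AzureLogAnalyticsBackend(SingleTextQueryBackend):
 """Converts Sigma rule into Azure Log Analytics Queries."""
 identifier = "ala"
 active = True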
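Review bot: Removing `DeepFieldMappingMixin` deletes the only visible use of `ConditionalFieldMapping` (old line 44), so the import that brought that name into this module is presumably now unused and should go with the mixin; the import block starts above the hunk, so this cannot be confirmed here. The class is removed outright rather than deprecated, so any other module that imports `DeepFieldMappingMixin` from here would now fail at import time; worth a grep before merging. Note also that `AzureLogAnalyticsBackend` loses the logsource-conditional field mapping behaviour the mixin supplied, which is only consistent with the commit message if no shipped config relied on conditional mappings for this backend. The class body of `AzureLogAnalyticsBackend` continues past the hunk.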
