Adding risk message validation++ #92
Conversation
…ll as some skeleton code
…ily with risk message checks and the scaffolding for forthcoming risk/observable matching
@@ -416,7 +412,7 @@ def test_detection(self, detection: Detection) -> None: | |||
""" | |||
# TODO: do we want to return a failure here if no test exists for a production detection? |
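Review bot: the `# TODO` on the last line of this hunk leaves undecided whether `test_detection` should fail when a production detection has no test, which is exactly the case where a missing check lets an untested detection pass validation silently; either resolve it here (return a failure, or an explicit skip with a reason) or replace the TODO with a comment naming the other check that is expected to catch this, so the behaviour is not left implicit.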
@pyth0n1c there is a check elsewhere that handles the case where a production detection lacks test cases, correct?
# Suppress logging by default; enable for local testing | ||
ENABLE_LOGGING = False | ||
ENABLE_LOGGING = True |
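Review bot: `ENABLE_LOGGING = True` contradicts the comment directly above it ("Suppress logging by default; enable for local testing") and would ship the local-testing toggle enabled for every run; revert it to `False` before merge, or read the value from an environment variable or CLI flag so local debugging does not require editing the source.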
Will set this back to False after a final full test w/in an SCA pipeline
@cmcginley-splunk : Should we set this back to false now that we have run this a few times in the SCA repo?
…ttern matching; added docstrings and JIRA ticket IDs
Some detections seem to be generating false positives (test failures that are not actual failures); e.g.: Windows Excessive Disabled Services Event
Resolve conflicts associated with update to Pydantic2
Context
Code changes
- RiskEvent model for the events returned by ES
- CorrelationSearch to only search for events which match the appropriate search name
- $...$ literals
- NotableEvent model for the events returned by ES (will support additional notable validation, potentially added in the future)
- format_pbar_string s.t. it uses the start_time instance attribute if none is provided explicitly
- observable.py
New detection failures
I spot-checked these, but did not do a deep dive on every single one; but I believe they are all legitimate validation issues
- $...$ literal -> represents a bad field substitution, likely because the referenced field doesn't exist in final SPL output
NOTE: this testing was performed locally, and some detections failed due to networking issues, likely due to my ISP bandwidth; so there may be more legitimate failures similar to the above not captured in this initial test
Testing
Will post some results from an SCA pipeline when that run completes
TODO
CorrelationSearch
Future work
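As an added illustration of the `$...$` literal failure described in the PR body (this is not code from this PR or from contentctl), the check below substitutes ES field tokens in a risk message from an event's fields and flags any token that survives, which is what a bad field substitution looks like in the final output. The RiskEvent dataclass here is a constructed stand-in, not the PR's model, and the sample field names are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# An ES field token such as "$user$" or "$dest$" in a risk message. ES fills these
# from the event's fields when the correlation search fires; one surviving in the
# rendered output means the referenced field was missing from the event.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")


@dataclass
class RiskEvent:
    """Constructed stand-in for a risk event (not contentctl's RiskEvent model)."""
    risk_message: str
    risk_object: str
    fields: dict = field(default_factory=dict)


def unsubstituted_tokens(message: str) -> list[str]:
    """Return the field names of every $...$ literal left in a risk message."""
    return TOKEN_RE.findall(message)


def render_risk_message(template: str, event_fields: dict) -> tuple[str, list[str]]:
    """Substitute $field$ tokens from event_fields and report the missing ones.

    Tokens whose field is absent are left in place, so the rendered string
    mirrors what a validator would see in the final SPL / ES output.
    """
    missing: list[str] = []

    def _sub(m: re.Match) -> str:
        name = m.group(1)
        if name in event_fields:
            return str(event_fields[name])
        missing.append(name)
        return m.group(0)  # leave the literal in place

    return TOKEN_RE.sub(_sub, template), missing


def validate_risk_event(event: RiskEvent) -> list[str]:
    """Return validation failures for a risk event; an empty list means it passes."""
    failures = [
        f"unsubstituted literal ${name}$ in risk_message (field missing from event)"
        for name in unsubstituted_tokens(event.risk_message)
    ]
    if not event.risk_object:
        failures.append("risk_object is empty")
    return failures
```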