Skip to content

Commit

Permalink
testing failures
Browse files Browse the repository at this point in the history
  • Loading branch information
patel-bhavin committed Jul 2, 2024
1 parent f4c07b8 commit 3b2acdd
Show file tree
Hide file tree
Showing 2 changed files with 306 additions and 30 deletions.
60 changes: 30 additions & 30 deletions .github/workflows/unit-testing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,31 +6,7 @@ on:
schedule:
- cron: "44 4 * * *"
jobs:
# validate-tag-if-present:
# runs-on: ubuntu-latest

# steps:
# - name: TAGGED, Validate that the tag is in the correct format

# run: |
# echo "The GITHUB_REF: $GITHUB_REF"
# #First check to see if the release is a tag
# if [[ $GITHUB_REF =~ refs/tags/* ]]; then
# #Yes, this is a tag, so we need to test to make sure that the tag
# #is in the correct format (like v1.10.20)
# if [[ $GITHUB_REF =~ refs/tags/v[0-9]+.[0-9]+.[0-9]+ ]]; then
# echo "PASS: Tagged release with good format"
# exit 0
# else
# echo "FAIL: Tagged release with bad format"
# exit 1
# fi
# else
# echo "PASS: Not a tagged release"
# exit 0
# fi

docker-unit-testing-setup:
contentctl-unit-testing-setup:
runs-on: ubuntu-latest
if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job
# needs: [validate-tag-if-present, quit-for-dependabot]
Expand Down Expand Up @@ -68,8 +44,32 @@ jobs:
- name: Run ContentCTL test for changes against develop
run: |
git status
git pull
source .venv/bin/activate
git checkout unit-testing
contentctl test --post-test-behavior never_pause mode:changes --mode.target-branch develop
cat summary.xml
# git status
# git pull
# source .venv/bin/activate
# git checkout unit-testing
# contentctl test --post-test-behavior never_pause mode:changes --mode.target-branch develop
summarize-test-results:
needs: contentctl-unit-testing-setup
runs-on: ubuntu-latest
if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job
# needs: [validate-tag-if-present, quit-for-dependabot]
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Install dependencies
run: sudo apt-get install -y jq

- name: Check Test Summary
run: |
total_fail=$(cat security_content/test_results/summary.yml | yq e '.summary.total_fail' -)
if [ "$total_fail" != "0" ]; then
echo "CI Failure: There are failed tests."
cat security_content/test_results/summary.yml | yq e '.summary' -
exit 1
else
echo "CI Success: No failed tests."
fi
276 changes: 276 additions & 0 deletions summary.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,276 @@
summary:
success: true
total_detections: 8
total_pass: 8
total_fail: 0
total_skipped: 0
total_untested: 0
total_experimental_or_deprecated: 0
success_rate: 100.0%
tested_detections:
- name: Detect Password Spray Attempts
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts
values(Authentication.app) as app count(Authentication.user) as total_failures
from datamodel=Authentication.Authentication where Authentication.action="failure"
by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype,
_time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets
for 0-count events during entire search length``` | appendpipe [| timechart limit=0
span=5m count | table _time] | fillnull value=0 unique_accounts, unique_src ```
remove duplicate & empty time buckets``` | sort - total_failures | dedup _time
``` Create aggregation field & apply to all null events``` | eval counter=src+"__"+sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std
by counter | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts
> 30 and unique_accounts >= upperBound, 1, 0) | replace "::ffff:*" with * in src
| where isOutlier=1 | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, src, action, app, unique_accounts, total_failures, sourcetype,
signature_id | `detect_password_spray_attempts_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 6.78
wait_duration: null
resultCount: '1'
runDuration: '1.397'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Internal Horizontal Port Scan
search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone)
as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic
where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by
All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport
| `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount
values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone)
as src_zone by src_ip dest_port gtime transport | where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port | stats min(_time) as _time values(action)
as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category
values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone)
as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 7.82
wait_duration: null
resultCount: '1'
runDuration: '2.207'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Internal Vertical Port Scan
search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as
action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone)
as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic
where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by
All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport
span=1s _time | `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin
span=1h gtime | stats min(_time) as _time values(action) as action dc(eval(if(dest_port<1024
AND transport="tcp",dest_port,null))) as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null)))
as totalDestTcpPortCount dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null)))
as privilegedDestUdpPortCount dc(eval(if(transport="udp",dest_port,null))) as
totalDestUdpPortCount values(src_category) as src_category values(dest_zone) as
dest_zone values(src_zone) as src_zone by src_ip dest_ip transport gtime | eval
totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount|
where (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime
| `internal_vertical_port_scan_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 11.52
wait_duration: null
resultCount: '1'
runDuration: '5.078'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Windows AD add Self to Group
search: '`wineventlog_security` EventCode IN (4728) | where user=src_user | stats
min(_time) as _time dc(user) as usercount, values(user) as user values(user_category)
as user_category values(src_user_category) as src_user_category values(dvc) as
dvc by signature, Group_Name, src_user | `windows_ad_add_self_to_group_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 5.61
wait_duration: null
resultCount: '1'
runDuration: '0.635'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Windows Increase in Group or Object Modification Activity
search: '`wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket
span=5m _time | stats values(object) as object, dc(object) as objectCount, values(src_user_category)
as src_user_category, values(dest) as dest, values(dest_category) as dest_category
by _time, src_user, signature, status | eventstats avg(objectCount) as comp_avg,
stdev(objectCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std)
| eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) |
search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 6.36
wait_duration: null
resultCount: '2'
runDuration: '1.390'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Windows Increase in User Modification Activity
search: '`wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780)
| bucket span=5m _time | stats values(TargetDomainName) as TargetDomainName,
values(user) as user, dc(user) as userCount, values(user_category) as user_category,
values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category)
as dest_category by _time, src_user, signature, status | eventstats avg(userCount)
as comp_avg , stdev(userCount) as comp_std by src_user, signature | eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) | search
isOutlier=1 | stats values(TargetDomainName) as TargetDomainName, values(user)
as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category)
as src_user_category, values(dest) as dest, values(dest_category) as dest_category
values(signature) as signature by _time, src_user, status | `windows_increase_in_user_modification_activity_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 6.18
wait_duration: null
resultCount: '1'
runDuration: '0.722'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Windows Network Share Discovery With Net
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit)
as user_bunit FROM datamodel=Endpoint.Processes WHERE ((Processes.process_name="net.exe"
OR Processes.orig_process_name="net.exe") AND (Processes.process="*net*view*"
OR Processes.process="*net*share*")) BY Processes.user Processes.dest Processes.process_exec
Processes.parent_process_exec Processes.process Processes.parent_process | `drop_dm_object_name(Processes)`
| regex process="net\s+view|net\s+share" | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `windows_network_share_discovery_with_net_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 6.05
wait_duration: null
resultCount: '1'
runDuration: '0.886'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
- name: Windows Vulnerable Driver Installed
search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" |
table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers
driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver
= TRUE | `windows_vulnerable_driver_installed_filter`'
success: true
tests:
- name: True Positive Test
test_type: unit
success: true
message: TEST PASSED
exception: null
status: pass
duration: 6.11
wait_duration: null
resultCount: '3'
runDuration: '0.857'
- name: True Positive Test
test_type: integration
success: true
message: 'TEST SKIPPED: Skipping all integration tests'
exception: null
status: skip
duration: 0
wait_duration: null
resultCount: null
runDuration: null
untested_detections: []
percent_complete: UKNOWN
deprecated_detections: []
experimental_detections: []

0 comments on commit 3b2acdd

Please sign in to comment.