remove config parameters from extra data
djkhl committed Aug 16, 2024
1 parent 6f19bdb commit 2ae55cc
Showing 2 changed files with 4 additions and 40 deletions.
4 changes: 4 additions & 0 deletions logprep/processor/pre_detector/processor.py
Expand Up @@ -136,6 +136,10 @@ def _get_detection_result(self, event: dict, rule: PreDetectorRule):

detection_result = self._generate_detection_result(pre_detection_id, event, rule)
self.result.data.append((detection_result, self._config.outputs))
detection_result.pop("source_timezone", "source_formats")
detection_result.pop("source_formats")
detection_result.pop("target_timezone")
detection_result.pop("timestamp_field")

@staticmethod
def _generate_detection_result(pre_detection_id: str, event: dict, rule: PreDetectorRule):
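Review bot: The second argument of `pop` on the first added line is a default value, not a second key, so `detection_result.pop("source_timezone", "source_formats")` removes only `source_timezone` and silently returns the string `"source_formats"` when that key is absent, while the three pops below it have no default and raise `KeyError` for any rule that lacks one of those keys; whether `_generate_detection_result` always sets all four is not visible in this hunk. Both problems go away with one tolerant loop in place of the four lines: `for key in ("source_timezone", "source_formats", "target_timezone", "timestamp_field"):` / `    detection_result.pop(key, None)`. A why-comment such as `# per-rule config parameters must not be emitted as part of the detection result` would record the intent of the stripping for the next reader. Note that the dict is appended to `self.result.data` on the line above before the pops run, which only works because the stored entry is the same instance; popping before the append would make that independence explicit. The body of `_get_detection_result` begins before this hunk.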
40 changes: 0 additions & 40 deletions tests/unit/processor/pre_detector/test_pre_detector.py
Expand Up @@ -30,10 +30,6 @@ def test_perform_successful_pre_detection(self):
"severity": "critical",
"mitre": ["attack.test1", "attack.test2"],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule one",
"rule_filter": '(winlog.event_id:"123" AND winlog.event_data.ServiceName:"VERY BAD")', # pylint: disable=line-too-long
},
Expand All @@ -57,10 +53,6 @@ def test_perform_pre_detection_that_fails_if_filter_children_were_slots(self):
"mitre": ["attack.test1", "attack.test2"],
"rule_filter": '(A:"*bar*" AND NOT ((A:"foo*" AND A:"*baz")))',
"severity": "critical",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"title": "RULE_FOUR",
},
({"kafka": "pre_detector_alerts"},),
Expand Down Expand Up @@ -90,10 +82,6 @@ def test_perform_successful_pre_detection_with_host_name(self):
"mitre": ["attack.test1", "attack.test2"],
"case_condition": "directly",
"host": {"name": "Test hostname"},
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule one",
"rule_filter": '(winlog.event_id:"123" AND winlog.event_data.ServiceName:"VERY BAD")', # pylint: disable=line-too-long
},
Expand All @@ -116,10 +104,6 @@ def test_perform_successful_pre_detection_with_same_existing_pre_detection(self)
"severity": "critical",
"mitre": ["attack.test1", "attack.test2"],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule one",
"rule_filter": '(winlog.event_id:"123" AND winlog.event_data.ServiceName:"VERY BAD")', # pylint: disable=line-too-long
},
Expand All @@ -144,10 +128,6 @@ def test_perform_successful_pre_detection_with_pre_detector_complex_rule_suceeds
"severity": "critical",
"mitre": [],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule two",
"rule_filter": '(tags:"test" AND process.program:"test" AND '
'(message:"test1*xyz" OR message:"test2*xyz"))',
Expand All @@ -171,10 +151,6 @@ def test_perform_successful_pre_detection_with_pre_detector_complex_rule_succeed
"severity": "critical",
"mitre": [],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule three",
"rule_filter": '(tags:"test2" AND process.program:"test" AND '
'(message:"test1*xyz" OR message:"test2?xyz"))',
Expand All @@ -199,10 +175,6 @@ def test_perform_successful_pre_detection_with_two_rules(self):
"description": "Test two rules two",
"rule_filter": '"second_match": *',
"severity": "suspicious",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"title": "RULE_TWO",
},
({"kafka": "pre_detector_alerts"},),
Expand All @@ -215,10 +187,6 @@ def test_perform_successful_pre_detection_with_two_rules(self):
"description": "Test two rules one",
"rule_filter": '"first_match": *',
"severity": "critical",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"title": "RULE_ONE",
},
({"kafka": "pre_detector_alerts"},),
Expand Down Expand Up @@ -302,10 +270,6 @@ def test_ignores_case(self):
"severity": "critical",
"mitre": [],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule two",
"rule_filter": '(tags:"test" AND process.program:"test" AND (message:"test1*xyz" OR message:"test2*xyz"))', # pylint: disable=line-too-long
},
Expand All @@ -328,10 +292,6 @@ def test_ignores_case_list(self):
"severity": "critical",
"mitre": [],
"case_condition": "directly",
"target_timezone": "UTC",
"source_timezone": "UTC",
"source_formats": "ISO8601",
"timestamp_field": "@timestamp",
"description": "Test rule two",
"rule_filter": '(tags:"test" AND process.program:"test" AND (message:"test1*xyz" OR message:"test2*xyz"))', # pylint: disable=line-too-long
},
