From bdd8048ef9a630f3b69be43b8be037dec988afe4 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 9 Oct 2024 23:19:29 +0200 Subject: [PATCH] Added test for placeholders in fields with string replacements pySigma issue 284 --- tests/test_processing_pipelines.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/test_processing_pipelines.py b/tests/test_processing_pipelines.py index d5528e1..32c33fe 100644 --- a/tests/test_processing_pipelines.py +++ b/tests/test_processing_pipelines.py @@ -2,6 +2,8 @@ from sigma.exceptions import SigmaTransformationError from sigma.backends.test import TextQueryTestBackend from sigma.processing.resolver import ProcessingPipelineResolver +from sigma.processing.pipeline import ProcessingPipeline, ProcessingItem +from sigma.processing.transformations import ValueListPlaceholderTransformation from sigma.pipelines.crowdstrike import ( crowdstrike_fdr_pipeline, crowdstrike_falcon_pipeline, @@ -481,6 +483,27 @@ def test_crowdstrike_falcon_pipeline_process_creation( == "event_platform=/^Win$/i #event_simpleName=/^ProcessRollup2$/i or #event_simpleName=/^SyntheticProcessRollup2$/i CommandLine=/^test\\.exe foo bar$/i ImageFileName=/\\\\test\\.exe$/i" ) +def test_crowdstrike_falcon_image_with_placeholder(resolver : ProcessingPipelineResolver): + sigma_rule = SigmaCollection.from_yaml(""" + title: Image with Placeholder Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Image|expand: "%var%" + condition: sel + """) + pipeline = resolver.resolve_pipeline("crowdstrike_falcon") + ProcessingPipeline( + items=[ + ProcessingItem(transformation=ValueListPlaceholderTransformation()) + ], + vars={"var": ["foo.exe", "bar.exe", "test.exe"]}, + ) + backend = LogScaleBackend(pipeline) + assert backend.convert(sigma_rule) == "event_platform=/^Win$/i #event_simpleName=/^ProcessRollup2$/i or #event_simpleName=/^SyntheticProcessRollup2$/i ImageFileName=/^foo\\.exe$/i or ImageFileName=/^bar\\.exe$/i or ImageFileName=/^test\\.exe$/i" + def test_crowdstrike_falcon_pipeline_parentimage( resolver: ProcessingPipelineResolver, process_creation_sigma_rule_parentimage