
Update cloudtrail alert tests

pwnbus committed Jul 10, 2019
1 parent 99470c7 commit 841bfafbef0612dba4c72385808ddc0b7cb834f2
Showing with 15 additions and 33 deletions.
  1. +11 −11 tests/alerts/test_cloudtrail_excessive_describe.py
  2. +4 −22 tests/alerts/test_cloudtrail_public_bucket.py
@@ -19,7 +19,7 @@ class TestCloudtrailExcessiveDescribe(AlertTestSuite):
"source": "cloudtrail",
"details": {
"eventverb": "Describe",
"source": "dynamodb.application-autoscaling.amazonaws.com",
"sourceipv4address": "1.2.3.4",
}
}
}
@@ -29,20 +29,20 @@ class TestCloudtrailExcessiveDescribe(AlertTestSuite):
"category": "access",
"tags": ['cloudtrail'],
"severity": "WARNING",
"summary": 'Excessive Describe calls on dynamodb.application-autoscaling.amazonaws.com (50)',
"summary": 'A production service is generating excessive describe calls.',
}

test_cases = []

test_cases.append(
PositiveAlertTestCase(
description="Positive test with default events and default alert expected",
events=AlertTestSuite.create_events(default_event, 50),
events=AlertTestSuite.create_events(default_event, 5),
expected_alert=default_alert
)
)

events = AlertTestSuite.create_events(default_event, 50)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['source'] = 'bad'
test_cases.append(
@@ -52,7 +52,7 @@ class TestCloudtrailExcessiveDescribe(AlertTestSuite):
)
)

events = AlertTestSuite.create_events(default_event, 50)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['eventverb'] = 'bad'
test_cases.append(
@@ -62,20 +62,20 @@ class TestCloudtrailExcessiveDescribe(AlertTestSuite):
)
)

events = AlertTestSuite.create_events(default_event, 50)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['source'] = None
event['_source']['details']['sourceipv4address'] = None
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with non-existent details.source",
description="Negative test case with events with non-existent details.sourceipv4address",
events=events,
)
)

events = AlertTestSuite.create_events(default_event, 50)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21})
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 6})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 6})
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with old timestamp",
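Review bot: Every case in this file now uses exactly 5 events (the positive case at the `create_events(default_event, 5)` line and each negative case that follows), so nothing shows that 4 events in the same window does not alert; if 5 is the alert's threshold, as the uniform change from 50 suggests, the lower boundary is untested and a threshold regression to e.g. 1 would still pass. Adding a negative case alongside the positive one would pin it: `test_cases.append(NegativeAlertTestCase(description="Negative test case with events below the threshold", events=AlertTestSuite.create_events(default_event, 4)))`. The old-timestamp negative case moves from 21 to 6 minutes, which only leaves a one-minute margin to what looks like a 5-minute window; a comment stating the window the 6 is chosen against, such as `# one minute outside the alert's search window — TODO confirm window size`, would keep the two numbers from drifting apart. The class body continues outside these hunks.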
@@ -17,19 +17,10 @@ class TestCloudtrailPublicBucket(AlertTestSuite):
"source": "cloudtrail",
"details": {
"requestparameters": {
"bucketpolicy": {
"version": "2012-10-17",
"statement": [{
"action": "s3:GetObject",
"principal": "*",
"resource": "arn:aws:s3:::testbucket/*",
"effect": "Allow",
"sid": "AllowGetObject"
}]
},
"x-amz-acl": "public-read-write",
"bucketname": "testbucket"
},
"eventname": "PutBucketPolicy",
"eventname": "CreateBucket",
},
}
}
@@ -71,19 +62,10 @@ class TestCloudtrailPublicBucket(AlertTestSuite):
)

event = AlertTestSuite.create_event(default_event)
del(event['_source']['details']['requestparameters']['bucketpolicy']['statement'][0]['principal'])
event['_source']['details']['requestparameters']['x-amz-acl'] = 'test'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with missing field",
events=[event],
)
)

event = AlertTestSuite.create_event(default_event)
event['_source']['details']['requestparameters']['bucketpolicy']['statement'][0]['principal'] = 'bad'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with incorrect principal",
description="Negative test case with events with incorrect field",
events=[event],
)
)
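Review bot: After this change the only remaining negative case in the second hunk sets `x-amz-acl` to `'test'`; the earlier "missing field" case appears to be dropped, so a CreateBucket event whose `requestparameters` carries no `x-amz-acl` key at all (the common, non-public case) is no longer covered and a KeyError in the alert would go unnoticed. Re-adding it is three lines: `event = AlertTestSuite.create_event(default_event)`, `del(event['_source']['details']['requestparameters']['x-amz-acl'])`, then the existing `NegativeAlertTestCase(description="Negative test case with events with missing field", events=[event])` append. The default event now uses `public-read-write`; if the alert is meant to flag any public ACL, a positive case with `public-read` would document that, and if it is not, a comment on the default event saying so would help. The class body continues outside these hunks.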
