Monitor execution and finding integration tests (#139)

Signed-off-by: Stevan Buzejic <stevan.buzejic@htecgroup.com>
opensearch-project · Nov 18, 2022 · a4a542d · a4a542d
1 parent 7d07189
commit a4a542d
Show file tree

Hide file tree

Showing 5 changed files with 1,098 additions and 196 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -177,7 +177,7 @@ protected void doExecute(Task task, IndexDetectorRequest request, ActionListener
         asyncAction.start();
     }
 
-    private void createMonitorFromQueries(String index, List<Pair<String, Rule>> rulesById, Detector detector, ActionListener<List<IndexMonitorResponse>>listener, WriteRequest.RefreshPolicy refreshPolicy) throws SigmaError, IOException {
+    private void createMonitorFromQueries(String index, List<Pair<String, Rule>> rulesById, Detector detector, ActionListener<List<IndexMonitorResponse>> listener, WriteRequest.RefreshPolicy refreshPolicy) throws SigmaError, IOException {
         List<Pair<String, Rule>> docLevelRules = rulesById.stream().filter(it -> !it.getRight().isAggregationRule()).collect(
             Collectors.toList());
         List<Pair<String, Rule>> bucketLevelRules = rulesById.stream().filter(it -> it.getRight().isAggregationRule()).collect(

diff --git a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java
@@ -457,6 +457,66 @@ public static String productIndexAvgAggRule(){
             "                condition: sel | avg(fieldA) by fieldC > 110";
     }
 
+    public static String randomAggregationRule(String aggFunction,  String signAndValue) {
+        String rule = "title: Remote Encrypting File System Abuse\n" +
+            "id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+            "description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+            "references:\n" +
+            "    - https://attack.mitre.org/tactics/TA0008/\n" +
+            "    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+            "    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+            "    - https://github.com/zeronetworks/rpcfirewall\n" +
+            "    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+            "tags:\n" +
+            "    - attack.defense_evasion\n" +
+            "status: experimental\n" +
+            "author: Sagie Dulce, Dekel Paz\n" +
+            "date: 2022/01/01\n" +
+            "modified: 2022/01/01\n" +
+            "logsource:\n" +
+            "    product: rpc_firewall\n" +
+            "    category: application\n" +
+            "    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+            "detection:\n" +
+            "    sel:\n" +
+            "        Opcode: Info\n" +
+            "    condition: sel | %s(SeverityValue) by Version %s\n" +
+            "falsepositives:\n" +
+            "    - Legitimate usage of remote file encryption\n" +
+            "level: high";
+        return String.format(Locale.ROOT, rule, aggFunction, signAndValue);
+    }
+
+    public static String randomAggregationRule(String aggFunction,  String signAndValue, String opCode) {
+        String rule = "title: Remote Encrypting File System Abuse\n" +
+            "id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
+            "description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\n" +
+            "references:\n" +
+            "    - https://attack.mitre.org/tactics/TA0008/\n" +
+            "    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n" +
+            "    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/main/documents/MS-EFSR.md\n" +
+            "    - https://github.com/zeronetworks/rpcfirewall\n" +
+            "    - https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/\n" +
+            "tags:\n" +
+            "    - attack.defense_evasion\n" +
+            "status: experimental\n" +
+            "author: Sagie Dulce, Dekel Paz\n" +
+            "date: 2022/01/01\n" +
+            "modified: 2022/01/01\n" +
+            "logsource:\n" +
+            "    product: rpc_firewall\n" +
+            "    category: application\n" +
+            "    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\n" +
+            "detection:\n" +
+            "    sel:\n" +
+            "        Opcode: %s\n" +
+            "    condition: sel | %s(SeverityValue) by Version %s\n" +
+            "falsepositives:\n" +
+            "    - Legitimate usage of remote file encryption\n" +
+            "level: high";
+        return String.format(Locale.ROOT, rule, opCode, aggFunction, signAndValue);
+    }
+
     public static String windowsIndexMapping() {
         return "\"properties\": {\n" +
                 "      \"AccessList\": {\n" +
@@ -1455,6 +1515,45 @@ public static String windowsIndexMapping() {
                 "    }";
     }
 
+    public static String randomDoc(int severity,  int version, String opCode) {
+        String doc =  "{\n" +
+            "\"EventTime\":\"2020-02-04T14:59:39.343541+00:00\",\n" +
+            "\"HostName\":\"EC2AMAZ-EPO7HKA\",\n" +
+            "\"Keywords\":\"9223372036854775808\",\n" +
+            "\"SeverityValue\":%s,\n" +
+            "\"Severity\":\"INFO\",\n" +
+            "\"EventID\":22,\n" +
+            "\"SourceName\":\"Microsoft-Windows-Sysmon\",\n" +
+            "\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\n" +
+            "\"Version\":%s,\n" +
+            "\"TaskValue\":22,\n" +
+            "\"OpcodeValue\":0,\n" +
+            "\"RecordNumber\":9532,\n" +
+            "\"ExecutionProcessID\":1996,\n" +
+            "\"ExecutionThreadID\":2616,\n" +
+            "\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\n" +
+            "\"Domain\":\"NT AUTHORITY\",\n" +
+            "\"AccountName\":\"SYSTEM\",\n" +
+            "\"UserID\":\"S-1-5-18\",\n" +
+            "\"AccountType\":\"User\",\n" +
+            "\"Message\":\"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-04 14:59:38.349\\r\\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\\r\\nProcessId: 1904\\r\\nQueryName: EC2AMAZ-EPO7HKA\\r\\nQueryStatus: 0\\r\\nQueryResults: 172.31.46.38;\\r\\nImage: C:\\\\Program Files\\\\nxlog\\\\nxlog.exe\",\n" +
+            "\"Category\":\"Dns query (rule: DnsQuery)\",\n" +
+            "\"Opcode\":\"%s\",\n" +
+            "\"UtcTime\":\"2020-02-04 14:59:38.349\",\n" +
+            "\"ProcessGuid\":\"{b3c285a4-3cda-5dc0-0000-001077270b00}\",\n" +
+            "\"ProcessId\":\"1904\",\"QueryName\":\"EC2AMAZ-EPO7HKA\",\"QueryStatus\":\"0\",\n" +
+            "\"QueryResults\":\"172.31.46.38;\",\n" +
+            "\"Image\":\"C:\\\\Program Files\\\\nxlog\\\\regsvr32.exe\",\n" +
+            "\"EventReceivedTime\":\"2020-02-04T14:59:40.780905+00:00\",\n" +
+            "\"SourceModuleName\":\"in\",\n" +
+            "\"SourceModuleType\":\"im_msvistalog\",\n" +
+            "\"CommandLine\": \"eachtest\",\n" +
+            "\"Initiated\": \"true\"\n" +
+            "}";
+        return String.format(Locale.ROOT, doc, severity, version, opCode);
+
+    }
+
     public static String randomDoc() {
         return "{\n" +
                 "\"EventTime\":\"2020-02-04T14:59:39.343541+00:00\",\n" +

diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java
@@ -165,6 +165,10 @@ public void testGetFindings_byDetectorType_success() throws IOException {
                         "  \"partial\":true" +
                         "}"
         );
+
+        Response response = client().performRequest(createMappingRequest);
+        assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
+
         // index 2
         String index2 = createTestIndex("netflow_test", netFlowMappings());
 
@@ -178,7 +182,7 @@ public void testGetFindings_byDetectorType_success() throws IOException {
                         "}"
         );
 
-        Response response = client().performRequest(createMappingRequest);
+        response = client().performRequest(createMappingRequest);
         assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode());
         // Detector 1 - WINDOWS
         Detector detector1 = randomDetectorWithTriggers(getRandomPrePackagedRules(), List.of(new DetectorTrigger(null, "test-trigger", "1", List.of(randomDetectorType()), List.of(), List.of(), List.of(), List.of())));
@@ -234,7 +238,7 @@ public void testGetFindings_byDetectorType_success() throws IOException {
         Map<String, Object> executeResults = entityAsMap(executeResponse);
 
         int noOfSigmaRuleMatches = ((List<Map<String, Object>>) ((Map<String, Object>) executeResults.get("input_results")).get("results")).get(0).size();
-        Assert.assertEquals(3, noOfSigmaRuleMatches);
+        Assert.assertEquals(5, noOfSigmaRuleMatches);
 
         // execute monitor 2
         executeResponse = executeAlertingMonitor(monitorId2, Collections.emptyMap());