Improved test coverage

* Added test case * Removed unused code
SigmaHQ · Jun 12, 2020 · f907c49 · f907c49
1 parent 05ced1a
commit f907c49
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 26 deletions.
diff --git a/Makefile b/Makefile
@@ -32,9 +32,10 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ee-outliers -c tools/config/winlogbeat.yml rules/ > /dev/null
-	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs  -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
-	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule  -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
-	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana  -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c sysmon -c winlogbeat -O case_insensitive_whitelist=* rules/windows/process_creation > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher  -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert  -c tools/config/ecs-cloudtrail.yml rules/ > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null

diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
@@ -33,29 +33,7 @@
 from .data import sysmon_schema
 from .exceptions import NotSupportedError
 
-class DeepFieldMappingMixin(object):
-
-    def fieldNameMapping(self, fieldname, value):
-        if isinstance(fieldname, str):
-            get_config = self.sigmaconfig.fieldmappings.get(fieldname)
-            if not get_config and '|' in fieldname:
-                fieldname = fieldname.split('|', 1)[0]
-                get_config = self.sigmaconfig.fieldmappings.get(fieldname)
-            if isinstance(get_config, ConditionalFieldMapping):
-                condition = self.sigmaconfig.fieldmappings.get(fieldname).conditions
-                for key, item in self.logsource.items():
-                    if condition.get(key) and condition.get(key, {}).get(item):
-                        new_fieldname = condition.get(key, {}).get(item)
-                        if any(new_fieldname):
-                           return super().fieldNameMapping(new_fieldname[0], value)
-        return super().fieldNameMapping(fieldname, value)
-
-
-    def generate(self, sigmaparser):
-        self.logsource = sigmaparser.parsedyaml.get("logsource", {})
-        return super().generate(sigmaparser)
-
-class AzureLogAnalyticsBackend(DeepFieldMappingMixin, SingleTextQueryBackend):
+class AzureLogAnalyticsBackend(SingleTextQueryBackend):
     """Converts Sigma rule into Azure Log Analytics Queries."""
     identifier = "ala"
     active = True