Updated API & Sel tests for suspiscious powershell panel (#405)
rishagg01 committed Aug 14, 2024
1 parent 4032fd9 commit dd01647
Showing 4 changed files with 264 additions and 3 deletions.
@@ -0,0 +1,25 @@
{
"process": {
"parent": {
"name": "powershell.exe",
"executable": "powershell.exe",
"args": "test"
},
"command_line": "invoke",
"executable" : "powershell.exe",
"args" : "test"
},
"event": {
"code": "11",
"provider": "Microsoft-Windows-Sysmon",
"action": "Download",
"outcome": "test"
},
"user": {
"name": "APItestuserid",
"domain": "test"
},
"host": {
"name": "C2.lme.local"
}
}
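Review bot: This document carries no `@timestamp`, yet the filter fixture in this same commit pins the search to a fixed 15-minute window (`"gte" : "2024-08-07T17:00:57.337Z"`, `"lte" : "2024-08-07T17:15:57.337Z"`), so the document will only be returned if `insert_winlog_data` stamps it into that window before indexing; that helper is outside this commit, so I cannot confirm it does. If the helper does stamp the time, a comment in the test naming that dependency would save the next reader the same question; if it does not, the fixture needs an explicit `"@timestamp"` inside the window, or the filter's range needs to be driven by the test rather than hard-coded. The same hard-coded window also means the filter fixture cannot be reused against freshly generated data without editing it.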
@@ -0,0 +1,230 @@
{
"aggs": {
"2": {
"terms": {
"field": "process.executable",
"order": {"_count": "desc"},
"size": 100
}
}
},
"size": 100,
"script_fields": {},
"stored_fields": ["*"],
"_source": {"excludes": []},
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"bool": {
"should": [
{
"term": {
"process.parent.name": {"value": "powershell.exe"}
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"term": {
"process.name": {"value": "powershell.exe"}
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"term": {
"winlog.event_data.OriginalFileName": {
"value": "PowerShell.EXE"
}
}
}
],
"minimum_should_match": 1
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "invoke"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "bypass"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "iex"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "ex"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "icm"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "new-object"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "set"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "get"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "write"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {"process.command_line.text": "out"}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "download"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"process.command_line.text": "encoded"
}
}
],
"minimum_should_match": 1
}
}
],
"minimum_should_match": 1
}
}
]
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte" : "2024-08-07T17:00:57.337Z" ,
"lte" : "2024-08-07T17:15:57.337Z"
}
}
}
],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": ["@kibana-highlighted-field@"],
"post_tags": ["@/kibana-highlighted-field@"],
"fields": {"*": {}},
"fragment_size": 2147483647
}
}

7 changes: 7 additions & 0 deletions testing/tests/api_tests/data_insertion_tests/test_server.py
Expand Up @@ -60,4 +60,11 @@ def test_file_downloads_insert(es_host, es_port, username, password):
assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'C:\\Users\\admin.ackbar\\Downloads\\test.txt')


def test_file_suspicious_powershell(es_host, es_port, username, password):

second_response_loaded=insert_winlog_data(es_host, es_port, username, password, 'filter_suspiciouspowershell.json', 'suspiciouspowershell.json', 1)

# Check to make sure the data was inserted
assert(second_response_loaded['aggregations']['2']['buckets'][0]['key'] == 'powershell.exe')
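Review bot: The new assertion indexes `['buckets'][0]` directly, so when the filter matches nothing the test dies with an `IndexError` from inside the subscript rather than a readable assertion failure, which hides the actual cause (no document indexed, or the time window missed it). Add a guard before the key check, `buckets = second_response_loaded['aggregations']['2']['buckets']` then `assert buckets, "no documents matched filter_suspiciouspowershell.json"`, and then `assert buckets[0]['key'] == 'powershell.exe'`. The parenthesised `assert(...)` form copied from the sibling test reads like a function call and should be a plain `assert ... == ...`; a one-line docstring stating that the test inserts the suspicious-powershell fixture and checks the `process.executable` aggregation would also help.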


Expand Up @@ -107,11 +107,10 @@ def test_powershell_events_by_computer(self, setup_login, kibana_url, timeout):
driver = setup_login
dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Powershell events by computer", ".echChart",".euiText")

@pytest.mark.skip(reason="Skipping this test")
#@pytest.mark.skip(reason="Skipping this test")
def test_potentially_suspicious_powershell(self, setup_login, kibana_url, timeout):
driver = setup_login
dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Potentially suspicious powershell", ".needarealvaluehere",".euiDataGrid__noResults")
#This dashboard panel needs test data. Currently the panel only gives No Result found
dashboard_test_function(driver, kibana_url, timeout, self.dashboard_id, "Potentially suspicious powershell", ".euiDataGrid",".euiDataGrid__noResults")

@pytest.mark.skip(reason="Skipping this test")
def test_powershell_network_connections(self, setup_login, kibana_url, timeout):
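Review bot: The skip decorator on `test_potentially_suspicious_powershell` is left behind as commented-out code (`#@pytest.mark.skip(reason="Skipping this test")`) instead of being deleted; version control already records that it was there, so drop the line. The new call passes `".euiDataGrid"` as the populated-panel selector and keeps `".euiDataGrid__noResults"` as the empty selector, which looks right for a data-grid panel, but I cannot verify from this hunk that `dashboard_test_function` treats the first selector as the success case. The enclosing test class starts outside the hunk.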
