예제 #1
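        /// <summary>
        /// Checks that the files under the detection folder, and under the solution-folder paths
        /// containing "Analytic Rules", are all <c>.yaml</c> files apart from one allowed extra file.
        /// </summary>
        /// <remarks>
        /// The check compares counts only: it passes whenever exactly one non-YAML file exists,
        /// whatever that file is. On failure the message lists every non-YAML path so the offending
        /// file can be found without re-running the enumeration by hand.
        /// </remarks>
        public void Validate_DetectionTemplates_AllFilesAreYamls()
        {
            List<string> detectionPath = DetectionsYamlFilesTestData.GetDetectionPaths();

            // detectionPath[0] is the detection folder; detectionPath[1] is the solution folder,
            // of which only paths containing "Analytic Rules" anywhere in the full path are kept.
            var yamlFiles = Directory.GetFiles(detectionPath[0], "*.yaml", SearchOption.AllDirectories).ToList();
            yamlFiles.AddRange(Directory.GetFiles(detectionPath[1], "*.yaml", SearchOption.AllDirectories).Where(s => s.Contains("Analytic Rules")));

            var allFiles = Directory.GetFiles(detectionPath[0], "*", SearchOption.AllDirectories).ToList();
            allFiles.AddRange(Directory.GetFiles(detectionPath[1], "*", SearchOption.AllDirectories).Where(s => s.Contains("Analytic Rules")));

            var numberOfNotYamlFiles = 1; // This is the readme.md file in the directory

            // NOTE(review): a rule saved with another extension (for example .yml) is not matched by
            // the "*.yaml" pattern above, so any check that enumerates templates the same way would
            // skip it. Consider asserting on the name of the allowed file instead of only the count.
            var nonYamlFiles = allFiles.Except(yamlFiles).ToList();

            Assert.True(
                allFiles.Count == yamlFiles.Count + numberOfNotYamlFiles,
                $"All the files in detections and solution (Analytics rules) folder are supposed to end with .yaml. Non-YAML files found ({nonYamlFiles.Count}, {numberOfNotYamlFiles} expected): {string.Join(", ", nonYamlFiles)}");
        }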
예제 #2
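        /// <summary>
        /// Checks that no two detection templates share the same <c>id</c> value.
        /// </summary>
        /// <remarks>
        /// Templates come from the detection folder (paths containing "CiscoUmbrella" excluded) and
        /// from solution-folder paths containing "Analytic Rules". Each file is read, converted from
        /// YAML to JSON and grouped by its <c>id</c> token; any group with more than one member fails
        /// the test.
        /// </remarks>
        public void Validate_DetectionTemplates_NoSameTemplateIdTwice()
        {
            List<string> detectionPath = DetectionsYamlFilesTestData.GetDetectionPaths();

            // CiscoUmbrella detections are skipped in the detection folder because the same
            // detections are already present in the solution folder.
            var yamlFiles = Directory.GetFiles(detectionPath[0], "*.yaml", SearchOption.AllDirectories)
                .Where(s => !s.Contains("CiscoUmbrella"))
                .ToList();

            // Extend the validation to the solution folder.
            yamlFiles.AddRange(Directory.GetFiles(detectionPath[1], "*.yaml", SearchOption.AllDirectories).Where(s => s.Contains("Analytic Rules")));

            // NOTE(review): only the file name is passed to GetYamlFileAsString; how it resolves two
            // files with the same name in different folders is not visible here - confirm.
            // NOTE(review): grouping compares the id token as parsed, so ids that differ only in
            // letter case would presumably not be reported - confirm whether that matters.
            // ToList() materialises the query once, so the files are read and parsed a single time
            // instead of once per Count()/Last() call.
            var duplicationsById = yamlFiles
                .Select(yaml => GetYamlFileAsString(Path.GetFileName(yaml)))
                .Select(yaml => JObject.Parse(ConvertYamlToJson(yaml)))
                .GroupBy(template => template["id"])
                .Where(group => group.Count() > 1) // ids that more than one template uses
                .ToList();

            var duplicatedId = "";

            if (duplicationsById.Count > 0)
            {
                // The key is null when the grouped templates have no "id" property at all; report
                // that case in the message instead of failing with a NullReferenceException.
                duplicatedId = duplicationsById.Last().Key?.ToString() ?? "<missing id>";
            }

            Assert.True(duplicationsById.Count == 0, $"There should not be 2 templates with the same ID, but the id {duplicatedId} is duplicated.");
        }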