Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: validation of detections against cms_main #303

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Feature: validation of detections against cms_main #303

wants to merge 18 commits into from

Conversation

cmcginley-splunk
Copy link
Collaborator

@cmcginley-splunk cmcginley-splunk commented Oct 8, 2024
edited
Loading

Context

  • We need to validate that our detections not only work in ES, but are also being parsed correctly by the content versioning service

Code change

  • Added ContentVersioningService
    • Enables content versioning
    • Activates CMS parser
    • Validates detections against CMS events, reports any missing detections or other validation issues. Validations include:
      • Counts between cms_main and detections based on YAMLs match
      • Each detection can be matched to a cms_event
      • Each cms_event can be matched to a detection
      • No cms_event is repeated
      • UUIDs match between cms/detection pairs
      • Versions match between cms/detection pairs
      • Full search name matches between cms/detection pairs
      • Correlationsearch label matches between cms/detection pairs
      • Sourcetype matches between cms/detection pairs
    • Returns a list of setup functions which are optionally inserted into the main setup of DetectionTestingInfrastructure
  • Aggregating errors across all threads (setup, testing, view, view shutdown) and reporting en masse
  • Broke up setup functions list to allow for optional inclusion of the content versioning setup functions
  • NOTE: Now we raise any exceptions that crop up during setup, instead of just logging them
  • Added logic to DetectionTestingInfrastructure to query installed ES version, so we can determine when it is appropriate to run content versioning validation
    • Content versioning validation is only run when 1) integration testing is enabled, 2) ES 8.0.0+ is installed, and 3) when the testing mode is All
  • Moved logging utility in CorrelationSearch (useful for debugging) to helper.utils.Utils so it could be re-used in ContentVersioningService

Testing

  • I've tested locally w/ some quick and dirty edits to the savedsearches.conf file and all seems to work well
  • Want to test in CI, but currently the changes to dashboards in contentctl preclude me from testing this on the security_content repo as it exists today
Screenshot 2024-10-08 at 12 38 55 PM

Caveats

  • Note that we now raise exceptions from setup, instead of logging and dropping them; I believe this is desirable
  • I went back and forth as to whether this validation should happen as part of setup, OR if I should create some new type of test case. I opted for the former as this type of testing doesn't fit our current testing paradigm; validation against the cms_main index should happen in aggregate, a test of the whole package, not individual detections. We do not have an easy way to insert testing at that level presently.
  • Additionally, this validation probably only needs to be run against a single instance and not necessarily all instances in a single run, but I don't see an easy or clean way to do that as well, and there's no harm or impact on execution time as far as I can tell

TODOs

  • disable logging
  • remove TODOs or create follow up issues
  • Test in CI when able

@cmcginley-splunk cmcginley-splunk changed the title Feature/validation against cms main Feature: validation of detections against cms_main Oct 8, 2024
@cmcginley-splunk cmcginley-splunk marked this pull request as ready for review October 8, 2024 19:50
@pyth0n1c pyth0n1c added the Draft label Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pyth0n1c pyth0n1c Awaiting requested review from pyth0n1c

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Draft
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cmcginley-splunk @pyth0n1c