Add pipeline test for Juniper SRX (elastic#443)
There were pipeline errors while evaluating the pipeline. One of the `if` conditions was causing an error due to a null value, so I changed them to use the null-safe `?.`. This might be due to how the tests are run without the Beats processors (e.g. add_locale), but it's still a safe change to make. event.risk_category and event.severity needed `convert` processors to change their types.
1 parent
1a59046
commit 6af42b0
Showing
23 changed files
with
6,344 additions
and
14 deletions.
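--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
@@ -0,0 +1,4 @@
+<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
+<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
+<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]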
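Review bot: The first sample line wraps the verdict-source value in typographic quotes (`verdict-source=”cloud/blacklist/whitelist”`), which looks like a copy-paste artifact from vendor documentation rather than what an SRX emits; the key-value parser keeps the curly quotes inside the extracted value, and the expected output added in this commit freezes that artifact as `"verdict_source": "”cloud/blacklist/whitelist”"`. Changing the fixture to ASCII quotes, `verdict-source="cloud/blacklist/whitelist"`, makes the test exercise the real format and lets the expected value be a clean string. The fixture also mixes routable addresses (1.1.1.1, 187.19.188.200) with documentation-range ones (192.0.2.0); the geo and AS enrichment in the expected output presumably depends on the GeoIP data available to the test runner, so the expected file may drift when that data is updated.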
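--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
@@ -0,0 +1,5 @@
+{
+"dynamic_fields": {
+"event.ingested": ".*"
+}
+}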
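--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -0,0 +1,316 @@
+{
+"expected": [
+{
+"server": {
+"port": 80,
+"ip": "187.19.188.200"
+},
+"_temp_": {},
+"log": {
+"level": "informational"
+},
+"destination": {
+"geo": {
+"continent_name": "South America",
+"region_iso_code": "BR-CE",
+"city_name": "Juazeiro do Norte",
+"country_iso_code": "BR",
+"country_name": "Brazil",
+"region_name": "Ceara",
+"location": {
+"lon": -39.247,
+"lat": -7.1467
+}
+},
+"as": {
+"number": 28126,
+"organization": {
+"name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA"
+}
+},
+"port": 80,
+"ip": "187.19.188.200"
+},
+"source": {
+"port": 57116,
+"user": {
+"name": "user1"
+},
+"ip": "10.10.10.1"
+},
+"juniper": {
+"srx": {
+"process": "RT_AAMW",
+"policy_name": "argon_policy",
+"action": "BLOCK",
+"verdict_number": "8",
+"session_id_32": "50000002",
+"tag": "SRX_AAMW_ACTION_LOG",
+"verdict_source": "”cloud/blacklist/whitelist”",
+"file_category": "executable"
+}
+},
+"url": {
+"domain": "www.mytest.com"
+},
+"network": {
+"iana_number": "6"
+},
+"observer": {
+"name": "pinarello",
+"ingress": {
+"zone": "untrust"
+},
+"product": "SRX",
+"type": "firewall",
+"vendor": "Juniper",
+"egress": {
+"zone": "trust"
+}
+},
+"@timestamp": "2013-12-14T16:06:59.134Z",
+"related": {
+"hosts": [
+"www.mytest.com"
+],
+"ip": [
+"10.10.10.1",
+"187.19.188.200"
+]
+},
+"client": {
+"port": 57116,
+"ip": "10.10.10.1"
+},
+"event": {
+"severity": 14,
+"ingested": "2020-12-03T23:08:17.811974900Z",
+"original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"",
+"kind": "alert",
+"module": "juniper",
+"action": "malware_detected",
+"category": [
+"network",
+"malware"
+],
+"type": [
+"info",
+"denied",
+"connection"
+],
+"dataset": "juniper.srx",
+"outcome": "success"
+}
+},
+{
+"observer": {
+"name": "host-example",
+"product": "SRX",
+"type": "firewall",
+"vendor": "Juniper"
+},
+"_temp_": {},
+"@timestamp": "2016-09-20T17:43:30.330Z",
+"related": {
+"hosts": [
+"host.example.com"
+],
+"ip": [
+"192.0.2.0"
+]
+},
+"log": {
+"level": "informational"
+},
+"source": {
+"user": {
+"name": "admin"
+},
+"domain": "host.example.com",
+"ip": "192.0.2.0"
+},
+"juniper": {
+"srx": {
+"tenant_id": "ABC123456",
+"process": "RT_AAMW",
+"verdict_number": "9",
+"sample_sha256": "ABC123",
+"tag": "AAMW_MALWARE_EVENT_LOG",
+"malware_info": "Eicar:TestVirus",
+"timestamp": "2016-06-23T09:55:38.000Z"
+}
+},
+"event": {
+"severity": 14,
+"ingested": "2020-12-03T23:08:17.811985700Z",
+"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"",
+"kind": "alert",
+"module": "juniper",
+"action": "malware_detected",
+"category": [
+"network",
+"malware"
+],
+"type": [
+"info",
+"denied",
+"connection"
+],
+"dataset": "juniper.srx",
+"outcome": "success"
+}
+},
+{
+"observer": {
+"name": "host-example",
+"product": "SRX",
+"type": "firewall",
+"vendor": "Juniper"
+},
+"_temp_": {},
+"@timestamp": "2016-09-20T17:40:30.050Z",
+"related": {
+"hosts": [
+"host.example.com"
+],
+"ip": [
+"192.0.2.0"
+]
+},
+"log": {
+"level": "error"
+},
+"source": {
+"domain": "host.example.com",
+"ip": "192.0.2.0"
+},
+"juniper": {
+"srx": {
+"tenant_id": "ABC123456",
+"reason": "malware",
+"process": "RT_AAMW",
+"th": "7",
+"policy_name": "default",
+"state": "added",
+"tag": "AAMW_HOST_INFECTED_EVENT_LOG",
+"message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123",
+"timestamp": "2016-06-23T09:55:38.000Z",
+"status": "in_progress"
+}
+},
+"event": {
+"severity": 11,
+"ingested": "2020-12-03T23:08:17.812027400Z",
+"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"",
+"kind": "alert",
+"module": "juniper",
+"category": [
+"network",
+"malware"
+],
+"type": [
+"allowed",
+"connection"
+],
+"dataset": "juniper.srx",
+"outcome": "success"
+}
+},
+{
+"server": {
+"port": 80,
+"ip": "10.0.0.1"
+},
+"_temp_": {},
+"log": {
+"level": "notification"
+},
+"destination": {
+"port": 80,
+"ip": "10.0.0.1"
+},
+"source": {
+"geo": {
+"continent_name": "Oceania",
+"country_name": "Australia",
+"location": {
+"lon": 143.2104,
+"lat": -33.494
+},
+"country_iso_code": "AU"
+},
+"as": {
+"number": 13335,
+"organization": {
+"name": "Cloudflare, Inc."
+}
+},
+"port": 60148,
+"ip": "1.1.1.1",
+"domain": "dummy_host"
+},
+"juniper": {
+"srx": {
+"process": "RT_AAMW",
+"file_hash_lookup": "FALSE",
+"file_name": "dummy_file",
+"policy_name": "test-policy",
+"verdict_number": "10",
+"sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
+"malware_info": "Testfile",
+"url": "dummy_url",
+"file_category": "executable",
+"application": "HTTP",
+"action": "PERMIT",
+"session_id_32": "502156",
+"tag": "AAMW_ACTION_LOG"
+}
+},
+"network": {
+"iana_number": "6"
+},
+"observer": {
+"name": "aamw1",
+"ingress": {
+"zone": "Inside"
+},
+"product": "SRX",
+"type": "firewall",
+"vendor": "Juniper",
+"egress": {
+"zone": "Outside"
+}
+},
+"@timestamp": "2007-02-15T09:17:15.719Z",
+"related": {
+"hosts": [
+"dummy_host"
+],
+"ip": [
+"1.1.1.1",
+"10.0.0.1"
+]
+},
+"client": {
+"port": 60148,
+"ip": "1.1.1.1"
+},
+"event": {
+"severity": 165,
+"ingested": "2020-12-03T23:08:17.812037900Z",
+"original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
+"kind": "event",
+"module": "juniper",
+"category": [
+"network"
+],
+"type": [
+"allowed",
+"connection"
+],
+"dataset": "juniper.srx",
+"outcome": "success"
+}
+}
+]
+}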
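Review bot: `event.severity` in every expected document carries the whole syslog PRI (14, 14, 11 and 165) rather than the severity level: 165 is facility 20 with severity 5 (notice), and `"log": {"level": "notification"}` in the same document already reflects that severity, so the two fields disagree and anything keyed on ECS `event.severity` (alert thresholds, dashboards) will see facility-inflated values. If the `convert` processor the commit mentions is meant to expose the syslog severity, the pipeline should reduce the PRI first (severity is `pri % 8`, giving 6, 6, 3 and 5 for these four events); otherwise the field should be documented as the raw PRI in the data stream's field definitions. Each document also retains an empty `"_temp_": {}` object, which suggests the pipeline never removes its scratch field; a final `remove` of `_temp_` keeps working data out of the index and out of this expected file. The `"verdict_source": "”cloud/blacklist/whitelist”"` value freezes typographic quotes that come from the fixture line rather than from a real SRX message.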