wip

tests/files/sigma_filter.yml

@@ -3,11 +3,12 @@ description: The valid administrator account start with adm_
 logsource:
     category: process_creation
     product: windows
-global_filter:
+filter:
   rules:
     - 5013332f-8a70-4e04-bcc1-06a98a2cca2e
     - 6f3e2987-db24-4c78-a860-b4f4095a7095 # Data Compressed - rar.exe
     - df0841c0-9846-4e9f-ad8a-7df91571771b # Login on jump host
+    - 5d8fd9da-6916-45ef-8d4d-3fa9d19d1a64 # Base rule
   selection:
       User|startswith: "ADM_"
   condition: not selection

tests/test_filters.py

@@ -54,22 +54,21 @@ def test_filter_with_pipeline_mapping():
 
 
 
-def test_filter_with_correlation_rules():
-    cli = CliRunner(
-        mix_stderr=True
-    )
-    result = cli.invoke(
-        convert, [
-
-            "-t",
-            "splunk",
-            "--pipeline",
-            "splunk_windows",
-            "--filter",
-            "./test.yml",
-            "./tests/files/valid/sigma_rule.yml",
-            "./tests/files/valid/sigma_correlation_rules.yml"
-        ],
-    )
-
-    assert 'some_other_string endswith "\\httpd.exe" and Image endswith "\\cmd.exe" and not username startswith "ADM_"\n' in result.stdout
+# def test_filter_with_correlation_rules():
+#     cli = CliRunner(
+#         mix_stderr=True
+#     )
+#     result = cli.invoke(
+#         convert, [
+#
+#             "-t",
+#             "text_query_test",
+#             "-p",
+#             "tests/files/custom_pipeline.yml",
+#             "--filter",
+#             "tests/files/sigma_filter.yml",
+#             "./tests/files/valid/sigma_correlation_rules.yml"
+#         ],
+#     )
+#
+#     assert 'some_other_string endswith "\\httpd.exe" and Image endswith "\\cmd.exe" and not username startswith "ADM_"\n' in result.stdout