From 73dbdf6431e02fd812648f568c1eaf1eda191d54 Mon Sep 17 00:00:00 2001
From: ppcad <45867125+ppcad@users.noreply.github.com>
Date: Fri, 20 Dec 2024 12:55:24 +0100
Subject: [PATCH] reduce to one rule tree (#731)
---
CHANGELOG.md | 1 +
README.md | 25 +-
.../architecture/diagramms/pipeline.drawio | 598 +++++++++---------
.../diagramms/pipeline.drawio.html | 7 +-
.../diagramms/process-Combined.drawio | 94 ++-
.../diagramms/process-Combined.drawio.html | 7 +-
.../processor_examples/calculator.ipynb | 5 +-
.../processor_examples/concatenator.ipynb | 5 +-
.../processor_examples/dissector.ipynb | 5 +-
.../processor_examples/field_manager.ipynb | 9 +-
.../processor_examples/generic_adder.ipynb | 5 +-
.../geo_ip_enricher_custom_outputfields.ipynb | 7 +-
.../processor_examples/grokker.ipynb | 5 +-
.../processor_examples/ip_informer.ipynb | 7 +-
.../processor_examples/key_checker.ipynb | 5 +-
.../notebooks/processor_examples/regex.ipynb | 3 +-
.../processor_examples/requester.ipynb | 5 +-
.../processor_examples/string_splitter.ipynb | 9 +-
.../processor_examples/timestamp_differ.ipynb | 5 +-
.../processor_examples/timestamper.ipynb | 5 +-
doc/source/development/processor_how_to.rst | 10 +-
.../programaticly_start_logprep.rst | 14 +-
examples/exampledata/config/pipeline.yml | 39 +-
.../amides_generic.yml => rules/amides_1.yml} | 0
.../amides_2.yml} | 0
.../example_rule_1.yml} | 0
.../example_rule_2.yml} | 0
.../{generic => rules}/example_rule.yml | 0
.../rules/dropper/specific/example_rule.yml | 6 -
.../{generic => rules}/example_rule.yml | 0
.../rules/labeler/specific/example_rule.yml | 7 -
.../example_rule_1.yml} | 0
.../example_rule_2.yml} | 0
.../{generic => rules}/example_rule.yml | 0
.../pseudonymizer/specific/example_rule.yml | 6 -
logprep/abc/processor.py | 88 +--
logprep/framework/rule_tree/rule_tree.py | 13 -
logprep/processor/amides/processor.py | 6 +-
logprep/processor/base/rule.py | 7 +-
logprep/processor/calculator/processor.py | 6 +-
logprep/processor/clusterer/processor.py | 20 +-
logprep/processor/concatenator/processor.py | 6 +-
.../processor/datetime_extractor/processor.py | 6 +-
logprep/processor/deleter/processor.py | 6 +-
logprep/processor/dissector/processor.py | 6 +-
.../domain_label_extractor/processor.py | 6 +-
.../processor/domain_resolver/processor.py | 6 +-
logprep/processor/dropper/processor.py | 6 +-
logprep/processor/field_manager/processor.py | 6 +-
logprep/processor/generic_adder/processor.py | 6 +-
.../processor/generic_resolver/processor.py | 6 +-
logprep/processor/geoip_enricher/processor.py | 6 +-
logprep/processor/grokker/processor.py | 6 +-
.../processor/hyperscan_resolver/processor.py | 6 +-
logprep/processor/ip_informer/processor.py | 6 +-
logprep/processor/key_checker/processor.py | 6 +-
logprep/processor/labeler/processor.py | 8 +-
.../processor/list_comparison/processor.py | 8 +-
logprep/processor/pre_detector/processor.py | 6 +-
logprep/processor/pseudonymizer/processor.py | 8 +-
logprep/processor/requester/processor.py | 6 +-
.../selective_extractor/processor.py | 6 +-
.../processor/string_splitter/processor.py | 6 +-
.../processor/template_replacer/processor.py | 6 +-
.../processor/timestamp_differ/processor.py | 6 +-
logprep/processor/timestamper/processor.py | 6 +-
.../util/auto_rule_tester/auto_rule_tester.py | 88 +--
logprep/util/configuration.py | 56 +-
logprep/util/template_processor.py.j2 | 6 +-
logprep/util/template_processor_test.py.j2 | 7 +-
tests/acceptance/test_amides.py | 3 +-
tests/acceptance/test_file_input.py | 3 +-
tests/acceptance/test_full_configuration.py | 13 +-
.../test_http_input_with_requests.py | 3 +-
tests/acceptance/test_multiple_outputs.py | 22 +-
tests/acceptance/test_pre_detection.py | 3 +-
tests/acceptance/test_preprocessing.py | 3 +-
..._selective_extractor_full_pipeline_pass.py | 6 +-
.../acceptance/test_wineventlog_processing.py | 33 +-
.../test_wineventlog_pseudonymization.py | 9 +-
tests/acceptance/util.py | 5 +-
...sector_rule.json => dissector_rule_1.json} | 0
...sector_rule.json => dissector_rule_2.json} | 0
.../labeling/schema.json | 0
.../rules}/id_1_SecurityCenter.json | 0
.../rules}/id_400_PowerShell.json | 0
...d_50036_Microsoft-Windows-Dhcp-Client.json | 0
...51047_Microsoft-Windows-DHCPv6-Client.json | 0
.../rules}/id_5615_Microsoft-Windows-WMI.json | 0
.../rules}/id_6005_EventLog.json | 0
.../rules}/id_6006_EventLog.json | 0
.../id_7040_Service_Control_Manager.json | 0
.../rules}/id_8212_System_Restore.json | 0
.../action/event_data_Started_to_execute.json | 0
.../event_data_Stopped_to_terminate.json | 0
.../action/event_data_paused_to_modify.json | 0
.../event_data_power_off_to_terminate.json | 0
.../action/event_data_running_to_execute.json | 0
.../keywords_Audit_Failure_to_failed.json | 0
.../keywords_Audit_Success_to_success.json | 0
.../windows/action/level_Error_to_failed.json | 0
.../event_data_logontype_2_or_7_to_user.json | 0
...vent_data_logontype_4_or_5_to_service.json | 0
..._Audit_Policy_Change_to_configuration.json | 0
...k_Logoff_to_authenticate_and_accounts.json | 0
...sk_Logon_to_authenticate_and_accounts.json | 0
.../Desktop_Window_Manager_to_system.json | 0
.../windows/reporter/ESENT_to_database.json | 0
.../windows/reporter/EventLog_to_system.json | 0
.../reporter/FreeSSHDService_to_service.json | 0
...dows-Application-Experience_to_system.json | 0
...osoft-Windows-DHCPv6-Client_to_system.json | 0
...crosoft-Windows-Dhcp-Client_to_system.json | 0
...crosoft-Windows-EventSystem_to_system.json | 0
...osoft-Windows-FilterManager_to_system.json | 0
...crosoft-Windows-GroupPolicy_to_system.json | 0
...soft-Windows-Kernel-General_to_system.json | 0
...rosoft-Windows-Kernel-Power_to_system.json | 0
...dows-Kernel-Processor-Power_to_system.json | 0
...t-Windows-Security-Auditing_to_system.json | 0
...rosoft-Windows-Security-SPP_to_system.json | 0
...rosoft-Windows-Time-Service_to_system.json | 0
...ndows-User-Profiles-Service_to_system.json | 0
.../Microsoft-Windows-UserPnp_to_system.json | 0
.../Microsoft-Windows-WMI_to_system.json | 0
...soft-Windows-WMPNSS-Service_to_system.json | 0
.../Microsoft-Windows-Winlogon_to_system.json | 0
.../windows/reporter/NETLOGON_to_system.json | 0
.../reporter/PowerShell_to_system.json | 0
.../reporter/SecurityCenter_to_system.json | 0
.../Service_Control_Manager_to_system.json | 0
.../reporter/System_Restore_to_system.json | 0
.../windows/reporter/VSS_to_service.json | 0
.../windows/reporter/volsnap_to_system.json | 0
.../reporter/wineventlog_to_windows.json | 0
.../labeling/schema.json | 0
.../rules}/computer_name_label.json | 0
.../rules}/event_data_Binary_label.json | 0
.../event_data_TargetLogonID_to_label.json | 0
...vent_data_param1_auto_discovery_label.json | 0
.../event_data_param1_crypto_label.json | 0
.../event_data_param1_flash_player_label.json | 0
..._data_param1_font_cache_service_label.json | 0
.../rules}/message_to_logon_label.json | 0
.../provider_guid_to_test_guid_label.json | 0
.../rules}/this_is_not_a_rule.not_json | 0
.../rules}/version_to_label.json | 0
.../{rules_static => }/regex_mapping.yml | 0
..._NewProcessId_New_ProcessName_id_4688.json | 0
...ubjectUserName_SubjectUserSid_id_4611.json | 0
...ubjectUserName_SubjectUserSid_id_4672.json | 0
...event_data_ClientAddress_to_client_ip.json | 0
.../event_data_FromFolder_to_file_path.json | 0
...vent_data_IpAddress_to_client_address.json | 0
.../event_data_IpAddress_to_client_ip.json | 0
.../event_data_IpPort_to_client_port.json | 0
...data_LogonProcessName_to_process_name.json | 0
...ata_ProcessId_NOT_4688_to_process_pid.json | 0
...ata_ProcessName_to_process_executable.json | 0
...data_TargetUserName_to_host_user_name.json | 0
...nt_data_TargetUserSid_to_host_user_id.json | 0
...ent_data_ToFolder_to_file_target_path.json | 0
.../event_data_UserSid_to_host_user_id.json | 0
.../param1_to_client_address_id_1104.json | 0
.../param1_to_client_address_id_1106.json | 0
.../param1_to_host_user_name_id_8.json | 0
.../param1_to_host_user_name_id_9.json | 0
.../param2_to_host_user_name_id_2000.json | 0
.../param2_to_host_user_name_id_2001.json | 0
.../param3_to_client_address_id_1104.json | 0
.../param3_to_client_address_id_1107.json | 0
.../param4_to_error_code_id_4098.json | 0
.../this_is_not_a_rule.not_json | 0
.../pre_detect_acceptance_one.json | 0
...ne.json => pre_detect_acceptance_two.json} | 0
.../{rules_static => }/regex_mapping.yml | 0
.../MetaFrameEvents_id_1104.json | 0
.../MetaFrameEvents_id_1106.json | 0
...minal-RemoteConnectionManager_id_1060.json | 0
.../specific => rules}/TdIca_id_1004.json | 0
.../specific => rules}/TdIca_id_1007.json | 0
.../generic => rules}/client_address.json | 0
.../generic => rules}/client_ip.json | 0
.../event_data_IpAddress.json | 0
.../event_data_SubjectUserName.json | 0
.../event_data_SubjectUserSid.json | 0
.../event_data_TargetUserName.json | 0
.../event_data_TargetUserSid.json | 0
.../event_data_ToFolder.json | 0
.../generic => rules}/event_data_UserSid.json | 0
.../generic => rules}/file_target_path.json | 0
.../generic => rules}/host_user_id.json | 0
.../generic => rules}/host_user_name.json | 0
.../rules}/this_is_not_a_rule.not_json | 0
.../generic => rules}/user_identifier.json | 0
.../generic => rules}/user_name.json | 0
.../specific/this_is_not_a_rule.not_json | 1 -
.../{generic/rules.json => rules_1.json} | 0
.../{specific/rules.json => rules_2.json} | 0
...tests.yml => rule_with_custom_tests_1.yml} | 0
...tests.yml => rule_with_custom_tests_2.yml} | 0
.../rules/{generic => }/auto_test_match.json | 0
.../{generic => }/auto_test_match_test.json | 0
.../{specific => }/auto_test_mismatch.json | 0
.../auto_test_mismatch_test.json | 0
.../{specific => }/auto_test_no_test_.json | 0
.../drop_field.json => drop_field_1.json} | 0
...field_test.json => drop_field_1_test.json} | 0
.../drop_field.json => drop_field_2.json} | 0
...field_test.json => drop_field_2_test.json} | 0
.../auto_test_labeling_match.json | 0
.../auto_test_labeling_match_existing.json | 0
...uto_test_labeling_match_existing_test.json | 0
.../auto_test_labeling_match_test.json | 0
.../auto_test_labeling_mismatch.json | 0
.../auto_test_labeling_mismatch_test.json | 0
.../auto_test_labeling_no_test_.json | 0
.../auto_test_pre_detector_match.json | 0
.../auto_test_pre_detector_match_test.json | 0
.../auto_test_pre_detector_mismatch.json | 0
.../auto_test_pre_detector_mismatch_test.json | 0
.../auto_test_pre_detector_no_test_.json | 0
.../auto_test_pseudonymizer_dotted_list.json | 0
...o_test_pseudonymizer_dotted_list_test.json | 0
.../auto_test_pseudonymizer_list.json | 0
.../auto_test_pseudonymizer_list_escaped.json | 0
..._test_pseudonymizer_list_escaped_test.json | 0
.../auto_test_pseudonymizer_list_test.json | 0
.../auto_test_pseudonymizer_match.json | 0
.../auto_test_pseudonymizer_match_test.json | 0
.../auto_test_pseudonymizer_mismatch.json | 0
...auto_test_pseudonymizer_mismatch_test.json | 0
.../auto_test_pseudonymizer_no_test_.json | 0
...replacer.json => template_replacer_1.json} | 0
...est.json => template_replacer_1_test.json} | 0
...replacer.json => template_replacer_2.json} | 0
...est.json => template_replacer_2_test.json} | 0
tests/testdata/config/config-auto-tests.yml | 42 +-
tests/testdata/config/config-docker.yml | 6 +-
tests/testdata/config/config.yml | 26 +-
tests/testdata/config/config2.yml | 6 +-
.../amides_generic.yml => amides_1.yml} | 0
.../amides_specific.yml => amides_2.yml} | 0
.../calculator_1.json} | 0
.../calculator_2.json} | 0
.../clusterer/rules/{generic => }/rules.json | 0
.../unit/clusterer/rules/specific/rules.json | 11 -
.../add_fields.json => add_fields_1.json} | 0
.../add_fields.json => add_fields_2.json} | 0
...tractor.json => datetime_extractor_1.json} | 0
...tractor.json => datetime_extractor_2.json} | 0
.../generic_delete.json => delete_1.json} | 0
.../specific_delete.json => delete_2.json} | 2 +-
.../rules/{specific => }/delete_test.json | 0
.../deleter/rules/{specific => }/test.json | 0
.../dissector_rule_1.json} | 0
.../dissector_rule_2.json} | 0
...gen.json => domain_label_extractor_1.json} | 0
...tor.json => domain_label_extractor_2.json} | 0
...ain_resolver.yml => domain_resolver_1.yml} | 0
...n_resolver.json => domain_resolver_2.json} | 0
.../drop_field.json => drop_field_1.json} | 0
.../drop_field.json => drop_field_2.json} | 0
.../field_manager_1.json} | 0
.../field_manager_2.json} | 0
.../rules/{generic/rules.json => rule_1.json} | 0
.../specific_rules.json => rule_2.json} | 0
.../{generic/rule_01.json => rule_1.json} | 0
.../{specific/rule_01.json => rule_2.json} | 0
.../rules/{generic => }/geoip_all.json | 0
.../rules/specific/geoip_all.json | 21 -
.../rule.yml => rules/rule_1.yml} | 0
.../rule.yml => rules/rule_2.yml} | 0
.../{generic/rule_01.json => rule_1.json} | 0
.../{specific/rule_01.json => rule_2.json} | 0
.../{generic/rule.json => rules/rule_1.json} | 0
.../{specific/rule.json => rules/rule_2.json} | 0
.../key_checker_rule_1.json} | 0
.../key_checker_rule_2.json} | 0
.../labeler/rules/{specific => }/first.json | 0
.../labeler/rules/{generic => }/rule.json | 0
.../user_check.json => user_check_1.json} | 0
..._check_specific.json => user_check_2.json} | 0
.../rules/{generic => }/pre_detect_four.yml | 0
.../rules/{generic => }/pre_detect_one.json | 0
.../rules/{generic => }/pre_detect_three.json | 0
.../rules/{generic => }/pre_detect_two.json | 0
.../{generic => }/pre_detect_two_rules.json | 0
.../rules/specific/pre_detect_one.json | 16 -
.../rules/specific/pre_detect_three.json | 16 -
.../rules/specific/pre_detect_two.json | 16 -
.../rules/specific/pre_detect_two_rules.json | 30 -
.../{rules => }/regex_mapping.yml | 0
.../rules/{specific => }/Test123_id_789.json | 0
.../rules/{specific => }/Test456_id_1234.json | 0
.../{generic => }/event_data_IpAddress.json | 0
.../rules/generic/this_is_not_a_rule.not_json | 1 -
.../rules}/this_is_not_a_rule.not_json | 0
.../requester.json => rules/requester_1.json} | 0
.../requester.json => rules/requester_2.json} | 0
.../{generic/rules.json => rules_1.json} | 0
.../{specific/rules.json => rules_2.json} | 0
.../{generic/generic.json => rules/rule.json} | 0
.../string_splitter/specific/specific.json | 11 -
.../rules/specific/template_replacer.json | 7 -
.../{generic => }/template_replacer.json | 0
.../timestamp_differ_rule.json | 0
.../specific_rules/timestamp_differ_rule.json | 9 -
.../timestamper_rule.yml | 2 +-
.../specific_rules/timestamper_rule.yml | 3 -
.../framework/rule_tree/test_rule_tree.py | 3 +-
tests/unit/framework/test_pipeline.py | 6 +-
tests/unit/processor/amides/test_amides.py | 3 +-
tests/unit/processor/base.py | 120 +---
.../processor/calculator/test_calculator.py | 7 +-
.../processor/clusterer/test_clusterer.py | 104 +--
.../concatenator/test_concatenator.py | 15 +-
.../concatenator/test_concatenator_rule.py | 14 +-
.../test_datetime_extractor.py | 17 +-
.../test_datetime_extractor_rule.py | 14 +-
tests/unit/processor/deleter/test_deleter.py | 3 +-
.../processor/deleter/test_deleter_rule.py | 14 +-
.../processor/dissector/test_dissector.py | 7 +-
.../test_domain_label_extractor.py | 25 +-
.../test_domain_label_extractor_rule.py | 14 +-
.../domain_resolver/test_domain_resolver.py | 23 +-
.../test_domain_resolver_rule.py | 8 +-
tests/unit/processor/dropper/test_dropper.py | 39 +-
.../processor/dropper/test_dropper_rule.py | 18 +-
.../field_manager/test_field_manager.py | 15 +-
.../generic_adder/test_generic_adder.py | 19 +-
.../generic_adder/test_generic_adder_rule.py | 8 +-
.../generic_resolver/test_generic_resolver.py | 63 +-
.../test_generic_resolver_rule.py | 10 +-
.../geoip_enricher/test_geoip_enricher.py | 28 +-
.../test_geoip_enricher_rule.py | 10 +-
tests/unit/processor/grokker/test_grokker.py | 11 +-
.../test_hyperscan_resolver.py | 69 +-
.../test_hyperscan_resolver_rule.py | 20 +-
.../processor/ip_informer/test_ip_informer.py | 7 +-
tests/unit/processor/key_checker/__init__.py | 0
.../processor/key_checker/test_key_checker.py | 7 +-
tests/unit/processor/labeler/test_labeler.py | 43 +-
.../list_comparison/test_list_comparison.py | 24 +-
.../test_list_comparison_rule.py | 14 +-
.../pre_detector/test_pre_detector.py | 11 +-
.../pre_detector/test_pre_detector_rule.py | 26 +-
.../pseudonymizer/test_pseudonymizer.py | 37 +-
.../pseudonymizer/test_pseudonymizer_rule.py | 10 +-
.../processor/requester/test_requester.py | 7 +-
.../test_selective_extractor.py | 28 +-
.../test_selective_extractor_rule.py | 14 +-
.../string_splitter/test_string_splitter.py | 7 +-
.../test_template_replacer.py | 11 +-
tests/unit/processor/test_process.py | 89 +--
.../timestamp_differ/test_timestamp_differ.py | 7 +-
.../processor/timestamper/test_timestamper.py | 7 +-
tests/unit/test_configuration.py | 36 +-
tests/unit/test_factory.py | 52 +-
tests/unit/util/test_auto_rule_tester.py | 55 +-
tests/unit/util/test_configuration.py | 111 +---
tests/unit/util/test_rule_dry_runner.py | 28 +-
362 files changed, 1105 insertions(+), 1909 deletions(-)
rename examples/exampledata/rules/amides/{generic/amides_generic.yml => rules/amides_1.yml} (100%)
rename examples/exampledata/rules/amides/{specific/amides_specific.yml => rules/amides_2.yml} (100%)
rename examples/exampledata/rules/dissector/{generic/example_rule.yml => rules/example_rule_1.yml} (100%)
rename examples/exampledata/rules/dissector/{specific/example_rule.yml => rules/example_rule_2.yml} (100%)
rename examples/exampledata/rules/dropper/{generic => rules}/example_rule.yml (100%)
delete mode 100644 examples/exampledata/rules/dropper/specific/example_rule.yml
rename examples/exampledata/rules/labeler/{generic => rules}/example_rule.yml (100%)
delete mode 100644 examples/exampledata/rules/labeler/specific/example_rule.yml
rename examples/exampledata/rules/pre_detector/{generic/example_rule.yml => rules/example_rule_1.yml} (100%)
rename examples/exampledata/rules/pre_detector/{specific/example_rule.yml => rules/example_rule_2.yml} (100%)
rename examples/exampledata/rules/pseudonymizer/{generic => rules}/example_rule.yml (100%)
delete mode 100644 examples/exampledata/rules/pseudonymizer/specific/example_rule.yml
rename tests/testdata/acceptance/dissector/rules/{generic/dissector_rule.json => dissector_rule_1.json} (100%)
rename tests/testdata/acceptance/dissector/rules/{specific/dissector_rule.json => dissector_rule_2.json} (100%)
rename tests/testdata/acceptance/labeler/{rules_static => no_regex}/labeling/schema.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_1_SecurityCenter.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_400_PowerShell.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_50036_Microsoft-Windows-Dhcp-Client.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_51047_Microsoft-Windows-DHCPv6-Client.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_5615_Microsoft-Windows-WMI.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_6005_EventLog.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_6006_EventLog.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_7040_Service_Control_Manager.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/specific => no_regex/rules}/id_8212_System_Restore.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/event_data_Started_to_execute.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/event_data_Stopped_to_terminate.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/event_data_paused_to_modify.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/event_data_power_off_to_terminate.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/event_data_running_to_execute.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/keywords_Audit_Failure_to_failed.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/keywords_Audit_Success_to_success.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/action/level_Error_to_failed.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/actor/event_data_logontype_2_or_7_to_user.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/actor/event_data_logontype_4_or_5_to_service.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/multiple/task_Audit_Policy_Change_to_configuration.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/multiple/task_Logoff_to_authenticate_and_accounts.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/multiple/task_Logon_to_authenticate_and_accounts.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Desktop_Window_Manager_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/ESENT_to_database.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/EventLog_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/FreeSSHDService_to_service.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Application-Experience_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-DHCPv6-Client_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Dhcp-Client_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-EventSystem_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-FilterManager_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-GroupPolicy_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Kernel-General_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Kernel-Power_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Kernel-Processor-Power_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Security-Auditing_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Security-SPP_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Time-Service_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-User-Profiles-Service_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-UserPnp_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-WMI_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-WMPNSS-Service_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Microsoft-Windows-Winlogon_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/NETLOGON_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/PowerShell_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/SecurityCenter_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/Service_Control_Manager_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/System_Restore_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/VSS_to_service.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/volsnap_to_system.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static/rules/generic => no_regex/rules}/windows/reporter/wineventlog_to_windows.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex => only_regex}/labeling/schema.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/computer_name_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_Binary_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_TargetLogonID_to_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_param1_auto_discovery_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_param1_crypto_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_param1_flash_player_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/event_data_param1_font_cache_service_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/generic => only_regex/rules}/message_to_logon_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/provider_guid_to_test_guid_label.json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/this_is_not_a_rule.not_json (100%)
rename tests/testdata/acceptance/labeler/{rules_static_only_regex/rules/specific => only_regex/rules}/version_to_label.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static => }/regex_mapping.yml (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/ProcessId_NewProcessId_New_ProcessName_id_4688.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/SubjectUserName_SubjectUserSid_id_4611.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/SubjectUserName_SubjectUserSid_id_4672.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_ClientAddress_to_client_ip.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_FromFolder_to_file_path.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_IpAddress_to_client_address.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_IpAddress_to_client_ip.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_IpPort_to_client_port.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_LogonProcessName_to_process_name.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_ProcessId_NOT_4688_to_process_pid.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_ProcessName_to_process_executable.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_TargetUserName_to_host_user_name.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_TargetUserSid_to_host_user_id.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_ToFolder_to_file_target_path.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/event_data_UserSid_to_host_user_id.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param1_to_client_address_id_1104.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param1_to_client_address_id_1106.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param1_to_host_user_name_id_8.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param1_to_host_user_name_id_9.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param2_to_host_user_name_id_2000.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param2_to_host_user_name_id_2001.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param3_to_client_address_id_1104.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param3_to_client_address_id_1107.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/specific => rules}/param4_to_error_code_id_4098.json (100%)
rename tests/testdata/acceptance/normalizer/{rules_static/generic => rules}/this_is_not_a_rule.not_json (100%)
rename tests/testdata/acceptance/pre_detector/rules/{generic => }/pre_detect_acceptance_one.json (100%)
rename tests/testdata/acceptance/pre_detector/rules/{specific/pre_detect_acceptance_one.json => pre_detect_acceptance_two.json} (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static => }/regex_mapping.yml (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/specific => rules}/MetaFrameEvents_id_1104.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/specific => rules}/MetaFrameEvents_id_1106.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/specific => rules}/Microsoft-Windows-Terminal-RemoteConnectionManager_id_1060.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/specific => rules}/TdIca_id_1004.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/specific => rules}/TdIca_id_1007.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/client_address.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/client_ip.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_IpAddress.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_SubjectUserName.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_SubjectUserSid.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_TargetUserName.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_TargetUserSid.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_ToFolder.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/event_data_UserSid.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/file_target_path.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/host_user_id.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/host_user_name.json (100%)
rename tests/testdata/acceptance/{normalizer/rules_static/specific => pseudonymizer/rules}/this_is_not_a_rule.not_json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/user_identifier.json (100%)
rename tests/testdata/acceptance/pseudonymizer/{rules_static/generic => rules}/user_name.json (100%)
delete mode 100644 tests/testdata/acceptance/pseudonymizer/rules_static/specific/this_is_not_a_rule.not_json
rename tests/testdata/acceptance/selective_extractor/rules/{generic/rules.json => rules_1.json} (100%)
rename tests/testdata/acceptance/selective_extractor/rules/{specific/rules.json => rules_2.json} (100%)
rename tests/testdata/auto_tests/clusterer/rules/{generic/rule_with_custom_tests.yml => rule_with_custom_tests_1.yml} (100%)
rename tests/testdata/auto_tests/clusterer/rules/{specific/rule_with_custom_tests.yml => rule_with_custom_tests_2.yml} (100%)
rename tests/testdata/auto_tests/dissector/rules/{generic => }/auto_test_match.json (100%)
rename tests/testdata/auto_tests/dissector/rules/{generic => }/auto_test_match_test.json (100%)
rename tests/testdata/auto_tests/dissector/rules/{specific => }/auto_test_mismatch.json (100%)
rename tests/testdata/auto_tests/dissector/rules/{specific => }/auto_test_mismatch_test.json (100%)
rename tests/testdata/auto_tests/dissector/rules/{specific => }/auto_test_no_test_.json (100%)
rename tests/testdata/auto_tests/dropper/rules/{generic/drop_field.json => drop_field_1.json} (100%)
rename tests/testdata/auto_tests/dropper/rules/{generic/drop_field_test.json => drop_field_1_test.json} (100%)
rename tests/testdata/auto_tests/dropper/rules/{specific/drop_field.json => drop_field_2.json} (100%)
rename tests/testdata/auto_tests/dropper/rules/{specific/drop_field_test.json => drop_field_2_test.json} (100%)
rename tests/testdata/auto_tests/labeler/rules/{generic => }/auto_test_labeling_match.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{generic => }/auto_test_labeling_match_existing.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{generic => }/auto_test_labeling_match_existing_test.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{generic => }/auto_test_labeling_match_test.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{specific => }/auto_test_labeling_mismatch.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{specific => }/auto_test_labeling_mismatch_test.json (100%)
rename tests/testdata/auto_tests/labeler/rules/{specific => }/auto_test_labeling_no_test_.json (100%)
rename tests/testdata/auto_tests/pre_detector/rules/{generic => }/auto_test_pre_detector_match.json (100%)
rename tests/testdata/auto_tests/pre_detector/rules/{generic => }/auto_test_pre_detector_match_test.json (100%)
rename tests/testdata/auto_tests/pre_detector/rules/{specific => }/auto_test_pre_detector_mismatch.json (100%)
rename tests/testdata/auto_tests/pre_detector/rules/{specific => }/auto_test_pre_detector_mismatch_test.json (100%)
rename tests/testdata/auto_tests/pre_detector/rules/{specific => }/auto_test_pre_detector_no_test_.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_dotted_list.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_dotted_list_test.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_list.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_list_escaped.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_list_escaped_test.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_list_test.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{generic => }/auto_test_pseudonymizer_match.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{generic => }/auto_test_pseudonymizer_match_test.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_mismatch.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_mismatch_test.json (100%)
rename tests/testdata/auto_tests/pseudonymizer/rules/{specific => }/auto_test_pseudonymizer_no_test_.json (100%)
rename tests/testdata/auto_tests/template_replacer/rules/{generic/template_replacer.json => template_replacer_1.json} (100%)
rename tests/testdata/auto_tests/template_replacer/rules/{generic/template_replacer_test.json => template_replacer_1_test.json} (100%)
rename tests/testdata/auto_tests/template_replacer/rules/{specific/template_replacer.json => template_replacer_2.json} (100%)
rename tests/testdata/auto_tests/template_replacer/rules/{specific/template_replacer_test.json => template_replacer_2_test.json} (100%)
rename tests/testdata/unit/amides/rules/{generic/amides_generic.yml => amides_1.yml} (100%)
rename tests/testdata/unit/amides/rules/{specific/amides_specific.yml => amides_2.yml} (100%)
rename tests/testdata/unit/calculator/{generic_rules/calculator.json => rules/calculator_1.json} (100%)
rename tests/testdata/unit/calculator/{specific_rules/calculator.json => rules/calculator_2.json} (100%)
rename tests/testdata/unit/clusterer/rules/{generic => }/rules.json (100%)
delete mode 100644 tests/testdata/unit/clusterer/rules/specific/rules.json
rename tests/testdata/unit/concatenator/rules/{generic/add_fields.json => add_fields_1.json} (100%)
rename tests/testdata/unit/concatenator/rules/{specific/add_fields.json => add_fields_2.json} (100%)
rename tests/testdata/unit/datetime_extractor/rules/{generic/datetime_extractor.json => datetime_extractor_1.json} (100%)
rename tests/testdata/unit/datetime_extractor/rules/{specific/datetime_extractor.json => datetime_extractor_2.json} (100%)
rename tests/testdata/unit/deleter/rules/{generic/generic_delete.json => delete_1.json} (100%)
rename tests/testdata/unit/deleter/rules/{specific/specific_delete.json => delete_2.json} (71%)
rename tests/testdata/unit/deleter/rules/{specific => }/delete_test.json (100%)
rename tests/testdata/unit/deleter/rules/{specific => }/test.json (100%)
rename tests/testdata/unit/dissector/{generic_rules/dissector_rule.json => rules/dissector_rule_1.json} (100%)
rename tests/testdata/unit/dissector/{specific_rules/dissector_rule.json => rules/dissector_rule_2.json} (100%)
rename tests/testdata/unit/domain_label_extractor/rules/{generic/domain_label_extractor_gen.json => domain_label_extractor_1.json} (100%)
rename tests/testdata/unit/domain_label_extractor/rules/{specific/domain_label_extractor.json => domain_label_extractor_2.json} (100%)
rename tests/testdata/unit/domain_resolver/rules/{generic/domain_resolver.yml => domain_resolver_1.yml} (100%)
rename tests/testdata/unit/domain_resolver/rules/{specific/domain_resolver.json => domain_resolver_2.json} (100%)
rename tests/testdata/unit/dropper/rules/{generic/drop_field.json => drop_field_1.json} (100%)
rename tests/testdata/unit/dropper/rules/{specific/drop_field.json => drop_field_2.json} (100%)
rename tests/testdata/unit/field_manager/{generic_rules/field_manager.json => rules/field_manager_1.json} (100%)
rename tests/testdata/unit/field_manager/{specific_rules/field_manager.json => rules/field_manager_2.json} (100%)
rename tests/testdata/unit/generic_adder/rules/{generic/rules.json => rule_1.json} (100%)
rename tests/testdata/unit/generic_adder/rules/{specific/specific_rules.json => rule_2.json} (100%)
rename tests/testdata/unit/generic_resolver/rules/{generic/rule_01.json => rule_1.json} (100%)
rename tests/testdata/unit/generic_resolver/rules/{specific/rule_01.json => rule_2.json} (100%)
rename tests/testdata/unit/geoip_enricher/rules/{generic => }/geoip_all.json (100%)
delete mode 100644 tests/testdata/unit/geoip_enricher/rules/specific/geoip_all.json
rename tests/testdata/unit/grokker/{generic_rules/rule.yml => rules/rule_1.yml} (100%)
rename tests/testdata/unit/grokker/{specific_rules/rule.yml => rules/rule_2.yml} (100%)
rename tests/testdata/unit/hyperscan_resolver/rules/{generic/rule_01.json => rule_1.json} (100%)
rename tests/testdata/unit/hyperscan_resolver/rules/{specific/rule_01.json => rule_2.json} (100%)
rename tests/testdata/unit/ip_informer/{generic/rule.json => rules/rule_1.json} (100%)
rename tests/testdata/unit/ip_informer/{specific/rule.json => rules/rule_2.json} (100%)
rename tests/testdata/unit/key_checker/{generic_rules/key_checker_rule.json => rules/key_checker_rule_1.json} (100%)
rename tests/testdata/unit/key_checker/{specific_rules/key_checker_rule.json => rules/key_checker_rule_2.json} (100%)
rename tests/testdata/unit/labeler/rules/{specific => }/first.json (100%)
rename tests/testdata/unit/labeler/rules/{generic => }/rule.json (100%)
rename tests/testdata/unit/list_comparison/rules/{generic/user_check.json => user_check_1.json} (100%)
rename tests/testdata/unit/list_comparison/rules/{specific/user_check_specific.json => user_check_2.json} (100%)
rename tests/testdata/unit/pre_detector/rules/{generic => }/pre_detect_four.yml (100%)
rename tests/testdata/unit/pre_detector/rules/{generic => }/pre_detect_one.json (100%)
rename tests/testdata/unit/pre_detector/rules/{generic => }/pre_detect_three.json (100%)
rename tests/testdata/unit/pre_detector/rules/{generic => }/pre_detect_two.json (100%)
rename tests/testdata/unit/pre_detector/rules/{generic => }/pre_detect_two_rules.json (100%)
delete mode 100644 tests/testdata/unit/pre_detector/rules/specific/pre_detect_one.json
delete mode 100644 tests/testdata/unit/pre_detector/rules/specific/pre_detect_three.json
delete mode 100644 tests/testdata/unit/pre_detector/rules/specific/pre_detect_two.json
delete mode 100644 tests/testdata/unit/pre_detector/rules/specific/pre_detect_two_rules.json
rename tests/testdata/unit/pseudonymizer/{rules => }/regex_mapping.yml (100%)
rename tests/testdata/unit/pseudonymizer/rules/{specific => }/Test123_id_789.json (100%)
rename tests/testdata/unit/pseudonymizer/rules/{specific => }/Test456_id_1234.json (100%)
rename tests/testdata/unit/pseudonymizer/rules/{generic => }/event_data_IpAddress.json (100%)
delete mode 100644 tests/testdata/unit/pseudonymizer/rules/generic/this_is_not_a_rule.not_json
rename tests/testdata/{acceptance/pseudonymizer/rules_static/generic => unit/pseudonymizer/rules}/this_is_not_a_rule.not_json (100%)
rename tests/testdata/unit/requester/{generic_rules/requester.json => rules/requester_1.json} (100%)
rename tests/testdata/unit/requester/{specific_rules/requester.json => rules/requester_2.json} (100%)
rename tests/testdata/unit/selective_extractor/rules/{generic/rules.json => rules_1.json} (100%)
rename tests/testdata/unit/selective_extractor/rules/{specific/rules.json => rules_2.json} (100%)
rename tests/testdata/unit/string_splitter/{generic/generic.json => rules/rule.json} (100%)
delete mode 100644 tests/testdata/unit/string_splitter/specific/specific.json
delete mode 100644 tests/testdata/unit/template_replacer/rules/specific/template_replacer.json
rename tests/testdata/unit/template_replacer/rules/{generic => }/template_replacer.json (100%)
rename tests/testdata/unit/timestamp_differ/{generic_rules => rules}/timestamp_differ_rule.json (100%)
delete mode 100644 tests/testdata/unit/timestamp_differ/specific_rules/timestamp_differ_rule.json
rename tests/testdata/unit/timestamper/{generic_rules => rules}/timestamper_rule.yml (65%)
delete mode 100644 tests/testdata/unit/timestamper/specific_rules/timestamper_rule.yml
create mode 100644 tests/unit/processor/key_checker/__init__.py
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 903a26ea8..a06ada075 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
* removed the configuration `tld_lists` in `domain_resolver`, `domain_label_extractor` and `pseudonymizer` as
the list is now fixed inside the packaged logprep
* remove SQL feature from `generic_adder`, fields can only be added from rule config or from file
+* use a single rule tree instead of a generic and a specific rule tree
### Features
diff --git a/README.md b/README.md
index 6d42602df..2177db99e 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ and secondly they specify how to process the message.
For example which fields should be deleted or to which IP-address the geolocation should be
retrieved.
-For performance reasons on startup all rules per processor are aggregated to a generic and a specific rule tree, respectively.
+For performance reasons on startup all rules per processor are aggregated to a rule tree.
Instead of evaluating all rules independently for each log message the message is checked against
the rule tree.
Each node in the rule tree represents a condition that has to be meet,
@@ -131,11 +131,6 @@ This configuration will lead to the prioritization of `tags` and `message` in th
}
```
-Instead of writing very specific rules that apply to single log messages, it is also possible
-to define generic rules that apply to multiple messages.
-It is possible to define a set of generic and specific rules for each processor, resulting
-in two rule trees.
-
### Connectors
Connectors are responsible for reading the input and writing the result to a desired output.
@@ -169,24 +164,20 @@ timeout: 0.1
pipeline:
- dissector:
type: dissector
- specific_rules:
+ rules:
- https://your-api/dissector/
- generic_rules:
- - rules/01_dissector/generic/
+ - rules/01_dissector/rules/
- geoip_enricher:
type: geoip_enricher
- specific_rules:
+ rules:
- https://your-api/geoip/
- generic_rules:
- - rules/02_geoip_enricher/generic/
+ - rules/02_geoip_enricher/rules/
tree_config: artifacts/tree_config.json
db_path: artifacts/GeoDB.mmdb
- dropper:
type: dropper
- specific_rules:
- - rules/03_dropper/specific/
- generic_rules:
- - rules/03_dropper/generic/
+ rules:
+ - rules/03_dropper/rules/
input:
mykafka:
@@ -213,7 +204,7 @@ output:
```
The following yaml represents a dropper rule which according to the previous configuration
-should be in the `rules/03_dropper/generic/` directory.
+should be in the `rules/03_dropper/rules/` directory.
```yaml
filter: "message"
diff --git a/doc/source/development/architecture/diagramms/pipeline.drawio b/doc/source/development/architecture/diagramms/pipeline.drawio
index 576852ac0..5fda47137 100644
--- a/doc/source/development/architecture/diagramms/pipeline.drawio
+++ b/doc/source/development/architecture/diagramms/pipeline.drawio
@@ -1,299 +1,299 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/doc/source/development/architecture/diagramms/pipeline.drawio.html b/doc/source/development/architecture/diagramms/pipeline.drawio.html
index e29358005..00467e61d 100644
--- a/doc/source/development/architecture/diagramms/pipeline.drawio.html
+++ b/doc/source/development/architecture/diagramms/pipeline.drawio.html
@@ -5,7 +5,8 @@
pipeline
-
-
+
+
+
-
\ No newline at end of file
+