Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve notable validation #34

Merged
merged 22 commits into from
Oct 9, 2023
Merged

Improve notable validation #34

merged 22 commits into from
Oct 9, 2023

Conversation

pyth0n1c
Copy link
Contributor

@pyth0n1c pyth0n1c commented Jul 31, 2023
edited
Loading

The following PR ensures that the following validation takes places on observables during STATIC validation (contentctl validate):

  1. Each observable (which could appear in the message in the format $name$ or in the declaration of an observable) appears as a string in the search itself. This check occurs during the validate phase
  2. Each observable above which is called our in the format $name$ appears as a field in the results generated from executing the search. This check occurs during the test phase.

Finally, after contentctl test runs and a search is tested with data, we make sure that all the fields in the search appear, populated with values (the value of the field is not 'null') in the results of the search.

It also includes a large number of other changes:

  1. When a search references a macro or lookup, we ensure that the macro/lookups exists. If not, we throw a descriptive error.
  2. Some updates to the format of the contentctl_test.yml file to support more fine-grained control over the infrastructure tests are run against (server vs container).
  3. The ability to pass the credentials for one or more servers on the command line. This way, credentials and addresses do NOT need to be hardcoded into the configuration file.

@pyth0n1c
Create an Observable type instead
b81582a 
of having it be a dictionary.  This allows
for better validation and is more
Pythonic.  Also, validate that
only valid observables are used in
the message field of a detection and that
every observable declared is used in
the message field.
@pyth0n1c
Improve validation to check
db06257 
search as well for the
notables that we have called out.
A more thorough check will also
be done after the search runs
in contentctl test, but this static
check will likely catch most
simple issues.
@pyth0n1c
More enhancements to catch
7b3b5da 
when fields are missing after
running a search with real
data on a splunk instance.
This helps determine to
and even higher degree
if notables were declared
correctly and gives a high
degree of certainty that they
will be generated correctly
in ES.
@pyth0n1c
Fixing template detection which was
ea5c86f 
missing a notable field in the
underlying search
@pyth0n1c
Fix testEndToEndWorkflow
9e591a3 
by removing un-needed
libraries
@pyth0n1c
Fix and update poetry.lock
dc9fa25 
file
@pyth0n1c pyth0n1c added enhancement New feature or request WIP labels Jul 31, 2023
@pyth0n1c pyth0n1c mentioned this pull request Jul 31, 2023
Closed
@pyth0n1c pyth0n1c linked an issue Jul 31, 2023 that may be closed by this pull request
Validation checks improvements #33
Closed
@pyth0n1c
Fix bug where lookup folder was not generated properly in app.
081fd7a
@pyth0n1c
Do not require validation between observable
3838937 
and message fields - these should be allowed
to be independent.  Still require that all
fields called out in the message or in the
observable are present in the search. This
commit adds in the static checks.
@pyth0n1c
Significantly improved validation
816f4f7 
for macros and lookups.  Now, if we
do not find a macro or a lookup
instead of just ignoring it we will
throw an error.
@pyth0n1c
Progress on implementing --mode changes
174a0c3
@pyth0n1c
Better support for getting modified content
06dd1a4
@pyth0n1c
Proper support for contentctl test checking
1c3a8a8 
detections which have been affected by updated
macros and/or lookups, to include lookup CSV
and/or YML files.
@pyth0n1c
Improve error message
c11bf16 
by removing quotes.
@pyth0n1c
Huge number of overhauls and updates in
e0d3b23 
a number of areas centered around the
contentctl_test.yml configuration file
and underlying object.  This will support
better for testing against multiple
targets.
@pyth0n1c
Fixes to incorrect fields called for objects
8bf2d47
@pyth0n1c
Clean up container when done.
29c1848 
Don't override default test options
unless CLI arguments are actually
passed.
@pyth0n1c
Fix typo in variable name
79b7fbd
@pyth0n1c
Fix missing sid when there is an error.
32bb047
@pyth0n1c
Better support for the --num_containers command line argument. Initia…
2ef4d89 
…l support for passing the address and credentials of servers on the command line.
@pyth0n1c
Should now accept command line
b770bb5 
or environment variable environments!
@pyth0n1c
Fix so that notable validation
dba2ad8 
WORKS, but only produces
a warning message. It
is presently disabled due to
a large amount of nonconformant
content.
@pyth0n1c
Throw errors during build
90717ee 
process when an appinspect
throws any kind of
errors/warnings/failures/
manual checks.  All of these
can prevent automatic approval
in Splunkbase or deployment of
an app.
@P4T12ICK P4T12ICK mentioned this pull request Sep 15, 2023
Merged
@pyth0n1c pyth0n1c merged commit 5421566 into main Oct 9, 2023
0 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request WIP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validation checks improvements
1 participant
@pyth0n1c