security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

removed query var; using is_sequence method; removed integration var (#3395)

Browse Source
This commit is contained in:
Terrance DeJesus
2024-01-22 15:23:07 -05:00
committed by GitHub
parent 442435830f
commit 164b7d4028
1 changed files with 1 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_all_rules.py
+1 -5
View File
@@ -964,10 +964,6 @@ class TestRuleTiming(BaseRuleTest):
# QueryRuleData should inheritenly ignore machine learning rules
if isinstance(rule.contents.data, QueryRuleData):
rule_language = rule.contents.data.language
rule_integrations = rule.contents.metadata.get('integration')
if isinstance(rule_integrations, str):
rule_integrations = [rule_integrations]
rule_query = rule.contents.data.get('query')
has_event_ingested = rule.contents.data.get('timestamp_override') == 'event.ingested'
rule_str = self.rule_str(rule, trailer=None)
@@ -975,7 +971,7 @@ class TestRuleTiming(BaseRuleTest):
# TODO: determine if we expand this to ES|QL
# ignores any rule that does not use EQL or KQL queries specifically
# this does not avoid rule types where variants of KQL are used (e.g. new terms)
if rule_language not in ('eql', 'kuery') or "sequence" in rule_query:
if rule_language not in ('eql', 'kuery') or rule.contents.data.is_sequence:
continue
else:
errors.append(f'{rule_str} - rule must have `timestamp_override: event.ingested`')