From 59a10be7c8173b45cab932475e9b0cda289e8763 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 10 Jul 2024 22:41:53 +0530
Subject: [PATCH] Unit Test to validate from field in toml file (#3866)
---
 tests/test_all_rules.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 2158368c6..3a740c8ed 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -171,6 +171,22 @@ class TestValidRules(BaseRuleTest):
 f'Expected: {max_signal_standard_setup}\n\n'
 f'Actual: {rule.contents.data.setup}')
+ def test_from_filed_value(self):
+ """ Add "from" Field Validation for All Rules"""
+ failures = []
+ valid_format = re.compile(r'^now-\d+[yMwdhHms]$')
+ for rule in self.all_rules:
+ from_field = rule.contents.data.get('from_')
+ if from_field is not None:
+ if not valid_format.match(from_field):
+ err_msg = f'{self.rule_str(rule)} has invalid value {from_field}'
+ failures.append(err_msg)
+ if failures:
+ fail_msg = """
+ The following rules have invalid 'from' filed value \n
+ """
+ self.fail(fail_msg + '\n'.join(failures))
+
 class TestThreatMappings(BaseRuleTest):
 """Test threat mapping data for rules."""
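Review bot: The `from` check in `test_from_filed_value` is looser than it reads: with `match` and a `$` anchor, a value ending in a newline (for example from a multi-line TOML string) still passes, and `\d` on a `str` pattern also accepts non-ASCII digits. Since `from` sets a rule's lookback window, a malformed value that slips through here is more likely to surface as a rule that fails to load or a gap in detection coverage than as a test failure. I would tighten it to `valid_format = re.compile(r'now-[0-9]+[yMwdhHms]')` with `if not valid_format.fullmatch(from_field):`, and put `{from_field!r}` in the error message so stray whitespace is visible. The method name and failure text also misspell "field" as "filed" (`test_from_field_value`). The enclosing `TestValidRules` class starts outside the hunk, so whether `re` is already imported in this file cannot be confirmed from here.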