Merge pull request #3 from SecureHats/azurekid/update-test
Azurekid/update test
azurekid authored May 22, 2023
2 parents 885cfcb + 3595568 commit d30aaa9
Showing 3 changed files with 37 additions and 27 deletions.
6 changes: 5 additions & 1 deletion README.md
@@ -1,6 +1,10 @@
![logo](https://raw.githubusercontent.com/SecureHats/SecureHacks/main/media/sh-banners.png)
=========
[![Maintenance](https://img.shields.io/maintenance/yes/2023.svg?style=flat-square)]()
[![Issues](https://img.shields.io/github/issues/SecureHats/validate-detections/enhancement?color=green&label=enhancement&style=flat)](https://github.com/SecureHats/kusto-aliasvalidate-detections/issues?q=is%3Aissue+is%3Aopen+label%3A%22enhancement%22)
[![Needs Feedback](https://img.shields.io/github/issues/SecureHats/validate-detections/needs%20feedback?color=blue&label=needs%20feedback%20&style=flat)](https://github.com/SecureHats/validate-detections/issues?q=is%3Aopen+is%3Aissue+label%3A%22needs+feedback%22)
[![GitHub release (latest by date)](https://img.shields.io/github/v/release/SecureHats/validate-detections)](https://github.com/SecureHats/validate-detections/releases/latest)

# Microsoft Sentinel - Analytics Rules Validator

This GitHub action can be used to validate Microsoft Sentinel Analytics rules in both JSON and YML format.
Expand All @@ -21,7 +25,7 @@ jobs:
uses: SecureHats/validate-detections@v2
with:
filesPath: templates
logLevel: Minimal
logLevel: Normal
```
### Inputs
29 changes: 16 additions & 13 deletions analytics.tests.ps1
Expand Up @@ -275,21 +275,24 @@ Describe "Detections" {
$file,
$properties
)
$tactics = $properties.tactics
$techniques = $properties.techniques

foreach ($technique in $techniques) {
$tactics = @( $attack | Where-Object id -eq "$technique" ).tactics -split ',' | Sort-Object -Unique #2 + #1
[int]$totalTactics = $totalTactics + $tactics.count
Write-Output "Total Tactics $tactics = [$totalTactics]"
foreach ($tactic in $tactics) {
if ($tactic -in $properties.tactics) {
[int]$i = $i + $tactics.count
Write-Output "Current Count is with $tactics [$i]"
if (($techniques) -and ($tactics)) {
foreach ($technique in $techniques) {
$tactics = @( $attack | Where-Object id -eq "$technique" ).tactics -split ',' | Sort-Object -Unique #2 + #1
[int]$totalTactics = $totalTactics + $tactics.count
Write-Output "Total Tactics $tactics = [$totalTactics]"
foreach ($tactic in $tactics) {
if ($tactic -in $properties.tactics) {
[int]$i = $i + $tactics.count
Write-Output "Current Count is with $tactics [$i]"
}
}
Write-Output "$i"
if ($i -lt $totalTactics) {
$tactic | Should -BeIn $properties.tactics -Because "[$($technique)] is specified in 'techniques'"
}
}
Write-Output "$i"
if ($i -lt $totalTactics) {
$tactic | Should -BeIn $properties.tactics -Because "[$($technique)] is specified in 'techniques'"
}
}
}
Expand All @@ -306,7 +309,7 @@ Describe "Detections" {
$relevantTechnique -replace '\..*$'
}

if ($null -ne $relevantTechniques) {
if (($relevantTechniques) -and ($tactics)) {
foreach ($tactic in $tactics) {
$techniques = @( $attack | Where-Object tactics -like "*$tactic*" ).id -split ',' | Sort-Object -Descending -Unique
[int]$totalTechniques = $totalTechniques + $techniques.count
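Review bot: The new `if (($techniques) -and ($tactics))` guard at the top of the first hunk makes a rule that declares techniques but no tactics (or tactics but no techniques) skip this check and pass without any output, which a validator should probably flag rather than silently accept; an explicit expectation such as `$tactics | Should -Not -BeNullOrEmpty -Because "techniques are specified"` before the loop, or at least a `Write-Warning`, would keep the gap visible. Inside the loop `$tactics` is reassigned to the ATT&CK lookup result, overwriting the rule's own tactics read a few lines earlier; it works only because the assertion reads `$properties.tactics` directly, so a distinct name like `$attackTactics` would remove the ambiguity. `$i` and `$totalTactics` are accumulated but not reset anywhere in the hunk, so if they live in script scope they may carry over between rules — worth confirming where they are initialised, since the enclosing block starts and ends outside the hunk.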
29 changes: 16 additions & 13 deletions yaml-analytics.tests.ps1
Expand Up @@ -246,21 +246,24 @@ Describe "Detections" {
$file,
$yamlObject
)
$tactics = $yamlObject.tactics
$techniques = $yamlObject.relevantTechniques

foreach ($technique in $techniques) {
$tactics = @( $attack | Where-Object id -eq "$technique" ).tactics -split ',' | Sort-Object -Unique #2 + #1
[int]$totalTactics = $totalTactics + $tactics.count
Write-Output "Total Tactics $tactics = [$totalTactics]"
foreach ($tactic in $tactics) {
if ($tactic -in $yamlObject.tactics) {
[int]$i = $i + $tactics.count
Write-Output "Current Count is with $tactics [$i]"
if (($relevantTechniques) -and ($tactics)) {
foreach ($technique in $techniques) {
$tactics = @( $attack | Where-Object id -eq "$technique" ).tactics -split ',' | Sort-Object -Unique #2 + #1
[int]$totalTactics = $totalTactics + $tactics.count
Write-Output "Total Tactics $tactics = [$totalTactics]"
foreach ($tactic in $tactics) {
if ($tactic -in $yamlObject.tactics) {
[int]$i = $i + $tactics.count
Write-Output "Current Count is with $tactics [$i]"
}
}
Write-Output "$i"
if ($i -lt $totalTactics) {
$tactic | Should -BeIn $tactics -Because "[$($technique)] is specified in 'relevantTechniques'"
}
}
Write-Output "$i"
if ($i -lt $totalTactics) {
$tactic | Should -BeIn $yamlObject.tactics -Because "[$($technique)] is specified in 'relevantTechniques'"
}
}
}
Expand All @@ -277,7 +280,7 @@ Describe "Detections" {
$relevantTechnique -replace '\..*$'
}

if ($null -ne $relevantTechniques) {
if (($relevantTechniques) -and ($tactics)) {
foreach ($tactic in $tactics) {
$techniques = @( $attack | Where-Object tactics -like "*$tactic*" ).id -split ',' | Sort-Object -Descending -Unique
[int]$totalTechniques = $totalTechniques + $techniques.count
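Review bot: The new guard `if (($relevantTechniques) -and ($tactics))` at the start of the first hunk tests `$relevantTechniques`, but the loop that follows iterates `$techniques` (assigned from `$yamlObject.relevantTechniques` just above it), and `$relevantTechniques` is not assigned anywhere in this hunk; the sibling change in analytics.tests.ps1 guards on `$techniques` instead. If `$relevantTechniques` is unset in this scope the condition is always false and the technique-to-tactic check is skipped for every YAML rule without any failure, so the guard should read `if (($techniques) -and ($tactics)) {`. Separately, the two printed versions of the assertion differ (`Should -BeIn $tactics` vs `Should -BeIn $yamlObject.tactics`); by that point `$tactics` has been reassigned to the ATT&CK lookup result, so a comparison against `$tactics` is trivially true and only `$yamlObject.tactics` is a meaningful expectation — worth confirming that is the side that survives. The enclosing block starts and ends outside the hunk.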
