44from sigma .collection import SigmaCollection
55from sigma .exceptions import SigmaFeatureNotSupportedByBackendError
66
7+
78@pytest .fixture
89def powershell_backend ():
910 pipeline = powershell_pipeline ()
1011 return PowerShellBackend (pipeline )
1112
13+
1214def test_powershell_and_expression (powershell_backend : PowerShellBackend ):
13- assert powershell_backend .convert (
14- SigmaCollection .from_yaml ("""
15+ assert (
16+ powershell_backend .convert (
17+ SigmaCollection .from_yaml (
18+ """
1519 title: Test
1620 status: test
1721 logsource:
@@ -22,12 +26,20 @@ def test_powershell_and_expression(powershell_backend: PowerShellBackend):
2226 EventID: 4688
2327 field: value
2428 condition: selection
25- """ )
26- ) == ['Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 4688} | Read-WinEvent | Where-Object {$_.field -eq "value"}' ]
29+ """
30+ )
31+ )
32+ == [
33+ 'Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 4688} | Read-WinEvent | Where-Object {$_.field -eq "value"}'
34+ ]
35+ )
36+
2737
2838def test_powershell_or_expression (powershell_backend : PowerShellBackend ):
29- assert powershell_backend .convert (
30- SigmaCollection .from_yaml ("""
39+ assert (
40+ powershell_backend .convert (
41+ SigmaCollection .from_yaml (
42+ """
3143 title: Test
3244 status: test
3345 logsource:
@@ -41,12 +53,20 @@ def test_powershell_or_expression(powershell_backend: PowerShellBackend):
4153 selection3:
4254 fieldB: valueB
4355 condition: 1 of sel*
44- """ )
45- ) == ['Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 4688} | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldB -eq "valueB"}' ]
56+ """
57+ )
58+ )
59+ == [
60+ 'Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 4688} | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldB -eq "valueB"}'
61+ ]
62+ )
63+
4664
4765def test_powershell_and_or_expression (powershell_backend : PowerShellBackend ):
48- assert powershell_backend .convert (
49- SigmaCollection .from_yaml ("""
66+ assert (
67+ powershell_backend .convert (
68+ SigmaCollection .from_yaml (
69+ """
5070 title: Test
5171 status: test
5272 logsource:
@@ -61,12 +81,20 @@ def test_powershell_and_or_expression(powershell_backend: PowerShellBackend):
6181 - valueB1
6282 - valueB2
6383 condition: sel
64- """ )
65- ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {($_.fieldA -in ("valueA1", "valueA2")) -and ($_.fieldB -in ("valueB1", "valueB2"))}' ]
84+ """
85+ )
86+ )
87+ == [
88+ 'Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {($_.fieldA -in ("valueA1", "valueA2")) -and ($_.fieldB -in ("valueB1", "valueB2"))}'
89+ ]
90+ )
91+
6692
6793def test_powershell_or_and_expression (powershell_backend : PowerShellBackend ):
68- assert powershell_backend .convert (
69- SigmaCollection .from_yaml ("""
94+ assert (
95+ powershell_backend .convert (
96+ SigmaCollection .from_yaml (
97+ """
7098 title: Test
7199 status: test
72100 logsource:
@@ -80,18 +108,27 @@ def test_powershell_or_and_expression(powershell_backend: PowerShellBackend):
80108 fieldA: valueA2
81109 fieldB: valueB2
82110 condition: 1 of sel*
83- """ )
84- ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {($_.fieldA -eq "valueA1" -and $_.fieldB -eq "valueB1") -or ($_.fieldA -eq "valueA2" -and $_.fieldB -eq "valueB2")}' ]
111+ """
112+ )
113+ )
114+ == [
115+ 'Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {($_.fieldA -eq "valueA1" -and $_.fieldB -eq "valueB1") -or ($_.fieldA -eq "valueA2" -and $_.fieldB -eq "valueB2")}'
116+ ]
117+ )
118+
85119
86120# TODO: add test_powershell_not_expression
87121
88122# TODO: add test_powershell_not_and_expression
89123
90124# TODO: add test_powershell_and_not_expression
91125
126+
92127def test_powershell_in_expression (powershell_backend : PowerShellBackend ):
93- assert powershell_backend .convert (
94- SigmaCollection .from_yaml ("""
128+ assert (
129+ powershell_backend .convert (
130+ SigmaCollection .from_yaml (
131+ """
95132 title: Test
96133 status: test
97134 logsource:
@@ -104,15 +141,23 @@ def test_powershell_in_expression(powershell_backend: PowerShellBackend):
104141 - valueB
105142 - valueC*
106143 condition: sel
107- """ )
108- ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldA -eq "valueB" -or $_.fieldA.StartsWith("valueC")}' ]
109- # TODO:
144+ """
145+ )
146+ )
147+ == [
148+ 'Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -eq "valueA" -or $_.fieldA -eq "valueB" -or $_.fieldA.StartsWith("valueC")}'
149+ ]
150+ )
151+ # TODO:
110152 # achieve this ($_.fieldA -in ("valueA", "valueB") -or ($_.fieldA -like "valueC*")
111153 # would also involve re-writing how cidr expressions are converted
112154
155+
113156def test_powershell_regex_query (powershell_backend : PowerShellBackend ):
114- assert powershell_backend .convert (
115- SigmaCollection .from_yaml ("""
157+ assert (
158+ powershell_backend .convert (
159+ SigmaCollection .from_yaml (
160+ """
116161 title: Test
117162 status: test
118163 logsource:
@@ -123,12 +168,20 @@ def test_powershell_regex_query(powershell_backend: PowerShellBackend):
123168 fieldA|re: foo.*bar
124169 fieldB: foo
125170 condition: sel
126- """ )
127- ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -match "foo.*bar" -and $_.fieldB -eq "foo"}' ]
171+ """
172+ )
173+ )
174+ == [
175+ 'Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldA -match "foo.*bar" -and $_.fieldB -eq "foo"}'
176+ ]
177+ )
178+
128179
129180def test_powershell_cidr_query (powershell_backend : PowerShellBackend ):
130- assert powershell_backend .convert (
131- SigmaCollection .from_yaml ("""
181+ assert (
182+ powershell_backend .convert (
183+ SigmaCollection .from_yaml (
184+ """
132185 title: Test
133186 status: test
134187 logsource:
@@ -139,12 +192,20 @@ def test_powershell_cidr_query(powershell_backend: PowerShellBackend):
139192 EventID: 5156
140193 SourceAddress|cidr: 10.0.0.0/16
141194 condition: sel
142- """ )
143- ) == ['Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 5156} | Read-WinEvent | Where-Object {$_.SourceAddress.StartsWith("10.0.")}' ]
195+ """
196+ )
197+ )
198+ == [
199+ 'Get-WinEvent -FilterHashTable @{LogName = "Security"; Id = 5156} | Read-WinEvent | Where-Object {$_.SourceAddress.StartsWith("10.0.")}'
200+ ]
201+ )
202+
144203
145204def test_powershell_field_name_with_whitespace (powershell_backend : PowerShellBackend ):
146- assert powershell_backend .convert (
147- SigmaCollection .from_yaml ("""
205+ assert (
206+ powershell_backend .convert (
207+ SigmaCollection .from_yaml (
208+ """
148209 title: Test
149210 status: test
150211 logsource:
@@ -154,14 +215,21 @@ def test_powershell_field_name_with_whitespace(powershell_backend: PowerShellBac
154215 sel:
155216 field name: value
156217 condition: sel
157- """ )
158- ) == ['Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldname -eq "value"}' ]
218+ """
219+ )
220+ )
221+ == [
222+ 'Get-WinEvent -LogName "Security" | Read-WinEvent | Where-Object {$_.fieldname -eq "value"}'
223+ ]
224+ )
225+
159226
160227def test_powershell_format1_output (powershell_backend : PowerShellBackend ):
161228 """Test for output format format1."""
162229 # TODO: implement a test for the output format
163230 pass
164231
232+
165233def test_powershell_format2_output (powershell_backend : PowerShellBackend ):
166234 """Test for output format format2."""
167235 # TODO: implement a test for the output format