From 4b8896c0a15a7555e7b4298d3655ad432c6fb02d Mon Sep 17 00:00:00 2001
From: Subhobrata Dey
Date: Thu, 21 Mar 2024 20:42:47 +0000
Subject: [PATCH] fix integtests after add latest sigma rules
---
.../aws_s3_data_management_tampering.yml | 36 -------------------
.../gworkspace_application_removed.yml | 26 --------------
.../gworkspace_granted_domain_api_access.yml | 25 -------------
.../gworkspace/gworkspace_mfa_disabled.yml | 28 ---------------
.../gworkspace_role_modified_or_deleted.yml | 27 --------------
.../gworkspace_role_privilege_deleted.yml | 24 -------------
...orkspace_user_granted_admin_privileges.yml | 26 --------------
.../mapper/MapperRestApiIT.java | 2 +-
8 files changed, 1 insertion(+), 193 deletions(-)
delete mode 100644 src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_application_removed.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_granted_domain_api_access.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_mfa_disabled.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_role_modified_or_deleted.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_role_privilege_deleted.yml
delete mode 100644 src/main/resources/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml
diff --git a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml b/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
deleted file mode 100644
index 393dbbc73..000000000
--- a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: AWS S3 Data Management Tampering
-id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
-status: test
-description: Detects when a user tampers with S3 data management in Amazon Web Services.
-references:
- - https://github.com/elastic/detection-rules/pull/1145/files
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
-author: Austin Songer @austinsonger
-date: 2021/07/24
-modified: 2022/10/09
-tags:
- - attack.exfiltration
- - attack.t1537
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection:
- eventSource: s3.amazonaws.com
- eventName:
- - PutBucketLogging
- - PutBucketWebsite
- - PutEncryptionConfiguration
- - PutLifecycleConfiguration
- - PutReplicationConfiguration
- - ReplicateObject
- - RestoreObject
- condition: selection
-falsepositives:
- - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-level: low
diff --git a/src/main/resources/rules/gworkspace/gworkspace_application_removed.yml b/src/main/resources/rules/gworkspace/gworkspace_application_removed.yml
deleted file mode 100644
index 9f0a63994..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_application_removed.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Google Workspace Application Removed
-id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
-status: test
-description: Detects when an an application is removed from Google Workspace.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
-author: Austin Songer
-date: 2021/08/26
-modified: 2022/10/09
-tags:
- - attack.impact
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName:
- - REMOVE_APPLICATION
- - REMOVE_APPLICATION_FROM_WHITELIST
- condition: selection
-falsepositives:
- - Application being removed may be performed by a System Administrator.
-level: medium
diff --git a/src/main/resources/rules/gworkspace/gworkspace_granted_domain_api_access.yml b/src/main/resources/rules/gworkspace/gworkspace_granted_domain_api_access.yml
deleted file mode 100644
index ea14ab20b..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_granted_domain_api_access.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Google Workspace Granted Domain API Access
-id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
-status: test
-description: Detects when an API access service account is granted domain authority.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
-author: Austin Songer
-date: 2021/08/23
-modified: 2022/10/09
-tags:
- - attack.persistence
- - attack.t1098
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName: AUTHORIZE_API_CLIENT_ACCESS
- condition: selection
-falsepositives:
- - Unknown
-
-level: medium
diff --git a/src/main/resources/rules/gworkspace/gworkspace_mfa_disabled.yml b/src/main/resources/rules/gworkspace/gworkspace_mfa_disabled.yml
deleted file mode 100644
index f5e988115..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_mfa_disabled.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Google Workspace MFA Disabled
-id: 780601d1-6376-4f2a-884e-b8d45599f78c
-status: test
-description: Detects when multi-factor authentication (MFA) is disabled.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
-author: Austin Songer
-date: 2021/08/26
-modified: 2022/12/25
-tags:
- - attack.impact
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection_base:
- eventService: admin.googleapis.com
- eventName:
- - ENFORCE_STRONG_AUTHENTICATION
- - ALLOW_STRONG_AUTHENTICATION
- selection_eventValue:
- new_value: 'false'
- condition: all of selection*
-falsepositives:
- - MFA may be disabled and performed by a system administrator.
-level: medium
diff --git a/src/main/resources/rules/gworkspace/gworkspace_role_modified_or_deleted.yml b/src/main/resources/rules/gworkspace/gworkspace_role_modified_or_deleted.yml
deleted file mode 100644
index 73f7a484a..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_role_modified_or_deleted.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Google Workspace Role Modified or Deleted
-id: 6aef64e3-60c6-4782-8db3-8448759c714e
-status: test
-description: Detects when an a role is modified or deleted in Google Workspace.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
-author: Austin Songer
-date: 2021/08/24
-modified: 2022/10/09
-tags:
- - attack.impact
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName:
- - DELETE_ROLE
- - RENAME_ROLE
- - UPDATE_ROLE
- condition: selection
-falsepositives:
- - Unknown
-
-level: medium
diff --git a/src/main/resources/rules/gworkspace/gworkspace_role_privilege_deleted.yml b/src/main/resources/rules/gworkspace/gworkspace_role_privilege_deleted.yml
deleted file mode 100644
index 3ea2480b6..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_role_privilege_deleted.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Google Workspace Role Privilege Deleted
-id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
-status: test
-description: Detects when an a role privilege is deleted in Google Workspace.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
-author: Austin Songer
-date: 2021/08/24
-modified: 2022/10/09
-tags:
- - attack.impact
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName: REMOVE_PRIVILEGE
- condition: selection
-falsepositives:
- - Unknown
-
-level: medium
diff --git a/src/main/resources/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml b/src/main/resources/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml
deleted file mode 100644
index 08e4b4b68..000000000
--- a/src/main/resources/rules/gworkspace/gworkspace_user_granted_admin_privileges.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Google Workspace User Granted Admin Privileges
-id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-status: test
-description: Detects when an Google Workspace user is granted admin privileges.
-references:
- - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
-author: Austin Songer
-date: 2021/08/23
-modified: 2022/10/09
-tags:
- - attack.persistence
- - attack.t1098
-logsource:
- product: google_workspace
- service: google_workspace.admin
-detection:
- selection:
- eventService: admin.googleapis.com
- eventName:
- - GRANT_DELEGATED_ADMIN_PRIVILEGES
- - GRANT_ADMIN_PRIVILEGE
- condition: selection
-falsepositives:
- - Google Workspace admin role privileges, may be modified by system administrators.
-level: medium
diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
index 0eb398475..3b064f308 100644
--- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
+++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java
@@ -1775,7 +1775,7 @@ public void testCloudtrailMappings() throws IOException {
 createDetector(detector);
 List hits = executeSearch(".opensearch-sap-cloudtrail-detectors-queries-000001", matchAllSearchBody);
- Assert.assertEquals(40, hits.size());
+ Assert.assertEquals(39, hits.size());
 }
 public void testS3Mappings() throws IOException {
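Review bot: The new assertion `Assert.assertEquals(39, hits.size());` pins a bare magic number to the query count with nothing in the code saying what it counts, which is the same fragility that broke this test when rules were last imported; a comment above it such as `// one query per cloudtrail rule bundled under src/main/resources/rules/cloudtrail — update when rules are added or removed` would make the next bump deliberate rather than a guess. The drop from 40 to 39 matches the single cloudtrail rule file this commit deletes, so the count presumably tracks the bundled cloudtrail rules, though nothing in the hunk proves that, and deriving the expected value from the number of rule files on the classpath would be more robust if the harness exposes them. The six deleted gworkspace rules, including the MFA-disabled and admin-privilege-grant detections, are not reflected in any assertion here, so whether another test covers that index is not visible; since removing detection rules reduces shipped coverage, the commit message should say why they were dropped rather than only that tests were fixed. testCloudtrailMappings() begins before this hunk.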