Casey McGinley
# Context

* As part of PEX-363, we wanted to expand integration testing to validate risk message content
* If invalid fields are referenced in the risk message, they will...

* The mappings between risk types and observable types/roles are complicated, confusing, and prone to logical errors and edge cases
* We should refactor it to be a transparent mapping...

* Similarly to how we match and validate risk objects against observables, we should do the same with threat objects

* The original version of this feature tried to validate that there was an equal amount of matched risk events for each relevant observable
* This logic was faulty, as...

* Currently, we do not enforce that observable names are unique within a single detection
* We should, as we should have no reason to repeat observables
* At the time...

* In #241 I refactored risk/notable lookups to use the oldest `orig_sid` instead of the newest
* The benefit of this is that it helps ensure we don't encounter weird...

* In `detection_abstract.py` we look for observables of type `username`
* In practice, the valid type (see `SES_OBSERVABLE_TYPE_MAPPING`) is `User Name`; `Username`/`username` is invalid and static validation does not allow...

* Alongside risk message validation we added the beginnings of some code which can match risk events against observables
* We should complete this feature

* Add stats around total test cases and unit/integration test success/failure? Maybe configurable reporting?
* Add a section to the summary called "testwise_summary" listing per-test metrics (e.g. total tests, total tests...