Hallo! Ik ben

Federico Calò

Sviluppatore Software | Divulgatore Tecnico

Creo applicazioni web moderne e strumenti digitali personalizzati per aiutare le attività a crescere attraverso l'innovazione tecnologica. La mia passione è unire informatica ed economia per generare valore reale.

Neem Contact Op

Over Mij

La mia passione per l'informatica è nata tra i banchi dell'Istituto Tecnico Commerciale di Maglie, dove ho scoperto il potere della programmazione e il fascino di creare soluzioni digitali. Fin da subito, ho capito che l'informatica non era solo codice, ma uno strumento straordinario per trasformare idee in realtà.

Durante gli studi superiori in Sistemi Informativi Aziendali, ho iniziato a intrecciare informatica ed economia, comprendendo come la tecnologia possa essere il motore della crescita per qualsiasi attività. Questa visione mi ha accompagnato all'Università degli Studi di Bari, dove ho conseguito la Laurea in Informatica, approfondendo le mie competenze tecniche e la mia passione per lo sviluppo software.

Oggi metto questa esperienza al servizio di imprese, professionisti e startup, creando soluzioni digitali su misura che automatizzano processi, ottimizzano risorse e aprono nuove opportunità di business. Perché la vera innovazione inizia quando la tecnologia incontra le esigenze reali delle persone.

Mijn Vaardigheden

Analisi Dati & Modelli Previsionali

Trasformo i dati in insights strategici con analisi approfondite e modelli predittivi per decisioni informate

Procesautomatisering

Creo strumenti personalizzati che automatizzano operazioni ripetitive e liberano tempo per attività a valore aggiunto

Maatwerksystemen

Sviluppo sistemi software su misura, dalle integrazioni tra piattaforme alle dashboard personalizzate

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

Mijn Missie

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Technologie Democratiseren

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

IT en Business Verenigen

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Maatwerkoplossingen Creëren

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Transformeer Uw Bedrijf met Technologie

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Laten We Praten →

Unisciti alla Community

Entra nella community di sviluppatori dove discutiamo di software, AI, architettura e DevOps. Condividi idee, fai domande e cresci insieme a noi.

Canale

FC Dev Blog

Ricevi notifiche su nuovi articoli, serie complete, tips settimanali e tool in evidenza. Contenuti bilingui IT/EN direttamente nel tuo Telegram.

Nuovi articoli appena pubblicati
Tips e code snippets settimanali
Sondaggi sugli argomenti futuri

Iscriviti al Canale

Gruppo

FC Dev Community

Una community bilingue IT/EN per sviluppatori. Discussioni, Q&A, aiuto reciproco e networking con altri professionisti del settore.

Discussioni su articoli e tecnologie
Help coding e code review
Opportunità di lavoro e collaborazione

Unisciti al Gruppo

Topic di Discussione

Visualizza

Master SQL

RoadMap.sh

Novembre 2024

Visualizza

Oracle Certified Foundations Associate

Oracle

Ottobre 2024

Visualizza

People Leadership Credential

Connect

Settembre 2024

Linguaggi & Tecnologie

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Presente

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italia · Ibrida Analisi e sviluppo di sistemi informatici attraverso l'utilizzo di Java e Quarkus in Health and Public Sector. Formazione continua su tecnologie moderne per la creazione di soluzioni software personalizzate ed efficienti e sugli agenti.

💼

06/2022 - 12/2024

Analista software e Back End Developer Associate Consultant

Links Management and Technology SpA

Esperienza nell'analisi di sistemi software as-is e flussi ETL utilizzando PowerCenter. Formazione completata su Spring Boot per lo sviluppo di applicazioni backend moderne e scalabili. Sviluppatore Backend specializzato in Spring Boot, con esperienza in progettazione di database, analisi, sviluppo e testing dei task assegnati.

💼

02/2021 - 10/2021

Programmatore software

Adesso.it (prima era WebScience srl)

Esperienza nell'analisi AS-IS e TO-BE, evoluzioni SEO ed evoluzioni website per migliorare le performance e l'engagement degli utenti.

🎓

2018 - 2025

Laurea in Informatica

Università degli Studi di Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Sistemi Informativi Aziendali

Istituto Tecnico Commerciale di Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Neem Contact Op

Heeft u een project in gedachten? Laten we praten! Vul het formulier in en ik reageer snel.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

Detectieregels testen: testen van eenheden voor beveiligingslogica

Als u applicatiecode schrijft zonder te testen, wordt u als een slechte ontwikkelaar beschouwd. Als je detectieregels schrijft zonder te testen, word je als... normaal beschouwd. Deze discrepantie culturele tussen software-engineering en beveiligingstechniek en een van de redenen waarom het aantal valse positieven bij detecties is nog steeds zo hoog: ongeteste regels inzetbaar in productie op miljoenen evenementen per dag.

De sector convergeert snel naar een rigoureuzere aanpak. Volgens Splunk is in 2025 zou 63% van de beveiligingsprofessionals Detection-as-Code willen gebruiken bij het testen systematisch, maar slechts 35% doet het ook daadwerkelijk. De kloof en een kans: wie implementeert unit-tests voor uw detectieregels zorgen voor nauwkeurigere regels, minder valse positieven, en een duurzamer onderhoudsproces.

Dit artikel bouwt een compleet unit-testframework voor Sigma-detectieregels: van het genereren van synthetische logs, tot automatisch testen met pytest, tot dekkingsanalyse om detectielacunes te identificeren, tot aan integratie in de CI/CD-pijplijn.

Wat je gaat leren

Unit-testprincipes toegepast op detectieregels
sigma-test: het speciale raamwerk voor het testen van Sigma-regels
Genereren van synthetische logboeken voor echt-positieve en vals-positieve tests
Aangepast pytest-framework voor detectieregels
Dekkingsanalyse om ATT&CK-detectielacunes te identificeren
CI/CD-integratie: kwaliteitspoort vóór implementatie

waarom detectieregels tests moeten hebben

Een detectieregel en code. Het heeft ingangen (loggebeurtenissen), logica (matchingcondities) en uitgangen (waarschuwing). Zoals elke code kan deze bugs bevatten: slechte logica, verkeerde velden, voorwaarden te breed of te smal. Maar in tegenstelling tot applicatiecode, detectiefouten regels hebben consequenties die zich langzaam manifesteren: te veel false positives veroorzaken waarschuwingen Door vermoeidheid kunnen valse negatieven aanvallers onopgemerkt blijven.

De typen tests die nodig zijn voor een detectieregel zijn:

Echte positieve test: de verwachte kwaadaardige gebeurtenis MOET de regel activeren
Vals-positieve test: Algemene legitieme gebeurtenissen mogen NIET worden geactiveerd
Edge Case-test: Varianten van kwaadaardig gedrag (verschillende coderingen, optionele parameters)
Regressietest: zorgt ervoor dat wijzigingen bestaande detecties niet verbreken
Prestatietest: verifieert dat de regel geen invloed heeft op de prestaties van de SIEM

Sigma-test: het toegewijde raamwerk

sigma-test (github.com/bradleyjkemp/sigma-test) en een gespecialiseerde tool voor het testen van Sigma-regels waarmee u testgebeurtenissen rechtstreeks kunt specificeren in het YAML-bestand van de regel, als YAML-annotaties. Deze aanpak handhaaft het testen geplaatst bij de regel, wat het onderhoud vergemakkelijkt.

# Sigma Rule con test integrati (formato sigma-test)
# File: rules/windows/t1059_001_powershell_encoded.yml

title: PowerShell Encoded Command Execution
id: 5b4f6d89-1234-4321-ab12-fedcba987654
status: stable
description: >
  Rileva esecuzione PowerShell con parametri di encoding, frequentemente
  usati da malware per offuscare payload.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Detection Team
date: 2025-01-15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
      - ' -ec '
  condition: selection
falsepositives:
  - Software legittimo enterprise che usa PowerShell con encoding
  - Script di deployment automatizzati
level: medium

# Test cases (formato sigma-test)
tests:
  - name: "TP: PowerShell con -EncodedCommand"
    should_match: true
    event:
      Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      CommandLine: 'powershell.exe -EncodedCommand SQBFAFgAKABOAGUAdAAgAC4AIAAuACkA'
      ParentImage: 'C:\Windows\System32\cmd.exe'

  - name: "TP: PowerShell con -enc (shorthand)"
    should_match: true
    event:
      Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      CommandLine: 'powershell.exe -enc SQBFAFgA'
      ParentImage: 'C:\Windows\Explorer.exe'

  - name: "TP: pwsh (PowerShell Core) con encoded"
    should_match: true
    event:
      Image: 'C:\Program Files\PowerShell\7\pwsh.exe'
      CommandLine: 'pwsh -EncodedCommand SQBFAFgA'
      ParentImage: 'C:\Windows\System32\services.exe'

  - name: "FP: PowerShell normale senza encoding"
    should_match: false
    event:
      Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      CommandLine: 'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1'
      ParentImage: 'C:\Windows\System32\svchost.exe'

  - name: "FP: PowerShell con parametro simile ma non encoding"
    should_match: false
    event:
      Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      CommandLine: 'powershell.exe Get-Content C:\scripts\encrypted-backup.zip'
      ParentImage: 'C:\Windows\System32\svchost.exe'

Om deze tests uit te voeren, vergelijkt sigma-test de testgebeurtenissen met de regellogica en controleer of de overeenkomst consistent is met should_match:

# Esecuzione sigma-test
# Installa: go install github.com/bradleyjkemp/sigma-test@latest

# Test singola regola
sigma-test rules/windows/t1059_001_powershell_encoded.yml

# Test di tutte le regole in una directory
sigma-test rules/windows/

# Output example:
# PASS rules/windows/t1059_001_powershell_encoded.yml
#   TP: PowerShell con -EncodedCommand ... PASS
#   TP: PowerShell con -enc (shorthand) ... PASS
#   TP: pwsh (PowerShell Core) con encoded ... PASS
#   FP: PowerShell normale senza encoding ... PASS
#   FP: PowerShell con parametro simile ... PASS

Pytest-framework voor geavanceerd testen

Voor complexere tests (multi-platform, echte SIEM-tests, prestatiebenchmarks), pytest biedt superieure flexibiliteit. pySigma, de officiële Python-bibliotheek voor Sigma, gebruikt pytest al als testframework voor zijn backends.

# Framework pytest per Detection Rules
# File: tests/test_detection_rules.py

import pytest
import yaml
from pathlib import Path
from sigma.rule import SigmaRule
from sigma.backends.splunk import SplunkBackend
from sigma.backends.elasticsearch import ElasticsearchQueryStringBackend
import re

RULES_DIR = Path("rules")
TESTS_DIR = Path("tests/test_data")

def load_all_rules() -> list[tuple[str, str]]:
    """Carica tutte le regole Sigma dalla directory rules/."""
    rules = []
    for rule_file in RULES_DIR.glob("**/*.yml"):
        content = rule_file.read_text()
        rules.append((str(rule_file), content))
    return rules

class SigmaRuleSimulator:
    """Simula il matching di una regola Sigma su eventi."""

    def __init__(self, rule_yaml: str):
        self.rule_dict = yaml.safe_load(rule_yaml)
        self.detection = self.rule_dict.get('detection', {})

    def matches(self, event: dict) -> bool:
        """Verifica se l'evento matcha la regola (simulazione semplificata)."""
        condition = self.detection.get('condition', '')
        selectors = {k: v for k, v in self.detection.items() if k != 'condition'}

        # Valuta ogni selettore
        selector_results = {}
        for selector_name, criteria in selectors.items():
            if selector_name.startswith('filter'):
                selector_results[selector_name] = self._eval_criteria(event, criteria)
            else:
                selector_results[selector_name] = self._eval_criteria(event, criteria)

        # Valuta la condition
        return self._eval_condition(condition, selector_results)

    def _eval_criteria(self, event: dict, criteria) -> bool:
        """Valuta un selettore contro l'evento."""
        if not isinstance(criteria, dict):
            return False

        for field, values in criteria.items():
            # Estrai nome campo e modifier
            parts = field.split('|')
            field_name = parts[0]
            modifier = parts[1] if len(parts) > 1 else 'exact'

            event_value = str(event.get(field_name, ''))

            # Controlla lista di valori (OR implicito)
            if isinstance(values, list):
                if not any(self._apply_modifier(event_value, str(v), modifier)
                           for v in values):
                    return False
            else:
                if not self._apply_modifier(event_value, str(values), modifier):
                    return False

        return True

    def _apply_modifier(self, event_val: str,
                         pattern: str, modifier: str) -> bool:
        """Applica il modifier Sigma."""
        ev = event_val.lower()
        pat = pattern.lower().replace('*', '')

        if modifier == 'contains':
            return pat in ev
        elif modifier == 'endswith':
            return ev.endswith(pat)
        elif modifier == 'startswith':
            return ev.startswith(pat)
        elif modifier == 're':
            return bool(re.search(pattern, event_val, re.IGNORECASE))
        else:  # exact
            return ev == pat

    def _eval_condition(self, condition: str,
                         results: dict[str, bool]) -> bool:
        """Valuta la condition Sigma (logica base)."""
        # Gestisce condizioni semplici comuni
        condition = condition.strip()

        # "selection" semplice
        if condition in results:
            return results[condition]

        # "selection and not filter"
        if ' and not ' in condition:
            parts = condition.split(' and not ')
            left = self._eval_condition(parts[0].strip(), results)
            right = self._eval_condition(parts[1].strip(), results)
            return left and not right

        # "selection or selection2"
        if ' or ' in condition:
            parts = condition.split(' or ')
            return any(self._eval_condition(p.strip(), results) for p in parts)

        # "selection and selection2"
        if ' and ' in condition:
            parts = condition.split(' and ')
            return all(self._eval_condition(p.strip(), results) for p in parts)

        # "not selection"
        if condition.startswith('not '):
            inner = condition[4:].strip()
            return not self._eval_condition(inner, results)

        return results.get(condition, False)

# ===== TEST CLASSES =====

class TestSigmaRuleSyntax:
    """Test sintattici: tutte le regole devono essere YAML valido."""

    @pytest.mark.parametrize("rule_path,rule_content", load_all_rules())
    def test_valid_yaml(self, rule_path: str, rule_content: str):
        """Ogni regola deve essere YAML valido e parsabile."""
        try:
            rule_dict = yaml.safe_load(rule_content)
            assert rule_dict is not None, f"YAML vuoto: {rule_path}"
        except yaml.YAMLError as e:
            pytest.fail(f"YAML invalido in {rule_path}: {e}")

    @pytest.mark.parametrize("rule_path,rule_content", load_all_rules())
    def test_required_fields(self, rule_path: str, rule_content: str):
        """Ogni regola deve avere i campi obbligatori."""
        rule_dict = yaml.safe_load(rule_content)
        required = ['title', 'description', 'logsource', 'detection']

        for field in required:
            assert field in rule_dict, \
                f"Campo '{field}' mancante in {rule_path}"

    @pytest.mark.parametrize("rule_path,rule_content", load_all_rules())
    def test_detection_has_condition(self, rule_path: str, rule_content: str):
        """Ogni regola deve avere una 'condition' in detection."""
        rule_dict = yaml.safe_load(rule_content)
        detection = rule_dict.get('detection', {})
        assert 'condition' in detection, \
            f"'condition' mancante in detection di {rule_path}"

    @pytest.mark.parametrize("rule_path,rule_content", load_all_rules())
    def test_valid_level(self, rule_path: str, rule_content: str):
        """Il level deve essere uno dei valori standard."""
        rule_dict = yaml.safe_load(rule_content)
        valid_levels = {'informational', 'low', 'medium', 'high', 'critical'}
        level = rule_dict.get('level', '')
        if level:
            assert level in valid_levels, \
                f"Level '{level}' non valido in {rule_path}"

    @pytest.mark.parametrize("rule_path,rule_content", load_all_rules())
    def test_pysigma_parseable(self, rule_path: str, rule_content: str):
        """Ogni regola deve essere parsabile da pySigma."""
        from sigma.exceptions import SigmaError
        try:
            SigmaRule.from_yaml(rule_content)
        except SigmaError as e:
            pytest.fail(f"pySigma non riesce a parsare {rule_path}: {e}")

Genereren van synthetische logboeken voor testen

Echt-positieve en fout-positieve testen vereisen realistische loggebeurtenissen. De generatie Testhandleiding verouderd, vervelend en onvolledig. Een geautomatiseerde generator produceert evenementen systematisch die alle variaties van de regel omvat.

# Generatore di Log Sintetici
# File: tests/log_generator.py

from dataclasses import dataclass
from datetime import datetime, timedelta
import random
import string
import uuid

@dataclass
class WindowsProcessEvent:
    """Evento di process_creation Windows (Sysmon Event ID 1)."""
    EventID: str = "1"
    ComputerName: str = "WORKSTATION01"
    User: str = "DOMAIN\\user"
    Image: str = "C:\\Windows\\System32\\cmd.exe"
    CommandLine: str = "cmd.exe"
    ParentImage: str = "C:\\Windows\\Explorer.exe"
    ParentCommandLine: str = "explorer.exe"
    ProcessId: str = "1234"
    ParentProcessId: str = "5678"
    MD5: str = ""
    SHA256: str = ""
    Hashes: str = ""
    UtcTime: str = ""

    def __post_init__(self):
        if not self.UtcTime:
            self.UtcTime = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S.%f")
        if not self.MD5:
            self.MD5 = ''.join(random.choices(string.hexdigits, k=32)).upper()

    def to_dict(self) -> dict:
        return {k: v for k, v in self.__dict__.items()}

class SyntheticLogGenerator:
    """Genera log sintetici per scenari di testing specifici."""

    # Template per tecniche ATT&CK comuni
    TEMPLATES = {
        'T1059.001_encoded': [
            # True Positives
            {
                'should_match': True,
                'name': 'PS encoded via cmd',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
                    CommandLine='powershell.exe -EncodedCommand SQBFAFgAKABOAGUAdAAgAC4AIAAuACkA',
                    ParentImage='C:\\Windows\\System32\\cmd.exe'
                )
            },
            {
                'should_match': True,
                'name': 'PS enc shorthand',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
                    CommandLine='powershell -ec SQBFAFgA',
                    ParentImage='C:\\Windows\\Explorer.exe'
                )
            },
            # False Positives
            {
                'should_match': False,
                'name': 'PS script normale',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
                    CommandLine='powershell.exe -ExecutionPolicy Bypass -File deploy.ps1',
                    ParentImage='C:\\Windows\\System32\\svchost.exe'
                )
            },
            {
                'should_match': False,
                'name': 'PS word encrypted (FP trap)',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
                    CommandLine='powershell.exe Get-Content C:\\backup\\encrypted.zip',
                    ParentImage='C:\\Windows\\System32\\TaskScheduler.exe'
                )
            },
        ],

        'T1003.001_lsass_dump': [
            {
                'should_match': True,
                'name': 'Procdump lsass',
                'event': WindowsProcessEvent(
                    Image='C:\\Tools\\procdump.exe',
                    CommandLine='procdump.exe -ma lsass.exe lsass_dump.dmp',
                    ParentImage='C:\\Windows\\System32\\cmd.exe'
                )
            },
            {
                'should_match': True,
                'name': 'Task Manager lsass dump',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\taskmgr.exe',
                    CommandLine='taskmgr.exe',
                    ParentImage='C:\\Windows\\Explorer.exe'
                )
            },
            {
                'should_match': False,
                'name': 'Normal lsass activity',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\lsass.exe',
                    CommandLine='lsass.exe',
                    ParentImage='C:\\Windows\\System32\\wininit.exe'
                )
            },
        ],

        'T1053.005_scheduled_task': [
            {
                'should_match': True,
                'name': 'schtasks create con cmd',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\schtasks.exe',
                    CommandLine='schtasks.exe /create /tn "Windows Update" /tr "cmd.exe /c evil.exe" /sc daily',
                    ParentImage='C:\\Windows\\System32\\cmd.exe'
                )
            },
            {
                'should_match': False,
                'name': 'schtasks query legittimo',
                'event': WindowsProcessEvent(
                    Image='C:\\Windows\\System32\\schtasks.exe',
                    CommandLine='schtasks.exe /query /fo LIST',
                    ParentImage='C:\\Windows\\System32\\svchost.exe'
                )
            },
        ]
    }

    def get_test_cases(self, technique_id: str) -> list[dict]:
        """Restituisce i test case per una tecnica ATT&CK."""
        key = technique_id.replace('.', '_').replace('T', 'T', 1)
        # Cerca per prefix (es. 'T1059_001')
        for template_key, cases in self.TEMPLATES.items():
            if template_key.startswith(key.replace('T', 'T', 1)):
                return [{
                    'should_match': c['should_match'],
                    'name': c['name'],
                    'event': c['event'].to_dict()
                } for c in cases]
        return []

    def generate_random_events(self, count: int = 100) -> list[dict]:
        """Genera eventi casuali per stress testing (tutti FP)."""
        events = []
        legitimate_processes = [
            'C:\\Windows\\System32\\cmd.exe',
            'C:\\Windows\\System32\\svchost.exe',
            'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
            'C:\\Windows\\System32\\notepad.exe',
            'C:\\Windows\\explorer.exe',
        ]
        for _ in range(count):
            events.append(WindowsProcessEvent(
                Image=random.choice(legitimate_processes),
                CommandLine=f"process.exe {''.join(random.choices(string.ascii_lowercase, k=20))}",
                ParentImage=random.choice(legitimate_processes),
                ComputerName=f"WS-{random.randint(1000, 9999)}"
            ).to_dict())
        return events

Voltooi tests met pytest

Door het testframework, de regelsimulator en de loggenerator te combineren, creëren we geparametriseerde tests die systematisch elke regel in de repository bestrijken.

# Test completi con pytest
# File: tests/test_rule_logic.py

class TestRuleLogicWithSyntheticLogs:
    """Test della logica di detection con log sintetici."""

    @pytest.fixture
    def generator(self) -> SyntheticLogGenerator:
        return SyntheticLogGenerator()

    def test_powershell_encoded_true_positives(self, generator):
        """Verifica che tutti i TP vengano rilevati."""
        rule_content = Path(
            "rules/windows/t1059_001_powershell_encoded.yml"
        ).read_text()
        simulator = SigmaRuleSimulator(rule_content)

        test_cases = generator.get_test_cases('T1059.001')
        tp_cases = [tc for tc in test_cases if tc['should_match']]

        assert len(tp_cases) > 0, "Nessun test case TP trovato"

        for tc in tp_cases:
            result = simulator.matches(tc['event'])
            assert result, \
                f"FALSE NEGATIVE: '{tc['name']}' non ha triggerato la regola\n" \
                f"Event: {tc['event']}"

    def test_powershell_encoded_false_positives(self, generator):
        """Verifica che gli eventi legittimi NON vengano rilevati."""
        rule_content = Path(
            "rules/windows/t1059_001_powershell_encoded.yml"
        ).read_text()
        simulator = SigmaRuleSimulator(rule_content)

        test_cases = generator.get_test_cases('T1059.001')
        fp_cases = [tc for tc in test_cases if not tc['should_match']]

        for tc in fp_cases:
            result = simulator.matches(tc['event'])
            assert not result, \
                f"FALSE POSITIVE: '{tc['name']}' ha triggerato la regola inaspettatamente\n" \
                f"Event: {tc['event']}"

    def test_stress_no_false_positives(self, generator):
        """Stress test: 100 eventi casuali non devono triggherare."""
        rule_content = Path(
            "rules/windows/t1059_001_powershell_encoded.yml"
        ).read_text()
        simulator = SigmaRuleSimulator(rule_content)

        random_events = generator.generate_random_events(100)
        fp_count = sum(1 for ev in random_events if simulator.matches(ev))

        # Accettiamo max 2% di false positive su eventi casuali
        fp_rate = fp_count / len(random_events)
        assert fp_rate <= 0.02, \
            f"Tasso FP troppo alto: {fp_rate:.1%} ({fp_count}/{len(random_events)})"

class TestRuleCoverage:
    """Test di coverage: ogni tecnica ATT&CK deve avere almeno una regola."""

    CRITICAL_TECHNIQUES = [
        'T1059.001',  # PowerShell
        'T1003.001',  # LSASS Dump
        'T1055',      # Process Injection
        'T1053.005',  # Scheduled Task
        'T1078',      # Valid Accounts
        'T1021.002',  # SMB/Windows Admin Shares
        'T1562.001',  # Disable Security Tools
        'T1070.004',  # File Deletion
    ]

    def test_critical_techniques_have_rules(self):
        """Verifica che tutte le tecniche critiche abbiano almeno una regola."""
        # Carica tutti i tag dalle regole
        covered_techniques = set()
        for rule_file in RULES_DIR.glob("**/*.yml"):
            content = yaml.safe_load(rule_file.read_text())
            tags = content.get('tags', [])
            for tag in tags:
                if tag.startswith('attack.t'):
                    # Converti tag.t1059.001 -> T1059.001
                    technique = tag.replace('attack.', '').upper()
                    covered_techniques.add(technique)

        uncovered = [t for t in self.CRITICAL_TECHNIQUES
                     if t not in covered_techniques]

        assert not uncovered, \
            f"Tecniche critiche senza copertura: {uncovered}"

    def test_coverage_report(self):
        """Genera report di coverage ATT&CK (informativo, non fail)."""
        covered = set()
        for rule_file in RULES_DIR.glob("**/*.yml"):
            content = yaml.safe_load(rule_file.read_text())
            for tag in content.get('tags', []):
                if tag.startswith('attack.t'):
                    covered.add(tag.replace('attack.', '').upper())

        print(f"\n=== ATT&CK Coverage Report ===")
        print(f"Tecniche coperte: {len(covered)}")
        print(f"Tecniche critiche coperte: "
              f"{len([t for t in self.CRITICAL_TECHNIQUES if t in covered])}"
              f"/{len(self.CRITICAL_TECHNIQUES)}")
        print("Dettaglio critico:")
        for tech in self.CRITICAL_TECHNIQUES:
            status = "OK" if tech in covered else "MANCANTE"
            print(f"  {tech}: {status}")

CI/CD-integratie: Quality Gate

Tests moeten automatisch worden uitgevoerd in elke Pull Request vóór de regel wordt samengevoegd met de hoofdrepository. Een defecte poort verhindert de inzet van gebrekkige regels in de productie.

# GitHub Actions CI/CD per Detection Rules
# File: .github/workflows/test-detection-rules.yml

"""
name: Detection Rules CI

on:
  pull_request:
    paths:
      - 'rules/**'
      - 'tests/**'
  push:
    branches: [main]

jobs:
  syntax-validation:
    name: Syntax Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
          cache: pip

      - name: Install dependencies
        run: |
          pip install pySigma pySigma-backend-splunk pyyaml pytest pytest-cov

      - name: Run syntax tests
        run: pytest tests/test_detection_rules.py::TestSigmaRuleSyntax -v

  logic-testing:
    name: Logic Testing
    runs-on: ubuntu-latest
    needs: syntax-validation
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
          cache: pip

      - name: Install dependencies
        run: pip install pySigma pyyaml pytest pytest-cov

      - name: Run logic tests with coverage
        run: |
          pytest tests/test_rule_logic.py -v --tb=short \
            --cov=rules --cov-report=xml --cov-report=term

      - name: Coverage gate
        run: |
          # Verifica che almeno l'80% delle regole abbia test
          python -c "
          import xml.etree.ElementTree as ET
          tree = ET.parse('coverage.xml')
          root = tree.getroot()
          rate = float(root.attrib.get('line-rate', 0))
          print(f'Coverage: {rate:.1%}')
          assert rate >= 0.8, f'Coverage {rate:.1%} sotto la soglia 80%'
          "

  sigma-test:
    name: sigma-test Inline Tests
    runs-on: ubuntu-latest
    needs: syntax-validation
    steps:
      - uses: actions/checkout@v4

      - name: Install sigma-test
        run: go install github.com/bradleyjkemp/sigma-test@latest

      - name: Run sigma-test on all rules
        run: sigma-test rules/ --exit-on-failure

  coverage-check:
    name: ATT&CK Coverage Check
    runs-on: ubuntu-latest
    needs: [syntax-validation, logic-testing]
    steps:
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Check critical technique coverage
        run: |
          pytest tests/test_rule_logic.py::TestRuleCoverage -v

  notify-on-failure:
    name: Notify on Failure
    runs-on: ubuntu-latest
    needs: [syntax-validation, logic-testing, sigma-test, coverage-check]
    if: failure()
    steps:
      - name: Notify Slack
        run: |
          curl -X POST ${{ secrets.SLACK_WEBHOOK }} \
            -H 'Content-type: application/json' \
            --data '{"text": "Detection Rule CI fallita! PR: ${{ github.event.pull_request.html_url }}"}'
"""

Dekkingsstrategie voor detectieregels

Een goede dekkingsstrategie voor detectieregels meet geen regels code, maar getest gedrag. Aanbevolen minimumdoelstellingen:

Elke regel moet minimaal 2 TP-tests en 2 FP-tests bevatten
'Hoge' en 'kritieke' regels moeten minimaal 3 TP en 3 FP hebben
100% van de ATT&CK-technieken die als "kritisch" zijn geclassificeerd, moeten dekking hebben
Stresstest (100 willekeurige gebeurtenissen) op alle regels met FP-percentage < 2%

Beperking van simulatoren: ze vervangen geen echte SIEM-testen

De Python-simulator en Sigma-test zijn uitstekende pre-validatietools, maar dat is niet zo simuleer perfect de normalisatie van de doel-SIEM-velden. Een regel die slaagt voor alle lokale tests, kan mislukken op Splunk omdat het veld wordt aangeroepen process_path in plaats van Image. Voeg altijd een test toe staging-omgeving met echte SIEM voordat deze naar productie wordt geïmplementeerd.

Conclusies en belangrijkste conclusies

Het testen van eenheden voor detectieregels is geen overhead: het is de investering die het mogelijk maakt om een opslagplaats van honderden regels bij te houden zonder dat de kwaliteit in de loop van de tijd achteruitgaat. Met het beschreven raamwerk heeft elke regel een expliciet contract van wat hij moet detecteren en wat het niet mag detecteren, automatisch gecontroleerd bij elke wijziging.

Belangrijkste afhaalrestaurants

Detectieregels zijn code: ze moeten net als elke andere code worden getest
sigma-test maakt door regels gekoloniseerde tests in native YAML-indeling mogelijk
pytest biedt flexibiliteit voor geavanceerd testen: stresstesten, dekking, parametrisering
Automatisch gegenereerde synthetische logboeken bestrijken meer gevallen dan handmatige gebeurtenissen
De CI/CD-poort voorkomt dat slechte regels in de productie worden ingezet
ATT&CK-dekking identificeert detectielacunes bij kritische technieken
Simulators vervangen het testen op een echte SIEM bij enscenering niet