Unit Test to validate from field in toml file

[shashank-elastic]

Issues

• https://github.com/elastic/detection-rules/issues/2416

Summary

• Add a unit test case to match the applicable from field data for rule(s) with date-math documentation
• From the above documentation we would be mostly interested in now-{criteria} for rule writing.
• The formats such as Add one hour or Round down to the nearest day are mostly useful in other usecases and not on prebuilt detection rules. Hence these are excluded.

Additional Context

• Validate the string with a regex to match the date-math

Testing

❯ pytest tests/test_all_rules.py::TestValidRules::test_from_filed_value
================================================================================= test session starts ==================================================================================
platform darwin -- Python 3.12.3, pytest-8.1.1, pluggy-1.4.0
rootdir: /Users/shashankks/elastic_workspace/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 1 item                                                                                                                                                                       

tests/test_all_rules.py F                                                                                                                                                        [100%]

======================================================================================= FAILURES =======================================================================================
_________________________________________________________________________ TestValidRules.test_from_filed_value _________________________________________________________________________

E           AssertionError: 
E                       The following rules have invalid 'from' filed value 
E           
E                       97aba1ef-6034-4bd3-8c1a-1e0996b27afa - Suspicious Zoom Child Process -> has invalid value now-9W
E           d563aaba-2e72-462b-8658-3e5ea22db3a6 - Privilege Escalation via Windir Environment Variable -> has invalid value never-9m
E           e707a7be-cc52-41ac-8ab3-d34b38c20005 - Potential Credential Access via Memory Dump File Creation -> has invalid value now-9Y
E           c1e79a70-fa6f-11ee-8bc8-f661ea17fbce - Attempt to Retrieve User Data from AWS EC2 Instance -> has invalid value now-m119
E           ee53d67a-5f0c-423c-a53c-8084ae562b5c - Shortcut File Written or Modified on Startup Folder -> has invalid value now-9S

tests/test_all_rules.py:188: AssertionError
=============================================================================== short test summary info ================================================================================
FAILED tests/test_all_rules.py::TestValidRules::test_from_filed_value - AssertionError: 
================================================================================== 1 failed in 46.28s ==================================================================================

• Testing after addressing Nit changes

  
  pytest tests/test_all_rules.py::TestValidRules::test_from_filed_value
  ======================================================================================================== test session starts =========================================================================================================
  platform darwin -- Python 3.12.3, pytest-8.1.1, pluggy-1.4.0
  rootdir: /Users/shashankks/elastic_workspace/detection-rules
  configfile: pyproject.toml
  plugins: typeguard-3.0.2
  collected 1 item                                                                                                                                                                                                                     

tests/test_all_rules.py F [100%]

============================================================================================================== FAILURES ============================================================================================================== ____ TestValidRules.test_from_filed_value ____

self =

def test_from_filed_value(self):
    """ Add "from" Field Validation for All Rules"""
    failures = []
    valid_format = re.compile(r'^now-\d+[yMwdhHms]$')
    for rule in self.all_rules:
        from_field = rule.contents.data.get('from_')
        if from_field is not None:
            if not valid_format.match(from_field):
                err_msg = f'{self.rule_str(rule)} has invalid value {from_field}'
                failures.append(err_msg)
    if failures:
        fail_msg = """
        The following rules have invalid 'from' filed value \n
        """

      self.fail(fail_msg + '\n'.join(failures))

E AssertionError: E The following rules have invalid 'from' filed value E
E 7e23dfef-da2c-4d64-b11d-5f285b638853 - Microsoft Management Console File from Unusual Path -> has invalid value now-9D E ee53d67a-5f0c-423c-a53c-8084ae562b5c - Shortcut File Written or Modified on Startup Folder -> has invalid value now-9S

tests/test_all_rules.py:188: AssertionError ====================================================================================================== short test summary info ======================================================================================================= FAILED tests/test_all_rules.py::TestValidRules::test_from_filed_value - AssertionError: ========================================================================================================= 1 failed in 46.32s ========================================================================================================= (.venv) ```