feat(phase-32): add automated tests V3 for data sources, scoring, campaigns and snapshots (T-235 to T-237)

backend/tests/fixtures/sample_caldera_ability.yml

@@ -0,0 +1,44 @@
+---
+id: caldera-test-001
+name: Get System Info
+description: Collect basic system information using whoami and systeminfo commands
+tactic: discovery
+technique:
+  attack_id: T1082
+  name: System Information Discovery
+platforms:
+  windows:
+    psh:
+      command: |
+        whoami /all
+        systeminfo
+      cleanup: ""
+    cmd:
+      command: |
+        whoami
+        systeminfo
+  linux:
+    sh:
+      command: |
+        uname -a
+        cat /etc/os-release
+      cleanup: ""
+---
+id: caldera-test-002
+name: List Network Connections
+description: Enumerate active network connections and listening ports
+tactic: discovery
+technique:
+  attack_id: T1049
+  name: System Network Connections Discovery
+platforms:
+  windows:
+    psh:
+      command: |
+        Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
+      cleanup: ""
+  linux:
+    sh:
+      command: |
+        netstat -tulnp 2>/dev/null || ss -tulnp
+      cleanup: ""

backend/tests/fixtures/sample_elastic_rule.toml

@@ -0,0 +1,36 @@
+[metadata]
+creation_date = "2025/01/15"
+updated_date = "2025/06/01"
+maturity = "production"
+
+[rule]
+author = ["Test Author"]
+description = "Detects the creation of a scheduled task via schtasks.exe, which is commonly used by adversaries for persistence."
+name = "Scheduled Task Created via Schtasks"
+severity = "medium"
+type = "eql"
+language = "eql"
+query = '''
+process where process.name : "schtasks.exe" and
+  process.args : ("/create", "-create") and
+  process.args : ("/sc", "-sc") and
+  not process.parent.executable : ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*")
+'''
+risk_score = 47
+rule_id = "test-elastic-001"
+tags = ["Persistence", "Windows"]
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

backend/tests/fixtures/sample_lolbas_entry.yml

@@ -0,0 +1,26 @@
+Name: Mshta.exe
+Description: Used to execute .HTA files
+Author: Test Author
+Created: 2025-01-15
+Commands:
+  - Command: mshta.exe evilfile.hta
+    Description: Open an HTA file from disk
+    Usecase: Execute arbitrary HTA scripts
+    Category: Execute
+    Privileges: User
+    MitreID: T1218.005
+    OperatingSystem: Windows 10, Windows 11
+  - Command: mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""calc.exe"")")
+    Description: Execute VBScript via mshta
+    Usecase: Execute inline VBScript
+    Category: Execute
+    Privileges: User
+    MitreID: T1059.005
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\System32\mshta.exe
+  - Path: C:\Windows\SysWOW64\mshta.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta.yml
+Resources:
+  - Link: https://lolbas-project.github.io/#/mshta

backend/tests/fixtures/sample_sigma_rule.yml

@@ -0,0 +1,27 @@
+title: Windows PowerShell Execution Policy Bypass
+id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
+status: stable
+description: Detects attempts to bypass PowerShell execution policy
+author: Test Author
+date: 2025/01/15
+references:
+  - https://example.com/sigma-test
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    CommandLine|contains:
+      - '-ExecutionPolicy Bypass'
+      - '-ep bypass'
+      - 'Set-ExecutionPolicy Bypass'
+  condition: selection
+falsepositives:
+  - Legitimate admin scripts
+  - CI/CD pipelines
+level: high
+tags:
+  - attack.execution
+  - attack.t1059.001
+  - attack.defense_evasion
+  - attack.t1562.001

backend/tests/fixtures/sample_stix_bundle.json

@@ -0,0 +1,112 @@
+{
+  "type": "bundle",
+  "id": "bundle--test-001",
+  "spec_version": "2.0",
+  "objects": [
+    {
+      "type": "intrusion-set",
+      "id": "intrusion-set--test-apt1",
+      "name": "APT1",
+      "aliases": ["Comment Crew", "Comment Panda"],
+      "description": "APT1 is a Chinese cyber espionage group attributed to PLA Unit 61398.",
+      "first_seen": "2006-06-01T00:00:00Z",
+      "last_seen": "2023-12-31T00:00:00Z",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/groups/G0006/",
+          "external_id": "G0006"
+        },
+        {
+          "source_name": "Mandiant Report",
+          "url": "https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units",
+          "description": "Mandiant APT1 Report"
+        }
+      ],
+      "created": "2017-05-31T21:31:48.664Z",
+      "modified": "2023-03-22T03:52:18.000Z"
+    },
+    {
+      "type": "intrusion-set",
+      "id": "intrusion-set--test-apt28",
+      "name": "APT28",
+      "aliases": ["Fancy Bear", "Sofacy", "Pawn Storm"],
+      "description": "APT28 is a threat group attributed to Russia's GRU military intelligence.",
+      "first_seen": "2004-01-01T00:00:00Z",
+      "last_seen": "2024-06-30T00:00:00Z",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/groups/G0007/",
+          "external_id": "G0007"
+        }
+      ],
+      "created": "2017-05-31T21:31:48.664Z",
+      "modified": "2024-01-15T00:00:00.000Z"
+    },
+    {
+      "type": "attack-pattern",
+      "id": "attack-pattern--test-t1566",
+      "name": "Phishing",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/techniques/T1566/",
+          "external_id": "T1566"
+        }
+      ]
+    },
+    {
+      "type": "attack-pattern",
+      "id": "attack-pattern--test-t1059",
+      "name": "Command and Scripting Interpreter",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/techniques/T1059/",
+          "external_id": "T1059"
+        }
+      ]
+    },
+    {
+      "type": "attack-pattern",
+      "id": "attack-pattern--test-t1078",
+      "name": "Valid Accounts",
+      "external_references": [
+        {
+          "source_name": "mitre-attack",
+          "url": "https://attack.mitre.org/techniques/T1078/",
+          "external_id": "T1078"
+        }
+      ]
+    },
+    {
+      "type": "relationship",
+      "id": "relationship--test-r1",
+      "relationship_type": "uses",
+      "source_ref": "intrusion-set--test-apt1",
+      "target_ref": "attack-pattern--test-t1566"
+    },
+    {
+      "type": "relationship",
+      "id": "relationship--test-r2",
+      "relationship_type": "uses",
+      "source_ref": "intrusion-set--test-apt1",
+      "target_ref": "attack-pattern--test-t1059"
+    },
+    {
+      "type": "relationship",
+      "id": "relationship--test-r3",
+      "relationship_type": "uses",
+      "source_ref": "intrusion-set--test-apt28",
+      "target_ref": "attack-pattern--test-t1566"
+    },
+    {
+      "type": "relationship",
+      "id": "relationship--test-r4",
+      "relationship_type": "uses",
+      "source_ref": "intrusion-set--test-apt28",
+      "target_ref": "attack-pattern--test-t1078"
+    }
+  ]
+}