End-to-end regression test for the SDL Stormshield parser:
- test.py: single upload + 150s polling verifier
- send_burst.py: 4 varied events (different users, IPs, actions) with current timestamps
- verify_query.py: query last 15 min of stormshield events
- run_and_verify.sh: burst + 40s wait + verify
- config.example.json: template (config.json is gitignored)
- README.md: setup, run, behaviour-quirks docs

Use against a real SDL tenant after deploying parsers/stormshield. Confirms
parser='stormshield', dataSource.name='Stormshield', and the 5 OCSF rewrites
(src_endpoint.ip/port, dst_endpoint.ip/port, actor.user.name).

The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.