Fixed bug in test_rule() of security_rules.py

[sidxparab]

Issue:

There exists an bug in the test_rule tool that causes it to fail consistently.

The tool fails because the end_time value passed to the SecOps API is invalid. SecOps doesn't make the recently ingested logs for the 'Test Rule Function'(this can verified via the UI). Hence, the API requires that the end_time be rounded down to the beginning of the current hour. However, the current implementation on line #472 uses the exact current time (datetime.now()), which the API rejects as being later than the allowed maximum.
This results in an error stating that the end_time is greater than expected.

(Attach screenshot of the error below)

Solution:

I suggest replacing the current time calculation logic with the snippet below. This code rounds the end_time down to the start of the current hour, which will satisfy the API's requirement and resolve the error.

        current_time = datetime.now(timezone.utc)
        # Buffer back to the start of the current hour
        end_time = current_time.replace(minute=0, second=0, microsecond=0)  # Rounds down to the start of current hour
        start_time = end_time - timedelta(hours=hours_back)

        logger.info(f'Rule test time range: {start_time} to {end_time} (buffered to start of current hour)')

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[mihirvala08]

Test Evidence

Tested on Cline (VS Code extension) using following prompt: Can you test SomaEntityOnlyLiveRuleProbeRule detection rule against past logs of 19 hours?