def test_CEF_formatter_converts_to_expected_string(self):
     """The first CEF line rendered from ``self.test_df`` matches the fixture byte-for-byte.

     NOTE(review): none of the fixture's extension values contains ``=``, ``|`` or a
     backslash, so CEF value escaping is not exercised by this case. The bare
     ``[email protected]`` token looks like a redacted ``key=value`` pair (key lost)
     — confirm against the repository before relying on this fixture.
     """
     expected_line = (
         "CEF:0|Code42|Advanced Exfiltration Detection|1|C42203|READ_BY_APP|5|externalId=0_1d71796f-af5b-4231-9d8e-df6434da4663_912339407325443353_918253081700247636_16 end=1567996943851 rt=1568069262724 filePath=/Users/testtesterson/Downloads/About Downloads.lpdf/Contents/Resources/English.lproj/ fname=InfoPlist.strings fileType=UNCATEGORIZED fsize=86 fileHash=19b92e63beb08c27ab4489fcfefbbe44 fileCreateTime=1342923569000 fileModificationTime=1355886008000 [email protected] shost=Test's MacBook Air dvchost=192.168.0.3 src=71.34.4.22 deviceExternalId=912339407325443353 suid=912338501981077099 sourceServiceName=Endpoint reason=ApplicationRead spriv=testtesterson sproc=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\n"
     )
     cef_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CEF)
     rendered = cef_formatter.get_formatted_output(self.test_df)
     first_line = next(rendered)
     assert first_line == expected_line
    def test_format_when_unknown_format_raises_CLI_error(self):
        """An unrecognised format name raises ``Code42CLIError``.

        Checked both at construction time and when ``output_format`` is
        reassigned afterwards. In the second case the output is drained with
        ``list`` so that an error raised lazily during iteration still
        surfaces inside the ``pytest.raises`` block.
        """
        bad_format = "NOT_A_FORMAT"

        with pytest.raises(Code42CLIError):
            FileEventsOutputFormatter(bad_format)

        with pytest.raises(Code42CLIError):
            json_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.JSON)
            json_formatter.output_format = bad_format
            list(json_formatter.get_formatted_output(self.test_df))
def search(
    state,
    format,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    columns,
    include_all,
    **kwargs,
):
    """Search for file events."""
    # Parameters (not in the docstring, which may double as CLI help text):
    #   state          - CLI state; state.profile.name selects the cursor store.
    #   format         - requested output format; --columns is rejected for CEF.
    #   begin, end, advanced_query, saved_search, or_query
    #                  - query inputs handed to _construct_query.
    #   use_checkpoint - checkpoint name, or falsy to run without checkpointing.
    #   columns        - explicit column selection; TABLE output gets a default
    #                    set when neither columns nor include_all is given.
    #   include_all    - show every column instead of the TABLE default set.
    #   **kwargs       - accepted for option compatibility; unused here.
    # Raises click.BadOptionUsage when --columns is combined with CEF output.
    if format == FileEventsOutputFormat.CEF and columns:
        raise click.BadOptionUsage(
            "columns", "--columns option can't be used with CEF format.")

    # TABLE output falls back to a fixed column set unless the caller asked
    # for specific columns or for everything.
    table_default_columns = [
        "fileName",
        "filePath",
        "eventType",
        "eventTimestamp",
        "fileCategory",
        "fileSize",
        "fileOwner",
        "md5Checksum",
        "sha256Checksum",
        "riskIndicators",
        "riskSeverity",
    ]
    if format == OutputFormat.TABLE and not (columns or include_all):
        columns = table_default_columns

    checkpoint = None
    checkpoint_func = None
    if use_checkpoint:
        cursor_store = _get_file_event_cursor_store(state.profile.name)
        checkpoint = _handle_timestamp_checkpoint(
            cursor_store.get(use_checkpoint), state
        )

        def checkpoint_func(event):
            # Hand the emitted event's id to the cursor store under the
            # checkpoint name so the next run can resume from it.
            cursor_store.replace(use_checkpoint, event["eventId"])

    query = _construct_query(
        state, begin, end, saved_search, advanced_query, or_query
    )
    frames = _get_all_file_events(state, query, checkpoint)
    formatter = FileEventsOutputFormatter(format, checkpoint_func=checkpoint_func)

    # Pager buffering can delay output past the point where the checkpoint has
    # already advanced, so paging is disabled whenever checkpointing is on.
    formatter.echo_formatted_dataframes(
        frames, columns=columns, force_no_pager=use_checkpoint
    )
def search(
    state,
    format,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    include_all,
    **kwargs,
):
    """Search for file events."""
    # Parameters (kept out of the docstring, which may double as CLI help):
    #   state          - CLI state; state.sdk is handed to the handler factory.
    #   format         - requested output format, also used to pick the header.
    #   begin, end, advanced_query, saved_search, or_query
    #                  - query inputs forwarded to _extract.
    #   use_checkpoint - checkpoint name, passed to _get_cursor and the handlers.
    #   include_all    - selects the default header and forces the pager.
    #   **kwargs       - forwarded verbatim to _extract.
    header_map = _create_search_header_map()
    output_header = ext.try_get_default_header(include_all, header_map, format)
    formatter = FileEventsOutputFormatter(format, output_header)

    cursor = _get_cursor(state, use_checkpoint)
    handlers = ext.create_handlers(
        state.sdk,
        FileEventExtractor,
        cursor,
        use_checkpoint,
        formatter=formatter,
        force_pager=include_all,
    )

    _extract(
        state,
        handlers,
        begin,
        end,
        or_query,
        advanced_query,
        saved_search,
        **kwargs,
    )
def send_to(
    state,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    columns,
    **kwargs,
):
    """Send events to the given server address.

    HOSTNAME format: address:port where port is optional and defaults to 514.
    """
    # Parameters (kept out of the docstring, which may double as CLI help):
    #   state          - CLI state; state.logger.info receives each row and
    #                    state.profile.name selects the cursor store.
    #   begin, end, advanced_query, saved_search, or_query
    #                  - query inputs handed to _construct_query.
    #   use_checkpoint - checkpoint name, or falsy to run without checkpointing.
    #   columns        - column selection forwarded to formatter.iter_rows.
    #   **kwargs       - accepted for option compatibility; unused here.
    checkpoint = None
    checkpoint_func = None
    if use_checkpoint:
        cursor_store = _get_file_event_cursor_store(state.profile.name)
        checkpoint = _handle_timestamp_checkpoint(
            cursor_store.get(use_checkpoint), state
        )

        def checkpoint_func(event):
            # Hand the emitted event's id to the cursor store under the
            # checkpoint name so the next run can resume from it.
            cursor_store.replace(use_checkpoint, event["eventId"])

    query = _construct_query(
        state, begin, end, saved_search, advanced_query, or_query
    )
    frames = _get_all_file_events(state, query, checkpoint)
    # No output format: rows are handed to the logger, not rendered to stdout.
    formatter = FileEventsOutputFormatter(None, checkpoint_func=checkpoint_func)

    with warn_interrupt():
        last_row = None
        for last_row in formatter.iter_rows(frames, columns=columns):
            state.logger.info(last_row)
        # last_row is only rebound when the iterator yields something.
        if last_row is None:
            click.echo("No results found.")
 def test_format_when_none_passed_defaults_to_raw_json(self):
     """Passing ``output_format=None`` selects ``FileEventsOutputFormat.RAW``."""
     default_formatter = FileEventsOutputFormatter(output_format=None)
     chosen_format = default_formatter.output_format
     assert chosen_format == FileEventsOutputFormat.RAW
 def test_init_sets_format_func_to_table_function_when_no_format_option_is_passed(
         self, mock_to_table):
     """With no format given, output is produced by the table function exactly once.

     The formatted output is an iterator, so it is drained to trigger the call.
     ``mock_to_table`` is presumably a fixture patching the table function —
     verify against the test module's fixtures.
     """
     default_formatter = FileEventsOutputFormatter(None)
     rendered = default_formatter.get_formatted_output("TEST")
     list(rendered)
     mock_to_table.assert_called_once_with("TEST", None)
 def test_init_sets_format_func_to_cef_function_when_cef_format_option_is_passed(
         self, mock_to_cef):
     """With the CEF format, each input item is handed to the CEF function once.

     The single-item input list must produce exactly one call with the item
     itself. ``mock_to_cef`` is presumably a fixture patching the CEF function —
     verify against the test module's fixtures.
     """
     cef_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CEF)
     rendered = cef_formatter.get_formatted_output(["TEST"])
     list(rendered)
     mock_to_cef.assert_called_once_with("TEST")
 def test_init_sets_format_func_to_dynamic_csv_function_when_csv_option_is_passed(
         self, mock_to_csv):
     """With the CSV format, the input is handed to the CSV function exactly once.

     The formatted output is an iterator, so it is drained to trigger the call.
     ``mock_to_csv`` is presumably a fixture patching the CSV function —
     verify against the test module's fixtures.
     """
     csv_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CSV)
     rendered = csv_formatter.get_formatted_output("TEST")
     list(rendered)
     mock_to_csv.assert_called_once_with("TEST")