def test_parse_data_offset():
    """Exercise parse_date_offset for each supported unit and for malformed input."""
    def span_of(offset_string):
        # Parse both endpoints with the module's TIME_FMT and return end - start.
        begin, end = utils.parse_date_offset(offset_string)
        begin_dt = datetime.datetime.strptime(begin, TIME_FMT)
        end_dt = datetime.datetime.strptime(end, TIME_FMT)
        return end_dt - begin_dt

    # Each accepted unit must produce a window of exactly the requested width.
    assert span_of("LAST 3 DAYS").days == 3
    assert span_of("LAST 23 MINUTES").total_seconds() == 23 * 60
    assert span_of("LAST 16 SECONDS").total_seconds() == 16

    # Input outside the "LAST <n> <unit>" grammar must be rejected with
    # ValueError instead of silently yielding some window.
    for bad_offset in ("HIMA", "FIRST 132 DAYS", "LAST 132", "LAST 132 YEARS"):
        with pytest.raises(ValueError):
            utils.parse_date_offset(bad_offset)
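def _get_alert_frame_from_ctx(start_time, end_time, ctx):
    """
    Returns a dataframe resulting from calling the Alerts API.

    :param str start_time: ISO formatted start time for the API call.
        Defaults to the ``start_time`` stored in the context, falling back
        to the start of a "LAST 2 DAYS" window when neither is available.
    :param str end_time: ISO formatted end time for the API call.
        Defaults to the ``end_time`` stored in the context, falling back
        to the end of a "LAST 2 DAYS" window when neither is available.
    :param obj ctx: The context object. Its ``client`` attribute is reused
        when set; otherwise a client is created from the context.
    :raises ValueError: If the context object is not set, since that is
        required for this operation.
    :return: A pandas DataFrame with the results of calling the Alerts API.
    """
    if not ctx:
        raise ValueError("The context is required for this operation.")

    # Reuse the client already attached to the context; build one only if absent.
    lw_client = ctx.client or client.get_client(ctx=ctx)

    # Missing endpoints are filled from the context first, then from the
    # default two-day window.
    default_start, default_end = main_utils.parse_date_offset("LAST 2 DAYS")
    start_time = start_time or ctx.get("start_time", default_start)
    end_time = end_time or ctx.get("end_time", default_end)

    return lw_client.alerts.get(start_time=start_time, end_time=end_time)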
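def parse_date_offset(offset_string, ctx=None):
    """
    Parse date offset string and return a start and end time.

    When a context is given, the parsed window is also stored on it under
    the ``start_time`` and ``end_time`` keys so later operations can reuse it.

    :param str offset_string: The offset string describing the time period,
        e.g. ``"LAST 2 DAYS"``.
    :param obj ctx: The Lacework context object, or ``None`` to skip caching.
    :raises ValueError: If not able to convert the string to dates.
    :return: A tuple with start and end time as ISO 8601 formatted strings.
    """
    start_time, end_time = utils.parse_date_offset(offset_string)
    # ``ctx`` defaults to None; without this guard the call would raise
    # AttributeError after the offset had already been parsed successfully.
    if ctx is not None:
        ctx.add("start_time", start_time)
        ctx.add("end_time", end_time)
    return start_time, end_time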
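def _get_arguments(days=0, start_time="", end_time=""):
    """
    Returns an argument dict for LQL queries.

    When ``days`` is non-zero it takes precedence: the window is derived from
    ``LAST {days} DAYS`` and both endpoints are reduced to whole-second
    precision with a trailing ``Z``. Otherwise ``start_time`` and ``end_time``
    are passed through unchanged.

    :param int days: Optional number of days from today.
    :param str start_time: Start date in an ISO format.
    :param str end_time: End date in an ISO format.
    :return: A dict with arguments that can be passed on to a LQL query API.
    """
    if days:
        # ``days`` is interpolated into the offset grammar; parse_date_offset
        # is relied on to reject anything that is not a valid "LAST n DAYS".
        start_time, end_time = utils.parse_date_offset(f"LAST {days} DAYS")

        # Drop fractional seconds (everything after the first '.') and append
        # the 'Z' suffix the query API expects.
        start_time = f"{start_time.partition('.')[0]}Z"
        end_time = f"{end_time.partition('.')[0]}Z"

    return {
        "StartTimeRange": start_time,
        "EndTimeRange": end_time,
    }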
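def get_start_and_end_time(ctx):
    """
    Return start and end time from cache.

    This function returns the currently stored start and end time
    in the cache. If either value is missing, both are replaced by the
    window for the last two days so the returned pair is always consistent.
    Fractional seconds are stripped from each value and a ``Z`` suffix appended.

    :param obj ctx: The context object; ``start_time`` and ``end_time`` are
        read from it with ``ctx.get``.
    :return: A tuple, with two strings, start and end time.
    """
    start_time = ctx.get("start_time")
    end_time = ctx.get("end_time")

    # A half-populated cache would otherwise mix a cached endpoint with a
    # default one, so both are regenerated together.
    if not (start_time and end_time):
        start_time, end_time = main_utils.parse_date_offset('LAST 2 DAYS')

    def _whole_seconds(stamp):
        # Keep everything before the first '.' and append the 'Z' suffix.
        return f"{stamp.partition('.')[0]}Z"

    return _whole_seconds(start_time), _whole_seconds(end_time)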
    def get_diff(offset_string):
        """Return end minus start, as a timedelta, for the parsed *offset_string*."""
        raw_start, raw_end = utils.parse_date_offset(offset_string)
        # Both endpoints are parsed with the module's TIME_FMT before subtracting.
        parsed = [datetime.datetime.strptime(stamp, TIME_FMT) for stamp in (raw_start, raw_end)]
        return parsed[1] - parsed[0]