 def test_search_all_file_events_handles_escaped_quote_chars_in_token(
     self,
     connection,
     preservation_data_service,
     saved_search_service,
     storage_service_factory,
 ):
     """A page token containing escaped quotes is forwarded verbatim.

     The token is an opaque server-issued value, so the client must place it
     in the JSON request body unchanged (``json=``) instead of interpreting,
     re-escaping or string-building it into the payload.
     """
     client = SecurityDataClient(
         FileEventService(connection),
         preservation_data_service,
         saved_search_service,
         storage_service_factory,
     )
     token_with_quotes = r"1234_\"abcde\""
     client.search_all_file_events(FileEventQuery.all(), token_with_quotes)
     # Apart from pgToken, the body is whatever FileEventQuery.all() carries
     # by default (empty AND group, ascending eventId sort, 10000 page size).
     expected_body = {
         "groupClause": "AND",
         "groups": [],
         "srtDir": "asc",
         "srtKey": "eventId",
         "pgSize": 10000,
         "pgToken": token_with_quotes,
     }
     connection.post.assert_called_once_with(FILE_EVENT_URI, json=expected_body)
 def test_search_all_file_events_calls_search_with_expected_params_when_pg_token_is_passed(
     self,
     connection,
     preservation_data_service,
     saved_search_service,
     storage_service_factory,
 ):
     """Passing a page token posts it as ``pgToken`` and returns the raw response.

     ``connection.post`` is stubbed with a canned page so the test can check
     that the client hands back exactly that object (same identity, no
     copying or re-wrapping).
     """
     canned_page = {
         "totalCount": None,
         "fileEvents": None,
         "nextPgToken": "pqr",
         "problems": None,
     }
     connection.post.return_value = canned_page
     client = SecurityDataClient(
         FileEventService(connection),
         preservation_data_service,
         saved_search_service,
         storage_service_factory,
     )
     result = client.search_all_file_events(FileEventQuery.all(), "abc")
     # Apart from pgToken, the body is whatever FileEventQuery.all() carries
     # by default (empty AND group, ascending eventId sort, 10000 page size).
     expected_body = {
         "groupClause": "AND",
         "groups": [],
         "srtDir": "asc",
         "srtKey": "eventId",
         "pgSize": 10000,
         "pgToken": "abc",
     }
     connection.post.assert_called_once_with(FILE_EVENT_URI, json=expected_body)
     assert result is canned_page
 def test_search_file_events(self, connection):
     """Integration-style test: a one-day eventTimestamp range query succeeds.

     ``connection`` appears to be a real SDK client here (its
     ``securitydata.search_file_events`` is called directly and the response
     is checked with ``assert_successful_response``), not a mock.
     """
     # utcnow() yields a *naive* datetime; convert_datetime_to_epoch is
     # assumed to treat it as UTC — TODO confirm. NOTE(review):
     # datetime.utcnow() is deprecated since Python 3.12 in favour of
     # datetime.now(timezone.utc).
     range_start = datetime.utcnow() - timedelta(days=1)
     range_end = datetime.utcnow()
     timestamp_filter = EventTimestamp.in_range(
         convert_datetime_to_epoch(range_start),
         convert_datetime_to_epoch(range_end),
     )
     result = connection.securitydata.search_file_events(
         FileEventQuery.all(timestamp_filter)
     )
     assert_successful_response(result)
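 def test_search_all_file_events_when_token_is_none_succeeds(
     self,
     connection,
     preservation_data_service,
     saved_search_service,
     storage_service_factory,
 ):
     """``page_token=None`` must not raise and must still issue the search request.

     Only the fact that a request is posted is pinned here; the exact body
     for the no-token case (whether ``pgToken`` is omitted or sent as null)
     is deliberately left unconstrained.
     """
     client = SecurityDataClient(
         FileEventService(connection),
         preservation_data_service,
         saved_search_service,
         storage_service_factory,
     )
     client.search_all_file_events(FileEventQuery.all(), page_token=None)
     # Without an assertion the test would also pass if the client silently
     # skipped the request; the sibling token tests show one POST per search.
     connection.post.assert_called_once()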
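def my_command(state, username):
    """Print a user's devices and their file events from the last three days.

    Args:
        state: CLI state object exposing the authenticated SDK as ``state.sdk``.
        username: username to report on; resolved to a user UID for the device
            lookup and used as the ``DeviceUsername`` filter for events.

    Raises:
        click.ClickException: if no user matches ``username``.
    """
    # Resolve the username to a UID. An unknown username comes back with an
    # empty "users" list, which would otherwise surface as an opaque IndexError.
    user_response = state.sdk.users.get_by_username(username)
    matching_users = user_response["users"]
    if not matching_users:
        raise click.ClickException(
            "No user found with username '{}'.".format(username)
        )
    user_uid = matching_users[0]["userUid"]

    # get_all yields response pages; only the first page of computers is shown.
    device_pages = state.sdk.devices.get_all(user_uid=user_uid)
    device_columns = ["name", "active", "guid", "alertStates"]
    # reindex(columns=...) keeps the same column selection as df[[...]] but
    # does not raise KeyError when the result set is empty (json_normalize of
    # an empty list has no columns at all); missing cells become NaN.
    devices_df = pd.json_normalize(next(device_pages)["computers"]).reindex(
        columns=device_columns
    )

    # Recent file events for this user, bounded to the last three days.
    query = FileEventQuery.all(
        DeviceUsername.eq(username),
        EventTimestamp.within_the_last(EventTimestamp.THREE_DAYS),
    )
    search_results = state.sdk.securitydata.search_file_events(query)
    event_columns = [
        "eventType", "eventTimestamp", "fileName", "fileSize", "fileCategory"
    ]
    # "fileEvents" may be an empty list (or null) when nothing matched.
    events_df = pd.json_normalize(search_results["fileEvents"] or []).reindex(
        columns=event_columns
    )

    # NOTE(review): fileName values originate from endpoint activity and are
    # printed as-is; if the pager passes control characters through, a crafted
    # file name could alter terminal output — confirm whether sanitising is wanted.
    click.echo_via_pager(
        "Devices:\n{}\n\nEvents:\n{}".format(
            devices_df.to_string(index=False), events_df.to_string(index=False)
        )
    )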
 def _search_by_hash(self, checksum, checksum_type):
     """Return file events whose ``checksum_type`` filter equals ``checksum``.

     ``checksum_type`` is a query filter class exposing ``eq`` (which hash
     algorithm it represents is up to the caller). Results are sorted by
     ``eventTimestamp`` descending so the most recent sighting comes first.
     """
     hash_query = FileEventQuery.all(checksum_type.eq(checksum))
     # Newest first: callers typically care about the latest sighting of a hash.
     hash_query.sort_key = u"eventTimestamp"
     hash_query.sort_direction = u"desc"
     return self.search_file_events(hash_query)
 def _search_by_hash(self, hash, type):
     """Return file events whose ``type`` filter equals ``hash``.

     ``type`` is a query filter class exposing ``eq``; results come back in
     the query's default order (no sort key is set here). The parameter names
     shadow the ``hash`` and ``type`` builtins inside this method; they are
     kept unchanged so keyword callers keep working.
     """
     return self.search_file_events(FileEventQuery.all(type.eq(hash)))
 def to_all_query(self):
     """Build a ``FileEventQuery`` combining every collected filter via ``all``.

     ``self._filters`` are splatted into ``FileEventQuery.all``. A truthy
     ``self._pg_size`` overrides the query's default page size; ``0``/``None``
     leave the default in place.
     """
     combined_query = FileEventQuery.all(*self._filters)
     page_size_override = self._pg_size
     if page_size_override:
         combined_query.page_size = page_size_override
     return combined_query