def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
    cli_state, alert_extractor, runner, command
):
    """Without --use-checkpoint, --begin is honoured even though a cursor exists.

    Runs ``command`` with ``--begin`` set to yesterday's date and checks that
    the first filter in the query handed to the alert extractor is that date at
    midnight (``...T00:00:00.000Z``) and that a DateObserved term was used.
    """
    yesterday = get_test_date_str(days_ago=1)
    runner.invoke(cli, [*command, "--begin", yesterday], obj=cli_state)

    # The query is the first positional argument of the extract() call; the
    # helper reads the filter value at index 0 out of it.
    extract_query = alert_extractor.extract.call_args[0][0]
    observed_ts = get_filter_value_from_json(extract_query, filter_index=0)

    assert observed_ts == f"{yesterday}T00:00:00.000Z"
    assert filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
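def test_search_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
    cli_state, alert_cursor_with_checkpoint, alert_extractor, runner
):
    """With a stored checkpoint, a --begin older than 90 days adds no DateObserved filter.

    ``alert_cursor_with_checkpoint`` (per its name) supplies a stored cursor for
    the ``test`` checkpoint, so the search is expected to resume from it and
    ignore the explicit ``--begin`` value entirely.
    """
    begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
    runner.invoke(
        cli,
        ["alerts", "search", "--begin", begin_date, "--use-checkpoint", "test"],
        obj=cli_state,
    )

    # Guard against a vacuous pass: the negative assertion below only proves
    # something if the command actually reached the extractor. CliRunner
    # swallows exceptions, so a crash before extract() would otherwise look
    # like "no DateObserved filter was used".
    assert alert_extractor.extract.called

    assert not filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)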
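def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
    runner, cli_state, file_event_extractor, command
):
    """Without --use-checkpoint, --begin is honoured even though a cursor exists.

    Runs ``command`` with ``--begin`` set to yesterday's date and checks that
    the first filter in the query handed to the file-event extractor is that
    date at midnight (``...T00:00:00.000Z``) and that an EventTimestamp term
    was used.
    """
    begin_date = get_test_date_str(days_ago=1)
    runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)

    # For the file-event extractor the query is the SECOND positional argument
    # of extract() (index 1), unlike the alert extractor's index 0.
    actual_ts = get_filter_value_from_json(
        file_event_extractor.extract.call_args[0][1], filter_index=0
    )
    # f-string for consistency with the sibling tests, which all use f-strings.
    expected_ts = f"{begin_date}T00:00:00.000Z"

    assert actual_ts == expected_ts
    assert filter_term_is_in_call_args(file_event_extractor, f.EventTimestamp._term)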
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
    cli_state, runner, command, search_all_alerts_success
):
    """Without --use-checkpoint, --begin is honoured even though a cursor exists.

    This variant inspects the query object passed to the SDK's
    ``alerts.get_all_alert_details`` rather than an extractor mock. The first
    filter of the first group must be yesterday's date at midnight; note the
    microsecond precision (``.000000Z``) expected here, which differs from the
    extractor-based tests.
    """
    yesterday = get_test_date_str(days_ago=1)
    runner.invoke(cli, [*command, "--begin", yesterday], obj=cli_state)

    # First positional argument of the SDK call is the query; dict() exposes
    # its groups/filters structure for inspection.
    sdk_query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
    first_filter = dict(sdk_query)["groups"][0]["filters"][0]

    assert first_filter["value"] == f"{yesterday}T00:00:00.000000Z"
    assert filter_term_is_in_call_args(sdk_query, f.DateObserved._term)
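def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
    runner, cli_state, file_event_cursor_with_checkpoint, file_event_extractor, command
):
    """With a stored checkpoint, a --begin older than 90 days adds no InsertionTimestamp filter.

    ``file_event_cursor_with_checkpoint`` (per its name) supplies a stored
    cursor for the ``test`` checkpoint, so the search is expected to resume
    from it and ignore the explicit ``--begin`` value entirely.
    """
    begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
    runner.invoke(
        cli,
        [*command, "--begin", begin_date, "--use-checkpoint", "test"],
        obj=cli_state,
    )

    # Guard against a vacuous pass: the negative assertion below only proves
    # something if the command actually reached the extractor. CliRunner
    # swallows exceptions, so a crash before extract() would otherwise look
    # like "no InsertionTimestamp filter was used".
    assert file_event_extractor.extract.called

    assert not filter_term_is_in_call_args(
        file_event_extractor, f.InsertionTimestamp._term
    )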
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
    runner, cli_state, command, search_all_file_events_success
):
    """Without --use-checkpoint, --begin is honoured even though a cursor exists.

    This variant inspects the query object passed to the SDK's
    ``securitydata.search_all_file_events``. The first filter of the SECOND
    group (index 1) must be yesterday's date at midnight, and the query's
    filter groups must contain an EventTimestamp term.
    """
    yesterday = get_test_date_str(days_ago=1)
    runner.invoke(cli, [*command, "--begin", yesterday], obj=cli_state)

    # First positional argument of the SDK call is the query; dict() exposes
    # its groups/filters structure for inspection.
    sdk_query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
    timestamp_filter = dict(sdk_query)["groups"][1]["filters"][0]

    assert timestamp_filter["value"] == f"{yesterday}T00:00:00.000Z"
    assert filter_term_is_in_call_args(
        sdk_query._filter_group_list, f.EventTimestamp._term
    )
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
    runner, cli_state, file_event_cursor_with_eventid_checkpoint, command, search_all_file_events_success
):
    """With a stored event-id checkpoint, a --begin older than 90 days adds no InsertionTimestamp filter.

    Inspects the query object passed to the SDK's
    ``securitydata.search_all_file_events``; reading ``call_args`` also
    guarantees the search was actually issued, so the negative assertion cannot
    pass vacuously.
    """
    stale_begin = get_test_date_str(days_ago=91) + " 12:51:00"
    cli_args = [*command, "--begin", stale_begin, "--use-checkpoint", "test"]
    runner.invoke(cli, cli_args, obj=cli_state)

    sdk_query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
    uses_insertion_ts = filter_term_is_in_call_args(
        sdk_query._filter_group_list, f.InsertionTimestamp._term
    )
    assert not uses_insertion_ts