def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
cli_state, alert_extractor, runner, command):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
actual_ts = get_filter_value_from_json(
alert_extractor.extract.call_args[0][0], filter_index=0)
expected_ts = f"{begin_date}T00:00:00.000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
cli_state, alert_cursor_with_checkpoint, alert_extractor, runner
):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
["alerts", "search", "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
assert not filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
runner, cli_state, file_event_extractor, command):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
actual_ts = get_filter_value_from_json(
file_event_extractor.extract.call_args[0][1], filter_index=0)
expected_ts = "{}T00:00:00.000Z".format(begin_date)
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(file_event_extractor,
f.EventTimestamp._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
cli_state, runner, command, search_all_alerts_success
):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
query_dict = dict(query)
actual_ts = query_dict["groups"][0]["filters"][0]["value"]
expected_ts = f"{begin_date}T00:00:00.000000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(query, f.DateObserved._term)
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
runner, cli_state, file_event_cursor_with_checkpoint,
file_event_extractor, command):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
assert not filter_term_is_in_call_args(file_event_extractor,
f.InsertionTimestamp._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
runner, cli_state, command, search_all_file_events_success):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
query_dict = dict(query)
actual_ts = query_dict["groups"][1]["filters"][0]["value"]
expected_ts = f"{begin_date}T00:00:00.000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(query._filter_group_list,
f.EventTimestamp._term)
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
runner,
cli_state,
file_event_cursor_with_eventid_checkpoint,
command,
search_all_file_events_success,
):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
assert not filter_term_is_in_call_args(query._filter_group_list,
f.InsertionTimestamp._term)
