def test_with_wrote_files(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc", parent_process, ) wrote_file = { "file_path": "/folder/file.txt", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] wrote_file_view = upsert( graph_client, "File", FileView, "test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833", wrote_file, ) create_edge( graph_client, parent_process_view.uid, "wrote_files", wrote_file_view.uid, ) queried_process = (ProcessQuery().with_node_key( eq="test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc" ).with_process_id(eq=100).with_process_name( contains="word" ).with_created_timestamp(eq=created_timestamp).with_wrote_files( FileQuery().with_node_key( eq="test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833" ).with_file_path(eq="/folder/file.txt")).query_first(graph_client)) assert queried_process assert (queried_process.node_key == "test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc") assert queried_process.process_id == 100 assert queried_process.process_name == "word.exe" assert len(queried_process.wrote_files) == 1 assert (queried_process.wrote_files[0].node_key == "test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833") assert queried_process.wrote_files[0].file_path == "/folder/file.txt"
def test_with_bin_file(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "635952af-87f3-4a2a-a65d-3f1859db9525", parent_process, ) bin_file = { "file_path": "/folder/file.txt", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] bin_file_view = upsert( graph_client, "File", FileView, "9f16e0c9-33c0-4d18-9878-ef686373570b", bin_file, ) create_edge( graph_client, parent_process_view.uid, "bin_file", bin_file_view.uid, ) queried_process = (ProcessQuery().with_node_key( eq="635952af-87f3-4a2a-a65d-3f1859db9525" ).with_process_id(eq=100).with_process_name( contains="word").with_created_timestamp( eq=created_timestamp).with_bin_file(FileQuery().with_node_key( eq="9f16e0c9-33c0-4d18-9878-ef686373570b").with_file_path( eq="/folder/file.txt")).query_first(graph_client)) assert queried_process assert "635952af-87f3-4a2a-a65d-3f1859db9525" assert queried_process.process_id == 100 assert queried_process.process_name == "word.exe" assert queried_process.created_timestamp == created_timestamp bin_file = queried_process.bin_file assert bin_file.node_key == "9f16e0c9-33c0-4d18-9878-ef686373570b" assert bin_file.file_path == "/folder/file.txt"
def test_with_read_files(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "test_with_read_files-669a3693-d960-401c-8d29-5d669ffcd660", parent_process, ) read_file = { "file_path": "/folder/file.txt", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] read_file_view = upsert( graph_client, "File", FileView, "test_with_read_files-aa9248ec-36ee-4177-ba1a-999de735e682", read_file, ) create_edge( graph_client, parent_process_view.uid, "read_files", read_file_view.uid, ) queried_process = (ProcessQuery().with_process_id( eq=100).with_process_name(contains="word").with_created_timestamp( eq=created_timestamp).with_read_files( FileQuery().with_file_path( eq="/folder/file.txt")).query_first(graph_client)) assert queried_process assert (queried_process.node_key == "test_with_read_files-669a3693-d960-401c-8d29-5d669ffcd660") assert queried_process.process_id == 100 assert queried_process.process_name == "word.exe" assert len(queried_process.read_files) == 1 assert (queried_process.read_files[0].node_key == "test_with_read_files-aa9248ec-36ee-4177-ba1a-999de735e682") assert queried_process.read_files[0].file_path == "/folder/file.txt"
def test_process_with_created_files(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "763ddbda-8812-4a07-acfe-83402b92379d", parent_process, ) created_file = { "file_path": "/folder/file.txt", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] created_file_view = upsert( graph_client, "File", FileView, "575f103e-1a11-4650-9f1b-5b72e44dfec3", created_file, ) create_edge( graph_client, parent_process_view.uid, "created_files", created_file_view.uid, ) queried_process = ( ProcessQuery().with_node_key( eq="763ddbda-8812-4a07-acfe-83402b92379d").with_process_id( eq=100).with_process_name(contains="word"). with_created_timestamp(eq=created_timestamp).with_created_files( FileQuery().with_node_key( eq="575f103e-1a11-4650-9f1b-5b72e44dfec3").with_file_path( eq="/folder/file.txt")).query_first(graph_client)) assert queried_process assert queried_process.process_id == 100 assert len(queried_process.created_files) == 1 created_file = queried_process.created_files[0] assert created_file.file_path == "/folder/file.txt"
def test_with_deleted_files(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "test_with_deleted_files-47527d73-22c4-4e0f-bf7d-184bf1f206e2", parent_process, ) deleted_file = { "file_path": "/folder/file.txt", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] deleted_file_view = upsert( graph_client, "File", FileView, "test_with_deleted_files8b8364ea-9b47-476b-8cf0-0f724adff10f", deleted_file, ) create_edge( graph_client, parent_process_view.uid, "deleted_files", deleted_file_view.uid, ) queried_process = (ProcessQuery().with_process_id( eq=100).with_process_name(contains="word").with_created_timestamp( eq=created_timestamp).with_deleted_files( FileQuery().with_file_path( eq="/folder/file.txt")).query_first(graph_client)) assert queried_process assert queried_process.process_id == 100
def get_or_create_asset( test: unittest.TestCase, graph_client: GraphClient, node_props: AssetProps ) -> AssetView: # Introduce randomness here, because otherwise Hypothesis would generate # key collisions at the @given stage node_key = random_key_for_test(test) return upsert(graph_client, "Asset", AssetView, node_key, node_props)
def get_or_create_process_node_deprecated( graph_client: GraphClient, node_key: str, # properties process_id: str, arguments: str, created_timestamp: str, terminate_time: str, image_name: str, process_name: str, ) -> ProcessView: """ Deprecated in favor of property_view_strategy.py """ node_props: Dict[str, Property] = { "process_id": process_id, "arguments": arguments, "created_timestamp": created_timestamp, "terminate_time": terminate_time, "image_name": image_name, "process_name": process_name, } return cast( ProcessView, upsert(graph_client, "Process", ProcessView, node_key, node_props))
def get_or_create_file_node( graph_client: GraphClient, node_key, file_path: Optional[str] = None, file_extension: Optional[str] = None, file_mime_type: Optional[str] = None, file_version: Optional[str] = None, file_description: Optional[str] = None, file_product: Optional[str] = None, file_company: Optional[str] = None, file_directory: Optional[str] = None, file_hard_links: Optional[str] = None, signed: Optional[str] = None, signed_status: Optional[str] = None, md5_hash: Optional[str] = None, sha1_hash: Optional[str] = None, sha256_hash: Optional[str] = None, file_size: Optional[str] = None, file_inode: Optional[int] = None, ) -> FileView: file = { "node_key": node_key, "file_path": file_path, "file_extension": file_extension, "file_mime_type": file_mime_type, "file_size": file_size, "file_version": file_version, "file_description": file_description, "file_product": file_product, "file_company": file_company, "file_directory": file_directory, "file_inode": file_inode, "file_hard_links": file_hard_links, "signed": signed, "signed_status": signed_status, "md5_hash": md5_hash, "sha1_hash": sha1_hash, "sha256_hash": sha256_hash, } file = {k: v for (k, v) in file.items() if v is not None} return cast(FileView, upsert(graph_client, "File", FileView, node_key, file))
def test_parent_children_edge(self) -> None: # Given: a process with a pid 100 & process_name word.exe, graph_client = GraphClient() created_timestamp = int(time.time()) parent_process = { "process_id": 100, "process_name": "word.exe", "created_timestamp": created_timestamp, } # type: Dict[str, Property] parent_process_view = upsert( graph_client, "Process", ProcessView, "0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c", parent_process, ) child_process = { "process_id": 110, "process_name": "malware.exe", "created_timestamp": created_timestamp + 1000, } # type: Dict[str, Property] child_process_view = upsert( graph_client, "Process", ProcessView, "46d2862f-cb58-4062-b35e-bb310b8d5b0d", child_process, ) create_edge( graph_client, parent_process_view.uid, "children", child_process_view.uid, ) queried_process = (ProcessQuery().with_node_key( eq="0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c").with_process_id( eq=100).with_process_name( contains="word").with_created_timestamp( eq=created_timestamp).with_children( ProcessQuery().with_node_key( eq="46d2862f-cb58-4062-b35e-bb310b8d5b0d"). with_process_id(eq=110).with_process_name( eq="malware.exe").with_created_timestamp( eq=created_timestamp + 1000)).query_first(graph_client)) assert queried_process assert queried_process.node_key == "0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c" assert queried_process.process_id == 100 assert queried_process.process_name == "word.exe" assert queried_process.created_timestamp == created_timestamp assert len(queried_process.children) == 1 child = queried_process.children[0] assert child.node_key == "46d2862f-cb58-4062-b35e-bb310b8d5b0d" assert child.process_id == 110 assert child.process_name == "malware.exe" assert child.created_timestamp == created_timestamp + 1000