def test_process_with_created_files(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = DgraphClient(DgraphClientStub("localhost:9080"))
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"763ddbda-8812-4a07-acfe-83402b92379d",
parent_process,
)
created_file = {
"file_path": "/folder/file.txt",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
created_file_view = upsert(
local_client,
"File",
FileView,
"575f103e-1a11-4650-9f1b-5b72e44dfec3",
created_file,
)
create_edge(
local_client,
parent_process_view.uid,
"created_files",
created_file_view.uid,
)
queried_process = (
ProcessQuery()
.with_node_key(eq="763ddbda-8812-4a07-acfe-83402b92379d")
.with_process_id(eq=100)
.with_process_name(contains="word")
.with_created_timestamp(eq=created_timestamp)
.with_created_files(
FileQuery()
.with_node_key(eq="575f103e-1a11-4650-9f1b-5b72e44dfec3")
.with_file_path(eq="/folder/file.txt")
)
.query_first(local_client)
)
assert queried_process
assert queried_process.process_id == 100
assert len(queried_process.created_files) == 1
created_file = queried_process.created_files[0]
assert created_file.file_path == "/folder/file.txt"
def test_with_wrote_files(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = MasterGraphClient()
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc",
parent_process,
)
wrote_file = {
"file_path": "/folder/file.txt",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
wrote_file_view = upsert(
local_client,
"File",
FileView,
"test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833",
wrote_file,
)
create_edge(
local_client,
parent_process_view.uid,
"wrote_files",
wrote_file_view.uid,
)
queried_process = (ProcessQuery().with_node_key(
eq="test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc"
).with_process_id(eq=100).with_process_name(
contains="word"
).with_created_timestamp(eq=created_timestamp).with_wrote_files(
FileQuery().with_node_key(
eq="test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833"
).with_file_path(eq="/folder/file.txt")).query_first(local_client))
assert queried_process
assert (queried_process.node_key ==
"test_with_wrote_files-8f0761fb-2ffe-4d4b-ab38-68e5489f56dc")
assert queried_process.process_id == 100
assert queried_process.process_name == "word.exe"
assert len(queried_process.wrote_files) == 1
assert (queried_process.wrote_files[0].node_key ==
"test_with_wrote_files-2325c49a-95b4-423f-96d0-99539fe03833")
assert queried_process.wrote_files[0].file_path == "/folder/file.txt"
def test_with_bin_file(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = MasterGraphClient()
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"635952af-87f3-4a2a-a65d-3f1859db9525",
parent_process,
)
bin_file = {
"file_path": "/folder/file.txt",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
bin_file_view = upsert(
local_client,
"File",
FileView,
"9f16e0c9-33c0-4d18-9878-ef686373570b",
bin_file,
)
create_edge(
local_client,
parent_process_view.uid,
"bin_file",
bin_file_view.uid,
)
queried_process = (ProcessQuery().with_node_key(
eq="635952af-87f3-4a2a-a65d-3f1859db9525"
).with_process_id(eq=100).with_process_name(
contains="word").with_created_timestamp(
eq=created_timestamp).with_bin_file(FileQuery().with_node_key(
eq="9f16e0c9-33c0-4d18-9878-ef686373570b").with_file_path(
eq="/folder/file.txt")).query_first(local_client))
assert queried_process
assert "635952af-87f3-4a2a-a65d-3f1859db9525"
assert queried_process.process_id == 100
assert queried_process.process_name == "word.exe"
assert queried_process.created_timestamp == created_timestamp
bin_file = queried_process.bin_file
assert bin_file.node_key == "9f16e0c9-33c0-4d18-9878-ef686373570b"
assert bin_file.file_path == "/folder/file.txt"
def test_with_read_files(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = MasterGraphClient()
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"test_with_read_files-669a3693-d960-401c-8d29-5d669ffcd660",
parent_process,
)
read_file = {
"file_path": "/folder/file.txt",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
read_file_view = upsert(
local_client,
"File",
FileView,
"test_with_read_files-aa9248ec-36ee-4177-ba1a-999de735e682",
read_file,
)
create_edge(
local_client,
parent_process_view.uid,
"read_files",
read_file_view.uid,
)
queried_process = (ProcessQuery().with_process_id(
eq=100).with_process_name(contains="word").with_created_timestamp(
eq=created_timestamp).with_read_files(
FileQuery().with_file_path(
eq="/folder/file.txt")).query_first(local_client))
assert queried_process
assert (queried_process.node_key ==
"test_with_read_files-669a3693-d960-401c-8d29-5d669ffcd660")
assert queried_process.process_id == 100
assert queried_process.process_name == "word.exe"
assert len(queried_process.read_files) == 1
assert (queried_process.read_files[0].node_key ==
"test_with_read_files-aa9248ec-36ee-4177-ba1a-999de735e682")
assert queried_process.read_files[0].file_path == "/folder/file.txt"
def test_with_deleted_files(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = DgraphClient(DgraphClientStub("localhost:9080"))
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"test_with_deleted_files-47527d73-22c4-4e0f-bf7d-184bf1f206e2",
parent_process,
)
deleted_file = {
"file_path": "/folder/file.txt",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
deleted_file_view = upsert(
local_client,
"File",
FileView,
"test_with_deleted_files8b8364ea-9b47-476b-8cf0-0f724adff10f",
deleted_file,
)
create_edge(
local_client,
parent_process_view.uid,
"deleted_files",
deleted_file_view.uid,
)
queried_process = (
ProcessQuery()
.with_process_id(eq=100)
.with_process_name(contains="word")
.with_created_timestamp(eq=created_timestamp)
.with_deleted_files(FileQuery().with_file_path(eq="/folder/file.txt"))
.query_first(local_client)
)
assert queried_process
assert queried_process.process_id == 100
def get_or_create_process_node_deprecated(
local_client: DgraphClient,
node_key: str,
# properties
process_id: str,
arguments: str,
created_timestamp: str,
terminate_time: str,
image_name: str,
process_name: str,
) -> ProcessView:
"""
Deprecated in favor of property_view_strategy.py
"""
node_props = {
"process_id": process_id,
"arguments": arguments,
"created_timestamp": created_timestamp,
"terminate_time": terminate_time,
"image_name": image_name,
"process_name": process_name,
} # type: Dict[str, Property]
return cast(
ProcessView, upsert(local_client, "Process", ProcessView, node_key, node_props)
)
def get_or_create_asset(
test: unittest.TestCase, local_client: DgraphClient, node_props: AssetProps
) -> AssetView:
node_key = node_key_for_test(test, str(node_props["node_key"]))
return cast(
AssetView, upsert(local_client, "Asset", AssetView, node_key, node_props)
)
def get_or_create_ip_address_node(
local_client: DgraphClient,
node_key: str,
first_seen_timestamp: Millis,
last_seen_timestamp: Millis,
ip_address: str,
# ip connections todo
) -> IpAddressView:
ip_addr_props = {
"first_seen_timestamp": first_seen_timestamp,
"last_seen_timestamp": last_seen_timestamp,
"ip_address": ip_address,
#'ip_connections': None
} # type: Dict[str, Property]
return cast(
IpAddressView,
upsert(
client=local_client,
type_name="IpAddress",
view_type=IpAddressView,
node_key=node_key,
node_props=ip_addr_props,
),
)
def get_or_create_file_node(
local_client: DgraphClient,
node_key,
file_path: Optional[str] = None,
file_extension: Optional[str] = None,
file_mime_type: Optional[str] = None,
file_version: Optional[str] = None,
file_description: Optional[str] = None,
file_product: Optional[str] = None,
file_company: Optional[str] = None,
file_directory: Optional[str] = None,
file_hard_links: Optional[str] = None,
signed: Optional[str] = None,
signed_status: Optional[str] = None,
md5_hash: Optional[str] = None,
sha1_hash: Optional[str] = None,
sha256_hash: Optional[str] = None,
file_size: Optional[str] = None,
file_inode: Optional[int] = None,
) -> FileView:
file = {
"node_key": node_key,
"file_path": file_path,
"file_extension": file_extension,
"file_mime_type": file_mime_type,
"file_size": file_size,
"file_version": file_version,
"file_description": file_description,
"file_product": file_product,
"file_company": file_company,
"file_directory": file_directory,
"file_inode": file_inode,
"file_hard_links": file_hard_links,
"signed": signed,
"signed_status": signed_status,
"md5_hash": md5_hash,
"sha1_hash": sha1_hash,
"sha256_hash": sha256_hash,
}
file = {k: v for (k, v) in file.items() if v is not None}
return cast(FileView, upsert(local_client, "File", FileView, node_key,
file))
def test_parent_children_edge(self) -> None:
# Given: a process with a pid 100 & process_name word.exe,
local_client = DgraphClient(DgraphClientStub("localhost:9080"))
created_timestamp = int(time.time())
parent_process = {
"process_id": 100,
"process_name": "word.exe",
"created_timestamp": created_timestamp,
} # type: Dict[str, Property]
parent_process_view = upsert(
local_client,
"Process",
ProcessView,
"0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c",
parent_process,
)
child_process = {
"process_id": 110,
"process_name": "malware.exe",
"created_timestamp": created_timestamp + 1000,
} # type: Dict[str, Property]
child_process_view = upsert(
local_client,
"Process",
ProcessView,
"46d2862f-cb58-4062-b35e-bb310b8d5b0d",
child_process,
)
create_edge(
local_client, parent_process_view.uid, "children", child_process_view.uid,
)
queried_process = (
ProcessQuery()
.with_node_key(eq="0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c")
.with_process_id(eq=100)
.with_process_name(contains="word")
.with_created_timestamp(eq=created_timestamp)
.with_children(
ProcessQuery()
.with_node_key(eq="46d2862f-cb58-4062-b35e-bb310b8d5b0d")
.with_process_id(eq=110)
.with_process_name(eq="malware.exe")
.with_created_timestamp(eq=created_timestamp + 1000)
)
.query_first(local_client)
)
assert queried_process
assert queried_process.node_key == "0e84f2ce-f711-46ce-bc9e-1b13c9ba6d6c"
assert queried_process.process_id == 100
assert queried_process.process_name == "word.exe"
assert queried_process.created_timestamp == created_timestamp
assert len(queried_process.children) == 1
child = queried_process.children[0]
assert child.node_key == "46d2862f-cb58-4062-b35e-bb310b8d5b0d"
assert child.process_id == 110
assert child.process_name == "malware.exe"
assert child.created_timestamp == created_timestamp + 1000
def get_or_create_process(test: unittest.TestCase, local_client: DgraphClient,
node_props: ProcessProps) -> ProcessView:
node_key = node_key_for_test(test, str(node_props["node_key"]))
return cast(
ProcessView,
upsert(local_client, "Process", ProcessView, node_key, node_props))
