    def test_enrich_offense_with_events__all_events(self, mocker):
        """
        Verify that no extra WHERE clause is appended when the fetch mode is FetchMode.all_events.

        Given:
            - Fetch incidents is configured as FetchMode.all_events
        When:
            - enrich_offense_with_events builds the event fetch query
        Then:
            - perform_offense_events_enrichment receives an empty additional-query string
        """
        # Placeholder credentials: the enrichment helper is patched below, so presumably
        # no request is issued to a real QRadar instance by this test.
        qradar_client = QRadarClient("", {}, {"identifier": "*", "password": "******"})
        raw_offense = RAW_RESPONSES["fetch-incidents"]

        # Spy on the enrichment helper to capture the positional arguments it is called with.
        enrichment_spy = mocker.patch.object(
            QRadar_v2, "perform_offense_events_enrichment", return_value=raw_offense
        )
        enrich_offense_with_events(qradar_client, raw_offense, FetchMode.all_events, "", "")

        # The second positional argument is the additional WHERE query; all_events must leave it empty.
        positional_args = enrichment_spy.call_args[0]
        assert positional_args[1] == ""
    def test_enrich_offense_with_events__correlations(self, mocker):
        """
        Verify that a correlation-only WHERE clause is appended when the fetch mode is
        FetchMode.correlations_only.

        Given:
            - Fetch incidents is configured as FetchMode.correlations_only
        When:
            - enrich_offense_with_events builds the event fetch query
        Then:
            - perform_offense_events_enrichment receives the Custom Rule Engine log-source filter
        """
        # Placeholder credentials: the enrichment helper is patched below, so presumably
        # no request is issued to a real QRadar instance by this test.
        qradar_client = QRadarClient("", {}, {"identifier": "*", "password": "******"})
        raw_offense = RAW_RESPONSES["fetch-incidents"]

        # Spy on the enrichment helper to capture the positional arguments it is called with.
        enrichment_spy = mocker.patch.object(
            QRadar_v2, "perform_offense_events_enrichment", return_value=raw_offense
        )
        enrich_offense_with_events(qradar_client, raw_offense, FetchMode.correlations_only, "", "")

        # The second positional argument is the additional WHERE query; correlations_only
        # must restrict events to those produced by the Custom Rule Engine log source.
        positional_args = enrichment_spy.call_args[0]
        expected_filter = "AND LOGSOURCETYPENAME(devicetype) = 'Custom Rule Engine'"
        assert positional_args[1] == expected_filter