def test_search_and_send_to_when_given_begin_and_end_date_and_time_uses_expected_query(
runner, cli_state, command, search_all_file_events_success):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
time = "15:33:02"
runner.invoke(
cli,
[
*command, "--begin", f"{begin_date} {time}", "--end",
f"{end_date} {time}"
],
obj=cli_state,
)
query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
query_dict = dict(query)
actual_begin = query_dict["groups"][1]["filters"][0]["value"]
expected_begin = f"{begin_date}T{time}.000Z"
actual_end = query_dict["groups"][1]["filters"][1]["value"]
expected_end = f"{end_date}T{time}.000Z"
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_send_to_when_given_begin_and_end_date_and_times_uses_expected_query(
cli_state, alert_extractor, runner
):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
time = "15:33:02"
runner.invoke(
cli,
[
"alerts",
"search",
"--begin",
"{} {}".format(begin_date, time),
"--end",
"{} {}".format(end_date, time),
],
obj=cli_state,
)
filters = alert_extractor.extract.call_args[0][0]
actual_begin = get_filter_value_from_json(filters, filter_index=0)
expected_begin = "{}T{}.000Z".format(begin_date, time)
actual_end = get_filter_value_from_json(filters, filter_index=1)
expected_end = "{}T{}.000Z".format(end_date, time)
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_send_to_when_end_date_is_before_begin_date_causes_exit(cli_state, runner):
begin_date = get_test_date_str(days_ago=1)
end_date = get_test_date_str(days_ago=3)
result = runner.invoke(
cli,
["alerts", "send-to", "0.0.0.0", "--begin", begin_date, "--end", end_date],
obj=cli_state,
)
assert result.exit_code == 2
assert "'--begin': cannot be after --end date" in result.output
def test_search_when_end_date_is_before_begin_date_causes_exit(
runner, cli_state):
begin_date = get_test_date_str(days_ago=1)
end_date = get_test_date_str(days_ago=3)
result = runner.invoke(
cli,
["security-data", "search", "--begin", begin_date, "--end", end_date],
obj=cli_state,
)
assert result.exit_code == 2
assert "'--begin': cannot be after --end date" in result.output
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query(
cli_state, alert_extractor, runner, command):
begin_date = get_test_date_str(days_ago=10)
end_date = get_test_date_str(days_ago=1)
time = "15:33"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--end", f"{end_date} {time}"],
obj=cli_state,
)
actual = get_filter_value_from_json(
alert_extractor.extract.call_args[0][0], filter_index=1)
expected = f"{end_date}T{time}:00.000Z"
assert actual == expected
def test_command_when_given_begin_and_end_dates_uses_expected_query(
runner, cli_state, file_event_extractor, command):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
runner.invoke(
cli,
command,
obj=cli_state,
)
filters = file_event_extractor.extract.call_args[0][1]
actual_begin = get_filter_value_from_json(filters, filter_index=0)
expected_begin = "{}T00:00:00.000Z".format(begin_date)
actual_end = get_filter_value_from_json(filters, filter_index=1)
expected_end = "{}T23:59:59.999Z".format(end_date)
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_more_than_ninety_days_back_errors(
cli_state, runner, command):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
result = runner.invoke(cli, [*command, "--begin", begin_date],
obj=cli_state)
assert "must be within 90 days" in result.output
assert result.exit_code == 2
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query(
cli_state, runner, command, search_all_alerts_success
):
begin_date = get_test_date_str(days_ago=10)
end_date = get_test_date_str(days_ago=1)
time = "15:33"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--end", f"{end_date} {time}"],
obj=cli_state,
)
query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
query_dict = dict(query)
actual = query_dict["groups"][0]["filters"][1]["value"]
expected = f"{end_date}T{time}:00.000000Z"
assert actual == expected
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query(
cli_state, alert_extractor, runner, command
):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
runner.invoke(
cli, [*command, "--begin", begin_date, "--end", end_date], obj=cli_state,
)
filters = alert_extractor.extract.call_args[0][0]
actual_begin = get_filter_value_from_json(filters, filter_index=0)
expected_begin = "{}T00:00:00.000Z".format(begin_date)
actual_end = get_filter_value_from_json(filters, filter_index=1)
expected_end = "{}T23:59:59.999Z".format(end_date)
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_send_to_when_given_begin_date_more_than_ninety_days_back_errors(
cli_state, runner
):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
result = runner.invoke(
cli, ["alerts", "send-to", "0.0.0.0", "--begin", begin_date], obj=cli_state
)
assert "must be within 90 days" in result.output
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query(
runner, cli_state, file_event_extractor, command):
begin_date = get_test_date_str(days_ago=10)
end_date = get_test_date_str(days_ago=1)
time = "15:33"
runner.invoke(
cli,
[
*command, "--begin", begin_date, "--end", "{} {}".format(
end_date, time)
],
obj=cli_state,
)
actual = get_filter_value_from_json(
file_event_extractor.extract.call_args[0][1], filter_index=1)
expected = "{}T{}:00.000Z".format(end_date, time)
assert actual == expected
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
cli_state, alert_extractor, runner, command):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
actual_ts = get_filter_value_from_json(
alert_extractor.extract.call_args[0][0], filter_index=0)
expected_ts = f"{begin_date}T00:00:00.000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
cli_state, alert_cursor_with_checkpoint, alert_extractor, runner
):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
["alerts", "search", "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
assert not filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
runner, cli_state, file_event_extractor, command):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
actual_ts = get_filter_value_from_json(
file_event_extractor.extract.call_args[0][1], filter_index=0)
expected_ts = "{}T00:00:00.000Z".format(begin_date)
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(file_event_extractor,
f.EventTimestamp._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
runner, cli_state, command, search_all_file_events_success):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
query_dict = dict(query)
actual_ts = query_dict["groups"][1]["filters"][0]["value"]
expected_ts = f"{begin_date}T00:00:00.000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(query._filter_group_list,
f.EventTimestamp._term)
def test_search_when_given_begin_and_end_date_and_times_uses_expected_query(
cli_state, alert_extractor, runner, command):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
time = "15:33:02"
runner.invoke(
cli,
[
*command, "--begin", f"{begin_date} {time}", "--end",
f"{end_date} {time}"
],
obj=cli_state,
)
filters = alert_extractor.extract.call_args[0][0]
actual_begin = get_filter_value_from_json(filters, filter_index=0)
expected_begin = f"{begin_date}T{time}.000Z"
actual_end = get_filter_value_from_json(filters, filter_index=1)
expected_end = f"{end_date}T{time}.000Z"
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
runner, cli_state, file_event_cursor_with_checkpoint,
file_event_extractor, command):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
assert not filter_term_is_in_call_args(file_event_extractor,
f.InsertionTimestamp._term)
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query(
cli_state, runner, command, search_all_alerts_success
):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
runner.invoke(
cli, [*command, "--begin", begin_date, "--end", end_date], obj=cli_state,
)
query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
query_dict = dict(query)
actual_begin = query_dict["groups"][0]["filters"][0]["value"]
expected_begin = f"{begin_date}T00:00:00.000000Z"
actual_end = query_dict["groups"][0]["filters"][1]["value"]
expected_end = f"{end_date}T23:59:59.999999Z"
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_search_when_given_begin_date_and_time_without_seconds_uses_expected_query(
cli_state, alert_extractor, runner, command
):
date = get_test_date_str(days_ago=89)
time = "15:33"
runner.invoke(cli, [*command, "--begin", "{} {}".format(date, time)], obj=cli_state)
actual = get_filter_value_from_json(
alert_extractor.extract.call_args[0][0], filter_index=0
)
expected = "{}T{}:00.000Z".format(date, time)
assert actual == expected
def test_search_and_send_to_with_or_query_flag_produces_expected_query(
runner, cli_state, command, search_all_alerts_success
):
begin_date = get_test_date_str(days_ago=10)
test_actor = "*****@*****.**"
test_rule_type = "FedEndpointExfiltration"
runner.invoke(
cli,
[
*command,
"--or-query",
"--begin",
begin_date,
"--actor",
test_actor,
"--rule-type",
test_rule_type,
],
obj=cli_state,
)
expected_query = {
"tenantId": None,
"groupClause": "AND",
"groups": [
{
"filterClause": "AND",
"filters": [
{
"operator": "ON_OR_AFTER",
"term": "createdAt",
"value": f"{begin_date}T00:00:00.000000Z",
}
],
},
{
"filterClause": "OR",
"filters": [
{"operator": "IS", "term": "actor", "value": "*****@*****.**"},
{
"operator": "IS",
"term": "type",
"value": "FedEndpointExfiltration",
},
],
},
],
"pgNum": 0,
"pgSize": 25,
"srtDirection": "asc",
"srtKey": "CreatedAt",
}
query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
actual_query = dict(query)
assert actual_query == expected_query
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date(
cli_state, runner, command, search_all_alerts_success
):
begin_date = get_test_date_str(days_ago=1)
runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state)
query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0]
query_dict = dict(query)
actual_ts = query_dict["groups"][0]["filters"][0]["value"]
expected_ts = f"{begin_date}T00:00:00.000000Z"
assert actual_ts == expected_ts
assert filter_term_is_in_call_args(query, f.DateObserved._term)
def test_search_with_or_query_flag_produces_expected_query(runner, cli_state):
begin_date = get_test_date_str(days_ago=10)
test_actor = "*****@*****.**"
test_rule_type = "FedEndpointExfiltration"
runner.invoke(
cli,
[
"alerts",
"search",
"--or-query",
"--begin",
begin_date,
"--actor",
test_actor,
"--rule-type",
test_rule_type,
],
obj=cli_state,
)
expected_query = {
"tenantId": None,
"groupClause": "AND",
"groups": [
{
"filterClause": "AND",
"filters": [
{
"operator": "ON_OR_AFTER",
"term": "createdAt",
"value": "{}T00:00:00.000Z".format(begin_date),
}
],
},
{
"filterClause": "OR",
"filters": [
{"operator": "IS", "term": "actor", "value": "*****@*****.**"},
{
"operator": "IS",
"term": "type",
"value": "FedEndpointExfiltration",
},
],
},
],
"pgNum": 0,
"pgSize": 500,
"srtDirection": "asc",
"srtKey": "CreatedAt",
}
actual_query = json.loads(str(cli_state.sdk.alerts.search.call_args[0][0]))
assert actual_query == expected_query
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query(
runner, cli_state, file_event_extractor, command):
begin_date = get_test_date_str(days_ago=89)
end_date = get_test_date_str(days_ago=1)
runner.invoke(
cli,
[
*command,
"--begin",
get_test_date_str(days_ago=89),
"--end",
get_test_date_str(days_ago=1),
],
obj=cli_state,
)
filters = file_event_extractor.extract.call_args[0][1]
actual_begin = get_filter_value_from_json(filters, filter_index=0)
expected_begin = f"{begin_date}T00:00:00.000Z"
actual_end = get_filter_value_from_json(filters, filter_index=1)
expected_end = f"{end_date}T23:59:59.999Z"
assert actual_begin == expected_begin
assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_and_time_without_seconds_uses_expected_query(
runner, cli_state, file_event_extractor, command):
date = get_test_date_str(days_ago=89)
time = "15:33"
runner.invoke(
cli,
[*command, "--begin", f"{date} {time}"],
obj=cli_state,
)
actual = get_filter_value_from_json(
file_event_extractor.extract.call_args[0][1], filter_index=0)
expected = f"{date}T{time}:00.000Z"
assert actual == expected
def test_search_when_given_end_date_and_time_uses_expected_query(
cli_state, alert_extractor, runner
):
begin_date = get_test_date_str(days_ago=10)
end_date = get_test_date_str(days_ago=1)
time = "15:33"
runner.invoke(
cli,
[
"alerts",
"search",
"--begin",
begin_date,
"--end",
"{} {}".format(end_date, time),
],
obj=cli_state,
)
actual = get_filter_value_from_json(
alert_extractor.extract.call_args[0][0], filter_index=1
)
expected = "{}T{}:00.000Z".format(end_date, time)
assert actual == expected
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter(
runner,
cli_state,
file_event_cursor_with_eventid_checkpoint,
command,
search_all_file_events_success,
):
begin_date = get_test_date_str(days_ago=91) + " 12:51:00"
runner.invoke(
cli,
[*command, "--begin", begin_date, "--use-checkpoint", "test"],
obj=cli_state,
)
query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0]
assert not filter_term_is_in_call_args(query._filter_group_list,
f.InsertionTimestamp._term)
def test_search_with_or_query_flag_produces_expected_query(runner, cli_state):
begin_date = get_test_date_str(days_ago=10)
test_username = "******"
test_filename = "test.txt"
runner.invoke(
cli,
[
"security-data",
"search",
"--or-query",
"--begin",
begin_date,
"--c42-username",
test_username,
"--file-name",
test_filename,
],
obj=cli_state,
)
expected_query = {
"groupClause":
"AND",
"groups": [
{
"filterClause":
"AND",
"filters": [
{
"operator": "EXISTS",
"term": "exposure",
"value": None
},
{
"operator": "ON_OR_AFTER",
"term": "eventTimestamp",
"value": "{}T00:00:00.000Z".format(begin_date),
},
],
},
{
"filterClause":
"OR",
"filters": [
{
"operator": "IS",
"term": "deviceUserName",
"value": "*****@*****.**",
},
{
"operator": "IS",
"term": "fileName",
"value": "test.txt"
},
],
},
],
"pgNum":
1,
"pgSize":
10000,
"srtDir":
"asc",
"srtKey":
"insertionTimestamp",
}
actual_query = json.loads(
str(cli_state.sdk.securitydata.search_file_events.call_args[0][0]))
assert actual_query == expected_query
["security-data", "search", "--saved-search", "test_id", *arg],
obj=cli_state,
)
assert result.exit_code == 2
assert "{} can't be used with: --saved-search".format(
arg[0]) in result.output
@pytest.mark.parametrize(
"command",
(
[
"security-data",
"search",
"--begin",
get_test_date_str(days_ago=89),
"--end",
get_test_date_str(days_ago=1),
],
[
"security-data",
"send-to",
"0.0.0.0",
"--begin",
get_test_date_str(days_ago=89),
"--end",
get_test_date_str(days_ago=1),
],
),
)
def test_command_when_given_begin_and_end_dates_uses_expected_query(
