def get_queries(self) -> OneOrMany[IpcQuery]:
    """Return the IPC query this analyzer evaluates against the graph.

    The query selects IPC edges whose creator process was started from a
    binary that is *not* one of the listed ssh client paths, and whose
    recipient process carries the ``ssh-agent`` / ``sshd`` name filters.
    """
    query = IpcQuery()

    # Binaries that legitimately talk to the agent.  Each path is wrapped in
    # Not(), so the bin-file filter is meant to pass every other path.
    # NOTE(review): this assumes the builder combines a list of Not() values
    # as a conjunction ("none of these"); confirm against FileQuery's
    # eq= semantics, since an OR of negations would match any path.
    known_ssh_clients = [
        Not("/usr/bin/ssh-add"),
        Not("/bin/ssh"),
        Not("/usr/bin/ssh"),
    ]
    creator = ProcessQuery()
    creator_binary = FileQuery().with_file_path(eq=known_ssh_clients)
    creator = creator.with_bin_file(creator_binary)
    query = query.with_ipc_creator(creator)

    # NOTE(review): two consecutive with_process_name() calls are kept as in
    # the original.  If ProcessQuery ANDs successive filters, no single
    # process name can satisfy both and the rule never fires; if the intent
    # is "ssh-agent OR sshd", a single eq=[...] list would express it.
    recipient = (
        ProcessQuery()
        .with_process_name(eq='ssh-agent')
        .with_process_name(eq='sshd')
    )
    return query.with_ipc_recipient(recipient)
def test_process_query_view_miss(self, process_props: ProcessProps) -> None:
    """Querying a stored process with every property negated yields nothing.

    Creates (or reuses) a Process node from ``process_props`` against a
    local Dgraph instance, then asks for a process with the same node key
    but with each scalar property wrapped in ``Not(...)``.  Since at least
    one negated predicate contradicts the stored value, ``query_first``
    must return a falsy result.

    Requires a Dgraph endpoint reachable at ``localhost:9080``.
    """
    local_client = DgraphClient(DgraphClientStub("localhost:9080"))
    created_proc = get_or_create_process(self, local_client, process_props)

    # Every property below is fed into a Not() filter; a None value would
    # make the negation meaningless, so the fixture must populate all of them.
    populated = (
        created_proc.process_id,
        created_proc.arguments,
        created_proc.created_timestamp,
        created_proc.terminate_time,
        created_proc.image_name,
        created_proc.process_name,
    )
    assert all(value is not None for value in populated)

    miss_query = ProcessQuery().with_node_key(eq=created_proc.node_key)
    miss_query = miss_query.with_process_id(eq=Not(created_proc.process_id))
    miss_query = miss_query.with_arguments(eq=Not(created_proc.arguments))
    miss_query = miss_query.with_created_timestamp(
        eq=Not(created_proc.created_timestamp)
    )
    miss_query = miss_query.with_terminate_time(
        eq=Not(created_proc.terminate_time)
    )
    miss_query = miss_query.with_image_name(eq=Not(created_proc.image_name))
    miss_query = miss_query.with_process_name(
        eq=Not(created_proc.process_name)
    )

    queried_proc = miss_query.query_first(local_client)
    assert not queried_proc
def get_queries(self) -> OneOrMany[ProcessQuery]:
    """Return the process query this analyzer evaluates against the graph.

    Selects parent processes whose name is *not* one of the listed
    well-known ``svchost.exe`` launchers and that have a child process named
    ``svchost.exe`` — i.e. svchost spawned from an unexpected parent.
    """
    # Process names that are expected to launch svchost.exe.  Each one is
    # negated so the parent filter is intended to exclude all of them.
    # NOTE(review): assumes the builder treats a list of Not() values as a
    # conjunction ("none of these"); confirm against ProcessQuery's eq=
    # semantics, since an OR of negations would match any parent name.
    expected_launchers = (
        "services.exe",
        "smss.exe",
        "ngentask.exe",
        "userinit.exe",
        "GoogleUpdate.exe",
        "conhost.exe",
        "MpCmdRun.exe",
    )
    parent_name_filter = [Not(name) for name in expected_launchers]

    parent = ProcessQuery().with_process_name(eq=parent_name_filter)
    svchost_child = ProcessQuery().with_process_name(eq="svchost.exe")
    return parent.with_children(svchost_child)
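def test_process_query_view_miss(
    self,
    node_key,
    process_id,
    created_timestamp,
    asset_id,
    terminate_time,
    image_name,
    process_name,
    arguments,
) -> None:
    """Querying an upserted process with every property negated yields nothing.

    Upserts a Process node built from the generated arguments into a local
    Dgraph instance, then queries for the same node key with each scalar
    property wrapped in ``Not(...)``.  At least one negated predicate
    contradicts the stored value, so ``query_first`` must be falsy.

    Requires a Dgraph endpoint reachable at ``localhost:9080``.
    """
    # Prefix the generated key with the test name so nodes written by this
    # test cannot collide with nodes other tests store under the same key.
    node_key = "test_process_query_view_miss" + str(node_key)
    local_client = DgraphClient(DgraphClientStub("localhost:9080"))

    process = {
        "process_id": process_id,
        "arguments": arguments,
        "created_timestamp": created_timestamp,
        "asset_id": asset_id,
        "terminate_time": terminate_time,
        "image_name": image_name,
        "process_name": process_name,
    }  # type: Dict[str, Property]

    # Only the side effect (the node existing in Dgraph) matters here; the
    # returned view was previously bound to an unused local.
    upsert(local_client, "Process", ProcessView, node_key, process)

    miss_query = (
        ProcessQuery()
        .with_node_key(eq=node_key)
        .with_process_id(eq=Not(process_id))
        .with_arguments(eq=Not(arguments))
        .with_created_timestamp(eq=Not(created_timestamp))
        .with_asset_id(eq=Not(asset_id))
        .with_terminate_time(eq=Not(terminate_time))
        .with_image_name(eq=Not(image_name))
        .with_process_name(eq=Not(process_name))
    )
    queried_proc = miss_query.query_first(local_client)
    assert not queried_proc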