def test_query_flow(self, mock_results_response, mock_status_response, mock_query_response, mock_api_client): mock_api_client.return_value = None query_mock = '{"search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211"}' status_mock = '{"search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211", "status": "COMPLETED", "progress": "100"}' results_mock = """{ "search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211", "events": { "events": [ { "sourceIP":"9.21.122.81" }, { "sourceIP":"9.21.122.81" } ] } }""" mock_results_response.return_value = QRadarMockResponse( 200, results_mock) mock_status_response.return_value = QRadarMockResponse( 200, status_mock) mock_query_response.return_value = QRadarMockResponse(201, query_mock) config = {"auth": {"sec": "bla"}} connection = { "host": "hostbla", "port": "8080", "selfSignedCert": "cert" } query = '{"query":"SELECT sourceIP from events"}' entry_point = EntryPoint(connection, config) query_response = entry_point.create_query_connection(query) transmission = stix_transmission.StixTransmission( 'qradar', connection, config) query_response = transmission.query(query) assert query_response is not None assert 'search_id' in query_response assert query_response[ 'search_id'] == "108cb8b0-0744-4dd9-8e35-ea8311cd6211" search_id = "108cb8b0-0744-4dd9-8e35-ea8311cd6211" status_response = entry_point.create_status_connection(search_id) assert status_response is not None assert 'status' in status_response assert status_response['status'] == Status.COMPLETED.value offset = 0 length = 1 results_response = entry_point.create_results_connection( search_id, offset, length) assert results_response is not None assert 'data' in results_response assert 'events' in results_response['data'] assert len(results_response['data']) > 0
def test_is_async(self, mock_api_client): mock_api_client.return_value = None entry_point = EntryPoint() config = {"auth": {"SEC": "bla"}} connection = {"host": "hostbla", "port": "8080", "ceft": "cert"} check_async = entry_point.is_async() assert check_async
from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator from stix_shifter_utils.stix_translation.src.utils import transformers from stix_shifter_modules.qradar.entry_point import EntryPoint from stix_shifter.stix_translation import stix_translation import json import base64 entry_point = EntryPoint() map_file = open( entry_point.get_results_translator().default_mapping_file_path).read() map_data = json.loads(map_file) # Using default mapping in modules/qradar/json/to_stix_map.json map_data = json.loads(map_file) data_source = { "type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events" } options = {} class TestTransform(object): @staticmethod def get_first(itr, constraint): return next((obj for obj in itr if constraint(obj)), None) @staticmethod def get_first_of_type(itr, typ): return TestTransform.get_first( itr, lambda o: type(o) == dict and o.get('type') == typ)
import json import base64 from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator from stix_shifter_modules.qradar.entry_point import EntryPoint from stix_shifter.stix_translation import stix_translation from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers MODULE = 'qradar' RESULTS = 'results' TRANSFORMERS = get_module_transformers(MODULE) epoch_to_timestamp_class = TRANSFORMERS.get('EpochToTimestamp') EPOCH_START = 1531169112 EPOCH_END = 1531169254 START_TIMESTAMP = epoch_to_timestamp_class.transform(EPOCH_START) END_TIMESTAMP = epoch_to_timestamp_class.transform(EPOCH_END) entry_point = EntryPoint() MAP_DATA = entry_point.get_results_translator().map_data DATA_SOURCE = { "type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events" } options = {} class TestTransform(object): @staticmethod def get_first(itr, constraint): return next((obj for obj in itr if constraint(obj)), None)