Esempio n. 1
0
    def test_query_flow(self, mock_results_response, mock_status_response,
                        mock_query_response, mock_api_client):
        mock_api_client.return_value = None
        query_mock = '{"search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211"}'
        status_mock = '{"search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211", "status": "COMPLETED", "progress": "100"}'
        results_mock = """{
            "search_id": "108cb8b0-0744-4dd9-8e35-ea8311cd6211",
            "events": {
                "events": [
                    {
                        "sourceIP":"9.21.122.81"
                    },
                    {
                        "sourceIP":"9.21.122.81"
                    }
                ]
            }
        }"""
        mock_results_response.return_value = QRadarMockResponse(
            200, results_mock)
        mock_status_response.return_value = QRadarMockResponse(
            200, status_mock)
        mock_query_response.return_value = QRadarMockResponse(201, query_mock)

        config = {"auth": {"sec": "bla"}}
        connection = {
            "host": "hostbla",
            "port": "8080",
            "selfSignedCert": "cert"
        }

        query = '{"query":"SELECT sourceIP from events"}'
        entry_point = EntryPoint(connection, config)

        query_response = entry_point.create_query_connection(query)
        transmission = stix_transmission.StixTransmission(
            'qradar', connection, config)
        query_response = transmission.query(query)

        assert query_response is not None
        assert 'search_id' in query_response
        assert query_response[
            'search_id'] == "108cb8b0-0744-4dd9-8e35-ea8311cd6211"

        search_id = "108cb8b0-0744-4dd9-8e35-ea8311cd6211"
        status_response = entry_point.create_status_connection(search_id)

        assert status_response is not None
        assert 'status' in status_response
        assert status_response['status'] == Status.COMPLETED.value

        offset = 0
        length = 1
        results_response = entry_point.create_results_connection(
            search_id, offset, length)

        assert results_response is not None
        assert 'data' in results_response
        assert 'events' in results_response['data']
        assert len(results_response['data']) > 0
Esempio n. 2
0
    def test_is_async(self, mock_api_client):
        mock_api_client.return_value = None
        entry_point = EntryPoint()

        config = {"auth": {"SEC": "bla"}}
        connection = {"host": "hostbla", "port": "8080", "ceft": "cert"}
        check_async = entry_point.is_async()

        assert check_async
Esempio n. 3
0
from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator
from stix_shifter_utils.stix_translation.src.utils import transformers
from stix_shifter_modules.qradar.entry_point import EntryPoint
from stix_shifter.stix_translation import stix_translation
import json
import base64

entry_point = EntryPoint()
map_file = open(
    entry_point.get_results_translator().default_mapping_file_path).read()
map_data = json.loads(map_file)
# Using default mapping in modules/qradar/json/to_stix_map.json
map_data = json.loads(map_file)
data_source = {
    "type": "identity",
    "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
    "name": "QRadar",
    "identity_class": "events"
}
options = {}


class TestTransform(object):
    @staticmethod
    def get_first(itr, constraint):
        return next((obj for obj in itr if constraint(obj)), None)

    @staticmethod
    def get_first_of_type(itr, typ):
        return TestTransform.get_first(
            itr, lambda o: type(o) == dict and o.get('type') == typ)
import json
import base64
from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator
from stix_shifter_modules.qradar.entry_point import EntryPoint
from stix_shifter.stix_translation import stix_translation
from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers

MODULE = 'qradar'
RESULTS = 'results'
TRANSFORMERS = get_module_transformers(MODULE)
epoch_to_timestamp_class = TRANSFORMERS.get('EpochToTimestamp')
EPOCH_START = 1531169112
EPOCH_END = 1531169254
START_TIMESTAMP = epoch_to_timestamp_class.transform(EPOCH_START)
END_TIMESTAMP = epoch_to_timestamp_class.transform(EPOCH_END)
entry_point = EntryPoint()
MAP_DATA = entry_point.get_results_translator().map_data
DATA_SOURCE = {
    "type": "identity",
    "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
    "name": "QRadar",
    "identity_class": "events"
}
options = {}


class TestTransform(object):
    @staticmethod
    def get_first(itr, constraint):
        return next((obj for obj in itr if constraint(obj)), None)