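def test_run_command_failure_sensor_offline(requests_mock, mocker):
    """run_command reports a per-host RTR failure through return_error.

    Given: a batch session that initialises (201) and a batch-command call
        that answers 404 with a host-level error, code 40407
        "Sensor appears to be offline".
    When: run_command is invoked for that single host with no ``scope``
        argument.
    Then: return_error is called exactly once, and its message carries the
        HTTP code and reason followed by the host ID and the host-level
        error text.
    """
    from CrowdStrikeFalcon import run_command

    host_id = '284771ee197e422d5176d6634a62b934'
    rtr_base = f'{SERVER_URL}/real-time-response/combined'

    return_error_mock = mocker.patch(RETURN_ERROR_TARGET)
    mocker.patch.object(
        demisto,
        'args',
        return_value={
            'host_ids': host_id,
            'command_type': 'ls',
            # The backslash is escaped explicitly: '\s' is an invalid escape
            # sequence that newer interpreters warn about. The runtime value
            # is unchanged.
            'full_command': 'cd C:\\some_directory',
        },
    )

    # Error body as returned by the mocked batch-command endpoint: one
    # top-level error plus one error attached to the host resource.
    error_object = {
        "meta": {
            "query_time": 0.505762223,
            "powered_by": "empower-api",
            "trace_id": "07kk11c3-496g-42df-9157-834e499e279d",
        },
        "batch_id": "",
        "resources": {
            host_id: {
                "session_id": "",
                "complete": False,
                "stdout": "",
                "stderr": "",
                "aid": host_id,
                "errors": [{
                    "code": 40407,
                    "message": "Sensor appears to be offline",
                }],
                "query_time": 0,
            },
        },
        "errors": [{
            "code": 404,
            "message": "no successful hosts initialized on RTR",
        }],
    }

    requests_mock.post(
        f'{rtr_base}/batch-init-session/v1',
        json={'batch_id': 'batch_id'},
        status_code=201,
    )
    requests_mock.post(
        f'{rtr_base}/batch-command/v1',
        json=error_object,
        status_code=404,
        reason='Not found',
    )

    run_command()

    assert return_error_mock.call_count == 1
    err_msg = return_error_mock.call_args[0][0]
    # The host-level message is what tells an analyst which sensor failed
    # and why, so the whole string is pinned.
    assert err_msg == (
        'Error in API call to CrowdStrike Falcon: code: 404 - '
        f'reason: Not found\nHost ID {host_id} - Sensor appears to be offline'
    )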
def test_run_command_write_scope(requests_mock, mocker):
    """run_command with scope 'write' returns the host output in EntryContext.

    Given: demisto args for an ``mkdir`` command with ``scope`` set to
        ``write``, and mocked responses for batch-init-session and
        batch-active-responder-command.
    When: run_command is called.
    Then: EntryContext['CrowdStrike']['Command'] holds one entry with the
        host ID, stdout, stderr, base command and full command.
    """
    from CrowdStrikeFalcon import run_command

    host_id = '284771ee197e422d5176d6634a62b934'
    rtr_base = f'{SERVER_URL}/real-time-response/combined'
    created_dir = 'C:\\demistotest1'
    full_command = 'mkdir C:\\demistotest1'

    response = {
        "combined": {
            "resources": {
                host_id: {
                    "aid": host_id,
                    "base_command": "mkdir",
                    "complete": True,
                    "errors": None,
                    "query_time": 0.478191482,
                    "session_id": "ed0743e0-b156-4f98-8bbb-7a720a4192cf",
                    "stderr": "",
                    "stdout": created_dir,
                    "task_id": "e579eee6-ce7a-487c-8fef-439ebc9c3bc0",
                },
            },
        },
        "errors": [],
        "meta": {
            "powered_by": "empower-api",
            "query_time": 0.478696373,
            "trace_id": "07kk11c3-496g-42df-9157-834e499e279d",
        },
    }

    mocker.patch.object(
        demisto,
        'args',
        return_value={
            'host_ids': host_id,
            'command_type': 'mkdir',
            'full_command': full_command,
            'scope': 'write',
        },
    )

    requests_mock.post(
        f'{rtr_base}/batch-init-session/v1',
        json={'batch_id': 'batch_id'},
        status_code=201,
    )
    # Only the active-responder endpoint is registered for the command call,
    # so a request sent to another command endpoint would not receive this
    # response.
    requests_mock.post(
        f'{rtr_base}/batch-active-responder-command/v1',
        json=response,
        status_code=201,
    )

    results = run_command()

    expected_command = {
        'HostID': host_id,
        'Stdout': created_dir,
        'Stderr': '',
        'BaseCommand': 'mkdir',
        'Command': full_command,
    }
    expected_results = {'CrowdStrike': {'Command': [expected_command]}}
    assert results['EntryContext'] == expected_results
def test_run_command_read_scope(requests_mock, mocker):
    """run_command without a scope argument returns the host's ls output.

    Given: demisto args for an ``ls`` command with no ``scope`` key, and
        mocked responses for batch-init-session and batch-command.
    When: run_command is called.
    Then: EntryContext['CrowdStrike']['Command'] holds one entry whose
        Stdout equals the stdout of the mocked response.
    """
    from CrowdStrikeFalcon import run_command

    host_id = '284771ee197e422d5176d6634a62b934'
    rtr_base = f'{SERVER_URL}/real-time-response/combined'
    full_command = 'ls C:\\'

    # Directory listing the mocked host returns on stdout; the same text is
    # expected in the command's context output.
    listing = (
        'Directory listing for C:\\ -\n\n'
        'Name Type Size (bytes) Size (MB) '
        'Last Modified (UTC-5) Created (UTC-5) \n---- '
        ' ---- ------------ --------- --------------------- -------'
        '-------- \n$Recycle.Bin <Directory> -- '
        ' -- 11/27/2018 10:54:44 AM 9/15/2017 3:33:40 AM \nITAYDI '
        ' <Directory> -- -- 11/19/2018 1:'
        '31:42 PM 11/19/2018 1:31:42 PM '
    )

    response = {
        'meta': {
            'query_time': 1.178901572,
            'powered_by': 'empower-api',
            'trace_id': '07kk11c3-496g-42df-9157-834e499e279d',
        },
        'combined': {
            'resources': {
                host_id: {
                    'session_id': '1113b475-2c28-4486-8617-d000b8f3bc8d',
                    'task_id': 'e0149c46-4ba0-48c9-9e98-49b806a0033f',
                    'complete': True,
                    'stdout': listing,
                    'stderr': '',
                    'base_command': 'ls',
                    'aid': host_id,
                    'errors': None,
                    'query_time': 1.1783866060000001,
                },
            },
        },
        'errors': [],
    }

    mocker.patch.object(
        demisto,
        'args',
        return_value={
            'host_ids': host_id,
            'command_type': 'ls',
            'full_command': full_command,
        },
    )

    requests_mock.post(
        f'{rtr_base}/batch-init-session/v1',
        json={'batch_id': 'batch_id'},
        status_code=201,
    )
    # No scope is passed and only batch-command is registered for the
    # command call.
    requests_mock.post(
        f'{rtr_base}/batch-command/v1',
        json=response,
        status_code=201,
    )

    results = run_command()

    expected_command = {
        'HostID': host_id,
        'Stdout': listing,
        'Stderr': '',
        'BaseCommand': 'ls',
        'Command': full_command,
    }
    expected_results = {'CrowdStrike': {'Command': [expected_command]}}
    assert results['EntryContext'] == expected_results
def test_run_command_with_stderr(requests_mock, mocker):
    """run_command with scope 'admin' passes the host's stderr to the context.

    Given: demisto args for a ``runscript`` command with ``scope`` set to
        ``admin``, and a mocked batch-admin-command response whose stdout
        is empty and whose stderr holds a PowerShell "not recognized" error.
    When: run_command is called.
    Then: EntryContext['CrowdStrike']['Command'] holds one entry with an
        empty Stdout and the unmodified stderr text in Stderr.
    """
    from CrowdStrikeFalcon import run_command

    host_id = '284771ee197e422d5176d6634a62b934'
    rtr_base = f'{SERVER_URL}/real-time-response/combined'
    full_command = 'runscript -CloudFile=InvalidPowerShellScript'

    # Error text the mocked host writes to stderr; the same text is expected
    # in the command's context output.
    stderr_text = (
        "The term 'somepowershellscript' is not recognized as the name of a cmdlet, function,"
        " script file, or operable program. Check the spelling of the name, or if a path was "
        "included, verify that the path is correct and try again."
    )

    response = {
        "combined": {
            "resources": {
                host_id: {
                    "aid": host_id,
                    "base_command": "runscript",
                    "complete": True,
                    "errors": None,
                    "query_time": 4.111527091,
                    "session_id": "4d41588e-8455-4f0f-a3ee-0515922a8d94",
                    "stderr": stderr_text,
                    "stdout": "",
                    "task_id": "6d78e0ab-ec8a-4a5b-a948-1dca6381a9d1",
                },
            },
        },
        "errors": [],
        "meta": {
            "powered_by": "empower-api",
            "query_time": 4.112103195,
            "trace_id": "07kk11c3-496g-42df-9157-834e499e279d",
        },
    }

    mocker.patch.object(
        demisto,
        'args',
        return_value={
            'host_ids': host_id,
            'command_type': 'runscript',
            'full_command': full_command,
            'scope': 'admin',
        },
    )

    requests_mock.post(
        f'{rtr_base}/batch-init-session/v1',
        json={'batch_id': 'batch_id'},
        status_code=201,
    )
    # Only the admin endpoint is registered for the command call, so a
    # request sent to another command endpoint would not receive this
    # response.
    requests_mock.post(
        f'{rtr_base}/batch-admin-command/v1',
        json=response,
        status_code=201,
    )

    results = run_command()

    expected_command = {
        'HostID': host_id,
        'Stdout': '',
        'Stderr': stderr_text,
        'BaseCommand': 'runscript',
        'Command': full_command,
    }
    expected_results = {'CrowdStrike': {'Command': [expected_command]}}
    assert results['EntryContext'] == expected_results