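def test_normalize_api_call(self):
    """Check that normalize_api_call strips version suffixes and renames services.

    Two cases are pinned: the trailing API-version date (``20170331``) is removed
    and the result is lowercased, and the CloudTrail eventSource name
    ``monitoring`` is mapped to the IAM prefix ``cloudwatch``.
    """
    # ``assertEquals`` is a deprecated alias that was removed in Python 3.12;
    # ``assertEqual`` is the supported spelling.
    # Trailing version digits must be dropped.
    self.assertEqual(normalize_api_call('lambda', 'ListTags20170331'), 'lambda:listtags')
    # Service renaming must occur.
    self.assertEqual(normalize_api_call('monitoring', 'DescribeAlarms'), 'cloudwatch:describealarms')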
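def get_events_from_search(self, searchresults):
    """Collect the normalized API calls named in a set of query result rows.

    Each row is a one-element sequence whose only item is a string shaped like
    ``{field0=s3.amazonaws.com, field1=GetBucketAcl}`` — the eventSource followed
    by the eventName. The service is the first DNS label of the eventSource
    (``s3``); it is passed together with the eventName through
    ``normalize_api_call``.

    searchresults: iterable of rows, each ``row[0]`` being the string above.

    Returns a dict whose keys are the normalized ``service:action`` strings,
    each mapped to ``True`` (only the key set is meaningful).

    Raises ValueError for a row that does not carry two ``key=value`` fields
    separated by ", " — previously such a row failed with an opaque IndexError
    from the positional splits.
    """
    event_names = {}
    for row in searchresults:
        raw = row[0]
        # Drop the surrounding '{' and '}'; what remains is
        # "field0=<eventSource>, field1=<eventName>".
        body = raw[1:-1]
        source_field, sep, name_field = body.partition(", ")
        if not sep:
            raise ValueError(f"unexpected event row format: {raw!r}")
        # Each field is "<key>=<value>"; only the value is used.
        _, has_source, eventsource = source_field.partition("=")
        _, has_name, eventname = name_field.partition("=")
        if not (has_source and has_name):
            raise ValueError(f"unexpected event row format: {raw!r}")
        # eventSource is a hostname such as s3.amazonaws.com; the service prefix
        # is its first label.
        service = eventsource.split(".")[0]
        event_names[normalize_api_call(service, eventname)] = True
    return event_names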
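def get_events_from_search(self, searchquery):
    """Finish an Elasticsearch query and return the API calls it matches.

    Two nested ``terms`` aggregations are added to ``searchquery``: the outer
    one buckets by eventName, the inner one by eventSource, each capped at 5000
    buckets. The query is executed and every (eventSource, eventName) pair is
    normalized with ``normalize_api_call``, using the first DNS label of the
    eventSource (``s3.amazonaws.com`` -> ``s3``) as the service.

    searchquery: a started elasticsearch-dsl Search object to which the
        aggregations are attached (it is mutated in place).

    Returns a dict keyed by normalized ``service:action`` strings, each mapped
    to ``True`` (only the key set is meaningful).

    Note: a result set with more than 5000 distinct eventNames or eventSources
    is silently truncated by the ``size`` caps.
    """
    searchquery.aggs.bucket(
        "event_names", "terms", field=self.get_field_name("eventName"), size=5000
    ).bucket(
        "service_names", "terms", field=self.get_field_name("eventSource"), size=5000
    )
    response = searchquery.execute()

    event_names = {}
    for name_bucket in response.aggregations.event_names.buckets:
        # The same eventName (e.g. ListTags) is emitted by several eventSources,
        # so every inner bucket is recorded rather than only buckets[0]; this also
        # avoids an IndexError on an eventName bucket with no source buckets.
        for source_bucket in name_bucket.service_names.buckets:
            service = source_bucket.key.split(".")[0]
            event_names[normalize_api_call(service, name_bucket.key)] = True
    return event_names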