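    def test_event(self):
        """Round-trip one event through its ``IPSIDAlertID``.

        Loads a single event from the last ``QUERY_TIMERANGE`` days, rebuilds
        an ``Event`` from its ``IPSIDAlertID`` and checks that the rebuilt
        object's ``ipsId``/``alertId`` pair joins back to the same id.  On
        API v2 the event is additionally re-fetched through
        ``Event.data_from_id(use_query=True)`` and compared with the raw data.
        """
        events = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            limit=1,
        )
        events.load_data()
        # Fail with a readable message instead of an IndexError on events[0]
        # when the SIEM returned nothing for the time range.
        self.assertGreater(len(events), 0,
                           'No event returned for the test time range')
        event = events[0]

        event_from_ips_get_alert_data = Event(id=event['IPSIDAlertID'])

        # IPSIDAlertID is expected to be the "<ipsId>|<alertId>" composite key.
        self.assertEqual(
            event['IPSIDAlertID'],
            '|'.join([
                str(event_from_ips_get_alert_data['ipsId']['id']),
                str(event_from_ips_get_alert_data['alertId']),
            ]))

        if msiempy.NitroSession().api_v == 2:
            print('CREATING EVENT MANUALLY FROM ID')
            data = Event().data_from_id(id=event['IPSIDAlertID'],
                                        use_query=True)
            event_from_direct_id_query = Event(data)
            print('EVENT RETREIVED : {}'.format(event_from_direct_id_query))
            print('ORIGINAL EVENT : {}'.format(event))
            self.assertEqual(event_from_direct_id_query, data)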
def event_examples():
    """Run two sample event queries against the SIEM and print the results.

    Query #1 filters on destination IP and a host name and sorts by AlertID;
    query #2 uses a smaller limit and loads the time range in three slots.
    """
    wanted_fields = ['SrcIP', 'AlertID']  # neither is in the default field set
    text_fields = ['AlertID', 'LastTime', 'SrcIP', 'Rule.msg']

    print('EVENT QUERY #1 : Simple event query sorted by AlertID')
    dst_filter = FieldFilter('DstIP', ['0.0.0.0/0'])
    # Replace "mail" by a host name that exists in your environment.
    host_filter = FieldFilter('HostID', ['mail'], operator='CONTAINS')
    simple_query = EventManager(
        time_range='LAST_3_DAYS',
        fields=list(wanted_fields),
        filters=[dst_filter, host_filter],
        order=('ASCENDING', 'AlertID'),
        limit=10,
    )
    simple_query.load_data()
    print(simple_query)
    print(simple_query.get_text(fields=list(text_fields)))

    print('EVENT QUERY #2 : Deeper event query')
    deep_query = msiempy.event.EventManager(
        time_range='LAST_3_DAYS',
        fields=list(wanted_fields),
        limit=3,
    )
    # slots / max_query_depth semantics are those of load_data(); presumably
    # the range is split in 3 and sub-queries are limited to one level.
    deep_query.load_data(slots=3, max_query_depth=1)
    print(deep_query)
    print(deep_query.get_text(fields=list(text_fields)))
def event_examples():
    """Run two sample event queries against the SIEM and print the results.

    The first query combines a destination-IP filter with a host-name
    filter and sorts by AlertID; the second asks for fewer events and
    splits its time range into slots.
    """

    def show(manager):
        # Print the manager itself, then a compact table of a few columns.
        print(manager)
        print(manager.get_text(fields=["AlertID", "LastTime", "SrcIP", "Rule.msg"]))

    print("EVENT QUERY #1 : Simple event query sorted by AlertID")
    sorted_query = EventManager(
        time_range="LAST_3_DAYS",
        fields=["SrcIP", "AlertID"],  # neither is in the default field set
        filters=[
            FieldFilter("DstIP", ["0.0.0.0/0"]),
            # Replace "mail" by a host name that exists in your environment.
            FieldFilter("HostID", ["mail"], operator="CONTAINS"),
        ],
        order=("ASCENDING", "AlertID"),
        limit=10,
    )
    sorted_query.load_data()
    show(sorted_query)

    print("EVENT QUERY #2 : Deeper event query")
    deeper_query = msiempy.event.EventManager(
        time_range="LAST_3_DAYS",
        fields=["SrcIP", "AlertID"],  # neither is in the default field set
        limit=3,
    )
    # slots / max_query_depth semantics are those of load_data(); presumably
    # the range is split in 3 and sub-queries are limited to one level.
    deeper_query.load_data(slots=3, max_query_depth=1)
    show(deeper_query)
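    def test_query_splitted_with_timedelta(self):
        """A time-split query must return the same leading events as an unsplit one.

        Both queries cover the same custom range ordered by AlertID; the
        second one is loaded with ``slots=2`` and its first five events must
        equal the first five of the plain query.
        """
        # Compute the window once so both queries cover exactly the same
        # range; calling datetime.now() per query made them differ by a few ms.
        start = datetime.now() - timedelta(days=QUERY_TIMERANGE)
        end = datetime.now() + timedelta(days=1)

        events_no_split = EventManager(
            time_range='CUSTOM',
            start_time=start,
            end_time=end,
            order=('ASCENDING', 'AlertID'),
            limit=10,
        )
        events_no_split.load_data()
        print('events_no_split'.upper())
        print(events_no_split.text)

        events = EventManager(
            time_range='CUSTOM',
            start_time=start,
            end_time=end,
            order=('ASCENDING', 'AlertID'),
            limit=5,
            # Per the original author, the constructor warns and ignores
            # this; the effective value is the one given to load_data().
            max_query_depth=1,
        )
        events.load_data(slots=2, max_query_depth=1)
        print('events_splitted'.upper())
        print(events.text)

        first_five_plain = events_no_split[:5]
        first_five_split = events[:5]

        self.assertEqual(
            first_five_plain, first_five_split,
            "First part of the split query doesn't correspond to the genuine "
            "query. This can happen when some events are generated at the "
            "exact moment the query is submitted; retry the test?"
        )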
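    def test_add_note(self):
        """Set a note on a couple of events and verify it was persisted.

        Each event is re-fetched by ``IPSIDAlertID`` so the check goes
        through the SIEM rather than the local object.
        """
        events = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            limit=2,
        )
        events.load_data()
        # Without this the loop below passes vacuously on an empty result.
        self.assertGreater(len(events), 0, 'No event available to annotate')

        for event in events:
            event.set_note("Test note")
            genuine_event = Event(id=event['IPSIDAlertID'])
            # assertRegexpMatches was removed in Python 3.12; assertRegex is
            # the same check under its current name.
            self.assertRegex(
                genuine_event['note'], "Test note",
                "The note doesn't seem to have been added to the event \n" +
                str(event))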
    def test_unique_keys(self):
        """The resolved ``fields`` of an EventManager must match a fixed set.

        The requested list mixes short and ``Alert.``-prefixed names and
        duplicates; the test asserts the exact normalised list the manager
        exposes (sorted, so order does not matter).
        """
        requested = [
            "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.IPSIDAlertID",
            "Alert.LastTime", "SrcMac", "Alert.SrcMac", "Alert.DstMac",
            "Alert.NormID", "Alert.BIN(4)", "HostID", "Alert.BIN(7)", "DSID",
            "Alert.EventCount",
        ]
        expected = sorted([
            'Alert.NormID', 'DSID', 'DstIP', 'DstMac', 'EventCount', 'HostID',
            'IPSIDAlertID', 'LastTime', 'Rule.msg', 'SrcIP', 'SrcMac',
            'UserIDSrc',
        ])

        actual = sorted(EventManager(fields=requested).fields)
        print("Got")
        print(actual)
        print("EXPECTED")
        print(expected)

        self.assertEqual(actual, expected)
 def get_events(self, ds_id, window='LAST_HOUR'):
     """Query one event for a datasource and return the loaded manager.

     Arguments:
         ds_id (str) -- datasource ID (IPSID), used in an EQUALS filter

     Keyword Arguments:
         window (str) -- value passed to ``EventManager`` as ``time_range``
                 (default: {'LAST_HOUR'})

     Returns:
         The ``EventManager`` after ``load_data()``: at most one event
         (``limit=1``), ordered ASCENDING by ``LastTime``.

     NOTE(review): with ascending ``LastTime`` order and ``limit=1`` this
     looks like it yields the earliest event of the window rather than the
     most recent one the original docstring promised -- confirm against the
     API's ordering semantics before relying on it.
     """
     ds_filter = FieldFilter('IPSID', ds_id, operator='EQUALS')
     manager = EventManager(
         time_range=window,
         fields=['HostID', 'UserIDSrc'],
         order=('ASCENDING', 'LastTime'),
         filters=[ds_filter],
         limit=1,
         max_query_depth=1,
     )
     manager.load_data()
     return manager
    def test_query(self):
        """Load up to ten events with the regular field set and sanity-check them.

        Every event must carry a non-empty ``Alert.SrcIP``, the result must
        not be empty, and the keys / text / JSON renderings are printed.
        """
        events = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            fields=Event.REGULAR_EVENT_FIELDS,
            limit=10,
        )
        events.load_data()

        for current in events:
            self.assertNotEqual(current['Alert.SrcIP'], '',
                                "An event doesn't have proper source IP")

        self.assertGreater(len(events), 0)

        print('EVENTS KEYS\n{}'.format(events.keys))
        print('EVENTS TEXT\n{}'.format(events))
        print('EVENT JSON\n' + events.json)
    def test_ordered_query(self):
        """Events ordered ASCENDING by AlertID must come back with strictly increasing ids."""
        ordered = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            fields=['Alert.AlertID'],
            order=('ASCENDING', 'AlertID'),
            limit=10,
        )
        ordered.load_data()

        previous = None
        for current in ordered:
            # The first (or any falsy) event only seeds the comparison.
            if previous:
                self.assertGreater(int(current['Alert.AlertID']),
                                   int(previous['Alert.AlertID']))
            previous = current
    def test_unique_keys(self):
        """The resolved ``fields`` of an EventManager must match a fixed set.

        The requested list mixes short and ``Alert.``-prefixed names and
        duplicates; the test asserts the exact normalised list the manager
        exposes (compared sorted, so order does not matter).
        """
        requested = [
            "Rule.msg",
            "Alert.SrcIP",
            "Alert.DstIP",
            "Alert.IPSIDAlertID",
            "Alert.LastTime",
            "SrcMac",
            "Alert.SrcMac",
            "Alert.DstMac",
            "Alert.NormID",
            "Alert.BIN(4)",
            "HostID",
            "Alert.BIN(7)",
            "DSID",
            "Alert.EventCount",
        ]
        expected = sorted([
            "Alert.NormID",
            "DSID",
            "DstIP",
            "DstMac",
            "EventCount",
            "HostID",
            "IPSIDAlertID",
            "LastTime",
            "Rule.msg",
            "SrcIP",
            "SrcMac",
            "UserIDSrc",
        ])

        actual = sorted(EventManager(fields=requested).fields)
        print("Got")
        print(actual)
        print("EXPECTED")
        print(expected)

        self.assertEqual(actual, expected)
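    def test_filtered_query(self):
        """Field and group filters must be reflected in every returned event.

        The first query uses a single ``FieldFilter`` on ``SrcIP``; the second
        combines that filter with an ``AppID`` filter inside an AND
        ``GroupFilter``.
        """

        def assert_in_22_slash_8(ip):
            # A substring test ('22.' in ip) also accepts e.g. 122.x.x.x, so
            # check the 22.0.0.0/8 prefix explicitly.
            self.assertTrue(str(ip).startswith('22.'),
                            '{} is not in 22.0.0.0/8'.format(ip))

        qry_filters = [FieldFilter(name='SrcIP', values=['22.0.0.0/8'])]
        e = EventManager(fields=['SrcIP'], filters=qry_filters).load_data()
        for event in e:
            assert_in_22_slash_8(event['SrcIP'])

        qry_filters = [
            GroupFilter(
                [
                    FieldFilter(name='SrcIP', values=['22.0.0.0/8']),
                    FieldFilter('AppID', 'CRON', operator='EQUALS'),
                ],
                logic='AND',
            )
        ]

        e = EventManager(fields=['SrcIP', 'AppID'],
                         filters=qry_filters).load_data()
        for event in e:
            assert_in_22_slash_8(event['SrcIP'])
            self.assertEqual(event['AppID'], 'CRON')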
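    def test_getitem(self):
        """Exercise item access, text rendering and key deletion on an Event.

        Loads up to five events, renders them as CSV and as a pretty table,
        then deletes a set of keys from the second event and checks they are
        gone under both their short and their ``Alert.``-prefixed names.
        """
        events = EventManager(
            time_range='CUSTOM',
            start_time=datetime.now() - timedelta(days=QUERY_TIMERANGE),
            end_time=datetime.now() + timedelta(days=1),
            fields=Event.REGULAR_EVENT_FIELDS,
            limit=5,
        )
        events.load_data()
        # events[1] below needs two events; fail clearly instead of IndexError.
        self.assertGreater(len(events), 1,
                           'Need at least two events for this test')

        print(events)

        text_fields = [
            "Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID",
            "HostID", "UserIDSrc", "ObjectID", "Severity", "LastTime",
            "DSIDSigID", "IPSIDAlertID",
        ]
        print(events.get_text(fields=text_fields, format='csv'))
        print(events.get_text(fields=text_fields, format='prettytable',
                              max_column_width=50))

        an_event = events[1]

        print(an_event)

        self.assertIn('Rule.msg', an_event)
        self.assertIn('DstIP', an_event)
        self.assertIn('HostID', an_event)

        deleted = [
            "Rule.msg", "SrcIP", "DstIP", "SrcMac", "DstMac", "NormID",
            "HostID",
        ]
        for key in deleted:
            del an_event[key]

        # The original test also expects the prefixed spellings to be gone;
        # plain for-loops replace the side-effect list comprehensions.
        prefixed = [
            "Rule.msg", "Alert.SrcIP", "Alert.DstIP", "Alert.SrcMac",
            "Alert.DstMac", "Alert.NormID", "Alert.BIN(4)",
        ]
        for key in prefixed + deleted:
            self.assertNotIn(key, an_event)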
 def test_manager(self):
     """Build an EventManager from the static test events and render three columns."""
     columns = ['SrcIP', 'DstIP', 'LastTime']
     manager = EventManager(alist=T.TEST_EVENTS)
     print("get_text(fields=['SrcIP', 'DstIP', 'LastTime'])")
     print(manager.get_text(fields=columns))
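if __name__ == "__main__":
    import sys

    args = parse_args()

    # Each CLI option maps to one (field, value) filter; only the options
    # actually given are used.  Values are passed to the SIEM as structured
    # tuples, never interpolated into a query string.
    option_to_field = [
        (args.user, 'UserIDSrc'),
        (args.ip, 'SrcIP'),
        (args.host, 'HostID'),
        (args.macaddr, 'SrcMac'),
    ]
    filters = [(field, value) for value, field in option_to_field if value]

    if not filters:
        # Usage errors go to stderr so they do not pollute piped output;
        # sys.exit avoids relying on the site-injected exit() builtin.
        print('You must specify a filter. One of the arguments --user --ip --host --macaddr is required',
              file=sys.stderr)
        sys.exit(-1)

    events = EventManager(
        time_range=args.timerange,
        fields=['SrcMac', 'SrcIP', 'UserIDSrc', 'HostID', 'EventCount'],
        filters=filters,
    )

    # delta / max_query_depth semantics are those of load_data(); presumably
    # the range is walked in 2h chunks with at most 5 levels of sub-queries.
    events.load_data(delta='2h', max_query_depth=5)

    if len(events) == 0:
        print('No event found, sorry')
        sys.exit(0)

    # Drop the columns this report does not use.
    for e in events:
        del e['IPSIDAlertID']
        del e['LastTime']
        del e['Rule.msg']

    print("Loaded {} events".format(len(events)))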
"""
Print raw events results hour by hour for the past 24h
"""

from datetime import datetime

from msiempy.event import EventManager
from msiempy.__utils__ import parse_timedelta, divide_times

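# Split the last 24 hours into 24 consecutive (start_time, end_time) tuples.
periods = divide_times(
    first=datetime.now() - parse_timedelta("24h"), last=datetime.now(), slots=24
)

periods_results = []

# `period` rather than `time`, which shadowed the stdlib module name.
for period in periods:
    start, end = period[0], period[1]

    # One query per hourly slot, filtered to the source networks of interest.
    query = EventManager(
        start_time=start,
        end_time=end,
        filters=[("SrcIP", ["22.0.0.0/8", "127.0.0.1"])],
    )

    query.load_data()
    periods_results.append(query)

# Assumes divide_times() returns the slots oldest-first, as the original
# "hours ago" message implies -- confirm against msiempy.__utils__.
for i, result in enumerate(periods_results):
    print("{} hours ago, query got {}".format(24 - i, result))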
"""
Print raw events results hour by hour for the past 24h
"""

from datetime import datetime

from msiempy.event import EventManager
from msiempy.__utils__ import parse_timedelta, divide_times

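# Split the last 24 hours into 24 consecutive (start_time, end_time) tuples.
periods = divide_times(
    first=datetime.now() - parse_timedelta('24h'),
    last=datetime.now(),
    slots=24,
)

periods_results = []

# `period` rather than `time`, which shadowed the stdlib module name.
for period in periods:
    start, end = period[0], period[1]

    # One query per hourly slot, filtered to the source networks of interest.
    query = EventManager(
        start_time=start,
        end_time=end,
        filters=[('SrcIP', ['22.0.0.0/8', '127.0.0.1'])],
    )

    query.load_data()
    periods_results.append(query)

# Assumes divide_times() returns the slots oldest-first, as the original
# "hours ago" message implies -- confirm against msiempy.__utils__.
for i, result in enumerate(periods_results):
    print("{} hours ago, query got {}".format(24 - i, result))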