def test_logon_session_rarity_notebooklet(monkeypatch): """Test basic run of notebooklet.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) test_data = str(Path(TEST_DATA_PATH).absolute()) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) d_path = Path(TEST_DATA_PATH).joinpath("processes_on_host.pkl") raw_data = pd.read_pickle(d_path) filt_sess = raw_data[raw_data["Account"] == "MSTICAlertsWin1\\MSTICAdmin"] data = pd.concat([raw_data.iloc[:1000], filt_sess]) check.is_true(hasattr(nblts.azsent.host, "LogonSessionsRarity")) if not hasattr(nblts.azsent.host, "LogonSessionsRarity"): print(nblts.azsent.host) test_nb = nblts.azsent.host.LogonSessionsRarity() result = test_nb.run(data=data) check.is_instance(result.process_clusters, pd.DataFrame) check.is_instance(result.processes_with_cluster, pd.DataFrame) check.is_instance(result.session_rarity, pd.DataFrame) result.list_sessions_by_rarity() result.plot_sessions_by_rarity() result.process_tree(account="MSTICAlertsWin1\\MSTICAdmin")
def test_winhostevents_notebooklet(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.host.WinHostEvents() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) check.is_not_none(result.all_events) check.is_instance(result.all_events, pd.DataFrame) check.is_not_none(result.event_pivot) check.is_instance(result.event_pivot, pd.DataFrame) check.is_not_none(result.account_events) check.is_instance(result.account_events, pd.DataFrame) check.is_not_none(result.event_pivot) check.is_instance(result.event_pivot, pd.DataFrame) # check.is_not_none(result.account_timeline) exp_events = test_nb.expand_events(["5058", "5061"]) check.is_instance(exp_events, pd.DataFrame)
def test_notebooklet_options(monkeypatch): """Test option logic for notebooklet.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init(query_provider="LocalData", providers=["tilookup", "geolitelookup"]) nb_test = TstNBSummary() # default options nb_res = nb_test.run() check.is_not_none(nb_res.default_property) check.is_none(nb_res.optional_property) # add optional option nb_res = nb_test.run(options=["+optional_opt"]) check.is_not_none(nb_res.default_property) check.is_not_none(nb_res.optional_property) # remove default option nb_res = nb_test.run(options=["-default_opt"]) check.is_none(nb_res.default_property) check.is_none(nb_res.optional_property) # specific options nb_res = nb_test.run(options=["heartbest", "azure_net"]) check.is_none(nb_res.default_property) check.is_none(nb_res.optional_property) # invalid option f_stream = StringIO() with redirect_stdout(f_stream): nb_test.run(options=["invalid_opt"]) output = str(f_stream.getvalue()) check.is_in("Invalid options ['invalid_opt']", output)
def test_notebooklet_options(self): """Test option logic for notebooklet.""" init(query_provider="LocalData") nb_test = TstNBSummary() # default options nb_res = nb_test.run() self.assertIsNotNone(nb_res.default_property) self.assertIsNone(nb_res.optional_property) # add optional option nb_res = nb_test.run(options=["+optional_opt"]) self.assertIsNotNone(nb_res.default_property) self.assertIsNotNone(nb_res.optional_property) # remove default option nb_res = nb_test.run(options=["-default_opt"]) self.assertIsNone(nb_res.default_property) self.assertIsNone(nb_res.optional_property) # specific options nb_res = nb_test.run(options=["heartbest", "azure_net"]) self.assertIsNone(nb_res.default_property) self.assertIsNone(nb_res.optional_property) # invalid option f_stream = StringIO() with redirect_stdout(f_stream): nb_test.run(options=["invalid_opt"]) output = str(f_stream.getvalue()) self.assertIn("Invalid options ['invalid_opt']", output)
def test_notebooklet_create(monkeypatch): """Test method.""" # Should run because required providers are loaded monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init(query_provider="LocalData", providers=["tilookup", "geolitelookup"]) for _, nblt in nblts.iter_classes(): new_nblt = nblt() check.is_instance(new_nblt, Notebooklet) check.is_none(new_nblt.result) # Should throw a warning because of unrecognized provider data_providers.init(query_provider="LocalData") with pytest.raises(MsticnbDataProviderError) as err: for _, nblt in nblts.iter_classes(): curr_provs = nblt.metadata.req_providers bad_provs = [*curr_provs, "bad_provider"] try: nblt.metadata.req_providers = bad_provs new_nblt = nblt() check.is_instance(new_nblt, Notebooklet) check.is_none(new_nblt.result) finally: nblt.metadata.req_providers = curr_provs check.is_in("bad_provider", err.value.args[0]) test_nb = TstNBSummary() check.is_not_none(test_nb.get_provider("LocalData")) with pytest.raises(MsticnbDataProviderError): test_nb.get_provider("otherprovider")
def test_ip_summary_notebooklet_internal(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) monkeypatch.setattr(data_providers, "TILookup", TILookupMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], providers=["tilookup", "geolitelookup"], ) test_nb = nblts.azsent.network.IpAddressSummary() tspan = TimeSpan(period="1D") test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES}) result = test_nb.run(value="40.76.43.124", timespan=tspan) check.is_not_none(result.ip_entity) check.equal(result.ip_type, "Public") check.equal(result.ip_origin, "Internal") check.is_not_none(result.whois) check.is_instance(result.related_alerts, pd.DataFrame) check.is_instance(result.heartbeat, pd.DataFrame) check.is_instance(result.az_network_if, pd.DataFrame) check.is_none(result.passive_dns) check.is_none(result.ti_results)
def test_ip_summary_notebooklet(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) monkeypatch.setattr(data_providers, "TILookup", TILookupMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], providers=["tilookup", "geolitelookup"], ) test_nb = nblts.azsent.network.IpAddressSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="11.1.2.3", timespan=tspan) check.is_not_none(result.ip_entity) check.equal(result.ip_type, "Public") check.equal(result.ip_origin, "External") check.is_in("CountryCode", result.geoip) check.is_not_none(result.location) check.is_not_none(result.notebooklet) check.is_not_none(result.whois) check.is_instance(result.related_alerts, pd.DataFrame) check.is_not_none(test_nb.browse_alerts()) check.is_instance(result.passive_dns, pd.DataFrame) check.is_instance(result.ti_results, pd.DataFrame)
def test_template_notebooklet(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = TemplateNB() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) check.is_not_none(result.all_events) check.is_not_none(result.description) check.is_not_none(result.plot) result = test_nb.run(value="myhost", timespan=tspan, options=["+get_metadata"]) check.is_not_none(result.additional_info) evts = test_nb.run_additional_operation( ["4679", "5058", "5061", "5059", "4776"]) check.is_instance(evts, pd.DataFrame)
def test_class_metadata(monkeypatch): """Test class correctly loads yaml metadata.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init(query_provider="LocalData", providers=["tilookup", "geolitelookip"]) host_nb = host_summary.HostSummary() check.is_true(hasattr(host_summary, "_CLS_METADATA")) check.is_instance(host_summary._CLS_METADATA, NBMetadata) check.is_true(hasattr(host_summary, "_CELL_DOCS")) check.is_instance(host_summary._CELL_DOCS, dict) check.is_true(hasattr(host_nb, "metadata")) check.is_instance(host_nb.metadata, NBMetadata) check.equal(host_nb.metadata.mod_name, host_summary.__name__) check.equal(host_nb.description(), "Host summary") check.equal(host_nb.name(), "HostSummary") check.is_in("host", host_nb.entity_types()) check.is_in("host", host_nb.keywords()) check.is_in("heartbeat", host_nb.default_options()) check.is_in("alerts", host_nb.default_options()) check.is_in("alerts", host_nb.all_options()) for item in ("Default Options", "alerts", "azure_api"): check.is_in(item, host_nb.list_options())
def test_template_notebooklet(self): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = TemplateNB() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) self.assertIsNotNone(result.all_events) self.assertIsNotNone(result.description) self.assertIsNotNone(result.plot) result = test_nb.run(value="myhost", timespan=tspan, options=["+get_metadata"]) self.assertIsNotNone(result.additional_info) evts = test_nb.run_additional_operation( ["4679", "5058", "5061", "5059", "4776"]) self.assertIsInstance(evts, pd.DataFrame)
def test_local_data(monkeypatch): """Test nblt output types and values using LocalData provider.""" test_data = str(Path.cwd().joinpath(TEST_DATA_PATH)) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], providers=["tilookup", "geolitelookup"], ) test_nblt = nblts.azsent.host.HostLogonsSummary() tspan = TimeSpan(start=datetime(2020, 6, 23, 4, 20), end=datetime(2020, 6, 29, 21, 32)) nbltlocaldata = test_nblt.run(value="WinAttackSim", timespan=tspan) assert isinstance(nbltlocaldata.logon_sessions, pd.DataFrame) assert nbltlocaldata.logon_sessions["SubjectUserName"].iloc[ 0] == "WinAttackSim$" assert nbltlocaldata.logon_sessions["LogonProcessName"].iloc[ 3] == "Advapi " assert "User Pie Chart" in nbltlocaldata.plots.keys() assert isinstance(nbltlocaldata.plots["Process Bar Chart"], Figure) assert isinstance(nbltlocaldata.logon_matrix, pd.io.formats.style.Styler) assert nbltlocaldata.logon_matrix.index[0][0] == "Font Driver Host\\UMFD-0" assert isinstance(nbltlocaldata.logon_map, FoliumMap) assert isinstance(nbltlocaldata.timeline, Column)
def test_network_flow_summary_notebooklet(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) monkeypatch.setattr(data_providers, "TILookup", TILookupMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.network.NetworkFlowSummary() tspan = TimeSpan(period="1D") test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES}) options = ["+geo_map"] result = test_nb.run(value="myhost", timespan=tspan, options=options) check.is_not_none(result.host_entity) check.is_not_none(result.network_flows) check.is_instance(result.network_flows, pd.DataFrame) check.is_not_none(result.plot_flows_by_protocol) check.is_instance(result.plot_flows_by_protocol, LayoutDOM) check.is_not_none(result.plot_flows_by_direction) check.is_instance(result.plot_flows_by_direction, LayoutDOM) check.is_not_none(result.plot_flow_values) check.is_instance(result.plot_flow_values, LayoutDOM) check.is_not_none(result.flow_index) check.is_instance(result.flow_summary, pd.DataFrame) result.select_asns() result.lookup_ti_for_asn_ips() result.show_selected_asn_map()
def nbltdata(): """Generate test nblt output.""" test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath( "lx_host_logons.pkl") init("LocalData", providers=["tilookup"]) test_nblt = nblts.azsent.host.HostLogonsSummary() test_df = pd.read_pickle(test_file) return test_nblt.run(data=test_df, options=["-map"], silent=True)
def nbltdata(monkeypatch): """Generate test nblt output.""" test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath( "lx_host_logons.pkl") monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init("LocalData", providers=["tilookup", "geolitelookup"]) test_nblt = nblts.azsent.host.HostLogonsSummary() test_df = pd.read_pickle(test_file) return test_nblt.run(data=test_df, options=["-map"], silent=True)
def test_account_summary_notebooklet(): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.account.AccountSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="accountname", timespan=tspan) assert result.account_selector is not None acct_select = test_nb.browse_accounts() assert isinstance(acct_select, nbwidgets.SelectItem) select_opts = result.account_selector._item_dict disp_account = result.account_selector.item_action for acct_item in select_opts.values(): # Programatically select the item list control select_item = [ key for key, value in select_opts.items() if value == acct_item ] if select_item: result.account_selector._wgt_select.value = select_item[0] disp_account(acct_item) assert isinstance(result.account_activity, pd.DataFrame) assert isinstance(result.related_alerts, pd.DataFrame) assert isinstance(result.related_bookmarks, pd.DataFrame) assert isinstance(result.alert_timeline, LayoutDOM) assert isinstance(result.account_entity, entities.Account) alert_select = test_nb.browse_alerts() assert isinstance(alert_select, nbwidgets.SelectAlert) bm_select = test_nb.browse_bookmarks() assert isinstance(bm_select, nbwidgets.SelectItem) test_nb.find_additional_data() assert isinstance(result.account_timeline_by_ip, LayoutDOM) if "Windows" in acct_item or "Linux" in acct_item: assert isinstance(result.host_logons, pd.DataFrame) assert isinstance(result.host_logon_summary, pd.DataFrame) assert result.azure_activity is None assert result.azure_activity_summary is None assert result.azure_timeline_by_provider is None assert result.azure_timeline_by_operation is None else: assert result.host_logons is None assert result.host_logon_summary is None assert isinstance(result.azure_activity, pd.DataFrame) assert isinstance(result.azure_activity_summary, pd.DataFrame) assert isinstance(result.azure_timeline_by_provider, LayoutDOM) assert isinstance(result.azure_timeline_by_operation, LayoutDOM)
def _init_pivot(monkeypatch): test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( query_provider="LocalData", providers=["geolitelookup"], LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) return Pivot()
def nbltdata(monkeypatch): """Generate test nblt output.""" test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath("alerts_list.pkl") monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init("LocalData", providers=["tilookup", "geolitelookup"]) test_nblt = nblts.azsent.alert.EnrichAlerts() # pylint: disable=no-member test_df = pd.read_pickle(test_file) test_df["Entities"] = "" return test_nblt.run(data=test_df, silent=True)
def test_notebooklet_params(self): """Test supplying timespan param.""" init(query_provider="LocalData", providers=["tilookup"]) test_nb = TstNBSummary() tspan = TimeSpan(period="1D") test_nb.run(timespan=tspan) self.assertEqual(tspan, test_nb.timespan) test_nb.run(start=tspan.start, end=tspan.end) self.assertEqual(tspan, test_nb.timespan)
def nbltdata(): """Generate test nblt output.""" test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath("alerts_list.pkl") test_config = str( Path.cwd().joinpath(TEST_DATA_PATH).joinpath("msticpyconfig-test.yaml") ) init("LocalData", providers=["tilookup"]) test_nblt = nblts.azsent.alert.EnrichAlerts() test_df = pd.read_pickle(test_file) test_df["Entities"] = "" return test_nblt.run(data=test_df, silent=True)
def test_notebooklet_params(monkeypatch): """Test supplying timespan param.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init(query_provider="LocalData", providers=["tilookup", "geolitelookup"]) test_nb = TstNBSummary() tspan = TimeSpan(period="1D") test_nb.run(timespan=tspan) check.equal(tspan, test_nb.timespan) test_nb.run(start=tspan.start, end=tspan.end) check.equal(tspan, test_nb.timespan)
def test_host_summary_notebooklet(self): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.host.HostSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) self.assertIsNotNone(result.host_entity) self.assertIsNotNone(result.related_alerts) self.assertIsInstance(result.related_alerts, pd.DataFrame) self.assertIsNotNone(result.alert_timeline) self.assertIsNotNone(result.related_bookmarks) self.assertIsInstance(result.related_bookmarks, pd.DataFrame)
def test_add_sub_data_providers(self): """Test intializing adding and subtracting providers.""" dprov = DataProviders(query_provider="LocalData") init(query_provider="LocalData", providers=["tilookup"]) msticnb = sys.modules["msticnb"] dprov2 = DataProviders.current() # Add and remove a provider from defaults init(query_provider="LocalData", providers=["+ipstacklookup", "-geolitelookup"]) dprov3 = DataProviders.current() pkg_providers = getattr(msticnb, "data_providers") self.assertIsNot(dprov3, dprov) self.assertIsNot(dprov3, dprov2) self.assertIn("ipstacklookup", dprov3.providers) self.assertNotIn("geolitelookup", dprov3.providers) self.assertIn("tilookup", dprov3.providers) self.assertIn("ipstacklookup", pkg_providers) self.assertNotIn("geolitelookup", pkg_providers) self.assertIn("tilookup", pkg_providers)
def test_host_summary_notebooklet(monkeypatch): """Test basic run of notebooklet.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) test_data = str(Path(TEST_DATA_PATH).absolute()) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.host.HostSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) check.is_not_none(result.host_entity) check.is_not_none(result.related_alerts) check.is_instance(result.related_alerts, pd.DataFrame) check.is_not_none(result.alert_timeline) check.is_not_none(result.related_bookmarks) check.is_instance(result.related_bookmarks, pd.DataFrame)
def test_new_init_data_providers(monkeypatch): """Test creating new provider with new provider list.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init(query_provider="LocalData", providers=[]) dprov = data_providers.DataProviders.current() data_providers.init(query_provider="LocalData", providers=[]) dprov2 = data_providers.DataProviders.current() check.equal(dprov2, dprov) # specify provider dprov = data_providers.DataProviders(query_provider="LocalData") data_providers.init(query_provider="LocalData", providers=["tilookup"]) msticnb = sys.modules["msticnb"] dprov2 = data_providers.DataProviders.current() pkg_providers = getattr(msticnb, "data_providers") check.not_equal(dprov2, dprov) check.is_in("LocalData", dprov2.providers) check.is_in("tilookup", dprov2.providers) check.is_not_in("geolitelookup", dprov2.providers) check.is_not_in("ipstacklookup", dprov2.providers) check.is_in("LocalData", pkg_providers) check.is_in("tilookup", pkg_providers) check.is_not_in("geolitelookup", pkg_providers) check.is_not_in("ipstacklookup", pkg_providers) check.is_instance(dprov2.providers["tilookup"], TILookup)
def test_new_init_data_providers(self): """Test creating new provider with new provider list.""" init(query_provider="LocalData", providers=[]) dprov = DataProviders.current() init(query_provider="LocalData", providers=[]) dprov2 = DataProviders.current() self.assertIs(dprov2, dprov) # specify provider dprov = DataProviders(query_provider="LocalData") init(query_provider="LocalData", providers=["tilookup"]) msticnb = sys.modules["msticnb"] dprov2 = DataProviders.current() pkg_providers = getattr(msticnb, "data_providers") self.assertIsNot(dprov2, dprov) self.assertIn("LocalData", dprov2.providers) self.assertIn("tilookup", dprov2.providers) self.assertNotIn("geolitelookup", dprov2.providers) self.assertNotIn("ipstacklookup", dprov2.providers) self.assertIn("LocalData", pkg_providers) self.assertIn("tilookup", pkg_providers) self.assertNotIn("geolitelookup", pkg_providers) self.assertNotIn("ipstacklookup", pkg_providers) self.assertIsInstance(dprov2.providers["tilookup"], TILookup)
def test_ip_summary_notebooklet_all(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) monkeypatch.setattr(data_providers, "TILookup", TILookupMock) data_providers.init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], providers=["tilookup", "geolitelookup"], ) opts = ["+az_netflow", "+passive_dns", "+az_activity", "+office_365", "+ti"] test_nb = nblts.azsent.network.IpAddressSummary() tspan = TimeSpan(period="1D") test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES}) result = test_nb.run(value="40.76.43.124", timespan=tspan, options=opts) check.is_not_none(result.ip_entity) check.is_not_none(result.host_entity) check.equal(result.host_entity.HostName, "MSTICAlertsWin1") check.equal(result.host_entity.OSFamily.name, "Linux") check.equal(result.ip_type, "Public") check.equal(result.ip_origin, "Internal") check.is_instance(result.heartbeat, pd.DataFrame) check.is_instance(result.az_network_if, pd.DataFrame) check.is_instance(result.az_network_flows, pd.DataFrame) check.is_instance(result.az_network_flow_summary, pd.DataFrame) check.is_instance(result.az_network_flows_timeline, LayoutDOM) check.is_instance(result.aad_signins, pd.DataFrame) check.is_instance(result.office_activity, pd.DataFrame) check.is_instance(result.vmcomputer, pd.DataFrame) check.is_instance(test_nb.netflow_total_by_protocol(), LayoutDOM) check.is_instance(test_nb.netflow_by_direction(), LayoutDOM) check.is_not_none(result.whois) check.is_instance(result.related_alerts, pd.DataFrame) check.is_instance(result.passive_dns, pd.DataFrame) check.is_instance(result.ti_results, pd.DataFrame)
def test_notebooklet_create(self): """Test method.""" test_with_geop = True try: geoip = GeoLiteLookup() if not geoip._api_key: test_with_geop = False del geoip except MsticpyUserConfigError: test_with_geop = False if test_with_geop: # Should run because required providers are loaded init(query_provider="LocalData", providers=["tilookup", "geolitelookup"]) for _, nblt in nblts.iter_classes(): new_nblt = nblt() self.assertIsInstance(new_nblt, Notebooklet) self.assertIsNone(new_nblt.result) # Should throw a warning because of unrecognized provider init(query_provider="LocalData") with self.assertRaises(MsticnbDataProviderError) as err: for _, nblt in nblts.iter_classes(): curr_provs = nblt.metadata.req_providers bad_provs = [*curr_provs, "bad_provider"] try: nblt.metadata.req_providers = bad_provs new_nblt = nblt() self.assertIsInstance(new_nblt, Notebooklet) self.assertIsNone(new_nblt.result) finally: nblt.metadata.req_providers = curr_provs self.assertIn("bad_provider", err.exception.args[0]) test_nb = TstNBSummary() self.assertIsNotNone(test_nb.get_provider("LocalData")) with self.assertRaises(MsticnbDataProviderError): test_nb.get_provider("otherprovider")
def test_add_sub_data_providers(monkeypatch): """Test intializing adding and subtracting providers.""" monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) dprov = data_providers.DataProviders(query_provider="LocalData") data_providers.init(query_provider="LocalData", providers=["tilookup"]) msticnb = sys.modules["msticnb"] dprov2 = data_providers.DataProviders.current() # Add and remove a provider from defaults data_providers.init( query_provider="LocalData", providers=["+ipstacklookup", "-geolitelookup"] ) dprov3 = data_providers.DataProviders.current() pkg_providers = getattr(msticnb, "data_providers") check.not_equal(dprov3, dprov) check.not_equal(dprov3, dprov2) check.is_in("ipstacklookup", dprov3.providers) check.is_not_in("geolitelookup", dprov3.providers) check.is_in("tilookup", dprov3.providers) check.is_in("ipstacklookup", pkg_providers) check.is_not_in("geolitelookup", pkg_providers) check.is_in("tilookup", pkg_providers)
def test_network_flow_summary_notebooklet(self): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) init( query_provider="LocalData", LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.network.NetworkFlowSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="myhost", timespan=tspan) self.assertIsNotNone(result.host_entity) self.assertIsNotNone(result.network_flows) self.assertIsInstance(result.network_flows, pd.DataFrame) self.assertIsNotNone(result.plot_flows_by_protocol) self.assertIsInstance(result.plot_flows_by_protocol, LayoutDOM) self.assertIsNotNone(result.plot_flows_by_direction) self.assertIsInstance(result.plot_flows_by_direction, LayoutDOM) self.assertIsNotNone(result.plot_flow_values) self.assertIsInstance(result.plot_flow_values, LayoutDOM) self.assertIsNotNone(result.flow_index) self.assertIsInstance(result.flow_summary, pd.DataFrame)
def test_account_summary_notebooklet(monkeypatch): """Test basic run of notebooklet.""" test_data = str(Path(TEST_DATA_PATH).absolute()) monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock) data_providers.init( "LocalData", providers=["-tilookup"], LocalData_data_paths=[test_data], LocalData_query_paths=[test_data], ) test_nb = nblts.azsent.account.AccountSummary() tspan = TimeSpan(period="1D") result = test_nb.run(value="accountname", timespan=tspan) check.is_not_none(result.account_selector) acct_select = test_nb.browse_accounts() check.is_instance(acct_select, nbwidgets.SelectItem) select_opts = result.account_selector._item_dict disp_account = result.account_selector.item_action for acct_item in select_opts.values(): # Programatically select the item list control select_item = [ key for key, value in select_opts.items() if value == acct_item ] if select_item: result.account_selector._wgt_select.value = select_item[0] disp_account(acct_item) check.is_instance(result.account_activity, pd.DataFrame) check.is_instance(result.related_alerts, pd.DataFrame) check.is_instance(result.related_bookmarks, pd.DataFrame) check.is_instance(result.alert_timeline, LayoutDOM) check.is_instance(result.account_entity, entities.Account) alert_select = test_nb.browse_alerts() check.is_instance(alert_select, nbwidgets.SelectAlert) bm_select = test_nb.browse_bookmarks() assert isinstance(bm_select, nbwidgets.SelectItem) test_nb.get_additional_data() check.is_instance(result.account_timeline_by_ip, LayoutDOM) if "Windows" in acct_item or "Linux" in acct_item: check.is_instance(result.host_logons, pd.DataFrame) check.is_instance(result.host_logon_summary, pd.DataFrame) check.is_none(result.azure_activity) check.is_none(result.azure_activity_summary) check.is_none(result.azure_timeline_by_provider) check.is_none(result.azure_timeline_by_operation) vwr = result.view_events( attrib="host_logons", summary_cols=["Computer", "LogonResult", "LogonType"], ) else: check.is_none(result.host_logons) check.is_none(result.host_logon_summary) check.is_instance(result.azure_activity, pd.DataFrame) check.is_instance(result.azure_activity_summary, pd.DataFrame) check.is_instance(result.azure_timeline_by_provider, LayoutDOM) check.is_instance(result.azure_timeline_by_operation, LayoutDOM) vwr = result.view_events( attrib="azure_activity", summary_cols=["Source", "Operation", "IPAddress"], ) check.is_instance(vwr, nbwidgets.SelectItem) result.display_alert_timeline() result.browse_accounts() result.browse_alerts() result.browse_bookmarks() result.az_activity_timeline_by_provider() result.az_activity_timeline_by_ip() result.az_activity_timeline_by_operation() result.host_logon_timeline() check.is_not_none(result.get_geoip_map())