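def test_no_results_response(self, mock_requests_response):
    """A 200 reply whose ``results`` list is empty yields success and no rows.

    The mocked body also carries a non-empty ``tagged_pids`` map and
    ``total_results: 0``, so the test additionally checks that nothing but
    the (empty) result rows ends up in ``data``.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = """ {"terms": ["process_name:notepad.exe"], "results": [], "elapsed": 0.01921701431274414, "comprehensive_search": true, "all_segments": true, "total_results": 0, "highlights": [], "facets": {}, "tagged_pids": {"00000036-0000-0a02-01d4-97e70c22b346-0167c881d4b3": [{"name": "Default Investigation", "id": 1}, {"name": "Default Investigation", "id": 1}]}, "start": 0, "incomplete_results": false, "filtered": {} } """
    mock_requests_response.return_value = RequestMockResponse(
        200, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list(
        "process_name:notepad.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    # ``is True`` rather than ``== True`` (ruff E712): any truthy value would
    # satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is True
    assert 'data' in results_response
    assert len(results_response['data']) == 0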
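def test_transmit_limit_and_sort(self, mock_requests_response):
    """Offset, row count and sort order are encoded into the request URL.

    The mocked body is incidental; the point of the test is the
    ``assert_called_with`` at the end, which pins the exact query string
    (``start=100&rows=2&sort=start+asc``), the auth header, and that the
    client is invoked with ``verify=True`` so certificate validation is not
    silently switched off by a transport change.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = '{"reason": "query_syntax_error"}'
    mock_requests_response.return_value = RequestMockResponse(
        200, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list("process_name:cmd.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 100, 2)

    assert results_response is not None
    assert 'success' in results_response
    # ``is True`` rather than ``== True`` (ruff E712): any truthy value would
    # satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is True
    # NOTE(review): ``timeout=None`` pins a call with no socket timeout, so a
    # hung server would block the transmitter indefinitely; revisit in the
    # transport and update this expectation alongside it.
    mock_requests_response.assert_called_with(
        'https://hostbla:8080/api/v1/process?q=process_name%3Acmd.exe&start=100&rows=2&sort=start+asc',
        cert=None, data=None, headers={'X-Auth-Token': 'bla'},
        timeout=None, verify=True)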
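def test_query_syntax_error_response(self, mock_requests_response):
    """A 400 with a JSON ``reason`` maps to the ``invalid_query`` error code.

    The query is deliberately unbalanced (``(process_name:cmd.exe``). The
    response is expected to fail, to surface the server's ``reason`` string
    as ``error`` (not the raw JSON body), and to carry ``code ==
    'invalid_query'``.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = '{"reason": "query_syntax_error"}'
    mock_requests_response.return_value = RequestMockResponse(
        400, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list("(process_name:cmd.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    # ``is False`` rather than ``== False`` (ruff E712): ``0``/``None``/``{}``
    # would satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is False
    assert 'error' in results_response
    assert results_response['error'] == "query_syntax_error"
    assert 'code' in results_response
    assert results_response['code'] == 'invalid_query'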
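def test_binary_bad_parameter_search_response(self, mock_requests_response):
    """A 500 with a plain-text body maps to the generic ``unknown`` code.

    The response must fail and the raw server body is expected to be passed
    through verbatim as ``error`` -- that is the current contract, so any
    sanitising or truncation of upstream error text would need this
    expectation updated too.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = "Unhandled exception. Check logs for details."
    mock_requests_response.return_value = RequestMockResponse(
        500, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list("process_name:cmd.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    # ``is False`` rather than ``== False`` (ruff E712): ``0``/``None``/``{}``
    # would satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is False
    assert 'error' in results_response
    assert results_response['error'] == mocked_return_value
    assert 'code' in results_response
    assert results_response['code'] == 'unknown'  # we may be able to return a better error code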
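def test_bad_token_response(self, mock_requests_response):
    """A 401 with an HTML body maps to the ``authentication_fail`` code.

    Simulates a rejected API token: the server's HTML error page is the
    whole body. The response must fail, surface that body verbatim as
    ``error``, and carry ``code == 'authentication_fail'`` so callers can
    distinguish a credential problem from a query or server error.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>401 Unauthorized</title> <h1>Unauthorized</h1> <p>The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.</p> """
    mock_requests_response.return_value = RequestMockResponse(
        401, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list("process_name:cmd.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    # ``is False`` rather than ``== False`` (ruff E712): ``0``/``None``/``{}``
    # would satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is False
    assert 'error' in results_response
    assert results_response['error'] == mocked_return_value
    assert 'code' in results_response
    assert results_response['code'] == 'authentication_fail'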
def test_one_results_response_limited(self, mock_requests_response):
    """The connection-level ``result_limit`` caps the rows in ``data``.

    Two replies are queued on the mock (process search first, then the
    events call) and a deep copy of the shared ``connection`` is given
    ``result_limit = 1``, so the search must come back successful with
    exactly one row. The shared fixture is copied rather than mutated so
    sibling tests keep seeing the original options.

    Args:
        mock_requests_response: patched HTTP call; ``side_effect`` supplies
            the queued responses in order.
    """
    process_body, events_body = \
        TestCarbonBlackEventsConnection._get_mock_process_and_events_data()
    mock_requests_response.side_effect = [
        RequestMockResponse(200, body.encode())
        for body in (process_body, events_body)
    ]

    limited_connection = deepcopy(connection)
    limited_connection['options']['result_limit'] = 1
    entry_point = EntryPoint(limited_connection, config)

    query_text = ("process_name:erl.exe and "
                  "last_update:[2021-03-15T16:20:00 TO 2021-03-15T16:30:00]")
    query_expression = self._create_query_list(query_text)[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    assert results_response['success']
    assert 'data' in results_response
    assert len(results_response['data']) == 1
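def test_transmit_limit_and_sort(self, mock_requests_response):
    """Offset, row count and sort order are passed as request ``params``.

    The mocked body is incidental; the point of the test is the
    ``assert_called_with`` at the end, which pins the base URL, the ordered
    ``params`` list (``start``, ``rows``, ``sort``), the auth header, a
    30-second timeout, and ``verify=True`` so certificate validation cannot
    be switched off by a transport change without this test noticing.

    NOTE(review): an earlier ``test_transmit_limit_and_sort`` (asserting a
    URL-encoded query string) also appears on this page; if both live in
    the same class, this definition shadows it and only one runs -- confirm.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = '{"reason": "query_syntax_error"}'
    mock_requests_response.return_value = RequestMockResponse(
        200, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list("process_name:cmd.exe")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 100, 2)

    assert results_response is not None
    assert 'success' in results_response
    # ``is True`` rather than ``== True`` (ruff E712): any truthy value would
    # satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is True
    # First positional argument (the HTTP verb/client handle) is not pinned.
    mock_requests_response.assert_called_with(
        ANY, 'https://hostbla:8080/api/v1/process',
        params=[('q', 'process_name:cmd.exe'), ('start', 100),
                ('rows', 2), ('sort', 'start asc')],
        data=None, headers={'X-Auth-Token': 'bla'},
        timeout=30, verify=True)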
def test_one_results_response(self, mock_requests_response):
    """An unlimited search returns every row, with event fields merged in.

    Two replies are queued on the mock (process search first, then the
    events call). The search must succeed with three rows, and the first
    row must expose both the process name and a ``modload_md5`` taken from
    the events reply.

    Args:
        mock_requests_response: patched HTTP call; ``side_effect`` supplies
            the queued responses in order.
    """
    process_body, events_body = \
        TestCarbonBlackEventsConnection._get_mock_process_and_events_data()
    mock_requests_response.side_effect = [
        RequestMockResponse(200, body.encode())
        for body in (process_body, events_body)
    ]
    entry_point = EntryPoint(connection, config)

    query_text = ("process_name:erl.exe and "
                  "last_update:[2021-03-15T16:20:00 TO 2021-03-15T16:30:00]")
    query_expression = self._create_query_list(query_text)[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    assert results_response['success']
    assert 'data' in results_response
    rows = results_response['data']
    assert len(rows) == 3

    first_row = rows[0]
    assert 'process_name' in first_row
    assert first_row['process_name'] == 'erl.exe'
    assert 'modload_md5' in first_row
    assert first_row['modload_md5'] == '450e6430481940a25e7b268dcc29a6d4'
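def test_one_results_response(self, mock_requests_response):
    """A 200 reply with a single process hit yields one row in ``data``.

    The mocked body is a full Carbon Black process-search document with one
    entry in ``results``. The response must succeed and ``data`` must hold
    exactly that one row with ``process_name == 'cmd.exe'``.

    NOTE(review): another ``test_one_results_response`` (the two-reply
    process + events variant) also appears on this page; if both live in
    the same class, this definition shadows it and only one runs -- confirm.

    Args:
        mock_requests_response: patched HTTP call; its ``return_value`` is
            the response the transmitter receives.
    """
    mocked_return_value = """ { "terms": [ "process_name:cmd.exe", "start:[2019-01-22T00:00:00 TO *]" ], "results": [ { "process_md5": "5746bd7e255dd6a8afa06f7c42c1ba41", "sensor_id": 49, "filtering_known_dlls": true, "modload_count": 3, "parent_unique_id": "00000031-0000-09cc-01d4-b1e61979dd7c-000000000001", "emet_count": 0, "alliance_score_srstrust": -100, "cmdline": "C:\\\\Windows\\\\system32\\\\cmd.exe /c tasklist", "alliance_updated_srstrust": "2018-04-05T16:04:34Z", "filemod_count": 0, "id": "00000031-0000-0768-01d4-b1e6197c3edd", "parent_name": "cmd.exe", "parent_md5": "000000000000000000000000000000", "group": "lab1", "parent_id": "00000031-0000-09cc-01d4-b1e61979dd7c", "hostname": "lab1-host1", "last_update": "2019-01-22T00:04:52.937Z", "start": "2019-01-22T00:04:52.875Z", "alliance_link_srstrust": "https://example.com", "comms_ip": 212262914, "regmod_count": 0, "interface_ip": 183439304, "process_pid": 1896, "username": "******", "terminated": true, "alliance_data_srstrust": [ "5746bd7e255dd6a8afa06f7c42c1ba41" ], "process_name": "cmd.exe", "emet_config": "", "last_server_update": "2019-01-22T00:07:07.064Z", "path": "c:\\\\windows\\\\system32\\\\cmd.exe", "netconn_count": 0, "parent_pid": 2508, "crossproc_count": 2, "segment_id": 1548115627056, "host_type": "workstation", "processblock_count": 0, "os_type": "windows", "childproc_count": 4, "unique_id": "00080031-0000-0748-01d4-b1e61c7c3edd-016872e1cb30" } ], "elapsed": 0.05147600173950195, "comprehensive_search": true, "all_segments": true, "total_results": 1, "highlights": [], "facets": {}, "tagged_pids": {}, "start": 0, "incomplete_results": false, "filtered": {} } """
    mock_requests_response.return_value = RequestMockResponse(
        200, mocked_return_value.encode())
    entry_point = EntryPoint(connection, config)
    query_expression = self._create_query_list(
        "process_name:cmd.exe start:[2019-01-22 TO *]")[0]
    results_response = entry_point.create_results_connection(
        query_expression, 0, 10)

    assert results_response is not None
    assert 'success' in results_response
    # ``is True`` rather than ``== True`` (ruff E712): any truthy value would
    # satisfy ``==``; the contract is a real boolean.
    assert results_response['success'] is True
    assert 'data' in results_response
    assert len(results_response['data']) == 1
    assert 'process_name' in results_response['data'][0]
    assert results_response['data'][0]['process_name'] == 'cmd.exe'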