def test_magic_registration(self, ip: TerminalInteractiveShell):
    """Register a magic from source and exercise it end to end.

    Runs MAGIC_DEFINITION as a cell, checks that the new magic shows up in
    the ``picatrixmagics`` listing, then invokes it and compares the
    returned string with the expected output.
    """
    result = ip.run_cell(raw_cell=MAGIC_DEFINITION)
    self.assertions.assertTrue(result.success)

    # The listing exposes a ``name`` column; the freshly registered
    # magic must appear in it.
    registered = ip.run_line_magic(magic_name='picatrixmagics', line='')
    matching = registered[registered.name == 'my_silly_magic']
    self.assertions.assertFalse(matching.empty)

    output = ip.run_line_magic(
        magic_name='my_silly_magic',
        line='--magnitude 23 this is my string')
    self.assertions.assertEqual(
        output,
        'This magical magic produced 23 magics of this is my string')
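def test_context_date(self, ip: TerminalInteractiveShell):
    """Test querying for context surrounding a date.

    Asks for ten minutes of context around a fixed timestamp and checks
    that the result is non-trivial, that the logon events
    (event_identifier 4624) include two known accounts, and that the
    returned rows span the requested ten-minute window.
    """
    _ = self._get_sketch(ip)
    df = ip.run_line_magic(
        magic_name='timesketch_context_date',
        line=(
            '--minutes 10 --fields datetime,message,data_type,event_identifier'
            ',username,workstation 2020-09-18T22:24:36'))
    self.assertions.assertTrue(df.shape[0] > 5000)

    logon_df = df[df.event_identifier == 4624]
    logged_in_users = list(logon_df.username.unique())
    self.assertions.assertTrue('Administrator' in logged_in_users)
    self.assertions.assertTrue('DWM-1' in logged_in_users)

    # Sort a copy rather than mutating ``df`` in place; only the
    # first/last timestamps are needed from the ordered frame.
    by_time = df.sort_values('datetime')
    first_time = by_time.iloc[0].datetime
    last_time = by_time.iloc[-1].datetime
    delta_rounded = (last_time - first_time).round('min')
    # A ten-minute window should span exactly 600 seconds once rounded.
    # assertEqual (used elsewhere in this file) reports the actual value
    # on failure, unlike assertTrue(a == b).
    self.assertions.assertEqual(delta_rounded.total_seconds(), 600.0)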
def test_list_views(self, ip: TerminalInteractiveShell):
    """Check the view listing of the active sketch against a fixed set."""
    _ = self._get_sketch(ip)
    views = ip.run_line_magic(magic_name='timesketch_list_views', line='')
    # Keys are "<id>:<name>" strings; compare as sets so order is ignored.
    expected_keys = {
        '18:Szechuan Hits',
        '19:Szechuan All Hits',
        '16:email_addresses',
    }
    actual_keys = set(views.keys())
    self.assertions.assertEqual(actual_keys, expected_keys)
def test_list_saved_searches(self, ip: TerminalInteractiveShell):
    """Check the saved-search listing of the active sketch against a fixed set."""
    _ = self._get_sketch(ip)
    saved = ip.run_line_magic(
        magic_name='timesketch_list_saved_searches', line='')
    # Keys are "<id>:<name>" strings; compare as sets so order is ignored.
    expected_keys = {
        '18:Szechuan Hits',
        '19:Szechuan All Hits',
        '16:email_addresses',
        '128:Wifitask',
        '140:Windows Crash activity',
        '139:SSH session view',
        '138:Sigma Rule matches',
    }
    actual_keys = set(saved.keys())
    self.assertions.assertEqual(actual_keys, expected_keys)
def test_query_data(self, ip: TerminalInteractiveShell):
    """Run a search on the sketch and compare the returned origins with a known set."""
    _ = self._get_sketch(ip)
    query = (
        '--fields datetime,origin,message,hostname,name secret AND '
        'data_type:"windows:shell_item:file_entry"')
    df = ip.run_line_magic(magic_name='timesketch_query', line=query)

    # At least one hit must come from this particular shortcut file.
    beth_rows = df[df.origin == 'Beth_Secret.lnk']
    self.assertions.assertTrue(beth_rows.shape[0] > 0)

    # The full set of origins is pinned to the test fixture's contents.
    expected_origins = {
        '9b9cdc69c1c24e2b.automaticDestinations-ms',
        'Beth_Secret.lnk',
        'HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software'
        '\\Microsoft\\Windows\\Shell\\BagMRU\\0\\0\\0',
        'NoJerry.lnk',
        'PortalGunPlans.lnk',
        'SECRET_beth.lnk',
        'Secret.lnk',
        'Szechuan Sauce.lnk',
        'f01b4d95cf55d32a.automaticDestinations-ms',
    }
    actual_origins = set(df.origin.unique())
    self.assertions.assertSetEqual(actual_origins, expected_origins)
def test_picatrixmagics(self, ip: TerminalInteractiveShell):
    """Check that the magic listing is populated with more than ten entries."""
    listing = ip.run_line_magic(magic_name='picatrixmagics', line='')
    self.assertions.assertFalse(listing.empty)
    row_count = listing.shape[0]
    self.assertions.assertTrue(row_count > 10)
def _get_sketch(self, ip: TerminalInteractiveShell) -> sketch.Sketch:
    """Set up the client, activate sketch 6 and return the sketch object."""
    self._setup_client(ip)
    # The sketch id is fixed by the test fixture.
    ip.run_line_magic(magic_name='timesketch_set_active_sketch', line='6')
    active = ip.run_line_magic(magic_name='timesketch_get_sketch', line='')
    return active