def create_event_filter_by_cursor_test(): """ Test that we create a correct event filter from an existing cursor """ valid_cursor = "1234567890:1234567890" invalid_cursors = ["1234567890:", ":1234567890", ":", "", " ", "1234567890a:1234567890", "1234567890:a1234567890", "1234567890a:a1234567890", "1234567890::1234567890" ] event_filter = c42api.create_filter_by_cursor(valid_cursor) assert event_filter == {'cursor':valid_cursor} for invalid_cursor in invalid_cursors: try: c42api.create_filter_by_cursor(invalid_cursor) assert False except ValueError: pass
def create_event_filter_by_cursor_test(): """ Test that we create a correct event filter from an existing cursor """ valid_cursor = "1234567890:1234567890" invalid_cursors = [ "1234567890:", ":1234567890", ":", "", " ", "1234567890a:1234567890", "1234567890:a1234567890", "1234567890a:a1234567890", "1234567890::1234567890" ] event_filter = c42api.create_filter_by_cursor(valid_cursor) assert event_filter == {'cursor': valid_cursor} for invalid_cursor in invalid_cursors: try: c42api.create_filter_by_cursor(invalid_cursor) assert False except ValueError: pass
def fetch_detection_events_test(): """ Test we fetch detection events in an expected way """ cursor_string = generate_cursor() device_guids = [1, 2, 3] event_filters = ['word'] * 3 guids_and_filters = zip(device_guids, event_filters) expected_results = {} for device_guid in device_guids: expected_results[str(device_guid)] = [ 'word', generate_detection_events(random.randint(1, 20)) ] event_filter = c42api.create_filter_by_cursor(cursor_string) def mock_fetch_detection_events_for_device(server, device_guid, event_filter): """ Mock Func """ return expected_results[str(device_guid)][0], expected_results[str( device_guid)][1] def mock_fetch_security_plan(server, device_guid): """ Mock Func """ return {'planUid': 12312123} def mock_storage_servers(authority, plan_uids=None, device_guid=None): """ Mock Func """ return basic_server(), 1232 c42api.security_event_restore._fetch_detection_events_for_device = mock_fetch_detection_events_for_device c42api.security_event_restore._fetch_security_plan = mock_fetch_security_plan c42api.security_event_restore.fetch_storage.storage_servers = mock_storage_servers for device_guid, cursor, detection_events in c42api.fetch_detection_events( basic_server(), guids_and_filters): assert (device_guid in device_guids and cursor == expected_results[str(device_guid)][0] and detection_events == expected_results[str(device_guid)][1])
def fetch_detection_events_test(): """ Test we fetch detection events in an expected way """ cursor_string = generate_cursor() device_guids = [1, 2, 3] event_filters = ['word'] * 3 guids_and_filters = zip(device_guids, event_filters) expected_results = {} for device_guid in device_guids: expected_results[str(device_guid)] = [ 'word', generate_detection_events(random.randint(1, 20)) ] event_filter = c42api.create_filter_by_cursor(cursor_string) def mock_fetch_detection_events_for_device(server, device_guid, event_filter): """ Mock Func """ return expected_results[str(device_guid)][0], expected_results[str(device_guid)][1] def mock_fetch_security_plan(server, device_guid): """ Mock Func """ return {'planUid':12312123} def mock_storage_servers(authority, plan_uids=None, device_guid=None): """ Mock Func """ return basic_server(), 1232 c42api.security_event_restore._fetch_detection_events_for_device = mock_fetch_detection_events_for_device c42api.security_event_restore._fetch_security_plan = mock_fetch_security_plan c42api.security_event_restore.fetch_storage.storage_servers = mock_storage_servers for device_guid, cursor, detection_events in c42api.fetch_detection_events(basic_server(), guids_and_filters): assert (device_guid in device_guids and cursor == expected_results[str(device_guid)][0] and detection_events == expected_results[str(device_guid)][1])
def _run(): """ Run through Splunk """ server, config_dict = common.setup() events_dir = os.path.join(common.app_home(), 'events') cursor_path = os.path.join(events_dir, 'security-lastRun') if not os.path.exists(events_dir): os.makedirs(events_dir) devices = config_dict['devices'] device_guids = c42api.devices(server, devices) cursors_dict = _try_read_cursor(cursor_path) event_filters = [] for device_guid in device_guids: try: cursor = cursors_dict[device_guid] event_filter = c42api.create_filter_by_cursor(cursor) event_filters.append(event_filter) except (KeyError, TypeError): event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow()) event_filters.append(event_filter) guids_and_filters = zip(device_guids, event_filters) cursors_dict = cursors_dict if cursors_dict else {} for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters): if not cursor or not detection_events: continue cursors_dict[guid] = cursor c42api.write_json_splunk(sys.stdout, detection_events) _write_cursor(cursor_path, cursors_dict)