예제 #1
0
def test_query_device_do_update_policy(monkeypatch):
    _was_called = False

    def _update_policy(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/device_actions"
        assert body == {
            "action_type": "UPDATE_POLICY",
            "search": {
                "query": "foobar",
                "criteria": {},
                "exclusions": {}
            },
            "options": {
                "policy_id": 8675309
            }
        }
        _was_called = True
        return StubResponse(None, 204)

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_update_policy)
    api.select(Device).where("foobar").update_policy(8675309)
    assert _was_called
예제 #2
0
def test_query_device_invalid_sort_direction():
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    with pytest.raises(ApiError):
        api.select(Device).sort_by("policy_name", "BOGUS")
예제 #3
0
def test_query_device_do_update_sensor_version(monkeypatch):
    _was_called = False

    def _update_sensor_version(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/device_actions"
        assert body == {
            "action_type": "UPDATE_SENSOR_VERSION",
            "search": {
                "query": "foobar",
                "criteria": {},
                "exclusions": {}
            },
            "options": {
                "sensor_version": {
                    "RHEL": "2.3.4.5"
                }
            }
        }
        _was_called = True
        return StubResponse(None, 204)

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_update_sensor_version)
    api.select(Device).where("foobar").update_sensor_version(
        {"RHEL": "2.3.4.5"})
    assert _was_called
예제 #4
0
def test_query_vmwarealert_invalid_group_ids():
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    with pytest.raises(ApiError):
        api.select(VMwareAlert).set_group_ids(["Bogus"])
예제 #5
0
def test_query_device_do_quarantine(monkeypatch):
    _was_called = False

    def _quarantine(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/device_actions"
        assert body == {
            "action_type": "QUARANTINE",
            "search": {
                "query": "foobar",
                "criteria": {},
                "exclusions": {}
            },
            "options": {
                "toggle": "ON"
            }
        }
        _was_called = True
        return StubResponse(None, 204)

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_quarantine)
    api.select(Device).where("foobar").quarantine(True)
    assert _was_called
예제 #6
0
def test_query_watchlistalert_invalid_criteria_values():
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    with pytest.raises(ApiError):
        api.select(WatchlistAlert).set_watchlist_ids([888])
    with pytest.raises(ApiError):
        api.select(WatchlistAlert).set_watchlist_names([69])
예제 #7
0
def test_alerts_bulk_dismiss_vmware(monkeypatch):
    _was_called = False

    def _do_dismiss(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/alerts/vmware/workflow/_criteria"
        assert body == {
            "query": "Blort",
            "state": "DISMISSED",
            "remediation_state": "Fixed",
            "comment": "Yessir",
            "criteria": {
                "device_name": ["HAL9000"]
            }
        }
        _was_called = True
        return StubResponse({"request_id": "497ABX"})

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_do_dismiss)
    q = api.select(VMwareAlert).where("Blort").set_device_names(["HAL9000"])
    reqid = q.dismiss("Fixed", "Yessir")
    assert _was_called
    assert reqid == "497ABX"
예제 #8
0
def test_load_workflow(monkeypatch):
    _was_called = False

    def _get_workflow(url, parms=None, default=None):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/workflow/status/497ABX"
        _was_called = True
        return {
            "errors": [],
            "failed_ids": [],
            "id": "497ABX",
            "num_hits": 0,
            "num_success": 0,
            "status": "QUEUED",
            "workflow": {
                "state": "DISMISSED",
                "remediation": "Fixed",
                "comment": "Yessir",
                "changed_by": "Robocop",
                "last_update_time": "2019-10-31T16:03:13.951Z"
            }
        }

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, GET=_get_workflow)
    workflow = api.select(WorkflowStatus, "497ABX")
    assert _was_called
    assert workflow.id_ == "497ABX"
예제 #9
0
def test_query_device_invalid_criteria_values():
    tests = [{
        "method": "set_ad_group_ids",
        "arg": ["Bogus"]
    }, {
        "method": "set_policy_ids",
        "arg": ["Bogus"]
    }, {
        "method": "set_os",
        "arg": ["COMMODORE_64"]
    }, {
        "method": "set_status",
        "arg": ["Bogus"]
    }, {
        "method": "set_target_priorities",
        "arg": ["Bogus"]
    }, {
        "method": "set_exclude_sensor_versions",
        "arg": [12703]
    }]
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    query = api.select(Device)
    for t in tests:
        meth = getattr(query, t["method"], None)
        with pytest.raises(ApiError):
            meth(t["arg"])
예제 #10
0
def test_query_device_download(monkeypatch):
    _was_called = False

    def _run_download(url, query_params, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/devices/_search/download"
        assert query_params == {
            "status": "ALL",
            "ad_group_id": "14,25",
            "policy_id": "8675309",
            "target_priority": "HIGH",
            "query_string": "foobar",
            "sort_field": "name",
            "sort_order": "DESC"
        }
        _was_called = True
        return "123456789,123456789,123456789"

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, RAW_GET=_run_download)
    rc = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_policy_ids([8675309]) \
        .set_status(["ALL"]).set_target_priorities(["HIGH"]).sort_by("name", "DESC").download()
    assert _was_called
    assert rc == "123456789,123456789,123456789"
예제 #11
0
def test_query_watchlistalert_facets(monkeypatch):
    _was_called = False

    def _run_facet_query(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_facet"
        assert body == {
            "query": "Blort",
            "criteria": {
                "workflow": ["OPEN"]
            },
            "terms": {
                "rows": 0,
                "fields": ["REPUTATION", "STATUS"]
            }
        }
        _was_called = True
        return StubResponse({
            "results": [{
                "field": {},
                "values": [{
                    "id": "reputation",
                    "name": "reputationX",
                    "total": 4
                }]
            }, {
                "field": {},
                "values": [{
                    "id": "status",
                    "name": "statusX",
                    "total": 9
                }]
            }]
        })

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_run_facet_query)
    query = api.select(WatchlistAlert).where("Blort").set_workflows(["OPEN"])
    f = query.facets(["REPUTATION", "STATUS"])
    assert _was_called
    assert f == [{
        "field": {},
        "values": [{
            "id": "reputation",
            "name": "reputationX",
            "total": 4
        }]
    }, {
        "field": {},
        "values": [{
            "id": "status",
            "name": "statusX",
            "total": 9
        }]
    }]
예제 #12
0
def test_query_device_do_uninstall_sensor(monkeypatch):
    _was_called = False

    def _uninstall_sensor(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/device_actions"
        assert body == {
            "action_type": "UNINSTALL_SENSOR",
            "search": {
                "query": "foobar",
                "criteria": {},
                "exclusions": {}
            }
        }
        _was_called = True
        return StubResponse(None, 204)

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_uninstall_sensor)
    api.select(Device).where("foobar").uninstall_sensor()
    assert _was_called
예제 #13
0
def test_query_device_invalid_last_contact_time_combinations():
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    with pytest.raises(ApiError):
        api.select(Device).set_last_contact_time()
    with pytest.raises(ApiError):
        api.select(Device).set_last_contact_time(start="2019-09-30T12:34:56",
                                                 end="2019-10-01T12:00:12",
                                                 range="-3w")
    with pytest.raises(ApiError):
        api.select(Device).set_last_contact_time(start="2019-09-30T12:34:56",
                                                 range="-3w")
    with pytest.raises(ApiError):
        api.select(Device).set_last_contact_time(end="2019-10-01T12:00:12",
                                                 range="-3w")
예제 #14
0
def test_query_device_with_all_bells_and_whistles(monkeypatch):
    _was_called = False

    def _run_query(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/devices/_search"
        assert body == {
            "query": "foobar",
            "criteria": {
                "ad_group_id": [14, 25],
                "os": ["LINUX"],
                "policy_id": [8675309],
                "status": ["ALL"],
                "target_priority": ["HIGH"]
            },
            "exclusions": {
                "sensor_version": ["0.1"]
            },
            "sort": [{
                "field": "name",
                "order": "DESC"
            }]
        }
        _was_called = True
        return StubResponse({
            "results": [{
                "id": 6023,
                "organization_name": "thistestworks"
            }],
            "num_found":
            1
        })

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_run_query)
    query = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_os(["LINUX"]) \
        .set_policy_ids([8675309]).set_status(["ALL"]).set_target_priorities(["HIGH"]) \
        .set_exclude_sensor_versions(["0.1"]).sort_by("name", "DESC")
    d = query.one()
    assert _was_called
    assert d.id == 6023
    assert d.organization_name == "thistestworks"
예제 #15
0
def test_get_device(monkeypatch):
    _was_called = False

    def _get_device(url):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/devices/6023"
        _was_called = True
        return {"device_id": 6023, "organization_name": "thistestworks"}

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, GET=_get_device)
    rc = api.select(Device, 6023)
    assert _was_called
    assert isinstance(rc, Device)
    assert rc.device_id == 6023
    assert rc.organization_name == "thistestworks"
예제 #16
0
def test_query_basealert_with_create_time_as_start_end(monkeypatch):
    _was_called = False

    def _run_query(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/alerts/_search"
        assert body == {
            "query": "Blort",
            "criteria": {
                "create_time": {
                    "start": "2019-09-30T12:34:56",
                    "end": "2019-10-01T12:00:12"
                }
            }
        }
        _was_called = True
        return StubResponse({
            "results": [{
                "id": "S0L0",
                "org_key": "Z100",
                "threat_id": "B0RG",
                "workflow": {
                    "state": "OPEN"
                }
            }],
            "num_found":
            1
        })

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_run_query)
    query = api.select(BaseAlert).where("Blort").set_create_time(
        start="2019-09-30T12:34:56", end="2019-10-01T12:00:12")
    a = query.one()
    assert _was_called
    assert a.id == "S0L0"
    assert a.org_key == "Z100"
    assert a.threat_id == "B0RG"
    assert a.workflow_.state == "OPEN"
예제 #17
0
def test_query_cbanalyticsalert_invalid_criteria_values():
    tests = [{
        "method": "set_blocked_threat_categories",
        "arg": ["MINOR"]
    }, {
        "method": "set_device_locations",
        "arg": ["NARNIA"]
    }, {
        "method": "set_kill_chain_statuses",
        "arg": ["SPAWN_COPIES"]
    }, {
        "method": "set_not_blocked_threat_categories",
        "arg": ["MINOR"]
    }, {
        "method": "set_policy_applied",
        "arg": ["MAYBE"]
    }, {
        "method": "set_reason_code",
        "arg": [55]
    }, {
        "method": "set_run_states",
        "arg": ["MIGHT_HAVE"]
    }, {
        "method": "set_sensor_actions",
        "arg": ["FLIP_A_COIN"]
    }, {
        "method": "set_threat_cause_vectors",
        "arg": ["NETWORK"]
    }]
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    query = api.select(CBAnalyticsAlert)
    for t in tests:
        meth = getattr(query, t["method"], None)
        with pytest.raises(ApiError):
            meth(t["arg"])
예제 #18
0
def test_query_device_with_last_contact_time_as_start_end(monkeypatch):
    _was_called = False

    def _run_query(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/devices/_search"
        assert body == {
            "query": "foobar",
            "criteria": {
                "last_contact_time": {
                    "start": "2019-09-30T12:34:56",
                    "end": "2019-10-01T12:00:12"
                }
            },
            "exclusions": {}
        }
        _was_called = True
        return StubResponse({
            "results": [{
                "id": 6023,
                "organization_name": "thistestworks"
            }],
            "num_found":
            1
        })

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_run_query)
    query = api.select(Device).where("foobar") \
        .set_last_contact_time(start="2019-09-30T12:34:56", end="2019-10-01T12:00:12")
    d = query.one()
    assert _was_called
    assert d.id == 6023
    assert d.organization_name == "thistestworks"
예제 #19
0
def test_query_basealert_invalid_criteria_values():
    tests = [
        {
            "method": "set_categories",
            "arg": ["DOUBLE_DARE"]
        },
        {
            "method": "set_device_ids",
            "arg": ["Bogus"]
        },
        {
            "method": "set_device_names",
            "arg": [42]
        },
        {
            "method": "set_device_os",
            "arg": ["TI994A"]
        },
        {
            "method": "set_device_os_versions",
            "arg": [8808]
        },
        {
            "method": "set_device_username",
            "arg": [-1]
        },
        {
            "method": "set_alert_ids",
            "arg": [9001]
        },
        {
            "method": "set_legacy_alert_ids",
            "arg": [9001]
        },
        {
            "method": "set_policy_ids",
            "arg": ["Bogus"]
        },
        {
            "method": "set_policy_names",
            "arg": [323]
        },
        {
            "method": "set_process_names",
            "arg": [7071]
        },
        {
            "method": "set_process_sha256",
            "arg": [123456789]
        },
        {
            "method": "set_reputations",
            "arg": ["MICROSOFT_FUDWARE"]
        },
        {
            "method": "set_tags",
            "arg": [-1]
        },
        {
            "method": "set_target_priorities",
            "arg": ["DOGWASH"]
        },
        {
            "method": "set_threat_ids",
            "arg": [4096]
        },
        {
            "method": "set_types",
            "arg": ["ERBOSOFT"]
        },
        {
            "method": "set_workflows",
            "arg": ["IN_LIMBO"]
        },
    ]
    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    query = api.select(BaseAlert)
    for t in tests:
        meth = getattr(query, t["method"], None)
        with pytest.raises(ApiError):
            meth(t["arg"])
예제 #20
0
def test_query_basealert_with_all_bells_and_whistles(monkeypatch):
    _was_called = False

    def _run_query(url, body, **kwargs):
        nonlocal _was_called
        assert url == "/appservices/v6/orgs/Z100/alerts/_search"
        assert body == {
            "query": "Blort",
            "criteria": {
                "category": ["SERIOUS", "CRITICAL"],
                "device_id": [6023],
                "device_name": ["HAL"],
                "device_os": ["LINUX"],
                "device_os_version": ["0.1.2"],
                "device_username": ["JRN"],
                "group_results": True,
                "id": ["S0L0"],
                "legacy_alert_id": ["S0L0_1"],
                "minimum_severity": 6,
                "policy_id": [8675309],
                "policy_name": ["Strict"],
                "process_name": ["IEXPLORE.EXE"],
                "process_sha256": ["0123456789ABCDEF0123456789ABCDEF"],
                "reputation": ["SUSPECT_MALWARE"],
                "tag": ["Frood"],
                "target_value": ["HIGH"],
                "threat_id": ["B0RG"],
                "type": ["WATCHLIST"],
                "workflow": ["OPEN"]
            },
            "sort": [{
                "field": "name",
                "order": "DESC"
            }]
        }
        _was_called = True
        return StubResponse({
            "results": [{
                "id": "S0L0",
                "org_key": "Z100",
                "threat_id": "B0RG",
                "workflow": {
                    "state": "OPEN"
                }
            }],
            "num_found":
            1
        })

    api = CbPSCBaseAPI(url="https://example.com",
                       token="ABCD/1234",
                       org_key="Z100",
                       ssl_verify=True)
    patch_cbapi(monkeypatch, api, POST=_run_query)
    query = api.select(BaseAlert).where("Blort").set_categories(["SERIOUS", "CRITICAL"]).set_device_ids([6023]) \
        .set_device_names(["HAL"]).set_device_os(["LINUX"]).set_device_os_versions(["0.1.2"]) \
        .set_device_username(["JRN"]).set_group_results(True).set_alert_ids(["S0L0"]) \
        .set_legacy_alert_ids(["S0L0_1"]).set_minimum_severity(6).set_policy_ids([8675309]) \
        .set_policy_names(["Strict"]).set_process_names(["IEXPLORE.EXE"]) \
        .set_process_sha256(["0123456789ABCDEF0123456789ABCDEF"]).set_reputations(["SUSPECT_MALWARE"]) \
        .set_tags(["Frood"]).set_target_priorities(["HIGH"]).set_threat_ids(["B0RG"]).set_types(["WATCHLIST"]) \
        .set_workflows(["OPEN"]).sort_by("name", "DESC")
    a = query.one()
    assert _was_called
    assert a.id == "S0L0"
    assert a.org_key == "Z100"
    assert a.threat_id == "B0RG"
    assert a.workflow_.state == "OPEN"