def test_format_includes_os_hostname_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``shost`` set to the mock record's OS hostname."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    # The fixture value contains an apostrophe, so this also exercises a
    # non-trivial extension value surviving formatting.
    assert key_value_pair_in_cef_extension("shost", "Test's MacBook Air", cef_out)
def test_format_includes_user_uid_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``suid`` set to the mock record's user UID."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("suid", "912338501981077099", cef_out)
def test_format_includes_correct_event_name_and_signature_id_for_deleted(
    self, mock_file_event_log_record
):
    """Assert a ``DELETED`` event is emitted with signature id ``C42202``."""
    deleted = "DELETED"
    # Override the fixture's event type in place before formatting.
    mock_file_event_log_record.msg["eventType"] = deleted
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    assert event_name_assigned_correct_signature_id(deleted, "C42202", cef_out)
def test_format_includes_correct_event_name_and_signature_id_for_read_by_app(
    self, mock_file_event_log_record
):
    """Assert a ``READ_BY_APP`` event is emitted with signature id ``C42203``."""
    read_by_app = "READ_BY_APP"
    # Override the fixture's event type in place before formatting.
    mock_file_event_log_record.msg["eventType"] = read_by_app
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    assert event_name_assigned_correct_signature_id(read_by_app, "C42203", cef_out)
def test_format_includes_domain_name_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``dvchost`` set to the mock record's domain name."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    # NOTE(review): the fixture's "domain name" is an IP literal; the test
    # only checks pass-through, not that the value is a hostname.
    assert key_value_pair_in_cef_extension("dvchost", "192.168.0.3", cef_out)
def test_format_includes_source_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``sourceServiceName`` set to the mock record's source."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("sourceServiceName", "Endpoint", cef_out)
def test_format_includes_event_id_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``externalId`` set to the mock record's event id."""
    event_id = (
        "0_1d71796f-af5b-4231-9d8e-df6434da4663_912339407325443353_918253081700247636_16"
    )
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("externalId", event_id, cef_out)
def test_format_includes_device_uid_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``deviceExternalId`` set to the mock record's device UID."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("deviceExternalId", "912339407325443353", cef_out)
def test_format_includes_exposure_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``reason`` set to the mock record's exposure type."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("reason", "ApplicationRead", cef_out)
def test_format_includes_process_name_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``sproc`` set to the mock record's process path."""
    process_path = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    # Value contains spaces and slashes; the check confirms it is carried intact.
    assert key_value_pair_in_cef_extension("sproc", process_path, cef_out)
def test_format_includes_file_category_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``fileType`` set to the mock record's file category."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("fileType", "UNCATEGORIZED", cef_out)
def test_format_includes_file_size_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``fsize`` set to the mock record's file size."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    # The expected value is the string form of the size, as it appears in the extension.
    assert key_value_pair_in_cef_extension("fsize", "86", cef_out)
def test_format_includes_file_path_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``filePath`` set to the mock record's file path."""
    file_path = (
        "/Users/testtesterson/Downloads/About Downloads.lpdf/Contents/Resources/English.lproj/"
    )
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("filePath", file_path, cef_out)
def test_format_includes_md5_checksum_if_present(self, mock_file_event_log_record):
    """Assert the CEF extension carries ``fileHash`` set to the mock record's MD5 checksum."""
    formatter = FileEventDictToCEFFormatter()
    cef_out = formatter.format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension(
        "fileHash", "19b92e63beb08c27ab4489fcfefbbe44", cef_out
    )
def _get_formatter(output_format):
    """Return the file-event formatter instance selected by *output_format*.

    ``FileEventsOutputFormat.JSON`` and ``FileEventsOutputFormat.CEF`` map to
    their dedicated formatters; any other value falls back to the raw-JSON
    formatter.
    """
    if output_format == FileEventsOutputFormat.JSON:
        return FileEventDictToJSONFormatter()
    if output_format == FileEventsOutputFormat.CEF:
        return FileEventDictToCEFFormatter()
    # Default: anything unrecognised is emitted as raw JSON.
    return FileEventDictToRawJSONFormatter()
def test_format_uses_correct_product_name(self, mock_file_event_log_record):
    """Assert a ``default_product_name`` override lands in the CEF header's product field."""
    product = "Security Parser Formatter Extractor Thingamabob"
    formatter = FileEventDictToCEFFormatter(default_product_name=product)
    header_fields = get_cef_parts(formatter.format(mock_file_event_log_record))
    # Index 2 is the Device Product field of the pipe-delimited CEF header.
    assert header_fields[2] == product
def test_format_uses_correct_severity(self, mock_file_event_log_record):
    """Assert a ``default_severity_level`` override lands in the CEF header's severity field."""
    severity = "7"
    formatter = FileEventDictToCEFFormatter(default_severity_level=severity)
    header_fields = get_cef_parts(formatter.format(mock_file_event_log_record))
    # Index 6 is the Severity field of the pipe-delimited CEF header.
    assert header_fields[6] == severity
def test_format_includes_public_ip_address_if_present(
    self, mock_file_event_log_record
):
    """Assert the CEF extension carries ``src`` set to the mock record's public IP."""
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    assert key_value_pair_in_cef_extension("src", "71.34.4.22", cef_out)
def test_format_includes_email_sender_if_present(
    self, mock_file_event_email_event_log_record
):
    """Assert an email event's sender is emitted as ``suser`` in the CEF extension."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_email_event_log_record
    )
    assert key_value_pair_in_cef_extension("suser", "TEST_EMAIL_SENDER", cef_out)
def test_format_includes_window_title_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's window title is emitted as ``requestClientApplication``."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension(
        "requestClientApplication", "TEST_WINDOW_TITLE", cef_out
    )
def test_format_includes_email_recipients_if_present(
    self, mock_file_event_email_event_log_record
):
    """Assert an email event's recipients are emitted as a comma-joined ``duser`` value."""
    recipients = "[email protected],[email protected]"
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_email_event_log_record
    )
    assert key_value_pair_in_cef_extension("duser", recipients, cef_out)
def test_format_includes_shared_with_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's shared-with list is emitted as a comma-joined ``duser`` value."""
    shared_with = "[email protected],[email protected]"
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension("duser", shared_with, cef_out)
def test_format_includes_tab_url_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's tab URL is emitted as ``request`` in the CEF extension."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension("request", "TEST_TAB_URL", cef_out)
def test_format_includes_insertion_timestamp_if_present(
    self, mock_file_event_log_record
):
    """Assert the mock record's insertion timestamp is emitted as ``rt`` in the CEF extension."""
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    # Expected value is the epoch-milliseconds string present in the fixture.
    assert key_value_pair_in_cef_extension("rt", "1568069262724", cef_out)
def test_format_includes_cloud_drive_id_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's drive id is emitted as ``aid`` in the CEF extension."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension("aid", "TEST_CLOUD_DRIVE_ID", cef_out)
def test_format_includes_url_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's URL is emitted as ``filePath`` in the CEF extension."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension("filePath", "https://www.example.com", cef_out)
def test_format_includes_modify_timestamp_if_present(
    self, mock_file_event_log_record
):
    """Assert the mock record's modify timestamp is emitted as ``fileModificationTime``."""
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    # Expected value is the epoch-milliseconds string present in the fixture.
    assert key_value_pair_in_cef_extension(
        "fileModificationTime", "1355886008000", cef_out
    )
def test_format_includes_create_timestamp_if_present(
    self, mock_file_event_log_record
):
    """Assert the mock record's create timestamp is emitted as ``fileCreateTime``."""
    cef_out = FileEventDictToCEFFormatter().format(mock_file_event_log_record)
    # Expected value is the epoch-milliseconds string present in the fixture.
    assert key_value_pair_in_cef_extension("fileCreateTime", "1342923569000", cef_out)
def test_format_includes_sync_destination_if_present(
    self, mock_file_event_cloud_activity_event_log_record
):
    """Assert a cloud-activity event's sync destination is emitted as ``destinationServiceName``."""
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_cloud_activity_event_log_record
    )
    assert key_value_pair_in_cef_extension(
        "destinationServiceName", "TEST_SYNC_DESTINATION", cef_out
    )
def test_format_includes_removable_media_serial_number_label_if_present(
    self, mock_file_event_removable_media_event_log_record
):
    """Assert a removable-media event labels custom string 4 as the media serial number.

    CEF custom-string fields carry a companion ``csNLabel`` key naming what
    the value holds; this checks the label for ``cs4``.
    """
    cef_out = FileEventDictToCEFFormatter().format(
        mock_file_event_removable_media_event_log_record
    )
    assert key_value_pair_in_cef_extension(
        "cs4Label", "Code42AEDRemovableMediaSerialNumber", cef_out
    )