def test_CEF_formatter_converts_to_expected_string(self):
    """The first CEF line rendered from the fixture frame must match byte-for-byte."""
    # NOTE(review): the "[email protected]" token inside the expected string looks like
    # an e-mail address mangled by page extraction (presumably the suser= extension);
    # confirm the fixture value before relying on this assertion.
    expected_line = "CEF:0|Code42|Advanced Exfiltration Detection|1|C42203|READ_BY_APP|5|externalId=0_1d71796f-af5b-4231-9d8e-df6434da4663_912339407325443353_918253081700247636_16 end=1567996943851 rt=1568069262724 filePath=/Users/testtesterson/Downloads/About Downloads.lpdf/Contents/Resources/English.lproj/ fname=InfoPlist.strings fileType=UNCATEGORIZED fsize=86 fileHash=19b92e63beb08c27ab4489fcfefbbe44 fileCreateTime=1342923569000 fileModificationTime=1355886008000 [email protected] shost=Test's MacBook Air dvchost=192.168.0.3 src=71.34.4.22 deviceExternalId=912339407325443353 suid=912338501981077099 sourceServiceName=Endpoint reason=ApplicationRead spriv=testtesterson sproc=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome\n"
    cef_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CEF)
    # get_formatted_output yields lines lazily; only the first one is checked here.
    rendered_lines = cef_formatter.get_formatted_output(self.test_df)
    assert next(rendered_lines) == expected_line
def test_format_when_unknown_format_raises_CLI_error(self):
    """An unrecognised format name is rejected by the constructor and by the output path."""
    bogus_format = "NOT_A_FORMAT"
    # Rejected up front when the formatter is built.
    with pytest.raises(Code42CLIError):
        FileEventsOutputFormatter(bogus_format)
    # Rejected again when a valid formatter is later pointed at a bad format; the
    # list(...) call consumes the generator so any error raised while formatting
    # surfaces inside the pytest.raises block.
    with pytest.raises(Code42CLIError):
        json_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.JSON)
        json_formatter.output_format = bogus_format
        list(json_formatter.get_formatted_output(self.test_df))
def search(
    state,
    format,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    columns,
    include_all,
    **kwargs,
):
    """Search for file events.

    Rejects ``--columns`` for CEF output, fills in the default table columns when
    neither ``--columns`` nor ``--include-all`` was given, wires up a checkpoint
    cursor when ``use_checkpoint`` names one, and echoes the resulting dataframes
    through ``FileEventsOutputFormatter``.
    """
    if columns and format == FileEventsOutputFormat.CEF:
        raise click.BadOptionUsage(
            "columns", "--columns option can't be used with CEF format."
        )

    # Table output with no explicit column selection gets a curated default set.
    if format == OutputFormat.TABLE and not (columns or include_all):
        columns = [
            "fileName",
            "filePath",
            "eventType",
            "eventTimestamp",
            "fileCategory",
            "fileSize",
            "fileOwner",
            "md5Checksum",
            "sha256Checksum",
            "riskIndicators",
            "riskSeverity",
        ]

    checkpoint = None
    checkpoint_func = None
    if use_checkpoint:
        cursor = _get_file_event_cursor_store(state.profile.name)
        checkpoint = _handle_timestamp_checkpoint(cursor.get(use_checkpoint), state)

        def checkpoint_func(event):
            # Persist the id of the event just handled under the named checkpoint;
            # when the formatter invokes this is not visible here.
            cursor.replace(use_checkpoint, event["eventId"])

    query = _construct_query(state, begin, end, saved_search, advanced_query, or_query)
    dfs = _get_all_file_events(state, query, checkpoint)
    formatter = FileEventsOutputFormatter(format, checkpoint_func=checkpoint_func)
    # Pager buffering can leave the persisted checkpoint ahead of what the user
    # actually saw, so paging is disabled whenever a checkpoint is in use.
    formatter.echo_formatted_dataframes(
        dfs, columns=columns, force_no_pager=use_checkpoint
    )
def search(
    state,
    format,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    include_all,
    **kwargs,
):
    """Search for file events.

    Resolves the output header for the requested format, builds the extraction
    handlers (checkpoint cursor plus formatter) and runs the extraction with the
    remaining query options.
    """
    header_map = _create_search_header_map()
    output_header = ext.try_get_default_header(include_all, header_map, format)
    formatter = FileEventsOutputFormatter(format, output_header)
    # The cursor is whatever _get_cursor yields for the named checkpoint (None when
    # checkpointing is off is an assumption — verify in _get_cursor).
    cursor = _get_cursor(state, use_checkpoint)
    handlers = ext.create_handlers(
        state.sdk,
        FileEventExtractor,
        cursor,
        use_checkpoint,
        formatter=formatter,
        force_pager=include_all,
    )
    _extract(
        state, handlers, begin, end, or_query, advanced_query, saved_search, **kwargs
    )
def send_to(
    state,
    begin,
    end,
    advanced_query,
    use_checkpoint,
    saved_search,
    or_query,
    columns,
    **kwargs,
):
    """Send events to the given server address.

    HOSTNAME format: address:port where port is optional and defaults to 514.
    """
    checkpoint = None
    checkpoint_func = None
    if use_checkpoint:
        cursor = _get_file_event_cursor_store(state.profile.name)
        checkpoint = _handle_timestamp_checkpoint(cursor.get(use_checkpoint), state)

        def checkpoint_func(event):
            # Persist the id of the event just handled under the named checkpoint.
            cursor.replace(use_checkpoint, event["eventId"])

    query = _construct_query(state, begin, end, saved_search, advanced_query, or_query)
    dfs = _get_all_file_events(state, query, checkpoint)
    # No output format: rows are iterated and handed to the logger one at a time.
    row_formatter = FileEventsOutputFormatter(None, checkpoint_func=checkpoint_func)
    with warn_interrupt():
        last_row = None
        for last_row in row_formatter.iter_rows(dfs, columns=columns):
            state.logger.info(last_row)
        # last_row stays None only when iter_rows yielded nothing at all.
        if last_row is None:
            click.echo("No results found.")
def test_format_when_none_passed_defaults_to_raw_json(self):
    """Omitting the output format selects the RAW format."""
    default_formatter = FileEventsOutputFormatter(output_format=None)
    selected = default_formatter.output_format
    assert selected == FileEventsOutputFormat.RAW
def test_init_sets_format_func_to_table_function_when_no_format_option_is_passed(
    self, mock_to_table
):
    """With no format given, formatting delegates to the (mocked) table function."""
    default_formatter = FileEventsOutputFormatter(None)
    # get_formatted_output appears to be lazy, so it must be consumed before the
    # underlying format function is actually invoked.
    list(default_formatter.get_formatted_output("TEST"))
    # The table path receives the whole input plus a second positional argument that
    # is None here — presumably the column selection; confirm against the formatter.
    mock_to_table.assert_called_once_with("TEST", None)
def test_init_sets_format_func_to_cef_function_when_cef_format_option_is_passed(
    self, mock_to_cef
):
    """With the CEF format, each element of the input is passed to the (mocked) CEF function."""
    cef_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CEF)
    # Consume the lazy output; the single-element list shows the CEF path is
    # applied per item rather than to the collection as a whole.
    list(cef_formatter.get_formatted_output(["TEST"]))
    mock_to_cef.assert_called_once_with("TEST")
def test_init_sets_format_func_to_dynamic_csv_function_when_csv_option_is_passed(
    self, mock_to_csv
):
    """With the CSV format, the whole input is handed to the (mocked) CSV function."""
    csv_formatter = FileEventsOutputFormatter(FileEventsOutputFormat.CSV)
    # Consume the lazy output so the format function is actually called.
    list(csv_formatter.get_formatted_output("TEST"))
    mock_to_csv.assert_called_once_with("TEST")