def test_get_intel_indicators():
    """ Smoke-test get_intel_indicators(): a small query must come back with no API errors.

    Live test — needs working CLIENT_ID / CLIENT_SECRET and hits the real Falcon API.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)  # pylint: disable=invalid-name

    result = api.get_intel_indicators(limit=10)
    # NOTE(review): this writes the full indicator payload to the debug log;
    # keep debug logging off where the log output is shared.
    logger.debug(result)
    assert not result.get('errors')
def test_find_true_positives():
    """ Query incidents tagged 'True Positive' and require at least one match.

    Assumes the tenant actually has such an incident; on an empty tenant the
    length check fails rather than skipping.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    matches = api.incidents_query(filter="tags: 'True Positive'")
    assert len(matches) > 0, "expected at least one incident tagged 'True Positive'"
    logger.debug(matches)
def test_find_closed_incidents():
    """ Query incidents with status '40' (the closed state, per the original test's
    intent) and require at least one match.

    Assumes the tenant has at least one closed incident.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    closed = api.incidents_query(filter="status: '40'")
    assert len(closed) > 0, "expected at least one closed incident"
    logger.debug(closed)
def test_get_detects():
    """ Fetch a single detection ID and check the call succeeded.

    The 'resources' assertion presumes the tenant has had at least one detection.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
    result = api.get_detects(offset=0, limit=1)
    logger.debug(result)
    assert not result.get('errors')
    # A tenant that has never had a detection would fail here — that'd be unusual.
    assert result.get('resources')
def test_incidents_perform_actions():
    """ Exercise incidents_perform_actions(): three malformed payloads must raise
    ValueError, then one well-formed call is made.

    The rejected payloads are: an unknown key only, an extra key alongside
    name/value, and a non-string value with an extra key. The final call goes
    to the API for real — it sets an empty 'tags' value on incident '12345'
    (presumably a placeholder ID); its result is only logged, not asserted.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    rejected_payloads = [
        {'foo': 'bar'},
        {'name': 'tags', 'value': 'foo', 'foo': 'bar'},
        {'name': 'tags', 'value': 13, 'foo': 'bar'},
    ]
    for bad_params in rejected_payloads:
        with pytest.raises(ValueError):
            api.incidents_perform_actions(ids=['12345'],
                                          action_parameters=[bad_params])

    # NOTE(review): this is a live write against the incidents API, not a dry run.
    accepted = api.incidents_perform_actions(
        ids=['12345'],
        action_parameters=[{'name': 'tags', 'value': ''}],
    )
    logger.debug(accepted)
def test_really_replace_with_a_real_test():
    """ Placeholder test for get_event_streams(): the response must carry 'resources'.

    On failure the whole response is logged at ERROR and a ValueError is raised;
    the trailing assert only restates that check and is never the failing line.
    """
    # TODO: replace this with anything closer to a real test suite
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    logger.info("Testing get_event_streams()")

    stream_response = api.get_event_streams("testing123")
    resources = stream_response.get("resources", False)

    if not resources:
        # NOTE(review): this logs the full response body — confirm it carries no
        # stream credentials before enabling this in shared CI output.
        logger.error(json.dumps(stream_response))
        raise ValueError("No resources in stream response")
    assert resources
def test_get_detections():
    """ Pull full details for the five most recent detections.

    Two calls: get_detects() for the IDs, then get_detections() for the bodies.
    Both 'resources' assertions presume the tenant has had detections.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    detect_ids = api.get_detects(offset=0, limit=5).get('resources')
    assert detect_ids

    details = api.get_detections(ids=detect_ids)
    # NOTE(review): full detection bodies land in the debug log here.
    logger.debug(details)
    assert not details.get('errors')
    # A tenant that has never had a detection would fail here — that'd be unusual.
    assert details.get('resources')
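def test_really_replace_this_with_a_real_test():
    """ Placeholder test for the sensor-installer API: list installer IDs, inspect
    the newest macOS installer, and download it into a throwaway temp directory.

    Checks, in order: three get_sensor_installer_ids() variants return something;
    get_latest_sensor_id() yields an ID, asserted *before* it is passed on to
    get_sensor_installer_details(); the download returns a response and writes
    a non-empty file.
    """
    # TODO: make this some vaguely correct tests
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    # list sensor installer IDs with sort+filter, sort only, and filter only
    for kwargs in (
        {"sort_string": "release_date|desc", "filter_string": 'platform:"mac"'},
        {"sort_string": "release_date|desc"},
        {"filter_string": 'platform:"mac"'},
    ):
        assert api.get_sensor_installer_ids(**kwargs) is not None, f"no IDs for {kwargs}"

    maclatest = api.get_latest_sensor_id(filter_string='platform:"mac"')
    # assert before use, so a None ID fails here rather than inside the details call
    assert maclatest is not None

    # also exercises showing an installer's data
    logger.info(json.dumps(api.get_sensor_installer_details(maclatest), indent=2))

    logger.info("Testing download to temporary directory....")
    # the temp directory (and the installer in it) is removed when the block exits
    with tempfile.TemporaryDirectory() as tmpdirname:
        filename = os.path.join(tmpdirname, 'FalconSensorMacOS.pkg')
        response = api.download_sensor(maclatest, filename)
        assert response is not None
        assert os.path.exists(filename)
        # an existing but empty file means the download silently failed
        assert os.path.getsize(filename) > 0, "downloaded installer is empty"
        # NOTE(review): the installer is not integrity-checked here. If
        # get_sensor_installer_details() exposes a digest (e.g. sha256), compare
        # it against the file — confirm the field name against the client.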
def test_something_indicators():
    """ Regression case for get_intel_indicators() with a parameter set that once failed.

    Known caveat: fails on a "restricted" account; it passed on the author's
    test account (JH, 2021-03-20).
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)  # pylint: disable=invalid-name

    result = api.get_intel_indicators(
        offset=5,
        filter="last_updated:>1590402620",
        limit=7000,
        include_deleted=False,
        sort="last_updated.asc",
    )
    # NOTE(review): up to 7000 indicators go to the debug log here.
    logger.debug(result)
    assert not result.get('errors')
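def test_incidents():
    """ Wide-open incidents check: list every incident and fetch each one's details.

    Every details response is checked for API errors inside the loop (previously
    only the last response was checked, after the loop), and a missing or empty
    'resources' list fails with a clear message instead of a TypeError/IndexError
    on `resources[0]`.
    """
    api = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)

    incidents = api.incidents_query()
    logger.debug(incidents)

    assert len(incidents) > 0

    # NOTE(review): one details call per incident — on a busy tenant this is a
    # lot of API calls for a test; consider bounding the query.
    for incident in incidents:
        details = api.incidents_get_details(ids=[incident])
        assert not details.get('errors'), \
            f"errors fetching incident {incident}: {details.get('errors')}"
        resources = details.get('resources')
        assert resources, f"no resources returned for incident {incident}"
        logger.debug(resources[0].get('users'))
        logger.debug(resources[0].get('state'))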
    from loguru import logger
    from crowdstrike import CrowdstrikeAPI
except ImportError as import_error:
    sys.exit(f"Error importing required library: {import_error}")

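# grab config from the file or environment variable
try:
    from config import CLIENT_ID, CLIENT_SECRET
except ImportError:
    # Fall back to the environment. Both names are bound unconditionally so a
    # half-configured environment exits cleanly below instead of raising
    # NameError on the first unset one.
    CLIENT_ID = os.environ.get('CLIENT_ID')
    CLIENT_SECRET = os.environ.get('CLIENT_SECRET')
    if CLIENT_ID:
        logger.debug("Using Client ID from environment variable")
    if CLIENT_SECRET:
        logger.debug("Using Client Secret from environment variable")
    # Either credential missing is fatal (the old check only exited when both were absent).
    if not CLIENT_ID or not CLIENT_SECRET:
        sys.exit("you didn't set the config either via file or environment")

logger.enable("crowdstrike")

# Module-level client, used as the default argument of test_revoke_token. It is
# built at import time (pytest collection), so any side effects of constructing
# a CrowdstrikeAPI happen before any test runs.
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)  # pylint: disable=invalid-name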


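def test_revoke_token(crowdstrike_client=crowdstrike):
    """ Obtain a token and then revoke it.

    The token value itself is never logged — a bearer token in a log file is a
    credential leak — only its type and length are recorded.

    Args:
        crowdstrike_client: client to exercise; defaults to the module-level instance.
    """
    token = crowdstrike_client.get_token()
    # log evidence that a token came back, never the token itself
    logger.debug(f"get_token() returned {type(token).__name__} of length {len(str(token))}")

    response = crowdstrike_client.revoke_token()
    logger.debug(response)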