def test_logon_session_rarity_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
test_data = str(Path(TEST_DATA_PATH).absolute())
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
d_path = Path(TEST_DATA_PATH).joinpath("processes_on_host.pkl")
raw_data = pd.read_pickle(d_path)
filt_sess = raw_data[raw_data["Account"] == "MSTICAlertsWin1\\MSTICAdmin"]
data = pd.concat([raw_data.iloc[:1000], filt_sess])
check.is_true(hasattr(nblts.azsent.host, "LogonSessionsRarity"))
if not hasattr(nblts.azsent.host, "LogonSessionsRarity"):
print(nblts.azsent.host)
test_nb = nblts.azsent.host.LogonSessionsRarity()
result = test_nb.run(data=data)
check.is_instance(result.process_clusters, pd.DataFrame)
check.is_instance(result.processes_with_cluster, pd.DataFrame)
check.is_instance(result.session_rarity, pd.DataFrame)
result.list_sessions_by_rarity()
result.plot_sessions_by_rarity()
result.process_tree(account="MSTICAlertsWin1\\MSTICAdmin")
def test_winhostevents_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.host.WinHostEvents()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
check.is_not_none(result.all_events)
check.is_instance(result.all_events, pd.DataFrame)
check.is_not_none(result.event_pivot)
check.is_instance(result.event_pivot, pd.DataFrame)
check.is_not_none(result.account_events)
check.is_instance(result.account_events, pd.DataFrame)
check.is_not_none(result.event_pivot)
check.is_instance(result.event_pivot, pd.DataFrame)
# check.is_not_none(result.account_timeline)
exp_events = test_nb.expand_events(["5058", "5061"])
check.is_instance(exp_events, pd.DataFrame)
def test_notebooklet_options(monkeypatch):
"""Test option logic for notebooklet."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(query_provider="LocalData",
providers=["tilookup", "geolitelookup"])
nb_test = TstNBSummary()
# default options
nb_res = nb_test.run()
check.is_not_none(nb_res.default_property)
check.is_none(nb_res.optional_property)
# add optional option
nb_res = nb_test.run(options=["+optional_opt"])
check.is_not_none(nb_res.default_property)
check.is_not_none(nb_res.optional_property)
# remove default option
nb_res = nb_test.run(options=["-default_opt"])
check.is_none(nb_res.default_property)
check.is_none(nb_res.optional_property)
# specific options
nb_res = nb_test.run(options=["heartbest", "azure_net"])
check.is_none(nb_res.default_property)
check.is_none(nb_res.optional_property)
# invalid option
f_stream = StringIO()
with redirect_stdout(f_stream):
nb_test.run(options=["invalid_opt"])
output = str(f_stream.getvalue())
check.is_in("Invalid options ['invalid_opt']", output)
def test_notebooklet_options(self):
"""Test option logic for notebooklet."""
init(query_provider="LocalData")
nb_test = TstNBSummary()
# default options
nb_res = nb_test.run()
self.assertIsNotNone(nb_res.default_property)
self.assertIsNone(nb_res.optional_property)
# add optional option
nb_res = nb_test.run(options=["+optional_opt"])
self.assertIsNotNone(nb_res.default_property)
self.assertIsNotNone(nb_res.optional_property)
# remove default option
nb_res = nb_test.run(options=["-default_opt"])
self.assertIsNone(nb_res.default_property)
self.assertIsNone(nb_res.optional_property)
# specific options
nb_res = nb_test.run(options=["heartbest", "azure_net"])
self.assertIsNone(nb_res.default_property)
self.assertIsNone(nb_res.optional_property)
# invalid option
f_stream = StringIO()
with redirect_stdout(f_stream):
nb_test.run(options=["invalid_opt"])
output = str(f_stream.getvalue())
self.assertIn("Invalid options ['invalid_opt']", output)
def test_notebooklet_create(monkeypatch):
"""Test method."""
# Should run because required providers are loaded
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(query_provider="LocalData",
providers=["tilookup", "geolitelookup"])
for _, nblt in nblts.iter_classes():
new_nblt = nblt()
check.is_instance(new_nblt, Notebooklet)
check.is_none(new_nblt.result)
# Should throw a warning because of unrecognized provider
data_providers.init(query_provider="LocalData")
with pytest.raises(MsticnbDataProviderError) as err:
for _, nblt in nblts.iter_classes():
curr_provs = nblt.metadata.req_providers
bad_provs = [*curr_provs, "bad_provider"]
try:
nblt.metadata.req_providers = bad_provs
new_nblt = nblt()
check.is_instance(new_nblt, Notebooklet)
check.is_none(new_nblt.result)
finally:
nblt.metadata.req_providers = curr_provs
check.is_in("bad_provider", err.value.args[0])
test_nb = TstNBSummary()
check.is_not_none(test_nb.get_provider("LocalData"))
with pytest.raises(MsticnbDataProviderError):
test_nb.get_provider("otherprovider")
def test_ip_summary_notebooklet_internal(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
monkeypatch.setattr(data_providers, "TILookup", TILookupMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
providers=["tilookup", "geolitelookup"],
)
test_nb = nblts.azsent.network.IpAddressSummary()
tspan = TimeSpan(period="1D")
test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES})
result = test_nb.run(value="40.76.43.124", timespan=tspan)
check.is_not_none(result.ip_entity)
check.equal(result.ip_type, "Public")
check.equal(result.ip_origin, "Internal")
check.is_not_none(result.whois)
check.is_instance(result.related_alerts, pd.DataFrame)
check.is_instance(result.heartbeat, pd.DataFrame)
check.is_instance(result.az_network_if, pd.DataFrame)
check.is_none(result.passive_dns)
check.is_none(result.ti_results)
def test_ip_summary_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
monkeypatch.setattr(data_providers, "TILookup", TILookupMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
providers=["tilookup", "geolitelookup"],
)
test_nb = nblts.azsent.network.IpAddressSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="11.1.2.3", timespan=tspan)
check.is_not_none(result.ip_entity)
check.equal(result.ip_type, "Public")
check.equal(result.ip_origin, "External")
check.is_in("CountryCode", result.geoip)
check.is_not_none(result.location)
check.is_not_none(result.notebooklet)
check.is_not_none(result.whois)
check.is_instance(result.related_alerts, pd.DataFrame)
check.is_not_none(test_nb.browse_alerts())
check.is_instance(result.passive_dns, pd.DataFrame)
check.is_instance(result.ti_results, pd.DataFrame)
def test_template_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = TemplateNB()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
check.is_not_none(result.all_events)
check.is_not_none(result.description)
check.is_not_none(result.plot)
result = test_nb.run(value="myhost",
timespan=tspan,
options=["+get_metadata"])
check.is_not_none(result.additional_info)
evts = test_nb.run_additional_operation(
["4679", "5058", "5061", "5059", "4776"])
check.is_instance(evts, pd.DataFrame)
def test_class_metadata(monkeypatch):
"""Test class correctly loads yaml metadata."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(query_provider="LocalData",
providers=["tilookup", "geolitelookip"])
host_nb = host_summary.HostSummary()
check.is_true(hasattr(host_summary, "_CLS_METADATA"))
check.is_instance(host_summary._CLS_METADATA, NBMetadata)
check.is_true(hasattr(host_summary, "_CELL_DOCS"))
check.is_instance(host_summary._CELL_DOCS, dict)
check.is_true(hasattr(host_nb, "metadata"))
check.is_instance(host_nb.metadata, NBMetadata)
check.equal(host_nb.metadata.mod_name, host_summary.__name__)
check.equal(host_nb.description(), "Host summary")
check.equal(host_nb.name(), "HostSummary")
check.is_in("host", host_nb.entity_types())
check.is_in("host", host_nb.keywords())
check.is_in("heartbeat", host_nb.default_options())
check.is_in("alerts", host_nb.default_options())
check.is_in("alerts", host_nb.all_options())
for item in ("Default Options", "alerts", "azure_api"):
check.is_in(item, host_nb.list_options())
def test_template_notebooklet(self):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = TemplateNB()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
self.assertIsNotNone(result.all_events)
self.assertIsNotNone(result.description)
self.assertIsNotNone(result.plot)
result = test_nb.run(value="myhost",
timespan=tspan,
options=["+get_metadata"])
self.assertIsNotNone(result.additional_info)
evts = test_nb.run_additional_operation(
["4679", "5058", "5061", "5059", "4776"])
self.assertIsInstance(evts, pd.DataFrame)
def test_local_data(monkeypatch):
"""Test nblt output types and values using LocalData provider."""
test_data = str(Path.cwd().joinpath(TEST_DATA_PATH))
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
providers=["tilookup", "geolitelookup"],
)
test_nblt = nblts.azsent.host.HostLogonsSummary()
tspan = TimeSpan(start=datetime(2020, 6, 23, 4, 20),
end=datetime(2020, 6, 29, 21, 32))
nbltlocaldata = test_nblt.run(value="WinAttackSim", timespan=tspan)
assert isinstance(nbltlocaldata.logon_sessions, pd.DataFrame)
assert nbltlocaldata.logon_sessions["SubjectUserName"].iloc[
0] == "WinAttackSim$"
assert nbltlocaldata.logon_sessions["LogonProcessName"].iloc[
3] == "Advapi "
assert "User Pie Chart" in nbltlocaldata.plots.keys()
assert isinstance(nbltlocaldata.plots["Process Bar Chart"], Figure)
assert isinstance(nbltlocaldata.logon_matrix, pd.io.formats.style.Styler)
assert nbltlocaldata.logon_matrix.index[0][0] == "Font Driver Host\\UMFD-0"
assert isinstance(nbltlocaldata.logon_map, FoliumMap)
assert isinstance(nbltlocaldata.timeline, Column)
def test_network_flow_summary_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
monkeypatch.setattr(data_providers, "TILookup", TILookupMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.network.NetworkFlowSummary()
tspan = TimeSpan(period="1D")
test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES})
options = ["+geo_map"]
result = test_nb.run(value="myhost", timespan=tspan, options=options)
check.is_not_none(result.host_entity)
check.is_not_none(result.network_flows)
check.is_instance(result.network_flows, pd.DataFrame)
check.is_not_none(result.plot_flows_by_protocol)
check.is_instance(result.plot_flows_by_protocol, LayoutDOM)
check.is_not_none(result.plot_flows_by_direction)
check.is_instance(result.plot_flows_by_direction, LayoutDOM)
check.is_not_none(result.plot_flow_values)
check.is_instance(result.plot_flow_values, LayoutDOM)
check.is_not_none(result.flow_index)
check.is_instance(result.flow_summary, pd.DataFrame)
result.select_asns()
result.lookup_ti_for_asn_ips()
result.show_selected_asn_map()
def nbltdata():
"""Generate test nblt output."""
test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath(
"lx_host_logons.pkl")
init("LocalData", providers=["tilookup"])
test_nblt = nblts.azsent.host.HostLogonsSummary()
test_df = pd.read_pickle(test_file)
return test_nblt.run(data=test_df, options=["-map"], silent=True)
def nbltdata(monkeypatch):
"""Generate test nblt output."""
test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath(
"lx_host_logons.pkl")
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init("LocalData", providers=["tilookup", "geolitelookup"])
test_nblt = nblts.azsent.host.HostLogonsSummary()
test_df = pd.read_pickle(test_file)
return test_nblt.run(data=test_df, options=["-map"], silent=True)
def test_account_summary_notebooklet():
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.account.AccountSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="accountname", timespan=tspan)
assert result.account_selector is not None
acct_select = test_nb.browse_accounts()
assert isinstance(acct_select, nbwidgets.SelectItem)
select_opts = result.account_selector._item_dict
disp_account = result.account_selector.item_action
for acct_item in select_opts.values():
# Programatically select the item list control
select_item = [
key for key, value in select_opts.items() if value == acct_item
]
if select_item:
result.account_selector._wgt_select.value = select_item[0]
disp_account(acct_item)
assert isinstance(result.account_activity, pd.DataFrame)
assert isinstance(result.related_alerts, pd.DataFrame)
assert isinstance(result.related_bookmarks, pd.DataFrame)
assert isinstance(result.alert_timeline, LayoutDOM)
assert isinstance(result.account_entity, entities.Account)
alert_select = test_nb.browse_alerts()
assert isinstance(alert_select, nbwidgets.SelectAlert)
bm_select = test_nb.browse_bookmarks()
assert isinstance(bm_select, nbwidgets.SelectItem)
test_nb.find_additional_data()
assert isinstance(result.account_timeline_by_ip, LayoutDOM)
if "Windows" in acct_item or "Linux" in acct_item:
assert isinstance(result.host_logons, pd.DataFrame)
assert isinstance(result.host_logon_summary, pd.DataFrame)
assert result.azure_activity is None
assert result.azure_activity_summary is None
assert result.azure_timeline_by_provider is None
assert result.azure_timeline_by_operation is None
else:
assert result.host_logons is None
assert result.host_logon_summary is None
assert isinstance(result.azure_activity, pd.DataFrame)
assert isinstance(result.azure_activity_summary, pd.DataFrame)
assert isinstance(result.azure_timeline_by_provider, LayoutDOM)
assert isinstance(result.azure_timeline_by_operation, LayoutDOM)
def _init_pivot(monkeypatch):
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(
query_provider="LocalData",
providers=["geolitelookup"],
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
return Pivot()
def nbltdata(monkeypatch):
"""Generate test nblt output."""
test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath("alerts_list.pkl")
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init("LocalData", providers=["tilookup", "geolitelookup"])
test_nblt = nblts.azsent.alert.EnrichAlerts() # pylint: disable=no-member
test_df = pd.read_pickle(test_file)
test_df["Entities"] = ""
return test_nblt.run(data=test_df, silent=True)
def test_notebooklet_params(self):
"""Test supplying timespan param."""
init(query_provider="LocalData", providers=["tilookup"])
test_nb = TstNBSummary()
tspan = TimeSpan(period="1D")
test_nb.run(timespan=tspan)
self.assertEqual(tspan, test_nb.timespan)
test_nb.run(start=tspan.start, end=tspan.end)
self.assertEqual(tspan, test_nb.timespan)
def nbltdata():
"""Generate test nblt output."""
test_file = Path.cwd().joinpath(TEST_DATA_PATH).joinpath("alerts_list.pkl")
test_config = str(
Path.cwd().joinpath(TEST_DATA_PATH).joinpath("msticpyconfig-test.yaml")
)
init("LocalData", providers=["tilookup"])
test_nblt = nblts.azsent.alert.EnrichAlerts()
test_df = pd.read_pickle(test_file)
test_df["Entities"] = ""
return test_nblt.run(data=test_df, silent=True)
def test_notebooklet_params(monkeypatch):
"""Test supplying timespan param."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(query_provider="LocalData",
providers=["tilookup", "geolitelookup"])
test_nb = TstNBSummary()
tspan = TimeSpan(period="1D")
test_nb.run(timespan=tspan)
check.equal(tspan, test_nb.timespan)
test_nb.run(start=tspan.start, end=tspan.end)
check.equal(tspan, test_nb.timespan)
def test_host_summary_notebooklet(self):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.host.HostSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
self.assertIsNotNone(result.host_entity)
self.assertIsNotNone(result.related_alerts)
self.assertIsInstance(result.related_alerts, pd.DataFrame)
self.assertIsNotNone(result.alert_timeline)
self.assertIsNotNone(result.related_bookmarks)
self.assertIsInstance(result.related_bookmarks, pd.DataFrame)
def test_add_sub_data_providers(self):
"""Test intializing adding and subtracting providers."""
dprov = DataProviders(query_provider="LocalData")
init(query_provider="LocalData", providers=["tilookup"])
msticnb = sys.modules["msticnb"]
dprov2 = DataProviders.current()
# Add and remove a provider from defaults
init(query_provider="LocalData", providers=["+ipstacklookup", "-geolitelookup"])
dprov3 = DataProviders.current()
pkg_providers = getattr(msticnb, "data_providers")
self.assertIsNot(dprov3, dprov)
self.assertIsNot(dprov3, dprov2)
self.assertIn("ipstacklookup", dprov3.providers)
self.assertNotIn("geolitelookup", dprov3.providers)
self.assertIn("tilookup", dprov3.providers)
self.assertIn("ipstacklookup", pkg_providers)
self.assertNotIn("geolitelookup", pkg_providers)
self.assertIn("tilookup", pkg_providers)
def test_host_summary_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
test_data = str(Path(TEST_DATA_PATH).absolute())
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.host.HostSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
check.is_not_none(result.host_entity)
check.is_not_none(result.related_alerts)
check.is_instance(result.related_alerts, pd.DataFrame)
check.is_not_none(result.alert_timeline)
check.is_not_none(result.related_bookmarks)
check.is_instance(result.related_bookmarks, pd.DataFrame)
def test_new_init_data_providers(monkeypatch):
"""Test creating new provider with new provider list."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(query_provider="LocalData", providers=[])
dprov = data_providers.DataProviders.current()
data_providers.init(query_provider="LocalData", providers=[])
dprov2 = data_providers.DataProviders.current()
check.equal(dprov2, dprov)
# specify provider
dprov = data_providers.DataProviders(query_provider="LocalData")
data_providers.init(query_provider="LocalData", providers=["tilookup"])
msticnb = sys.modules["msticnb"]
dprov2 = data_providers.DataProviders.current()
pkg_providers = getattr(msticnb, "data_providers")
check.not_equal(dprov2, dprov)
check.is_in("LocalData", dprov2.providers)
check.is_in("tilookup", dprov2.providers)
check.is_not_in("geolitelookup", dprov2.providers)
check.is_not_in("ipstacklookup", dprov2.providers)
check.is_in("LocalData", pkg_providers)
check.is_in("tilookup", pkg_providers)
check.is_not_in("geolitelookup", pkg_providers)
check.is_not_in("ipstacklookup", pkg_providers)
check.is_instance(dprov2.providers["tilookup"], TILookup)
def test_new_init_data_providers(self):
"""Test creating new provider with new provider list."""
init(query_provider="LocalData", providers=[])
dprov = DataProviders.current()
init(query_provider="LocalData", providers=[])
dprov2 = DataProviders.current()
self.assertIs(dprov2, dprov)
# specify provider
dprov = DataProviders(query_provider="LocalData")
init(query_provider="LocalData", providers=["tilookup"])
msticnb = sys.modules["msticnb"]
dprov2 = DataProviders.current()
pkg_providers = getattr(msticnb, "data_providers")
self.assertIsNot(dprov2, dprov)
self.assertIn("LocalData", dprov2.providers)
self.assertIn("tilookup", dprov2.providers)
self.assertNotIn("geolitelookup", dprov2.providers)
self.assertNotIn("ipstacklookup", dprov2.providers)
self.assertIn("LocalData", pkg_providers)
self.assertIn("tilookup", pkg_providers)
self.assertNotIn("geolitelookup", pkg_providers)
self.assertNotIn("ipstacklookup", pkg_providers)
self.assertIsInstance(dprov2.providers["tilookup"], TILookup)
def test_ip_summary_notebooklet_all(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
monkeypatch.setattr(data_providers, "TILookup", TILookupMock)
data_providers.init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
providers=["tilookup", "geolitelookup"],
)
opts = ["+az_netflow", "+passive_dns", "+az_activity", "+office_365", "+ti"]
test_nb = nblts.azsent.network.IpAddressSummary()
tspan = TimeSpan(period="1D")
test_nb.query_provider.schema.update({tab: {} for tab in DEF_PROV_TABLES})
result = test_nb.run(value="40.76.43.124", timespan=tspan, options=opts)
check.is_not_none(result.ip_entity)
check.is_not_none(result.host_entity)
check.equal(result.host_entity.HostName, "MSTICAlertsWin1")
check.equal(result.host_entity.OSFamily.name, "Linux")
check.equal(result.ip_type, "Public")
check.equal(result.ip_origin, "Internal")
check.is_instance(result.heartbeat, pd.DataFrame)
check.is_instance(result.az_network_if, pd.DataFrame)
check.is_instance(result.az_network_flows, pd.DataFrame)
check.is_instance(result.az_network_flow_summary, pd.DataFrame)
check.is_instance(result.az_network_flows_timeline, LayoutDOM)
check.is_instance(result.aad_signins, pd.DataFrame)
check.is_instance(result.office_activity, pd.DataFrame)
check.is_instance(result.vmcomputer, pd.DataFrame)
check.is_instance(test_nb.netflow_total_by_protocol(), LayoutDOM)
check.is_instance(test_nb.netflow_by_direction(), LayoutDOM)
check.is_not_none(result.whois)
check.is_instance(result.related_alerts, pd.DataFrame)
check.is_instance(result.passive_dns, pd.DataFrame)
check.is_instance(result.ti_results, pd.DataFrame)
def test_notebooklet_create(self):
"""Test method."""
test_with_geop = True
try:
geoip = GeoLiteLookup()
if not geoip._api_key:
test_with_geop = False
del geoip
except MsticpyUserConfigError:
test_with_geop = False
if test_with_geop:
# Should run because required providers are loaded
init(query_provider="LocalData",
providers=["tilookup", "geolitelookup"])
for _, nblt in nblts.iter_classes():
new_nblt = nblt()
self.assertIsInstance(new_nblt, Notebooklet)
self.assertIsNone(new_nblt.result)
# Should throw a warning because of unrecognized provider
init(query_provider="LocalData")
with self.assertRaises(MsticnbDataProviderError) as err:
for _, nblt in nblts.iter_classes():
curr_provs = nblt.metadata.req_providers
bad_provs = [*curr_provs, "bad_provider"]
try:
nblt.metadata.req_providers = bad_provs
new_nblt = nblt()
self.assertIsInstance(new_nblt, Notebooklet)
self.assertIsNone(new_nblt.result)
finally:
nblt.metadata.req_providers = curr_provs
self.assertIn("bad_provider", err.exception.args[0])
test_nb = TstNBSummary()
self.assertIsNotNone(test_nb.get_provider("LocalData"))
with self.assertRaises(MsticnbDataProviderError):
test_nb.get_provider("otherprovider")
def test_add_sub_data_providers(monkeypatch):
"""Test intializing adding and subtracting providers."""
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
dprov = data_providers.DataProviders(query_provider="LocalData")
data_providers.init(query_provider="LocalData", providers=["tilookup"])
msticnb = sys.modules["msticnb"]
dprov2 = data_providers.DataProviders.current()
# Add and remove a provider from defaults
data_providers.init(
query_provider="LocalData", providers=["+ipstacklookup", "-geolitelookup"]
)
dprov3 = data_providers.DataProviders.current()
pkg_providers = getattr(msticnb, "data_providers")
check.not_equal(dprov3, dprov)
check.not_equal(dprov3, dprov2)
check.is_in("ipstacklookup", dprov3.providers)
check.is_not_in("geolitelookup", dprov3.providers)
check.is_in("tilookup", dprov3.providers)
check.is_in("ipstacklookup", pkg_providers)
check.is_not_in("geolitelookup", pkg_providers)
check.is_in("tilookup", pkg_providers)
def test_network_flow_summary_notebooklet(self):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
init(
query_provider="LocalData",
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.network.NetworkFlowSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="myhost", timespan=tspan)
self.assertIsNotNone(result.host_entity)
self.assertIsNotNone(result.network_flows)
self.assertIsInstance(result.network_flows, pd.DataFrame)
self.assertIsNotNone(result.plot_flows_by_protocol)
self.assertIsInstance(result.plot_flows_by_protocol, LayoutDOM)
self.assertIsNotNone(result.plot_flows_by_direction)
self.assertIsInstance(result.plot_flows_by_direction, LayoutDOM)
self.assertIsNotNone(result.plot_flow_values)
self.assertIsInstance(result.plot_flow_values, LayoutDOM)
self.assertIsNotNone(result.flow_index)
self.assertIsInstance(result.flow_summary, pd.DataFrame)
def test_account_summary_notebooklet(monkeypatch):
"""Test basic run of notebooklet."""
test_data = str(Path(TEST_DATA_PATH).absolute())
monkeypatch.setattr(data_providers, "GeoLiteLookup", GeoIPLiteMock)
data_providers.init(
"LocalData",
providers=["-tilookup"],
LocalData_data_paths=[test_data],
LocalData_query_paths=[test_data],
)
test_nb = nblts.azsent.account.AccountSummary()
tspan = TimeSpan(period="1D")
result = test_nb.run(value="accountname", timespan=tspan)
check.is_not_none(result.account_selector)
acct_select = test_nb.browse_accounts()
check.is_instance(acct_select, nbwidgets.SelectItem)
select_opts = result.account_selector._item_dict
disp_account = result.account_selector.item_action
for acct_item in select_opts.values():
# Programatically select the item list control
select_item = [
key for key, value in select_opts.items() if value == acct_item
]
if select_item:
result.account_selector._wgt_select.value = select_item[0]
disp_account(acct_item)
check.is_instance(result.account_activity, pd.DataFrame)
check.is_instance(result.related_alerts, pd.DataFrame)
check.is_instance(result.related_bookmarks, pd.DataFrame)
check.is_instance(result.alert_timeline, LayoutDOM)
check.is_instance(result.account_entity, entities.Account)
alert_select = test_nb.browse_alerts()
check.is_instance(alert_select, nbwidgets.SelectAlert)
bm_select = test_nb.browse_bookmarks()
assert isinstance(bm_select, nbwidgets.SelectItem)
test_nb.get_additional_data()
check.is_instance(result.account_timeline_by_ip, LayoutDOM)
if "Windows" in acct_item or "Linux" in acct_item:
check.is_instance(result.host_logons, pd.DataFrame)
check.is_instance(result.host_logon_summary, pd.DataFrame)
check.is_none(result.azure_activity)
check.is_none(result.azure_activity_summary)
check.is_none(result.azure_timeline_by_provider)
check.is_none(result.azure_timeline_by_operation)
vwr = result.view_events(
attrib="host_logons",
summary_cols=["Computer", "LogonResult", "LogonType"],
)
else:
check.is_none(result.host_logons)
check.is_none(result.host_logon_summary)
check.is_instance(result.azure_activity, pd.DataFrame)
check.is_instance(result.azure_activity_summary, pd.DataFrame)
check.is_instance(result.azure_timeline_by_provider, LayoutDOM)
check.is_instance(result.azure_timeline_by_operation, LayoutDOM)
vwr = result.view_events(
attrib="azure_activity",
summary_cols=["Source", "Operation", "IPAddress"],
)
check.is_instance(vwr, nbwidgets.SelectItem)
result.display_alert_timeline()
result.browse_accounts()
result.browse_alerts()
result.browse_bookmarks()
result.az_activity_timeline_by_provider()
result.az_activity_timeline_by_ip()
result.az_activity_timeline_by_operation()
result.host_logon_timeline()
check.is_not_none(result.get_geoip_map())
