def test_splunk_connect_no_params(splunk_client):
    """Connecting with no parameters raises a config error and stays disconnected."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()
    check.is_true(driver.loaded)

    with pytest.raises(MsticpyUserConfigError) as exc_info:
        driver.connect()

    # Failure must not leave the driver half-connected, and the message
    # must tell the user what was missing.
    check.is_false(driver.connected)
    check.is_in("no Splunk connection parameters", exc_info.value.args)
def test_splunk_connect_errors(splunk_client):
    """A rejected login or an HTTP failure surfaces as MsticpyConnectionError."""
    splunk_client.connect = cli_connect

    def _connect_must_fail(driver, host):
        # `host` is a value that cli_connect (assigned above) is expected to
        # reject; the driver must stay disconnected afterwards.
        print("connected", driver.connected)
        with pytest.raises(MsticpyConnectionError) as exc_info:
            # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
            driver.connect(host=host, username="******", password=_FAKE_STRING)  # nosec
        print("connected", driver.connected)
        check.is_false(driver.connected)
        check.is_in("Splunk connection", exc_info.value.args)

    first_driver = SplunkDriver()
    check.is_true(first_driver.loaded)
    _connect_must_fail(first_driver, "AuthError")
    # A fresh driver for the second failure mode.
    _connect_must_fail(SplunkDriver(), "HTTPError")
def test_live_connect():
    """Manual live test against a real Splunk host.

    The username/password below are placeholders; this only passes when
    real credentials are substituted, so it is not meant for CI runs.
    """
    driver = SplunkDriver()
    live_host = "splunk-mstic.westus2.cloudapp.azure.com"
    driver.connect(host=live_host, port=8089, username="******", password="******")  # nosec

    # A well-formed Sysmon query should return something.
    sysmon_query = """index="botsv2" earliest=08/25/2017:00:00:00 latest=08/26/2017:00:00:00
    source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    | table TimeCreated, host, EventID, EventDescription, User, process
    | head 10
    """
    result = driver.query(sysmon_query)
    check.is_not_none(result)

    # A query expected to match nothing comes back as an empty list.
    no_hits_query = """index="botsv2" earliest=08/25/2020:00:00:00
    + 'source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    | table TimeCreated, host, EventID, EventDescription, User, process
    | head 10
    """
    result = driver.query(no_hits_query)
    check.is_instance(result, list)
    check.is_false(result)

    network_query = """
    index=blackhat sourcetype=network earliest=0
    | table TimeGenerated, TotalBytesSent
    """
    result = driver.query(network_query)
    check.is_not_none(result)
def test_splunk_saved_searches(splunk_client):
    """Saved searches are fetched on connect and exposed through service_queries."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()

    # Before connect the fetch must refuse and leave the cache empty.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver._get_saved_searches()
    check.is_false(driver.connected)
    check.is_none(driver._saved_searches)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    driver.connect(host="localhost", username="******", password="******")  # nosec
    check.is_true(driver.connected)
    searches = driver._saved_searches
    check.is_instance(searches, pd.DataFrame)
    for search_name, search_query in zip(searches["name"], searches["query"]):
        check.is_true(search_name.startswith("query"))
        check.equal(search_query, "get stuff from somewhere")

    saved_queries, source_name = driver.service_queries
    check.equal(source_name, "SavedSearches")
    check.is_instance(saved_queries, dict)
    for query_name in saved_queries:
        check.is_true(query_name.startswith("query"))
        # The expected value shows each saved search prefixed with "search ".
        check.equal(saved_queries[query_name], "search get stuff from somewhere")
def test_splunk_saved_searches(splunk_client):
    """Saved searches require a connection and are surfaced as a query dict."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()

    # Not connected yet: fetching must raise and leave nothing cached.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver._get_saved_searches()
    check.is_false(driver.connected)
    check.is_none(driver._saved_searches)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
    driver.connect(host="localhost", username="******", password=_FAKE_STRING)  # nosec
    check.is_true(driver.connected)
    searches = driver._saved_searches
    check.is_instance(searches, pd.DataFrame)
    for search_name, search_query in zip(searches["name"], searches["query"]):
        check.is_true(search_name.startswith("query"))
        check.equal(search_query, "get stuff from somewhere")

    saved_queries, source_name = driver.service_queries
    check.equal(source_name, "SavedSearches")
    check.is_instance(saved_queries, dict)
    for query_name in saved_queries:
        check.is_true(query_name.startswith("query"))
        # The expected value shows each saved search prefixed with "search ".
        check.equal(saved_queries[query_name], "search get stuff from somewhere")
def test_splunk_connect_req_params(splunk_client):
    """Connect succeeds with the required params, as kwargs or a connection string."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()
    check.is_true(driver.loaded)

    driver.connect(host="localhost", username="******", password="******")  # nosec
    check.is_true(driver.connected)

    # Same parameters expressed as a single connection string; the
    # username/password values are placeholders, not credentials.
    conn_str = "host='localhost'; username='******'; password='******'"  # nosec
    second_driver = SplunkDriver()
    second_driver.connect(connection_str=conn_str)
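def test_splunk_connect_req_params(splunk_client):
    """Check load/connect success with required params.

    Connects twice against the stubbed client: once with keyword arguments
    and once with an equivalent ``connection_str``. Both paths are asserted
    to leave the driver connected.
    """
    splunk_client.connect = cli_connect
    sp_driver = SplunkDriver()
    check.is_true(sp_driver.loaded)
    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
    sp_driver.connect(host="localhost", username="******", password=_FAKE_STRING)  # nosec
    check.is_true(sp_driver.connected)
    # Plain string literal: there is nothing to interpolate, so the f-prefix
    # was redundant (ruff F541). The password is a placeholder, not a secret.
    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
    sp_cntn_str = "host='localhost'; username='******'; password='******'"  # nosec
    sp_driver = SplunkDriver()
    sp_driver.connect(connection_str=sp_cntn_str)
    # The connection-string path was previously unverified.
    check.is_true(sp_driver.connected)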
def test_splunk_query_success(splunk_client, splunk_results):
    """Query refuses before connect, then returns a DataFrame or an empty result."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()
    splunk_results.ResultsReader = _results_reader

    # Querying while disconnected must raise instead of calling the service.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver.query("some query")
    check.is_false(driver.connected)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    driver.connect(host="localhost", username="******", password="******")  # nosec
    check.is_true(driver.connected)

    frame = driver.query("some query")
    check.is_instance(frame, pd.DataFrame)
    check.equal(len(frame), 10)  # the stubbed reader is expected to yield 10 rows

    # No hits: the test expects an empty non-DataFrame container.
    empty = driver.query("zero query")
    check.is_not_instance(empty, pd.DataFrame)
    check.equal(len(empty), 0)
def test_splunk_connect_errors(splunk_client):
    """Connection failures are reported as MsticpyConnectionError."""
    splunk_client.connect = cli_connect

    def _assert_connect_fails(driver, host):
        # `host` is a value cli_connect (assigned above) is expected to reject.
        print("connected", driver.connected)
        with pytest.raises(MsticpyConnectionError) as exc_info:
            driver.connect(host=host, username="******", password="******")  # nosec
        print("connected", driver.connected)
        check.is_false(driver.connected)
        check.is_in("Splunk connection", exc_info.value.args)

    driver = SplunkDriver()
    check.is_true(driver.loaded)
    _assert_connect_fails(driver, "AuthError")
    # Fresh driver for the HTTP failure mode.
    _assert_connect_fails(SplunkDriver(), "HTTPError")
def test_splunk_query_success(splunk_client, splunk_results):
    """Query raises when disconnected; connected queries return frames or empties."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()
    splunk_results.ResultsReader = _results_reader

    # Disconnected: must raise rather than reach the client.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver.query("some query")
    check.is_false(driver.connected)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
    driver.connect(host="localhost", username="******", password=_FAKE_STRING)  # nosec
    check.is_true(driver.connected)

    frame = driver.query("some query")
    check.is_instance(frame, pd.DataFrame)
    check.equal(len(frame), 10)  # the stubbed reader is expected to yield 10 rows

    # No hits: an empty container that is not a DataFrame.
    empty = driver.query("zero query")
    check.is_not_instance(empty, pd.DataFrame)
    check.equal(len(empty), 0)
def test_splunk_fired_alerts(splunk_client):
    """Fired alerts require a connection and are cached as a DataFrame."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()

    # Before connect the fetch must refuse and leave the cache empty.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver._get_fired_alerts()
    check.is_false(driver.connected)
    check.is_none(driver._fired_alerts)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    driver.connect(host="localhost", username="******", password="******")  # nosec
    check.is_true(driver.connected)
    alerts = driver._fired_alerts
    check.is_instance(alerts, pd.DataFrame)
    for alert_name, alert_count in zip(alerts["name"], alerts["count"]):
        check.is_true(alert_name.startswith("alert"))
        check.equal(alert_count, 10)
def test_splunk_fired_alerts(splunk_client):
    """Fired alerts are unavailable until connected, then populated on connect."""
    splunk_client.connect = cli_connect
    driver = SplunkDriver()

    # Not connected yet: fetching must raise and cache nothing.
    with pytest.raises(MsticpyNotConnectedError) as exc_info:
        driver._get_fired_alerts()
    check.is_false(driver.connected)
    check.is_none(driver._fired_alerts)
    check.is_in("not connected to Splunk.", exc_info.value.args)

    # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Test code")]
    driver.connect(host="localhost", username="******", password=_FAKE_STRING)  # nosec
    check.is_true(driver.connected)
    alerts = driver._fired_alerts
    check.is_instance(alerts, pd.DataFrame)
    for alert_name, alert_count in zip(alerts["name"], alerts["count"]):
        check.is_true(alert_name.startswith("alert"))
        check.equal(alert_count, 10)