예제 #1
 def _run_query(url, body, **kwargs):
     """Stand-in for the device search request issued by the enclosing test.

     Pins the request to the exact path and JSON body the test expects
     (criteria, exclusions and sort), flips the enclosing test's
     ``_was_called`` flag, and hands back a canned one-device result page.
     ``kwargs`` is accepted only so the stub matches the real call shape; it
     is ignored.
     """
     nonlocal _was_called
     expected_body = {
         "query": "foobar",
         "criteria": {
             "ad_group_id": [14, 25],
             "os": ["LINUX"],
             "policy_id": [8675309],
             "status": ["ALL"],
             "target_priority": ["HIGH"],
         },
         "exclusions": {"sensor_version": ["0.1"]},
         "sort": [{"field": "name", "order": "DESC"}],
     }
     # Whole-body equality: any extra or missing field fails the test.
     assert url == "/appservices/v6/orgs/Z100/devices/_search"
     assert body == expected_body
     _was_called = True
     canned_page = {
         "results": [{"id": 6023, "organization_name": "thistestworks"}],
         "num_found": 1,
     }
     return StubResponse(canned_page)
예제 #2
 def _execute_stop(url, body, **kwargs):
     """Stand-in for the LiveQuery run-cancel request, answering with a 409.

     Checks that the cancel is sent to the status endpoint of run ``abcdefg``
     with the ``CANCELLED`` status, records the call in the enclosing test's
     ``_was_called`` flag, and returns a conflict response so the caller's
     error handling for an already-finished run can be exercised.
     """
     nonlocal _was_called
     assert url == "/livequery/v1/orgs/Z100/runs/abcdefg/status"
     assert body == {"status": "CANCELLED"}
     _was_called = True
     conflict_payload = {"error_message": "The query is not presently running."}
     # 409: the stub simulates a run that can no longer be cancelled.
     return StubResponse(conflict_payload, 409)
예제 #3
 def _run_query(url, body, **kwargs):
     """Stand-in for an alert search filtered by a create-time window.

     Asserts the exact path and body, sets the enclosing test's
     ``_was_called`` flag, and returns one canned alert in the OPEN state.
     NOTE(review): the start/end timestamps carry no timezone designator;
     this stub only pins that they are passed through unchanged, it says
     nothing about how the server interprets them.
     """
     nonlocal _was_called
     time_window = {
         "start": "2019-09-30T12:34:56",
         "end": "2019-10-01T12:00:12",
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/_search"
     assert body == {"query": "Blort", "criteria": {"create_time": time_window}}
     _was_called = True
     alert = {
         "id": "S0L0",
         "org_key": "Z100",
         "threat_id": "B0RG",
         "workflow": {"state": "OPEN"},
     }
     return StubResponse({"results": [alert], "num_found": 1})
예제 #4
 def _run_facet_query(url, body, **kwargs):
     """Stand-in for a watchlist-alert facet request.

     Pins the whole request body (query, workflow criterion and the
     REPUTATION/STATUS term list with ``rows`` 0), records the call in the
     enclosing test's ``_was_called`` flag, and returns two canned facet
     buckets.
     """
     nonlocal _was_called
     expected_body = {
         "query": "Blort",
         "criteria": {"workflow": ["OPEN"]},
         "terms": {"rows": 0, "fields": ["REPUTATION", "STATUS"]},
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_facet"
     assert body == expected_body
     _was_called = True
     reputation_bucket = {
         "field": {},
         "values": [{"id": "reputation", "name": "reputationX", "total": 4}],
     }
     status_bucket = {
         "field": {},
         "values": [{"id": "status", "name": "statusX", "total": 9}],
     }
     return StubResponse({"results": [reputation_bucket, status_bucket]})
예제 #5
 def _execute_delete(url):
     """Stand-in for deleting LiveQuery run ``abcdefg``.

     Pins the path, fails the test outright if the delete is issued a second
     time (the enclosing ``_was_called`` flag doubles as the guard), and
     returns an empty response. Unlike the other stubs it takes only ``url``,
     so a call that passes a body would surface as a TypeError.
     """
     nonlocal _was_called
     assert url == "/livequery/v1/orgs/Z100/runs/abcdefg"
     # A repeated delete is a defect in the code under test, not a no-op.
     if _was_called:
         pytest.fail("_execute_delete should not be called twice!")
     _was_called = True
     return StubResponse(None)
예제 #6
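 def _run_facet_query(url, body, **kwargs):
     """Stand-in for a base-alert facet request.

     Pins the path and the whole request body, records the call in the
     enclosing test's ``_was_called`` flag, and returns two canned facet
     buckets (reputation and status).

     The body is compared as a whole, matching the watchlist facet stub
     elsewhere in this file: checking ``query``, ``criteria`` and ``terms``
     key by key, as this stub previously did, would silently accept any
     extra field the code under test happened to add to the request.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/alerts/_facet"
     assert body == {
         "query": "Blort",
         "criteria": {"workflow": ["OPEN"]},
         "terms": {"rows": 0, "fields": ["REPUTATION", "STATUS"]},
     }
     _was_called = True
     return StubResponse({
         "results": [{
             "field": {},
             "values": [{"id": "reputation", "name": "reputationX", "total": 4}],
         }, {
             "field": {},
             "values": [{"id": "status", "name": "statusX", "total": 9}],
         }]
     })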
예제 #7
 def _run_query(url, body, **kwargs):
     """Stand-in for submitting a LiveQuery run with a full device filter.

     Pins the SQL text, run name, ``notify_on_finish`` and the device filter
     (ids, types, policy ids) exactly, records the call in the enclosing
     test's ``_was_called`` flag, and returns a canned run descriptor.
     """
     nonlocal _was_called
     device_filter = {
         "device_ids": [1, 2, 3],
         "device_types": ["Alpha", "Bravo", "Charlie"],
         "policy_ids": [16, 27, 38],
     }
     expected_body = {
         "sql": "select * from whatever;",
         "name": "AmyWasHere",
         "notify_on_finish": True,
         "device_filter": device_filter,
     }
     assert url == "/livequery/v1/orgs/Z100/runs"
     assert body == expected_body
     _was_called = True
     return StubResponse({"org_key": "Z100", "name": "FoobieBletch", "id": "abcdefg"})
예제 #8
 def _run_query(url, body, **kwargs):
     """Stand-in for a LiveQuery run search sorted by id ascending.

     Pins the search body (query text, sort, ``start`` 0), records the call
     in the enclosing test's ``_was_called`` flag, and returns three canned
     runs.
     """
     nonlocal _was_called
     assert url == "/livequery/v1/orgs/Z100/runs/_search"
     assert body == {
         "query": "xyzzy",
         "sort": [{"field": "id", "order": "ASC"}],
         "start": 0,
     }
     _was_called = True
     runs = [
         {"org_key": "Z100", "name": "FoobieBletch", "id": "abcdefg"},
         {"org_key": "Z100", "name": "Aoxomoxoa", "id": "cdefghi"},
         {"org_key": "Z100", "name": "Read_Me", "id": "efghijk"},
     ]
     return StubResponse({"org_key": "Z100", "num_found": 3, "results": runs})
예제 #9
 def _run_query(url, body, **kwargs):
     """Stand-in for a CB Analytics alert search using every criterion.

     Pins the complete criteria set and the sort order, records the call in
     the enclosing test's ``_was_called`` flag, and returns one canned OPEN
     alert.
     NOTE(review): the ``process_sha256`` fixture value is 32 hex characters,
     i.e. MD5 length rather than SHA-256 length (64). The stub passes it
     through as given, so nothing here exercises hash-format validation.
     """
     nonlocal _was_called
     criteria = {
         "category": ["SERIOUS", "CRITICAL"],
         "device_id": [6023],
         "device_name": ["HAL"],
         "device_os": ["LINUX"],
         "device_os_version": ["0.1.2"],
         "device_username": ["JRN"],
         "group_results": True,
         "id": ["S0L0"],
         "legacy_alert_id": ["S0L0_1"],
         "minimum_severity": 6,
         "policy_id": [8675309],
         "policy_name": ["Strict"],
         "process_name": ["IEXPLORE.EXE"],
         "process_sha256": ["0123456789ABCDEF0123456789ABCDEF"],
         "reputation": ["SUSPECT_MALWARE"],
         "tag": ["Frood"],
         "target_value": ["HIGH"],
         "threat_id": ["B0RG"],
         "type": ["WATCHLIST"],
         "workflow": ["OPEN"],
         # CB Analytics-specific criteria follow.
         "blocked_threat_category": ["RISKY_PROGRAM"],
         "device_location": ["ONSITE"],
         "kill_chain_status": ["EXECUTE_GOAL"],
         "not_blocked_threat_category": ["NEW_MALWARE"],
         "policy_applied": ["APPLIED"],
         "reason_code": ["ATTACK_VECTOR"],
         "run_state": ["RAN"],
         "sensor_action": ["DENY"],
         "threat_cause_vector": ["WEB"],
     }
     expected_body = {
         "query": "Blort",
         "criteria": criteria,
         "sort": [{"field": "name", "order": "DESC"}],
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/cbanalytics/_search"
     assert body == expected_body
     _was_called = True
     alert = {
         "id": "S0L0",
         "org_key": "Z100",
         "threat_id": "B0RG",
         "workflow": {"state": "OPEN"},
     }
     return StubResponse({"results": [alert], "num_found": 1})
예제 #10
 def _execute_stop(url, body, **kwargs):
     """Stand-in for a successful LiveQuery run cancel.

     Pins the status endpoint of run ``abcdefg`` and the ``CANCELLED``
     payload, records the call in the enclosing test's ``_was_called`` flag,
     and returns the run descriptor with its status already CANCELLED.
     """
     nonlocal _was_called
     assert url == "/livequery/v1/orgs/Z100/runs/abcdefg/status"
     assert body == {"status": "CANCELLED"}
     _was_called = True
     cancelled_run = {
         "org_key": "Z100",
         "name": "FoobieBletch",
         "id": "abcdefg",
         "status": "CANCELLED",
     }
     return StubResponse(cancelled_run)
예제 #11
 def _do_update(url, body, **kwargs):
     """Stand-in for a bulk threat workflow update by criteria.

     Pins the two threat ids, the target state, remediation state and
     comment, records the call in the enclosing test's ``_was_called`` flag,
     and returns a canned asynchronous request id.
     """
     nonlocal _was_called
     expected_body = {
         "threat_id": ["B0RG", "F3R3NG1"],
         "state": "OPEN",
         "remediation_state": "Fixed",
         "comment": "NoSir",
     }
     assert url == "/appservices/v6/orgs/Z100/threat/workflow/_criteria"
     assert body == expected_body
     _was_called = True
     return StubResponse({"request_id": "497ABX"})
예제 #12
 def _bypass(url, body, **kwargs):
     """Stand-in for a BYPASS device action with the toggle turned OFF.

     Pins the action type, the single device id and ``toggle: OFF``,
     records the call in the enclosing test's ``_was_called`` flag, and
     returns an empty 204 response. This test only covers the OFF
     direction of the toggle.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == {
         "action_type": "BYPASS",
         "device_id": [6023],
         "options": {"toggle": "OFF"},
     }
     _was_called = True
     return StubResponse(None, 204)
예제 #13
 def _update_policy(url, body, **kwargs):
     """Stand-in for an UPDATE_POLICY device action on one device.

     Pins the action type, the device id list and the target policy id,
     records the call in the enclosing test's ``_was_called`` flag, and
     returns an empty 204 response.
     """
     nonlocal _was_called
     expected_body = {
         "action_type": "UPDATE_POLICY",
         "device_id": [6023],
         "options": {"policy_id": 8675309},
     }
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #14
 def _quarantine(url, body, **kwargs):
     """Stand-in for a QUARANTINE device action (toggle ON) on one device.

     Pins the action type, device id and toggle, records the call in the
     enclosing test's ``_was_called`` flag, and returns an empty 204.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     expected_body = {
         "action_type": "QUARANTINE",
         "device_id": [6023],
         "options": {"toggle": "ON"},
     }
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #15
 def _background_scan(url, body, **kwargs):
     """Stand-in for a BACKGROUND_SCAN device action (toggle ON) on one device.

     Pins the action type, device id and toggle, records the call in the
     enclosing test's ``_was_called`` flag, and returns an empty 204.
     """
     nonlocal _was_called
     expected_body = {
         "action_type": "BACKGROUND_SCAN",
         "device_id": [6023],
         "options": {"toggle": "ON"},
     }
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #16
 def _run_facets(url, body, **kwargs):
     """Stand-in for a LiveQuery device-summary facet request.

     Pins the query, the device-name criterion and the three facet fields,
     records the call in the enclosing test's ``_was_called`` flag, and
     returns two canned buckets (``<field>1`` total 1, ``<field>2`` total 2)
     for each of alpha, bravo and charlie.
     """
     nonlocal _was_called
     facet_fields = ["alpha", "bravo", "charlie"]
     expected_body = {
         "query": "xyzzy",
         "criteria": {"device_name": ["AxCx", "A7X"]},
         "terms": {"fields": facet_fields},
     }
     assert url == "/livequery/v1/orgs/Z100/runs/abcdefg/results/device_summaries/_facet"
     assert body == expected_body
     _was_called = True

     def _bucket(field_name, ordinal):
         # Both id and name are "<field><ordinal>"; total equals the ordinal.
         label = f"{field_name}{ordinal}"
         return {"total": ordinal, "id": label, "name": label}

     term_results = [
         {"field": field_name, "values": [_bucket(field_name, 1), _bucket(field_name, 2)]}
         for field_name in facet_fields
     ]
     return StubResponse({"terms": term_results})
예제 #17
 def _uninstall_sensor(url, body, **kwargs):
     """Stand-in for an UNINSTALL_SENSOR action scoped by a search.

     Pins the action type and the search block, records the call in the
     enclosing test's ``_was_called`` flag, and returns an empty 204.
     NOTE(review): criteria and exclusions are both empty here, so the set
     of devices this destructive action would hit is determined solely by
     the free-text query ``foobar``; the stub does not constrain that.
     """
     nonlocal _was_called
     search_scope = {"query": "foobar", "criteria": {}, "exclusions": {}}
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == {"action_type": "UNINSTALL_SENSOR", "search": search_scope}
     _was_called = True
     return StubResponse(None, 204)
예제 #18
 def _update_sensor_version(url, body, **kwargs):
     """Stand-in for an UPDATE_SENSOR_VERSION action on one device.

     Pins the action type, device id and the per-OS version map
     (``RHEL`` -> ``2.3.4.5``), records the call in the enclosing test's
     ``_was_called`` flag, and returns an empty 204.
     """
     nonlocal _was_called
     version_map = {"RHEL": "2.3.4.5"}
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == {
         "action_type": "UPDATE_SENSOR_VERSION",
         "device_id": [6023],
         "options": {"sensor_version": version_map},
     }
     _was_called = True
     return StubResponse(None, 204)
예제 #19
 def _do_dismiss(url, body, **kwargs):
     """Stand-in for bulk-dismissing VMware alerts selected by query/criteria.

     Pins the query, DISMISSED state, remediation state, comment and the
     device-name criterion, records the call in the enclosing test's
     ``_was_called`` flag, and returns a canned asynchronous request id.
     """
     nonlocal _was_called
     expected_body = {
         "query": "Blort",
         "state": "DISMISSED",
         "remediation_state": "Fixed",
         "comment": "Yessir",
         "criteria": {"device_name": ["HAL9000"]},
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/vmware/workflow/_criteria"
     assert body == expected_body
     _was_called = True
     return StubResponse({"request_id": "497ABX"})
예제 #20
 def _run_summaries(url, body, **kwargs):
     """Stand-in for a LiveQuery device-summary search.

     Pins the query, device-name criterion, ascending device_name sort and
     ``start`` 0, records the call in the enclosing test's ``_was_called``
     flag, and returns two canned device summaries, each with the same two
     zero-valued metrics (``aaa`` and ``bbb``).
     """
     nonlocal _was_called
     expected_body = {
         "query": "foo",
         "criteria": {"device_name": ["AxCx", "A7X"]},
         "sort": [{"field": "device_name", "order": "ASC"}],
         "start": 0,
     }
     assert url == "/livequery/v1/orgs/Z100/runs/abcdefg/results/device_summaries/_search"
     assert body == expected_body
     _was_called = True

     def _summary(summary_id, total_results, device_id):
         # Fresh metric dicts per summary so the two entries share no objects.
         return {
             "id": summary_id,
             "total_results": total_results,
             "device_id": device_id,
             "metrics": [{"key": "aaa", "value": 0.0}, {"key": "bbb", "value": 0.0}],
         }

     page = {
         "org_key": "Z100",
         "num_found": 2,
         "results": [_summary("ghijklm", 2, 314159), _summary("mnopqrs", 3, 271828)],
     }
     return StubResponse(page)
예제 #21
 def _background_scan(url, body, **kwargs):
     """Stand-in for a BACKGROUND_SCAN action (toggle ON) scoped by a search.

     Pins the action type, the search block and the toggle, records the call
     in the enclosing test's ``_was_called`` flag, and returns an empty 204.
     NOTE(review): criteria and exclusions are empty, so the affected device
     set is determined solely by the free-text query ``foobar``.
     """
     nonlocal _was_called
     search_scope = {"query": "foobar", "criteria": {}, "exclusions": {}}
     expected_body = {
         "action_type": "BACKGROUND_SCAN",
         "search": search_scope,
         "options": {"toggle": "ON"},
     }
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #22
 def _quarantine(url, body, **kwargs):
     """Stand-in for a QUARANTINE action (toggle ON) scoped by a search.

     Pins the action type, the search block and the toggle, records the call
     in the enclosing test's ``_was_called`` flag, and returns an empty 204.
     NOTE(review): criteria and exclusions are empty, so which devices get
     quarantined is determined solely by the free-text query ``foobar``.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     search_scope = {"query": "foobar", "criteria": {}, "exclusions": {}}
     assert body == {
         "action_type": "QUARANTINE",
         "search": search_scope,
         "options": {"toggle": "ON"},
     }
     _was_called = True
     return StubResponse(None, 204)
예제 #23
 def _update_policy(url, body, **kwargs):
     """Stand-in for an UPDATE_POLICY action scoped by a search.

     Pins the action type, the search block and the target policy id,
     records the call in the enclosing test's ``_was_called`` flag, and
     returns an empty 204.
     NOTE(review): criteria and exclusions are empty, so the set of devices
     moved to policy 8675309 is determined solely by the query ``foobar``.
     """
     nonlocal _was_called
     search_scope = {"query": "foobar", "criteria": {}, "exclusions": {}}
     expected_body = {
         "action_type": "UPDATE_POLICY",
         "search": search_scope,
         "options": {"policy_id": 8675309},
     }
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #24
 def _do_update(url, body, **kwargs):
     """Stand-in for updating the workflow of the single threat ``B0RG``.

     Pins the per-threat workflow path and the state/remediation/comment
     body, records the call in the enclosing test's ``_was_called`` flag,
     and returns the canned updated workflow record. The threat id is part
     of the path; this stub only checks the final string, not how it was
     built or encoded.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/threat/B0RG/workflow"
     assert body == {
         "state": "OPEN",
         "remediation_state": "Fixed",
         "comment": "NoSir",
     }
     _was_called = True
     updated_workflow = {
         "state": "OPEN",
         "remediation": "Fixed",
         "comment": "NoSir",
         "changed_by": "Robocop",
         "last_update_time": "2019-10-31T16:03:13.951Z",
     }
     return StubResponse(updated_workflow)
예제 #25
 def _do_dismiss(url, body, **kwargs):
     """Stand-in for dismissing the single alert ``ESD14U2C``.

     Pins the per-alert workflow path and the DISMISSED state, remediation
     state and comment, records the call in the enclosing test's
     ``_was_called`` flag, and returns the canned updated workflow record.
     The alert id is part of the path; only the final string is checked.
     """
     nonlocal _was_called
     expected_body = {
         "state": "DISMISSED",
         "remediation_state": "Fixed",
         "comment": "Yessir",
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/ESD14U2C/workflow"
     assert body == expected_body
     _was_called = True
     return StubResponse({
         "state": "DISMISSED",
         "remediation": "Fixed",
         "comment": "Yessir",
         "changed_by": "Robocop",
         "last_update_time": "2019-10-31T16:03:13.951Z",
     })
예제 #26
 def _run_query(url, body, **kwargs):
     """Stand-in for a watchlist alert search using every criterion.

     Pins the complete criteria set (common alert criteria plus the
     watchlist id/name) and the sort order, records the call in the
     enclosing test's ``_was_called`` flag, and returns one canned OPEN
     alert.
     NOTE(review): the ``process_sha256`` fixture value is 32 hex characters
     (MD5 length, not SHA-256's 64); the stub passes it through as given, so
     nothing here exercises hash-format validation.
     """
     nonlocal _was_called
     criteria = {
         "category": ["SERIOUS", "CRITICAL"],
         "device_id": [6023],
         "device_name": ["HAL"],
         "device_os": ["LINUX"],
         "device_os_version": ["0.1.2"],
         "device_username": ["JRN"],
         "group_results": True,
         "id": ["S0L0"],
         "legacy_alert_id": ["S0L0_1"],
         "minimum_severity": 6,
         "policy_id": [8675309],
         "policy_name": ["Strict"],
         "process_name": ["IEXPLORE.EXE"],
         "process_sha256": ["0123456789ABCDEF0123456789ABCDEF"],
         "reputation": ["SUSPECT_MALWARE"],
         "tag": ["Frood"],
         "target_value": ["HIGH"],
         "threat_id": ["B0RG"],
         "type": ["WATCHLIST"],
         "workflow": ["OPEN"],
         # Watchlist-specific criteria.
         "watchlist_id": ["100"],
         "watchlist_name": ["Gandalf"],
     }
     assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_search"
     assert body == {
         "query": "Blort",
         "criteria": criteria,
         "sort": [{"field": "name", "order": "DESC"}],
     }
     _was_called = True
     alert = {
         "id": "S0L0",
         "org_key": "Z100",
         "threat_id": "B0RG",
         "workflow": {"state": "OPEN"},
     }
     return StubResponse({"results": [alert], "num_found": 1})
예제 #27
 def _update_sensor_version(url, body, **kwargs):
     """Stand-in for an UPDATE_SENSOR_VERSION action scoped by a search.

     Pins the action type, the search block and the per-OS version map
     (``RHEL`` -> ``2.3.4.5``), records the call in the enclosing test's
     ``_was_called`` flag, and returns an empty 204.
     NOTE(review): criteria and exclusions are empty, so the devices that
     would be upgraded are determined solely by the query ``foobar``.
     """
     nonlocal _was_called
     search_scope = {"query": "foobar", "criteria": {}, "exclusions": {}}
     version_map = {"RHEL": "2.3.4.5"}
     expected_body = {
         "action_type": "UPDATE_SENSOR_VERSION",
         "search": search_scope,
         "options": {"sensor_version": version_map},
     }
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)
예제 #28
 def _run_query(url, body, **kwargs):
     """Stand-in for a device search with a relative last-contact window.

     Pins the query, the ``last_contact_time`` range ``-3w`` and an empty
     exclusions block, records the call in the enclosing test's
     ``_was_called`` flag, and returns a canned one-device result page.
     """
     nonlocal _was_called
     assert url == "/appservices/v6/orgs/Z100/devices/_search"
     expected_body = {
         "query": "foobar",
         "criteria": {"last_contact_time": {"range": "-3w"}},
         "exclusions": {},
     }
     assert body == expected_body
     _was_called = True
     device = {"id": 6023, "organization_name": "thistestworks"}
     return StubResponse({"results": [device], "num_found": 1})
예제 #29
 def _run_query(url, body, **kwargs):
     """Stand-in for submitting a minimal LiveQuery run.

     Pins a body holding only the SQL text and an empty ``device_filter``
     (no name, no notify flag), records the call in the enclosing test's
     ``_was_called`` flag, and returns a canned run descriptor. What the
     server does with an empty device filter is not pinned here.
     """
     nonlocal _was_called
     assert url == "/livequery/v1/orgs/Z100/runs"
     expected_body = {"sql": "select * from whatever;", "device_filter": {}}
     assert body == expected_body
     _was_called = True
     run = {"org_key": "Z100", "name": "FoobieBletch", "id": "abcdefg"}
     return StubResponse(run)
예제 #30
 def _uninstall_sensor(url, body, **kwargs):
     """Stand-in for an UNINSTALL_SENSOR action targeting one device by id.

     Pins the action type and the single-element device id list (no options
     block), records the call in the enclosing test's ``_was_called`` flag,
     and returns an empty 204.
     """
     nonlocal _was_called
     expected_body = {"action_type": "UNINSTALL_SENSOR", "device_id": [6023]}
     assert url == "/appservices/v6/orgs/Z100/device_actions"
     assert body == expected_body
     _was_called = True
     return StubResponse(None, 204)