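def test_prepare_fetch_incidents_query():
    """Exercise the three query-building paths of prepare_fetch_incidents_query.

    1. Subtype/severity lists only: each list is rendered as an OR-group
       inside the WHERE clause.
    2. A fetch filter query combined with subtype/severity: the function must
       raise DemistoException (the two mechanisms are mutually exclusive).
    3. A fetch filter query with empty subtype/severity lists: the filter text
       is inserted into the WHERE clause as-is.
    """
    from CortexDataLake import prepare_fetch_incidents_query
    timestamp = '2020-02-20T16:49:05'
    firewall_subtype = ['attack', 'url']
    fetch_fields = "*"
    firewall_severity = ['Critical', 'High']
    table_name = "firewall.threat"
    fetch_limit = 10

    # Case 1: subtype and severity filters only.
    expected_response = ('SELECT * FROM `firewall.threat` WHERE '
                         'time_generated Between TIMESTAMP("2020-02-20T16:49:05") '
                         'AND CURRENT_TIMESTAMP AND'
                         ' (sub_type.value = "attack" OR sub_type.value = "url") AND'
                         ' (vendor_severity.value = "Critical" OR vendor_severity.value = "High") '
                         'ORDER BY time_generated ASC '
                         'LIMIT 10')
    assert expected_response == prepare_fetch_incidents_query(
        timestamp, firewall_severity, table_name, firewall_subtype,
        fetch_fields, fetch_limit)

    # Case 2: filter_query together with subtype/severity must be rejected.
    # The `else` branch makes the test fail when nothing is raised; a bare
    # try/except would silently pass in that situation.
    filter_query = 'dest_port = 54321 AND session_id = 97425'
    try:
        prepare_fetch_incidents_query(timestamp, firewall_severity, table_name,
                                      firewall_subtype, fetch_fields,
                                      fetch_limit, filter_query)
    except DemistoException as e:
        assert 'Fetch Filter parameter cannot be used with Subtype/Severity parameters' in str(e)
    else:
        raise AssertionError(
            'prepare_fetch_incidents_query did not raise DemistoException '
            'when filter_query was combined with subtype/severity filters')

    # Case 3: filter_query alone. The expected string shows the filter text
    # placed verbatim between the time range and ORDER BY.
    # NOTE(review): this only covers a well-formed filter; how the function
    # treats quoting or extra clauses in filter_query is not asserted here —
    # confirm that it is validated before reaching the query builder.
    firewall_severity = []
    firewall_subtype = []
    expected_response = ('SELECT * FROM `firewall.threat` WHERE '
                         'time_generated Between TIMESTAMP("2020-02-20T16:49:05") '
                         'AND CURRENT_TIMESTAMP AND'
                         ' dest_port = 54321 AND session_id = 97425 '
                         'ORDER BY time_generated ASC '
                         'LIMIT 10')
    assert expected_response == prepare_fetch_incidents_query(
        timestamp, firewall_severity, table_name, firewall_subtype,
        fetch_fields, fetch_limit, filter_query)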
def test_prepare_fetch_incidents_query():
    """Check the query built from subtype/severity filters and a fetch limit.

    Calls the four-argument form (timestamp, severity, subtype, limit). The
    expected query wraps the time range in TIME() and renders each filter
    list as an OR-group in the WHERE clause, ordered ascending by
    time_generated and capped by LIMIT.
    """
    from CortexDataLake import prepare_fetch_incidents_query

    fetch_limit = 10
    timestamp = '2020-02-20T16:49:05'
    firewall_severity = ['Critical', 'High']
    firewall_subtype = ['attack', 'url']

    # WHERE clause: TIME()-bounded range, then the two OR-groups.
    where_clause = (
        '(TIME(time_generated) Between TIME(TIMESTAMP("2020-02-20T16:49:05")) '
        'AND TIME(CURRENT_TIMESTAMP)) AND'
        ' (sub_type.value = "attack" OR sub_type.value = "url") AND'
        ' (vendor_severity.value = "Critical" OR vendor_severity.value = "High") '
    )
    expected_response = ''.join([
        'SELECT * FROM `firewall.threat` WHERE ',
        where_clause,
        'ORDER BY time_generated ASC ',
        'LIMIT 10',
    ])

    actual_response = prepare_fetch_incidents_query(
        timestamp, firewall_severity, firewall_subtype, fetch_limit)
    assert actual_response == expected_response