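def test_prepare_fetch_incidents_query():
    """Pin the SQL text produced by ``prepare_fetch_incidents_query``.

    Three cases are exercised:

    1. Sub-type and severity filters only: each list is rendered as a
       parenthesised OR-group inside the WHERE clause.
    2. A free-form ``filter_query`` together with sub-type/severity filters:
       the function must refuse the combination with a ``DemistoException``.
    3. A free-form ``filter_query`` with empty sub-type/severity lists: the
       filter text is spliced into the WHERE clause verbatim.

    The expected strings show the query is assembled by string interpolation;
    ``filter_query`` in particular appears in the SQL exactly as passed, so the
    values accepted for that parameter should come from trusted configuration
    rather than from untrusted input.
    """
    from CortexDataLake import prepare_fetch_incidents_query

    timestamp = '2020-02-20T16:49:05'
    firewall_subtype = ['attack', 'url']
    fetch_fields = "*"
    firewall_severity = ['Critical', 'High']
    table_name = "firewall.threat"
    fetch_limit = 10

    # Case 1: sub-type/severity lists become parenthesised OR-groups.
    expected_response = (
        'SELECT * FROM `firewall.threat` WHERE '
        'time_generated Between TIMESTAMP("2020-02-20T16:49:05") '
        'AND CURRENT_TIMESTAMP AND'
        ' (sub_type.value = "attack" OR sub_type.value = "url") AND'
        ' (vendor_severity.value = "Critical" OR vendor_severity.value = "High") '
        'ORDER BY time_generated ASC '
        'LIMIT 10'
    )
    assert expected_response == prepare_fetch_incidents_query(
        timestamp, firewall_severity, table_name, firewall_subtype, fetch_fields, fetch_limit)

    # Case 2: filter_query is mutually exclusive with sub-type/severity.
    # The ``else`` branch makes the test fail when no exception is raised;
    # without it an implementation that silently accepts both would pass.
    filter_query = 'dest_port = 54321 AND session_id = 97425'
    try:
        prepare_fetch_incidents_query(timestamp, firewall_severity, table_name, firewall_subtype,
                                      fetch_fields, fetch_limit, filter_query)
    except DemistoException as e:
        assert 'Fetch Filter parameter cannot be used with Subtype/Severity parameters' in str(e)
    else:
        raise AssertionError(
            'prepare_fetch_incidents_query accepted filter_query together with '
            'Subtype/Severity filters instead of raising DemistoException')

    # Case 3: with no sub-type/severity filters the filter text is used as-is.
    firewall_severity = []
    firewall_subtype = []
    expected_response = (
        'SELECT * FROM `firewall.threat` WHERE '
        'time_generated Between TIMESTAMP("2020-02-20T16:49:05") '
        'AND CURRENT_TIMESTAMP AND'
        ' dest_port = 54321 AND session_id = 97425 '
        'ORDER BY time_generated ASC '
        'LIMIT 10'
    )
    assert expected_response == prepare_fetch_incidents_query(
        timestamp, firewall_severity, table_name, firewall_subtype, fetch_fields, fetch_limit,
        filter_query)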
def test_prepare_fetch_incidents_query():
    """Check the WHERE/ORDER BY/LIMIT text built by ``prepare_fetch_incidents_query``.

    Only the positive path is covered: a start timestamp, a list of sub-types
    and a list of severities must be rendered as a TIME range plus two
    parenthesised OR-groups, ordered ascending by ``time_generated`` and
    capped by the fetch limit. The expected string shows the query is built
    by interpolating the given values into SQL text.
    """
    from CortexDataLake import prepare_fetch_incidents_query

    start_time = '2020-02-20T16:49:05'
    subtypes = ['attack', 'url']
    severities = ['Critical', 'High']
    limit = 10

    # Each list is expected to expand into an OR-group of quoted values.
    query_parts = (
        'SELECT * FROM `firewall.threat` WHERE ',
        '(TIME(time_generated) Between TIME(TIMESTAMP("2020-02-20T16:49:05")) ',
        'AND TIME(CURRENT_TIMESTAMP)) AND',
        ' (sub_type.value = "attack" OR sub_type.value = "url") AND',
        ' (vendor_severity.value = "Critical" OR vendor_severity.value = "High") ',
        'ORDER BY time_generated ASC ',
        'LIMIT 10',
    )
    expected_query = ''.join(query_parts)

    actual_query = prepare_fetch_incidents_query(start_time, severities, subtypes, limit)
    assert actual_query == expected_query