def create_event_filter_by_cursor_test():
"""
Test that we create a correct event filter from an existing cursor
"""
valid_cursor = "1234567890:1234567890"
invalid_cursors = ["1234567890:",
":1234567890",
":",
"",
" ",
"1234567890a:1234567890",
"1234567890:a1234567890",
"1234567890a:a1234567890",
"1234567890::1234567890"
]
event_filter = c42api.create_filter_by_cursor(valid_cursor)
assert event_filter == {'cursor':valid_cursor}
for invalid_cursor in invalid_cursors:
try:
c42api.create_filter_by_cursor(invalid_cursor)
assert False
except ValueError:
pass
def create_event_filter_by_cursor_test():
"""
Test that we create a correct event filter from an existing cursor
"""
valid_cursor = "1234567890:1234567890"
invalid_cursors = [
"1234567890:", ":1234567890", ":", "", " ", "1234567890a:1234567890",
"1234567890:a1234567890", "1234567890a:a1234567890",
"1234567890::1234567890"
]
event_filter = c42api.create_filter_by_cursor(valid_cursor)
assert event_filter == {'cursor': valid_cursor}
for invalid_cursor in invalid_cursors:
try:
c42api.create_filter_by_cursor(invalid_cursor)
assert False
except ValueError:
pass
def fetch_detection_events_test():
"""
Test we fetch detection events in an expected way
"""
cursor_string = generate_cursor()
device_guids = [1, 2, 3]
event_filters = ['word'] * 3
guids_and_filters = zip(device_guids, event_filters)
expected_results = {}
for device_guid in device_guids:
expected_results[str(device_guid)] = [
'word', generate_detection_events(random.randint(1, 20))
]
event_filter = c42api.create_filter_by_cursor(cursor_string)
def mock_fetch_detection_events_for_device(server, device_guid,
event_filter):
"""
Mock Func
"""
return expected_results[str(device_guid)][0], expected_results[str(
device_guid)][1]
def mock_fetch_security_plan(server, device_guid):
"""
Mock Func
"""
return {'planUid': 12312123}
def mock_storage_servers(authority, plan_uids=None, device_guid=None):
"""
Mock Func
"""
return basic_server(), 1232
c42api.security_event_restore._fetch_detection_events_for_device = mock_fetch_detection_events_for_device
c42api.security_event_restore._fetch_security_plan = mock_fetch_security_plan
c42api.security_event_restore.fetch_storage.storage_servers = mock_storage_servers
for device_guid, cursor, detection_events in c42api.fetch_detection_events(
basic_server(), guids_and_filters):
assert (device_guid in device_guids
and cursor == expected_results[str(device_guid)][0]
and detection_events == expected_results[str(device_guid)][1])
def fetch_detection_events_test():
"""
Test we fetch detection events in an expected way
"""
cursor_string = generate_cursor()
device_guids = [1, 2, 3]
event_filters = ['word'] * 3
guids_and_filters = zip(device_guids, event_filters)
expected_results = {}
for device_guid in device_guids:
expected_results[str(device_guid)] = [
'word',
generate_detection_events(random.randint(1, 20))
]
event_filter = c42api.create_filter_by_cursor(cursor_string)
def mock_fetch_detection_events_for_device(server, device_guid, event_filter):
"""
Mock Func
"""
return expected_results[str(device_guid)][0], expected_results[str(device_guid)][1]
def mock_fetch_security_plan(server, device_guid):
"""
Mock Func
"""
return {'planUid':12312123}
def mock_storage_servers(authority, plan_uids=None, device_guid=None):
"""
Mock Func
"""
return basic_server(), 1232
c42api.security_event_restore._fetch_detection_events_for_device = mock_fetch_detection_events_for_device
c42api.security_event_restore._fetch_security_plan = mock_fetch_security_plan
c42api.security_event_restore.fetch_storage.storage_servers = mock_storage_servers
for device_guid, cursor, detection_events in c42api.fetch_detection_events(basic_server(), guids_and_filters):
assert (device_guid in device_guids
and cursor == expected_results[str(device_guid)][0]
and detection_events == expected_results[str(device_guid)][1])
def _run():
"""
Run through Splunk
"""
server, config_dict = common.setup()
events_dir = os.path.join(common.app_home(), 'events')
cursor_path = os.path.join(events_dir, 'security-lastRun')
if not os.path.exists(events_dir):
os.makedirs(events_dir)
devices = config_dict['devices']
device_guids = c42api.devices(server, devices)
cursors_dict = _try_read_cursor(cursor_path)
event_filters = []
for device_guid in device_guids:
try:
cursor = cursors_dict[device_guid]
event_filter = c42api.create_filter_by_cursor(cursor)
event_filters.append(event_filter)
except (KeyError, TypeError):
event_filter = c42api.create_filter_by_utc_datetime(datetime.utcfromtimestamp(0), datetime.utcnow())
event_filters.append(event_filter)
guids_and_filters = zip(device_guids, event_filters)
cursors_dict = cursors_dict if cursors_dict else {}
for guid, cursor, detection_events in c42api.fetch_detection_events(server, guids_and_filters):
if not cursor or not detection_events:
continue
cursors_dict[guid] = cursor
c42api.write_json_splunk(sys.stdout, detection_events)
_write_cursor(cursor_path, cursors_dict)
