def test_to_cef_includes_removable_media_serial_number_if_present(
    mock_file_event_removable_media_event,
):
    """Check that a removable-media event yields ``cs4=TEST_SERIAL_NUMBER``."""
    cef_line = to_cef(mock_file_event_removable_media_event)
    assert key_value_pair_in_cef_extension("cs4", "TEST_SERIAL_NUMBER", cef_line)
def test_to_cef_includes_removable_media_serial_number_label_if_present(
    mock_file_event_removable_media_event,
):
    """Check that ``cs4Label`` names the serial-number custom string."""
    # Without the label a consumer cannot tell what the cs4 value means.
    field, label = "cs4Label", "Code42AEDRemovableMediaSerialNumber"
    cef_line = to_cef(mock_file_event_removable_media_event)
    assert key_value_pair_in_cef_extension(field, label, cef_line)
def test_to_cef_includes_removable_media_bus_type_label_if_present(
    mock_file_event_removable_media_event,
):
    """Check that ``cs1Label`` names the removable-media bus-type custom string."""
    field, label = "cs1Label", "Code42AEDRemovableMediaBusType"
    cef_line = to_cef(mock_file_event_removable_media_event)
    assert key_value_pair_in_cef_extension(field, label, cef_line)
def test_to_cef_includes_removable_media_name_if_present(
    mock_file_event_removable_media_event,
):
    """Check that a removable-media event yields ``cs3=TEST_NAME``."""
    cef_line = to_cef(mock_file_event_removable_media_event)
    assert key_value_pair_in_cef_extension("cs3", "TEST_NAME", cef_line)
def test_to_cef_includes_removable_media_capacity_if_present(
    mock_file_event_removable_media_event,
):
    """Check that a removable-media event yields ``cn1=5000000``."""
    # The expected value is passed as a string, as in the other tests here.
    cef_line = to_cef(mock_file_event_removable_media_event)
    assert key_value_pair_in_cef_extension("cn1", "5000000", cef_line)
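def test_to_cef_excludes_file_event_fields_not_in_cef_map(mock_file_event):
    """Check that an event field with no CEF mapping is absent from the output.

    A marker value is stored under an unmapped key, the event is converted,
    and the last element returned by ``get_cef_parts`` (presumably the CEF
    extension) is checked for that marker.
    """
    test_value = "definitelyExcludedValue"
    mock_file_event["unmappedFieldName"] = test_value
    try:
        cef_out = to_cef(mock_file_event)
        cef_parts = get_cef_parts(cef_out)
    finally:
        # Remove the injected key even when the conversion raises; otherwise
        # it stays on the fixture object (this matters if the fixture is
        # shared between tests -- its scope is not visible here).
        del mock_file_event["unmappedFieldName"]
    assert test_value not in cef_parts[-1]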
def test_to_cef_includes_email_sender_if_present(mock_file_event_email_event):
    """Check that an email event yields ``suser=TEST_EMAIL_SENDER``."""
    cef_line = to_cef(mock_file_event_email_event)
    assert key_value_pair_in_cef_extension("suser", "TEST_EMAIL_SENDER", cef_line)
def test_to_cef_includes_sync_destination_if_present(
    mock_file_event_cloud_activity_event,
):
    """Check that ``destinationServiceName`` carries the sync destination."""
    field, value = "destinationServiceName", "TEST_SYNC_DESTINATION"
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension(field, value, cef_line)
def test_to_cef_includes_correct_event_name_and_signature_id_for_emailed(
    mock_file_event_email_event,
):
    """Check that an ``EMAILED`` event is given signature id ``C42204``."""
    # NOTE(review): eventType is overwritten on the fixture and not restored;
    # confirm the fixture is function-scoped so later tests are unaffected.
    mock_file_event_email_event["eventType"] = "EMAILED"
    cef_line = to_cef(mock_file_event_email_event)
    assert event_name_assigned_correct_signature_id("EMAILED", "C42204", cef_line)
def test_to_cef_includes_actor_if_present(mock_file_event_cloud_activity_event):
    """Check that a cloud-activity event reports its actor in ``suser``."""
    # NOTE(review): the expected literal looks like a masked address rather
    # than real fixture data; confirm it matches the fixture's actor value.
    masked_actor = "*****@*****.**"
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension("suser", masked_actor, cef_line)
def test_to_cef_includes_email_recipients_if_present(mock_file_event_email_event):
    """Check that an email event reports its recipients, comma-joined, in ``duser``."""
    # NOTE(review): the expected literal looks like an address-protection
    # placeholder rather than real fixture data; confirm against the fixture.
    recipients = "[email protected],[email protected]"
    cef_line = to_cef(mock_file_event_email_event)
    assert key_value_pair_in_cef_extension("duser", recipients, cef_line)
def test_to_cef_includes_tab_url_if_present(mock_file_event_cloud_activity_event):
    """Check that a cloud-activity event yields ``request=TEST_TAB_URL``."""
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension("request", "TEST_TAB_URL", cef_line)
def test_to_cef_includes_window_title_if_present(
    mock_file_event_cloud_activity_event,
):
    """Check that ``requestClientApplication`` carries the window title."""
    field, value = "requestClientApplication", "TEST_WINDOW_TITLE"
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension(field, value, cef_line)
def test_to_cef_includes_cloud_drive_id_if_present(
    mock_file_event_cloud_activity_event,
):
    """Check that a cloud-activity event yields ``aid=TEST_CLOUD_DRIVE_ID``."""
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension("aid", "TEST_CLOUD_DRIVE_ID", cef_line)
def test_to_cef_includes_shared_with_if_present(mock_file_event_cloud_activity_event):
    """Check that a cloud-activity event reports its share targets in ``duser``."""
    # NOTE(review): the expected literal looks like an address-protection
    # placeholder rather than real fixture data; confirm against the fixture.
    shared_with = "[email protected],[email protected]"
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension("duser", shared_with, cef_line)
def test_to_cef_includes_correct_event_name_and_signature_id_for_read_by_app(
    mock_file_event,
):
    """Check that a ``READ_BY_APP`` event is given signature id ``C42203``."""
    # NOTE(review): eventType is overwritten on the fixture and not restored;
    # confirm the fixture is function-scoped so later tests are unaffected.
    mock_file_event["eventType"] = "READ_BY_APP"
    cef_line = to_cef(mock_file_event)
    assert event_name_assigned_correct_signature_id("READ_BY_APP", "C42203", cef_line)
def test_to_cef_includes_url_if_present(mock_file_event_cloud_activity_event):
    """Check that a cloud-activity event reports its URL in ``filePath``."""
    cef_line = to_cef(mock_file_event_cloud_activity_event)
    assert key_value_pair_in_cef_extension(
        "filePath", "https://www.example.com", cef_line
    )
def test_to_cef_includes_correct_event_name_and_signature_id_for_modified(
    mock_file_event,
):
    """Check that a ``MODIFIED`` event is given signature id ``C42201``."""
    # NOTE(review): eventType is overwritten on the fixture and not restored;
    # confirm the fixture is function-scoped so later tests are unaffected.
    mock_file_event["eventType"] = "MODIFIED"
    cef_line = to_cef(mock_file_event)
    assert event_name_assigned_correct_signature_id("MODIFIED", "C42201", cef_line)
def test_to_cef_includes_correct_event_name_and_signature_id_for_deleted(
    mock_file_event,
):
    """Check that a ``DELETED`` event is given signature id ``C42202``."""
    # NOTE(review): eventType is overwritten on the fixture and not restored;
    # confirm the fixture is function-scoped so later tests are unaffected.
    mock_file_event["eventType"] = "DELETED"
    cef_line = to_cef(mock_file_event)
    assert event_name_assigned_correct_signature_id("DELETED", "C42202", cef_line)
def test_to_cef_includes_file_name_if_present(mock_file_event):
    """Check that the file event yields ``fname=InfoPlist.strings``."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("fname", "InfoPlist.strings", cef_line)
def test_to_cef_includes_device_uid_if_present(mock_file_event):
    """Check that ``deviceExternalId`` carries the device UID."""
    field, device_uid = "deviceExternalId", "912339407325443353"
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension(field, device_uid, cef_line)
def test_to_cef_includes_event_id_if_present(mock_file_event):
    """Check that ``externalId`` carries the event id."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension(
        "externalId",
        "0_1d71796f-af5b-4231-9d8e-df6434da4663_912339407325443353_918253081700247636_16",
        cef_line,
    )
def test_to_cef_includes_process_name_if_present(mock_file_event):
    """Check that ``sproc`` carries the process path."""
    # The value contains spaces. Whether the helper matches the whole value
    # or only a prefix is not visible here, so truncation may go unnoticed.
    process_path = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("sproc", process_path, cef_line)
def test_to_cef_includes_exposure_if_present(mock_file_event):
    """Check that the file event yields ``reason=ApplicationRead``."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("reason", "ApplicationRead", cef_line)
def test_to_cef_includes_file_category_if_present(mock_file_event):
    """Check that the file event yields ``fileType=UNCATEGORIZED``."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("fileType", "UNCATEGORIZED", cef_line)
def test_to_cef_includes_file_size_if_present(mock_file_event):
    """Check that the file event yields ``fsize=86``."""
    # The expected value is passed as a string, as in the other tests here.
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("fsize", "86", cef_line)
def test_to_cef_includes_domain_name_if_present(mock_file_event):
    """Check that the file event yields ``dvchost=192.168.0.3``."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("dvchost", "192.168.0.3", cef_line)
def test_to_cef_includes_source_if_present(mock_file_event):
    """Check that the file event yields ``sourceServiceName=Endpoint``."""
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("sourceServiceName", "Endpoint", cef_line)
def test_to_cef_includes_insertion_timestamp_if_present(mock_file_event):
    """Check that ``rt`` carries the insertion timestamp."""
    # NOTE(review): the expected value looks like epoch milliseconds -- confirm.
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("rt", "1568069262724", cef_line)
def test_to_cef_includes_file_path_if_present(mock_file_event):
    """Check that ``filePath`` carries the file's directory path."""
    # The value contains a space. Whether the helper matches the whole value
    # or only a prefix is not visible here, so truncation may go unnoticed.
    directory = "/Users/testtesterson/Downloads/About Downloads.lpdf/Contents/Resources/English.lproj/"
    cef_line = to_cef(mock_file_event)
    assert key_value_pair_in_cef_extension("filePath", directory, cef_line)