def data_providers():
"""Return dict of providers."""
return {
"az_sent_prov": QueryProvider("AzureSentinel"),
"mdatp_prov": QueryProvider("MDATP"),
"splunk_prov": QueryProvider("Splunk"),
"ti_lookup": TILookup(),
"geolite": GeoLiteLookup(),
"ip_stack": IPStackLookup(),
}
def qry_provider():
"""Query Provider fixture."""
Path(_SAVE_FOLDER).mkdir(exist_ok=True)
abs_path = Path(".").absolute()
qry_prov = QueryProvider("Mordor", save_folder=f"./{_SAVE_FOLDER}")
qry_prov.connect()
yield qry_prov
# remove downloaded file on cleanup
_cleanup_temp_files(_SAVE_FOLDER)
_cleanup_temp_files(abs_path.joinpath("mordor"))
def qry_provider():
"""Query Provider fixture."""
Path(_SAVE_FOLDER).mkdir(exist_ok=True)
qry_prov = QueryProvider("Mordor")
qry_prov.connect()
yield qry_prov
# remove downloaded file on cleanup
if _SAVE_PATH and Path(_SAVE_PATH).is_file():
Path(_SAVE_PATH).unlink()
for file in Path(_SAVE_FOLDER).glob("*"):
Path(file).unlink()
if Path(_SAVE_FOLDER).is_dir():
Path(_SAVE_FOLDER).rmdir()
def data_providers():
"""Return dict of providers."""
prov_dict = {}
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=UserWarning)
if _KQL_IMP_OK:
prov_dict["az_sent_prov"] = QueryProvider("AzureSentinel")
prov_dict["mdatp_prov"] = QueryProvider("MDE")
if _SPLUNK_IMP_OK:
prov_dict["splunk_prov"] = QueryProvider("Splunk")
prov_dict["ti_lookup"] = TILookup()
prov_dict["geolite"] = GeoLiteLookup()
if _IPSTACK_IMP_OK:
prov_dict["ip_stack"] = ip_stack_cls()
return prov_dict
def data_providers():
"""Return dict of providers."""
data_path = Path(get_test_data_path()) / "localdata"
return {
"LocalData":
QueryProvider("LocalData",
data_paths=[str(data_path)],
query_paths=[str(data_path)]),
}
def data_providers():
"""Return dict of providers."""
data_path = Path(get_test_data_path()) / "localdata"
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=UserWarning)
return {
"LocalData": QueryProvider(
"LocalData", data_paths=[str(data_path)], query_paths=[str(data_path)]
),
}
def verify_host_name(
qry_prov: QueryProvider, host_name: str, timespan: TimeSpan = None, **kwargs
) -> HostNameVerif:
"""
Verify unique hostname by checking Win and Linux logs.
Parameters
----------
qry_prov : QueryProvider
Kql query provider
timespan : TimeSpan
Time span over which to query
host_name : str
The full or partial hostname.
Returns
-------
HostNameVerif
Tuple[Optional[str], Optional[str], Optional[Dict[str, str]]]
Named tuple HostNameVerif
fields: host_name, host_type, host_names
If unique hostname found, host_name is populated.
If multiple matching hostnames found, host_names is
populated and host_name is None.
host_type is either Windows or Linux.
If no matching host then all fields are None.
"""
# Check if a time span is provide as TimeSpan object or start and end parameters
if timespan is None and ("start" in kwargs and "end" in kwargs):
start = kwargs["start"]
end = kwargs["end"]
elif timespan is not None:
start = timespan.start
end = timespan.end
else:
raise MsticnbMissingParameterError("timespan")
host_names: Dict = {}
# Check for Windows hosts matching host_name
if "SecurityEvent" in qry_prov.schema_tables:
sec_event_host = f"""
SecurityEvent
| where TimeGenerated between (datetime({start})..datetime({end}))
| where Computer has "{host_name}"
| distinct Computer
"""
nb_data_wait("SecurityEvent")
win_hosts_df = qry_prov.exec_query(sec_event_host)
if win_hosts_df is not None and not win_hosts_df.empty:
for host in win_hosts_df["Computer"].to_list():
host_names.update({host: "Windows"})
# Check for Linux hosts matching host_name
if "Syslog" in qry_prov.schema_tables:
syslog_host = f"""
Syslog
| where TimeGenerated between (datetime({start})..datetime({end}))
| where Computer has "{host_name}"
| distinct Computer
"""
nb_data_wait("Syslog")
lx_hosts_df = qry_prov.exec_query(syslog_host)
if lx_hosts_df is not None and not lx_hosts_df.empty:
for host in lx_hosts_df["Computer"].to_list():
host_names.update({host: "Linux"})
# If we have more than one host let the user decide
if len(host_names.keys()) > 1:
print(
f"Multiple matches for '{host_name}'.",
"Please select a host and re-run.",
"\n".join(host_names.keys()),
)
return HostNameVerif(None, None, host_names)
if host_names:
unique_host = next(iter(host_names))
nb_print(f"Unique host found: {unique_host}")
return HostNameVerif(unique_host, host_names[unique_host], None)
nb_print(f"Host not found: {host_name}")
return HostNameVerif(None, None, None)
def azure_sentinel():
"""Fixture to get loaded Azure Sentinel Provider."""
return QueryProvider("AzureSentinel")
def query_prov():
"""Test fixture to create query provider."""
return QueryProvider("LocalData")
pass
def run_line_magic(self, *args, **kwargs):
if kwargs.get("line") == "--schema":
return {}
def find_magic(self, *args, **kwargs):
return True
def get_mock_ip():
return mock_ip()
test_data_provider = KqlTestDriver()
qry_prov = QueryProvider(data_environment="LogAnalytics", driver=test_data_provider)
class TestASKqlTIProvider(unittest.TestCase):
"""Unit test class."""
def test_ti_config_and_load(self):
test_config1 = Path(_TEST_DATA).joinpath("msticpyconfig-askql.yaml")
with custom_mp_config(test_config1):
ti_settings = get_provider_settings()
self.assertIsInstance(ti_settings, dict)
self.assertGreaterEqual(1, len(ti_settings))
# Try to load TIProviders - should throw a warning on
# missing provider class
def setUp(self):
test_data_provider = KqlTestDriver()
self.qry_prov = QueryProvider(data_environment="LogAnalytics",
driver=test_data_provider)
def azure_sentinel():
"""Fixture to get loaded Azure Sentinel Provider."""
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=UserWarning)
return QueryProvider("AzureSentinel")