 def testInvalidType(self):
     """An unrecognised ``type`` must leave the record untouched and log nothing."""
     record = {"type": "<<Garbage>>", "name": "some name"}
     snapshot = copy.copy(record)
     name_mapping.update_fields(self.log, record)
     # Unknown types are ignored silently rather than reported as errors.
     self.assertEqual(len(self.output), 0)
     self.assertEqual(record, snapshot)
 def testUpdateNameDLPValid(self):
     """A DLP event whose ``name`` matches the handler gets its fields extracted."""
     raw_name = u"".join([
         u"An \u2033allow transfer on acceptance by user\u2033 action was taken.  ",
         u"Username: WIN10CLOUD2\\Sophos  Rule names: \u2032test\u2032  User action: File open  ",
         u"Application Name: Google Chrome  Data Control action: Allow  ",
         u"File type: Plain text (ASCII/UTF-8)  File size: 36  ",
         u"Source path: C:\\Users\\Sophos\\Desktop\\test.txt",
     ])
     record = {
         "type": "Event::Endpoint::DataLossPreventionUserAllowed",
         "name": raw_name,
     }
     # The username present in the raw name is expected to come back masked.
     wanted = {
         "type": "Event::Endpoint::DataLossPreventionUserAllowed",
         "name": "allow transfer on acceptance by user",
         "user": "******",
         "rule": "test",
         "user_action": "File open",
         "app_name": "Google Chrome",
         "action": "Allow",
         "file_type": "Plain text (ASCII/UTF-8)",
         "file_size": "36",
         "file_path": "C:\\Users\\Sophos\\Desktop\\test.txt",
     }
     name_mapping.update_fields(self.log, record)
     # Every wanted key/value pair must be present; extra keys are tolerated.
     for key, value in wanted.items():
         self.assertIn(key, record)
         self.assertEqual(record[key], value)
     self.assertEqual(len(self.output), 0)
 def testUpdateNameFromDescription(self):
     """With an empty ``type``, ``name`` is filled in from ``description``."""
     record = {"type": "", "description": "XXX"}
     wanted = dict(record, name="XXX")
     name_mapping.update_fields(self.log, record)
     self.assertEqual(record, wanted)
def write_cef_format(results):
    """Emit each result record to ``SIEM_LOGGER`` as a single CEF line.

    Arguments:
        results {list}: event records (dicts) to write
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        SIEM_LOGGER.info(line.strip())
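def write_keyvalue_format(results, siem_logger):
    """Write each result record as one ``key="value";``-separated line.

    The line starts with the record's ``rt`` value, followed by every
    key/value pair of the record. Values are escaped (see
    ``_escape_keyvalue``) so that event data containing a double quote or a
    line break cannot terminate a field early or split the record into a
    second log line.

    Arguments:
        results {list}: event records (dicts) to write
        siem_logger: logger whose ``info`` receives each formatted line
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        date = cleaned[u'rt']
        pairs = [
            '%s="%s";' % (key, _escape_keyvalue(value))
            for key, value in cleaned.items()
        ]
        siem_logger.info(' '.join([date] + pairs) + u'\n')


def _escape_keyvalue(value):
    """Return *value* as text safe to embed inside a double-quoted field.

    Double quotes are backslash-escaped so they cannot close the field, and
    CR/LF are replaced by a space so one record stays on one log line.
    Backslashes themselves are left alone to keep paths readable.
    """
    text = u'%s' % (value,)
    text = text.replace(u'"', u'\\"')
    return text.replace(u'\r', u' ').replace(u'\n', u' ')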
def write_json_format(results):
    """Emit each result record to ``SIEM_LOGGER`` as one JSON document per line.

    Arguments:
        results {list}: event records (dicts) to write
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # ensure_ascii=False keeps non-ASCII text as-is instead of \u escapes.
        payload = json.dumps(cleaned, ensure_ascii=False)
        SIEM_LOGGER.info(payload.strip())
 def testUpdateNameInvalid(self):
     """A known type whose ``name`` does not match the handler regex."""
     record = {
         "type": "Event::Endpoint::DataLossPreventionUserAllowed",
         "name": u"XXXX Garbage data XXXX",
     }
     snapshot = copy.copy(record)
     name_mapping.update_fields(self.log, record)
     # Exactly one line of error output is emitted when extraction bails ...
     self.assertEqual(len(self.output), 1)
     # ... and the record is left exactly as it was.
     self.assertEqual(record, snapshot)
 def testSkippedType(self):
     """An event type registered with a falsy handler is skipped: no change, no error."""
     # Pick the first type whose handler is falsy (i.e. marked to be ignored).
     skipped_type = next(
         (event_type
          for event_type, handler in name_mapping.TYPE_HANDLERS.items()
          if not handler),
         None,
     )
     record = {"type": skipped_type, "name": "some name"}
     snapshot = copy.copy(record)
     name_mapping.update_fields(self.log, record)
     self.assertEqual(len(self.output), 0)  # skipping is not an error
     self.assertEqual(record, snapshot)
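def write_keyvalue_format(results):
    """Write each result record to ``SIEM_LOGGER`` as one ``key="value";`` line.

    The line starts with the record's ``rt`` value, followed by every
    key/value pair of the record. Values are escaped (see
    ``_escape_keyvalue``) so that event data containing a double quote or a
    line break cannot terminate a field early or split the record into a
    second log line.

    Arguments:
        results {list}: event records (dicts) to write
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        date = cleaned[u"rt"]
        pairs = [
            '%s="%s";' % (key, _escape_keyvalue(value))
            for key, value in cleaned.items()
        ]
        SIEM_LOGGER.info(" ".join([date] + pairs).strip())


def _escape_keyvalue(value):
    """Return *value* as text safe to embed inside a double-quoted field.

    Double quotes are backslash-escaped so they cannot close the field, and
    CR/LF are replaced by a space so one record stays on one log line.
    Backslashes themselves are left alone to keep paths readable.
    """
    text = u"%s" % (value,)
    text = text.replace(u'"', u'\\"')
    return text.replace(u"\r", u" ").replace(u"\n", u" ")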
 def testUpdateNameThreatValid(self):
     """A threat event whose ``name`` matches gets the threat and file fields extracted."""
     record = {
         "type": "Event::Endpoint::Threat::CleanedUp",
         "name": u"Threat 'EICAR' in 'myfile.com' ",
     }
     wanted = {
         "type": "Event::Endpoint::Threat::CleanedUp",
         "name": u"EICAR",
         "filePath": "myfile.com",
         "detection_identity_name": "EICAR",
     }
     name_mapping.update_fields(self.log, record)
     self.assertTrue(contains(record, wanted))  # wanted pairs present in record
     self.assertEqual(len(self.output), 0)  # nothing reported as an error
def write_cef_format(results, siem_logger):
    """Emit each result record to *siem_logger* as one CEF line plus a newline.

    Arguments:
        results {list}: event records (dicts) to write
        siem_logger: logger whose ``info`` receives each formatted line
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        siem_logger.info(line + u'\n')
def write_json_format(results, siem_logger):
    """Emit each result record to *siem_logger* as one JSON document plus a newline.

    Arguments:
        results {list}: event records (dicts) to write
        siem_logger: logger whose ``info`` receives each formatted line
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # ensure_ascii=False keeps non-ASCII text as-is instead of \u escapes.
        payload = json.dumps(cleaned, ensure_ascii=False)
        siem_logger.info(payload + u'\n')
def write_cef_format(results):
    """Emit each result record to ``SIEM_LOGGER`` as one CEF line plus a newline.

    Arguments:
        results {list}: event records (dicts) to write
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        SIEM_LOGGER.info(line + u'\n')