def testInvalidType(self):
    """An unrecognised event type leaves the record untouched and logs nothing."""
    data = {"type": "<<Garbage>>", "name": "some name"}
    snapshot = dict(data)
    name_mapping.update_fields(self.log, data)
    # An unknown type is silently ignored: no diagnostic line is emitted ...
    self.assertEqual(len(self.output), 0)
    # ... and the record is left exactly as it was.
    self.assertEqual(data, snapshot)
def testUpdateNameDLPValid(self):
    """DLP event whose free-text name can be parsed into structured fields."""
    data = {
        "type": "Event::Endpoint::DataLossPreventionUserAllowed",
        "name": u"An \u2033allow transfer on acceptance by user\u2033 action was taken. "
        u"Username: WIN10CLOUD2\\Sophos Rule names: \u2032test\u2032 User action: File open "
        u"Application Name: Google Chrome Data Control action: Allow "
        u"File type: Plain text (ASCII/UTF-8) File size: 36 "
        u"Source path: C:\\Users\\Sophos\\Desktop\\test.txt",
    }
    # The fields the mapping is expected to extract from the name above.
    # Note that the username is expected to come back masked, not verbatim.
    expected = {
        "type": "Event::Endpoint::DataLossPreventionUserAllowed",
        "name": "allow transfer on acceptance by user",
        "user": "******",
        "rule": "test",
        "user_action": "File open",
        "app_name": "Google Chrome",
        "action": "Allow",
        "file_type": "Plain text (ASCII/UTF-8)",
        "file_size": "36",
        "file_path": "C:\\Users\\Sophos\\Desktop\\test.txt",
    }
    name_mapping.update_fields(self.log, data)
    # Every expected key/value pair must be present; extra keys in data are fine.
    missing = [item for item in expected.items() if item not in data.items()]
    self.assertTrue(not missing)
    # A successful extraction produces no diagnostic output.
    self.assertEqual(len(self.output), 0)
def testUpdateNameFromDescription(self):
    """When a description is present it is copied into the name field."""
    data = {"type": "", "description": "XXX"}
    # Same record, plus the name the mapping should derive from the description.
    expected = dict(data, name="XXX")
    name_mapping.update_fields(self.log, data)
    self.assertEqual(data, expected)
def write_cef_format(results):
    """Write CEF format data.

    Each result is cleaned of null values, has its name-derived fields
    filled in, and is then emitted as one flattened CEF line on SIEM_LOGGER.

    Arguments:
        results {list}: data
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        # Trailing whitespace is dropped so the logger controls line termination.
        SIEM_LOGGER.info(line.strip())
def write_keyvalue_format(results, siem_logger):
    """Write each result as one ``key="value";`` line to *siem_logger*.

    Arguments:
        results {list}: data
        siem_logger: logger that receives one record per info() call
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # The record's timestamp leads the line; KeyError if 'rt' is absent.
        timestamp = cleaned[u'rt']
        # NOTE(review): values are written verbatim. A double quote, semicolon
        # or newline inside a value (file paths, rule names and user names come
        # from the endpoint event) can end the field or split the record early;
        # any escaping scheme has to be agreed with the consuming parser first.
        pairs = ['%s="%s";' % (key, value) for key, value in cleaned.items()]
        siem_logger.info(' '.join([timestamp] + pairs) + u'\n')
def write_json_format(results):
    """Write JSON format data.

    Each result is cleaned of null values, normalised to CEF key names,
    enriched from its name, and emitted as one JSON document on SIEM_LOGGER.

    Arguments:
        results {list}: data
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # ensure_ascii=False keeps non-ASCII text readable instead of \u-escaped.
        document = json.dumps(cleaned, ensure_ascii=False)
        SIEM_LOGGER.info(document.strip())
def testUpdateNameInvalid(self):
    """Known type whose name does not match the extraction regex."""
    data = {
        "type": "Event::Endpoint::DataLossPreventionUserAllowed",
        "name": u"XXXX Garbage data XXXX",
    }
    snapshot = copy.copy(data)
    name_mapping.update_fields(self.log, data)
    # The mismatch is reported as exactly one line of output ...
    self.assertEqual(len(self.output), 1)
    # ... and the record is left untouched rather than partially updated.
    self.assertEqual(data, snapshot)
def testSkippedType(self):
    """Ensure that entry is skipped if it's to be ignored."""
    # Pick the first registered type whose handler is falsy (set to None);
    # falls back to None if no such type exists.
    toskip = next(
        (kind for kind, handler in name_mapping.TYPE_HANDLERS.items() if not handler),
        None,
    )
    data = {"type": toskip, "name": "some name"}
    snapshot = copy.copy(data)
    name_mapping.update_fields(self.log, data)
    # Skipping is deliberate, so it must not be reported as an error ...
    self.assertEqual(len(self.output), 0)
    # ... and the record must be left unchanged.
    self.assertEqual(data, snapshot)
def write_keyvalue_format(results):
    """Write key value format data.

    Each result becomes one line of ``key="value";`` pairs, prefixed with
    the record's timestamp, on SIEM_LOGGER.

    Arguments:
        results {dict}: results
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # The record's timestamp leads the line; KeyError if 'rt' is absent.
        timestamp = cleaned[u"rt"]
        # NOTE(review): values are written verbatim. A double quote, semicolon
        # or newline inside a value (file paths, rule names and user names come
        # from the endpoint event) can end the field or split the record early;
        # any escaping scheme has to be agreed with the consuming parser first.
        pairs = ['%s="%s";' % (key, value) for key, value in cleaned.items()]
        SIEM_LOGGER.info(" ".join([timestamp] + pairs).strip())
def testUpdateNameThreatValid(self):
    """Threat event whose name yields a detection name and a file path."""
    data = {
        "type": "Event::Endpoint::Threat::CleanedUp",
        "name": u"Threat 'EICAR' in 'myfile.com' ",
    }
    # Fields the mapping is expected to derive from the quoted parts of the name.
    expected = {
        "type": "Event::Endpoint::Threat::CleanedUp",
        "name": u"EICAR",
        "filePath": "myfile.com",
        "detection_identity_name": "EICAR",
    }
    name_mapping.update_fields(self.log, data)
    # All expected fields present ...
    self.assertTrue(contains(data, expected))
    # ... and nothing was reported as an error.
    self.assertEqual(len(self.output), 0)
def write_cef_format(results, siem_logger):
    """Write each result as one newline-terminated CEF line to *siem_logger*.

    Arguments:
        results {list}: data
        siem_logger: logger that receives one record per info() call
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        siem_logger.info(line + u'\n')
def write_json_format(results, siem_logger):
    """Write each result as one newline-terminated JSON document to *siem_logger*.

    Arguments:
        results {list}: data
        siem_logger: logger that receives one record per info() call
    """
    for record in results:
        cleaned = remove_null_values(record)
        update_cef_keys(cleaned)
        name_mapping.update_fields(log, cleaned)
        # ensure_ascii=False keeps non-ASCII text readable instead of \u-escaped.
        document = json.dumps(cleaned, ensure_ascii=False)
        siem_logger.info(document + u'\n')
def write_cef_format(results):
    """Write each result as one newline-terminated CEF line on SIEM_LOGGER.

    Arguments:
        results {list}: data
    """
    for record in results:
        cleaned = remove_null_values(record)
        name_mapping.update_fields(log, cleaned)
        line = format_cef(flatten_json(cleaned))
        SIEM_LOGGER.info(line + u'\n')