def test_search_and_send_to_when_given_begin_and_end_date_and_time_uses_expected_query( runner, cli_state, command, search_all_file_events_success): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) time = "15:33:02" runner.invoke( cli, [ *command, "--begin", f"{begin_date} {time}", "--end", f"{end_date} {time}" ], obj=cli_state, ) query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0] query_dict = dict(query) actual_begin = query_dict["groups"][1]["filters"][0]["value"] expected_begin = f"{begin_date}T{time}.000Z" actual_end = query_dict["groups"][1]["filters"][1]["value"] expected_end = f"{end_date}T{time}.000Z" assert actual_begin == expected_begin assert actual_end == expected_end
def test_send_to_when_given_begin_and_end_date_and_times_uses_expected_query( cli_state, alert_extractor, runner ): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) time = "15:33:02" runner.invoke( cli, [ "alerts", "search", "--begin", "{} {}".format(begin_date, time), "--end", "{} {}".format(end_date, time), ], obj=cli_state, ) filters = alert_extractor.extract.call_args[0][0] actual_begin = get_filter_value_from_json(filters, filter_index=0) expected_begin = "{}T{}.000Z".format(begin_date, time) actual_end = get_filter_value_from_json(filters, filter_index=1) expected_end = "{}T{}.000Z".format(end_date, time) assert actual_begin == expected_begin assert actual_end == expected_end
def test_send_to_when_end_date_is_before_begin_date_causes_exit(cli_state, runner): begin_date = get_test_date_str(days_ago=1) end_date = get_test_date_str(days_ago=3) result = runner.invoke( cli, ["alerts", "send-to", "0.0.0.0", "--begin", begin_date, "--end", end_date], obj=cli_state, ) assert result.exit_code == 2 assert "'--begin': cannot be after --end date" in result.output
def test_search_when_end_date_is_before_begin_date_causes_exit( runner, cli_state): begin_date = get_test_date_str(days_ago=1) end_date = get_test_date_str(days_ago=3) result = runner.invoke( cli, ["security-data", "search", "--begin", begin_date, "--end", end_date], obj=cli_state, ) assert result.exit_code == 2 assert "'--begin': cannot be after --end date" in result.output
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query( cli_state, alert_extractor, runner, command): begin_date = get_test_date_str(days_ago=10) end_date = get_test_date_str(days_ago=1) time = "15:33" runner.invoke( cli, [*command, "--begin", begin_date, "--end", f"{end_date} {time}"], obj=cli_state, ) actual = get_filter_value_from_json( alert_extractor.extract.call_args[0][0], filter_index=1) expected = f"{end_date}T{time}:00.000Z" assert actual == expected
def test_command_when_given_begin_and_end_dates_uses_expected_query( runner, cli_state, file_event_extractor, command): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) runner.invoke( cli, command, obj=cli_state, ) filters = file_event_extractor.extract.call_args[0][1] actual_begin = get_filter_value_from_json(filters, filter_index=0) expected_begin = "{}T00:00:00.000Z".format(begin_date) actual_end = get_filter_value_from_json(filters, filter_index=1) expected_end = "{}T23:59:59.999Z".format(end_date) assert actual_begin == expected_begin assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_more_than_ninety_days_back_errors( cli_state, runner, command): begin_date = get_test_date_str(days_ago=91) + " 12:51:00" result = runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state) assert "must be within 90 days" in result.output assert result.exit_code == 2
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query( cli_state, runner, command, search_all_alerts_success ): begin_date = get_test_date_str(days_ago=10) end_date = get_test_date_str(days_ago=1) time = "15:33" runner.invoke( cli, [*command, "--begin", begin_date, "--end", f"{end_date} {time}"], obj=cli_state, ) query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0] query_dict = dict(query) actual = query_dict["groups"][0]["filters"][1]["value"] expected = f"{end_date}T{time}:00.000000Z" assert actual == expected
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query( cli_state, alert_extractor, runner, command ): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) runner.invoke( cli, [*command, "--begin", begin_date, "--end", end_date], obj=cli_state, ) filters = alert_extractor.extract.call_args[0][0] actual_begin = get_filter_value_from_json(filters, filter_index=0) expected_begin = "{}T00:00:00.000Z".format(begin_date) actual_end = get_filter_value_from_json(filters, filter_index=1) expected_end = "{}T23:59:59.999Z".format(end_date) assert actual_begin == expected_begin assert actual_end == expected_end
def test_send_to_when_given_begin_date_more_than_ninety_days_back_errors( cli_state, runner ): begin_date = get_test_date_str(days_ago=91) + " 12:51:00" result = runner.invoke( cli, ["alerts", "send-to", "0.0.0.0", "--begin", begin_date], obj=cli_state ) assert "must be within 90 days" in result.output
def test_search_and_send_to_when_given_end_date_and_time_uses_expected_query( runner, cli_state, file_event_extractor, command): begin_date = get_test_date_str(days_ago=10) end_date = get_test_date_str(days_ago=1) time = "15:33" runner.invoke( cli, [ *command, "--begin", begin_date, "--end", "{} {}".format( end_date, time) ], obj=cli_state, ) actual = get_filter_value_from_json( file_event_extractor.extract.call_args[0][1], filter_index=1) expected = "{}T{}:00.000Z".format(end_date, time) assert actual == expected
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date( cli_state, alert_extractor, runner, command): begin_date = get_test_date_str(days_ago=1) runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state) actual_ts = get_filter_value_from_json( alert_extractor.extract.call_args[0][0], filter_index=0) expected_ts = f"{begin_date}T00:00:00.000Z" assert actual_ts == expected_ts assert filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter( cli_state, alert_cursor_with_checkpoint, alert_extractor, runner ): begin_date = get_test_date_str(days_ago=91) + " 12:51:00" runner.invoke( cli, ["alerts", "search", "--begin", begin_date, "--use-checkpoint", "test"], obj=cli_state, ) assert not filter_term_is_in_call_args(alert_extractor, f.DateObserved._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date( runner, cli_state, file_event_extractor, command): begin_date = get_test_date_str(days_ago=1) runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state) actual_ts = get_filter_value_from_json( file_event_extractor.extract.call_args[0][1], filter_index=0) expected_ts = "{}T00:00:00.000Z".format(begin_date) assert actual_ts == expected_ts assert filter_term_is_in_call_args(file_event_extractor, f.EventTimestamp._term)
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date( runner, cli_state, command, search_all_file_events_success): begin_date = get_test_date_str(days_ago=1) runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state) query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0] query_dict = dict(query) actual_ts = query_dict["groups"][1]["filters"][0]["value"] expected_ts = f"{begin_date}T00:00:00.000Z" assert actual_ts == expected_ts assert filter_term_is_in_call_args(query._filter_group_list, f.EventTimestamp._term)
def test_search_when_given_begin_and_end_date_and_times_uses_expected_query( cli_state, alert_extractor, runner, command): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) time = "15:33:02" runner.invoke( cli, [ *command, "--begin", f"{begin_date} {time}", "--end", f"{end_date} {time}" ], obj=cli_state, ) filters = alert_extractor.extract.call_args[0][0] actual_begin = get_filter_value_from_json(filters, filter_index=0) expected_begin = f"{begin_date}T{time}.000Z" actual_end = get_filter_value_from_json(filters, filter_index=1) expected_end = f"{end_date}T{time}.000Z" assert actual_begin == expected_begin assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter( runner, cli_state, file_event_cursor_with_checkpoint, file_event_extractor, command): begin_date = get_test_date_str(days_ago=91) + " 12:51:00" runner.invoke( cli, [*command, "--begin", begin_date, "--use-checkpoint", "test"], obj=cli_state, ) assert not filter_term_is_in_call_args(file_event_extractor, f.InsertionTimestamp._term)
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query( cli_state, runner, command, search_all_alerts_success ): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) runner.invoke( cli, [*command, "--begin", begin_date, "--end", end_date], obj=cli_state, ) query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0] query_dict = dict(query) actual_begin = query_dict["groups"][0]["filters"][0]["value"] expected_begin = f"{begin_date}T00:00:00.000000Z" actual_end = query_dict["groups"][0]["filters"][1]["value"] expected_end = f"{end_date}T23:59:59.999999Z" assert actual_begin == expected_begin assert actual_end == expected_end
def test_search_when_given_begin_date_and_time_without_seconds_uses_expected_query( cli_state, alert_extractor, runner, command ): date = get_test_date_str(days_ago=89) time = "15:33" runner.invoke(cli, [*command, "--begin", "{} {}".format(date, time)], obj=cli_state) actual = get_filter_value_from_json( alert_extractor.extract.call_args[0][0], filter_index=0 ) expected = "{}T{}:00.000Z".format(date, time) assert actual == expected
def test_search_and_send_to_with_or_query_flag_produces_expected_query( runner, cli_state, command, search_all_alerts_success ): begin_date = get_test_date_str(days_ago=10) test_actor = "*****@*****.**" test_rule_type = "FedEndpointExfiltration" runner.invoke( cli, [ *command, "--or-query", "--begin", begin_date, "--actor", test_actor, "--rule-type", test_rule_type, ], obj=cli_state, ) expected_query = { "tenantId": None, "groupClause": "AND", "groups": [ { "filterClause": "AND", "filters": [ { "operator": "ON_OR_AFTER", "term": "createdAt", "value": f"{begin_date}T00:00:00.000000Z", } ], }, { "filterClause": "OR", "filters": [ {"operator": "IS", "term": "actor", "value": "*****@*****.**"}, { "operator": "IS", "term": "type", "value": "FedEndpointExfiltration", }, ], }, ], "pgNum": 0, "pgSize": 25, "srtDirection": "asc", "srtKey": "CreatedAt", } query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0] actual_query = dict(query) assert actual_query == expected_query
def test_search_and_send_to_when_given_begin_date_and_not_use_checkpoint_and_cursor_exists_uses_begin_date( cli_state, runner, command, search_all_alerts_success ): begin_date = get_test_date_str(days_ago=1) runner.invoke(cli, [*command, "--begin", begin_date], obj=cli_state) query = cli_state.sdk.alerts.get_all_alert_details.call_args[0][0] query_dict = dict(query) actual_ts = query_dict["groups"][0]["filters"][0]["value"] expected_ts = f"{begin_date}T00:00:00.000000Z" assert actual_ts == expected_ts assert filter_term_is_in_call_args(query, f.DateObserved._term)
def test_search_with_or_query_flag_produces_expected_query(runner, cli_state): begin_date = get_test_date_str(days_ago=10) test_actor = "*****@*****.**" test_rule_type = "FedEndpointExfiltration" runner.invoke( cli, [ "alerts", "search", "--or-query", "--begin", begin_date, "--actor", test_actor, "--rule-type", test_rule_type, ], obj=cli_state, ) expected_query = { "tenantId": None, "groupClause": "AND", "groups": [ { "filterClause": "AND", "filters": [ { "operator": "ON_OR_AFTER", "term": "createdAt", "value": "{}T00:00:00.000Z".format(begin_date), } ], }, { "filterClause": "OR", "filters": [ {"operator": "IS", "term": "actor", "value": "*****@*****.**"}, { "operator": "IS", "term": "type", "value": "FedEndpointExfiltration", }, ], }, ], "pgNum": 0, "pgSize": 500, "srtDirection": "asc", "srtKey": "CreatedAt", } actual_query = json.loads(str(cli_state.sdk.alerts.search.call_args[0][0])) assert actual_query == expected_query
def test_search_and_send_to_when_given_begin_and_end_dates_uses_expected_query( runner, cli_state, file_event_extractor, command): begin_date = get_test_date_str(days_ago=89) end_date = get_test_date_str(days_ago=1) runner.invoke( cli, [ *command, "--begin", get_test_date_str(days_ago=89), "--end", get_test_date_str(days_ago=1), ], obj=cli_state, ) filters = file_event_extractor.extract.call_args[0][1] actual_begin = get_filter_value_from_json(filters, filter_index=0) expected_begin = f"{begin_date}T00:00:00.000Z" actual_end = get_filter_value_from_json(filters, filter_index=1) expected_end = f"{end_date}T23:59:59.999Z" assert actual_begin == expected_begin assert actual_end == expected_end
def test_search_and_send_to_when_given_begin_date_and_time_without_seconds_uses_expected_query( runner, cli_state, file_event_extractor, command): date = get_test_date_str(days_ago=89) time = "15:33" runner.invoke( cli, [*command, "--begin", f"{date} {time}"], obj=cli_state, ) actual = get_filter_value_from_json( file_event_extractor.extract.call_args[0][1], filter_index=0) expected = f"{date}T{time}:00.000Z" assert actual == expected
def test_search_when_given_end_date_and_time_uses_expected_query( cli_state, alert_extractor, runner ): begin_date = get_test_date_str(days_ago=10) end_date = get_test_date_str(days_ago=1) time = "15:33" runner.invoke( cli, [ "alerts", "search", "--begin", begin_date, "--end", "{} {}".format(end_date, time), ], obj=cli_state, ) actual = get_filter_value_from_json( alert_extractor.extract.call_args[0][0], filter_index=1 ) expected = "{}T{}:00.000Z".format(end_date, time) assert actual == expected
def test_search_and_send_to_when_given_begin_date_past_90_days_and_use_checkpoint_and_a_stored_cursor_exists_and_not_given_end_date_does_not_use_any_event_timestamp_filter( runner, cli_state, file_event_cursor_with_eventid_checkpoint, command, search_all_file_events_success, ): begin_date = get_test_date_str(days_ago=91) + " 12:51:00" runner.invoke( cli, [*command, "--begin", begin_date, "--use-checkpoint", "test"], obj=cli_state, ) query = cli_state.sdk.securitydata.search_all_file_events.call_args[0][0] assert not filter_term_is_in_call_args(query._filter_group_list, f.InsertionTimestamp._term)
def test_search_with_or_query_flag_produces_expected_query(runner, cli_state): begin_date = get_test_date_str(days_ago=10) test_username = "******" test_filename = "test.txt" runner.invoke( cli, [ "security-data", "search", "--or-query", "--begin", begin_date, "--c42-username", test_username, "--file-name", test_filename, ], obj=cli_state, ) expected_query = { "groupClause": "AND", "groups": [ { "filterClause": "AND", "filters": [ { "operator": "EXISTS", "term": "exposure", "value": None }, { "operator": "ON_OR_AFTER", "term": "eventTimestamp", "value": "{}T00:00:00.000Z".format(begin_date), }, ], }, { "filterClause": "OR", "filters": [ { "operator": "IS", "term": "deviceUserName", "value": "*****@*****.**", }, { "operator": "IS", "term": "fileName", "value": "test.txt" }, ], }, ], "pgNum": 1, "pgSize": 10000, "srtDir": "asc", "srtKey": "insertionTimestamp", } actual_query = json.loads( str(cli_state.sdk.securitydata.search_file_events.call_args[0][0])) assert actual_query == expected_query
["security-data", "search", "--saved-search", "test_id", *arg], obj=cli_state, ) assert result.exit_code == 2 assert "{} can't be used with: --saved-search".format( arg[0]) in result.output @pytest.mark.parametrize( "command", ( [ "security-data", "search", "--begin", get_test_date_str(days_ago=89), "--end", get_test_date_str(days_ago=1), ], [ "security-data", "send-to", "0.0.0.0", "--begin", get_test_date_str(days_ago=89), "--end", get_test_date_str(days_ago=1), ], ), ) def test_command_when_given_begin_and_end_dates_uses_expected_query(