def test_enrich_offense_with_events__all_events(self, mocker):
    """
    Check that FetchMode.all_events leaves the events query without an extra filter.

    Given:
        - The raw "fetch-incidents" offense and fetch mode FetchMode.all_events
    When:
        - enrich_offense_with_events is called with empty events columns and limit
    Then:
        - The second positional argument received by the patched
          perform_offense_events_enrichment is the empty string, i.e. no
          additional WHERE condition is passed along
    """
    qradar_client = QRadarClient("", {}, {"identifier": "*", "password": "******"})
    raw_offense = RAW_RESPONSES["fetch-incidents"]
    # Replace the enrichment step with a mock; only the arguments it receives
    # are inspected below.
    enrichment_stub = mocker.patch.object(
        QRadar_v2,
        "perform_offense_events_enrichment",
        return_value=raw_offense,
    )

    enrich_offense_with_events(qradar_client, raw_offense, FetchMode.all_events, "", "")

    # call_args unpacks into (positional args, keyword args).
    positional_args, _ = enrichment_stub.call_args
    assert positional_args[1] == ""
def test_enrich_offense_with_events__correlations(self, mocker):
    """
    Check that FetchMode.correlations_only narrows the events query.

    Given:
        - The raw "fetch-incidents" offense and fetch mode
          FetchMode.correlations_only
    When:
        - enrich_offense_with_events is called with empty events columns and limit
    Then:
        - The second positional argument received by the patched
          perform_offense_events_enrichment is the additional condition
          restricting events to the 'Custom Rule Engine' log source type
    """
    expected_filter = "AND LOGSOURCETYPENAME(devicetype) = 'Custom Rule Engine'"
    qradar_client = QRadarClient("", {}, {"identifier": "*", "password": "******"})
    raw_offense = RAW_RESPONSES["fetch-incidents"]
    # Replace the enrichment step with a mock; only the arguments it receives
    # are inspected below.
    enrichment_stub = mocker.patch.object(
        QRadar_v2,
        "perform_offense_events_enrichment",
        return_value=raw_offense,
    )

    enrich_offense_with_events(
        qradar_client,
        raw_offense,
        FetchMode.correlations_only,
        "",
        "",
    )

    # call_args unpacks into (positional args, keyword args).
    positional_args, _ = enrichment_stub.call_args
    assert positional_args[1] == expected_filter