def test_query_device_do_update_policy(monkeypatch):
_was_called = False
def _update_policy(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/device_actions"
assert body == {
"action_type": "UPDATE_POLICY",
"search": {
"query": "foobar",
"criteria": {},
"exclusions": {}
},
"options": {
"policy_id": 8675309
}
}
_was_called = True
return StubResponse(None, 204)
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_update_policy)
api.select(Device).where("foobar").update_policy(8675309)
assert _was_called
def test_query_device_invalid_sort_direction():
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
with pytest.raises(ApiError):
api.select(Device).sort_by("policy_name", "BOGUS")
def test_query_device_do_update_sensor_version(monkeypatch):
_was_called = False
def _update_sensor_version(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/device_actions"
assert body == {
"action_type": "UPDATE_SENSOR_VERSION",
"search": {
"query": "foobar",
"criteria": {},
"exclusions": {}
},
"options": {
"sensor_version": {
"RHEL": "2.3.4.5"
}
}
}
_was_called = True
return StubResponse(None, 204)
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_update_sensor_version)
api.select(Device).where("foobar").update_sensor_version(
{"RHEL": "2.3.4.5"})
assert _was_called
def test_query_vmwarealert_invalid_group_ids():
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
with pytest.raises(ApiError):
api.select(VMwareAlert).set_group_ids(["Bogus"])
def test_query_device_do_quarantine(monkeypatch):
_was_called = False
def _quarantine(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/device_actions"
assert body == {
"action_type": "QUARANTINE",
"search": {
"query": "foobar",
"criteria": {},
"exclusions": {}
},
"options": {
"toggle": "ON"
}
}
_was_called = True
return StubResponse(None, 204)
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_quarantine)
api.select(Device).where("foobar").quarantine(True)
assert _was_called
def test_query_watchlistalert_invalid_criteria_values():
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
with pytest.raises(ApiError):
api.select(WatchlistAlert).set_watchlist_ids([888])
with pytest.raises(ApiError):
api.select(WatchlistAlert).set_watchlist_names([69])
def test_alerts_bulk_dismiss_vmware(monkeypatch):
_was_called = False
def _do_dismiss(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/alerts/vmware/workflow/_criteria"
assert body == {
"query": "Blort",
"state": "DISMISSED",
"remediation_state": "Fixed",
"comment": "Yessir",
"criteria": {
"device_name": ["HAL9000"]
}
}
_was_called = True
return StubResponse({"request_id": "497ABX"})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_do_dismiss)
q = api.select(VMwareAlert).where("Blort").set_device_names(["HAL9000"])
reqid = q.dismiss("Fixed", "Yessir")
assert _was_called
assert reqid == "497ABX"
def test_load_workflow(monkeypatch):
_was_called = False
def _get_workflow(url, parms=None, default=None):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/workflow/status/497ABX"
_was_called = True
return {
"errors": [],
"failed_ids": [],
"id": "497ABX",
"num_hits": 0,
"num_success": 0,
"status": "QUEUED",
"workflow": {
"state": "DISMISSED",
"remediation": "Fixed",
"comment": "Yessir",
"changed_by": "Robocop",
"last_update_time": "2019-10-31T16:03:13.951Z"
}
}
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, GET=_get_workflow)
workflow = api.select(WorkflowStatus, "497ABX")
assert _was_called
assert workflow.id_ == "497ABX"
def test_query_device_invalid_criteria_values():
tests = [{
"method": "set_ad_group_ids",
"arg": ["Bogus"]
}, {
"method": "set_policy_ids",
"arg": ["Bogus"]
}, {
"method": "set_os",
"arg": ["COMMODORE_64"]
}, {
"method": "set_status",
"arg": ["Bogus"]
}, {
"method": "set_target_priorities",
"arg": ["Bogus"]
}, {
"method": "set_exclude_sensor_versions",
"arg": [12703]
}]
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
query = api.select(Device)
for t in tests:
meth = getattr(query, t["method"], None)
with pytest.raises(ApiError):
meth(t["arg"])
def test_query_device_download(monkeypatch):
_was_called = False
def _run_download(url, query_params, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/devices/_search/download"
assert query_params == {
"status": "ALL",
"ad_group_id": "14,25",
"policy_id": "8675309",
"target_priority": "HIGH",
"query_string": "foobar",
"sort_field": "name",
"sort_order": "DESC"
}
_was_called = True
return "123456789,123456789,123456789"
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, RAW_GET=_run_download)
rc = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_policy_ids([8675309]) \
.set_status(["ALL"]).set_target_priorities(["HIGH"]).sort_by("name", "DESC").download()
assert _was_called
assert rc == "123456789,123456789,123456789"
def test_query_watchlistalert_facets(monkeypatch):
_was_called = False
def _run_facet_query(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_facet"
assert body == {
"query": "Blort",
"criteria": {
"workflow": ["OPEN"]
},
"terms": {
"rows": 0,
"fields": ["REPUTATION", "STATUS"]
}
}
_was_called = True
return StubResponse({
"results": [{
"field": {},
"values": [{
"id": "reputation",
"name": "reputationX",
"total": 4
}]
}, {
"field": {},
"values": [{
"id": "status",
"name": "statusX",
"total": 9
}]
}]
})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_run_facet_query)
query = api.select(WatchlistAlert).where("Blort").set_workflows(["OPEN"])
f = query.facets(["REPUTATION", "STATUS"])
assert _was_called
assert f == [{
"field": {},
"values": [{
"id": "reputation",
"name": "reputationX",
"total": 4
}]
}, {
"field": {},
"values": [{
"id": "status",
"name": "statusX",
"total": 9
}]
}]
def test_query_device_do_uninstall_sensor(monkeypatch):
_was_called = False
def _uninstall_sensor(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/device_actions"
assert body == {
"action_type": "UNINSTALL_SENSOR",
"search": {
"query": "foobar",
"criteria": {},
"exclusions": {}
}
}
_was_called = True
return StubResponse(None, 204)
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_uninstall_sensor)
api.select(Device).where("foobar").uninstall_sensor()
assert _was_called
def test_query_device_invalid_last_contact_time_combinations():
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
with pytest.raises(ApiError):
api.select(Device).set_last_contact_time()
with pytest.raises(ApiError):
api.select(Device).set_last_contact_time(start="2019-09-30T12:34:56",
end="2019-10-01T12:00:12",
range="-3w")
with pytest.raises(ApiError):
api.select(Device).set_last_contact_time(start="2019-09-30T12:34:56",
range="-3w")
with pytest.raises(ApiError):
api.select(Device).set_last_contact_time(end="2019-10-01T12:00:12",
range="-3w")
def test_query_device_with_all_bells_and_whistles(monkeypatch):
_was_called = False
def _run_query(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/devices/_search"
assert body == {
"query": "foobar",
"criteria": {
"ad_group_id": [14, 25],
"os": ["LINUX"],
"policy_id": [8675309],
"status": ["ALL"],
"target_priority": ["HIGH"]
},
"exclusions": {
"sensor_version": ["0.1"]
},
"sort": [{
"field": "name",
"order": "DESC"
}]
}
_was_called = True
return StubResponse({
"results": [{
"id": 6023,
"organization_name": "thistestworks"
}],
"num_found":
1
})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_run_query)
query = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_os(["LINUX"]) \
.set_policy_ids([8675309]).set_status(["ALL"]).set_target_priorities(["HIGH"]) \
.set_exclude_sensor_versions(["0.1"]).sort_by("name", "DESC")
d = query.one()
assert _was_called
assert d.id == 6023
assert d.organization_name == "thistestworks"
def test_get_device(monkeypatch):
_was_called = False
def _get_device(url):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/devices/6023"
_was_called = True
return {"device_id": 6023, "organization_name": "thistestworks"}
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, GET=_get_device)
rc = api.select(Device, 6023)
assert _was_called
assert isinstance(rc, Device)
assert rc.device_id == 6023
assert rc.organization_name == "thistestworks"
def test_query_basealert_with_create_time_as_start_end(monkeypatch):
_was_called = False
def _run_query(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/alerts/_search"
assert body == {
"query": "Blort",
"criteria": {
"create_time": {
"start": "2019-09-30T12:34:56",
"end": "2019-10-01T12:00:12"
}
}
}
_was_called = True
return StubResponse({
"results": [{
"id": "S0L0",
"org_key": "Z100",
"threat_id": "B0RG",
"workflow": {
"state": "OPEN"
}
}],
"num_found":
1
})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_run_query)
query = api.select(BaseAlert).where("Blort").set_create_time(
start="2019-09-30T12:34:56", end="2019-10-01T12:00:12")
a = query.one()
assert _was_called
assert a.id == "S0L0"
assert a.org_key == "Z100"
assert a.threat_id == "B0RG"
assert a.workflow_.state == "OPEN"
def test_query_cbanalyticsalert_invalid_criteria_values():
tests = [{
"method": "set_blocked_threat_categories",
"arg": ["MINOR"]
}, {
"method": "set_device_locations",
"arg": ["NARNIA"]
}, {
"method": "set_kill_chain_statuses",
"arg": ["SPAWN_COPIES"]
}, {
"method": "set_not_blocked_threat_categories",
"arg": ["MINOR"]
}, {
"method": "set_policy_applied",
"arg": ["MAYBE"]
}, {
"method": "set_reason_code",
"arg": [55]
}, {
"method": "set_run_states",
"arg": ["MIGHT_HAVE"]
}, {
"method": "set_sensor_actions",
"arg": ["FLIP_A_COIN"]
}, {
"method": "set_threat_cause_vectors",
"arg": ["NETWORK"]
}]
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
query = api.select(CBAnalyticsAlert)
for t in tests:
meth = getattr(query, t["method"], None)
with pytest.raises(ApiError):
meth(t["arg"])
def test_query_device_with_last_contact_time_as_start_end(monkeypatch):
_was_called = False
def _run_query(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/devices/_search"
assert body == {
"query": "foobar",
"criteria": {
"last_contact_time": {
"start": "2019-09-30T12:34:56",
"end": "2019-10-01T12:00:12"
}
},
"exclusions": {}
}
_was_called = True
return StubResponse({
"results": [{
"id": 6023,
"organization_name": "thistestworks"
}],
"num_found":
1
})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_run_query)
query = api.select(Device).where("foobar") \
.set_last_contact_time(start="2019-09-30T12:34:56", end="2019-10-01T12:00:12")
d = query.one()
assert _was_called
assert d.id == 6023
assert d.organization_name == "thistestworks"
def test_query_basealert_invalid_criteria_values():
tests = [
{
"method": "set_categories",
"arg": ["DOUBLE_DARE"]
},
{
"method": "set_device_ids",
"arg": ["Bogus"]
},
{
"method": "set_device_names",
"arg": [42]
},
{
"method": "set_device_os",
"arg": ["TI994A"]
},
{
"method": "set_device_os_versions",
"arg": [8808]
},
{
"method": "set_device_username",
"arg": [-1]
},
{
"method": "set_alert_ids",
"arg": [9001]
},
{
"method": "set_legacy_alert_ids",
"arg": [9001]
},
{
"method": "set_policy_ids",
"arg": ["Bogus"]
},
{
"method": "set_policy_names",
"arg": [323]
},
{
"method": "set_process_names",
"arg": [7071]
},
{
"method": "set_process_sha256",
"arg": [123456789]
},
{
"method": "set_reputations",
"arg": ["MICROSOFT_FUDWARE"]
},
{
"method": "set_tags",
"arg": [-1]
},
{
"method": "set_target_priorities",
"arg": ["DOGWASH"]
},
{
"method": "set_threat_ids",
"arg": [4096]
},
{
"method": "set_types",
"arg": ["ERBOSOFT"]
},
{
"method": "set_workflows",
"arg": ["IN_LIMBO"]
},
]
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
query = api.select(BaseAlert)
for t in tests:
meth = getattr(query, t["method"], None)
with pytest.raises(ApiError):
meth(t["arg"])
def test_query_basealert_with_all_bells_and_whistles(monkeypatch):
_was_called = False
def _run_query(url, body, **kwargs):
nonlocal _was_called
assert url == "/appservices/v6/orgs/Z100/alerts/_search"
assert body == {
"query": "Blort",
"criteria": {
"category": ["SERIOUS", "CRITICAL"],
"device_id": [6023],
"device_name": ["HAL"],
"device_os": ["LINUX"],
"device_os_version": ["0.1.2"],
"device_username": ["JRN"],
"group_results": True,
"id": ["S0L0"],
"legacy_alert_id": ["S0L0_1"],
"minimum_severity": 6,
"policy_id": [8675309],
"policy_name": ["Strict"],
"process_name": ["IEXPLORE.EXE"],
"process_sha256": ["0123456789ABCDEF0123456789ABCDEF"],
"reputation": ["SUSPECT_MALWARE"],
"tag": ["Frood"],
"target_value": ["HIGH"],
"threat_id": ["B0RG"],
"type": ["WATCHLIST"],
"workflow": ["OPEN"]
},
"sort": [{
"field": "name",
"order": "DESC"
}]
}
_was_called = True
return StubResponse({
"results": [{
"id": "S0L0",
"org_key": "Z100",
"threat_id": "B0RG",
"workflow": {
"state": "OPEN"
}
}],
"num_found":
1
})
api = CbPSCBaseAPI(url="https://example.com",
token="ABCD/1234",
org_key="Z100",
ssl_verify=True)
patch_cbapi(monkeypatch, api, POST=_run_query)
query = api.select(BaseAlert).where("Blort").set_categories(["SERIOUS", "CRITICAL"]).set_device_ids([6023]) \
.set_device_names(["HAL"]).set_device_os(["LINUX"]).set_device_os_versions(["0.1.2"]) \
.set_device_username(["JRN"]).set_group_results(True).set_alert_ids(["S0L0"]) \
.set_legacy_alert_ids(["S0L0_1"]).set_minimum_severity(6).set_policy_ids([8675309]) \
.set_policy_names(["Strict"]).set_process_names(["IEXPLORE.EXE"]) \
.set_process_sha256(["0123456789ABCDEF0123456789ABCDEF"]).set_reputations(["SUSPECT_MALWARE"]) \
.set_tags(["Frood"]).set_target_priorities(["HIGH"]).set_threat_ids(["B0RG"]).set_types(["WATCHLIST"]) \
.set_workflows(["OPEN"]).sort_by("name", "DESC")
a = query.one()
assert _was_called
assert a.id == "S0L0"
assert a.org_key == "Z100"
assert a.threat_id == "B0RG"
assert a.workflow_.state == "OPEN"