def test_query_device_do_quarantine(monkeypatch): _was_called = False def _quarantine(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/device_actions" assert body == { "action_type": "QUARANTINE", "search": { "query": "foobar", "criteria": {}, "exclusions": {} }, "options": { "toggle": "ON" } } _was_called = True return StubResponse(None, 204) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_quarantine) api.select(Device).where("foobar").quarantine(True) assert _was_called
def test_query_device_do_update_policy(monkeypatch): _was_called = False def _update_policy(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/device_actions" assert body == { "action_type": "UPDATE_POLICY", "search": { "query": "foobar", "criteria": {}, "exclusions": {} }, "options": { "policy_id": 8675309 } } _was_called = True return StubResponse(None, 204) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_update_policy) api.select(Device).where("foobar").update_policy(8675309) assert _was_called
def test_query_device_do_update_sensor_version(monkeypatch): _was_called = False def _update_sensor_version(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/device_actions" assert body == { "action_type": "UPDATE_SENSOR_VERSION", "search": { "query": "foobar", "criteria": {}, "exclusions": {} }, "options": { "sensor_version": { "RHEL": "2.3.4.5" } } } _was_called = True return StubResponse(None, 204) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_update_sensor_version) api.select(Device).where("foobar").update_sensor_version( {"RHEL": "2.3.4.5"}) assert _was_called
def test_query_watchlistalert_invalid_criteria_values(): api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) with pytest.raises(ApiError): api.select(WatchlistAlert).set_watchlist_ids([888]) with pytest.raises(ApiError): api.select(WatchlistAlert).set_watchlist_names([69])
def test_query_device_invalid_sort_direction(): api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) with pytest.raises(ApiError): api.select(Device).sort_by("policy_name", "BOGUS")
def test_query_basealert_invalid_criteria_values(): tests = [ {"method": "set_categories", "arg": ["DOUBLE_DARE"]}, {"method": "set_device_ids", "arg": ["Bogus"]}, {"method": "set_device_names", "arg": [42]}, {"method": "set_device_os", "arg": ["TI994A"]}, {"method": "set_device_os_versions", "arg": [8808]}, {"method": "set_device_username", "arg": [-1]}, {"method": "set_alert_ids", "arg": [9001]}, {"method": "set_legacy_alert_ids", "arg": [9001]}, {"method": "set_policy_ids", "arg": ["Bogus"]}, {"method": "set_policy_names", "arg": [323]}, {"method": "set_process_names", "arg": [7071]}, {"method": "set_process_sha256", "arg": [123456789]}, {"method": "set_reputations", "arg": ["MICROSOFT_FUDWARE"]}, {"method": "set_tags", "arg": [-1]}, {"method": "set_target_priorities", "arg": ["DOGWASH"]}, {"method": "set_threat_ids", "arg": [4096]}, {"method": "set_types", "arg": ["ERBOSOFT"]}, {"method": "set_workflows", "arg": ["IN_LIMBO"]}, ] api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) query = api.select(BaseAlert) for t in tests: meth = getattr(query, t["method"], None) with pytest.raises(ApiError): meth(t["arg"])
def test_alerts_bulk_dismiss_vmware(monkeypatch): """Test dismissing a batch of VMware alerts.""" _was_called = False def _do_dismiss(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/cbanalytics/workflow/_criteria" assert body == { "query": "Blort", "state": "DISMISSED", "remediation_state": "Fixed", "comment": "Yessir", "criteria": { "device_name": ["HAL9000"] } } _was_called = True return StubResponse({"request_id": "497ABX"}) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, POST=_do_dismiss) q = api.select(CBAnalyticsAlert).where("Blort").set_device_names( ["HAL9000"]) reqid = q.dismiss("Fixed", "Yessir") assert _was_called assert reqid == "497ABX"
def test_load_workflow(monkeypatch): """Test loading a workflow status.""" _was_called = False def _get_workflow(url, parms=None, default=None): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/workflow/status/497ABX" _was_called = True return { "errors": [], "failed_ids": [], "id": "497ABX", "num_hits": 0, "num_success": 0, "status": "QUEUED", "workflow": { "state": "DISMISSED", "remediation": "Fixed", "comment": "Yessir", "changed_by": "Robocop", "last_update_time": "2019-10-31T16:03:13.951Z" } } api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, GET=_get_workflow) workflow = api.select(WorkflowStatus, "497ABX") assert _was_called assert workflow.id_ == "497ABX"
def test_query_device_download(monkeypatch): _was_called = False def _run_download(url, query_params, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/devices/_search/download" assert query_params == { "status": "ALL", "ad_group_id": "14,25", "policy_id": "8675309", "target_priority": "HIGH", "query_string": "foobar", "sort_field": "name", "sort_order": "DESC" } _was_called = True return "123456789,123456789,123456789" api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, RAW_GET=_run_download) rc = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_policy_ids([8675309]) \ .set_status(["ALL"]).set_target_priorities(["HIGH"]).sort_by("name", "DESC").download() assert _was_called assert rc == "123456789,123456789,123456789"
def test_query_device_invalid_criteria_values(): tests = [{ "method": "set_ad_group_ids", "arg": ["Bogus"] }, { "method": "set_policy_ids", "arg": ["Bogus"] }, { "method": "set_os", "arg": ["COMMODORE_64"] }, { "method": "set_status", "arg": ["Bogus"] }, { "method": "set_target_priorities", "arg": ["Bogus"] }, { "method": "set_exclude_sensor_versions", "arg": [12703] }] api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) query = api.select(Device) for t in tests: meth = getattr(query, t["method"], None) with pytest.raises(ApiError): meth(t["arg"])
def test_query_watchlistalert_facets(monkeypatch): """Test a watchlist alert facet query.""" _was_called = False def _run_facet_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_facet" assert body == { "query": "Blort", "criteria": { "workflow": ["OPEN"] }, "terms": { "rows": 0, "fields": ["REPUTATION", "STATUS"] }, "rows": 100 } _was_called = True return StubResponse({ "results": [{ "field": {}, "values": [{ "id": "reputation", "name": "reputationX", "total": 4 }] }, { "field": {}, "values": [{ "id": "status", "name": "statusX", "total": 9 }] }] }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, POST=_run_facet_query) query = api.select(WatchlistAlert).where("Blort").set_workflows(["OPEN"]) f = query.facets(["REPUTATION", "STATUS"]) assert _was_called assert f == [{ "field": {}, "values": [{ "id": "reputation", "name": "reputationX", "total": 4 }] }, { "field": {}, "values": [{ "id": "status", "name": "statusX", "total": 9 }] }]
def test_query_basealert_facets(monkeypatch): _was_called = False def _run_facet_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/_facet" assert body["query"] == "Blort" t = body["criteria"] assert t["workflow"] == ["OPEN"] t = body["terms"] assert t["rows"] == 0 assert t["fields"] == ["REPUTATION", "STATUS"] _was_called = True return StubResponse({"results": [{"field": {}, "values": [{"id": "reputation", "name": "reputationX", "total": 4}]}, {"field": {}, "values": [{"id": "status", "name": "statusX", "total": 9}]}]}) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_run_facet_query) query = api.select(BaseAlert).where("Blort").set_workflows(["OPEN"]) f = query.facets(["REPUTATION", "STATUS"]) assert _was_called assert f == [{"field": {}, "values": [{"id": "reputation", "name": "reputationX", "total": 4}]}, {"field": {}, "values": [{"id": "status", "name": "statusX", "total": 9}]}]
def test_query_basealert_invalid_create_time_combinations(): api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) with pytest.raises(ApiError): api.select(BaseAlert).set_create_time() with pytest.raises(ApiError): api.select(BaseAlert).set_create_time(start="2019-09-30T12:34:56", end="2019-10-01T12:00:12", range="-3w") with pytest.raises(ApiError): api.select(BaseAlert).set_create_time(start="2019-09-30T12:34:56", range="-3w") with pytest.raises(ApiError): api.select(BaseAlert).set_create_time(end="2019-10-01T12:00:12", range="-3w")
def test_query_devicecontrolalert_invalid_criteria_values(method, arg): """Test invalid values being supplied to DeviceControl alert queries.""" api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) query = api.select(DeviceControlAlert) meth = getattr(query, method, None) with pytest.raises(ApiError): meth(arg)
def test_simple_query(monkeypatch): """Test SimpleQuery methods using a FeedQuery for API calls""" _was_called = False def _get_results(url, **kwargs): nonlocal _was_called assert url == "/threathunter/feedmgr/v2/orgs/WNEX/feeds" _was_called = True return { "results": [{ "name": "My Feed", "owner": "WNEX", "provider_url": "https://exampleprovider.com", "summary": "this is the summary", "category": "this is the category", "source_label": None, "access": "public", "id": "my_feed_id" }] } api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="WNEX", ssl_verify=True) patch_cbapi(monkeypatch, api, GET=_get_results) feed = api.select(Feed).where(include_public=True) assert isinstance(feed, SimpleQuery) assert isinstance(feed, FeedQuery) results = feed.results assert isinstance(results, list) assert isinstance(results[0], Feed) assert results[0].id == "my_feed_id" assert results[0].name == "My Feed" assert _was_called simpleQuery = SimpleQuery(Feed, api) assert simpleQuery._doc_class == Feed assert str( simpleQuery._urlobject) == "/threathunter/feedmgr/v2/orgs/{}/feeds" assert isinstance(simpleQuery, SimpleQuery) assert simpleQuery._cb == api assert simpleQuery._results == [] assert simpleQuery._query == {} clonedSimple = simpleQuery._clone() assert clonedSimple._cb == simpleQuery._cb assert clonedSimple._results == simpleQuery._results assert clonedSimple._query == simpleQuery._query
def test_query_device_do_uninstall_sensor(monkeypatch): _was_called = False def _uninstall_sensor(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/device_actions" assert body == { "action_type": "UNINSTALL_SENSOR", "search": { "query": "foobar", "criteria": {}, "exclusions": {} } } _was_called = True return StubResponse(None, 204) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_uninstall_sensor) api.select(Device).where("foobar").uninstall_sensor() assert _was_called
def test_simple_get(monkeypatch): _was_called = False def _get_run(url, parms=None, default=None): nonlocal _was_called assert url == "/livequery/v1/orgs/Z100/runs/abcdefg" _was_called = True return {"org_key": "Z100", "name": "FoobieBletch", "id": "abcdefg"} api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, GET=_get_run) run = api.select(Run, "abcdefg") assert _was_called assert run.org_key == "Z100" assert run.name == "FoobieBletch" assert run.id == "abcdefg"
def test_query_basealert_with_time_range(monkeypatch): """Test an alert query with the last_update_time specified as a range.""" _was_called = False _timestamp = datetime.now() def _run_query(url, body, **kwargs): nonlocal _was_called nonlocal _timestamp assert url == "/appservices/v6/orgs/Z100/alerts/_search" assert body == { "query": "Blort", "criteria": { "last_update_time": { "start": _timestamp.isoformat(), "end": _timestamp.isoformat() } }, "rows": 100 } _was_called = True return StubResponse({ "results": [{ "id": "S0L0", "org_key": "Z100", "threat_id": "B0RG", "workflow": { "state": "OPEN" } }], "num_found": 1 }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, POST=_run_query) query = api.select(BaseAlert).where("Blort").set_time_range( "last_update_time", start=_timestamp, end=_timestamp) a = query.one() assert _was_called assert a.id == "S0L0" assert a.org_key == "Z100" assert a.threat_id == "B0RG" assert a.workflow_.state == "OPEN"
def test_alerts_bulk_undismiss(monkeypatch): _was_called = False def _do_update(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/workflow/_criteria" assert body == {"query": "Blort", "state": "OPEN", "remediation_state": "Fixed", "comment": "NoSir", "criteria": {"device_name": ["HAL9000"]}} _was_called = True return StubResponse({"request_id": "497ABX"}) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_do_update) q = api.select(BaseAlert).where("Blort").set_device_names(["HAL9000"]) reqid = q.update("Fixed", "NoSir") assert _was_called assert reqid == "497ABX"
def test_query_device_with_all_bells_and_whistles(monkeypatch): _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/devices/_search" assert body == { "query": "foobar", "criteria": { "ad_group_id": [14, 25], "os": ["LINUX"], "policy_id": [8675309], "status": ["ALL"], "target_priority": ["HIGH"] }, "exclusions": { "sensor_version": ["0.1"] }, "sort": [{ "field": "name", "order": "DESC" }] } _was_called = True return StubResponse({ "results": [{ "id": 6023, "organization_name": "thistestworks" }], "num_found": 1 }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_run_query) query = api.select(Device).where("foobar").set_ad_group_ids([14, 25]).set_os(["LINUX"]) \ .set_policy_ids([8675309]).set_status(["ALL"]).set_target_priorities(["HIGH"]) \ .set_exclude_sensor_versions(["0.1"]).sort_by("name", "DESC") d = query.one() assert _was_called assert d.id == 6023 assert d.organization_name == "thistestworks"
def test_query_cbanalyticsalert_invalid_criteria_values(): tests = [ {"method": "set_blocked_threat_categories", "arg": ["MINOR"]}, {"method": "set_device_locations", "arg": ["NARNIA"]}, {"method": "set_kill_chain_statuses", "arg": ["SPAWN_COPIES"]}, {"method": "set_not_blocked_threat_categories", "arg": ["MINOR"]}, {"method": "set_policy_applied", "arg": ["MAYBE"]}, {"method": "set_reason_code", "arg": [55]}, {"method": "set_run_states", "arg": ["MIGHT_HAVE"]}, {"method": "set_sensor_actions", "arg": ["FLIP_A_COIN"]}, {"method": "set_threat_cause_vectors", "arg": ["NETWORK"]} ] api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) query = api.select(CBAnalyticsAlert) for t in tests: meth = getattr(query, t["method"], None) with pytest.raises(ApiError): meth(t["arg"])
def test_query_basealert_with_create_time_as_start_end(monkeypatch): """Test an alert query with the creation time specified as a start and end time.""" _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/_search" assert body == { "query": "Blort", "rows": 100, "criteria": { "create_time": { "start": "2019-09-30T12:34:56", "end": "2019-10-01T12:00:12" } } } _was_called = True return StubResponse({ "results": [{ "id": "S0L0", "org_key": "Z100", "threat_id": "B0RG", "workflow": { "state": "OPEN" } }], "num_found": 1 }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, POST=_run_query) query = api.select(BaseAlert).where("Blort").set_create_time( start="2019-09-30T12:34:56", end="2019-10-01T12:00:12") a = query.one() assert _was_called assert a.id == "S0L0" assert a.org_key == "Z100" assert a.threat_id == "B0RG" assert a.workflow_.state == "OPEN"
def test_get_device(monkeypatch): _was_called = False def _get_device(url): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/devices/6023" _was_called = True return {"device_id": 6023, "organization_name": "thistestworks"} api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, GET=_get_device) rc = api.select(Device, 6023) assert _was_called assert isinstance(rc, Device) assert rc.device_id == 6023 assert rc.organization_name == "thistestworks"
def test_query_cbanalyticsalert_with_all_bells_and_whistles(monkeypatch): _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/cbanalytics/_search" assert body == {"query": "Blort", "criteria": {"category": ["SERIOUS", "CRITICAL"], "device_id": [6023], "device_name": ["HAL"], "device_os": ["LINUX"], "device_os_version": ["0.1.2"], "device_username": ["JRN"], "group_results": True, "id": ["S0L0"], "legacy_alert_id": ["S0L0_1"], "minimum_severity": 6, "policy_id": [8675309], "policy_name": ["Strict"], "process_name": ["IEXPLORE.EXE"], "process_sha256": ["0123456789ABCDEF0123456789ABCDEF"], "reputation": ["SUSPECT_MALWARE"], "tag": ["Frood"], "target_value": ["HIGH"], "threat_id": ["B0RG"], "type": ["WATCHLIST"], "workflow": ["OPEN"], "blocked_threat_category": ["RISKY_PROGRAM"], "device_location": ["ONSITE"], "kill_chain_status": ["EXECUTE_GOAL"], "not_blocked_threat_category": ["NEW_MALWARE"], "policy_applied": ["APPLIED"], "reason_code": ["ATTACK_VECTOR"], "run_state": ["RAN"], "sensor_action": ["DENY"], "threat_cause_vector": ["WEB"]}, "sort": [{"field": "name", "order": "DESC"}]} _was_called = True return StubResponse({"results": [{"id": "S0L0", "org_key": "Z100", "threat_id": "B0RG", "workflow": {"state": "OPEN"}}], "num_found": 1}) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_run_query) query = api.select(CBAnalyticsAlert).where("Blort").set_categories(["SERIOUS", "CRITICAL"]) \ .set_device_ids([6023]).set_device_names(["HAL"]).set_device_os(["LINUX"]).set_device_os_versions(["0.1.2"]) \ .set_device_username(["JRN"]).set_group_results(True).set_alert_ids(["S0L0"]).set_legacy_alert_ids(["S0L0_1"]) \ .set_minimum_severity(6).set_policy_ids([8675309]).set_policy_names(["Strict"]) \ .set_process_names(["IEXPLORE.EXE"]).set_process_sha256(["0123456789ABCDEF0123456789ABCDEF"]) \ .set_reputations(["SUSPECT_MALWARE"]).set_tags(["Frood"]).set_target_priorities(["HIGH"]) \ .set_threat_ids(["B0RG"]).set_types(["WATCHLIST"]).set_workflows(["OPEN"]) \ .set_blocked_threat_categories(["RISKY_PROGRAM"]).set_device_locations(["ONSITE"]) \ .set_kill_chain_statuses(["EXECUTE_GOAL"]).set_not_blocked_threat_categories(["NEW_MALWARE"]) \ .set_policy_applied(["APPLIED"]).set_reason_code(["ATTACK_VECTOR"]).set_run_states(["RAN"]) \ .set_sensor_actions(["DENY"]).set_threat_cause_vectors(["WEB"]).sort_by("name", "DESC") a = query.one() assert _was_called assert a.id == "S0L0" assert a.org_key == "Z100" assert a.threat_id == "B0RG" assert a.workflow_.state == "OPEN"
def test_query_basealert_with_create_time_as_range(monkeypatch): _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/_search" assert body == {"query": "Blort", "criteria": {"create_time": {"range": "-3w"}}} _was_called = True return StubResponse({"results": [{"id": "S0L0", "org_key": "Z100", "threat_id": "B0RG", "workflow": {"state": "OPEN"}}], "num_found": 1}) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_run_query) query = api.select(BaseAlert).where("Blort").set_create_time(range="-3w") a = query.one() assert _was_called assert a.id == "S0L0" assert a.org_key == "Z100" assert a.threat_id == "B0RG" assert a.workflow_.state == "OPEN"
def test_query_device_with_last_contact_time_as_start_end(monkeypatch): _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/devices/_search" assert body == { "query": "foobar", "criteria": { "last_contact_time": { "start": "2019-09-30T12:34:56", "end": "2019-10-01T12:00:12" } }, "exclusions": {} } _was_called = True return StubResponse({ "results": [{ "id": 6023, "organization_name": "thistestworks" }], "num_found": 1 }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbapi(monkeypatch, api, POST=_run_query) query = api.select(Device).where("foobar") \ .set_last_contact_time(start="2019-09-30T12:34:56", end="2019-10-01T12:00:12") d = query.one() assert _was_called assert d.id == 6023 assert d.organization_name == "thistestworks"
def test_query_vmwarealert_invalid_group_ids(): api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) with pytest.raises(ApiError): api.select(VMwareAlert).set_group_ids(["Bogus"])
def test_query_watchlistalert_with_all_bells_and_whistles(monkeypatch): """Test a watchlist alert query with all options selected.""" _was_called = False def _run_query(url, body, **kwargs): nonlocal _was_called assert url == "/appservices/v6/orgs/Z100/alerts/watchlist/_search" assert body == { "query": "Blort", "rows": 100, "criteria": { "category": ["SERIOUS", "CRITICAL"], "device_id": [6023], "device_name": ["HAL"], "device_os": ["LINUX"], "device_os_version": ["0.1.2"], "device_username": ["JRN"], "group_results": True, "id": ["S0L0"], "legacy_alert_id": ["S0L0_1"], "minimum_severity": 6, "policy_id": [8675309], "policy_name": ["Strict"], "process_name": ["IEXPLORE.EXE"], "process_sha256": ["0123456789ABCDEF0123456789ABCDEF"], "reputation": ["SUSPECT_MALWARE"], "tag": ["Frood"], "target_value": ["HIGH"], "threat_id": ["B0RG"], "type": ["WATCHLIST"], "workflow": ["OPEN"], "watchlist_id": ["100"], "watchlist_name": ["Gandalf"] }, "sort": [{ "field": "name", "order": "DESC" }] } _was_called = True return StubResponse({ "results": [{ "id": "S0L0", "org_key": "Z100", "threat_id": "B0RG", "workflow": { "state": "OPEN" } }], "num_found": 1 }) api = CBCloudAPI(url="https://example.com", token="ABCD/1234", org_key="Z100", ssl_verify=True) patch_cbc_sdk_api(monkeypatch, api, POST=_run_query) query = api.select(WatchlistAlert).where("Blort").set_categories(["SERIOUS", "CRITICAL"]).set_device_ids([6023]) \ .set_device_names(["HAL"]).set_device_os(["LINUX"]).set_device_os_versions(["0.1.2"]) \ .set_device_username(["JRN"]).set_group_results(True).set_alert_ids(["S0L0"]) \ .set_legacy_alert_ids(["S0L0_1"]).set_minimum_severity(6).set_policy_ids([8675309]) \ .set_policy_names(["Strict"]).set_process_names(["IEXPLORE.EXE"]) \ .set_process_sha256(["0123456789ABCDEF0123456789ABCDEF"]).set_reputations(["SUSPECT_MALWARE"]) \ .set_tags(["Frood"]).set_target_priorities(["HIGH"]).set_threat_ids(["B0RG"]).set_types(["WATCHLIST"]) \ .set_workflows(["OPEN"]).set_watchlist_ids(["100"]).set_watchlist_names(["Gandalf"]).sort_by("name", "DESC") a = query.one() assert _was_called assert a.id == "S0L0" assert a.org_key == "Z100" assert a.threat_id == "B0RG" assert a.workflow_.state == "OPEN"