def test_get_intel_indicators():
""" test clean get_intel_indicators """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET) # pylint: disable=invalid-name
response = crowdstrike.get_intel_indicators(limit=10)
logger.debug(response)
assert not response.get('errors')
def test_find_true_positives():
""" does some testing looking for true positive incidents """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
incidents = crowdstrike.incidents_query(filter="tags: 'True Positive'")
assert len(incidents) > 0
logger.debug(incidents)
def test_find_closed_incidents():
""" does some testing looking for closed incidents """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
incidents = crowdstrike.incidents_query(filter="status: '40'")
assert len(incidents) > 0
logger.debug(incidents)
def test_get_detects():
""" searches for the latest detection ID """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
response = crowdstrike.get_detects(offset=0, limit=1)
logger.debug(response)
assert not response.get('errors')
# should work, unless you've never had a detection on your account, which would be surprising ^_^
assert response.get('resources')
def test_incidents_perform_actions():
""" tests some basic things in incidents_perform_actions """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
with pytest.raises(ValueError):
crowdstrike.incidents_perform_actions(ids=['12345'],
action_parameters=[{
'foo': 'bar'
}])
with pytest.raises(ValueError):
crowdstrike.incidents_perform_actions(ids=['12345'],
action_parameters=[{
'name': 'tags',
'value': 'foo',
'foo': 'bar'
}])
with pytest.raises(ValueError):
crowdstrike.incidents_perform_actions(ids=['12345'],
action_parameters=[{
'name': 'tags',
'value': 13,
'foo': 'bar'
}])
results = crowdstrike.incidents_perform_actions(ids=['12345'],
action_parameters=[
{
'name': 'tags',
'value': '',
},
])
logger.debug(results)
def test_really_replace_with_a_real_test():
""" terrible test, shouldn't be like this """
# TODO: replace this with anything closer to a real test suite
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
logger.info("Testing get_event_streams()")
streams = crowdstrike.get_event_streams("testing123")
if not streams.get("resources", False):
logger.error(json.dumps(streams))
raise ValueError("No resources in stream response")
assert streams.get('resources', False)
def test_get_detections():
""" pulls information on the last five detections """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
response = crowdstrike.get_detects(offset=0, limit=5)
ids = response.get('resources')
assert ids
response = crowdstrike.get_detections(ids=ids)
logger.debug(response)
assert not response.get('errors')
# should work, unless you've never had a detection on your account, which would be surprising ^_^
assert response.get('resources')
def test_really_replace_this_with_a_real_test():
""" terrible test, replace it with something not-terrible """
# TODO: make this some vaguely correct tests
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
# find a few different crowdstrike ids
ids = crowdstrike.get_sensor_installer_ids(sort_string="release_date|desc",
filter_string='platform:"mac"')
assert ids is not None
ids = crowdstrike.get_sensor_installer_ids(
sort_string="release_date|desc", )
assert ids is not None
ids = crowdstrike.get_sensor_installer_ids(filter_string='platform:"mac"')
assert ids is not None
# test downloading the latest macOS installer
maclatest = crowdstrike.get_latest_sensor_id(
filter_string='platform:"mac"')
logger.info(
json.dumps(
# also tests showing an installer's data
crowdstrike.get_sensor_installer_details(maclatest),
indent=2))
assert maclatest is not None
logger.info("Testing download to temporary directory....")
# this'll write it to a temporary directory which is removed afterwards
with tempfile.TemporaryDirectory() as tmpdirname:
filename = f'{tmpdirname}/FalconSensorMacOS.pkg'
response = crowdstrike.download_sensor(maclatest, filename)
assert response is not None
assert os.path.exists(filename)
def test_something_indicators():
""" tests with a set of values that failed once
this'll fail on a "restricted" account, worked on my test account - JH 2021-03-20
"""
payload = {
"offset": 5,
"filter": "last_updated:>1590402620",
"limit": 7000,
"include_deleted": False,
"sort": "last_updated.asc",
}
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET) # pylint: disable=invalid-name
response = crowdstrike.get_intel_indicators(**payload)
logger.debug(response)
assert not response.get('errors')
def test_incidents():
""" does some wide-open testing of incidents """
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET)
incidents = crowdstrike.incidents_query()
logger.debug(incidents)
assert len(incidents) > 0
for incident in incidents:
single_incident_details = crowdstrike.incidents_get_details(
ids=[incident])
#logger.info(json.dumps(single_incident_details.get('resources')[0], indent=4))
#logger.debug(single_incident_details.get('resources')[0].get('users'))
logger.debug(single_incident_details.get('resources')[0].get('users'))
logger.debug(single_incident_details.get('resources')[0].get('state'))
#logger.debug(single_incident_details.get('resources')[0].get('assigned_to', 'unassigned'))
assert not single_incident_details.get('errors')
from loguru import logger
from crowdstrike import CrowdstrikeAPI
except ImportError as import_error:
sys.exit(f"Error importing required library: {import_error}")
# grab config from the file or environment variable
try:
from config import CLIENT_ID, CLIENT_SECRET
except ImportError:
if os.environ.get('CLIENT_ID'):
logger.debug("Using Client ID from environment variable")
CLIENT_ID = os.environ.get('CLIENT_ID')
if os.environ.get('CLIENT_SECRET'):
logger.debug("Using Client Secret from environment variable")
CLIENT_SECRET = os.environ.get('CLIENT_SECRET')
if not CLIENT_ID and not CLIENT_SECRET:
sys.exit("you didn't set the config either via file or environment")
logger.enable("crowdstrike")
crowdstrike = CrowdstrikeAPI(CLIENT_ID, CLIENT_SECRET) # pylint: disable=invalid-name
def test_revoke_token(crowdstrike_client=crowdstrike):
""" test revoke_token """
logger.debug(crowdstrike_client.get_token())
response = crowdstrike_client.revoke_token()
logger.debug(response)