Merge pull request #2 from SED/process-updates

Fix deprecated v1 search_validation. Add alterntive fetch for process_sha256
carbonblack · Nov 15, 2024 · 44da28c · 44da28c
2 parents b3c60fc + d540371
commit 44da28c
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 46 deletions.
diff --git a/src/cbc_sdk/endpoint_standard/base.py b/src/cbc_sdk/endpoint_standard/base.py
@@ -123,6 +123,8 @@ def process_sha256(self):
         """
         if "process_hash" in self._info:
             return next((hsh for hsh in self.process_hash if len(hsh) == 64), None)
+        elif "process_sha256" in self._info:
+            return self._info.get("process_sha256", None)
         else:
             return None
 

diff --git a/src/cbc_sdk/platform/events.py b/src/cbc_sdk/platform/events.py
@@ -41,7 +41,8 @@ class Event(UnrefreshableModel):
         >>> events = [event for event in events_query]
     """
     urlobject = '/api/investigate/v2/orgs/{}/events/{}/_search'
-    validation_url = '/api/investigate/v1/orgs/{}/events/search_validation'
+    validation_url = '/api/investigate/v2/orgs/{}/events/search_validation'
+    validation_method = 'POST'
     default_sort = 'last_update desc'
     primary_key = "process_guid"
 

diff --git a/src/cbc_sdk/platform/processes.py b/src/cbc_sdk/platform/processes.py
@@ -309,6 +309,8 @@ def process_sha256(self):
         """Returns a string representation of the SHA256 hash for this process."""
         if "process_hash" in self._info:
             return next((hsh for hsh in self.process_hash if len(hsh) == 64), None)
+        elif "process_sha256" in self._info:
+            return self._info.get("process_sha256", None)
         elif "process_hash" in self.summary._info["process"]:
             return next((hash for hash in self.summary._info["process"]["process_hash"] if len(hash) == 64), None)
         else:

diff --git a/src/cbc_sdk/rest_api.py b/src/cbc_sdk/rest_api.py
@@ -487,11 +487,11 @@ def validate_process_query(self, query):
         Examples:
             >>> cb.validate_process_query("process_name:chrome.exe") # True
         """
-        args = {"q": query}
-        url = "/api/investigate/v1/orgs/{}/processes/search_validation".format(
+        args = {"query": query}
+        url = "/api/investigate/v2/orgs/{}/processes/search_validation".format(
             self.credentials.org_key
         )
-        resp = self.get_object(url, query_parameters=args)
+        resp = self.post_object(url, args).json()
 
         return resp.get("valid", False)
 

diff --git a/src/tests/uat/process_search_calls.py b/src/tests/uat/process_search_calls.py
@@ -76,8 +76,8 @@
 
 GET_PROCESS_EVENTS = '{}api/investigate/v2/orgs/{}/events/{}/_search'
 
-PROCESS_SEARCH_VALIDATION = '{}api/investigate/v1/orgs/{}/processes/search_validation'
-EVENT_SEARCH_VALIDATION = '{}api/investigate/v1/orgs/{}/events/search_validation'
+PROCESS_SEARCH_VALIDATION = '{}api/investigate/v2/orgs/{}/processes/search_validation'
+EVENT_SEARCH_VALIDATION = '{}api/investigate/v2/orgs/{}/events/search_validation'
 
 START_PROCESS_FACET_SEARCH = '{}api/investigate/v2/orgs/{}/processes/facet_jobs'
 GET_PROCESS_FACET_SEARCH_RESULTS = '{}api/investigate/v2/orgs/{}/processes/facet_jobs/{}/results'
@@ -98,8 +98,8 @@ def run_process_invalid_search(cb, print_detail):
         cb (CBCloudAPI): API object
         print_detail (bool): whether to print full info to the console, useful for debugging
     """
-    invalid_process_search_url = PROCESS_SEARCH_VALIDATION.format(HOSTNAME, ORG_KEY) + '?q=enrichedBADFIELD:true'
-    api_response = requests.get(invalid_process_search_url, headers=HEADERS)
+    invalid_process_search_url = PROCESS_SEARCH_VALIDATION.format(HOSTNAME, ORG_KEY)
+    api_response = requests.post(invalid_process_search_url, headers=HEADERS, data={"query": "enrichedBADFIELD:true"})
 
     process_query = cb.select(Process).where("enrichedBADFIELD:true")
 
@@ -126,8 +126,8 @@ def run_process_event_invalid_search(cb, print_detail):
         cb (CBCloudAPI): API object
         print_detail (bool): whether to print full info to the console, useful for debugging
     """
-    invalid_event_search_url = EVENT_SEARCH_VALIDATION.format(HOSTNAME, ORG_KEY) + '?q=enrichedBADFIELD:true'
-    api_response = requests.get(invalid_event_search_url, headers=HEADERS)
+    invalid_event_search_url = EVENT_SEARCH_VALIDATION.format(HOSTNAME, ORG_KEY)
+    api_response = requests.post(invalid_event_search_url, headers=HEADERS, data={"query": "enrichedBADFIELD:true"})
 
     event_query = cb.select(Event).where("enrichedBADFIELD:true")
 

diff --git a/src/tests/unit/platform/test_platform_events.py b/src/tests/unit/platform/test_platform_events.py
@@ -72,11 +72,8 @@ def test_event_query_process_select_with_guid(cbcsdk_mock):
     assert isinstance(process, Process)
     assert process.process_guid == guid
 
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
     url = r"/api/investigate/v2/orgs/test/events/J7G6DTLN\-006633e3\-00000334\-00000000\-1d677bedfbb1c2e/_search"
     cbcsdk_mock.mock_request("POST", url, EVENT_SEARCH_RESP_INTERIM)
@@ -96,11 +93,8 @@ def test_event_query_select_with_guid(cbcsdk_mock):
 
 def test_event_query_select_with_where(cbcsdk_mock):
     """Test Event Querying with where() clause"""
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
 
     url = "/api/investigate/v2/orgs/test/events/J7G6DTLN\\-006633e3\\-00000334\\-00000000\\-1d677bedfbb1c2e/_search"
@@ -121,10 +115,7 @@ def test_event_query_select_with_where(cbcsdk_mock):
     cbcsdk_mock.mock_request("POST", url, EVENT_SEARCH_RESP)
 
     cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN-006633e3-00000334-00000000-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN-006633e3-00000334-00000000-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN-006633e3-00000334-00000000-1d677bedfbb1c2e",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
 
     events = api.select(Event).where('process_guid:J7G6DTLN-006633e3-00000334-00000000-1d677bedfbb1c2e')
@@ -144,11 +135,8 @@ def test_event_query_select_with_where(cbcsdk_mock):
 
 def test_event_query_select_timeout(cbcsdk_mock):
     """Test Event Querying with where() clause that times out"""
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
 
     url = "/api/investigate/v2/orgs/test/events/J7G6DTLN\\-006633e3\\-00000334\\-00000000\\-1d677bedfbb1c2e/_search"
@@ -163,11 +151,8 @@ def test_event_query_select_timeout(cbcsdk_mock):
 
 def test_event_query_select_asynchronous(cbcsdk_mock):
     """Test Event Querying with where() clause as asynchronous"""
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
 
     url = "/api/investigate/v2/orgs/test/events/J7G6DTLN\\-006633e3\\-00000334\\-00000000\\-1d677bedfbb1c2e/_search"
@@ -198,11 +183,8 @@ def _fake_multiple_fetches(url, body, **kwargs):
             assert body['start'] == 1
             return EVENT_SEARCH_RESP_PART_TWO
 
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/events/search_validation?"
-                             "process_guid=J7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&q=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e"
-                             "&query=process_guid%3AJ7G6DTLN%5C-006633e3%5C-00000334%5C-00000000%5C-1d677bedfbb1c2e",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/events/search_validation",
                              EVENT_SEARCH_VALIDATION_RESP)
 
     url = "/api/investigate/v2/orgs/test/events/J7G6DTLN\\-006633e3\\-00000334\\-00000000\\-1d677bedfbb1c2e/_search"

diff --git a/src/tests/unit/test_helpers.py b/src/tests/unit/test_helpers.py
@@ -152,11 +152,8 @@ def post_validate(*args):
             return {"valid": True}
         return {"valid": False}
 
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/processes/search_validation?q=process_name%3Achrome.exe",
-                             post_validate)
-    cbcsdk_mock.mock_request("GET",
-                             "/api/investigate/v1/orgs/test/processes/search_validation?q=invalid",
+    cbcsdk_mock.mock_request("POST",
+                             "/api/investigate/v2/orgs/test/processes/search_validation",
                              post_validate)
 
     api = cbcsdk_mock.api

diff --git a/src/tests/unit/test_rest_api.py b/src/tests/unit/test_rest_api.py
@@ -83,8 +83,8 @@ def test_process_search_validations(cbcsdk_mock):
     """Tests getting process search validations"""
     api = cbcsdk_mock.api
     cbcsdk_mock.mock_request(
-        "GET",
-        "/api/investigate/v1/orgs/test/processes/search_validation?q=process",
+        "POST",
+        "/api/investigate/v2/orgs/test/processes/search_validation",
         PROCESS_SEARCH_VALIDATIONS_RESP,
     )
     result = api.validate_process_query("process")