use v2 of alert aggregate data api (#357)

code42 · Aug 12, 2021 · 2a54806 · 2a54806
1 parent 96a186a
commit 2a54806
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 15 deletions.
diff --git a/src/py42/services/alerts.py b/src/py42/services/alerts.py
@@ -7,7 +7,7 @@
 
 
 class AlertService(BaseService):
-    _uri_prefix = "/svc/api/v1/{0}"
+    _uri_prefix = "/svc/api"
 
     _CREATED_AT = "CreatedAt"
     _RULE_METADATA = "ruleMetadata"
@@ -22,13 +22,13 @@ def search(self, query, page_num=1, page_size=None):
         if page_size:
             query.page_size = page_size
         query = self._add_tenant_id_if_missing(query)
-        uri = self._uri_prefix.format("query-alerts")
+        uri = f"{self._uri_prefix}/v1/query-alerts"
         return self._connection.post(uri, json=query)
 
     def get_search_page(self, query, page_num, page_size):
         query.page_number = page_num - 1
         query.page_size = page_size
-        uri = self._uri_prefix.format("query-alerts")
+        uri = f"{self._uri_prefix}/v1/query-alerts"
         query = self._add_tenant_id_if_missing(query)
         return self._connection.post(uri, json=query)
 
@@ -44,7 +44,7 @@ def get_details(self, alert_ids):
         if not isinstance(alert_ids, (list, tuple)):
             alert_ids = [alert_ids]
         tenant_id = self._user_context.get_current_tenant_id()
-        uri = self._uri_prefix.format("query-details")
+        uri = f"{self._uri_prefix}/v1/query-details"
         data = {"tenantId": tenant_id, "alertIds": alert_ids}
         results = self._connection.post(uri, json=data)
         return _convert_observation_json_strings_to_objects(results)
@@ -53,7 +53,7 @@ def update_state(self, state, alert_ids, note=None):
         if not isinstance(alert_ids, (list, tuple)):
             alert_ids = [alert_ids]
         tenant_id = self._user_context.get_current_tenant_id()
-        uri = self._uri_prefix.format("update-state")
+        uri = f"{self._uri_prefix}/v1/update-state"
         data = {
             "tenantId": tenant_id,
             "alertIds": alert_ids,
@@ -86,7 +86,7 @@ def get_rules_page(
             "srtKey": sort_key,
             "srtDirection": sort_direction,
         }
-        uri = self._uri_prefix.format("rules/query-rule-metadata")
+        uri = f"{self._uri_prefix}/v1/rules/query-rule-metadata"
         return self._connection.post(uri, json=data)
 
     def get_all_rules(self, sort_key=_CREATED_AT, sort_direction="DESC"):
@@ -125,7 +125,7 @@ def get_rule_by_observer_id(
 
     def update_note(self, alert_id, note):
         tenant_id = self._user_context.get_current_tenant_id()
-        uri = self._uri_prefix.format("add-note")
+        uri = f"{self._uri_prefix}/v1/add-note"
         data = {
             "tenantId": tenant_id,
             "alertId": alert_id,
@@ -134,11 +134,11 @@ def update_note(self, alert_id, note):
         return self._connection.post(uri, json=data)
 
     def get_aggregate_data(self, alert_id):
-        uri = self._uri_prefix.format("query-details-aggregate")
-        data = {
-            "alertId": alert_id,
-        }
-        return self._connection.post(uri, json=data)
+        uri = f"{self._uri_prefix}/v2/query-details-aggregate"
+        data = {"alertId": alert_id}
+        response = self._connection.post(uri, json=data)
+        response.data["alert"]["ffsUrl"] = response.data["alert"].get("ffsUrlEndpoint")
+        return response
 
 
 def _convert_observation_json_strings_to_objects(results):

diff --git a/tests/services/test_alerts.py b/tests/services/test_alerts.py
@@ -9,12 +9,12 @@
 from py42.services._connection import Connection
 from py42.services.alerts import AlertService
 
+
 TEST_RESPONSE = """
 {"type$": "RULE_METADATA_SEARCH_RESPONSE",
  "ruleMetadata": [{ "name": "TESTNAME"}, { "name": "TSTNAME"}, { "name": "TesTNAME"}]
 , "totalCount": 1, "problems": []}
 """
-
 TEST_PARSEABLE_ALERT_DETAIL_RESPONSE = """
 {
     "type$": "ALERT_DETAILS_RESPONSE",
@@ -34,7 +34,6 @@
     ]
 }
 """
-
 TEST_NON_PARSEABLE_ALERT_DETAIL_RESPONSE = """
 {
     "type$": "ALERT_DETAILS_RESPONSE",
@@ -54,6 +53,77 @@
     ]
 }
 """
+TEST_ALERT_AGGREGATE_RESPONSE = """{
+  "type$": "ALERT_DETAILS_IN_AGGREGATE_V2_RESPONSE",
+  "alert": {
+    "type$": "ALERT_DETAILS_AGGREGATE_V2",
+    "tenantId": "093845-3333-bbbb-a6d9-11213cfbb33",
+    "type": "FED_COMPOSITE",
+    "name": "Zip file exfiltration",
+    "description": "Alerts you about the movement of archive files that may conceal file contents.",
+    "actor": "test.testerson@example.com",
+    "actorId": "111154444252344565",
+    "target": "N/A",
+    "severity": "HIGH",
+    "ruleId": "4455661d-1111-2222-3333-33d83f500000",
+    "ruleSource": "Alerting",
+    "id": "d8e67016-1969-4cc9-9590-d52ab20d349a",
+    "createdAt": "2021-08-09T15:21:56.9761420Z",
+    "state": "OPEN",
+    "observations": [
+      {
+        "type$": "OBSERVATION_AGGREGATE",
+        "observedAt": "2021-08-09T15:00:00.0000000Z",
+        "type": "FedEndpointExfiltration",
+        "data": "{}"
+      }
+    ],
+    "firstObservationAt": "2021-08-09T15:00:00.0000000Z",
+    "lastObservationAt": "2021-08-09T15:05:00.0000000Z",
+    "fileCount": 1,
+    "totalFileSize": 112303,
+    "fileCategories": [
+      {
+        "type$": "FILE_CATEGORY",
+        "category": "Archive",
+        "fileCount": 1,
+        "totalFileSize": 112303
+      }
+    ],
+    "riskSeveritySummary": [
+      {
+        "type$": "RISK_SEVERITY_SUMMARY",
+        "severity": "CRITICAL",
+        "numEvents": 1,
+        "summarizedRiskIndicators": [
+          {
+            "type$": "SUMMARIZED_RISK_INDICATOR",
+            "name": "Zip",
+            "numEvents": 1
+          },
+          {
+            "type$": "SUMMARIZED_RISK_INDICATOR",
+            "name": "Remote",
+            "numEvents": 1
+          },
+          {
+            "type$": "SUMMARIZED_RISK_INDICATOR",
+            "name": "Yahoo upload",
+            "numEvents": 1
+          },
+          {
+            "type$": "SUMMARIZED_RISK_INDICATOR",
+            "name": "Departing",
+            "numEvents": 1
+          }
+        ]
+      }
+    ],
+    "ffsUrlEndpoint": "https://ffs-url-test.example.com",
+    "alertUrl": "https://alerts.example.com/alert-id"
+  }
+}
+"""
 
 
 @pytest.fixture
@@ -423,7 +493,22 @@ def test_get_aggregate_data_calls_post_with_expected_url_and_data(
         alert_service.get_aggregate_data("alert-id")
         assert (
             mock_connection.post.call_args[0][0]
-            == "/svc/api/v1/query-details-aggregate"
+            == "/svc/api/v2/query-details-aggregate"
         )
         post_data = mock_connection.post.call_args[1]["json"]
         assert post_data["alertId"] == "alert-id"
+
+    def test_get_aggregate_data_creates_alias_for_ffs_url(
+        self, mocker, mock_connection, user_context
+    ):
+        # This is to support the method when it once called the v1 api.
+        mock_connection.post.return_value = create_mock_response(
+            mocker, TEST_ALERT_AGGREGATE_RESPONSE
+        )
+        alert_service = AlertService(mock_connection, user_context)
+        response = alert_service.get_aggregate_data("alert-id")
+        assert (
+            response["alert"]["ffsUrl"]
+            == "https://ffs-url-test.example.com"
+            == response["alert"]["ffsUrlEndpoint"]
+        )