Merge pull request #144 from CybercentreCanada/cccs-mog-patch-2

Update dynamic_service_helper.py for process ontology addition
CybercentreCanada · Nov 7, 2024 · 677a869 · 677a869
2 parents 9515dc6 + 5d3d92a
commit 677a869
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/assemblyline_service_utilities/common/dynamic_service_helper.py b/assemblyline_service_utilities/common/dynamic_service_helper.py
@@ -402,6 +402,8 @@ def __init__(
         integrity_level: Optional[str] = None,
         image_hash: Optional[str] = None,
         original_file_name: Optional[str] = None,
+        loaded_modules: Optional[List[str]] = None,
+        services_involved: Optional[List[str]] = None,
     ) -> None:
         """
         This method initializes a process object
@@ -448,6 +450,8 @@ def __init__(
 
         set_optional_argument(self, "image_hash", image_hash, str)
         set_optional_argument(self, "original_file_name", original_file_name, str)
+        set_optional_argument(self, "loaded_modules", loaded_modules, List[str])
+        set_optional_argument(self, "services_involved", services_involved, List[str])
 
     def as_primitives(self) -> Dict[str, Any]:
         """

diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
@@ -373,9 +373,11 @@ def test_process_as_primitives():
             "pid": None,
             "image": current_image,
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:01.001",
             "end_time": None,
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -1647,9 +1649,11 @@ def test_add_process():
             "pid": None,
             "image": "C:\\Windows\\System32\\cmd.exe",
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:00.000",
             "end_time": "9999-12-31 23:59:59.999999",
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -1834,9 +1838,11 @@ def test_set_parent_details():
             "pid": None,
             "image": "blah",
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:04.000",
             "end_time": "9999-12-31 23:59:59.999999",
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -1880,9 +1886,11 @@ def test_set_parent_details():
             "pid": None,
             "image": "blah",
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:03.000",
             "end_time": "9999-12-31 23:59:59.999999",
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -1963,9 +1971,11 @@ def test_set_child_details():
             "pid": 1,
             "image": "blah.exe",
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:02.000",
             "end_time": "1970-01-01 00:00:03.000",
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -1996,9 +2006,11 @@ def test_set_child_details():
             "pid": 3,
             "image": "blah.exe",
             "command_line": None,
+            'services_involved': None,
             "start_time": "1970-01-01 00:00:02.000",
             "end_time": "1970-01-01 00:00:03.000",
             "integrity_level": None,
+            'loaded_modules': None,
             "image_hash": None,
             "original_file_name": None,
         }
@@ -2897,7 +2909,9 @@ def test_get_non_safelisted_processes():
                             "session": None,
                         },
                         "ppid": 1,
+                        'services_involved': None,
                         "integrity_level": None,
+                        'loaded_modules': None,
                         "image_hash": None,
                         "original_file_name": None,
                         "command_line": "blah",
@@ -2979,10 +2993,12 @@ def test_get_non_safelisted_processes():
                             "session": None,
                         },
                         "ppid": 1,
+                        'services_involved': None,
                         "command_line": "blah",
                         "pimage": None,
                         "pcommand_line": None,
                         "integrity_level": None,
+                        'loaded_modules': None,
                         "image_hash": None,
                         "original_file_name": None,
                         "children": [
@@ -3017,6 +3033,8 @@ def test_get_non_safelisted_processes():
                                 "pcommand_line": "blah",
                                 "children": [],
                                 "integrity_level": None,
+                                'loaded_modules': None,
+                                'services_involved': None,
                                 "image_hash": None,
                                 "original_file_name": None,
                             }
@@ -3143,6 +3161,8 @@ def test_get_non_safelisted_processes():
                         "pimage": None,
                         "pcommand_line": None,
                         "integrity_level": None,
+                        'loaded_modules': None,
+                        'services_involved': None,
                         "image_hash": None,
                         "original_file_name": None,
                         "children": [
@@ -3177,6 +3197,8 @@ def test_get_non_safelisted_processes():
                                 "pimage": "blah",
                                 "pcommand_line": "blah",
                                 "integrity_level": None,
+                                'loaded_modules': None,
+                                'services_involved': None,
                                 "image_hash": None,
                                 "original_file_name": None,
                             }
@@ -3340,6 +3362,8 @@ def test_get_non_safelisted_processes():
                         "pimage": None,
                         "pcommand_line": None,
                         "integrity_level": None,
+                        'loaded_modules': None,
+                        'services_involved': None,
                         "image_hash": None,
                         "original_file_name": None,
                         "children": [
@@ -3370,6 +3394,8 @@ def test_get_non_safelisted_processes():
                                     "pimage": None,
                                     "pcommand_line": None,
                                     "integrity_level": None,
+                                    'loaded_modules': None,
+                                    'services_involved': None,
                                     "image_hash": None,
                                     "original_file_name": None,
                                     "objectid": {
@@ -5843,6 +5869,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
                         "integrity_level": None,
                         "image_hash": None,
                         "original_file_name": None,
+                        'services_involved': None,
+                        'loaded_modules': None,
                     }
                 },
             ),
@@ -5894,6 +5922,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
                         "start_time": "1970-01-01 00:00:01.000",
                         "end_time": None,
                         "integrity_level": None,
+                        'services_involved': None,
+                        'loaded_modules': None,
                         "image_hash": None,
                         "original_file_name": None,
                     },
@@ -5918,6 +5948,8 @@ def test_sort_things_by_relationship(things_to_sort, expected_result, dummy_time
                         "start_time": "1970-01-01 00:00:01.000",
                         "end_time": None,
                         "integrity_level": None,
+                        'loaded_modules': None,
+                        'services_involved': None,
                         "image_hash": None,
                         "original_file_name": None,
                     },

diff --git a/test/test_sysmon_helper.py b/test/test_sysmon_helper.py
@@ -36,7 +36,7 @@ class TestModule:
             'processtree': None, 'service_name': 'CAPE',},
            'pobjectid': None,
            'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
-           'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+           'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None,}),
          ([{"System": {"EventID": 1},
             "EventData":
             {
@@ -57,7 +57,7 @@ class TestModule:
             'processtree': None, 'service_name': 'CAPE'},
            'pobjectid': None,
            'pimage': None, 'pcommand_line': None, 'ppid': 2, 'pid': 1, 'image': 'blah.exe', 'command_line': './blah',
-           'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+           'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
          ([{"System": {"EventID": 1},
             "EventData":
             {
@@ -72,7 +72,7 @@ class TestModule:
             'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'},
            'pobjectid': None,
            'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
-           'integrity_level': None, 'image_hash': None, 'original_file_name': None}),
+           'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'loaded_modules': None, 'services_involved': None}),
          ([{"System": {"EventID": 1},
             "EventData":
             {
@@ -95,7 +95,7 @@ class TestModule:
             'time_observed': '1970-01-01 12:40:30.123', 'ontology_id': 'process_5FPZdIxfHmzxsWKUlsSNGl', 'service_name': 'CAPE'},
            'pobjectid': None,
            'pimage': None, 'pcommand_line': None, 'ppid': None, 'pid': 123, 'image': 'blah', 'command_line': None,
-           'integrity_level': None, 'image_hash': None, 'original_file_name': None}), ])
+           'integrity_level': None, 'image_hash': None, 'original_file_name': None, 'services_involved': None, 'loaded_modules': None}), ])
     def test_convert_sysmon_processes(sysmon, expected_process, mocker):
         so = OntologyResults(service_name="CAPE")
         mocker.patch.object(so, "sandboxes", return_value="blah")