def test_main_regular(mocker):
    """
    Regular flow: non-empty current incident, fetched incidents and similar indicators.

    Expected: the text field that is empty on the current incident is dropped from the
    result columns, the id/time/name/similarity columns exist, and the indicator columns
    are filled per fetched incident ('3' shares ind_2 with score 0.4, '2' shares nothing).
    :param mocker: pytest-mock fixture used to stub the demisto API
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Module-level fixtures; presumably consumed by the executeCommand stub below.
    # NOTE(review): they are not restored afterwards, each test re-assigns all three itself.
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    script_args = {
        'incidentId': 12345,
        'similarTextField': 'incident.commandline, commandline, command, '
                            'empty_current_incident_field, empty_fetched_incident_field',
        'similarCategoricalField': 'signature, filehash, incident.commandline',
        'similarJsonField': 'CustomFields',
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': 'filehash, destinationip, closeNotes, sourceip, alertdescription',
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    res, msg = main()

    assert 'empty_current_incident_field' not in res.columns
    assert check_exist_dataframe_columns(SIMILARITY_COLUNM_NAME_INDICATOR, SIMILARITY_COLUNM_NAME,
                                         COLUMN_ID, COLUMN_TIME, 'name', df=res)
    # incident id -> (identical indicators, indicator similarity score)
    expected_indicators = {'3': ('ind_2', 0.4), '2': ('', 0.0)}
    for incident_id, (identical, score) in expected_indicators.items():
        assert res.loc[incident_id, 'Identical indicators'] == identical
        assert res.loc[incident_id, 'similarity indicators'] == score
def test_main_no_fetched_incidents_found(mocker):
    """
    No related incidents fetched - main() should return a falsy result together with a
    message containing MESSAGE_NO_INCIDENT_FETCHED.
    :param mocker: pytest-mock fixture used to stub the demisto API
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Empty fetch result is the condition under test; the other two globals stay populated.
    FETCHED_INCIDENT = FETCHED_INCIDENT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    script_args = {
        'incidentId': 12345,
        'similarTextField': 'incident.commandline, commandline, command, '
                            'empty_current_incident_field, empty_fetched_incident_field',
        'similarCategoricalField': 'signature, filehash',
        'similarJsonField': 'CustomFields',
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': 'filehash, destinationip, closeNotes, sourceip, alertdescription',
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    result, message = main()

    assert not result
    assert MESSAGE_NO_INCIDENT_FETCHED in message
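def test_main_incident_nested(mocker):
    """
    Nested (dotted) text field - the only correct field is 'xdralerts.cmd', whose value is
    served by the demisto.dt stub. main() should return a non-empty dataframe whose
    'similarity xdralerts.cmd' column is 1.0 for each of the 3 fetched incidents.
    :param mocker: pytest-mock fixture used to stub the demisto API
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Module-level fixtures; presumably consumed by the executeCommand stub below.
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY
    wrong_field_2 = 'wrong_field_2'
    wrong_field_3 = 'wrong_field_3'
    wrong_field_4 = 'wrong_field_4'
    nested_field = 'xdralerts.cmd'

    script_args = {
        'incidentId': 12345,
        'similarTextField': nested_field,
        'similarCategoricalField': wrong_field_2,
        'similarJsonField': wrong_field_3,
        'limit': 3,
        'fieldExactMatch': '',
        'fieldsToDisplay': wrong_field_4,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    # Same nested values for every incident, hence identical text and similarity 1.0.
    mocker.patch.object(demisto, 'dt', return_value=['nested_val_1', 'nested_val_2'])
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    assert not df.empty
    assert (df['similarity %s' % nested_field] == [1.0, 1.0, 1.0]).all()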
def test_main_all_incorrect_field(mocker):
    """
    Only incorrect fields given - main() should return a falsy dataframe and a message built
    from MESSAGE_INCORRECT_FIELD that names every wrong field.
    :param mocker: pytest-mock fixture used to stub the demisto API
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Module-level fixtures; presumably consumed by the executeCommand stub below.
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY
    wrong_field_1 = 'wrong_field_1'
    wrong_field_2 = 'wrong_field_2'
    wrong_field_3 = 'wrong_field_3'
    wrong_field_4 = 'wrong_field_4'

    script_args = {
        'incidentId': 12345,
        'similarTextField': wrong_field_1,
        'similarCategoricalField': wrong_field_2,
        'similarJsonField': wrong_field_3,
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': wrong_field_4,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    assert not df
    # The message lists the wrong fields in the order text, json, categorical, display.
    ordered_wrong_fields = [wrong_field_1, wrong_field_3, wrong_field_2, wrong_field_4]
    assert MESSAGE_INCORRECT_FIELD % ' , '.join(ordered_wrong_fields) in msg
    for field in (wrong_field_1, wrong_field_2, wrong_field_3, wrong_field_4):
        assert field in msg
def test_main_incident_truncated(mocker):
    """
    Fetched incidents truncated by a small 'limit' - main() should still return a non-empty
    dataframe and a message containing MESSAGE_WARNING_TRUNCATED formatted with that limit.
    :param mocker: pytest-mock fixture used to stub the demisto API
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Module-level fixtures; presumably consumed by the executeCommand stub below.
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY
    correct_field_1 = 'commandline'
    wrong_field_2 = 'wrong_field_2'
    wrong_field_3 = 'wrong_field_3'
    wrong_field_4 = 'wrong_field_4'

    script_args = {
        'incidentId': 12345,
        'similarTextField': correct_field_1,
        'similarCategoricalField': wrong_field_2,
        'similarJsonField': wrong_field_3,
        'limit': 3,  # deliberately smaller than the fetched set to trigger truncation
        'fieldExactMatch': '',
        'fieldsToDisplay': wrong_field_4,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()
    limit = demisto.args()['limit']

    assert not df.empty
    assert MESSAGE_WARNING_TRUNCATED % (limit, limit) in msg