def test_positive_unknown_verdict_ip_observable(module_headers):
"""Perform testing for enrich deliberate observables endpoint to get
verdict for observable with unknown disposition from Abuse IPDB module
ID: CCTRI-811-e0b57f1d-bfca-4d4c-a163-02fdcebe9131
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected verdict for
observable from Abuse IPDB module
Importance: Critical
"""
observables = [{'type': 'ip', 'value': '1.1.1.1'}]
response_from_all_modules = enrich_deliberate_observables(
payload=observables, **{'headers': module_headers})
response_from_abuse = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_abuse['module'] == MODULE_NAME
assert response_from_abuse['module_instance_id']
assert response_from_abuse['module_type_id']
verdicts = response_from_abuse['data']['verdicts']
assert verdicts['count'] == 1
assert verdicts['docs'][0]['type'] == 'verdict'
assert verdicts['docs'][0]['disposition'] == 5
assert verdicts['docs'][0]['disposition_name'] == 'Unknown'
assert verdicts['docs'][0]['observable'] == observables[0]
assert verdicts['docs'][0]['valid_time']['start_time']
def test_positive_clean_verdict_ip_observable(module_headers):
"""Perform testing for enrich deliberate observables endpoint to get
verdict for observable with clean disposition from Abuse IPDB module
ID: CCTRI-811-eb6d1371-5d0c-42df-8437-8863f3bac4d0
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected verdict for
observable from Abuse IPDB module
Importance: Critical
"""
observables = [{'type': 'ip', 'value': '118.232.96.6'}]
response_from_all_modules = enrich_deliberate_observables(
payload=observables, **{'headers': module_headers})
response_from_abuse = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_abuse['module'] == MODULE_NAME
assert response_from_abuse['module_instance_id']
assert response_from_abuse['module_type_id']
verdicts = response_from_abuse['data']['verdicts']
assert verdicts['count'] == 1
assert verdicts['docs'][0]['type'] == 'verdict'
assert verdicts['docs'][0]['disposition'] == 1
assert verdicts['docs'][0]['disposition_name'] == 'Clean'
assert verdicts['docs'][0]['observable'] == observables[0]
assert verdicts['docs'][0]['valid_time']['start_time']
def test_positive_suspicious_verdict_ip_observable(module_headers):
"""Perform testing for enrich deliberate observables endpoint to get
verdict for observable with suspicious disposition from Abuse IPDB module
ID: CCTRI-811-93e7fe20-bf8f-42ce-9966-17961ce5dfa8
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected verdict for
observable from Abuse IPDB module
Importance: Critical
"""
observables = [{'type': 'ip', 'value': '118.232.96.6'}]
response_from_all_modules = enrich_deliberate_observables(
payload=observables, **{'headers': module_headers})
response_from_abuse = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_abuse['module'] == MODULE_NAME
assert response_from_abuse['module_instance_id']
assert response_from_abuse['module_type_id']
verdicts = response_from_abuse['data']['verdicts']
assert verdicts['count'] == 1
assert verdicts['docs'][0]['type'] == 'verdict'
assert verdicts['docs'][0]['disposition'] == 3
assert verdicts['docs'][0]['disposition_name'] == 'Suspicious'
assert verdicts['docs'][0]['observable'] == observables[0]
assert verdicts['docs'][0]['valid_time']['start_time']
def test_ctr_positive_module_instance_investigate(
module_headers, module_tool_client):
"""Validate that module we create through int module instance end point
can return data for observable investigation process
ID: 15b9b1c0-b771-42a7-b6a6-861682a09d17
Steps:
1. Send POST request to int module instance end point to create new
entity
2. Send enrich observe observable request to server
3. Check response for data from just created custom module
Expectedresults: Data returned from server contains valid and expected
values
Importance: High
"""
# Validate that module instance we plan to use for test automation purpose
# is not present in system
module_instance_list = int_get_module_instance(
**{'headers': module_headers})
module_instance = next(
(
item for item in module_instance_list
if item['name'] == 'Test Investigation Module'
),
False
)
assert not module_instance, (
'Test module instance was not removed from the system from previous '
'runs'
)
# Create new module instance
payload = {
'name': 'Investigation Module',
'module_type_id': PRIVATE_INTEL_MODULE_TYPE,
'enabled': True,
'visibility': 'org',
}
module_instance = int_post_module_instance(
payload=payload, **{'headers': module_headers})
assert module_instance['name'] == 'Investigation Module'
try:
# Check that created module can return data for investigation process
response = module_tool_client.enrich.observe.observables(
[{'type': 'sha256', 'value': SHA256_HASH}])
observables = get_observables(response, module_instance['name'])
assert observables['data']['verdicts']['count'] > 0, (
'No observable verdicts returned from server. Check hash value')
assert observables['data']['judgements']['count'] > 0, (
'No observable judgements returned from server. Check hash value')
assert observables['data']['verdicts']['docs'][0][
'disposition_name'] == 'Malicious'
finally:
# Clean system from created module
int_delete_module_instance(
entity_id=module_instance['id'], **{'headers': module_headers})
def test_positive_smoke_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Qualys doesn't have information, will return empty
data
ID: CCTRI-1707-2af2e5ec-d6bd-4a9b-83c1-5cb78786f145
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Qualys module
Importance: Critical
"""
observables = [{"value": observable, "type": observable_type}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_qualys_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_qualys_module['module'] == MODULE_NAME
assert response_from_qualys_module['module_instance_id']
assert response_from_qualys_module['module_type_id']
assert response_from_qualys_module['data'] == {}
def test_positive_smoke_empty_observable(module_headers):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Have I Been Pwned doesn't have information, will
return empty data
ID: CCTRI-1695-b98d1d01-fd20-492f-bda5-bafb313a0737
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from
Have I Been Pwned
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response_from_all_modules = enrich_observe_observables(
payload=observable, **{'headers': module_headers})
response_from_hibp_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_hibp_module['module'] == MODULE_NAME
assert response_from_hibp_module['module_instance_id']
assert response_from_hibp_module['module_type_id']
assert response_from_hibp_module['data'] == {}
def test_positive_smoke_empty_observables(module_headers):
"""Perform testing for enrich observe observables endpoint to
check that observable, on which Spycloud doesn't have information,
will return empty data
ID: CCTRI-1695-2b2f141b-d2ac-4a26-a254-2f9524e5ad75
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Spycloud module
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response_from_all_modules = enrich_observe_observables(
payload=observable, **{'headers': module_headers})
response_from_spycloud_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_spycloud_module['module'] == MODULE_NAME
assert response_from_spycloud_module['module_instance_id']
assert response_from_spycloud_module['module_type_id']
assert response_from_spycloud_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Gigamon ThreatINSIGHT module doesn't have
information, will return empty data
ID: CCTRI-1695-dfc0dce8-6ed3-4c8d-a1b1-ce9675ce15f9
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from Gigamon
ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon['module'] == MODULE_NAME
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
assert response_from_gigamon['data'] == {}
def test_positive_verdict(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to get
verdicts for observable from CyberCrime Tracker
ID: CCTRI-813-700a7520-6454-485c-8daf-f876c6e57602
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected verdicts for
observable from CyberCrime Tracker
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_cybercrime_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_cybercrime_module['module'] == MODULE_NAME
assert response_from_cybercrime_module['module_instance_id']
assert response_from_cybercrime_module['module_type_id']
verdicts = response_from_cybercrime_module['data']['verdicts']
assert verdicts['count'] == 1
for verdict in verdicts['docs']:
assert verdict['type'] == 'verdict'
assert verdict['disposition'] == 2
assert verdict['observable'] == observables[0]
assert verdict['valid_time']['start_time']
assert verdict['valid_time']['end_time']
def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Microsoft Graph Security doesn't have information,
will return empty data
ID: CCTRI-1707-335903f4-b387-4ad9-8f8b-badfb1ae7f8c
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Microsoft Graph Security
module
Importance: Critical
"""
observables = [
{
"value": observable,
"type": observable_type
},
]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
assert direct_observables['module'] == MODULE_NAME
assert direct_observables['module_instance_id']
assert direct_observables['module_type_id']
assert direct_observables['data'] == {}
def test_positive_smoke_observe_observables_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which AlienVault OTX doesn't have information, will return
empty data
ID: CCTRI-1695-8f48503a-5277-4578-9f38-8d31b2aaa3cb
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from AlienVault
OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
assert response_from_alien_vault['data'] == {}
def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which CyberCrime Tracker doesn't have information, will
return empty data
ID: CCTRI-1707-07e734d0-1dcc-4f6a-b169-b8f1b4f53d3d
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from CyberCrime Tracker
module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_cybercrime_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_cybercrime_module['module'] == MODULE_NAME
assert response_from_cybercrime_module['module_instance_id']
assert response_from_cybercrime_module['module_type_id']
assert response_from_cybercrime_module['data'] == {}
def test_positive_smoke_enrich_refer_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich refer observable endpoint to check status of
AlienVault OTX module
ID: CCTRI-1336-1f700099-447c-4803-9df7-d1c97cc5abdb
Steps:
1. Send request to enrich refer observable endpoint
Expectedresults:
1. Response body contains refer entity with needed fields from
AlienVault OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_refer_observables(
payload=observables, **{'headers': module_headers})
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
assert response_from_alien_vault['id'] == (
f'ref-avotx-search-{observable_type}-{quote(observable, safe="")}')
assert response_from_alien_vault['title'] == (
f'Search for this {OBSERVABLE_HUMAN_READABLE_NAME[observable_type]}')
assert (response_from_alien_vault['description']) == (
f'Lookup this {OBSERVABLE_HUMAN_READABLE_NAME[observable_type]} on '
f'{INTEGRATION_NAME}')
assert response_from_alien_vault['categories'] == [
INTEGRATION_NAME, 'Search'
]
def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Google Chronicle doesn't have information, will
return empty data
ID: CCTRI-1707-1a53cc5b-80c7-4859-bdd2-dc6f301ffac9
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Google Chronicle module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_chronicle_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_chronicle_module['module'] == MODULE_NAME
assert response_from_chronicle_module['module_instance_id']
assert response_from_chronicle_module['module_type_id']
assert response_from_chronicle_module['data'] == {}
def test_positive_smoke_enrich_health(module_headers):
"""Perform testing for enrich health endpoint to check status of CyberCrime
Tracker module
ID: CCTRI-844-2774693e-f297-11ea-adc1-0242ac120002
Steps:
1. Send request to enrich health endpoint
Expectedresults:
1. Check that data in response body contains status Ok from CyberCrime
Tracker module
Importance: Critical
"""
response_from_all_modules = enrich_post_health(
**{'headers': module_headers}
)
response_from_cybercrime = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_cybercrime['module'] == MODULE_NAME
assert response_from_cybercrime['module_instance_id']
assert response_from_cybercrime['module_type_id']
assert response_from_cybercrime['data'] == {'status': 'ok'}
def test_positive_relay_refer_observables_sightings(module_headers, observable,
observable_type):
""" Perform testing for enrich refer observables endpoint for file_name
in Qualys
ID: CCTRI-744-6114ff9d-e97f-47ae-ab41-6508eec000d6
Steps:
1. Send request with observable that has file_name type to endpoint
refer observables
Expectedresults:
1. Check that data in response body contains expected information
from Qualys module
Importance: Critical
"""
observables = [{'value': observable, 'type': observable_type}]
response_from_all_modules = enrich_refer_observables(
payload=observables, **{'headers': module_headers})
sightings = get_observables(response_from_all_modules, MODULE_NAME)
assert sightings['module'] == MODULE_NAME
assert sightings['module_instance_id']
assert sightings['module_type_id']
assert sightings['description']
assert sightings['id'] == (
f'ref-qualys-search-{observable_type}-{observable}')
assert sightings['url'].startswith(
'https://qualysguard.qg3.apps.qualys.com')
assert sightings['title'] == (
f'Search for this '
f'{OBSERVABLE_HUMAN_READABLE_NAME[observable_type]}')
assert sightings['categories'] == ['Qualys', 'Search']
def test_positive_enrich_observe_observables_sha256(module_headers):
"""Perform testing for enrich observe observables endpoint for sha256 in
Graph Security module
ID: CCTRI-354-38e92acf-45e2-4ff6-b5f4-c7e7f4e20f2d
Steps:
1. Send request with observable that has SHA256 type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = (
'091835b16192e526ee1b8a04d0fcef534544cad306672066f2ad6973a4b18b19')
observable_type = 'sha256'
expected_observable = {
'description':
('Attackers can implant the right-to-left-override (RLO) in a '
'filename to change the order of the characters in the filename '
'and make it appear legitimate. This technique is used in '
'different social engineering attacks to convince the user to run'
' the file, and may also be used for hiding purposes. The file '
'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Right-to-Left-Override (RLO) technique observed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
assert direct_observables['module'] == MODULE_NAME
assert direct_observables['module_instance_id']
assert direct_observables['module_type_id']
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 2
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_sighting_relation(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check
relationships in sighting of Gigamon ThreatINSIGHT module
ID: CCTRI-1174-fb8d55ae-0352-4170-9b17-ddf49fa81783
Steps:
1. Send request to enrich observe observable endpoint and check
relationships in sighting
Expectedresults:
1. Response body contains relationships in sightings entity with needed
fields from Gigamon ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon['module'] == MODULE_NAME
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
sightings = response_from_gigamon['data']['sightings']
assert len(sightings['docs']) > 0
for sighting in sightings['docs']:
if 'HTTP' in sighting['description'].splitlines()[0]:
http_relations = {
relation['relation']
for relation in sighting['relations']
}
assert 'Connected_To' in http_relations
download_relations = {'Downloaded_To', 'Downloaded_From'}
upload_relations = {'Uploaded_From', 'Uploaded_To'}
intersection_relations = http_relations & (download_relations
| upload_relations)
assert not intersection_relations or (intersection_relations
== download_relations) or (
intersection_relations
== upload_relations)
for relation in sighting['relations']:
assert relation['origin'] == INTEGRATION_NAME
assert relation['relation'] in RELATIONS_TYPES
assert relation['source']['value']
assert relation['source']['type'] in RELATED_OBSERVABLES_TYPES
assert relation['related']['value']
assert relation['related']['type'] in RELATED_OBSERVABLES_TYPES
if relation['relation'] == 'Hosted_On':
assert relation['source']['value'].startswith('http') and (
relation['source']['type'] == 'url')
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_sighting(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
sightings of Urlscan module
ID: CCTRI-818-acd56463-e158-4c67-9b26-57f08bbe775c
Steps:
1. Send request to enrich observe observable endpoint and check
sighting
Expectedresults:
1. Response body contains sightings entity with needed fields from
Urlscan module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_urlscan_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_urlscan_module['module'] == MODULE_NAME
assert response_from_urlscan_module['module_instance_id']
assert response_from_urlscan_module['module_type_id']
sightings = response_from_urlscan_module['data']['sightings']
assert len(sightings['docs']) > 0
for sighting in sightings['docs']:
assert sighting['description'] == 'Scan Result'
assert sighting['schema_version']
assert sighting['observables'] == observables
assert sighting['type'] == 'sighting'
assert sighting['source'] == URLSCAN
assert sighting['external_ids']
assert sighting['internal'] is False
assert sighting['source_uri'] == (
f'{URL}/result/{sighting["external_ids"][0]}')
assert sighting['id'].startswith('transient:sighting')
assert sighting['count'] == 1
assert sighting['confidence'] == CONFIDENCE_LEVEL
assert sighting['observed_time']['start_time'] == (
sighting['observed_time']['end_time'])
assert sighting['data']['columns']
assert sighting['data']['rows']
assert [relation['relation']
for relation in sighting['relations']] == RELATION_TYPES
for relation in sighting['relations']:
assert relation['origin'] == f'{URLSCAN} Module'
assert relation['source']['value']
assert relation['source']['type']
assert relation['related']['value']
assert relation['related']['type']
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_ip(module_headers):
""" Perform testing for enrich observe observables endpoint for IP in
Graph Security module
ID: CCTRI-467-63340fd2-3ed5-44f5-b274-c5595322dc43
Steps:
1. Send request with observable that has IP type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = '10.8.168.41'
observable_type = 'ip'
expected_observable = {
'description':
('SQL Injection, Cross-Site Scripting. We observed the following '
'suspicious value enter the application through the HTTP Request '
'Parameter "userid":POST /WebGoat/SqlInjection/attack5b HTTP/1.0 '
'userid=4+OR+1%3D1 This value was again observed altering the '
'meaning of the SQL query executed within '
'org.hsqldb.jdbc.JDBCStatement.executeQuery(Unknown Source):'
'SELECT * FROM user_data WHERE userid = 4 OR 1=1.'),
'external_ids': ['257F2933-A145-4061-9464-2D964A91EB91'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'High',
'source':
'Microsoft Graph Security',
'title':
'Active attack EXPLOITED in QA',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_smoke_enrich_relationships(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observable endpoint to check
relationships of AlienVault OTX module
ID: CCTRI-1335-943cacc5-0157-42d8-af5c-3778c4b79031
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Response body contains relationships entity with needed fields from
AlienVault OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
relationships = response_from_alien_vault['data']['relationships']
indicators_ids = {
indicator['id']
for indicator in response_from_alien_vault['data']['indicators']
['docs']
}
sightings_ids = {
sighting['id']
for sighting in response_from_alien_vault['data']['sightings']['docs']
}
target_ref = {
relationship['target_ref']
for relationship in response_from_alien_vault['data']['relationships']
['docs']
}
source_ref = {
relationship['source_ref']
for relationship in response_from_alien_vault['data']['relationships']
['docs']
}
assert target_ref == indicators_ids
assert source_ref == sightings_ids
assert len(relationships['docs']) > 0
for relationship in relationships['docs']:
assert relationship['schema_version']
assert relationship['type'] == 'relationship'
assert relationship['id'].startswith('transient:relationship')
assert relationship['relationship_type'] == 'member-of'
assert relationships['count'] == len(relationships['docs'])
def test_positive_enrich_observe_observables_file_path(module_headers):
""" Perform testing for enrich observe observables endpoint for FILE_PATH
in Graph Security module
ID: CCTRI-471-a7435d3f-2160-43c6-b8de-a2da65f9c40d
Steps:
1. Send request with observable that has FILE_PATH type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = r'C:\Windows\SYSTEM32\ntdll.dll'
observable_type = 'file_path'
external_id = '0F72C58F-1D01-4284-BB32-C53DD45B5C01'
expected_observable = {
'description':
('A process suspiciously tried to access the export address table '
'(EAT) to look for potentially useful APIs. This might indicate '
'an exploitation attempt. The process svchost.exe, with process '
'ID 404, tried accessing the Export Address table for module '
r'C:\\Windows\\SYSTEM32\\ntdll.dll and was blocked'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'source':
'Microsoft Graph Security',
'external_ids': [external_id],
'type':
'sighting',
'title':
'Exploit Guard blocked dynamic code execution',
'severity':
'High'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
assert direct_observables['data']['sightings']['count'] == 2
current_observables = direct_observables['data']['sightings']['docs']
sighting = [
observable for observable in current_observables
if observable['external_ids'][0] == external_id
][0]
assert sighting['observables'] == observables
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_indicators(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
indicators of Gigamon ThreatINSIGHT module
ID: CCTRI-1094-fb59a541-a42e-41fc-b859-52a1b564c14e
Steps:
1. Send request to enrich observe observable endpoint and check
indicators
Expectedresults:
1. Response body contains indicators entity with needed fields from
ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon_module['module'] == MODULE_NAME
assert response_from_gigamon_module['module_instance_id']
assert response_from_gigamon_module['module_type_id']
indicators = response_from_gigamon_module['data']['indicators']
assert len(indicators['docs']) > 0
for indicator in indicators['docs']:
assert indicator['description']
assert indicator['producer'] == INTEGRATION_NAME
assert indicator['schema_version']
assert indicator['type'] == 'indicator'
assert indicator['source'] == INTEGRATION_NAME
assert indicator['short_description']
assert indicator['title']
assert indicator['confidence'] in CONFIDENCE
assert indicator['severity'] in SEVERITY
assert indicator['external_ids']
assert indicator['id'] == (
f"transient:indicator-{indicator['external_ids'][0]}")
assert indicator['valid_time']['start_time']
assert 'tags' in indicator
assert indicator['source_uri'] == (
f'{GIGAMON_URL}/detections/rules/{indicator["external_ids"][0]}')
for external_reference in indicator['external_references']:
assert external_reference['description']
assert external_reference['external_id'] == (
indicator['external_ids'][0])
assert external_reference['source_name'] == INTEGRATION_NAME
assert external_reference['url'] == (
f'{GIGAMON_URL}'
f'/detections/rules/{indicator["external_ids"][0]}')
assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_smoke_enrich_refer_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich refer observables endpoint to check response
from Urlscan module
ID: CCTRI-1033-3f3a7a0f-cac8-4111-ab5a-2aa783fac9be
Steps:
1. Send request to enrich refer observable endpoint
Expectedresults:
1. Response body contains refer entity with needed fields from Urlscan
module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_refer_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_urlscan_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert len(response_from_urlscan_module) == 2
observable_category = (
observable_type if observable_type != 'ipv6' else 'ip'
)
for urlscan in response_from_urlscan_module:
if urlscan['title'].startswith('Browse'):
search_type = 'browse'
url = f'{URL}/{observable_category}/{observable}'
elif urlscan['title'].startswith('Search') and observable_type == (
'domain'):
search_type = 'search'
url = f'{URL}/{search_type}/#{observable_category}:{observable}'
elif urlscan['title'].startswith('Search') and observable_type != (
'domain'):
search_type = 'search'
url = f'{URL}/{search_type}/#{observable_category}:"{observable}"'
else:
raise AssertionError('Unsupported type')
assert urlscan['module'] == MODULE_NAME
assert urlscan['module_instance_id']
assert urlscan['module_type_id']
assert urlscan['id'] == (
f'ref-{MODULE_NAME.split(".")[0]}-{search_type}-'
f'{observable_type}-{quote(observable, safe="")}'
)
assert urlscan['title'] in f'{SEARCH_FOR_THIS } {observable_type},' \
f' {BROWSE} {observable_type}'
assert urlscan['description'] == (
f'Check this {observable_type} status with {URLSCAN}'
)
assert urlscan['categories'] == [URLSCAN, search_type.capitalize()]
assert urlscan['url'] == url
def test_positive_relationship(module_headers, observable_type, observable):
"""Perform testing for enrich observe observables endpoint to get
relationship for observable from Google Chronicle module
ID: CCTRI-859-923556f5-f678-4ed3-a2ed-f2c37bd4b5e5
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains expected relationship for
observable from Google Chronicle module and it connects expected
entities
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_chronicle_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_chronicle_module['module'] == MODULE_NAME
assert response_from_chronicle_module['module_instance_id']
assert response_from_chronicle_module['module_type_id']
indicators_ids = {
indicator['id']
for indicator in (
response_from_chronicle_module['data']['indicators']['docs']
)
}
sightings_ids = {
sighting['id']
for sighting in (
response_from_chronicle_module['data']['sightings']['docs']
)
}
relationships = (
response_from_chronicle_module['data']['relationships']
)
assert len(relationships['docs']) > 0
for relationship in relationships['docs']:
assert relationship['schema_version']
assert relationship['type'] == 'relationship'
assert relationship['relationship_type'] == 'sighting-of'
assert relationship['target_ref'] in indicators_ids
assert relationship['source_ref'] in sightings_ids
assert relationships['count'] == (
len(relationships['docs'])) <= (
CTR_ENTITIES_LIMIT
)
def test_positive_enrich_observe_observables_url(module_headers):
""" Perform testing for enrich observe observables endpoint for URL in
Graph Security module
ID: CCTRI-468-dfcd642e-f02b-428b-9695-168e7d59d533
Steps:
1. Send request with observable that has URL type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'http://register.fabricam.com/start.php'
observable_type = 'url'
expected_observable = {
'description':
('Analysis of host data detected a powershell script running on '
'LAP-DOUGLASF that has features in common with known suspicious '
'scripts. This script could either be legitimate activity, or an '
'indication of a compromised host.'),
'external_ids': ['D16B2923-2134-4F94-9FF1-B40761EA3E1D'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Suspicious Powershell Activity Detected',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_file_name(module_headers):
""" Perform testing for enrich observe observables endpoint for file_name
in Graph Security module
ID: CCTRI-470-ef6c5b84-ac4e-463d-bf3f-bf8dd08b7a07
Steps:
1. Send request with observable that has file_name type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'photoview1sp.jpg'
observable_type = 'file_name'
expected_observable = {
'description':
('Attackers can implant the right-to-left-override (RLO) in a '
'filename to change the order of the characters in the filename '
'and make it appear legitimate. This technique is used in '
'different social engineering attacks to convince the user to run '
'the file, and may also be used for hiding purposes. The file '
'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Right-to-Left-Override (RLO) technique observed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_python_module_positive_commands_verdict(module_tool_client):
"""Perform testing for verdict command from custom threat response python
module for one observable
ID: CCTRI-385-9f8cc790-a316-4e82-b592-43229f85e381
Steps:
1. Get observable verdict using default deliberate observable request
2. Get observable verdict using our new tool command
Expectedresults: Verdict command for provided observable returns expected
values and disposition name is the same in comparison to direct server
request
Importance: Critical
"""
tool_response = module_tool_client.enrich.deliberate.observables([{
'type':
'sha256',
'value':
SHA256_HASH
}])
tool_observables = get_observables(tool_response, 'Private Intelligence')
assert tool_observables['data']['verdicts']['count'] > 0, (
'No observable verdicts returned from server. Check hash value')
assert tool_observables['data']['verdicts']['docs'][0][
'disposition_name'] == 'Malicious'
tool_command_response = module_tool_client.commands.verdict(SHA256_HASH)
tool_command_private_intel = get_observables(
tool_command_response['response'], 'Private Intelligence')
assert tool_command_private_intel['module'] == 'Private Intelligence'
assert tool_command_private_intel['module_type_id']
assert tool_command_private_intel['module_instance_id']
tool_command_verdict = (
tool_command_private_intel['data']['verdicts']['docs'][0])
assert tool_command_verdict['observable']['value'] == SHA256_HASH
assert tool_command_verdict['observable']['type'] == 'sha256'
assert tool_command_verdict['valid_time'] is not None
assert tool_command_verdict['disposition_name'] == 'Malicious'
def test_positive_enrich_observe_observables_hostname(module_headers):
""" Perform testing for enrich observe observables endpoint for HOSTNAME in
Graph Security module
ID: CCTRI-472-67881b85-20d7-4f11-94d6-dd228d72753c
Steps:
1. Send request with observable that has HOSTNAME type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'DT-ALDOM'
observable_type = 'hostname'
expected_observable = {
'description':
('The system process c:\\windows\\fonts\\csrss.exe was observed '
'running in an abnormal context. Malware often use this process '
'name to masquerade its malicious activity.'),
'external_ids': ['597E99F8-50B6-4D7B-A45A-A35BDB35EFF8'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Suspicious system process executed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_ctr_positive_tool_enrich_observe_observables(module_headers,
module_tool_client):
"""Perform testing for enrich observe observables end point of custom
threat response python module
ID: d1dd6d3b-f762-4280-a573-7cc815da5a85
Steps:
1. Send request sha256 hash to enrich observe observables end point of
threat response server using direct POST call
2. Send same request using custom python module
3. Compare results
Expectedresults: POST action finished get to the end point and return
correct data
Importance: Critical
"""
data = '01f30887a828344f6cf574bb05bd0bf571fc35979a3032377b95fb0d692b8061'
response = enrich_observe_observables(payload=[{
'type': 'sha256',
'value': data
}],
**{'headers':
module_headers})['data']
tool_response = module_tool_client.enrich.observe.observables([{
'type':
'sha256',
'value':
data
}])['data']
direct_observables = get_observables(response, 'VirusTotal')
tool_observables = get_observables(tool_response, 'VirusTotal')
assert tool_observables['data']['verdicts']['count'] > 0, (
'No observables returned from server. Check hash value')
assert tool_observables['data']['judgements']['count'] > 0, (
'No observables returned from server. Check hash value')
assert tool_observables['data']['verdicts']['docs'][0][
'disposition_name'] == 'Malicious'
assert direct_observables['data']['judgements'][
'count'] == tool_observables['data']['judgements']['count']
