def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Microsoft Graph Security doesn't have information,
will return empty data
ID: CCTRI-1707-335903f4-b387-4ad9-8f8b-badfb1ae7f8c
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Microsoft Graph Security
module
Importance: Critical
"""
observables = [
{
"value": observable,
"type": observable_type
},
]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
assert direct_observables['module'] == MODULE_NAME
assert direct_observables['module_instance_id']
assert direct_observables['module_type_id']
assert direct_observables['data'] == {}
def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which CyberCrime Tracker doesn't have information, will
return empty data
ID: CCTRI-1707-07e734d0-1dcc-4f6a-b169-b8f1b4f53d3d
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from CyberCrime Tracker
module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_cybercrime_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_cybercrime_module['module'] == MODULE_NAME
assert response_from_cybercrime_module['module_instance_id']
assert response_from_cybercrime_module['module_type_id']
assert response_from_cybercrime_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Gigamon ThreatINSIGHT module doesn't have
information, will return empty data
ID: CCTRI-1695-dfc0dce8-6ed3-4c8d-a1b1-ce9675ce15f9
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from Gigamon
ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon['module'] == MODULE_NAME
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
assert response_from_gigamon['data'] == {}
def test_positive_smoke_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Qualys doesn't have information, will return empty
data
ID: CCTRI-1707-2af2e5ec-d6bd-4a9b-83c1-5cb78786f145
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Qualys module
Importance: Critical
"""
observables = [{"value": observable, "type": observable_type}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_qualys_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_qualys_module['module'] == MODULE_NAME
assert response_from_qualys_module['module_instance_id']
assert response_from_qualys_module['module_type_id']
assert response_from_qualys_module['data'] == {}
def test_positive_smoke_empty_observable(module_headers):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Have I Been Pwned doesn't have information, will
return empty data
ID: CCTRI-1695-b98d1d01-fd20-492f-bda5-bafb313a0737
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from
Have I Been Pwned
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response_from_all_modules = enrich_observe_observables(
payload=observable, **{'headers': module_headers})
response_from_hibp_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_hibp_module['module'] == MODULE_NAME
assert response_from_hibp_module['module_instance_id']
assert response_from_hibp_module['module_type_id']
assert response_from_hibp_module['data'] == {}
def test_positive_verdict(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to get
verdicts for observable from CyberCrime Tracker
ID: CCTRI-813-700a7520-6454-485c-8daf-f876c6e57602
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected verdicts for
observable from CyberCrime Tracker
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_cybercrime_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_cybercrime_module['module'] == MODULE_NAME
assert response_from_cybercrime_module['module_instance_id']
assert response_from_cybercrime_module['module_type_id']
verdicts = response_from_cybercrime_module['data']['verdicts']
assert verdicts['count'] == 1
for verdict in verdicts['docs']:
assert verdict['type'] == 'verdict'
assert verdict['disposition'] == 2
assert verdict['observable'] == observables[0]
assert verdict['valid_time']['start_time']
assert verdict['valid_time']['end_time']
def test_positive_smoke_empty_observables(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which Google Chronicle doesn't have information, will
return empty data
ID: CCTRI-1707-1a53cc5b-80c7-4859-bdd2-dc6f301ffac9
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Google Chronicle module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_chronicle_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_chronicle_module['module'] == MODULE_NAME
assert response_from_chronicle_module['module_instance_id']
assert response_from_chronicle_module['module_type_id']
assert response_from_chronicle_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables(
module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check that
observable, on which AlienVault OTX doesn't have information, will return
empty data
ID: CCTRI-1695-8f48503a-5277-4578-9f38-8d31b2aaa3cb
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains empty dict from AlienVault
OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
assert response_from_alien_vault['data'] == {}
def test_positive_smoke_empty_observables(module_headers):
"""Perform testing for enrich observe observables endpoint to
check that observable, on which Spycloud doesn't have information,
will return empty data
ID: CCTRI-1695-2b2f141b-d2ac-4a26-a254-2f9524e5ad75
Steps:
1. Send request to enrich observe observables endpoint
Expectedresults:
1. Response body contains empty data dict from Spycloud module
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response_from_all_modules = enrich_observe_observables(
payload=observable, **{'headers': module_headers})
response_from_spycloud_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_spycloud_module['module'] == MODULE_NAME
assert response_from_spycloud_module['module_instance_id']
assert response_from_spycloud_module['module_type_id']
assert response_from_spycloud_module['data'] == {}
def test_positive_sighting(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
sightings of Urlscan module
ID: CCTRI-818-acd56463-e158-4c67-9b26-57f08bbe775c
Steps:
1. Send request to enrich observe observable endpoint and check
sighting
Expectedresults:
1. Response body contains sightings entity with needed fields from
Urlscan module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_urlscan_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_urlscan_module['module'] == MODULE_NAME
assert response_from_urlscan_module['module_instance_id']
assert response_from_urlscan_module['module_type_id']
sightings = response_from_urlscan_module['data']['sightings']
assert len(sightings['docs']) > 0
for sighting in sightings['docs']:
assert sighting['description'] == 'Scan Result'
assert sighting['schema_version']
assert sighting['observables'] == observables
assert sighting['type'] == 'sighting'
assert sighting['source'] == URLSCAN
assert sighting['external_ids']
assert sighting['internal'] is False
assert sighting['source_uri'] == (
f'{URL}/result/{sighting["external_ids"][0]}')
assert sighting['id'].startswith('transient:sighting')
assert sighting['count'] == 1
assert sighting['confidence'] == CONFIDENCE_LEVEL
assert sighting['observed_time']['start_time'] == (
sighting['observed_time']['end_time'])
assert sighting['data']['columns']
assert sighting['data']['rows']
assert [relation['relation']
for relation in sighting['relations']] == RELATION_TYPES
for relation in sighting['relations']:
assert relation['origin'] == f'{URLSCAN} Module'
assert relation['source']['value']
assert relation['source']['type']
assert relation['related']['value']
assert relation['related']['type']
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_smoke_enrich_relationships(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observable endpoint to check
relationships of AlienVault OTX module
ID: CCTRI-1335-943cacc5-0157-42d8-af5c-3778c4b79031
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Response body contains relationships entity with needed fields from
AlienVault OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
relationships = response_from_alien_vault['data']['relationships']
indicators_ids = {
indicator['id']
for indicator in response_from_alien_vault['data']['indicators']
['docs']
}
sightings_ids = {
sighting['id']
for sighting in response_from_alien_vault['data']['sightings']['docs']
}
target_ref = {
relationship['target_ref']
for relationship in response_from_alien_vault['data']['relationships']
['docs']
}
source_ref = {
relationship['source_ref']
for relationship in response_from_alien_vault['data']['relationships']
['docs']
}
assert target_ref == indicators_ids
assert source_ref == sightings_ids
assert len(relationships['docs']) > 0
for relationship in relationships['docs']:
assert relationship['schema_version']
assert relationship['type'] == 'relationship'
assert relationship['id'].startswith('transient:relationship')
assert relationship['relationship_type'] == 'member-of'
assert relationships['count'] == len(relationships['docs'])
def test_positive_enrich_observe_observables_sha256(module_headers):
"""Perform testing for enrich observe observables endpoint for sha256 in
Graph Security module
ID: CCTRI-354-38e92acf-45e2-4ff6-b5f4-c7e7f4e20f2d
Steps:
1. Send request with observable that has SHA256 type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = (
'091835b16192e526ee1b8a04d0fcef534544cad306672066f2ad6973a4b18b19')
observable_type = 'sha256'
expected_observable = {
'description':
('Attackers can implant the right-to-left-override (RLO) in a '
'filename to change the order of the characters in the filename '
'and make it appear legitimate. This technique is used in '
'different social engineering attacks to convince the user to run'
' the file, and may also be used for hiding purposes. The file '
'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Right-to-Left-Override (RLO) technique observed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
assert direct_observables['module'] == MODULE_NAME
assert direct_observables['module_instance_id']
assert direct_observables['module_type_id']
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 2
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_ip(module_headers):
""" Perform testing for enrich observe observables endpoint for IP in
Graph Security module
ID: CCTRI-467-63340fd2-3ed5-44f5-b274-c5595322dc43
Steps:
1. Send request with observable that has IP type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = '10.8.168.41'
observable_type = 'ip'
expected_observable = {
'description':
('SQL Injection, Cross-Site Scripting. We observed the following '
'suspicious value enter the application through the HTTP Request '
'Parameter "userid":POST /WebGoat/SqlInjection/attack5b HTTP/1.0 '
'userid=4+OR+1%3D1 This value was again observed altering the '
'meaning of the SQL query executed within '
'org.hsqldb.jdbc.JDBCStatement.executeQuery(Unknown Source):'
'SELECT * FROM user_data WHERE userid = 4 OR 1=1.'),
'external_ids': ['257F2933-A145-4061-9464-2D964A91EB91'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'High',
'source':
'Microsoft Graph Security',
'title':
'Active attack EXPLOITED in QA',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_sighting_relation(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observables endpoint to check
relationships in sighting of Gigamon ThreatINSIGHT module
ID: CCTRI-1174-fb8d55ae-0352-4170-9b17-ddf49fa81783
Steps:
1. Send request to enrich observe observable endpoint and check
relationships in sighting
Expectedresults:
1. Response body contains relationships in sightings entity with needed
fields from Gigamon ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon['module'] == MODULE_NAME
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
sightings = response_from_gigamon['data']['sightings']
assert len(sightings['docs']) > 0
for sighting in sightings['docs']:
if 'HTTP' in sighting['description'].splitlines()[0]:
http_relations = {
relation['relation']
for relation in sighting['relations']
}
assert 'Connected_To' in http_relations
download_relations = {'Downloaded_To', 'Downloaded_From'}
upload_relations = {'Uploaded_From', 'Uploaded_To'}
intersection_relations = http_relations & (download_relations
| upload_relations)
assert not intersection_relations or (intersection_relations
== download_relations) or (
intersection_relations
== upload_relations)
for relation in sighting['relations']:
assert relation['origin'] == INTEGRATION_NAME
assert relation['relation'] in RELATIONS_TYPES
assert relation['source']['value']
assert relation['source']['type'] in RELATED_OBSERVABLES_TYPES
assert relation['related']['value']
assert relation['related']['type'] in RELATED_OBSERVABLES_TYPES
if relation['relation'] == 'Hosted_On':
assert relation['source']['value'].startswith('http') and (
relation['source']['type'] == 'url')
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_relationship(module_headers, observable_type, observable):
"""Perform testing for enrich observe observables endpoint to get
relationship for observable from Google Chronicle module
ID: CCTRI-859-923556f5-f678-4ed3-a2ed-f2c37bd4b5e5
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains expected relationship for
observable from Google Chronicle module and it connects expected
entities
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_chronicle_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_chronicle_module['module'] == MODULE_NAME
assert response_from_chronicle_module['module_instance_id']
assert response_from_chronicle_module['module_type_id']
indicators_ids = {
indicator['id']
for indicator in (
response_from_chronicle_module['data']['indicators']['docs']
)
}
sightings_ids = {
sighting['id']
for sighting in (
response_from_chronicle_module['data']['sightings']['docs']
)
}
relationships = (
response_from_chronicle_module['data']['relationships']
)
assert len(relationships['docs']) > 0
for relationship in relationships['docs']:
assert relationship['schema_version']
assert relationship['type'] == 'relationship'
assert relationship['relationship_type'] == 'sighting-of'
assert relationship['target_ref'] in indicators_ids
assert relationship['source_ref'] in sightings_ids
assert relationships['count'] == (
len(relationships['docs'])) <= (
CTR_ENTITIES_LIMIT
)
def test_positive_indicators(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
indicators of Gigamon ThreatINSIGHT module
ID: CCTRI-1094-fb59a541-a42e-41fc-b859-52a1b564c14e
Steps:
1. Send request to enrich observe observable endpoint and check
indicators
Expectedresults:
1. Response body contains indicators entity with needed fields from
ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon_module['module'] == MODULE_NAME
assert response_from_gigamon_module['module_instance_id']
assert response_from_gigamon_module['module_type_id']
indicators = response_from_gigamon_module['data']['indicators']
assert len(indicators['docs']) > 0
for indicator in indicators['docs']:
assert indicator['description']
assert indicator['producer'] == INTEGRATION_NAME
assert indicator['schema_version']
assert indicator['type'] == 'indicator'
assert indicator['source'] == INTEGRATION_NAME
assert indicator['short_description']
assert indicator['title']
assert indicator['confidence'] in CONFIDENCE
assert indicator['severity'] in SEVERITY
assert indicator['external_ids']
assert indicator['id'] == (
f"transient:indicator-{indicator['external_ids'][0]}")
assert indicator['valid_time']['start_time']
assert 'tags' in indicator
assert indicator['source_uri'] == (
f'{GIGAMON_URL}/detections/rules/{indicator["external_ids"][0]}')
for external_reference in indicator['external_references']:
assert external_reference['description']
assert external_reference['external_id'] == (
indicator['external_ids'][0])
assert external_reference['source_name'] == INTEGRATION_NAME
assert external_reference['url'] == (
f'{GIGAMON_URL}'
f'/detections/rules/{indicator["external_ids"][0]}')
assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_file_path(module_headers):
""" Perform testing for enrich observe observables endpoint for FILE_PATH
in Graph Security module
ID: CCTRI-471-a7435d3f-2160-43c6-b8de-a2da65f9c40d
Steps:
1. Send request with observable that has FILE_PATH type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = r'C:\Windows\SYSTEM32\ntdll.dll'
observable_type = 'file_path'
external_id = '0F72C58F-1D01-4284-BB32-C53DD45B5C01'
expected_observable = {
'description':
('A process suspiciously tried to access the export address table '
'(EAT) to look for potentially useful APIs. This might indicate '
'an exploitation attempt. The process svchost.exe, with process '
'ID 404, tried accessing the Export Address table for module '
r'C:\\Windows\\SYSTEM32\\ntdll.dll and was blocked'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'source':
'Microsoft Graph Security',
'external_ids': [external_id],
'type':
'sighting',
'title':
'Exploit Guard blocked dynamic code execution',
'severity':
'High'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
assert direct_observables['data']['sightings']['count'] == 2
current_observables = direct_observables['data']['sightings']['docs']
sighting = [
observable for observable in current_observables
if observable['external_ids'][0] == external_id
][0]
assert sighting['observables'] == observables
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_file_name(module_headers):
""" Perform testing for enrich observe observables endpoint for file_name
in Graph Security module
ID: CCTRI-470-ef6c5b84-ac4e-463d-bf3f-bf8dd08b7a07
Steps:
1. Send request with observable that has file_name type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'photoview1sp.jpg'
observable_type = 'file_name'
expected_observable = {
'description':
('Attackers can implant the right-to-left-override (RLO) in a '
'filename to change the order of the characters in the filename '
'and make it appear legitimate. This technique is used in '
'different social engineering attacks to convince the user to run '
'the file, and may also be used for hiding purposes. The file '
'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'),
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Right-to-Left-Override (RLO) technique observed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_url(module_headers):
""" Perform testing for enrich observe observables endpoint for URL in
Graph Security module
ID: CCTRI-468-dfcd642e-f02b-428b-9695-168e7d59d533
Steps:
1. Send request with observable that has URL type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'http://register.fabricam.com/start.php'
observable_type = 'url'
expected_observable = {
'description':
('Analysis of host data detected a powershell script running on '
'LAP-DOUGLASF that has features in common with known suspicious '
'scripts. This script could either be legitimate activity, or an '
'indication of a compromised host.'),
'external_ids': ['D16B2923-2134-4F94-9FF1-B40761EA3E1D'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Suspicious Powershell Activity Detected',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_hostname(module_headers):
""" Perform testing for enrich observe observables endpoint for HOSTNAME in
Graph Security module
ID: CCTRI-472-67881b85-20d7-4f11-94d6-dd228d72753c
Steps:
1. Send request with observable that has HOSTNAME type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'DT-ALDOM'
observable_type = 'hostname'
expected_observable = {
'description':
('The system process c:\\windows\\fonts\\csrss.exe was observed '
'running in an abnormal context. Malware often use this process '
'name to masquerade its malicious activity.'),
'external_ids': ['597E99F8-50B6-4D7B-A45A-A35BDB35EFF8'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Medium',
'source':
'Microsoft Graph Security',
'title':
'Suspicious system process executed',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_sighting_email(module_headers):
"""Perform testing for enrich observe observables endpoint to get
sighting for observable from Have I Been Pwned module
ID: CCTRI-812-57f2d8d6-a897-4ce4-abcf-331296e2d86a
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected sighting for
observable from Have I Been Pwned module
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response = enrich_observe_observables(payload=observable,
**{'headers': module_headers})
sightings = get_observables(response,
'Have I Been Pwned')['data']['sightings']
assert len(sightings['docs']) > 0
# check some generic properties
for sighting in sightings['docs']:
assert sighting['type'] == 'sighting'
assert sighting['count'] == 1
assert sighting['internal'] is False
assert sighting['title'] == f'Found on {MODULE_NAME}'
assert sighting['observables'] == observable
assert sighting['source'] == MODULE_NAME
assert sighting['source_uri'] == (
f'{HIBP_URL}/account/user%40example.com')
assert sighting['targets'][0]['type'] == 'email'
assert sighting['targets'][0]['observables'] == observable
assert sighting['observed_time']['start_time'] == (
sighting['observed_time']['end_time'])
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
# check properties of one unique sighting
sighting = [d for d in sightings['docs']
if 'Apollo' in d['description']][0]
assert sighting['description'] == (
f'{observable[0]["value"]} present in Apollo breach.')
relation = {
'origin': MODULE_NAME,
'origin_uri': f'{HIBP_URL}/account/user%40example.com',
'relation': 'Leaked_From',
'source': observable[0],
'related': {
'value': 'apollo.io',
'type': 'domain'
}
}
assert sighting['relations'][0] == relation
assert sighting['confidence'] == 'High'
assert sighting['severity'] == 'Medium'
def test_positive_relationships(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
relationships of Gigamon ThreatINSIGHT module
ID: CCTRI-1094-52303f90-0ac9-42e5-80b7-aab5b5d83f47
Steps:
1. Send request to enrich observe observable endpoint and check
relationships
Expectedresults:
1. Response body contains relationships entity with needed fields from
ThreatINSIGHT module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_gigamon = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_gigamon['module']
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
relationships = response_from_gigamon['data']['relationships']
indicators = response_from_gigamon['data']['indicators']
sightings = response_from_gigamon['data']['sightings']
indicators_ids = frozenset(
indicator['id'] for indicator in indicators['docs'])
sightings_ids = frozenset(
sighting['id'] for sighting in sightings['docs'])
assert len(relationships['docs']) > 0
for relationship in relationships['docs']:
assert relationship['schema_version']
assert relationship['target_ref'].startswith('transient:indicator')
assert relationship['target_ref'] in indicators_ids
assert relationship['type'] == 'relationship'
assert relationship['source_ref'].startswith('transient:sighting')
assert relationship['source_ref'] in sightings_ids
assert relationship['id'].startswith('transient:relationship')
assert relationship['relationship_type'] == 'sighting-of'
assert relationships['count'] == (
len(relationships['docs'])) <= (
CTR_ENTITIES_LIMIT
)
def test_positive_enrich_observe_observables_domain(module_headers):
""" Perform testing for enrich observe observables endpoint for domain in
Graph Security module
ID: CCTRI-354-91094c36-a118-48a6-9ba9-5f73a1f63208
Steps:
1. Send request with observable that has domain type to observe
observables endpoint
Expectedresults:
1. Check that data in response body contains expected information
from Microsoft Graph Security module
Importance: Critical
"""
observable = 'www.febrikam.com'
observable_type = 'domain'
expected_observable = {
'description':
('A Windows process has connected to a newly registered domain.'),
'external_ids': ['F007461A-C92F-48E5-A734-89A4E5F38A15'],
'schema_version':
'1.0.12',
'sensor':
'endpoint',
'severity':
'Low',
'source':
'Microsoft Graph Security',
'title':
'Connection to newly registered domain',
'type':
'sighting'
}
# Get sightings
observables = [{"value": observable, "type": observable_type}]
response = enrich_observe_observables(payload=observables,
**{'headers': module_headers})
direct_observables = get_observables(response, MODULE_NAME)
# Check respond data
sightings = direct_observables['data']['sightings']
assert sightings['count'] == 1
sighting = sightings['docs'][0]
assert sighting['observables'] == observables
assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'}
for key in expected_observable.keys():
assert expected_observable[key] == sighting[key]
def test_positive_judgement(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to check
judgements of Urlscan module
ID: CCTRI-1032-edddfab6-e48f-4121-af52-23f25044b72f
Steps:
1. Send request to enrich observe observable endpoint and check
judgement
Expectedresults:
1. Response body contains judgements entity with needed fields from
Urlscan module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_urlscan_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_urlscan_module['module'] == MODULE_NAME
assert response_from_urlscan_module['module_instance_id']
assert response_from_urlscan_module['module_type_id']
judgements = response_from_urlscan_module['data']['judgements']
assert len(judgements['docs']) > 0
for judgement in judgements['docs']:
assert judgement['valid_time']['start_time']
assert judgement['valid_time']['end_time']
assert judgement['schema_version']
assert judgement['observable'] == observables[0]
assert judgement['type'] == 'judgement'
assert judgement['source'] == URLSCAN
assert judgement['disposition'] == 2
assert judgement['reason']
assert judgement['source_uri'].startswith(URL)
assert judgement['disposition_name'] == 'Malicious'
assert judgement['priority']
assert judgement['id'].startswith('transient:judgement')
assert judgement['severity'] == SEVERITY_LEVEL
assert judgement['confidence'] == CONFIDENCE_LEVEL
for external_reference in judgement['external_references']:
assert external_reference['source_name'] == URLSCAN
assert external_reference['description']
assert external_reference['url']
assert judgements['count'] == len(judgements['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_indicator_email(module_headers):
"""Perform testing for enrich observe observables endpoint to get
indicator for observable from Have I Been Pwned module
ID: CCTRI-843-2a0ae451-954a-4daf-b4e9-33f8f7b2e8b0
Steps:
1. Send request to enrich deliberate observable endpoint
Expectedresults:
1. Check that data in response body contains expected indicator for
observable from Have I Been Pwned module
Importance: Critical
"""
observable = [{'type': 'email', 'value': '*****@*****.**'}]
response_from_all_modules = enrich_observe_observables(
payload=observable, **{'headers': module_headers})
response_from_hibp_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_hibp_module['module'] == MODULE_NAME
assert response_from_hibp_module['module_instance_id']
assert response_from_hibp_module['module_type_id']
indicators = response_from_hibp_module['data']['indicators']
assert len(indicators['docs']) > 0
# check some generic properties
for indicator in indicators['docs']:
assert indicator['type'] == 'indicator'
assert indicator['producer'] == MODULE_NAME
assert indicator['source'] == f'{MODULE_NAME} Breaches'
assert indicator['tlp'] == 'white'
if (indicator['confidence'] == 'High'
and 'Passwords' in indicator['tags']):
assert indicator['severity'] == 'High'
else:
assert indicator['severity'] == 'Medium'
assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
# check properties of one unique indicator
indicator = [d for d in indicators['docs'] if d['title'] == 'PDL'][0]
assert indicator[
'short_description'] == 'Data Enrichment Exposure From PDL Customer'
assert ('Exposed information included email addresses, '
'phone numbers, social media') in indicator['description']
tags = [
'Email addresses', 'Employers', 'Geographic locations', 'Job titles',
'Names', 'Phone numbers', 'Social media profiles'
]
assert indicator['tags'] == tags
assert indicator['confidence'] == 'High'
def test_positive_smoke_enrich_sightings(module_headers, observable,
observable_type):
"""Perform testing for enrich observe observable endpoint to check
sightings of AlienVault OTX module
ID: CCTRI-1333-027027d6-bdd9-4c03-8704-65a541f8b7ee
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Response body contains sighting entity with needed fields from
AlienVault OTX module
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)['data']
response_from_alien_vault = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_alien_vault['module'] == MODULE_NAME
assert response_from_alien_vault['module_instance_id']
assert response_from_alien_vault['module_type_id']
sightings = response_from_alien_vault['data']['sightings']
assert len(sightings['docs']) > 0
for sighting in sightings['docs']:
assert 'description' in sighting
assert sighting['schema_version']
assert sighting['observables'] == observables
assert sighting['type'] == 'sighting'
assert sighting['source'] == MODULE_NAME
assert sighting['external_ids']
assert sighting['title']
assert sighting['internal'] is False
assert sighting['source_uri'] == (
f'{ALIEN_VAULT_URL}/pulse/{sighting["external_ids"][0]}')
assert sighting['id'].startswith('transient:sighting')
assert sighting['count'] == 1
assert sighting['tlp']
assert sighting['confidence'] == CONFIDENCE_LEVEL
assert sighting['observed_time']['start_time'] == (
sighting['observed_time']['end_time'])
assert sightings['count'] == len(sightings['docs'])
def test_positive_indicators(module_headers, observable, observable_type):
"""Perform testing for enrich observe observables endpoint to get
indicators from Google Chronicle
ID: CCTRI-859-56c35f55-a7f7-4857-8ba1-39ef7f644932
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains expected indicators for
observable from Google Chronicle
Importance: Critical
"""
observables = [{'type': observable_type, 'value': observable}]
response_from_all_modules = enrich_observe_observables(
payload=observables,
**{'headers': module_headers}
)
response_from_chronicle_module = get_observables(
response_from_all_modules, MODULE_NAME)
assert response_from_chronicle_module['module'] == MODULE_NAME
assert response_from_chronicle_module['module_instance_id']
assert response_from_chronicle_module['module_type_id']
indicators = response_from_chronicle_module['data']['indicators']
assert len(indicators['docs']) > 0
# check some generic properties
for indicator in indicators['docs']:
assert 'valid_time' in indicator
assert indicator['type'] == 'indicator'
assert indicator['producer'] == PRODUCER
assert indicator['schema_version']
assert indicator['short_description']
assert indicator['title'] == indicator['short_description']
assert indicator['id'].startswith('transient:indicator-')
assert indicator['severity'] in SEVERITY
assert indicator['confidence'] in CONFIDENCE
if 'external_references' in indicator:
for external_references in indicator['external_references']:
assert external_references['source_name'] == SOURCE_NAME
assert external_references['url'].startswith('http')
assert indicators['count'] == (
len(indicators['docs'])) <= (
CTR_ENTITIES_LIMIT
)
def test_positive_indicators_ip_observable(module_headers):
"""Perform testing for enrich observe observables endpoint to get
indicators for observable from Abuse IPDB module
ID: CCTRI-840-10da94e0-4b1b-4fa2-bd4f-3e9885426918
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains expected indicators for
observable from Abuse IPDB module
Importance: Critical
"""
observables = [{'type': 'ip', 'value': '1.1.1.1'}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_abuse_module = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_abuse_module['module'] == MODULE_NAME
assert response_from_abuse_module['module_instance_id']
assert response_from_abuse_module['module_type_id']
indicators = response_from_abuse_module['data']['indicators']
assert len(indicators['docs']) > 0
for indicator in indicators['docs']:
assert indicator['type'] == 'indicator'
assert indicator['id'].startswith('transient:indicator-')
assert indicator['schema_version']
assert indicator['producer'] == SOURCE
assert indicator['valid_time'] == {}
assert indicator['confidence'] == 'Medium'
assert indicator['title']
assert indicator['description']
assert indicator['external_ids']
assert indicator['external_references'] == [{
'source_name':
SOURCE,
'description':
f'{SOURCE} attack categories',
'url':
f'{ABUSE_IPDB_URL}/categories',
'external_id':
indicator["external_ids"][0]
}]
assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_judgements(
module_headers, observable, observable_type, disposition_name,
disposition):
"""Perform testing for enrich observe observables endpoint to get
judgements for observable Qualys module
ID: CCTRI-797-9ce334d2-74bc-4c3a-bb8a-181f260076f0
Steps:
1. Send request to enrich observe observable endpoint
Expectedresults:
1. Check that data in response body contains expected judgements for
observable from Qualys module
Importance: Critical
"""
observables = [{"value": observable, "type": observable_type}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_qualys_ioc = get_observables(response_from_all_modules,
'Qualys IOC')
assert response_from_qualys_ioc['module']
assert response_from_qualys_ioc['module_instance_id']
assert response_from_qualys_ioc['module_type_id']
judgements = response_from_qualys_ioc['data']['judgements']
assert len(judgements['docs']) > 0
for judgement in judgements['docs']:
assert 'valid_time' in judgement
assert judgement['schema_version']
assert judgement['observable'] == observables[0]
assert judgement['type'] == 'judgement'
assert judgement['source'] == MODULE_NAME
assert judgement['external_ids']
assert judgement['disposition'] == disposition
assert 'external_references' in judgement
assert 'reason' in judgement
assert judgement['disposition_name'] == disposition_name
assert judgement['priority'] == 90
assert judgement['id'].startswith('transient:judgement-')
assert judgement['severity']
assert judgement['confidence'] == CONFIDENCE
assert judgements['count'] == len(judgements['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_sighting_x509(module_headers):
"""Perform testing for Gigamon ThreatINSIGHT module sightings functionality
for x509 event types specifically
ID: CCTRI-1125-82b45fee-9266-4793-9642-b89a324b8e26
Steps:
1. Send request to enrich observe observable endpoint and check
sighting. Use observables that contains sightings for x509 event type
Expectedresults:
1. Response body contains sightings entity with expected data for x509
event type
Importance: Critical
"""
observables = [{'type': 'domain', 'value': 'wp.com'}]
response_from_all_modules = enrich_observe_observables(
payload=observables, **{'headers': module_headers})
response_from_gigamon = get_observables(response_from_all_modules,
MODULE_NAME)
assert response_from_gigamon['module'] == MODULE_NAME
assert response_from_gigamon['module_instance_id']
assert response_from_gigamon['module_type_id']
sightings = response_from_gigamon['data']['sightings']
assert len(sightings['docs']) > 0
assert [
sighting for sighting in sightings['docs']
if 'Event: `X509`' in sighting['description']
], 'There are no sightings with necessary event type'
for sighting in sightings['docs']:
if 'Event: `X509`' in sighting['description']:
relation = [
r for r in sighting['relations']
if r['relation'] == 'SAN_DNS_For'
]
assert relation
assert relation[0]['origin'] == INTEGRATION_NAME
assert relation[0]['source'] == observables[0]
assert relation[0]['related']['type'] == 'ip'
assert relation[0]['related']['value']
assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
