def test_get_forensics_timeline_command(requests_mock): mock_response = {'IncidentId': "aaa", 'Status': 'Done', 'Evidence': []} client = Client(base_url='https://server', verify=False) start_date = "1 month" end_date = "3 days" args = {'incident_id': "3", 'start_date': start_date, 'end_date': end_date} start_date_parsed, _ = parse_date_range(start_date, date_format=DATE_FORMAT, utc=True) end_date_parsed, _ = parse_date_range(end_date, date_format=DATE_FORMAT, utc=True) url = 'https://server/api/v1/forensics/timeline?incident_id=3&end_date={}&start_date={}'\ .format(end_date_parsed, start_date_parsed) requests_mock.get(url, json=mock_response) _, outputs, _ = get_forensics_timeline_command(client, args) assert outputs == { 'Illusive.Forensics(val.IncidentId == obj.IncidentId)': { 'IncidentId': '3', 'Status': 'Done', 'Evidence': { 'IncidentId': 'aaa', 'Status': 'Done', 'Evidence': [] } } }
def test_get_asm_cj_insight_command(requests_mock): mock_response = { 'data': [], 'hostname': 'bbb', 'machineTagAndSubTags': { 'tag': 'tag', 'subTag': 'sub' } } requests_mock.get('https://server/api/v1/crownjewels/insights', json=mock_response, status_code=202) client = Client(base_url='https://server', verify=False) args = {} _, outputs, _ = get_asm_cj_insight_command(client, args) assert outputs == { 'Illusive.AttackSurfaceInsightsCrownJewel(val.hostname == obj.hostname)': { 'data': [], 'hostname': 'bbb', 'machineTagAndSubTags': { 'tag': 'tag', 'subTag': 'sub' } } }
def test_fetch_incidents(requests_mock): client = Client(base_url='https://server', verify=False) mock_response = [{ 'deceptionFamilies': [], 'incidentId': '1234', 'hasForensics': True, 'incidentTypes': 'MACHINE', 'incidentTimeUTC': '2020-04-21T15:39:32.954Z' }, { 'deceptionFamilies': [], 'incidentId': '4321', 'hasForensics': False, 'incidentTypes': 'MACHINE', 'incidentTimeUTC': '2020-04-21T14:53:54.234Z' }] first_fetch_time = "7 days" requests_mock.get( 'https://server/api/v1/incidents?limit=10&offset=0&start_date=2018-10-24T14:13:20+00:000Z', json=mock_response) nextcheck, incidents = fetch_incidents( client, {'last_run': "2018-10-24T14:13:20+00:000Z"}, first_fetch_time, None) assert str(nextcheck['last_run']) == '2020-04-21T15:39:32.954Z' assert isinstance(incidents, list) assert isinstance(incidents[0]['name'], str)
def test_add_deceptive_users_command(requests_mock): mock_response = {'id': 'aaa'} requests_mock.post('https://server/api/v1/deceptive-entities/users', json=mock_response) client = Client(base_url='https://server', verify=False) user_name = "aaa" domain_name = "illusive.com" args = { 'password': "******", 'username': user_name, 'domain_name': domain_name, 'policy_names': ["myPolicy"] } _, outputs, _ = add_deceptive_users_command(client, args) assert outputs == { 'Illusive.DeceptiveUser(val.userName == obj.userName)': { 'userName': '******', 'domainName': 'illusive.com', 'policyNames': ['myPolicy'], 'password': '******' } }
def test_get_deceptive_servers_command(requests_mock): mock_response = { 'data': [], 'hostname': 'bbb', 'machineTagAndSubTags': { 'tag': 'tag', 'subTag': 'sub' } } requests_mock.get( 'https://server/api/v1/deceptive-entities/servers?deceptive_server_type=SUGGESTED', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'type': "SUGGESTED", } _, outputs, _ = get_deceptive_servers_command(client, args) assert outputs == { 'Illusive.DeceptiveServer(val.host == obj.host)': { 'data': [], 'hostname': 'bbb', 'machineTagAndSubTags': { 'tag': 'tag', 'subTag': 'sub' } } }
def test_run_forensics_on_demand_command(requests_mock): mock_response = {'EventId': '1234'} requests_mock.post('https://server/api/v1/event/create-external-event?hostNameOrIp=myIp', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'fqdn_or_ip': "myIp" } _, outputs, _ = run_forensics_on_demand_command(client, args) assert outputs == {'Illusive.Event(val.eventId == obj.eventId)': {'EventId': '1234'}}
def test_is_deceptive_server_command_returns_false(requests_mock): requests_mock.get('https://server/api/v1/deceptive-entities/server?hostName=myHost', text='') client = Client(base_url='https://server', verify=False) args = { 'hostname': 'myHost' } _, outputs, _ = is_deceptive_server_command(client, args) assert outputs['Illusive.IsDeceptive(val.Hostname == obj.Hostname)']['Hostname'] == args['hostname'] assert outputs['Illusive.IsDeceptive(val.Hostname == obj.Hostname)']['IsDeceptiveServer'] is False
def test_fetch_incidents_first_fetch(requests_mock): client = Client(base_url='https://server', verify=False) mock_response = [] first_fetch_time = "7 days" last_fetch, _ = parse_date_range(first_fetch_time, date_format=DATE_FORMAT, utc=True) requests_mock.get('https://server/api/v1/incidents?limit=10&offset=0&start_date={}'.format(last_fetch), json=mock_response) nextcheck, incidents = fetch_incidents(client, {'last_run': None}, first_fetch_time, None) assert str(nextcheck['last_run']) == last_fetch assert isinstance(incidents, list) assert len(incidents) == 0
def test_remove_host_from_policy_command(requests_mock): mock_response = {'result': 'True'} requests_mock.post('https://server/api/v1/policy/domain_hosts/remove_assignment', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'hosts': ['*****@*****.**'] } _, outputs, _ = remove_host_from_policy_command(client, args) assert outputs == {'Illusive.DeceptionPolicy.isAssigned(val.hosts == obj.hosts)': [{'isAssigned': False, 'hosts': '*****@*****.**', 'policy_name': ''}]}
def test_is_deceptive_user_command_returns_true(requests_mock): mock_response = {'result': 'true'} requests_mock.get('https://server/api/v1/deceptive-entities/user?userName=myUser', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'username': '******' } _, outputs, _ = is_deceptive_user_command(client, args) assert outputs['Illusive.IsDeceptive(val.Username == obj.Username)']['Username'] == args['username'] assert outputs['Illusive.IsDeceptive(val.Username == obj.Username)']['IsDeceptiveUser'] is True
def test_delete_deceptive_servers_command(requests_mock): mock_response = {'result': 'False'} requests_mock.delete( 'https://server/api/v1/deceptive-entities/servers?deceptive_hosts=server1', json=mock_response) client = Client(base_url='https://server', verify=False) args = {'deceptive_hosts': ['server1']} _, outputs, _ = delete_deceptive_servers_command(client, args) assert outputs == {}
def test_get_forensics_artifacts_command(requests_mock): mock_response = bytes() mock_response2 = 3 requests_mock.get('https://server/api/v1/incidents/id?event_id=3', json=mock_response2) requests_mock.get('https://server/api/v1/forensics/artifacts?event_id=3&artifacts_type=DESKTOP_SCREENSHOT', content=mock_response) client = Client(base_url='https://server', verify=False) args = { 'event_id': '3', 'artifact_type': 'DESKTOP_SCREENSHOT' } get_forensics_artifacts_command(client, args)
def test_get_incident_command(requests_mock): mock_response = {'deceptionFamilies': [], 'incidentId': '1234', 'hasForensics': True, 'incidentTypes': 'MACHINE'} requests_mock.get('https://server/api/v2/incidents/incident?incident_id=13', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'incident_id': "13", 'start_date': "3 days" } _, outputs, _ = get_incidents_command(client, args) assert outputs == {'Illusive.Incident(val.incidentId == obj.incidentId)': {'deceptionFamilies': [], 'incidentId': '1234', 'hasForensics': True, 'incidentTypes': 'MACHINE'}}
def test_get_asm_host_insight_command(requests_mock): mock_response = {'hostname': 'aaa', 'domainName': 'bbb', 'ipAddresses': '1.1.1.1'} requests_mock.get('https://server/api/v1/attack-surface/machine-insights?hostNameOrIp=myIp', json=mock_response, status_code=202) client = Client(base_url='https://server', verify=False) args = { 'hostnameOrIp': "myIp" } _, outputs, _ = get_asm_host_insight_command(client, args) assert outputs == {'Illusive.AttackSurfaceInsightsHost(val.ipAddresses == obj.ipAddresses)': {'hostname': 'aaa', 'domainName': 'bbb', 'ipAddresses': '1.1.1.1'}}
def test_get_incidents_command(requests_mock): mock_response = [{'deceptionFamilies': [], 'incidentId': '1234', 'hasForensics': True, 'incidentTypes': 'MACHINE'}, {'deceptionFamilies': [], 'incidentId': '4321', 'hasForensics': False, 'incidentTypes': 'MACHINE'}] requests_mock.get('https://server/api/v1/incidents?limit=10&offset=0', json=mock_response) client = Client(base_url='https://server', verify=False) args = { } _, outputs, _ = get_incidents_command(client, args) assert outputs == {'Illusive.Incident(val.incidentId == obj.incidentId)': [ {'deceptionFamilies': [], 'incidentId': '1234', 'hasForensics': True, 'incidentTypes': 'MACHINE'}, {'deceptionFamilies': [], 'incidentId': '4321', 'hasForensics': False, 'incidentTypes': 'MACHINE'} ]}
def test_get_forensics_triggering_process_info_command(requests_mock): mock_response = {'processes': [{'commandLine': 'bbb', 'name': '1234', 'parent': '1234', 'sha256': '1234'}, {'commandLine': 'aaa', 'name': '34556', 'parent': 'dfg', 'sha256': 'erf'}]} requests_mock.get('https://server/api/v1/forensics/triggering_process_info?event_id=3', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'event_id': '3' } _, outputs, _ = get_forensics_triggering_process_info_command(client, args) assert outputs == {'Illusive.Event(val.eventId == obj.eventId)': {'ForensicsTriggeringProcess': [ {'commandLine': 'bbb', 'name': '1234', 'parent': '1234', 'sha256': '1234'}, {'commandLine': 'aaa', 'name': '34556', 'parent': 'dfg', 'sha256': 'erf'}], 'eventId': '3'}}
def test_get_event_incident_id_command(requests_mock): mock_response = {'EventId': '1234', 'IncidentId': '1'} requests_mock.get('https://server/api/v1/incidents/id?event_id=1234', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'event_id': "1234" } _, outputs, _ = get_event_incident_id_command(client, args) assert outputs == {'Illusive.Event(val.eventId == obj.eventId)': [{'eventId': 1234, 'incidentId': {'EventId': '1234', 'IncidentId': '1'}, 'status': 'Done'}]}
def test_get_incident_events_command(requests_mock): mock_response = [{'eventId': '11', 'eventTimeUTC': '1234', 'hasForensics': True}, {'eventId': '22', 'eventTimeUTC': '1234', 'hasForensics': True}] requests_mock.get('https://server/api/v1/incidents/events?incident_id=3&limit=100&offset=0', json=mock_response) client = Client(base_url='https://server', verify=False) args = { 'incident_id': '3' } _, outputs, _ = get_incident_events_command(client, args) assert outputs == {'Illusive.Incident(val.incidentId == obj.incidentId)': {'Event': [ {'eventId': '11', 'eventTimeUTC': '1234', 'hasForensics': True}, {'eventId': '22', 'eventTimeUTC': '1234', 'hasForensics': True}], 'eventsNumber': 2, 'incidentId': 3}}
def test_add_deceptive_servers_command(requests_mock): mock_response = {'id': 'aaa'} requests_mock.post('https://server/api/v1/deceptive-entities/servers', json=mock_response) client = Client(base_url='https://server', verify=False) user_name = 'aaa.illusive.com' args = { 'service_types': ["FTP", "SSH"], 'host': user_name } _, outputs, _ = add_deceptive_servers_command(client, args) assert outputs == {'Illusive.DeceptiveServer(val.host == obj.host)': {'host': 'aaa.illusive.com', 'serviceTypes': ['FTP', 'SSH'], 'policyNames': "All Policies"}}
def test_get_forensics_analyzers_command(requests_mock): mock_response1 = [{'analyzerName': 'bbb', 'analyzerValue': '1234'}, {'analyzerName': 'aaa', 'analyzerValue': '4321'}] mock_response2 = 3 requests_mock.get('https://server/api/v1/forensics/analyzers?event_id=3', json=mock_response1) requests_mock.get('https://server/api/v1/incidents/id?event_id=3', json=mock_response2) client = Client(base_url='https://server', verify=False) args = { 'event_id': '3' } _, outputs, _ = get_forensics_analyzers_command(client, args) assert outputs == {'Illusive.Event(val.eventId == obj.eventId)': {'ForensicsAnalyzers': [{'analyzerName': 'bbb', 'analyzerValue': '1234'}, {'analyzerName': 'aaa', 'analyzerValue': '4321'}], 'eventId': 3, 'incidentId': 3}}