Ejemplo n.º 1
0
def test_signal_get_details(requests_mock):
    """Tests sumologic-sec-signal-get-details command function.
    """
    from SumoLogicCloudSIEM import Client, signal_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/signal_details.json')
    signal_id = '2b449e56-f6e8-5306-980a-447a8c026b77'
    signal = mock_response.get('data')
    del signal['allRecords']
    signal = insight_signal_to_readable(signal)

    requests_mock.get('{}/sec/v1/signals/{}'.format(MOCK_URL, signal_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'signal_id': signal_id
    }

    response = signal_get_details(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.Signal'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == signal
Ejemplo n.º 2
0
def test_threat_intel_update_source(requests_mock):
    """Tests sumologic-sec-threat-intel-update-source command function.
    """
    from SumoLogicCloudSIEM import Client, threat_intel_update_source, get_update_result, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/update_result.json')
    threat_intel_source_id = '54'
    requests_mock.post('{}/sec/v1/threat-intel-sources/{}/items'.format(MOCK_URL, threat_intel_source_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'threat_intel_source_id': threat_intel_source_id,
        'description': 'My description',
        'expiration': '2021-05-30T22:36:10.925Z',
        'value': '10.20.30.40',
        'active': 'true'
    }

    response = threat_intel_update_source(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.UpdateResult'
    assert response.outputs == get_update_result(mock_response.get('data'))
Ejemplo n.º 3
0
def test_insight_get_comments(requests_mock):
    """Tests sumologic-sec-insight-get-comments command function.
    """
    from SumoLogicCloudSIEM import Client, insight_get_comments, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/insight_comments.json')
    insight_id = 'INSIGHT-116'
    comments = mock_response['data']['comments']

    requests_mock.get('{}/sec/v1/insights/{}/comments'.format(MOCK_URL, insight_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'insight_id': insight_id
    }

    response = insight_get_comments(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.InsightComments'
    assert response.outputs_key_field == 'Id'
    assert response.outputs[0]['Id'] == comments[0]['id'] == '2'
    assert response.outputs[0]['Author'] == comments[0]['author']['username'] == '*****@*****.**'
    assert response.outputs[0]['Body'] == comments[0]['body'] == 'This is an example comment'
Ejemplo n.º 4
0
def test_threat_intel_search_indicators(requests_mock):
    """Tests sumologic-sec-threat-intel-search-indicators command function.
    """
    from SumoLogicCloudSIEM import Client, threat_intel_search_indicators, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/threat_intel_indicators.json')
    threat_intel_indicators = []
    for threat_intel_indicator in mock_response['data']['objects']:
        threat_intel_indicators.append({(k[0].capitalize() + k[1:]): v for k, v in threat_intel_indicator.items()})

    requests_mock.get('{}/sec/v1/threat-intel-indicators?value=11.22.33.44&sourceIds=54'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'value': '11.22.33.44',
        'sourceIds': '54',
    }

    response = threat_intel_search_indicators(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.ThreatIntelIndicators'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == threat_intel_indicators
Ejemplo n.º 5
0
def test_threat_intel_get_sources(requests_mock):
    """Tests sumologic-sec-threat-intel-get-sources command function.
    """
    from SumoLogicCloudSIEM import Client, threat_intel_get_sources, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/threat_intel_sources.json')
    threat_intel_sources = []
    for threat_intel_source in mock_response['data']['objects']:
        threat_intel_sources.append({(k[0].capitalize() + k[1:]): v for k, v in threat_intel_source.items()})

    requests_mock.get('{}/sec/v1/threat-intel-sources?limit=5'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'limit': '5'
    }

    response = threat_intel_get_sources(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.ThreatIntelSources'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == threat_intel_sources
Ejemplo n.º 6
0
def test_insight_set_status(requests_mock):
    """Tests sumologic-sec-insight-set-status command function.
    """
    from SumoLogicCloudSIEM import Client, insight_set_status, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/insight_status.json')
    insight_id = 'INSIGHT-221'
    for signal in mock_response['data']['signals']:
        del signal['allRecords']
    insight = insight_signal_to_readable(mock_response.get('data'))

    requests_mock.put('{}/sec/v1/insights/{}/status'.format(MOCK_URL, insight_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'insight_id': insight_id,
        'status': 'closed',
        'resolution': 'Resolved'
    }

    response = insight_set_status(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.Insight'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == insight
Ejemplo n.º 7
0
def test_match_list_get(requests_mock):
    """Tests sumologic-sec-match-list-get command function.
    """
    from SumoLogicCloudSIEM import Client, match_list_get, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/match_lists.json')
    match_lists = []
    for match_list in mock_response['data']['objects']:
        match_lists.append({(k[0].capitalize() + k[1:]): v for k, v in match_list.items()})

    requests_mock.get('{}/sec/v1/match-lists?limit=5'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'limit': '5'
    }

    response = match_list_get(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.MatchLists'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == match_lists
Ejemplo n.º 8
0
def test_insight_get_details(requests_mock):
    """Tests sumologic-sec-insight-get-details command function.
    """
    from SumoLogicCloudSIEM import Client, insight_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/insight_details.json')
    insight_id = 'INSIGHT-220'
    insight = insight_signal_to_readable(mock_response.get('data'))

    requests_mock.get('{}/sec/v1/insights/{}'.format(MOCK_URL, insight_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'insight_id': insight_id
    }

    response = insight_get_details(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.Insight'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == insight
    assert response.readable_output == tableToMarkdown(
        'Insight Details:', [insight],
        ['Id', 'ReadableId', 'Name', 'Action', 'Status', 'Assignee', 'Description', 'LastUpdated', 'LastUpdatedBy', 'Severity',
         'Closed', 'ClosedBy', 'Timestamp', 'Entity', 'Resolution'], headerTransform=pascalToSpace)
Ejemplo n.º 9
0
def test_signal_search(requests_mock):
    """Tests sumologic-sec-signal-search command function.
    """
    from SumoLogicCloudSIEM import Client, signal_search, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/signal_list.json')
    signals = []
    for signal in mock_response['data']['objects']:
        del signal['allRecords']
        signals.append(insight_signal_to_readable(signal))

    requests_mock.get('{}/sec/v1/signals?q=contentType:\"ANOMALY\"&limit=2'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'created': 'All time',
        'contentType': 'ANOMALY',
        'limit': '2'
    }

    response = signal_search(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.SignalList'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == signals
Ejemplo n.º 10
0
def test_entity_search(requests_mock):
    """Tests sumologic-sec-entity-search command function.
    """
    from SumoLogicCloudSIEM import Client, entity_search, entity_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/entity_list.json')
    entities = []
    for entity in mock_response['data']['objects']:
        entities.append(entity_to_readable(entity))

    requests_mock.get('{}/sec/v1/entities?q=hostname:matchesWildcard(\"*test*\")&limit=2'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'query': 'hostname:matchesWildcard(\"*test*\")',
        'limit': '2'
    }

    response = entity_search(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.EntityList'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == entities
Ejemplo n.º 11
0
def test_insight_search(requests_mock):
    """Tests sumologic-sec-insight-search command function.
    """
    from SumoLogicCloudSIEM import Client, insight_search, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/insight_list.json')
    insights = []
    for insight in mock_response['data']['objects']:
        insights.append(insight_signal_to_readable(insight))

    requests_mock.get('{}/sec/v1/insights?limit=2'.format(MOCK_URL), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'limit': '2'
    }

    response = insight_search(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.InsightList'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == insights
Ejemplo n.º 12
0
def test_entity_get_details(requests_mock):
    """Tests sumologic-sec-entity-get-details command function.
    """
    from SumoLogicCloudSIEM import Client, entity_get_details, entity_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/entity_details.json')
    entity_id = '_hostname-win10--admin.b.test.com'
    entity = entity_to_readable(mock_response.get('data'))

    requests_mock.get('{}/sec/v1/entities/{}'.format(MOCK_URL, entity_id), json=mock_response)

    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200])

    args = {
        'entity_id': entity_id
    }

    response = entity_get_details(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.Entity'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == entity
Ejemplo n.º 13
0
def test_fetch_incidents(requests_mock):
    """Tests fetch incidents.
    """
    from SumoLogicCloudSIEM import Client, fetch_incidents, DEFAULT_HEADERS

    mock_response1 = util_load_json('test_data/insight_list_page1.json')
    requests_mock.get(
        '{}/sec/v1/insights?q=created%3A%3E%3D2021-05-18T00%3A00%3A00.000000+status%3Ain%28%22new%22%2C+%22inprogress%22%29'
        '&limit=20&recordSummaryFields=action%2Cdescription%2Cdevice_hostname%2Cdevice_ip%2CdstDevice_hostname'
        '%2CdstDevice_ip%2Cemail_sender%2Cfile_basename%2Cfile_hash_md5%2Cfile_hash_sha1%2Cfile_hash_sha256'
        '%2CsrcDevice_hostname%2CsrcDevice_ip%2Cthreat_name%2Cthreat_category%2Cthreat_identifier%2Cuser_username'
        '%2Cthreat_url%2ClistMatches'.format(MOCK_URL),
        json=mock_response1)

    mock_response2 = util_load_json('test_data/insight_list_page2.json')
    requests_mock.get(
        '{}/sec/v1/insights?q=created%3A%3E%3D2021-05-18T00%3A00%3A00.000000+status%3Ain%28%22new%22%2C+%22inprogress%22%29'
        '&limit=20&recordSummaryFields=action%2Cdescription%2Cdevice_hostname%2Cdevice_ip%2CdstDevice_hostname'
        '%2CdstDevice_ip%2Cemail_sender%2Cfile_basename%2Cfile_hash_md5%2Cfile_hash_sha1%2Cfile_hash_sha256'
        '%2CsrcDevice_hostname%2CsrcDevice_ip%2Cthreat_name%2Cthreat_category%2Cthreat_identifier%2Cuser_username'
        '%2Cthreat_url%2ClistMatches&offset=1'.format(MOCK_URL),
        json=mock_response2)

    client = Client(base_url=MOCK_URL,
                    verify=False,
                    headers=DEFAULT_HEADERS,
                    proxy=False,
                    auth=('access_id', 'access_key'),
                    ok_codes=[200])

    next_run, incidents = fetch_incidents(client, 20, {}, 1621296000, None,
                                          RECORD_SUMMARY_FIELDS_DEFAULT)

    assert incidents[0].get(
        'name'
    ) == 'Defense Evasion with Persistence - 3fa0cee5-6658-31d4-bd66-32fe1739cf61'
    assert incidents[0].get('occurred') == '2021-05-18T14:46:46.000Z'
    assert incidents[1].get(
        'name'
    ) == 'Defense Evasion with Persistence - 67134063-94a3-3374-9c5f-dcb40d7f172e'
    assert incidents[1].get('occurred') == '2021-05-18T14:46:47.000Z'
    latest_created_time = datetime.strptime(incidents[1].get('occurred'),
                                            '%Y-%m-%dT%H:%M:%S.%fZ')
    assert next_run.get('last_fetch') == int(
        latest_created_time.replace(tzinfo=timezone.utc).timestamp())
Ejemplo n.º 14
0
def test_insight_get_details(requests_mock):
    """Tests sumologic-sec-insight-get-details command function.
    """
    from SumoLogicCloudSIEM import Client, insight_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    mock_response = util_load_json('test_data/insight_details.json')
    insight_id = 'INSIGHT-220'
    insight = insight_signal_to_readable(mock_response.get('data'))

    requests_mock.get(
        '{}/sec/v1/insights/{}?exclude=signals.allRecords&recordSummaryFields=action%2C'
        'description%2Cdevice_hostname%2Cdevice_ip%2CdstDevice_hostname%2CdstDevice_ip%2Cemail_sender%2C'
        'file_basename%2Cfile_hash_md5%2Cfile_hash_sha1%2Cfile_hash_sha256%2CsrcDevice_hostname%2C'
        'srcDevice_ip%2Cthreat_name%2Cthreat_category%2Cthreat_identifier%2Cuser_username%2Cthreat_url%2ClistMatches'
        .format(MOCK_URL, insight_id),
        json=mock_response)

    client = Client(base_url=MOCK_URL,
                    verify=False,
                    headers=DEFAULT_HEADERS,
                    proxy=False,
                    auth=('access_id', 'access_key'),
                    ok_codes=[200])

    args = {
        'insight_id': insight_id,
        'record_summary_fields': RECORD_SUMMARY_FIELDS_DEFAULT
    }

    response = insight_get_details(client, args)

    assert response.outputs_prefix == 'SumoLogicSec.Insight'
    assert response.outputs_key_field == 'Id'
    assert response.outputs == insight
    assert response.readable_output == tableToMarkdown(
        'Insight Details:', [insight], [
            'Id', 'ReadableId', 'Name', 'Action', 'Status', 'Assignee',
            'Description', 'LastUpdated', 'LastUpdatedBy', 'Severity',
            'Closed', 'ClosedBy', 'Timestamp', 'Entity', 'Resolution'
        ],
        headerTransform=pascalToSpace)