def test_is_ioc_with_no_matching():
    """Helpers - No known IOC detected in a record

    Both normalized source-address paths resolve to '1.1.1.2', which is not
    in the threat-intel set, and the 'username' path has no matching keys in
    the record at all, so is_ioc() must report no hit.
    """
    cloudtrail_detail = {
        'eventSource': '...',
        'userAgent': '...',
        'sourceIPAddress': '1.1.1.2',
        'recipientAccountId': '12345'
    }
    # Maps normalized type -> list of key paths to look up in the record.
    normalized_types = {
        'sourceAddress': [['detail', 'sourceIPAddress'], ['source']],
        'username': [['detail', 'userIdentity', 'userName']]
    }
    rec = {
        'account': 12345,
        'region': '123456123456',
        'detail': cloudtrail_detail,
        'detail-type': '...',
        'source': '1.1.1.2',
        'version': '1.05',
        'normalized_types': normalized_types,
        'time': '...',
        'id': '12345',
        'resources': {'test': '...'}
    }
    assert_equal(base.is_ioc(rec), False)
def test_is_ioc_with_lowercase_ioc_is_true():
    """Helpers - IOC is lowercase while related data is mixcase.

    The record carries a mixed-case domain and an upper-case MD5; with the
    default (case-folding) behaviour is_ioc() must still match and must
    report the matched values in lower case.
    """
    # Only 'domain' and 'md5' are wired up via normalized_types; the other
    # network fields (ipv4, local_ip, local_port) are not consulted.
    normalized_types = {
        'destinationDomain': [['domain']],
        'fileHash': [['md5']]
    }
    rec = {
        'server': "test-server",
        'computer_name': 'test-pc',
        "domain": "test_Evil.net",
        "event_type": "netconn",
        "ipv4": "0.0.0.0",
        "local_ip": "127.0.0.1",
        "local_port": 54279,
        "md5": "EF69CD89AD7ADDB9A16BB6F26F1EFAF7",
        'normalized_types': normalized_types
    }

    assert_equal(base.is_ioc(rec), True)

    # Matched IOC values are expected to be reported lower-cased.
    expected_ioc_info = [
        {'type': 'domain', 'value': 'test_evil.net'},
        {'type': 'md5', 'value': 'ef69cd89ad7addb9a16bb6f26f1efaf7'}
    ]
    assert_equal(rec[StreamThreatIntel.IOC_KEY], expected_ioc_info)
def test_detect_ioc_rule():
    """Helpers - There is IOC detected in a record

    'detail.sourceIPAddress' holds a known-bad IP while the top-level
    'source' does not; is_ioc() must flag the record and attach exactly the
    one matching IP under StreamThreatIntel.IOC_KEY.
    """
    bad_ip = '90.163.54.11'
    cloudtrail_detail = {
        'eventSource': '...',
        'userAgent': '...',
        'sourceIPAddress': bad_ip,
        'recipientAccountId': '12345'
    }
    normalized_types = {
        'sourceAddress': [['detail', 'sourceIPAddress'], ['source']],
        'username': [['detail', 'userIdentity', 'userName']]
    }
    rec = {
        'account': 12345,
        'region': '123456123456',
        'detail': cloudtrail_detail,
        'detail-type': '...',
        'source': '1.1.1.2',
        'version': '1.05',
        'normalized_types': normalized_types,
        'time': '...',
        'id': '12345',
        'resources': {'test': '...'}
    }

    assert_equal(base.is_ioc(rec), True)

    # Only the IP from 'detail.sourceIPAddress' should be reported; the
    # benign top-level 'source' address must not appear.
    expected_ioc_info = [{'type': 'ip', 'value': bad_ip}]
    assert_equal(rec[StreamThreatIntel.IOC_KEY], expected_ioc_info)
def test_is_ioc_with_lowercase_ioc_is_false():
    """Helpers - IOC is lowercase while lowercase_ioc flag is set to False.

    Same record as the mixed-case test, but with case-folding disabled via
    lowercase_ioc=False the mixed-case domain and upper-case MD5 no longer
    line up with the lower-case IOC entries, so no match is expected.
    """
    normalized_types = {
        'destinationDomain': [['domain']],
        'fileHash': [['md5']]
    }
    rec = {
        'server': "test-server",
        'computer_name': 'test-pc',
        "domain": "test_Evil.net",
        "event_type": "netconn",
        "ipv4": "0.0.0.0",
        "local_ip": "127.0.0.1",
        "local_port": 54279,
        "md5": "EF69CD89AD7ADDB9A16BB6F26F1EFAF7",
        'normalized_types': normalized_types
    }

    # Case-sensitive comparison: the record's mixed-case values must not match.
    assert_equal(base.is_ioc(rec, lowercase_ioc=False), False)