def setup():
    """Setup before each method.

    Loads the fixture intelligence from ``tests/unit/fixtures`` with threat
    intel enabled, so each test starts from a populated class-level
    ``StreamThreatIntel`` cache rather than from whatever a previous test left.

    NOTE(review): there is no ``self`` parameter. If this function sits inside
    a test class (the sibling test methods do take ``self``), the runner would
    call it as a bound method and fail -- confirm whether it is module-level.
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    enabled_config = {'threat_intel': {'enabled': True, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')
def test_do_not_load_intelligence(self):
    """Threat Intel - Do not load intelligence to memory when it is disabled

    With ``enabled`` False the class-level intelligence store must be empty
    after ``load_intelligence`` returns, even though the fixture path is
    supplied (and even if a prior setup populated the store).
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    disabled_config = {'threat_intel': {'enabled': False, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(disabled_config, 'tests/unit/fixtures')

    # Read the name-mangled private attribute directly; the test deliberately
    # inspects internal state rather than the public getter.
    resident = getattr(StreamThreatIntel, '_StreamThreatIntel__intelligence')
    assert_equal(len(resident), 0)
def test_no_config_loaded(self):
    """Threat Intel - No datatypes_ioc_mapping config loaded if it is disabled

    When threat intel is disabled, ``get_config()`` must return an empty
    mapping so no record field is ever matched against IOCs.
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    disabled_config = {'threat_intel': {'enabled': False, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(disabled_config, 'tests/unit/fixtures')

    field_to_ioc_type = StreamThreatIntel.get_config()
    assert_equal(len(field_to_ioc_type), 0)
def test_get_intelligence(self):
    """Threat Intel - get intelligence dictionary

    After loading the fixtures with threat intel enabled, ``get_intelligence()``
    exposes one bucket per IOC type named in the mapping, each holding the
    ten fixture entries.
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    enabled_config = {'threat_intel': {'enabled': True, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')

    loaded = StreamThreatIntel.get_intelligence()
    ioc_types = ['domain', 'md5', 'ip']
    assert_items_equal(loaded.keys(), ioc_types)
    for ioc_type in ioc_types:
        assert_equal(len(loaded[ioc_type]), 10)
def test_load_intelligence(self):
    """Threat Intel - Load intelligence to memory

    Same expectations as the ``get_intelligence`` test, but verified against
    the private class attribute so the loader is checked independently of the
    public accessor.
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    enabled_config = {'threat_intel': {'enabled': True, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')

    # Name-mangled private attribute, read on purpose (see docstring).
    resident = getattr(StreamThreatIntel, '_StreamThreatIntel__intelligence')
    ioc_types = ['domain', 'md5', 'ip']
    assert_items_equal(resident.keys(), ioc_types)
    for ioc_type in ioc_types:
        assert_equal(len(resident[ioc_type]), 10)
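def test_get_config(self):
    """Threat Intel - get datatypes_ioc_mapping config

    Fixes a copy-pasted docstring: this test previously carried the same
    description as ``test_get_intelligence`` ("get intelligence dictionary"),
    which made the two indistinguishable in the runner's output even though
    this one checks ``get_config()`` (the record-field -> IOC-type mapping),
    not the intelligence store.

    With threat intel enabled, ``get_config()`` must echo the configured
    mapping exactly: every record field from the config, each bound to the
    IOC type it is matched against.
    """
    ioc_mapping = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    enabled_config = {'threat_intel': {'enabled': True, 'mapping': ioc_mapping}}
    StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')

    field_to_ioc_type = StreamThreatIntel.get_config()
    assert_items_equal(field_to_ioc_type.keys(), ['sourceAddress', 'destinationDomain', 'fileHash'])
    assert_equal(field_to_ioc_type['sourceAddress'], 'ip')
    assert_equal(field_to_ioc_type['destinationDomain'], 'domain')
    assert_equal(field_to_ioc_type['fileHash'], 'md5')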
def __init__(self, context, enable_alert_processor=True):
    """Initializer

    Args:
        context (dict): An AWS context object which provides metadata on the
            currently executing lambda function.
        enable_alert_processor (bool): If the user wants to send the alerts
            using their own methods, 'enable_alert_processor' can be set to
            False to suppress sending with the StreamAlert alert processor.
    """
    # Per-run bookkeeping, reset on every instance.
    self.enable_alert_processor = enable_alert_processor
    self._failed_record_count = 0
    self._processed_size = 0
    self._alerts = []

    # Parsed payloads grouped by log type; Firehose needs the log type to pick
    # the matching delivery stream. The client is only a placeholder here.
    self.categorized_payloads = defaultdict(list)
    self.firehose_client = None

    # The config is cached on the class, so it is parsed -- and validated;
    # load_config raises on any ConfigError -- only once per process rather
    # than on every instantiation.
    if not StreamAlert.config:
        StreamAlert.config = load_config()

    # Runtime environment comes from the Lambda context ARN and feeds the sink
    # that forwards triggered alerts to the alert processor.
    self.env = load_env(context)
    self.sinker = StreamSink(self.env)

    # Classifier for this run, driven by the shared config.
    self.classifier = StreamClassifier(config=self.config)

    # Threat intel is loaded into StreamThreatIntel's class-level cache. No
    # path argument is given here, so whatever default load_intelligence
    # applies is used -- NOTE(review): confirm it resolves to the intended
    # IOC source in deployment and not a test/fixture location.
    StreamThreatIntel.load_intelligence(self.config)