def test_domain_not_found():
"""
Given:
- an Domain
When:
- running domain command and validate whether the domain is malicious
Then:
- return command results with context indicate that no results were found
"""
url = 'https://test.com/rest/threatindicator/v0/domain?key.values=mydomain.com'
status_code = 200
json_data = {'total_size': 0, 'page': 1, 'page_size': 25, 'more': False}
expected_output = "No results were found for Domain mydomain.com"
domain_to_check = {'domain': 'mydomain.com'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
fundamental_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['fundamental'])
results = domain_command(client, domain_to_check,
DBotScoreReliability.B, doc_search_client,
fundamental_client)
output = results[0].to_context().get('HumanReadable')
assert expected_output in output
def test_domain_command():
"""
Given:
- a domain
When:
- running domain command and validate whether the domain is malicious
Then:
- return command results containing indicator, dbotscore and associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/domain?key.values=mydomain.com'
doc_url = 'https://test.com/rest/document/v0?links.display_text.values=mydomain.com&type.values=intelligence_alert&type.values=intelligence_report&links.display_text.match_all=true' # noqa: E501
status_code = 200
json_data = DOMAIN_RES_JSON
intel_json_data = DOMAIN_INTEL_JSON
expected_output = {
'domain': [{
'Name': 'mydomain.com'
}],
'DBOTSCORE': [{
'Indicator': 'mydomain.com',
'Type': 'domain',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}] # noqa: E501
}
domain_to_check = {'domain': 'mydomain.com'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=status_code, json=intel_json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
fundamental_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['fundamental'])
results = domain_command(client, domain_to_check,
DBotScoreReliability.B, doc_search_client,
fundamental_client)
context_result = results[0].to_context()
output = results[0].to_context().get('EntryContext', {})
assert output.get('Domain(val.Name && val.Name == obj.Name)',
[]) == expected_output.get('domain')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert _is_intelligence_data_present_in_command_result(
context_result, intel_json_data) is True
def test_domain_command_when_api_key_not_authorized_for_document_search():
"""
Given:
- a domain and api key not authorized for doc search
When:
- running domain command and validate whether the domain is malicious
Then:
- return command results containing indicator, dbotscore and NO associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/domain?key.values=mydomain.com'
doc_url = 'https://test.com/rest/document/v0?links.display_text.values=mydomain.com&type.values=intelligence_alert&type.values=intelligence_report&links.display_text.match_all=true' # noqa: E501
status_code = 200
error_status_code = 403
json_data = DOMAIN_RES_JSON
doc_search_exception_response = {'timestamp': '2021-11-12T09:09:27.983Z', 'status': 403,
'error': 'Forbidden', 'message': 'Forbidden', 'path': '/rest/document/v0'}
expected_output = {
'domain': [{'Name': 'mydomain.com'}],
'DBOTSCORE': [{'Indicator': 'mydomain.com', 'Type': 'domain', 'Vendor': 'iDefense', 'Score': 2, 'Reliability': 'B - Usually reliable'}] # noqa: E501
}
domain_to_check = {'domain': 'mydomain.com'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=error_status_code, json=doc_search_exception_response)
client = Client(API_URL, 'api_token', True, False, ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False, ENDPOINTS['document'])
results = domain_command(client, domain_to_check, DBotScoreReliability.B, doc_search_client)
context_result = results[0].to_context()
content = context_result['HumanReadable']
output = context_result.get('EntryContext', {})
assert output.get('Domain(val.Name && val.Name == obj.Name)', []) == expected_output.get('domain')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert 'Intelligence Alerts' not in content
assert 'Intelligence Reports' not in content