def test_expected_params_in_get_requests(self, mocker, command, command_args, expected_http_params): """ Given: - Commands send custom params to http requests When: - Call those commands Then: - Validate the expected params was sent """ # prepare mocker.patch.object( Client, 'http_request', side_effect=self.mocked_http_get_not_found_response) mocker.patch.object(demisto, 'args', return_value=command_args) mocker.patch.object(demisto, 'command', return_value=command) # run main() # validate assert expected_http_params == Client.http_request.call_args[1][ 'params']
def test_no_confidence_in_result_ioc(self, mocker): """ Given - Indicator form ThreatStream without confidence value When - Run the reputation command Then - Validate the DbotScore was set to 1 """ # prepare test_indicator = dict(value='test_ioc', asn='', meta=dict(registrant_name='test')) mocker.patch.object(demisto, 'results') mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params', return_value=test_indicator) for ioc in REPUTATION_COMMANDS: ioc_arg_name = ioc if ioc != 'threatstream-email-reputation' else 'email' mocker.patch.object(demisto, 'args', return_value={ioc_arg_name: 'test_ioc'}) mocker.patch.object(demisto, 'command', return_value=ioc) # run main() # validate entry_context = demisto.results.call_args[0][0]['EntryContext'] assert entry_context[Common.DBotScore.CONTEXT_PATH][0][ 'Score'] == Common.DBotScore.GOOD
def test_get_commands__no_result(self, mocker, command, command_args, expected_output): """ Given: - ThreatStream return nothing for the get requests When: -Run commands made get request Then: - Validate the expected message was returned """ # prepare mocker.patch.object( Client, 'http_request', side_effect=self.mocked_http_get_not_found_response) mocker.patch.object(demisto, 'args', return_value=command_args) mocker.patch.object(demisto, 'command', return_value=command) mocker.patch.object(demisto, 'results') # run main() # validate result = demisto.results.call_args[0][0] assert result == expected_output
def test_get_active_and_inactive_ioc(self, mocker, include_inactive, exp_status_param): """ Given - The Include inactive results flag is true/false When - Run the reputation commands Then - Validate inactive result returned/not returned """ # prepare mocked_search = mocker.patch( 'AnomaliThreatStreamv3.search_worst_indicator_by_params', return_value=None) mocker.patch.object( demisto, 'params', return_value={'include_inactive': include_inactive}) for ioc, value in [('ip', '8.8.8.8'), ('domain', 'google.com'), ('file', 'd26cec10398f2b10202d23c966022dce'), ('url', 'www.google.com')]: mocker.patch.object(demisto, 'command', return_value=ioc) mocker.patch.object(demisto, 'args', return_value={ioc: value}) # run main() # validate mocked_search.call_args[0][1]['status'] == exp_status_param
def test_get_active_and_inactive_ioc(self, mocker, include_inactive, exp_status_param): """ Given - The Include inactive results flag is true/false When - Run the reputation commands Then - Validate inactive result returned/not returned """ # prepare mocked_search = mocker.patch( 'AnomaliThreatStreamv3.search_worst_indicator_by_params', return_value=None) mocker.patch.object( demisto, 'params', return_value={'include_inactive': include_inactive}) for ioc in ['ip', 'domain', 'file', 'url']: mocker.patch.object(demisto, 'command', return_value=ioc) mocker.patch.object(demisto, 'args', return_value={ioc: 'test_ioc'}) # run main() # validate mocked_search.call_args[0][1]['status'] == exp_status_param
def test_ioc_reputation_with_thresholds_in_instance_param( self, mocker, threshold_in_command, threshold_in_params, exp_dbot_score): """ Given - Thresholds levels defined for each ioc in the instance params and confidence are 55 When - Run the reputation commands Then - Validate the dbot score was rated according to the threshold in the command and only if not defined in the command will rate according the instance param """ # prepare test_indicator = dict(confidence=55, value='test_ioc', asn='test_asn', org='test_org', tlp='test_tlp', country='test_country', meta=dict(registrant_name='test', maltype='test_maltype')) mocker.patch.object(demisto, 'results') mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params', return_value=test_indicator) for ioc in ['ip', 'domain', 'file', 'url']: mocker.patch.object(demisto, 'args', return_value={ ioc: 'test_ioc', 'threshold': threshold_in_command }) mocker.patch.object(demisto, 'command', return_value=ioc) # THRESHOLDS_FROM_PARAM[ioc] = threshold_in_params mocker.patch.object( demisto, 'params', return_value={f'{ioc}_threshold': threshold_in_params}) # run main() # validate entry_context = demisto.results.call_args[0][0]['EntryContext'] assert entry_context[ Common.DBotScore.CONTEXT_PATH][0]['Score'] == exp_dbot_score if exp_dbot_score == Common.DBotScore.BAD: assert 'Malicious' in json.dumps(entry_context)
def test_reputation_commands__happy_path(self, mocker, ioc_type, ioc_value, ioc_context_key): """ Given: - Indicators for reputation When: - Call the reputations command Then: - Validate the expected results was returned """ # prepare command = value_key = ioc_type.lower() mocked_ioc_file_path = f'test_data/mocked_{command}_response.json' mocked_ioc_result = util_load_json(mocked_ioc_file_path) mocker.patch.object(Client, 'http_request', return_value=mocked_ioc_result) mocker.patch.object(demisto, 'args', return_value={ value_key: ioc_value, 'status': 'active' }) mocker.patch.object(demisto, 'command', return_value=command) mocker.patch.object(demisto, 'results') # run main() # validate iocs = ioc_value.split(',') mocked_ioc = mocked_ioc_result['objects'][0] for i in range(len(iocs)): command_result = demisto.results.call_args_list[i][0][0] threat_stream_context = command_result['EntryContext'][ f'ThreatStream.{ioc_context_key}'] human_readable, contents = command_result[ 'HumanReadable'], command_result['Contents'] expected_values = (DEFAULT_INDICATOR_MAPPING if ioc_type != 'File' else FILE_INDICATOR_MAPPING).values() assert all(expected_value in threat_stream_context for expected_value in expected_values) assert f'{ioc_type} reputation for: {iocs[i]}' in human_readable assert mocked_ioc == contents
def test_ioc_reputation_with_thresholds_in_command(self, mocker, confidence, threshold, exp_dbot_score): """ Given - Various thresholds levels When - Run the reputation commands Then - Validate the dbot score was rated according to the threshold and Malicious key defined for the generic reputation in case confidence > theshold """ # prepare test_indicator = dict(confidence=confidence, value='test_ioc', asn='', meta=dict(registrant_name='test')) mocker.patch.object(demisto, 'results') mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params', return_value=test_indicator) for ioc in REPUTATION_COMMANDS: ioc_arg_name = ioc if ioc != 'threatstream-email-reputation' else 'email' mocker.patch.object(demisto, 'args', return_value={ ioc_arg_name: 'test_ioc', 'threshold': threshold }) mocker.patch.object(demisto, 'command', return_value=ioc) # run main() # validate entry_context = demisto.results.call_args[0][0]['EntryContext'] assert entry_context[ Common.DBotScore.CONTEXT_PATH][0]['Score'] == exp_dbot_score if exp_dbot_score == Common.DBotScore.BAD and ioc_arg_name != 'email': # email is not a generic reputation assert 'Malicious' in json.dumps(entry_context)
def test_get_commands__happy_path(self, mocker, command, command_args, expected_context_keys): """ Given: - Command made get request in ThreatStream with args When: - Run this command Then: - Validate expected result was returned """ # prepare mocker.patch.object(Client, 'http_request', side_effect=lambda *args, **kwargs: self. mocked_http_get_response(command, **kwargs)) mocker.patch.object(demisto, 'args', return_value=command_args) mocker.patch.object(demisto, 'command', return_value=command) mocker.patch.object(demisto, 'results') mocker.patch('AnomaliThreatStreamv3.fileResult', return_value={ 'File': 'test_name', 'FileID': 'test_id' }) # run main() # validate result = demisto.results.call_args[0][0] context = result['EntryContext'].popitem( )[1] if 'EntryContext' in result else result if isinstance(context, list): context = context[0] assert all(key in context.keys() for key in expected_context_keys)