def test_update_suspicious_activity_status(requests_mock): """ Given: - Microsoft ATA client When: - Running update-suspicious-activity-status command Then: - Ensure command runs successfully - Verify expected body is sent in the request - Verify command human readable output """ from MicrosoftAdvancedThreatAnalytics import Client, update_suspicious_activity_status suspicious_activity_id = '5f183c5283eaed101cd8c309' suspicious_activity_status = 'Close' requests_mock.post( f'{ATA_CENTER_URL}/suspiciousActivities/{suspicious_activity_id}', status_code=204) client = Client(base_url=ATA_CENTER_URL, ) args = {'id': suspicious_activity_id, 'status': suspicious_activity_status} response = update_suspicious_activity_status(client, args) assert requests_mock.request_history[0].json() == { 'Status': suspicious_activity_status } assert response == f'Suspicious activity {suspicious_activity_id} status was ' \ f'updated to {suspicious_activity_status} successfully.'
def test_fetch_incidents(requests_mock): """ Given: - Microsoft ATA client When: - Running fetch incidents Then: - Ensure fetch runs successfully - Verify expected incident is returned (only DnsReconnaissanceSuspiciousActivity) """ from MicrosoftAdvancedThreatAnalytics import Client, fetch_incidents mock_response = util_load_json('test_data/suspicious_activity.json') requests_mock.get(f'{ATA_CENTER_URL}/suspiciousActivities/', json=mock_response) client = Client(base_url=ATA_CENTER_URL) response = fetch_incidents( client, last_run={'last_fetch': '2020-08-08T13:17:05.9092818Z'}, first_fetch_time='1 day', max_results=50, activity_status_to_fetch=['Open'], min_severity=1, activity_type_to_fetch=[]) assert response[0] == {'last_fetch': '2020-08-09T09:18:22.5496318Z'} assert response[1] == [{ 'name': 'DnsReconnaissanceSuspiciousActivity - 5f2fbf7283eaed101cf41361', 'occurred': '2020-08-09T09:18:22.5496318Z', 'rawJSON': json.dumps(mock_response[0]) }]
def test_entity_get_computer(requests_mock): """ Given: - Microsoft ATA client - Computer entity ID to retrieve When: - Running entity-get command Then: - Ensure command runs successfully - Verify command outputs """ from MicrosoftAdvancedThreatAnalytics import Client, get_entity computer_entity_id = '6b0e48f5-6c63-449c-8b6f-c749e18e28b3' mock_response = util_load_json('test_data/entity_computer.json') requests_mock.get(f'{ATA_CENTER_URL}/uniqueEntities/{computer_entity_id}', json=mock_response) profile_mock_response = util_load_json( 'test_data/entity_profile_computer.json') requests_mock.get( f'{ATA_CENTER_URL}/uniqueEntities/{computer_entity_id}/profile', json=profile_mock_response) mock_response['Profile'] = profile_mock_response client = Client(base_url=ATA_CENTER_URL) args = {'id': computer_entity_id} response = get_entity(client, args) assert response.outputs == mock_response assert response.outputs_prefix == 'MicrosoftATA.Entity' assert response.outputs_key_field == 'Id'
def test_get_suspicious_activity(requests_mock): """ Given: - Microsoft ATA client When: - Running get-suspicious-activity command Then: - Ensure command runs successfully - Verify command outputs """ from MicrosoftAdvancedThreatAnalytics import Client, get_suspicious_activity mock_response = util_load_json('test_data/suspicious_activity.json') requests_mock.get(f'{ATA_CENTER_URL}/suspiciousActivities/', json=mock_response) honeytoken_activity = [mock_response[1]] client = Client(base_url=ATA_CENTER_URL) args = { 'status': 'Open', 'severity': 'Medium,High', 'Type': 'HoneytokenActivitySuspiciousActivity', 'start_time': '2020-07-20T13:00:00', 'end_time': '2020-07-29T14:00:00' } response = get_suspicious_activity(client, args) assert response.outputs == honeytoken_activity assert response.outputs_prefix == 'MicrosoftATA.SuspiciousActivity' assert response.outputs_key_field == 'Id'
def test_get_suspicious_activity_details(requests_mock): """ Given: - Microsoft ATA client - Suspicious activity ID to retrieve When: - Running get-suspicious-activity command Then: - Ensure command runs successfully - Verify command outputs """ from MicrosoftAdvancedThreatAnalytics import Client, get_suspicious_activity suspicious_activity_id = '5f1fe6b383eaed101ce19b58' mock_response = util_load_json('test_data/suspicious_activity.json') honeytoken_activity = mock_response[1] requests_mock.get( f'{ATA_CENTER_URL}/suspiciousActivities/{suspicious_activity_id}', json=mock_response[1]) details_mock_response = util_load_json( 'test_data/suspicious_activity_details.json') requests_mock.get( f'{ATA_CENTER_URL}/suspiciousActivities/{suspicious_activity_id}/details', json=details_mock_response) honeytoken_activity = [honeytoken_activity] honeytoken_activity[0]['DetailsRecords'] = details_mock_response.get( 'DetailsRecords') client = Client(base_url=ATA_CENTER_URL) args = {'id': suspicious_activity_id} response = get_suspicious_activity(client, args) assert response.outputs == honeytoken_activity assert response.outputs_prefix == 'MicrosoftATA.SuspiciousActivity' assert response.outputs_key_field == 'Id'
def test_get_monitoring_alert(requests_mock): """ Given: - Microsoft ATA client When: - Running get-monitoring-alert command Then: - Ensure command runs successfully - Verify command outputs """ from MicrosoftAdvancedThreatAnalytics import Client, get_monitoring_alert mock_response = util_load_json('test_data/monitoring_alert.json') requests_mock.get(f'{ATA_CENTER_URL}/monitoringAlerts', json=mock_response) client = Client(base_url=ATA_CENTER_URL) response = get_monitoring_alert(client, {}) assert response.outputs == mock_response assert response.outputs_prefix == 'MicrosoftATA.MonitoringAlert' assert response.outputs_key_field == 'Id'