Exemple #1
def test_second_fetch_incidents(mocker):
    """Verify that an alert already recorded in the last-run state is not re-ingested.

    The last-run state passed to ``fetch_incidents`` lists alert
    ``da637029414680409372_735564929`` under ``existing_ids``; the test then
    expects ``demisto.incidents`` to receive an empty list. This is the
    de-duplication guard for the alert feed: without it the same detection
    would open a fresh incident on every polling cycle.
    """
    from MicrosoftDefenderAdvancedThreatProtection import fetch_incidents

    mock_demisto(mocker)
    # presumably this fixture returns the alert named in existing_ids below;
    # confirm against second_response_alerts.json
    atp_mocker(mocker, 'second_response_alerts.json')

    previous_run = {
        'last_alert_fetched_time': "2019-09-01T13:31:08",
        'existing_ids': ['da637029414680409372_735564929'],
    }
    fetch_incidents(client_mocker, previous_run)

    # NOTE(review): only the created incidents are inspected here; the cursor
    # (timestamp / ids) that fetch_incidents may persist for the next run is
    # not asserted by this test.
    created_incidents = demisto.incidents.call_args[0][0]
    assert created_incidents == []
Exemple #2
def test_third_fetch_incidents(mocker):
    """Verify that an alert absent from ``existing_ids`` is turned into an incident.

    The last-run state lists a different alert id
    (``da637029413772554314_295039533``) as already seen, and the test expects
    the first incident handed to ``demisto.incidents`` to be named after alert
    ``da637029414680409372_735564929``. Together with the de-duplication test
    this pins both sides of the filter: known alerts are dropped, unseen ones
    are kept.
    """
    from MicrosoftDefenderAdvancedThreatProtection import fetch_incidents

    mock_demisto(mocker)
    atp_mocker(mocker, 'third_response_alerts.json')

    previous_run = {
        'last_alert_fetched_time': "2019-09-01T13:29:37",
        'existing_ids': ['da637029413772554314_295039533'],
    }
    fetch_incidents(client_mocker, previous_run)

    # NOTE(review): only the first incident's name is checked; the number of
    # incidents created is not asserted, so an unexpected extra incident would
    # not fail this test.
    created_incidents = demisto.incidents.call_args[0][0]
    first_incident_name = created_incidents[0].get('name')
    assert first_incident_name == 'Microsoft Defender ATP Alert da637029414680409372_735564929'
Exemple #3
def test_first_fetch_incidents(mocker):
    """Verify the initial fetch, where the last-run state carries no ``existing_ids``.

    Only ``last_alert_fetched_time`` is supplied, and the test expects
    ``demisto.incidents`` to receive three incidents, the third of which is
    named after alert ``da636983472338927033_-2077013687``.
    """
    from MicrosoftDefenderAdvancedThreatProtection import fetch_incidents

    mock_demisto(mocker)
    atp_mocker(mocker, 'first_response_alerts.json')

    # No 'existing_ids' key: this exercises the path where nothing has been
    # ingested before.
    previous_run = {'last_alert_fetched_time': "2018-11-26T16:19:21"}
    fetch_incidents(client_mocker, previous_run)

    created_incidents = demisto.incidents.call_args[0][0]
    # All three alerts from the fixture response must become incidents.
    assert len(created_incidents) == 3
    third_incident_name = created_incidents[2].get('name')
    assert third_incident_name == 'Microsoft Defender ATP Alert da636983472338927033_-2077013687'