    def test_get_reporter_command(self, requests_mock, triage_instance):
        """Render one reporter as a markdown table and a ``Cofense.Reporter`` context entry.

        The reporter endpoint is stubbed with the ``reporters.json`` fixture and
        the first ``demisto.results`` call is inspected for both the
        human-readable table and the structured EntryContext.
        """
        reporter_url = "https://some-triage-host/api/public/v1/reporters/5"
        set_demisto_arg("reporter_id", "5")
        requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))

        CofenseTriagev2.get_reporter_command(triage_instance)

        # demisto.results is a mock; each recorded call unpacks as (args, kwargs).
        positional_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        entry = positional_args[0]

        expected_table = (
            "### Reporter Results:\n"
            "|Created At|Credibility Score|Email|Id|Last Reported At|Reports Count|Updated At|Vip|\n"
            "|---|---|---|---|---|---|---|---|\n"
            "| 2019-04-12T02:58:17.401Z | 0 | [email protected] | 111 | 2016-02-18T00:24:45.000Z | 3 | 2019-04-12T02:59:22.287Z | false |\n"  # noqa: 501
        )
        assert entry["HumanReadable"] == expected_table

        # The context key carries the dedup expression verbatim; the reporter
        # fields are keyed in CamelCase rather than the API's snake_case.
        context_key = "Cofense.Reporter(val.Id && val.Id == obj.Id)"
        expected_reporter = {
            "ID": 111,
            "Email": "*****@*****.**",
            "CreatedAt": "2019-04-12T02:58:17.401Z",
            "UpdatedAt": "2019-04-12T02:59:22.287Z",
            "CredibilityScore": 0,
            "ReportsCount": 3,
            "LastReportedAt": "2016-02-18T00:24:45.000Z",
            "Vip": False,
        }
        assert entry["EntryContext"] == {context_key: expected_reporter}
    def test_get_report_by_id_command_with_attachment(self, requests_mock,
                                                      triage_instance):
        """Fetching a report that carries an attachment emits two result entries.

        The first ``demisto.results`` call is the HTML-report download notice,
        the second is the report summary table. Both the report and the
        reporter it references are stubbed from fixtures.
        """
        report_url = "https://some-triage-host/api/public/v1/reports/6"
        reporter_url = "https://some-triage-host/api/public/v1/reporters/5331"
        for arg_name, arg_value in (("report_id", "6"), ("verbose", "false")):
            set_demisto_arg(arg_name, arg_value)
        requests_mock.get(
            report_url,
            text=fixture_from_file("single_report_with_attachment.json"),
        )
        requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))

        CofenseTriagev2.get_report_by_id_command(triage_instance)

        recorded_calls = CofenseTriagev2.demisto.results.call_args_list
        first_args, _ = recorded_calls[0]
        second_args, _ = recorded_calls[1]
        download_entry = first_args[0]
        summary_entry = second_args[0]

        assert download_entry["HumanReadable"] == (
            "### Cofense HTML Report:\n"
            "HTML report download request has been completed")
        # The Email Attachments column is the attachment dict rendered with
        # str(); the nested payload (md5/sha256/mime type) appears inline.
        expected_summary = (
            "### Report Summary:\n"
            "|Category Id|Created At|Email Attachments|Id|Location|Match Priority|Md5|Report Subject|Reported At|Reporter Id|Sha256|\n"  # noqa: 501
            "|---|---|---|---|---|---|---|---|---|---|---|\n"
            "| 7 | 2020-03-19T16:43:09.715Z | {'id': 18054, 'report_id': 13363, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 7286, 'email_attachment_payload': {'id': 7082, 'md5': '123', 'sha256': '1234', 'mime_type': 'image/png; charset=binary'}} | 13363 | Processed | 1 | 111 | suspicious subject | 2020-03-19T16:42:22.000Z | 5331 | 222 |\n"  # noqa: 501
        )
        assert summary_entry["HumanReadable"] == expected_summary
    def test_fetch_reports_already_fetched(self, mocker, requests_mock,
                                           triage_instance):
        """A report id already present in the last run is not turned into a new incident.

        ``getLastRun`` is patched to claim report 13363 was fetched earlier, so
        only 13392 from the fixture becomes an incident, and the persisted id
        list is extended rather than replaced.
        """
        set_demisto_args({
            "max_fetch": 10,
            "date_range": "1 day",
            "category_id": 5,
            "match_priority": 2,
            "tags": "",
        })
        processed_url = (
            "https://some-triage-host/api/public/v1/processed_reports?category_id=5&"
            "match_priority=2&tags=&start_date=2000-10-30+00%3A00%3A00"
        )
        requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))
        requests_mock.get(
            "https://some-triage-host/api/public/v1/reporters/5331",
            text=fixture_from_file("reporters.json"),
        )

        def previous_run():
            # Simulates the last-run state a prior fetch would have persisted.
            return {"reports_fetched": "[13363]"}

        mocker.patch("demistomock.getLastRun", previous_run)

        CofenseTriagev2.fetch_reports(triage_instance)

        incidents_args, _ = CofenseTriagev2.demisto.incidents.call_args_list[0]
        incidents = incidents_args[0]
        assert len(incidents) == 1
        assert incidents[0]["name"] == "cofense triage report 13392: Crimeware"

        # The newly fetched id is stored ahead of the already-known one.
        CofenseTriagev2.demisto.setLastRun.assert_called_once_with(
            {"reports_fetched": "[13392, 13363]"})
    def test_test_function_error(self, requests_mock, triage_instance):
        """A non-2xx answer from the processed_reports endpoint surfaces as TriageRequestFailedError.

        The body is still a valid fixture; only the 404 status should make the
        connectivity test fail, so the error path is keyed on status, not content.
        """
        processed_url = "https://some-triage-host/api/public/v1/processed_reports"
        requests_mock.get(
            processed_url,
            status_code=404,
            text=fixture_from_file("processed_reports.json"),
        )

        with pytest.raises(TriageRequestFailedError):
            CofenseTriagev2.test_function(triage_instance)
    def test_test_function(self, requests_mock, triage_instance):
        """The connectivity check reports "ok" once processed_reports answers successfully."""
        processed_url = "https://some-triage-host/api/public/v1/processed_reports"
        requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))

        CofenseTriagev2.test_function(triage_instance)

        # Exactly one results call, carrying the bare "ok" string.
        CofenseTriagev2.demisto.results.assert_called_once_with("ok")
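    def test_get_attachment_command(self, mocker, requests_mock,
                                    triage_instance):
        """Download an attachment and return it as a file entry named by the caller.

        The attachment endpoint is stubbed with ``attachment.txt``. The command
        is invoked once; the original test called it twice, which only doubled
        the recorded mock calls without adding any assertion.

        Note: ``file_name`` is user-supplied and is echoed back unchanged in the
        ``File`` field; this test does not cover names containing path
        separators or other characters a file writer might need to reject.
        """
        set_demisto_arg("attachment_id", "5")
        set_demisto_arg("file_name", "my_great_file")
        requests_mock.get(
            "https://some-triage-host/api/public/v1/attachment/5",
            text=fixture_from_file("attachment.txt"),
        )

        CofenseTriagev2.get_attachment_command(triage_instance)

        results_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        file_entry = results_args[0]
        # "/path/to/temp/file" is a stub value — presumably supplied by a patched
        # file writer in the test fixtures; confirm against the conftest.
        assert file_entry["FileID"] == "/path/to/temp/file"
        assert file_entry["File"] == "my_great_file"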
    def test_search_reports_command_not_found(self, requests_mock,
                                              triage_instance):
        """Searching with filters that match nothing yields a single "no results" entry.

        The fixture does contain reports; the subject/url filters simply match
        none of them, so the command must emit the not-found message rather
        than an empty table.
        """
        search_args = {
            "subject": "my great subject",
            "url": "my-great-url",
            "file_hash": "",
            "reporter": "",
            "max_matches": 10,
            "verbose": "",
        }
        for arg_name, arg_value in search_args.items():
            set_demisto_arg(arg_name, arg_value)
        # Unlike the fetch tests, this start_date carries an explicit +00:00 offset.
        processed_url = (
            "https://some-triage-host/api/public/v1/processed_reports?start_date=2000-10-24+00%3A00%3A00%2B00%3A00"
        )
        requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))

        CofenseTriagev2.search_reports_command(triage_instance)

        results_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        assert len(results_args) == 1
        assert results_args[0]["HumanReadable"] == "no results were found."
    def test_get_threat_indicators_command_not_found(self, requests_mock,
                                                     triage_instance):
        """An empty indicator list from the API produces the "no results" message.

        Every query argument is set to the same placeholder so the full query
        string can be matched literally; the endpoint answers ``[]``.
        """
        query_fields = ("type", "level", "start_date", "end_date", "page", "per_page")
        for field_name in query_fields:
            set_demisto_arg(field_name, "what")
        indicators_url = (
            "https://some-triage-host/api/public/v1/triage_threat_indicators?type=what&level=what&start_date=what&end_date=what&page=what&per_page=what"  # noqa: 501
        )
        requests_mock.get(indicators_url, text="[]")

        CofenseTriagev2.get_threat_indicators_command(triage_instance)

        results_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        assert len(results_args) == 1
        assert results_args[0]["HumanReadable"] == "no results were found."
    def test_get_report_by_id_command(self, requests_mock, triage_instance):
        """Fetching a report without an attachment emits one summary table entry.

        The table includes a Report Body column: the expected string shows the
        e-mail body rendered verbatim, including the raw ``<a href=...>``
        markup from the fixture. Whether the platform sanitizes that HTML when
        it renders the markdown is outside the scope of this test.
        """
        report_url = "https://some-triage-host/api/public/v1/reports/6"
        reporter_url = "https://some-triage-host/api/public/v1/reporters/5331"
        for arg_name, arg_value in (("report_id", "6"), ("verbose", "false")):
            set_demisto_arg(arg_name, arg_value)
        requests_mock.get(report_url, text=fixture_from_file("single_report.json"))
        requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))

        CofenseTriagev2.get_report_by_id_command(triage_instance)

        results_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        summary_entry = results_args[0]
        expected_summary = (
            "### Report Summary:\n"
            "|Category Id|Created At|Email Attachments|Id|Location|Match Priority|Md5|Report Body|Report Subject|Reported At|Reporter Id|Sha256|\n"  # noqa: 501
            "|---|---|---|---|---|---|---|---|---|---|---|---|\n"
            "| 7 | 2020-03-19T16:43:09.715Z | {'id': 18054, 'report_id': 13363, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 7286, 'email_attachment_payload': {'id': 7082, 'md5': '123', 'sha256': '1234', 'mime_type': 'image/png; charset=binary'}} | 13363 | Processed | 1 | 111 | From: Sender <*****@*****.**><br>Reply-To: \"[email protected]\" <*****@*****.**><br>Date: Wednesday, March 18, 2020 at 3:34 PM<br>To: [email protected]<br>Subject: suspicious subject<br>click on this link! trust me! <a href=\"http://example.com/malicious\">here</a> | suspicious subject | 2020-03-19T16:42:22.000Z | 5331 | 222 |\n"  # noqa: 501
        )
        assert summary_entry["HumanReadable"] == expected_summary
    def test_get_all_reporters(self, requests_mock, triage_instance):
        """get_all_reporters returns the reporter e-mail addresses from the fixture.

        The start date passed in is forwarded as the ``start_date`` query
        parameter; the stubbed URL pins that exact value.
        """
        start_date = "1995-01-01"
        reporters_url = (
            "https://some-triage-host/api/public/v1/reporters?start_date=" + start_date
        )
        requests_mock.get(reporters_url, text=fixture_from_file("reporters.json"))

        found_addresses = CofenseTriagev2.get_all_reporters(triage_instance, start_date)

        # Two reporters in the fixture; both addresses are masked in the test data.
        expected_addresses = ["*****@*****.**", "*****@*****.**"]
        assert found_addresses == expected_addresses
    def test_search_reports_filtering(self, requests_mock, triage_instance,
                                      filter_attrs, expected_found_report_ids):
        """Parametrized check that search_reports keeps only the reports matching filter_attrs.

        ``filter_attrs`` and ``expected_found_report_ids`` are injected by the
        parametrization (outside this method). ``reported_at`` is passed as a
        naive local "now"; the pinned start_date in the stubbed URL is fixed
        elsewhere — presumably by the triage_instance fixture — so it does not
        depend on the clock here.
        """
        processed_url = (
            "https://some-triage-host/api/public/v1/processed_reports?start_date=2000-10-31+00%3A00%3A00"  # noqa: 501
        )
        requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))

        search_time = datetime.datetime.now()
        matching_reports = CofenseTriagev2.search_reports(
            triage_instance, reported_at=search_time, **filter_attrs)

        matching_ids = [matching["id"] for matching in matching_reports]
        assert matching_ids == expected_found_report_ids
    def test_get_threat_indicators_command(self, requests_mock,
                                           triage_instance):
        """Threat indicators from the fixture are rendered as a single markdown table.

        Every query argument is set to the same placeholder so the full query
        string can be matched literally against the stubbed URL.
        """
        query_fields = ("type", "level", "start_date", "end_date", "page", "per_page")
        for field_name in query_fields:
            set_demisto_arg(field_name, "what")
        indicators_url = (
            "https://some-triage-host/api/public/v1/triage_threat_indicators?type=what&level=what&start_date=what&end_date=what&page=what&per_page=what"  # noqa: 501
        )
        requests_mock.get(indicators_url, text=fixture_from_file("threat_indicators.json"))

        CofenseTriagev2.get_threat_indicators_command(triage_instance)

        results_args, _ = CofenseTriagev2.demisto.results.call_args_list[0]
        assert len(results_args) == 1
        expected_table = (
            "### Threat Indicators:\n"
            "|Created At|Id|Operator Id|Report Id|Threat Key|Threat Level|Threat Value|\n"
            "|---|---|---|---|---|---|---|\n"
            "| 2020-03-16T17:39:14.579Z | 37 | 2 | 13353 | Domain | Malicious | malicious.example.com |\n"
        )
        assert results_args[0]["HumanReadable"] == expected_table
    def test_fetch_reports(self, mocker, requests_mock, triage_instance):
        """A first fetch turns both fixture reports into incidents and persists their ids.

        No last-run state is patched here, so every processed report in the
        fixture is new. The incident fields checked are name, occurred,
        severity, rawJSON and (for the second report) the attachment record.
        """
        fetch_params = {
            "max_fetch": 10,
            "date_range": "1 day",
            "category_id": 5,
            "match_priority": 2,
            "tags": "",
        }
        for param_name, param_value in fetch_params.items():
            set_demisto_arg(param_name, param_value)
        processed_url = (
            "https://some-triage-host/api/public/v1/processed_reports?category_id=5&"
            "match_priority=2&tags=&start_date=2000-10-30+00%3A00%3A00"
        )
        requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))
        requests_mock.get(
            "https://some-triage-host/api/public/v1/reporters/5331",
            text=fixture_from_file("reporters.json"),
        )

        CofenseTriagev2.fetch_reports(triage_instance)

        incidents_args, _ = CofenseTriagev2.demisto.incidents.call_args_list[0]
        incidents = incidents_args[0]
        assert len(incidents) == 2

        first_incident = incidents[0]
        second_incident = incidents[1]
        assert first_incident["name"] == "cofense triage report 13363: Phishing Simulation"
        assert first_incident["occurred"] == "2020-03-19T16:43:09.715Z"
        assert first_incident["severity"] == 1
        # 1931 pins the length of the (presumably serialized) raw report; this is
        # a brittle proxy — any fixture or key-ordering change moves the number.
        assert len(first_incident["rawJSON"]) == 1931

        # The second report carries its downloaded HTML report as an attachment.
        expected_attachment = {
            "name": "13392-report.html",
            "path": "/path/to/temp/file",
        }
        assert second_incident["attachment"] == [expected_attachment]

        CofenseTriagev2.demisto.setLastRun.assert_called_once_with(
            {"reports_fetched": "[13392, 13363]"})