def test_get_reporter_command(self, requests_mock, triage_instance):
    """Pin the markdown table and context entry emitted for reporter id 5.

    A mocked GET response for the reporter endpoint is registered from the
    ``reporters.json`` fixture before the command runs.
    """
    # NOTE(review): the e-mail literals in both expectations look masked by
    # whatever extracted this listing ("[email protected]" in the table,
    # "*****@*****.**" in the context). Confirm them against reporters.json;
    # as written the two outputs disagree on the same field.
    reporter_url = "https://some-triage-host/api/public/v1/reporters/5"
    set_demisto_arg("reporter_id", "5")
    requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))

    CofenseTriagev2.get_reporter_command(triage_instance)

    # First positional argument of the first demisto.results() call.
    entry = CofenseTriagev2.demisto.results.call_args_list[0][0][0]

    expected_table = (
        "### Reporter Results:\n"
        "|Created At|Credibility Score|Email|Id|Last Reported At|Reports Count|Updated At|Vip|\n"
        "|---|---|---|---|---|---|---|---|\n"
        "| 2019-04-12T02:58:17.401Z | 0 | [email protected] | 111 | 2016-02-18T00:24:45.000Z | 3 | 2019-04-12T02:59:22.287Z | false |\n"  # noqa: 501
    )
    expected_reporter = {
        "ID": 111,
        "Email": "*****@*****.**",
        "CreatedAt": "2019-04-12T02:58:17.401Z",
        "UpdatedAt": "2019-04-12T02:59:22.287Z",
        "CredibilityScore": 0,
        "ReportsCount": 3,
        "LastReportedAt": "2016-02-18T00:24:45.000Z",
        "Vip": False,
    }

    assert entry["HumanReadable"] == expected_table
    assert entry["EntryContext"] == {
        "Cofense.Reporter(val.Id && val.Id == obj.Id)": expected_reporter
    }
def test_get_report_by_id_command_with_attachment(self, requests_mock, triage_instance):
    """Pin both result entries produced for a report that has an attachment.

    The first demisto.results() call is expected to announce the HTML report
    download; the second is expected to carry the report summary table.
    """
    api_root = "https://some-triage-host/api/public/v1"
    set_demisto_arg("report_id", "6")
    set_demisto_arg("verbose", "false")
    requests_mock.get(
        api_root + "/reports/6",
        text=fixture_from_file("single_report_with_attachment.json"),
    )
    requests_mock.get(
        api_root + "/reporters/5331",
        text=fixture_from_file("reporters.json"),
    )

    CofenseTriagev2.get_report_by_id_command(triage_instance)

    result_calls = CofenseTriagev2.demisto.results.call_args_list
    download_entry = result_calls[0][0][0]
    summary_entry = result_calls[1][0][0]

    assert download_entry["HumanReadable"] == (
        "### Cofense HTML Report:\n"
        "HTML report download request has been completed"
    )
    # The attachment metadata (name, content type, hashes) is rendered as a
    # dict repr inside the "Email Attachments" column; no "Report Body"
    # column is expected in this table.
    expected_summary = (
        "### Report Summary:\n"
        "|Category Id|Created At|Email Attachments|Id|Location|Match Priority|Md5|Report Subject|Reported At|Reporter Id|Sha256|\n"  # noqa: 501
        "|---|---|---|---|---|---|---|---|---|---|---|\n"
        "| 7 | 2020-03-19T16:43:09.715Z | {'id': 18054, 'report_id': 13363, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 7286, 'email_attachment_payload': {'id': 7082, 'md5': '123', 'sha256': '1234', 'mime_type': 'image/png; charset=binary'}} | 13363 | Processed | 1 | 111 | suspicious subject | 2020-03-19T16:42:22.000Z | 5331 | 222 |\n"  # noqa: 501
    )
    assert summary_entry["HumanReadable"] == expected_summary
def test_fetch_reports_already_fetched(self, mocker, requests_mock, triage_instance):
    """Check that a report id recorded in the last run is not re-ingested.

    The last-run state lists report 13363, so only one incident (13392) is
    expected, and the stored state is expected to list both ids afterwards.
    """
    fetch_args = {
        "max_fetch": 10,
        "date_range": "1 day",
        "category_id": 5,
        "match_priority": 2,
        "tags": "",
    }
    processed_url = (
        "https://some-triage-host/api/public/v1/processed_reports?category_id=5&"
        "match_priority=2&tags=&start_date=2000-10-30+00%3A00%3A00"  # noqa: 501
    )
    reporter_url = "https://some-triage-host/api/public/v1/reporters/5331"

    set_demisto_args(fetch_args)
    requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))
    requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))
    # Dedup state is a JSON-style list serialised into a string.
    mocker.patch("demistomock.getLastRun", lambda: {"reports_fetched": "[13363]"})

    CofenseTriagev2.fetch_reports(triage_instance)

    incidents = CofenseTriagev2.demisto.incidents.call_args_list[0][0][0]
    assert len(incidents) == 1
    assert incidents[0]["name"] == "cofense triage report 13392: Crimeware"
    CofenseTriagev2.demisto.setLastRun.assert_called_once_with(
        {"reports_fetched": "[13392, 13363]"}
    )
def test_test_function_error(self, requests_mock, triage_instance):
    """Expect TriageRequestFailedError when the API answers with HTTP 404.

    The body is still the regular fixture, so the failure has to come from
    the status code rather than from unparsable content.
    """
    endpoint = "https://some-triage-host/api/public/v1/processed_reports"
    requests_mock.get(
        endpoint,
        status_code=404,
        text=fixture_from_file("processed_reports.json"),
    )

    with pytest.raises(TriageRequestFailedError):
        CofenseTriagev2.test_function(triage_instance)
def test_test_function(self, requests_mock, triage_instance):
    """Expect the connectivity check to report "ok" exactly once on success."""
    endpoint = "https://some-triage-host/api/public/v1/processed_reports"
    requests_mock.get(endpoint, text=fixture_from_file("processed_reports.json"))

    CofenseTriagev2.test_function(triage_instance)

    CofenseTriagev2.demisto.results.assert_called_once_with("ok")
def test_get_attachment_command(self, mocker, requests_mock, triage_instance):
    """Check the file entry returned when attachment 5 is downloaded.

    Only the first demisto.results() call is inspected: its ``File`` must be
    the caller-supplied file name and its ``FileID`` the stubbed temp path.
    """
    attachment_url = "https://some-triage-host/api/public/v1/attachment/5"
    set_demisto_arg("attachment_id", "5")
    set_demisto_arg("file_name", "my_great_file")
    requests_mock.get(attachment_url, text=fixture_from_file("attachment.txt"))

    # NOTE(review): the command is invoked twice while only the first result
    # is asserted on, and the ``mocker`` fixture is never used here. The
    # second call looks redundant -- confirm before removing it.
    for _ in range(2):
        CofenseTriagev2.get_attachment_command(triage_instance)

    file_entry = CofenseTriagev2.demisto.results.call_args_list[0][0][0]
    assert file_entry["FileID"] == "/path/to/temp/file"
    assert file_entry["File"] == "my_great_file"
def test_search_reports_command_not_found(self, requests_mock, triage_instance):
    """Expect the "no results" message when no fixture report matches.

    Subject and URL filters are set to values that the assertion implies are
    absent from ``processed_reports.json``.
    """
    command_args = (
        ("subject", "my great subject"),
        ("url", "my-great-url"),
        ("file_hash", ""),
        ("reporter", ""),
        ("max_matches", 10),
        ("verbose", ""),
    )
    for arg_name, arg_value in command_args:
        set_demisto_arg(arg_name, arg_value)

    # NOTE(review): the fixed start_date in the query string presumably relies
    # on the clock being frozen elsewhere in the test module -- confirm.
    requests_mock.get(
        "https://some-triage-host/api/public/v1/processed_reports?start_date=2000-10-24+00%3A00%3A00%2B00%3A00",
        text=fixture_from_file("processed_reports.json"),
    )

    CofenseTriagev2.search_reports_command(triage_instance)

    call_args = CofenseTriagev2.demisto.results.call_args_list[0][0]
    assert len(call_args) == 1
    assert call_args[0]["HumanReadable"] == "no results were found."
def test_get_threat_indicators_command_not_found(self, requests_mock, triage_instance):
    """Expect the "no results" message when the API returns an empty list.

    Every argument is the placeholder "what"; the mocked URL shows each one
    being forwarded as a query parameter of the same name.
    """
    for arg_name in ("type", "level", "start_date", "end_date", "page", "per_page"):
        set_demisto_arg(arg_name, "what")

    indicators_url = "https://some-triage-host/api/public/v1/triage_threat_indicators?type=what&level=what&start_date=what&end_date=what&page=what&per_page=what"  # noqa: 501
    requests_mock.get(indicators_url, text="[]")

    CofenseTriagev2.get_threat_indicators_command(triage_instance)

    call_args = CofenseTriagev2.demisto.results.call_args_list[0][0]
    assert len(call_args) == 1
    assert call_args[0]["HumanReadable"] == "no results were found."
def test_get_report_by_id_command(self, requests_mock, triage_instance):
    """Pin the report summary table, including the rendered report body.

    Report 6 and reporter 5331 are served from fixtures; only the first
    demisto.results() call is inspected.
    """
    # NOTE(review): the expected "Report Body" cell contains markup taken from
    # the reported e-mail (``<br>`` separators and an ``<a href=...>`` anchor).
    # That text is sender-controlled, so this expectation documents that the
    # link reaches the analyst-facing output as markup -- confirm that is the
    # intended rendering.
    # NOTE(review): the address literals ("[email protected]",
    # "*****@*****.**") look masked by extraction; restore them from the
    # fixture before relying on this test.
    api_root = "https://some-triage-host/api/public/v1"
    set_demisto_arg("report_id", "6")
    set_demisto_arg("verbose", "false")
    requests_mock.get(
        api_root + "/reports/6",
        text=fixture_from_file("single_report.json"),
    )
    requests_mock.get(
        api_root + "/reporters/5331",
        text=fixture_from_file("reporters.json"),
    )

    CofenseTriagev2.get_report_by_id_command(triage_instance)

    summary_entry = CofenseTriagev2.demisto.results.call_args_list[0][0][0]
    expected_summary = (
        "### Report Summary:\n"
        "|Category Id|Created At|Email Attachments|Id|Location|Match Priority|Md5|Report Body|Report Subject|Reported At|Reporter Id|Sha256|\n"  # noqa: 501
        "|---|---|---|---|---|---|---|---|---|---|---|---|\n"
        "| 7 | 2020-03-19T16:43:09.715Z | {'id': 18054, 'report_id': 13363, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 7286, 'email_attachment_payload': {'id': 7082, 'md5': '123', 'sha256': '1234', 'mime_type': 'image/png; charset=binary'}} | 13363 | Processed | 1 | 111 | From: Sender <*****@*****.**><br>Reply-To: \"[email protected]\" <*****@*****.**><br>Date: Wednesday, March 18, 2020 at 3:34 PM<br>To: [email protected]<br>Subject: suspicious subject<br>click on this link! trust me! <a href=\"http://example.com/malicious\">here</a> | suspicious subject | 2020-03-19T16:42:22.000Z | 5331 | 222 |\n"  # noqa: 501
    )
    assert summary_entry["HumanReadable"] == expected_summary
def test_get_all_reporters(self, requests_mock, triage_instance):
    """Expect get_all_reporters to return the two fixture reporter addresses.

    The start date argument is expected to appear verbatim in the query
    string of the mocked request.
    """
    since = "1995-01-01"
    requests_mock.get(
        "https://some-triage-host/api/public/v1/reporters?start_date=1995-01-01",
        text=fixture_from_file("reporters.json"),
    )

    found = CofenseTriagev2.get_all_reporters(triage_instance, since)

    # NOTE(review): both addresses look masked by extraction; restore the
    # real values from reporters.json before relying on this comparison.
    expected_addresses = [
        "*****@*****.**",
        "*****@*****.**",
    ]
    assert found == expected_addresses
def test_search_reports_filtering(self, requests_mock, triage_instance, filter_attrs, expected_found_report_ids):
    """Check that search_reports returns exactly the expected report ids.

    ``filter_attrs`` is expanded into keyword filters and
    ``expected_found_report_ids`` is the ordered list of ids that must come
    back.
    """
    # NOTE(review): filter_attrs / expected_found_report_ids are presumably
    # supplied by a parametrize decorator that is not visible in this listing.
    # NOTE(review): the mocked URL carries a fixed start_date although
    # reported_at is "now"; this presumably depends on a frozen clock
    # configured elsewhere -- confirm.
    requests_mock.get(
        "https://some-triage-host/api/public/v1/processed_reports?start_date=2000-10-31+00%3A00%3A00",  # noqa: 501
        text=fixture_from_file("processed_reports.json"),
    )

    reported_at = datetime.datetime.now()
    matches = CofenseTriagev2.search_reports(
        triage_instance, **filter_attrs, reported_at=reported_at
    )

    found_ids = []
    for match in matches:
        found_ids.append(match["id"])
    assert found_ids == expected_found_report_ids
def test_get_threat_indicators_command(self, requests_mock, triage_instance):
    """Pin the threat-indicator table rendered from the fixture response.

    Every argument is the placeholder "what"; the mocked URL shows each one
    being forwarded as a query parameter of the same name.
    """
    for arg_name in ("type", "level", "start_date", "end_date", "page", "per_page"):
        set_demisto_arg(arg_name, "what")

    indicators_url = "https://some-triage-host/api/public/v1/triage_threat_indicators?type=what&level=what&start_date=what&end_date=what&page=what&per_page=what"  # noqa: 501
    requests_mock.get(indicators_url, text=fixture_from_file("threat_indicators.json"))

    CofenseTriagev2.get_threat_indicators_command(triage_instance)

    call_args = CofenseTriagev2.demisto.results.call_args_list[0][0]
    assert len(call_args) == 1

    # One indicator row is expected: a domain marked Malicious for report 13353.
    expected_table = (
        "### Threat Indicators:\n"
        "|Created At|Id|Operator Id|Report Id|Threat Key|Threat Level|Threat Value|\n"
        "|---|---|---|---|---|---|---|\n"
        "| 2020-03-16T17:39:14.579Z | 37 | 2 | 13353 | Domain | Malicious | malicious.example.com |\n"
    )
    assert call_args[0]["HumanReadable"] == expected_table
def test_fetch_reports(self, mocker, requests_mock, triage_instance):
    """Check the incidents created from the processed-reports fixture.

    Two incidents are expected. The first is checked for name, occurrence
    time, severity and raw JSON size; the second for its HTML report
    attachment. The stored last-run state must list both report ids.
    """
    fetch_args = (
        ("max_fetch", 10),
        ("date_range", "1 day"),
        ("category_id", 5),
        ("match_priority", 2),
        ("tags", ""),
    )
    for arg_name, arg_value in fetch_args:
        set_demisto_arg(arg_name, arg_value)

    processed_url = (
        "https://some-triage-host/api/public/v1/processed_reports?category_id=5&"
        "match_priority=2&tags=&start_date=2000-10-30+00%3A00%3A00"  # noqa: 501
    )
    reporter_url = "https://some-triage-host/api/public/v1/reporters/5331"
    requests_mock.get(processed_url, text=fixture_from_file("processed_reports.json"))
    requests_mock.get(reporter_url, text=fixture_from_file("reporters.json"))

    CofenseTriagev2.fetch_reports(triage_instance)

    incidents = CofenseTriagev2.demisto.incidents.call_args_list[0][0][0]
    assert len(incidents) == 2

    first_incident = incidents[0]
    second_incident = incidents[1]
    assert first_incident["name"] == "cofense triage report 13363: Phishing Simulation"
    assert first_incident["occurred"] == "2020-03-19T16:43:09.715Z"
    assert first_incident["severity"] == 1
    # NOTE(review): the exact length presumably tracks the fixture contents,
    # so it will shift whenever processed_reports.json is edited.
    assert len(first_incident["rawJSON"]) == 1931
    assert second_incident["attachment"] == [
        {"name": "13392-report.html", "path": "/path/to/temp/file"}
    ]

    CofenseTriagev2.demisto.setLastRun.assert_called_once_with(
        {"reports_fetched": "[13392, 13363]"}
    )