def test_ip_not_found():
"""
Given:
- an IP
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results with context indicate that no results were found
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=1.1.1.1'
status_code = 200
json_data = {'total_size': 0, 'page': 1, 'page_size': 25, 'more': False}
expected_output = "No results were found for ip 1.1.1.1"
ip_to_check = {'ip': '1.1.1.1'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client)
output = results[0].to_context().get('HumanReadable')
assert expected_output in output
def test_ip_command():
"""
Given:
- an IP
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results containing indicator, dbotscore and associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=0.0.0.0'
doc_url = 'https://test.com/rest/document/v0?links.display_text.values=0.0.0.0&type.values=intelligence_alert&type.values=intelligence_report&links.display_text.match_all=true' # noqa: E501
fund_url = 'https://test.com/rest/fundamental/v0/malware_family?key.values=Hive'
status_code = 200
json_data = IP_RES_JSON
intel_json_data = IP_INTEL_JSON
malware_json_data = RAW_MALWARE_FAMILY_RES_JSON
expected_output = {
'IP': [{
'Address': '0.0.0.0'
}],
'DBOTSCORE': [{
'Indicator': '0.0.0.0',
'Type': 'ip',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}]
}
ip_to_check = {'ip': '0.0.0.0'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=status_code, json=intel_json_data)
m.get(fund_url, status_code=status_code, json=malware_json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
fundamental_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['fundamental'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client, fundamental_client)
context_result = results[0].to_context()
output = results[0].to_context().get('EntryContext', {})
assert output.get('IP(val.Address && val.Address == obj.Address)',
[]) == expected_output.get('IP')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert _is_intelligence_data_present_in_command_result(
context_result, intel_json_data) is True
def test_wrong_ip():
"""
Given:
- an IP
When:
- running ip command validate at first to check if the given ip is a valid ip
Then:
- raise error before calling http request that indicates that the given argument is not valid
"""
ip_to_check = {'ip': '1'}
client = Client(API_URL, 'api_token', True, False)
doc_search_client = Client(API_URL, 'api_token', True, False, ENDPOINTS['document'])
try:
ip_command(client, ip_to_check, DBotScoreReliability.B, doc_search_client)
except DemistoException as err:
assert "Received wrong IP value" in str(err)
def test_ip_command_when_api_key_not_authorised_for_document_search():
"""
Given:
- a ip and api key not authorized for doc search
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results containing indicator, dbotscore and NO associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=0.0.0.0'
doc_url = 'https://test.com/rest/document/v0?links.display_text.values=0.0.0.0&type.values=intelligence_alert&type.values=intelligence_report&links.display_text.match_all=true' # noqa: E501
status_code = 200
error_status_code = 403
json_data = IP_RES_JSON
doc_search_exception_response = {'timestamp': '2021-11-12T09:09:27.983Z', 'status': 403,
'error': 'Forbidden', 'message': 'Forbidden', 'path': '/rest/document/v0'}
expected_output = {
'IP': [{'Address': '0.0.0.0'}],
'DBOTSCORE': [{'Indicator': '0.0.0.0', 'Type': 'ip', 'Vendor': 'iDefense', 'Score': 2,
'Reliability': 'B - Usually reliable'}]}
ip_to_check = {'ip': '0.0.0.0'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=error_status_code, json=doc_search_exception_response)
client = Client(API_URL, 'api_token', True, False, ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False, ENDPOINTS['document'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B, doc_search_client)
context_result = results[0].to_context()
content = context_result['HumanReadable']
output = context_result.get('EntryContext', {})
assert output.get('IP(val.Address && val.Address == obj.Address)', []) == expected_output.get('IP')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert 'Intelligence Alerts' not in content
assert 'Intelligence Reports' not in content