def test_expected_params_in_get_requests(self, mocker, command,
command_args,
expected_http_params):
"""
Given:
- Commands send custom params to http requests
When:
- Call those commands
Then:
- Validate the expected params was sent
"""
# prepare
mocker.patch.object(
Client,
'http_request',
side_effect=self.mocked_http_get_not_found_response)
mocker.patch.object(demisto, 'args', return_value=command_args)
mocker.patch.object(demisto, 'command', return_value=command)
# run
main()
# validate
assert expected_http_params == Client.http_request.call_args[1][
'params']
def test_no_confidence_in_result_ioc(self, mocker):
"""
Given
- Indicator form ThreatStream without confidence value
When
- Run the reputation command
Then
- Validate the DbotScore was set to 1
"""
# prepare
test_indicator = dict(value='test_ioc',
asn='',
meta=dict(registrant_name='test'))
mocker.patch.object(demisto, 'results')
mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params',
return_value=test_indicator)
for ioc in REPUTATION_COMMANDS:
ioc_arg_name = ioc if ioc != 'threatstream-email-reputation' else 'email'
mocker.patch.object(demisto,
'args',
return_value={ioc_arg_name: 'test_ioc'})
mocker.patch.object(demisto, 'command', return_value=ioc)
# run
main()
# validate
entry_context = demisto.results.call_args[0][0]['EntryContext']
assert entry_context[Common.DBotScore.CONTEXT_PATH][0][
'Score'] == Common.DBotScore.GOOD
def test_get_commands__no_result(self, mocker, command, command_args,
expected_output):
"""
Given:
- ThreatStream return nothing for the get requests
When:
-Run commands made get request
Then:
- Validate the expected message was returned
"""
# prepare
mocker.patch.object(
Client,
'http_request',
side_effect=self.mocked_http_get_not_found_response)
mocker.patch.object(demisto, 'args', return_value=command_args)
mocker.patch.object(demisto, 'command', return_value=command)
mocker.patch.object(demisto, 'results')
# run
main()
# validate
result = demisto.results.call_args[0][0]
assert result == expected_output
def test_get_active_and_inactive_ioc(self, mocker, include_inactive,
exp_status_param):
"""
Given
- The Include inactive results flag is true/false
When
- Run the reputation commands
Then
- Validate inactive result returned/not returned
"""
# prepare
mocked_search = mocker.patch(
'AnomaliThreatStreamv3.search_worst_indicator_by_params',
return_value=None)
mocker.patch.object(
demisto,
'params',
return_value={'include_inactive': include_inactive})
for ioc, value in [('ip', '8.8.8.8'), ('domain', 'google.com'),
('file', 'd26cec10398f2b10202d23c966022dce'),
('url', 'www.google.com')]:
mocker.patch.object(demisto, 'command', return_value=ioc)
mocker.patch.object(demisto, 'args', return_value={ioc: value})
# run
main()
# validate
mocked_search.call_args[0][1]['status'] == exp_status_param
def test_get_active_and_inactive_ioc(self, mocker, include_inactive,
exp_status_param):
"""
Given
- The Include inactive results flag is true/false
When
- Run the reputation commands
Then
- Validate inactive result returned/not returned
"""
# prepare
mocked_search = mocker.patch(
'AnomaliThreatStreamv3.search_worst_indicator_by_params',
return_value=None)
mocker.patch.object(
demisto,
'params',
return_value={'include_inactive': include_inactive})
for ioc in ['ip', 'domain', 'file', 'url']:
mocker.patch.object(demisto, 'command', return_value=ioc)
mocker.patch.object(demisto,
'args',
return_value={ioc: 'test_ioc'})
# run
main()
# validate
mocked_search.call_args[0][1]['status'] == exp_status_param
def test_ioc_reputation_with_thresholds_in_instance_param(
self, mocker, threshold_in_command, threshold_in_params,
exp_dbot_score):
"""
Given
- Thresholds levels defined for each ioc in the instance params and confidence are 55
When
- Run the reputation commands
Then
- Validate the dbot score was rated according to the threshold in the command
and only if not defined in the command will rate according the instance param
"""
# prepare
test_indicator = dict(confidence=55,
value='test_ioc',
asn='test_asn',
org='test_org',
tlp='test_tlp',
country='test_country',
meta=dict(registrant_name='test',
maltype='test_maltype'))
mocker.patch.object(demisto, 'results')
mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params',
return_value=test_indicator)
for ioc in ['ip', 'domain', 'file', 'url']:
mocker.patch.object(demisto,
'args',
return_value={
ioc: 'test_ioc',
'threshold': threshold_in_command
})
mocker.patch.object(demisto, 'command', return_value=ioc)
# THRESHOLDS_FROM_PARAM[ioc] = threshold_in_params
mocker.patch.object(
demisto,
'params',
return_value={f'{ioc}_threshold': threshold_in_params})
# run
main()
# validate
entry_context = demisto.results.call_args[0][0]['EntryContext']
assert entry_context[
Common.DBotScore.CONTEXT_PATH][0]['Score'] == exp_dbot_score
if exp_dbot_score == Common.DBotScore.BAD:
assert 'Malicious' in json.dumps(entry_context)
def test_reputation_commands__happy_path(self, mocker, ioc_type, ioc_value,
ioc_context_key):
"""
Given:
- Indicators for reputation
When:
- Call the reputations command
Then:
- Validate the expected results was returned
"""
# prepare
command = value_key = ioc_type.lower()
mocked_ioc_file_path = f'test_data/mocked_{command}_response.json'
mocked_ioc_result = util_load_json(mocked_ioc_file_path)
mocker.patch.object(Client,
'http_request',
return_value=mocked_ioc_result)
mocker.patch.object(demisto,
'args',
return_value={
value_key: ioc_value,
'status': 'active'
})
mocker.patch.object(demisto, 'command', return_value=command)
mocker.patch.object(demisto, 'results')
# run
main()
# validate
iocs = ioc_value.split(',')
mocked_ioc = mocked_ioc_result['objects'][0]
for i in range(len(iocs)):
command_result = demisto.results.call_args_list[i][0][0]
threat_stream_context = command_result['EntryContext'][
f'ThreatStream.{ioc_context_key}']
human_readable, contents = command_result[
'HumanReadable'], command_result['Contents']
expected_values = (DEFAULT_INDICATOR_MAPPING if ioc_type != 'File'
else FILE_INDICATOR_MAPPING).values()
assert all(expected_value in threat_stream_context
for expected_value in expected_values)
assert f'{ioc_type} reputation for: {iocs[i]}' in human_readable
assert mocked_ioc == contents
def test_ioc_reputation_with_thresholds_in_command(self, mocker,
confidence, threshold,
exp_dbot_score):
"""
Given
- Various thresholds levels
When
- Run the reputation commands
Then
- Validate the dbot score was rated according to the threshold
and Malicious key defined for the generic reputation in case confidence > theshold
"""
# prepare
test_indicator = dict(confidence=confidence,
value='test_ioc',
asn='',
meta=dict(registrant_name='test'))
mocker.patch.object(demisto, 'results')
mocker.patch('AnomaliThreatStreamv3.search_worst_indicator_by_params',
return_value=test_indicator)
for ioc in REPUTATION_COMMANDS:
ioc_arg_name = ioc if ioc != 'threatstream-email-reputation' else 'email'
mocker.patch.object(demisto,
'args',
return_value={
ioc_arg_name: 'test_ioc',
'threshold': threshold
})
mocker.patch.object(demisto, 'command', return_value=ioc)
# run
main()
# validate
entry_context = demisto.results.call_args[0][0]['EntryContext']
assert entry_context[
Common.DBotScore.CONTEXT_PATH][0]['Score'] == exp_dbot_score
if exp_dbot_score == Common.DBotScore.BAD and ioc_arg_name != 'email': # email is not a generic reputation
assert 'Malicious' in json.dumps(entry_context)
def test_get_commands__happy_path(self, mocker, command, command_args,
expected_context_keys):
"""
Given:
- Command made get request in ThreatStream with args
When:
- Run this command
Then:
- Validate expected result was returned
"""
# prepare
mocker.patch.object(Client,
'http_request',
side_effect=lambda *args, **kwargs: self.
mocked_http_get_response(command, **kwargs))
mocker.patch.object(demisto, 'args', return_value=command_args)
mocker.patch.object(demisto, 'command', return_value=command)
mocker.patch.object(demisto, 'results')
mocker.patch('AnomaliThreatStreamv3.fileResult',
return_value={
'File': 'test_name',
'FileID': 'test_id'
})
# run
main()
# validate
result = demisto.results.call_args[0][0]
context = result['EntryContext'].popitem(
)[1] if 'EntryContext' in result else result
if isinstance(context, list):
context = context[0]
assert all(key in context.keys() for key in expected_context_keys)
