def test_cyberint_alerts_get_attachment_command(requests_mock):
"""
Scenario: Retrieve alert attachment.
Given:
- User has provided valid credentials and arguments.
When:
- A alerts-get-attachment called and there attachments reference in the response.
Then:
- Ensure that the return ContentsFormat of the file is 'text'.
- Ensure that the return Type is file.
- Ensure the name of the file.
"""
from Cyberint import Client, cyberint_alerts_get_attachment_command
with open('test_data/attachment_file_mock.png', 'rb') as png_content_mock:
requests_mock.get(f'{BASE_URL}/api/v1/alerts/ARG-3/attachments/X',
content=png_content_mock.read())
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
result = cyberint_alerts_get_attachment_command(
client, "ARG-3", "X", "attachment_file_mock.png")
assert result['ContentsFormat'] == 'text'
assert result['Type'] == EntryType.FILE
assert result['File'] == "attachment_file_mock.png"
def test_cyberint_alerts_status_update_command(requests_mock):
"""
Scenario: Update alert statuses.
Given:
- User has provided valid credentials.
When:
- cyberint_alert_update is called.
- Fetch incidents - for each incident
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from Cyberint import Client, cyberint_alerts_status_update
mock_response = {}
requests_mock.put(f'{BASE_URL}/api/v1/alerts/status', json=mock_response)
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
result = cyberint_alerts_status_update(client, {
'alert_ref_ids': 'alert1',
'status': 'acknowledged'
})
assert len(result.outputs) == 1
assert result.outputs_prefix == 'Cyberint.Alert'
assert result.outputs[0].get('ref_id') == 'alert1'
result = cyberint_alerts_status_update(client, {
'alert_ref_ids': 'alert1,alert2',
'status': 'acknowledged'
})
assert len(result.outputs) == 2
assert result.outputs_prefix == 'Cyberint.Alert'
assert result.outputs[1].get('ref_id') == 'alert2'
def test_extract_data_from_csv_stream(requests_mock):
"""
Scenario: Extract data out of a downloaded csv file.
Given:
- User has provided valid credentials.
When:
- A fetch command is called and there is a CSV file reference in the response.
Then:
- Ensure all fields in the CSV are returned.
- Ensure the wanted fields are found when downloaded.
- Ensure a sample value matches what is in the sample CSV.
"""
from Cyberint import Client, extract_data_from_csv_stream, CSV_FIELDS_TO_EXTRACT
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
mock_response = load_mock_response('csv_no_username.csv')
requests_mock.get(f'{BASE_URL}/api/v1/alerts/alert_id/attachments/123',
json=mock_response)
result = extract_data_from_csv_stream(client, 'alert_id', '123')
assert len(result) == 0
mock_response = load_mock_response('csv_example.csv')
requests_mock.get(f'{BASE_URL}/api/v1/alerts/alert_id/attachments/123',
json=mock_response)
result = extract_data_from_csv_stream(client,
'alert_id',
'123',
delimiter=b'\\n')
assert len(result) == 6
assert list(result[0].keys()) == [
value.lower() for value in CSV_FIELDS_TO_EXTRACT
]
assert result[0]['username'] == 'l1'
def test_cyberint_alerts_fetch_command(requests_mock):
"""
Scenario: List alerts
Given:
- User has provided valid credentials.
When:
- cyberint_alert_list is called.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from Cyberint import Client, cyberint_alerts_fetch_command
mock_response = load_mock_response('csv_example.csv')
requests_mock.get(f'{BASE_URL}/api/v1/alerts/ARG-3/attachments/X',
json=mock_response)
mock_response = json.loads(load_mock_response('list_alerts.json'))
requests_mock.post(f'{BASE_URL}/api/v1/alerts', json=mock_response)
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
result = cyberint_alerts_fetch_command(client, {})
assert len(result.outputs) == 3
assert result.outputs_prefix == 'Cyberint.Alert'
assert result.outputs[0].get('ref_id') == 'ARG-3'
def test_cyberint_alerts_analysis_report_command(requests_mock):
"""
Scenario: Retrieve expert analysis report.
Given:
- User has provided valid credentials and arguments.
When:
- A alerts-analysis-report is called and there analysis report reference in the response.
Then:
- Ensure that the return ContentsFormat of the file is 'text'.
- Ensure that the return Type is file.
- Ensure the name of the file.
"""
from Cyberint import Client, cyberint_alerts_get_analysis_report_command
pdf_content_mock = open('test_data/expert_analysis_mock.pdf', 'rb')
requests_mock.get(f'{BASE_URL}/api/v1/alerts/ARG-4/analysis_report',
content=pdf_content_mock.read())
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
result = cyberint_alerts_get_analysis_report_command(
client, "ARG-4", "expert_analysis_mock.pdf")
assert result['ContentsFormat'] == 'text'
assert result['Type'] == EntryType.FILE
assert result['File'] == "expert_analysis_mock.pdf"
def test_fetch_incidents(requests_mock) -> None:
"""
Scenario: Fetch incidents.
Given:
- User has provided valid credentials.
- Headers and JWT token have been set.
When:
- Every time fetch_incident is called (either timed or by command).
Then:
- Ensure number of incidents is correct.
- Ensure last_fetch is correctly configured according to mock response.
"""
from Cyberint import Client, fetch_incidents
mock_response = load_mock_response('csv_example.csv')
requests_mock.get(f'{BASE_URL}/api/v1/alerts/ARG-3/attachments/123',
json=mock_response)
mock_response = json.loads(load_mock_response('list_alerts.json'))
requests_mock.post(f'{BASE_URL}/api/v1/alerts', json=mock_response)
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
last_fetch, incidents = fetch_incidents(client, {'last_fetch': 100000000},
'3 days', [], [], [], [], 50)
wanted_time = datetime.timestamp(
datetime.strptime('2020-12-30T00:00:57Z', DATE_FORMAT))
assert last_fetch.get('last_fetch') == wanted_time * 1000
assert len(incidents) == 3
assert incidents[0].get(
'name') == 'Cyberint alert ARG-3: Company Customer Credentials Exposed'
def test_fetch_incidents_empty_response(requests_mock):
"""
Scenario: Fetch incidents but there are no incidents to return.
Given:
- User has provided valid credentials.
- Headers and JWT token have been set.
When:
- Every time fetch_incident is called (either timed or by command).
- There are no incidents to return.
Then:
- Ensure number of incidents is correct (None).
- Ensure last_fetch is correctly configured according to mock response.
"""
from Cyberint import Client, fetch_incidents
mock_response = json.loads(load_mock_response('empty.json'))
requests_mock.post(f'{BASE_URL}/api/v1/alerts', json=mock_response)
client = Client(base_url=BASE_URL,
verify_ssl=False,
access_token='xxx',
proxy=False)
last_fetch, incidents = fetch_incidents(client, {'last_fetch': 100000000},
'3 days', [], [], [], [], 50)
assert last_fetch.get('last_fetch') == 100001000
assert len(incidents) == 0
