def setUp(self) -> None:
base_url = "https://api.recordedfuture.com/v2/"
verify_ssl = True
self.token = os.environ.get("RF_TOKEN")
headers = {
"X-RFToken": self.token,
"X-RF-User-Agent": "Cortex_XSOAR/2.0 Cortex_XSOAR_unittest_0.1",
}
self.client = Client(
base_url=base_url, verify=verify_ssl, headers=headers, proxy=None
)
def setUp(self) -> None:
base_url = 'https://api.recordedfuture.com/v2/'
verify_ssl = True
self.token = os.environ.get('RF_TOKEN')
headers = {
'X-RFToken': self.token,
'X-RF-User-Agent': 'Cortex_XSOAR/2.0 Cortex_XSOAR_unittest_0.1'
}
self.client = Client(base_url=base_url, verify=verify_ssl,
headers=headers, proxy=None)
def create_client():
base_url = "https://api.recordedfuture.com/gw/xsoar/"
verify_ssl = True
token = os.environ.get("RF_TOKEN")
headers = {
"X-RFToken": token,
"X-RF-User-Agent": "Cortex_XSOAR/2.0 Cortex_XSOAR_unittest_0.1",
}
return Client(
base_url=base_url, verify=verify_ssl, headers=headers, proxy=None
)
class RFTest(unittest.TestCase):
def setUp(self) -> None:
base_url = "https://api.recordedfuture.com/v2/"
verify_ssl = True
self.token = os.environ.get("RF_TOKEN")
headers = {
"X-RFToken": self.token,
"X-RF-User-Agent": "Cortex_XSOAR/2.0 Cortex_XSOAR_unittest_0.1",
}
self.client = Client(
base_url=base_url, verify=verify_ssl, headers=headers, proxy=None
)
self.actions = Actions(self.client)
@vcr.use_cassette()
def test_ip_reputation(self) -> None:
resp = self.actions.lookup_command("37.48.83.137", "ip")
entity = resp[0].to_context()["Contents"]["data"]["results"][0]
context = resp[0].to_context()["EntryContext"]['RecordedFuture.IP(val.name && val.name == obj.name)']
self.assertIsInstance(resp[0], CommandResults)
# there are many rules that are concatenated
self.assertIn(',', context["rules"])
self.assertEqual("37.48.83.137", entity["entity"]["name"])
@vcr.use_cassette()
def test_intelligence(self) -> None:
resp = self.actions.enrich_command("125.63.101.62", "ip", True, True)
context = resp[0].to_context()["EntryContext"]['RecordedFuture.IP(val.name && val.name == obj.name)'] # noqa
self.assertIsInstance(resp[0], CommandResults)
# rules are concatenated
self.assertIn(',', context['concatRules'])
self.assertEqual(
"125.63.101.62", resp[0].to_context()["Contents"]["data"]["name"]
)
@vcr.use_cassette()
def test_whoami(self) -> None:
resp = self.client.whoami()
self.assertEqual(isinstance(resp, dict), True)
@vcr.use_cassette()
def test_intelligence_profile(self) -> None:
"""Will fetch related entities even if related_entities param is false""" # noqa
resp = self.actions.enrich_command("184.168.221.96", "ip", True, False, "Vulnerability Analyst") # noqa
self.assertIsInstance(resp[0], CommandResults)
data = resp[0].raw_response['data']
list_of_lists = sorted([[*entry][0] for entry in data['relatedEntities']]) # noqa
expected = ['RelatedMalwareCategory', 'RelatedMalware', 'RelatedThreatActor'] # noqa
self.assertEqual(list_of_lists, sorted(expected))
@vcr.use_cassette()
def test_threat_assessment(self) -> None:
context = "phishing"
entities = {
"ip": ["8.8.8.8", "1.1.1.1"],
"domain": ["www.feddoctor.com"],
"hash": [
"fa964842244e752950fd4ed711759382a"
"8950e13cc2794d6f73ab7eb9169e5ee"
],
"url": ["https://sites.google.com/site/unblockingnotice/"],
"vulnerability": ["CVE-2020-8813", "CVE-2011-3874"],
}
# mocker.patch.object(DBotScore, 'get_integration_name', return_value='Recorded Future v2')
resp = self.actions.triage_command(entities, context)
self.assertIsInstance(resp[0], CommandResults)
self.assertFalse(resp[0].to_context()["Contents"]["verdict"])
self.assertEqual("phishing", resp[0].to_context()["Contents"]["context"])
@vcr.use_cassette()
def test_threat_assessment_empty(self) -> None:
"""Filters away empty entities"""
context = "phishing"
entities = {
"ip": ["8.8.8.8", "1.1.1.1"],
"domain": ["www.feddoctor.com"],
"hash": [
"fa964842244e752950fd4ed711759382a"
"8950e13cc2794d6f73ab7eb9169e5ee"
],
"url": ["https://sites.google.com/site/unblockingnotice/"],
"vulnerability": ["CVE-2020-8813", "CVE-2011-3874"],
"filter": "yes"
}
resp = self.actions.triage_command(entities, context)
context = resp[0].to_context()
self.assertIsInstance(resp[0], CommandResults)
self.assertFalse(context["Contents"]["verdict"])
self.assertEqual("phishing", context["Contents"]["context"])
scores = [e for e in context["Contents"]['Entities'] if e['score'] == 0]
self.assertEqual(len(scores), 0, "Response contains entities with zero score") # noqa
@vcr.use_cassette()
def test_get_alerting_rules(self) -> None:
resp = self.actions.get_alert_rules_command(rule_name="", limit=10)
self.assertTrue(resp)
self.assertTrue(resp["Contents"]["data"])
self.assertIsInstance(resp, dict)
self.assertIsNotNone(resp["Contents"]["data"]["results"])
@vcr.use_cassette()
def test_get_alerts(self) -> None:
resp = self.actions.get_alerts_command(params={'limit': 200})
self.assertTrue(resp)
self.assertTrue(resp["Contents"]["data"])
self.assertIsInstance(resp, dict)
self.assertIsNotNone(resp["Contents"]["data"]["results"])
@vcr.use_cassette()
def test_single_alert_vulnerability(self) -> None:
"""Gets data for an alert related to vulnerabilities"""
resp = self.actions.get_alert_single_command("f1IGiW")
self.assertTrue(resp.get('HumanReadable'))
@vcr.use_cassette()
def test_single_alert_credential_leaks(self):
"""Alert related to credential leaks"""
resp = self.actions.get_alert_single_command("fzpmIG")
self.assertTrue(resp.get('HumanReadable'))
context = resp['EntryContext']['RecordedFuture.SingleAlert(val.ID === obj.id)'] # noqa
entity = context['flat_entities'][0]
self.assertIn('documents', context.keys())
self.assertIn('flat_entities', context.keys())
self.assertIn('fragment', entity.keys())
self.assertIn('name', entity.keys())
self.assertIn('id', entity.keys())
self.assertIn('type', entity.keys())
@vcr.use_cassette()
def test_single_alert_typosquat(self):
"""Alert related to typosquats"""
resp = self.actions.get_alert_single_command("fp0_an")
self.assertTrue(resp.get('HumanReadable'))
@vcr.use_cassette()
def test_get_links_command(self):
"""Get Technical Links"""
resp = self.actions.get_links_command('152.169.22.67', 'ip')
context = resp.to_context()
self.assertIsInstance(resp, CommandResults)
self.assertTrue(context.get('HumanReadable'))
self.assertTrue(context.get('Contents'))
@vcr.use_cassette()
def test_get_alert_set_status_command(self):
"""Set a status for alert"""
alert_status = 'no-action'
alert_id = 'jrhrfx'
resp = self.actions.alert_set_status(alert_id, alert_status)
context = resp.to_context()
self.assertIsInstance(resp, CommandResults)
self.assertTrue(context.get('HumanReadable'))
self.assertTrue(context.get('Contents'))
self.assertEqual(context['Contents']['status'], alert_status)
@vcr.use_cassette()
def test_get_alert_set_note(self):
"""Set a note for alert"""
note_text = 'note unittest'
alert_id = 'jrhrfx'
resp = self.actions.alert_set_note(alert_id, note_text)
context = resp.to_context()
self.assertIsInstance(resp, CommandResults)
self.assertTrue(context.get('HumanReadable'))
self.assertTrue(context.get('Contents'))
self.assertEqual(context['Contents']['note']['text'], note_text)