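def test_ctr_positive_tool_enrich_refer_observables(module_headers,
                                                    module_tool_client):
    """Compare the refer-observables result of the custom python client with
    a direct POST to the Threat Response ``enrich/refer/observables``
    endpoint for one domain observable.

    ID: 7b8d86b5-a360-4f91-acd7-f2d9e4104b03

    Steps:

        1. Send a domain observable (``cisco.com``) to the refer observables
            endpoint of the Threat Response server using a direct POST call
        2. Send the same observable using the custom python module
        3. Compare results

    Expectedresults: Both calls reach the endpoint and return the same refer
        entity for the domain.

    Importance: Critical

    Args:
        module_headers: fixture; request headers (incl. auth) for the
            direct endpoint call.
        module_tool_client: fixture; the python client under test.
    """
    # The payload is a domain, not a hash: keep the docstring and the
    # assertions below ("Search for this domain") in line with it.
    observable = {'type': 'domain', 'value': 'cisco.com'}

    # Direct call to the endpoint: this is the reference result.
    direct_response = enrich_refer_observables(
        payload=[observable], headers=module_headers)['data'][0]
    # Same request routed through the client under test.
    tool_response = module_tool_client.enrich.refer.observables(
        [dict(observable)])['data'][0]

    assert tool_response['module']
    assert tool_response['title'] == 'Search for this domain'
    # The client must be a transparent wrapper: identical refer entity.
    assert direct_response == tool_response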
def test_positive_smoke_enrich_refer_observables(module_headers, observable,
                                                 observable_type):
    """Smoke-check the refer entity the AlienVault OTX module returns for
    one observable.

    ID: CCTRI-1336-1f700099-447c-4803-9df7-d1c97cc5abdb

    Steps:
        1. Send request to enrich refer observable endpoint

    Expectedresults:
        1. Response body contains refer entity with needed fields from
        AlienVault OTX module

    Importance: Critical

    Args:
        module_headers: fixture; request headers for the endpoint call.
        observable: fixture; the observable value to look up.
        observable_type: fixture; CTIM type of ``observable``.
    """
    full_response = enrich_refer_observables(
        payload=[{'type': observable_type, 'value': observable}],
        headers=module_headers,
    )
    refer = get_observables(full_response, MODULE_NAME)

    human_name = OBSERVABLE_HUMAN_READABLE_NAME[observable_type]
    # The refer id embeds the observable URL-encoded; safe='' also encodes
    # '/' so path-like values (URLs, file paths) cannot break the id.
    expected_id = (
        f'ref-avotx-search-{observable_type}-{quote(observable, safe="")}')

    assert refer['module'] == MODULE_NAME
    assert refer['module_instance_id']
    assert refer['module_type_id']
    assert refer['id'] == expected_id
    assert refer['title'] == f'Search for this {human_name}'
    assert refer['description'] == (
        f'Lookup this {human_name} on {INTEGRATION_NAME}')
    assert refer['categories'] == [INTEGRATION_NAME, 'Search']
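def test_positive_relay_refer_observables_sightings(module_headers, observable,
                                                    observable_type):
    """Check the refer entity the Qualys module returns for one observable.

    The ``observable``/``observable_type`` fixtures parametrize this test,
    so it is not limited to ``file_name`` as the previous docstring stated.

    ID: CCTRI-744-6114ff9d-e97f-47ae-ab41-6508eec000d6

    Steps:
        1. Send request with the parametrized observable to the refer
            observables endpoint

    Expectedresults:
        1. Check that data in response body contains expected information
            from Qualys module

    Importance: Critical

    Args:
        module_headers: fixture; request headers for the endpoint call.
        observable: fixture; the observable value to look up.
        observable_type: fixture; CTIM type of ``observable``.
    """
    full_response = enrich_refer_observables(
        payload=[{'value': observable, 'type': observable_type}],
        headers=module_headers,
    )
    # What comes back is a refer entity (a search link), not a sighting.
    refer = get_observables(full_response, MODULE_NAME)
    human_name = OBSERVABLE_HUMAN_READABLE_NAME[observable_type]

    assert refer['module'] == MODULE_NAME
    assert refer['module_instance_id']
    assert refer['module_type_id']
    assert refer['description']
    # The Qualys refer id embeds the raw observable (no URL-encoding);
    # keep this expectation in sync with the module if that changes.
    assert refer['id'] == f'ref-qualys-search-{observable_type}-{observable}'
    # Prefix check only: it pins the scheme and the Qualys platform host,
    # but a longer host such as '...qualys.com.example' would also pass.
    # Tighten to an exact urlsplit().netloc comparison if the target host
    # ever derives from input rather than from the module's configuration.
    assert refer['url'].startswith(
        'https://qualysguard.qg3.apps.qualys.com')
    assert refer['title'] == f'Search for this {human_name}'
    assert refer['categories'] == ['Qualys', 'Search']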
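def test_positive_smoke_enrich_refer_observables(module_headers, observable,
                                                 observable_type):
    """Check the two refer entities (browse + search) the Urlscan module
    returns for one observable.

    ID: CCTRI-1033-3f3a7a0f-cac8-4111-ab5a-2aa783fac9be

    Steps:
        1. Send request to enrich refer observable endpoint

    Expectedresults:
        1. Response body contains refer entity with needed fields from Urlscan
         module

    Importance: Critical

    Args:
        module_headers: fixture; request headers for the endpoint call.
        observable: fixture; the observable value to look up.
        observable_type: fixture; CTIM type of ``observable``.
    """
    full_response = enrich_refer_observables(
        payload=[{'type': observable_type, 'value': observable}],
        headers=module_headers,
    )
    refer_entities = get_observables(full_response, MODULE_NAME)
    # One "Browse ..." and one "Search ..." entity per observable.
    assert len(refer_entities) == 2

    # urlscan.io serves IPv4 and IPv6 under the same 'ip' path segment.
    observable_category = 'ip' if observable_type == 'ipv6' else observable_type
    # Search queries quote every value except a bare domain.
    search_value = (observable if observable_type == 'domain'
                    else f'"{observable}"')
    expected_urls = {
        'browse': f'{URL}/{observable_category}/{observable}',
        'search': f'{URL}/search/#{observable_category}:{search_value}',
    }
    # Exact title -> search kind. The previous check
    # (`title in 'Search for this X, Browse X'`) was a substring test and
    # also accepted any fragment of that string, e.g. the bare type name.
    expected_titles = {
        f'{BROWSE} {observable_type}': 'browse',
        f'{SEARCH_FOR_THIS} {observable_type}': 'search',
    }
    module_short_name = MODULE_NAME.split('.')[0]

    for entity in refer_entities:
        title = entity['title']
        if title.startswith('Browse'):
            search_type = 'browse'
        elif title.startswith('Search'):
            search_type = 'search'
        else:
            raise AssertionError('Unsupported type')

        assert entity['module'] == MODULE_NAME
        assert entity['module_instance_id']
        assert entity['module_type_id']
        # safe='' also encodes '/', so URL/path observables keep a flat id.
        assert entity['id'] == (
            f'ref-{module_short_name}-{search_type}-'
            f'{observable_type}-{quote(observable, safe="")}'
        )
        assert title in expected_titles
        assert expected_titles[title] == search_type
        assert entity['description'] == (
            f'Check this {observable_type} status with {URLSCAN}'
        )
        assert entity['categories'] == [URLSCAN, search_type.capitalize()]
        assert entity['url'] == expected_urls[search_type]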
def test_positive_refer_observables(module_headers, observable,
                                    observable_type):
    """Check the refer entity the Gigamon ThreatINSIGHT module returns for
    one observable.

    ID: CCTRI-894-1cbaf12e-b4db-4d42-bbd5-ff7666b46ccc

    Steps:
        1. Send request to enrich refer observables endpoint and check response


    Expectedresults:
        1. Response body contains refer entity with needed fields from Gigamon
         ThreatINSIGHT module

    Importance: Critical

    Args:
        module_headers: fixture; request headers for the endpoint call.
        observable: fixture; the observable value to look up.
        observable_type: fixture; CTIM type of ``observable``.
    """
    full_response = enrich_refer_observables(
        payload=[{'type': observable_type, 'value': observable}],
        headers=module_headers,
    )
    refer = get_observables(full_response, MODULE_NAME)
    human_name = OBSERVABLE_HUMAN_READABLE_NAME[observable_type]

    # Both the id and the search URL embed the raw observable: this module
    # does not URL-encode it, so the expectations here must not either.
    expected = {
        'module': MODULE_NAME,
        'id': f'ref-gti-search-{observable_type}-{observable}',
        'title': f'Search for this {human_name}',
        'description': f'Lookup this {human_name} on {INTEGRATION_NAME}',
        'categories': [INTEGRATION_NAME, 'Search'],
        'url': f'{GIGAMON_URL}/search?query={observable}',
    }

    assert refer['module_instance_id']
    assert refer['module_type_id']
    for field, value in expected.items():
        assert refer[field] == value