def test_get_remote_data_command_with_rate_limit_exception(mocker):
    """
    Given:
        - an XDR client
        - arguments (``id`` and ``lastUpdate`` set lower than the incident modification time)
        - ``get_incident_extra_data_command`` raising a rate-limit exception
    When:
        - running ``get_remote_data_command``
    Then:
        - the command exits (``SystemExit``) with the fixed "API rate limit" error content,
          so the server stops the sync loop and resumes from the last incident.

    Note: only the normalized "API rate limit" message is asserted; the raw exception
    text used by the mock ("Rate limit exceeded") is not what the assertion checks.
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    # Capture whatever the command reports back instead of letting it reach the server.
    mocker.patch.object(demisto, 'results')
    # Simulate the upstream rate limit being hit while fetching the incident's extra data.
    mocker.patch(
        'PaloAltoNetworks_XDR.get_incident_extra_data_command',
        side_effect=Exception("Rate limit exceeded"),
    )

    with pytest.raises(SystemExit):
        get_remote_data_command(xdr_client, command_args)

    reported = demisto.results.call_args[0][0]
    assert reported.get('Contents') == "API rate limit"
def test_get_remote_data_command_should_close_issue(requests_mock):
    """
    Given:
        - an XDR client
        - arguments (``id`` and ``lastUpdate`` set lower than the incident modification time)
        - a raw incident (get-extra-data result) whose status says it was resolved on the XDR side
    When:
        - running ``get_remote_data_command``
    Then:
        - ``mirrored_object`` in the ``GetRemoteDataResponse`` equals the expected modified incident
          (flattened alert/artifact lists, ``id`` copied from ``incident_id``, ``closeReason``/``closeNotes`` set)
        - ``entries`` in the response contains the closing entry that tells the server to close the incident.
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']
    # Mark the fixture incident as resolved on the XDR side before it is served to the command.
    reply['incident']['status'] = 'resolved_threat_handled'
    reply['incident']['resolve_comment'] = 'Handled'

    expected = reply['incident'].copy()
    # The command is expected to lift each section's 'data' list to the top level.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected[section] = reply.get(section).get('data')
    expected['id'] = expected.get('incident_id')
    expected['assigned_user_mail'] = ''
    expected['assigned_user_pretty_name'] = ''
    expected['closeReason'] = 'Resolved'
    expected['closeNotes'] = 'Handled'
    expected['in_mirror_error'] = ''
    del expected['creation_time']

    closing_entry = {
        'Type': 1,
        'Contents': {
            'dbotIncidentClose': True,
            'closeReason': 'Resolved',
            'closeNotes': 'Handled',
        },
        'ContentsFormat': 'json',
    }

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )
    response = get_remote_data_command(xdr_client, command_args)

    # Normalize list ordering on the expected side the same way the command does.
    sort_all_list_incident_fields(expected)
    assert response.mirrored_object == expected
    assert closing_entry in response.entries
def test_get_remote_data_command_sync_owners(requests_mock, mocker):
    """
    Given:
        - an XDR client with the ``sync_owners`` integration parameter enabled
        - arguments (``id`` and ``lastUpdate`` set lower than the incident modification time)
        - a raw incident (get-extra-data result) carrying an ``assigned_user_mail``
        - ``demisto.findUser`` resolving that mail to a server user
    When:
        - running ``get_remote_data_command``
    Then:
        - ``mirrored_object`` in the ``GetRemoteDataResponse`` equals the expected modified incident,
          with ``owner`` set from the user resolved for the assigned mail
        - ``entries`` in the response is empty.
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    # Enable owner syncing and control the mail -> user lookup the command performs.
    mocker.patch.object(demisto, 'params', return_value={"sync_owners": True})
    # NOTE(review): the mocked user carries username '******' while the expected owner
    # below is 'username' — the value looks redacted; confirm the two are meant to agree.
    mocker.patch.object(demisto, 'findUser', return_value={
        "email": "*****@*****.**",
        'username': '******',
    })

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']
    reply['incident']['assigned_user_mail'] = '*****@*****.**'

    expected = reply['incident'].copy()
    # The command is expected to lift each section's 'data' list to the top level.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected[section] = reply.get(section).get('data')
    expected['id'] = expected.get('incident_id')
    expected['assigned_user_mail'] = '*****@*****.**'
    expected['assigned_user_pretty_name'] = None
    expected['owner'] = 'username'
    expected['in_mirror_error'] = ''
    del expected['creation_time']

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )
    response = get_remote_data_command(xdr_client, command_args)

    # Normalize list ordering on the expected side the same way the command does.
    sort_all_list_incident_fields(expected)
    assert response.mirrored_object == expected
    assert response.entries == []
def test_get_remote_data_command_should_update(requests_mock):
    """
    Given:
        - an XDR client
        - arguments (``id`` and ``lastUpdate`` set lower than the incident modification time)
        - a raw incident (get-extra-data result) that is neither closed nor assigned
    When:
        - running ``get_remote_data_command``
    Then:
        - ``mirrored_object`` in the ``GetRemoteDataResponse`` equals the expected modified incident
          (flattened alert/artifact lists, ``id`` copied from ``incident_id``, blank assignee fields)
        - ``entries`` in the response is empty, i.e. no closing entry is produced.
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']

    expected = reply['incident'].copy()
    # The command is expected to lift each section's 'data' list to the top level.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected[section] = reply.get(section).get('data')
    expected['id'] = expected.get('incident_id')
    expected['assigned_user_mail'] = ''
    expected['assigned_user_pretty_name'] = ''
    expected['in_mirror_error'] = ''
    del expected['creation_time']

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )
    response = get_remote_data_command(xdr_client, command_args)

    # Normalize list ordering on the expected side the same way the command does.
    sort_all_list_incident_fields(expected)
    assert response.mirrored_object == expected
    assert response.entries == []