def test_next_fetch(requests_mock):
mock_date = "2010-01-01T00:00:00Z"
requests_mock.get(MOCK_URL + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z"
"&threatStatus=active&threatStatus=cleared",
json=MOCK_ALL_EVENTS)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False
)
next_run, incidents = fetch_incidents(
client=client,
last_run={"last_fetch": mock_date},
first_fetch_time="3 month",
event_type_filter=ALL_EVENTS,
threat_status=["active", "cleared"],
threat_type=""
)
assert len(incidents) == 4
assert json.loads(incidents[0]['rawJSON'])["messageID"] == "*****@*****.**"
assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_list_most_attacked_users_command(requests_mock):
"""
Scenario: Retrieves a list of the most attacked users in the organization for a given period.
Given:
- User has provided valid credentials and argument.
When:
- A get-vap command is called and there is a attacked people in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, list_most_attacked_users_command
mock_response = json.loads(load_mock_response('most_attacked_users.json'))
requests_mock.get(f'{MOCK_URL}/v2/people/vap', json=mock_response)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
result = list_most_attacked_users_command(client, "")
assert len(result.outputs) == 5
assert result.outputs_prefix == 'Proofpoint.Vap'
assert result.outputs.get('users')[0].get('identity').get('guid') == "88e36bf359-99e8-7e53-f58a-6df8b430be6d"
assert result.outputs.get('totalVapUsers') == 2
def test_first_fetch_incidents(mocked_parse_date_range, requests_mock):
mock_date = "2010-01-01T00:00:00Z"
mocked_parse_date_range.return_value = (mock_date, "never mind")
requests_mock.get(MOCK_URL + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z",
json=MOCK_ALL_EVENTS)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False
)
next_run, incidents = fetch_incidents(
client=client,
last_run={},
first_fetch_time="3 month",
event_type_filter=ALL_EVENTS,
threat_status="",
threat_type=""
)
assert len(incidents) == 4
assert json.loads(incidents[0]['rawJSON'])["messageID"] == "*****@*****.**"
assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_get_top_clickers_command(requests_mock):
"""
Scenario: Retrieves a list of the top clickers in the organization for a given period.
Given:
- User has provided valid credentials and argument.
When:
- A get_top_clickers command is called and there is clickers in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, get_top_clickers_command
mock_response = json.loads(load_mock_response('top_clickers.json'))
requests_mock.get(f'{MOCK_URL}/v2/people/top-clickers', json=mock_response)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
result = get_top_clickers_command(client, "")
assert len(result.outputs) == 3
assert result.outputs_prefix == 'Proofpoint.Topclickers'
assert result.outputs.get('users')[1].get('identity').get('guid') == "b4077fsv0e-3a2e-767f-7315-c049f831cc95"
assert result.outputs.get('totalTopClickers') == 2
def test_list_campaigns_command(requests_mock):
"""
Scenario: Retrieves a list of IDs of campaigns active in a time window.
Given:
- User has provided valid credentials.
When:
- A list-campaign-ids command is called and there is campaigns in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, list_campaigns_command
mock_response = json.loads(load_mock_response('campaigns.json'))
requests_mock.get(f'{MOCK_URL}/v2/campaign/ids', json=mock_response)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
result = list_campaigns_command(client, "3 days")
assert len(result.outputs) == 2
assert result.outputs_prefix == 'Proofpoint.Campaign'
assert result.outputs[0].get('id') == "f3ff0874-85ef-475e-b3fe-d05f97b2ed3f"
assert result.outputs[0].get('lastUpdatedAt') == "2021-03-25T10:37:46.000Z"
def test_get_campaign(requests_mock):
"""
Scenario: Retrieves information for a given campaign.
Given:
- User has provided valid credentials and argument.
When:
- A get-campaign command is called and there is a campaign in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, get_campaign_command
mock_response = json.loads(load_mock_response('campaign_information.json'))
requests_mock.get(f'{MOCK_URL}/v2/campaign/1', json=mock_response)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
result = get_campaign_command(client, "1")
assert len(result.outputs) == 7
assert result.outputs_prefix == 'Proofpoint.Campaign'
assert result.outputs.get('info').get('id') == "aa9b3d62-4d72-4ebc-8f39-3da3833e7038"
def test_next_fetch(requests_mock, mocker):
mock_date = "2010-01-01T00:00:00Z"
mocker.patch('ProofpointTAP_v2.get_now', return_value=datetime.strptime(mock_date, "%Y-%m-%dT%H:%M:%SZ"))
requests_mock.get(MOCK_URL + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%'
'2F2010-01-01T00%3A00%3A00Z&threatStatus=active&threatStatus=cleared',
json=MOCK_ALL_EVENTS)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
next_run, incidents, _ = fetch_incidents(
client=client,
last_run={"last_fetch": mock_date},
first_fetch_time="3 month",
event_type_filter=ALL_EVENTS,
threat_status=["active", "cleared"],
threat_type="",
limit=50
)
assert len(incidents) == 4
assert json.loads(incidents[3]['rawJSON'])["messageID"] == "4444"
def test_get_messages_command(requests_mock):
"""
Scenario: Retrieves messages to malicious URLs blocked and delivered in the specified time period.
Given:
- User has provided valid credentials and arguments.
When:
- A get-messages command is called and there is messages in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, get_messages_command
requests_mock.get(f'{MOCK_URL}/v2/siem/messages/blocked',
json={'queryEndTime': '2021-03-23T14:00:00Z', 'messagesBlocked': [MOCK_BLOCKED_MESSAGE]})
requests_mock.get(f'{MOCK_URL}/v2/siem/messages/delivered',
json={'queryEndTime': '2021-03-23T14:00:00Z', 'messagesDelivered': [MOCK_DELIVERED_MESSAGE]})
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
blocked_result = get_messages_command(client, True, "3 days")
delivered_result = get_messages_command(client, False, "3 days")
assert len(blocked_result.outputs) == 1
assert blocked_result.outputs_prefix == 'Proofpoint.MessagesBlocked'
assert blocked_result.outputs[0].get('messageID') == "*****@*****.**"
assert len(delivered_result.outputs) == 1
assert delivered_result.outputs_prefix == 'Proofpoint.MessagesDelivered'
assert delivered_result.outputs[0].get('messageID') == "*****@*****.**"
def test_first_fetch_incidents(requests_mock, mocker):
mocker.patch('ProofpointTAP_v2.get_now',
return_value=get_mocked_time())
mocker.patch('ProofpointTAP_v2.parse_date_range', return_value=("2010-01-01T00:00:00Z", 'never mind'))
requests_mock.get(
MOCK_URL + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z',
json=MOCK_ALL_EVENTS)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
next_run, incidents, _ = fetch_incidents(
client=client,
last_run={},
first_fetch_time="3 month",
event_type_filter=ALL_EVENTS,
threat_status="",
threat_type=""
)
assert len(incidents) == 4
assert json.loads(incidents[3]['rawJSON'])["messageID"] == "4444"
def test_url_decode(requests_mock):
"""
Scenario: Decode URLs that have been rewritten by TAP to their original, target URL.
Given:
- User has provided valid credentials and arguments.
When:
- A url-decode command is called.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, url_decode_command
mock_response = json.loads(load_mock_response('url_decode.json'))
requests_mock.post(f'{MOCK_URL}/v2/url/decode', json=mock_response)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
result = url_decode_command(client, "")
assert len(result.outputs) == 2
assert result.outputs_prefix == 'Proofpoint.URL'
assert result.outputs[1].get('decodedUrl') == "http://www.bouncycastle.org/"
def test_fetch_incidents_with_encoding(requests_mock, mocker):
"""
Given:
- Message with latin chars in its subject
- Raw JSON encoding param set to latin-1
When:
- Running fetch incidents
Then:
- Ensure subject is returned properly in the raw JSON
"""
mocker.patch(
'ProofpointTAP_v2.get_now',
return_value=get_mocked_time()
)
mocker.patch(
'ProofpointTAP_v2.parse_date_range',
return_value=("2010-01-01T00:00:00Z", 'never mind')
)
requests_mock.get(
MOCK_URL + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z',
json={
"messagesDelivered": [
{
'subject': 'p\u00c3\u00a9rdida',
'messageTime': '2010-01-30T00:00:59.000Z',
},
],
},
)
client = Client(
proofpoint_url=MOCK_URL,
api_version='v2',
service_principal='user1',
secret='123',
verify=False,
proxies=None,
)
_, incidents, _ = fetch_incidents(
client=client,
last_run={},
first_fetch_time='3 month',
event_type_filter=ALL_EVENTS,
threat_status='',
threat_type='',
raw_json_encoding='latin-1',
)
assert json.loads(incidents[0]['rawJSON'])['subject'] == 'pérdida'
def test_fetch_limit(requests_mock, mocker):
mock_date = "2010-01-01T00:00:00Z"
this_run = {"last_fetch": "2010-01-01T00:00:00Z"}
mocker.patch('ProofpointTAP_v2.get_now', return_value=datetime.strptime(mock_date, "%Y-%m-%dT%H:%M:%SZ"))
requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
next_run, incidents, remained = fetch_incidents(
client=client,
last_run=this_run,
first_fetch_time="3 days",
event_type_filter=ALL_EVENTS,
threat_status=["active", "cleared"],
threat_type="",
limit=3
)
assert next_run['last_fetch'] == '2010-01-01T00:00:00Z'
assert len(incidents) == 3
assert len(remained) == 1
# test another run
next_run, incidents, remained = fetch_incidents(
client=client,
last_run=this_run,
first_fetch_time="3 days",
event_type_filter=ALL_EVENTS,
threat_status=["active", "cleared"],
threat_type="",
limit=3,
integration_context={'incidents': remained}
)
assert next_run['last_fetch'] == '2010-01-01T00:00:00Z'
assert len(incidents) == 1
assert not remained
def test_command(requests_mock):
requests_mock.get(MOCK_URL + "/v2/siem/issues?format=json&sinceSeconds=100&threatType=url&threatType=attachment",
json=MOCK_ISSUES)
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False
)
args = {
"threatType": "url,attachment",
"sinceSeconds": "100",
"eventTypes": ISSUES_EVENTS
}
_, outputs, _ = get_events_command(client, args)
assert len(outputs["Proofpoint.MessagesDelivered(val.GUID == obj.GUID)"]) == 1
assert len(outputs["Proofpoint.ClicksPermitted(val.GUID == obj.GUID)"]) == 1
def test_fetch_limit(requests_mock):
mock_date = "2010-01-01T00:00:00Z"
requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)
client = Client(proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None)
next_run, incidents = fetch_incidents(client=client,
last_run={"last_fetch": mock_date},
first_fetch_time="3 month",
event_type_filter=ALL_EVENTS,
threat_status=["active", "cleared"],
threat_type="",
limit=3)
assert len(incidents) == 3
assert next_run.get('last_fetch') == '2010-01-11T00:00:21Z'
def test_list_issues_command(requests_mock):
"""
Scenario: Retrieves events for clicks to malicious URLs permitted and messages delivered in the specified time period.
Given:
- User has provided valid credentials and arguments.
When:
- A list_issues command is called and there is clicks and messages in the response.
Then:
- Ensure number of items is correct.
- Ensure outputs prefix is correct.
- Ensure a sample value from the API matches what is generated in the context.
"""
from ProofpointTAP_v2 import Client, list_issues_command
requests_mock.get(f'{MOCK_URL}/v2/siem/issues',
json={
"queryEndTime": "2021-04-16T14:00:00Z",
"messagesDelivered": [MOCK_DELIVERED_MESSAGE],
"clicksPermitted": [MOCK_PERMITTED_CLICK]
})
client = Client(proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None)
result = list_issues_command(client, "3 days")
messages_result = result[0]
clicks_result = result[1]
assert len(clicks_result.outputs) == 1
assert clicks_result.outputs_prefix == 'Proofpoint.ClicksPermitted'
assert clicks_result.outputs[0].get('messageID') == '3333'
assert len(messages_result.outputs) == 1
assert messages_result.outputs_prefix == 'Proofpoint.MessagesDelivered'
assert messages_result.outputs[0].get('messageID') == "*****@*****.**"
class TestGetForensics:
PLATFORMS_OBJECT = [
{
"name": "windows 7 sp1",
"os": "windows 7",
"version": "4.5.661",
}
]
EVIDENCE_OBJECT_URL = {
"type": "url",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"url": "string",
"blacklisted": "boolean",
"ip": "string",
"httpStatus": "string",
"md5": "string",
"offset": "integer",
"rule": "string",
"sha256": "string",
"size": "integer",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_REGISTRY = {
"type": "registry",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"action": "string",
"key": "string",
"name": "string",
"rule": "string",
"value": "string",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_PROCESS = {
"type": "process",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"action": "string",
"path": "string",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_NETWORK = {
"type": "network",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"action": "string",
"ip": "string",
"port": "string",
"type": "string",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_MUTEX = {
"type": "mutex",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"name": "string",
"path": "string",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_IDS = {
"type": "ids",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"name": "string",
"signatureId": "integer",
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_FILE = {
"type": "file",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"action": "string",
"md5": "string",
"path": "string",
"rule": "string",
"sha256": "string",
"size": "integer"
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_DROPPER = {
"type": "dropper",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"path": "string",
"rule": "string",
"url": "string"
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_DNS = {
"type": "dns",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"host": "string",
"cnames": ["string1", "string2"],
"ips": ["string1", "string2"],
"nameservers": ["string1", "string2"],
"nameserversList": ["string1", "string2"]
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_COOKIE = {
"type": "cookie",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"action": "string",
"domain": "string",
"key": "string",
"value": "string"
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_OBJECT_ATTACHMENT = {
"type": "attachment",
"display": "string",
"time": "string",
"malicious": "string",
"what": {
"sha256": "string",
"md5": "string",
"offset": "integer",
"rule": "string",
"size": "integer"
},
"platforms": PLATFORMS_OBJECT
}
EVIDENCE_LIST = [
EVIDENCE_OBJECT_ATTACHMENT,
EVIDENCE_OBJECT_COOKIE,
EVIDENCE_OBJECT_DNS,
EVIDENCE_OBJECT_DROPPER,
EVIDENCE_OBJECT_FILE,
EVIDENCE_OBJECT_IDS,
EVIDENCE_OBJECT_MUTEX,
EVIDENCE_OBJECT_NETWORK,
EVIDENCE_OBJECT_PROCESS,
EVIDENCE_OBJECT_REGISTRY,
EVIDENCE_OBJECT_URL,
]
REPORT_OBJECT = [{
'name': 'string',
'scope': 'string',
'type': 'string',
'id': 'string',
'forensics': EVIDENCE_LIST,
}]
REPORT = {
'generated': 'string',
'reports': REPORT_OBJECT * 2,
}
FORENSICS_REPORT = {
"Scope": "string",
"Type": "string",
"ID": "string",
"Attachment": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"SHA256": "string",
"MD5": "string",
"Offset": "integer",
"Size": "integer"
}
],
"Cookie": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Action": "string",
"Domain": "string",
"Key": "string",
"Value": "string"
}
],
"DNS": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Host": "string",
"CNames": [
"string1",
"string2"
],
"IP": [
"string1",
"string2"
],
"NameServers": [
"string1",
"string2"
],
"NameServersList": [
"string1",
"string2"
]
}
],
"Dropper": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Path": "string",
"URL": "string",
"Rule": "string"
}
],
"File": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Path": "string",
"Action": "string",
"SHA256": "string",
"MD5": "string",
"Size": "integer"
}
],
"IDS": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Name": "string",
"SignatureID": "integer"
}
],
"Mutex": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Name": "string",
"Path": "string"
}
],
"Network": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Action": "string",
"IP": "string",
"Port": "string",
"Protocol": "string"
}
],
"Process": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Action": "string",
"Path": "string"
}
],
"Registry": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Name": "string",
"Action": "string",
"Key": "string",
"Value": "string"
}
],
"URL": [
{
"Time": "string",
"Display": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"URL": "string",
"Blacklisted": "boolean",
"SHA256": "string",
"MD5": "string",
"Size": "integer",
"HTTPStatus": "string",
"IP": "string"
}
]
}
client = Client(
proofpoint_url=MOCK_URL,
api_version="v2",
service_principal="user1",
secret="123",
verify=False,
proxies=None
)
def test_get_forensics(self, requests_mock):
from ProofpointTAP_v2 import get_forensic_command
requests_mock.get('http://123-fake-api.com/v2/forensics?threatId=1256', json=self.REPORT)
_, output, _ = get_forensic_command(self.client, {'threatId': '1256'})
reports = output['Proofpoint.Report(var.ID === obj.ID)']
assert len(reports) == 2
report = reports[0]
assert all(report)
assert self.FORENSICS_REPORT == report
