コード例 #1
0
def test_insight_idr_get_investigation(requests_mock) -> None:
    """
    Scenario: test get investigation
    Given:
     - User has provided valid credentials
    When:
     - insight_idr_get_investigation_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure output is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_get_investigation_command

    mock_response = util_load_json('test_data/get_investigation.json')
    requests_mock.get(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)

    response = insight_idr_get_investigation_command(
        client, '174e4f99-2ac7-4481-9301-4d24c34baf06')

    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
    assert response.outputs_key_field == 'id'
    assert response.outputs == response.raw_response
コード例 #2
0
def test_close_investigation(requests_mock) -> None:
    """
    Scenario: test close investigations
    Given:
     - User has provided valid credentials
     - User has provided valid times
    When:
     - insight_idr_close_investigations_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure the amount of ids that were closed
    """
    from Rapid7_InsightIDR import Client, insight_idr_close_investigations_command

    mock_response = util_load_json('test_data/close_investigations.json')
    requests_mock.post(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/bulk_close',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)

    response = insight_idr_close_investigations_command(
        client, 'start_time', 'end_time', 'MANUAL')

    assert response.raw_response.get('num_closed', -1) == len(
        response.raw_response.get('ids', []))
    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
    assert response.outputs_key_field == 'id'
コード例 #3
0
def test_insight_idr_query_log_set(requests_mock) -> None:
    """
    Scenario: test query log set
    Given:
     - User has provided valid credentials
     - User has provided valid logset ID
    When:
     - insight_idr_query_log_set_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure output is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_query_log_set_command

    mock_response = util_load_json('test_data/list_log_sets.json')
    requests_mock.get(
        f'https://{REGION}.api.insight.rapid7.com/log_search/query/logsets/x',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)
    response = insight_idr_query_log_set_command(client, 'x', '', '', '')

    outputs = []
    for event in response.raw_response.get('events', []):
        outputs.append(event)

    assert response.outputs_prefix == 'Rapid7InsightIDR.Event'
    assert response.outputs_key_field == 'message'
    assert response.outputs == outputs
コード例 #4
0
def test_insight_idr_download_logs(requests_mock) -> None:
    """
    Scenario: test download logs
    Given:
     - User has provided valid credentials
     - User has provided valid logIDs
    When:
     - insight_idr_download_logs_command is called
    Then:
     - Ensure file type
    """
    from Rapid7_InsightIDR import Client, insight_idr_download_logs_command

    mock_response = util_load_file('test_data/download_logs.txt')
    requests_mock.get(
        f'https://{REGION}.api.insight.rapid7.com/log_search/download/logs/x:y',
        text=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)
    response = insight_idr_download_logs_command(client, 'x:y')

    assert (response.get('File', '')[-4:]) == '.log'
コード例 #5
0
def test_insight_idr_list_logs(requests_mock) -> None:
    """
    Scenario: test list logs
    Given:
     - User has provided valid credentials
    When:
     - insight_idr_list_logs_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure output is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_list_logs_command

    mock_response = util_load_json('test_data/list_logs.json')
    requests_mock.get(
        f'https://{REGION}.api.insight.rapid7.com/log_search/management/logs',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)
    response = insight_idr_list_logs_command(client)

    outputs = []
    for log in response.raw_response.get('logs', []):
        outputs.append(log)

    assert response.outputs_prefix == 'Rapid7InsightIDR.Log'
    assert response.outputs_key_field == 'id'
    assert response.outputs == outputs
コード例 #6
0
def test_insight_idr_replace_threat_indicators(requests_mock) -> None:
    """
    Scenario: test replace indiactors to threat
    Given:
     - User has provided valid credentials
     - User has provided valid indicators
    When:
     - insight_idr_replace_threat_indicators_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure output is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_replace_threat_indicators_command

    mock_response = util_load_json('test_data/replace_threat_indicators.json')
    requests_mock.post(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/customthreats/key/x/indicators/replace',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)
    response = insight_idr_replace_threat_indicators_command(client, 'x')

    outputs = []
    for threat in response.raw_response:
        outputs.append(threat.get('threat'))

    assert response.outputs_prefix == 'Rapid7InsightIDR.Threat'
    assert response.outputs_key_field == 'name'
    assert response.outputs == outputs
コード例 #7
0
def test_fetch_incidents(requests_mock) -> None:
    """
    Scenario: test fetch incidents
    Given:
     - User has provided valid credentials
     - User has provided valid last_run and first_time_fetch
     - User has provided valid max_fetch
    When:
     - insight_idr_query_log_set_command is called
    Then:
     - Ensure output is as expected
     - Ensure timestamp is as expected (+1 Miliseconds)
    """
    from Rapid7_InsightIDR import Client, fetch_incidents

    mock_response = util_load_json('test_data/list_investigations.json')
    requests_mock.get(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)

    last_fetch_timestamp = parse_date_range('1 day', to_timestamp=True)[0]
    last_run = {'last_fetch': last_fetch_timestamp}

    response = fetch_incidents(client=client,
                               max_fetch='1',
                               last_run=last_run,
                               first_fetch_time='1 day')
    outputs = []
    for investigation in response[1]:
        outputs.append(investigation)

    assert last_fetch_timestamp + 1 == response[0]['last_fetch']
    assert response[1] == [{
        'name': 'Joe enabled account Joebob',
        'occurred': '2018-06-06T16:56:42.000Z',
        'rawJSON': outputs[0]['rawJSON'],
    }, {
        'name': 'Hello',
        'occurred': '2018-06-06T16:56:43.000Z',
        'rawJSON': outputs[1]['rawJSON'],
    }]
コード例 #8
0
def test_set_status(requests_mock) -> None:
    """
    Scenario: test set status to investigations
    Given:
     - User has provided valid credentials
     - User has provided valid status
    When:
     - insight_idr_set_status_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure status field is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_set_status_command

    investigation_id = '174e4f99-2ac7-4481-9301-4d24c34baf06'
    status = 'OPEN'

    mock_response = util_load_json('test_data/set_status.json')
    requests_mock.put(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/{investigation_id}'
        f'/status/{status}',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)

    response = insight_idr_set_status_command(client, investigation_id, status)

    if response.raw_response:
        for data in response.raw_response:
            for obj in data.get('data', []):
                assert obj.get('status', '') == status

    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
    assert response.outputs_key_field == 'id'
コード例 #9
0
def test_assign_user(requests_mock) -> None:
    """
    Scenario: test assign user to investigations
    Given:
     - User has provided valid credentials
     - User has provided valid email address
    When:
     - insight_idr_assign_user_command is called
    Then:
     - Ensure prefix is correct
     - Ensure key field is correct
     - Ensure email field is as expected
    """
    from Rapid7_InsightIDR import Client, insight_idr_assign_user_command

    investigation_id = '174e4f99-2ac7-4481-9301-4d24c34baf06'
    email = '*****@*****.**'

    mock_response = util_load_json('test_data/assign_user.json')
    requests_mock.put(
        f'https://{REGION}.api.insight.rapid7.com/idr/v1/investigations/'
        f'{investigation_id}/assignee',
        json=mock_response)

    client = Client(base_url=f'https://{REGION}.api.insight.rapid7.com/',
                    verify=False,
                    headers={'Authentication': 'apikey'},
                    proxy=False)

    response = insight_idr_assign_user_command(client, investigation_id, email)
    if response.raw_response:
        for data in response.raw_response:
            for obj in data.get('data', []):
                assert obj.get('assignee', {}).get('email', '') == email

    assert response.outputs_prefix == 'Rapid7InsightIDR.Investigation'
    assert response.outputs_key_field == 'id'