def test_positive_unknown_verdict_ip_observable(module_headers): """Perform testing for enrich deliberate observables endpoint to get verdict for observable with unknown disposition from Abuse IPDB module ID: CCTRI-811-e0b57f1d-bfca-4d4c-a163-02fdcebe9131 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected verdict for observable from Abuse IPDB module Importance: Critical """ observables = [{'type': 'ip', 'value': '1.1.1.1'}] response_from_all_modules = enrich_deliberate_observables( payload=observables, **{'headers': module_headers}) response_from_abuse = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_abuse['module'] == MODULE_NAME assert response_from_abuse['module_instance_id'] assert response_from_abuse['module_type_id'] verdicts = response_from_abuse['data']['verdicts'] assert verdicts['count'] == 1 assert verdicts['docs'][0]['type'] == 'verdict' assert verdicts['docs'][0]['disposition'] == 5 assert verdicts['docs'][0]['disposition_name'] == 'Unknown' assert verdicts['docs'][0]['observable'] == observables[0] assert verdicts['docs'][0]['valid_time']['start_time']
def test_positive_clean_verdict_ip_observable(module_headers): """Perform testing for enrich deliberate observables endpoint to get verdict for observable with clean disposition from Abuse IPDB module ID: CCTRI-811-eb6d1371-5d0c-42df-8437-8863f3bac4d0 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected verdict for observable from Abuse IPDB module Importance: Critical """ observables = [{'type': 'ip', 'value': '118.232.96.6'}] response_from_all_modules = enrich_deliberate_observables( payload=observables, **{'headers': module_headers}) response_from_abuse = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_abuse['module'] == MODULE_NAME assert response_from_abuse['module_instance_id'] assert response_from_abuse['module_type_id'] verdicts = response_from_abuse['data']['verdicts'] assert verdicts['count'] == 1 assert verdicts['docs'][0]['type'] == 'verdict' assert verdicts['docs'][0]['disposition'] == 1 assert verdicts['docs'][0]['disposition_name'] == 'Clean' assert verdicts['docs'][0]['observable'] == observables[0] assert verdicts['docs'][0]['valid_time']['start_time']
def test_positive_suspicious_verdict_ip_observable(module_headers): """Perform testing for enrich deliberate observables endpoint to get verdict for observable with suspicious disposition from Abuse IPDB module ID: CCTRI-811-93e7fe20-bf8f-42ce-9966-17961ce5dfa8 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected verdict for observable from Abuse IPDB module Importance: Critical """ observables = [{'type': 'ip', 'value': '118.232.96.6'}] response_from_all_modules = enrich_deliberate_observables( payload=observables, **{'headers': module_headers}) response_from_abuse = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_abuse['module'] == MODULE_NAME assert response_from_abuse['module_instance_id'] assert response_from_abuse['module_type_id'] verdicts = response_from_abuse['data']['verdicts'] assert verdicts['count'] == 1 assert verdicts['docs'][0]['type'] == 'verdict' assert verdicts['docs'][0]['disposition'] == 3 assert verdicts['docs'][0]['disposition_name'] == 'Suspicious' assert verdicts['docs'][0]['observable'] == observables[0] assert verdicts['docs'][0]['valid_time']['start_time']
def test_ctr_positive_module_instance_investigate( module_headers, module_tool_client): """Validate that module we create through int module instance end point can return data for observable investigation process ID: 15b9b1c0-b771-42a7-b6a6-861682a09d17 Steps: 1. Send POST request to int module instance end point to create new entity 2. Send enrich observe observable request to server 3. Check response for data from just created custom module Expectedresults: Data returned from server contains valid and expected values Importance: High """ # Validate that module instance we plan to use for test automation purpose # is not present in system module_instance_list = int_get_module_instance( **{'headers': module_headers}) module_instance = next( ( item for item in module_instance_list if item['name'] == 'Test Investigation Module' ), False ) assert not module_instance, ( 'Test module instance was not removed from the system from previous ' 'runs' ) # Create new module instance payload = { 'name': 'Investigation Module', 'module_type_id': PRIVATE_INTEL_MODULE_TYPE, 'enabled': True, 'visibility': 'org', } module_instance = int_post_module_instance( payload=payload, **{'headers': module_headers}) assert module_instance['name'] == 'Investigation Module' try: # Check that created module can return data for investigation process response = module_tool_client.enrich.observe.observables( [{'type': 'sha256', 'value': SHA256_HASH}]) observables = get_observables(response, module_instance['name']) assert observables['data']['verdicts']['count'] > 0, ( 'No observable verdicts returned from server. Check hash value') assert observables['data']['judgements']['count'] > 0, ( 'No observable judgements returned from server. Check hash value') assert observables['data']['verdicts']['docs'][0][ 'disposition_name'] == 'Malicious' finally: # Clean system from created module int_delete_module_instance( entity_id=module_instance['id'], **{'headers': module_headers})
def test_positive_smoke_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Qualys doesn't have information, will return empty data ID: CCTRI-1707-2af2e5ec-d6bd-4a9b-83c1-5cb78786f145 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Qualys module Importance: Critical """ observables = [{"value": observable, "type": observable_type}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_qualys_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_qualys_module['module'] == MODULE_NAME assert response_from_qualys_module['module_instance_id'] assert response_from_qualys_module['module_type_id'] assert response_from_qualys_module['data'] == {}
def test_positive_smoke_empty_observable(module_headers): """Perform testing for enrich observe observables endpoint to check that observable, on which Have I Been Pwned doesn't have information, will return empty data ID: CCTRI-1695-b98d1d01-fd20-492f-bda5-bafb313a0737 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from Have I Been Pwned Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response_from_all_modules = enrich_observe_observables( payload=observable, **{'headers': module_headers}) response_from_hibp_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_hibp_module['module'] == MODULE_NAME assert response_from_hibp_module['module_instance_id'] assert response_from_hibp_module['module_type_id'] assert response_from_hibp_module['data'] == {}
def test_positive_smoke_empty_observables(module_headers): """Perform testing for enrich observe observables endpoint to check that observable, on which Spycloud doesn't have information, will return empty data ID: CCTRI-1695-2b2f141b-d2ac-4a26-a254-2f9524e5ad75 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Spycloud module Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response_from_all_modules = enrich_observe_observables( payload=observable, **{'headers': module_headers}) response_from_spycloud_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_spycloud_module['module'] == MODULE_NAME assert response_from_spycloud_module['module_instance_id'] assert response_from_spycloud_module['module_type_id'] assert response_from_spycloud_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Gigamon ThreatINSIGHT module doesn't have information, will return empty data ID: CCTRI-1695-dfc0dce8-6ed3-4c8d-a1b1-ce9675ce15f9 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from Gigamon ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] == MODULE_NAME assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] assert response_from_gigamon['data'] == {}
def test_positive_verdict(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to get verdicts for observable from CyberCrime Tracker ID: CCTRI-813-700a7520-6454-485c-8daf-f876c6e57602 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected verdicts for observable from CyberCrime Tracker Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_cybercrime_module = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_cybercrime_module['module'] == MODULE_NAME assert response_from_cybercrime_module['module_instance_id'] assert response_from_cybercrime_module['module_type_id'] verdicts = response_from_cybercrime_module['data']['verdicts'] assert verdicts['count'] == 1 for verdict in verdicts['docs']: assert verdict['type'] == 'verdict' assert verdict['disposition'] == 2 assert verdict['observable'] == observables[0] assert verdict['valid_time']['start_time'] assert verdict['valid_time']['end_time']
def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Microsoft Graph Security doesn't have information, will return empty data ID: CCTRI-1707-335903f4-b387-4ad9-8f8b-badfb1ae7f8c Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Microsoft Graph Security module Importance: Critical """ observables = [ { "value": observable, "type": observable_type }, ] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) assert direct_observables['module'] == MODULE_NAME assert direct_observables['module_instance_id'] assert direct_observables['module_type_id'] assert direct_observables['data'] == {}
def test_positive_smoke_observe_observables_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which AlienVault OTX doesn't have information, will return empty data ID: CCTRI-1695-8f48503a-5277-4578-9f38-8d31b2aaa3cb Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] assert response_from_alien_vault['data'] == {}
def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which CyberCrime Tracker doesn't have information, will return empty data ID: CCTRI-1707-07e734d0-1dcc-4f6a-b169-b8f1b4f53d3d Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from CyberCrime Tracker module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_cybercrime_module = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_cybercrime_module['module'] == MODULE_NAME assert response_from_cybercrime_module['module_instance_id'] assert response_from_cybercrime_module['module_type_id'] assert response_from_cybercrime_module['data'] == {}
def test_positive_smoke_enrich_refer_observables(module_headers, observable, observable_type): """Perform testing for enrich refer observable endpoint to check status of AlienVault OTX module ID: CCTRI-1336-1f700099-447c-4803-9df7-d1c97cc5abdb Steps: 1. Send request to enrich refer observable endpoint Expectedresults: 1. Response body contains refer entity with needed fields from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_refer_observables( payload=observables, **{'headers': module_headers}) response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] assert response_from_alien_vault['id'] == ( f'ref-avotx-search-{observable_type}-{quote(observable, safe="")}') assert response_from_alien_vault['title'] == ( f'Search for this {OBSERVABLE_HUMAN_READABLE_NAME[observable_type]}') assert (response_from_alien_vault['description']) == ( f'Lookup this {OBSERVABLE_HUMAN_READABLE_NAME[observable_type]} on ' f'{INTEGRATION_NAME}') assert response_from_alien_vault['categories'] == [ INTEGRATION_NAME, 'Search' ]
def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Google Chronicle doesn't have information, will return empty data ID: CCTRI-1707-1a53cc5b-80c7-4859-bdd2-dc6f301ffac9 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Google Chronicle module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_chronicle_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_chronicle_module['module'] == MODULE_NAME assert response_from_chronicle_module['module_instance_id'] assert response_from_chronicle_module['module_type_id'] assert response_from_chronicle_module['data'] == {}
def test_positive_smoke_enrich_health(module_headers): """Perform testing for enrich health endpoint to check status of CyberCrime Tracker module ID: CCTRI-844-2774693e-f297-11ea-adc1-0242ac120002 Steps: 1. Send request to enrich health endpoint Expectedresults: 1. Check that data in response body contains status Ok from CyberCrime Tracker module Importance: Critical """ response_from_all_modules = enrich_post_health( **{'headers': module_headers} ) response_from_cybercrime = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_cybercrime['module'] == MODULE_NAME assert response_from_cybercrime['module_instance_id'] assert response_from_cybercrime['module_type_id'] assert response_from_cybercrime['data'] == {'status': 'ok'}
def test_positive_relay_refer_observables_sightings(module_headers, observable, observable_type): """ Perform testing for enrich refer observables endpoint for file_name in Qualys ID: CCTRI-744-6114ff9d-e97f-47ae-ab41-6508eec000d6 Steps: 1. Send request with observable that has file_name type to endpoint refer observables Expectedresults: 1. Check that data in response body contains expected information from Qualys module Importance: Critical """ observables = [{'value': observable, 'type': observable_type}] response_from_all_modules = enrich_refer_observables( payload=observables, **{'headers': module_headers}) sightings = get_observables(response_from_all_modules, MODULE_NAME) assert sightings['module'] == MODULE_NAME assert sightings['module_instance_id'] assert sightings['module_type_id'] assert sightings['description'] assert sightings['id'] == ( f'ref-qualys-search-{observable_type}-{observable}') assert sightings['url'].startswith( 'https://qualysguard.qg3.apps.qualys.com') assert sightings['title'] == ( f'Search for this ' f'{OBSERVABLE_HUMAN_READABLE_NAME[observable_type]}') assert sightings['categories'] == ['Qualys', 'Search']
def test_positive_enrich_observe_observables_sha256(module_headers): """Perform testing for enrich observe observables endpoint for sha256 in Graph Security module ID: CCTRI-354-38e92acf-45e2-4ff6-b5f4-c7e7f4e20f2d Steps: 1. Send request with observable that has SHA256 type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = ( '091835b16192e526ee1b8a04d0fcef534544cad306672066f2ad6973a4b18b19') observable_type = 'sha256' expected_observable = { 'description': ('Attackers can implant the right-to-left-override (RLO) in a ' 'filename to change the order of the characters in the filename ' 'and make it appear legitimate. This technique is used in ' 'different social engineering attacks to convince the user to run' ' the file, and may also be used for hiding purposes. The file ' 'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Right-to-Left-Override (RLO) technique observed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data assert direct_observables['module'] == MODULE_NAME assert direct_observables['module_instance_id'] assert direct_observables['module_type_id'] sightings = direct_observables['data']['sightings'] assert sightings['count'] == 2 sighting = sightings['docs'][0] assert sighting['observables'] == observables for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_sighting_relation(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check relationships in sighting of Gigamon ThreatINSIGHT module ID: CCTRI-1174-fb8d55ae-0352-4170-9b17-ddf49fa81783 Steps: 1. Send request to enrich observe observable endpoint and check relationships in sighting Expectedresults: 1. Response body contains relationships in sightings entity with needed fields from Gigamon ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] == MODULE_NAME assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] sightings = response_from_gigamon['data']['sightings'] assert len(sightings['docs']) > 0 for sighting in sightings['docs']: if 'HTTP' in sighting['description'].splitlines()[0]: http_relations = { relation['relation'] for relation in sighting['relations'] } assert 'Connected_To' in http_relations download_relations = {'Downloaded_To', 'Downloaded_From'} upload_relations = {'Uploaded_From', 'Uploaded_To'} intersection_relations = http_relations & (download_relations | upload_relations) assert not intersection_relations or (intersection_relations == download_relations) or ( intersection_relations == upload_relations) for relation in sighting['relations']: assert relation['origin'] == INTEGRATION_NAME assert relation['relation'] in RELATIONS_TYPES assert relation['source']['value'] assert relation['source']['type'] in RELATED_OBSERVABLES_TYPES assert relation['related']['value'] assert relation['related']['type'] in RELATED_OBSERVABLES_TYPES if relation['relation'] == 'Hosted_On': assert relation['source']['value'].startswith('http') and ( relation['source']['type'] == 'url') assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_sighting(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check sightings of Urlscan module ID: CCTRI-818-acd56463-e158-4c67-9b26-57f08bbe775c Steps: 1. Send request to enrich observe observable endpoint and check sighting Expectedresults: 1. Response body contains sightings entity with needed fields from Urlscan module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_urlscan_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_urlscan_module['module'] == MODULE_NAME assert response_from_urlscan_module['module_instance_id'] assert response_from_urlscan_module['module_type_id'] sightings = response_from_urlscan_module['data']['sightings'] assert len(sightings['docs']) > 0 for sighting in sightings['docs']: assert sighting['description'] == 'Scan Result' assert sighting['schema_version'] assert sighting['observables'] == observables assert sighting['type'] == 'sighting' assert sighting['source'] == URLSCAN assert sighting['external_ids'] assert sighting['internal'] is False assert sighting['source_uri'] == ( f'{URL}/result/{sighting["external_ids"][0]}') assert sighting['id'].startswith('transient:sighting') assert sighting['count'] == 1 assert sighting['confidence'] == CONFIDENCE_LEVEL assert sighting['observed_time']['start_time'] == ( sighting['observed_time']['end_time']) assert sighting['data']['columns'] assert sighting['data']['rows'] assert [relation['relation'] for relation in sighting['relations']] == RELATION_TYPES for relation in sighting['relations']: assert relation['origin'] == f'{URLSCAN} Module' assert relation['source']['value'] assert relation['source']['type'] assert relation['related']['value'] assert relation['related']['type'] assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_ip(module_headers): """ Perform testing for enrich observe observables endpoint for IP in Graph Security module ID: CCTRI-467-63340fd2-3ed5-44f5-b274-c5595322dc43 Steps: 1. Send request with observable that has IP type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = '10.8.168.41' observable_type = 'ip' expected_observable = { 'description': ('SQL Injection, Cross-Site Scripting. We observed the following ' 'suspicious value enter the application through the HTTP Request ' 'Parameter "userid":POST /WebGoat/SqlInjection/attack5b HTTP/1.0 ' 'userid=4+OR+1%3D1 This value was again observed altering the ' 'meaning of the SQL query executed within ' 'org.hsqldb.jdbc.JDBCStatement.executeQuery(Unknown Source):' 'SELECT * FROM user_data WHERE userid = 4 OR 1=1.'), 'external_ids': ['257F2933-A145-4061-9464-2D964A91EB91'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'High', 'source': 'Microsoft Graph Security', 'title': 'Active attack EXPLOITED in QA', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_smoke_enrich_relationships(module_headers, observable, observable_type): """Perform testing for enrich observe observable endpoint to check relationships of AlienVault OTX module ID: CCTRI-1335-943cacc5-0157-42d8-af5c-3778c4b79031 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Response body contains relationships entity with needed fields from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] relationships = response_from_alien_vault['data']['relationships'] indicators_ids = { indicator['id'] for indicator in response_from_alien_vault['data']['indicators'] ['docs'] } sightings_ids = { sighting['id'] for sighting in response_from_alien_vault['data']['sightings']['docs'] } target_ref = { relationship['target_ref'] for relationship in response_from_alien_vault['data']['relationships'] ['docs'] } source_ref = { relationship['source_ref'] for relationship in response_from_alien_vault['data']['relationships'] ['docs'] } assert target_ref == indicators_ids assert source_ref == sightings_ids assert len(relationships['docs']) > 0 for relationship in relationships['docs']: assert relationship['schema_version'] assert relationship['type'] == 'relationship' assert relationship['id'].startswith('transient:relationship') assert relationship['relationship_type'] == 'member-of' assert relationships['count'] == len(relationships['docs'])
def test_positive_enrich_observe_observables_file_path(module_headers): """ Perform testing for enrich observe observables endpoint for FILE_PATH in Graph Security module ID: CCTRI-471-a7435d3f-2160-43c6-b8de-a2da65f9c40d Steps: 1. Send request with observable that has FILE_PATH type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = r'C:\Windows\SYSTEM32\ntdll.dll' observable_type = 'file_path' external_id = '0F72C58F-1D01-4284-BB32-C53DD45B5C01' expected_observable = { 'description': ('A process suspiciously tried to access the export address table ' '(EAT) to look for potentially useful APIs. This might indicate ' 'an exploitation attempt. The process svchost.exe, with process ' 'ID 404, tried accessing the Export Address table for module ' r'C:\\Windows\\SYSTEM32\\ntdll.dll and was blocked'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'source': 'Microsoft Graph Security', 'external_ids': [external_id], 'type': 'sighting', 'title': 'Exploit Guard blocked dynamic code execution', 'severity': 'High' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) assert direct_observables['data']['sightings']['count'] == 2 current_observables = direct_observables['data']['sightings']['docs'] sighting = [ observable for observable in current_observables if observable['external_ids'][0] == external_id ][0] assert sighting['observables'] == observables for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_indicators(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check indicators of Gigamon ThreatINSIGHT module ID: CCTRI-1094-fb59a541-a42e-41fc-b859-52a1b564c14e Steps: 1. Send request to enrich observe observable endpoint and check indicators Expectedresults: 1. Response body contains indicators entity with needed fields from ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon_module['module'] == MODULE_NAME assert response_from_gigamon_module['module_instance_id'] assert response_from_gigamon_module['module_type_id'] indicators = response_from_gigamon_module['data']['indicators'] assert len(indicators['docs']) > 0 for indicator in indicators['docs']: assert indicator['description'] assert indicator['producer'] == INTEGRATION_NAME assert indicator['schema_version'] assert indicator['type'] == 'indicator' assert indicator['source'] == INTEGRATION_NAME assert indicator['short_description'] assert indicator['title'] assert indicator['confidence'] in CONFIDENCE assert indicator['severity'] in SEVERITY assert indicator['external_ids'] assert indicator['id'] == ( f"transient:indicator-{indicator['external_ids'][0]}") assert indicator['valid_time']['start_time'] assert 'tags' in indicator assert indicator['source_uri'] == ( f'{GIGAMON_URL}/detections/rules/{indicator["external_ids"][0]}') for external_reference in indicator['external_references']: assert external_reference['description'] assert external_reference['external_id'] == ( indicator['external_ids'][0]) assert external_reference['source_name'] == INTEGRATION_NAME assert external_reference['url'] == ( f'{GIGAMON_URL}' f'/detections/rules/{indicator["external_ids"][0]}') assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_smoke_enrich_refer_observables(module_headers, observable, observable_type): """Perform testing for enrich refer observables endpoint to check response from Urlscan module ID: CCTRI-1033-3f3a7a0f-cac8-4111-ab5a-2aa783fac9be Steps: 1. Send request to enrich refer observable endpoint Expectedresults: 1. Response body contains refer entity with needed fields from Urlscan module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_refer_observables( payload=observables, **{'headers': module_headers} ) response_from_urlscan_module = get_observables( response_from_all_modules, MODULE_NAME) assert len(response_from_urlscan_module) == 2 observable_category = ( observable_type if observable_type != 'ipv6' else 'ip' ) for urlscan in response_from_urlscan_module: if urlscan['title'].startswith('Browse'): search_type = 'browse' url = f'{URL}/{observable_category}/{observable}' elif urlscan['title'].startswith('Search') and observable_type == ( 'domain'): search_type = 'search' url = f'{URL}/{search_type}/#{observable_category}:{observable}' elif urlscan['title'].startswith('Search') and observable_type != ( 'domain'): search_type = 'search' url = f'{URL}/{search_type}/#{observable_category}:"{observable}"' else: raise AssertionError('Unsupported type') assert urlscan['module'] == MODULE_NAME assert urlscan['module_instance_id'] assert urlscan['module_type_id'] assert urlscan['id'] == ( f'ref-{MODULE_NAME.split(".")[0]}-{search_type}-' f'{observable_type}-{quote(observable, safe="")}' ) assert urlscan['title'] in f'{SEARCH_FOR_THIS } {observable_type},' \ f' {BROWSE} {observable_type}' assert urlscan['description'] == ( f'Check this {observable_type} status with {URLSCAN}' ) assert urlscan['categories'] == [URLSCAN, search_type.capitalize()] assert urlscan['url'] == url
def test_positive_relationship(module_headers, observable_type, observable): """Perform testing for enrich observe observables endpoint to get relationship for observable from Google Chronicle module ID: CCTRI-859-923556f5-f678-4ed3-a2ed-f2c37bd4b5e5 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains expected relationship for observable from Google Chronicle module and it connects expected entities Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_chronicle_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_chronicle_module['module'] == MODULE_NAME assert response_from_chronicle_module['module_instance_id'] assert response_from_chronicle_module['module_type_id'] indicators_ids = { indicator['id'] for indicator in ( response_from_chronicle_module['data']['indicators']['docs'] ) } sightings_ids = { sighting['id'] for sighting in ( response_from_chronicle_module['data']['sightings']['docs'] ) } relationships = ( response_from_chronicle_module['data']['relationships'] ) assert len(relationships['docs']) > 0 for relationship in relationships['docs']: assert relationship['schema_version'] assert relationship['type'] == 'relationship' assert relationship['relationship_type'] == 'sighting-of' assert relationship['target_ref'] in indicators_ids assert relationship['source_ref'] in sightings_ids assert relationships['count'] == ( len(relationships['docs'])) <= ( CTR_ENTITIES_LIMIT )
def test_positive_enrich_observe_observables_url(module_headers): """ Perform testing for enrich observe observables endpoint for URL in Graph Security module ID: CCTRI-468-dfcd642e-f02b-428b-9695-168e7d59d533 Steps: 1. Send request with observable that has URL type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'http://register.fabricam.com/start.php' observable_type = 'url' expected_observable = { 'description': ('Analysis of host data detected a powershell script running on ' 'LAP-DOUGLASF that has features in common with known suspicious ' 'scripts. This script could either be legitimate activity, or an ' 'indication of a compromised host.'), 'external_ids': ['D16B2923-2134-4F94-9FF1-B40761EA3E1D'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Suspicious Powershell Activity Detected', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_file_name(module_headers): """ Perform testing for enrich observe observables endpoint for file_name in Graph Security module ID: CCTRI-470-ef6c5b84-ac4e-463d-bf3f-bf8dd08b7a07 Steps: 1. Send request with observable that has file_name type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'photoview1sp.jpg' observable_type = 'file_name' expected_observable = { 'description': ('Attackers can implant the right-to-left-override (RLO) in a ' 'filename to change the order of the characters in the filename ' 'and make it appear legitimate. This technique is used in ' 'different social engineering attacks to convince the user to run ' 'the file, and may also be used for hiding purposes. The file ' 'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Right-to-Left-Override (RLO) technique observed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_python_module_positive_commands_verdict(module_tool_client): """Perform testing for verdict command from custom threat response python module for one observable ID: CCTRI-385-9f8cc790-a316-4e82-b592-43229f85e381 Steps: 1. Get observable verdict using default deliberate observable request 2. Get observable verdict using our new tool command Expectedresults: Verdict command for provided observable returns expected values and disposition name is the same in comparison to direct server request Importance: Critical """ tool_response = module_tool_client.enrich.deliberate.observables([{ 'type': 'sha256', 'value': SHA256_HASH }]) tool_observables = get_observables(tool_response, 'Private Intelligence') assert tool_observables['data']['verdicts']['count'] > 0, ( 'No observable verdicts returned from server. Check hash value') assert tool_observables['data']['verdicts']['docs'][0][ 'disposition_name'] == 'Malicious' tool_command_response = module_tool_client.commands.verdict(SHA256_HASH) tool_command_private_intel = get_observables( tool_command_response['response'], 'Private Intelligence') assert tool_command_private_intel['module'] == 'Private Intelligence' assert tool_command_private_intel['module_type_id'] assert tool_command_private_intel['module_instance_id'] tool_command_verdict = ( tool_command_private_intel['data']['verdicts']['docs'][0]) assert tool_command_verdict['observable']['value'] == SHA256_HASH assert tool_command_verdict['observable']['type'] == 'sha256' assert tool_command_verdict['valid_time'] is not None assert tool_command_verdict['disposition_name'] == 'Malicious'
def test_positive_enrich_observe_observables_hostname(module_headers): """ Perform testing for enrich observe observables endpoint for HOSTNAME in Graph Security module ID: CCTRI-472-67881b85-20d7-4f11-94d6-dd228d72753c Steps: 1. Send request with observable that has HOSTNAME type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'DT-ALDOM' observable_type = 'hostname' expected_observable = { 'description': ('The system process c:\\windows\\fonts\\csrss.exe was observed ' 'running in an abnormal context. Malware often use this process ' 'name to masquerade its malicious activity.'), 'external_ids': ['597E99F8-50B6-4D7B-A45A-A35BDB35EFF8'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Suspicious system process executed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_ctr_positive_tool_enrich_observe_observables(module_headers, module_tool_client): """Perform testing for enrich observe observables end point of custom threat response python module ID: d1dd6d3b-f762-4280-a573-7cc815da5a85 Steps: 1. Send request sha256 hash to enrich observe observables end point of threat response server using direct POST call 2. Send same request using custom python module 3. Compare results Expectedresults: POST action finished get to the end point and return correct data Importance: Critical """ data = '01f30887a828344f6cf574bb05bd0bf571fc35979a3032377b95fb0d692b8061' response = enrich_observe_observables(payload=[{ 'type': 'sha256', 'value': data }], **{'headers': module_headers})['data'] tool_response = module_tool_client.enrich.observe.observables([{ 'type': 'sha256', 'value': data }])['data'] direct_observables = get_observables(response, 'VirusTotal') tool_observables = get_observables(tool_response, 'VirusTotal') assert tool_observables['data']['verdicts']['count'] > 0, ( 'No observables returned from server. Check hash value') assert tool_observables['data']['judgements']['count'] > 0, ( 'No observables returned from server. Check hash value') assert tool_observables['data']['verdicts']['docs'][0][ 'disposition_name'] == 'Malicious' assert direct_observables['data']['judgements'][ 'count'] == tool_observables['data']['judgements']['count']