def test_load_from_config(self):
    """ThreatIntel - Load From Config"""
    client = ThreatIntel.load_from_config(self._default_config)
    assert_equal(isinstance(client, ThreatIntel), True)

    # Normalized record keys mapped to the IOC type each one is matched against
    ioc_types = {
        'destinationDomain': 'domain',
        'sourceAddress': 'ip',
        'destinationAddress': 'ip',
        'fileHash': 'md5'
    }
    excluded = {'domain': {'not.evil.com'}}

    # Every private attribute is expected to mirror its section of the default config
    for actual, expected in (
            (client._table, 'table_name'),
            (client._enabled_clusters, {'prod'}),
            (client._ioc_config, ioc_types),
            (client._excluded_iocs, excluded)):
        assert_equal(actual, expected)
def test_load_from_config_no_clusters(self):
    """ThreatIntel - Load From Config, Clusters Disabled"""
    # Threat intel is enabled globally, but the only cluster opts out
    # through its stream_alert module settings
    cluster_modules = {'stream_alert': {'enable_threat_intel': False}}
    config = {
        'threat_intel': {'enabled': True},
        'clusters': {'prod': {'modules': cluster_modules}}
    }
    # With no cluster enabled, no client should be produced
    assert_equal(ThreatIntel.load_from_config(config), None)
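def __init__(self, *rule_paths):
    """Initialize the engine's shared (class-level) dependencies and import rules.

    Args:
        *rule_paths (str): Folders to import rules and matchers from. When none
            are given, the 'rule_locations' and 'matcher_locations' lists from
            the global config section are used instead.
    """
    # Config and threat intel client are cached on the class, so only the
    # first instance pays for loading them
    RulesEngine._config = RulesEngine._config or load_config()
    RulesEngine._threat_intel = (
        RulesEngine._threat_intel or ThreatIntel.load_from_config(self.config)
    )

    # Instantiate the alert forwarder to handle sending alerts to the alert processor
    RulesEngine._alert_forwarder = RulesEngine._alert_forwarder or AlertForwarder()

    # Load the lookup tables, which include logic for refreshing the tables.
    # Unlike the attributes above, these are (re)loaded on every construction.
    RulesEngine._lookup_tables = LookupTables.load_lookup_tables(self.config)

    # If no rule import paths are specified, default to the config. A tuple
    # rather than a set keeps the import order deterministic across runs.
    if not rule_paths:
        rule_paths = [
            item
            for location in ('rule_locations', 'matcher_locations')
            for item in self.config['global']['general'][location]
        ]

    # NOTE(review): import_folders presumably imports (and thus executes) the
    # rule modules found under these paths, so the config they come from is
    # treated as trusted input
    import_folders(*rule_paths)

    self._in_lambda = 'LAMBDA_RUNTIME_DIR' in env
    self._required_outputs_set = resources.get_required_outputs()
    self._load_rule_table(self.config)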
def test_load_from_config_disabled(self):
    """ThreatIntel - Load From Config, Disabled"""
    # An explicit global opt-out must not produce a client
    disabled = {'threat_intel': {'enabled': False}}
    result = ThreatIntel.load_from_config(disabled)
    assert_equal(result, None)
def test_load_from_config_empty(self):
    """ThreatIntel - Load From Config, Empty"""
    # A config with no 'threat_intel' section yields no client, just like
    # an explicitly disabled one
    result = ThreatIntel.load_from_config({})
    assert_equal(result, None)
def setup(self):
    """ThreatIntel - Setup"""
    # Patch the boto3 client factory so building the threat intel client
    # never creates a real AWS client
    boto_patch = patch('boto3.client')
    with boto_patch:
        self._threat_intel = ThreatIntel.load_from_config(self._default_config)