def test_fetch_all_alerts(requests_mock, orca_client: OrcaClient) -> None:
mock_response = mock_alerts_response.copy() # deepcopy not needed
mock_response["next_page_token"] = "NEXT_PAGE"
requests_mock.get(f"{DUMMY_ORCA_API_DNS_NAME}/query/alerts", json=mock_response)
# Get first page
last_run, fetched_incidents = fetch_incidents(
orca_client, {'lastRun': None},
max_fetch=20,
pull_existing_alerts=True,
first_fetch_time=None
)
assert len(fetched_incidents) == 2
assert last_run['next_page_token'] == 'NEXT_PAGE'
mock_response["next_page_token"] = None # type: ignore
requests_mock.get(f"{DUMMY_ORCA_API_DNS_NAME}/query/alerts", json=mock_response)
# Get next page
last_run, fetched_incidents = fetch_incidents(
orca_client, last_run,
max_fetch=20,
pull_existing_alerts=True,
first_fetch_time=None
)
assert len(fetched_incidents) == 2
assert 'next_page_token' not in last_run
# No pages and no updates
last_run, fetched_incidents = fetch_incidents(
orca_client, last_run,
max_fetch=20,
pull_existing_alerts=True,
first_fetch_time=None
)
assert len(fetched_incidents) == 0
def test_fetch_incidents_not_first_run_return_empty(mocker, orca_client: OrcaClient) -> None:
# validates that fetch-incidents is returning an a empty list when it is not the first run
mocker.patch.object(demisto, 'getLastRun',
return_value={'lastRun': datetime.now().strftime(DEMISTO_OCCURRED_FORMAT),
"incidents_for_next_run": []})
fetched_incidents = fetch_incidents(orca_client, max_fetch=20, pull_existing_alerts=True, first_fetch_time=None)
assert fetched_incidents == []
def test_fetch_incidents_not_first_run_return_empty(orca_client: OrcaClient) -> None:
# validates that fetch-incidents is returning an a empty list when it is not the first run
last_run, fetched_incidents = fetch_incidents(
orca_client,
last_run={'lastRun': datetime.now().strftime(DEMISTO_OCCURRED_FORMAT)},
max_fetch=20,
pull_existing_alerts=True,
first_fetch_time=None
)
assert fetched_incidents == []
def test_fetch_incidents_first_run_should_succeed(requests_mock, orca_client: OrcaClient) -> None:
requests_mock.get(f"{DUMMY_ORCA_API_DNS_NAME}/query/alerts", json=mock_alerts_response)
last_run, fetched_incidents = fetch_incidents(
orca_client,
last_run={'lastRun': None},
max_fetch=20,
pull_existing_alerts=True,
first_fetch_time=None
)
assert fetched_incidents[0]['name'] == 'orca-59'
loaded_raw_alert = json.loads(fetched_incidents[0]['rawJSON'])
assert loaded_raw_alert['demisto_score'] == 4
assert fetched_incidents[1]['name'] == 'orca-242'
loaded_raw_alert = json.loads(fetched_incidents[1]['rawJSON'])
assert loaded_raw_alert['demisto_score'] == 4
assert last_run["lastRun"] is not None
def test_fetch_incidents_first_run_should_succeed(mocker, requests_mock, orca_client: OrcaClient) -> None:
mock_response = {
"version": "0.1.0",
"status": "success",
"total_items": 58,
"total_ungrouped_items": 58,
"total_supported_items": 10000,
"data": [
{
"type": "malware",
"rule_id": "r1111ea1111",
"type_string": "Malware",
"type_key": "/test_eicar_file",
"category": "Malware",
"description": "Malware EICAR-Test-File found on asset",
"details": "We have detected a file infected with EICAR-Test-File on the asset.",
"recommendation": "Remediate the host and attend additional alerts on the host to close the infection path.",
"alert_labels": [
"malware_found"
],
"asset_category": "Storage",
"cloud_provider_id": "111111111111",
"cloud_provider": "aws",
"cloud_account_id": "10b11111-1111-1111-91d5-11111de11111",
"cloud_vendor_id": "111111111111",
"account_name": "111111111111",
"asset_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"asset_name": "scan-me-s3-bucket-s8rrr",
"asset_type": "storage",
"asset_type_string": "AWS S3 Bucket",
"group_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"group_name": "scan-me-s3-bucket-s8rrr",
"group_type": "storage",
"group_type_string": "NonGroup",
"group_val": "nongroup",
"cluster_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"cluster_name": "scan-me-s3-bucket-s8rrr",
"cluster_type": "storage",
"level": 0,
"asset_state": "enabled",
"asset_labels": [
"internet_facing",
"pii"
],
"asset_vendor_id": "scan-me-s3-bucket-s8rrr",
"asset_regions": [
"us-east-1"
],
"asset_regions_names": [
"N. Virginia"
],
"source": "test_eicar_file",
"findings": {
"malware": [
{
"type": "malware",
"labels": [
"malware_found"
],
"virus_names": [
"EICAR-Test-File"
],
"modification_time": "2020-04-26T14:26:11+00:00",
"file": "/test_eicar_file",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"md5": "44d88612fea8a8f36de82e1278abb02f",
"has_macro": False
}
]
},
"configuration": {
"user_status": "closed",
"jira_issue_link": "https://www.jira.com/myproject",
"jira_issue": "TP-41"
},
"state": {
"alert_id": "orca-59",
"status": "in_progress",
"status_time": "2020-12-30T09:57:33+00:00",
"created_at": "2020-11-08T12:58:52+00:00",
"last_seen": "2020-12-30T10:35:46+00:00",
"score": 1,
"severity": "compromised",
"low_since": None,
"high_since": "2020-12-15T15:33:49+00:00",
"in_verification": None
},
"priv": {
"key": "3ea22222274111114b011111bb311111",
"score": 1,
"orig_score": 1,
"alert_id": "orca-59",
"full_scan_time": "2020-12-30T10:35:46+00:00",
"organization_id": "11111111-1111-1111-1111-c111881c1111",
"organization_name": "Orca Security",
"context": "data",
"account_action_id_ctx": {
"data": "11111111-1111-1111-1111-8a529a011111"
},
"scan_id_ctx": {
"data": "11111111-1111-1111-1111-8a529a011111_111111111111_bucket-111111e11111-us-east-1"
},
"first_seen": "2020-11-08T13:03:37+00:00"
},
"hdr": {
"asset_category": "Storage",
"organization_id": "11111111-1111-1111-1111-c111881c1111",
"organization_name": "Orca Security",
"cloud_provider": "aws",
"cloud_provider_id": "111111111111",
"cloud_account_id": "10b11111-1111-1111-91d5-11111de11111",
"context": "data",
"asset_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"asset_type": "storage",
"asset_type_string": "AWS S3 Bucket",
"asset_name": "scan-me-s3-bucket-s8rrr",
"group_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"group_name": "scan-me-s3-bucket-s8rrr",
"group_type": "storage",
"group_type_string": "NonGroup",
"cluster_unique_id": "storage_111111e11111_scan-me-s3-bucket-s8rrr",
"cluster_type": "storage",
"cluster_name": "scan-me-s3-bucket-s8rrr",
"level": 0,
"group_val": "nongroup",
"asset_vendor_id": "scan-me-s3-bucket-s8rrr",
"cloud_vendor_id": "111111111111",
"asset_state": "enabled",
"account_name": "111111111111",
"asset_labels": [
"internet_facing"
]
},
"insert_time": "2020-12-30T10:45:21+00:00"
},
{
"type": "malware",
"rule_id": "r1111ea1111",
"type_string": "Malware",
"type_key": "/usr/local/bin/eicarcom2.zip",
"category": "Malware",
"description": "Malware EICAR-Test-File found on asset",
"details": "We have detected a file infected with EICAR-Test-File on the asset.",
"recommendation": "Remediate the host and attend additional alerts on the host to close the infection path.",
"alert_labels": [
"malware_found"
],
"asset_category": "Image",
"cloud_provider_id": "111111111111",
"cloud_provider": "aws",
"cloud_account_id": "10b11111-1111-1111-91d5-11111de11111",
"cloud_vendor_id": "111111111111",
"account_name": "111111111111",
"asset_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"asset_name": "my_test_image-1231asdasjdn",
"asset_type": "vmimage",
"asset_type_string": "VM Image",
"group_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"group_name": "my_test_image-1231asdasjdn",
"group_type": "vmimage",
"group_type_string": "NonGroup",
"group_val": "nongroup",
"cluster_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"cluster_name": "my_test_image-1231asdasjdn",
"cluster_type": "vmimage",
"level": 0,
"asset_vendor_id": "ami-11111c111111d7911",
"asset_distribution_name": "Ubuntu",
"asset_distribution_version": "18.04",
"asset_role_names": [
"mysql",
"ssh",
"haproxy",
"postgresql"
],
"source": "eicarcom2.zip",
"findings": {
"malware": [
{
"type": "malware",
"labels": [
"malware_found"
],
"virus_names": [
"EICAR-Test-File"
],
"modification_time": "2019-07-09T21:16:26+00:00",
"file": "/usr/local/bin/eicarcom2.zip",
"sha256": "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397",
"sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae",
"md5": "e4968ef99266df7c9a1f0637d2389dab",
"has_macro": False
}
]
},
"configuration": {},
"state": {
"alert_id": "orca-242",
"status": "open",
"status_time": "2020-11-08T12:58:54+00:00",
"created_at": "2020-11-08T12:58:54+00:00",
"last_seen": "2020-12-30T10:35:48+00:00",
"score": 1,
"severity": "compromised",
"low_since": None,
"high_since": "2020-11-08T13:04:32+00:00",
"in_verification": None
},
"priv": {
"key": "3696080647d937b881eee2cfdd6c3943",
"score": 1,
"orig_score": 1,
"alert_id": "orca-242",
"full_scan_time": "2020-12-30T10:35:48+00:00",
"organization_id": "11111111-1111-1111-1111-c111881c1111",
"organization_name": "Orca Security",
"context": "data",
"account_action_id_ctx": {
"data": "11111111-1111-1111-1111-8a529a011111"
},
"scan_id_ctx": {
"data": "11111111-1111-1111-1111-8a529a011111_111111111111_ami-11111c111111d7911"
},
"first_seen": "2020-11-08T13:04:32+00:00"
},
"hdr": {
"asset_category": "Image",
"organization_id": "11111111-1111-1111-1111-c111881c1111",
"organization_name": "Orca Security",
"cloud_provider": "aws",
"cloud_provider_id": "111111111111",
"cloud_account_id": "10b11111-1111-1111-91d5-11111de11111",
"context": "data",
"asset_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"asset_type": "vmimage",
"asset_type_string": "VM Image",
"asset_name": "my_test_image-1231asdasjdn",
"group_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"group_name": "my_test_image-1231asdasjdn",
"group_type": "vmimage",
"group_type_string": "NonGroup",
"cluster_unique_id": "vmimage_111111e11111_ami-11111c111111d7911",
"cluster_type": "vmimage",
"cluster_name": "my_test_image-1231asdasjdn",
"level": 0,
"group_val": "nongroup",
"asset_vendor_id": "ami-11111c111111d7911",
"cloud_vendor_id": "111111111111",
"account_name": "111111111111"
},
"insert_time": "2020-12-30T10:44:11+00:00"
}
]
}
mocker.patch.object(demisto, 'getLastRun', return_value={'lastRun': None})
requests_mock.get(f"{ORCA_API_DNS_NAME}/query/alerts", json=mock_response)
fetched_incidents = fetch_incidents(orca_client, max_fetch=20, pull_existing_alerts=True, first_fetch_time=None)
assert fetched_incidents[0]['name'] == 'orca-59'
loaded_raw_alert = json.loads(fetched_incidents[0]['rawJSON'])
assert loaded_raw_alert['demisto_score'] == 4
assert fetched_incidents[1]['name'] == 'orca-242'
loaded_raw_alert = json.loads(fetched_incidents[1]['rawJSON'])
assert loaded_raw_alert['demisto_score'] == 4