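def test_fetch_incidents(requests_mock, mocker):
    """
    Given:
        - an incidents-list response and an extra-data response from XDR,
          with ``extra_data`` enabled and ``mirror_direction`` set to Incoming
    When:
        - running fetch_incidents
    Then:
        - two incidents are created
        - the first incident's name and rawJSON are built from the extra-data
          payload: alerts/artifacts flattened out of their ``data`` wrappers,
          mirroring fields added, list fields sorted

    NOTE(review): if another ``test_fetch_incidents`` is defined later in the
    same module, that later definition shadows this one at import time and
    pytest collects only the last -- confirm and rename if so.
    """
    from PaloAltoNetworks_XDR import fetch_incidents, Client, sort_all_list_incident_fields

    get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')

    # Expected rawJSON: the incident with alerts/artifacts lifted out of their
    # {'data': [...]} wrappers, plus the mirroring fields fetch_incidents adds.
    # The integration param is "Incoming"; the stored field is the short form 'In'.
    modified_raw_incident = raw_incident['reply']['incident'].copy()
    modified_raw_incident['alerts'] = raw_incident['reply'].get('alerts').get('data')
    modified_raw_incident['file_artifacts'] = raw_incident['reply'].get('file_artifacts').get('data')
    modified_raw_incident['network_artifacts'] = raw_incident['reply'].get('network_artifacts').get('data')
    modified_raw_incident['mirror_direction'] = 'In'
    modified_raw_incident['mirror_instance'] = 'MyInstance'

    # The mocks match on URL only: request headers (e.g. API auth) are not
    # asserted by this test.
    requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
    requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/', json=raw_incident)
    mocker.patch.object(demisto, 'params', return_value={"extra_data": True, "mirror_direction": "Incoming"})

    client = Client(
        base_url=f'{XDR_URL}/public_api/v1',
        headers={}
    )
    next_run, incidents = fetch_incidents(client, '3 month', 'MyInstance')
    # fetch_incidents sorts list fields before serialising; mirror that on the
    # expected dict so the json.dumps comparison below is order-insensitive.
    sort_all_list_incident_fields(modified_raw_incident)

    assert len(incidents) == 2
    assert incidents[0]['name'] == "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA " \
                                   "involving user Administrator"
    # Plain assert instead of `if ... not in ...: assert False` so pytest can
    # report the offending payload on failure.
    assert 'network_artifacts' in json.loads(incidents[0]['rawJSON'])
    assert incidents[0]['rawJSON'] == json.dumps(modified_raw_incident)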
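def test_fetch_incidents_with_rate_limit_error(requests_mock, mocker):
    """
    Given:
        - a Rate limit error occurs in the second call for 'get_extra_data_command'
    When
        - running fetch_incidents command
    Then
        - the first successful incident is being created
        - the second incident is saved for the next run
          (``next_run['incidents_from_previous_run']``) so it is retried
          rather than dropped
    """
    from PaloAltoNetworks_XDR import fetch_incidents, Client, sort_all_list_incident_fields

    get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')

    # Expected rawJSON of the one incident that does get created: alerts and
    # artifacts lifted out of their {'data': [...]} wrappers, plus the
    # mirroring fields. The integration param is "Incoming"; the stored
    # field is the short form 'In'.
    modified_raw_incident = raw_incident['reply']['incident'].copy()
    modified_raw_incident['alerts'] = raw_incident['reply'].get('alerts').get('data')
    modified_raw_incident['file_artifacts'] = raw_incident['reply'].get('file_artifacts').get('data')
    modified_raw_incident['network_artifacts'] = raw_incident['reply'].get('network_artifacts').get('data')
    modified_raw_incident['mirror_direction'] = 'In'
    modified_raw_incident['mirror_instance'] = 'MyInstance'

    requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
    requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/', json=raw_incident)
    # return_extra_data_result is a module-level helper not shown here; per the
    # docstring it should serve the first extra-data call and raise the rate
    # limit error on the second -- TODO confirm against its definition.
    mocker.patch('PaloAltoNetworks_XDR.get_incident_extra_data_command', side_effect=return_extra_data_result)
    mocker.patch.object(demisto, 'params', return_value={"extra_data": True, "mirror_direction": "Incoming"})

    client = Client(
        base_url=f'{XDR_URL}/public_api/v1',
        headers={}
    )
    next_run, incidents = fetch_incidents(client, '3 month', 'MyInstance')
    # Match the list-field ordering fetch_incidents applies before serialising.
    sort_all_list_incident_fields(modified_raw_incident)

    assert len(incidents) == 1  # because the second one raised a rate limit error
    assert incidents[0]['name'] == "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA " \
                                   "involving user Administrator"

    # The rate-limited incident must be carried over, not silently lost.
    incidents_from_previous_run = next_run.get('incidents_from_previous_run')
    assert incidents_from_previous_run
    assert len(incidents_from_previous_run) == 1
    assert incidents_from_previous_run[0].get('incident_id') == '2'

    # Plain assert instead of `if ... not in ...: assert False` so pytest can
    # report the offending payload on failure.
    assert 'network_artifacts' in json.loads(incidents[0]['rawJSON'])
    assert incidents[0]['rawJSON'] == json.dumps(modified_raw_incident)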
def test_fetch_incidents(requests_mock):
    """
    Given:
        - an incidents-list response from XDR (no extra-data call is mocked)
    When:
        - running fetch_incidents with an empty last-run dict
    Then:
        - both listed incidents are created, named from their id/description/host/user
        - the first incident's rawJSON is its list entry serialised unchanged

    NOTE(review): if another ``test_fetch_incidents`` exists earlier in the
    same module, this definition shadows it and only this one is collected
    by pytest -- confirm and rename if so.
    """
    from PaloAltoNetworks_XDR import fetch_incidents, Client

    incidents_url = f'{XDR_URL}/public_api/v1/incidents/get_incidents/'
    list_response = load_test_data('./test_data/get_incidents_list.json')
    # URL-only match: request headers are not checked by this mock.
    requests_mock.post(incidents_url, json=list_response)

    xdr_client = Client(
        base_url=f'{XDR_URL}/public_api/v1'
    )
    _next_run, fetched = fetch_incidents(xdr_client, '3 month', {})

    expected_names = (
        "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA "
        "involving user Administrator",
        "#2 - 'Local Analysis Malware' generated by XDR Agent detected on host BBBBB "
        "involving user Administrator",
    )
    assert len(fetched) == 2
    for created, expected_name in zip(fetched, expected_names):
        assert created['name'] == expected_name

    first_listed = list_response['reply']['incidents'][0]
    assert fetched[0]['rawJSON'] == json.dumps(first_listed)