def test_first_fetch_incidents(mocked_parse_date_range, requests_mock):
    """First fetch (empty ``last_run``): the look-back start comes from parse_date_range.

    ``mocked_parse_date_range`` is a fixture provided elsewhere in the test module; it is
    pinned to a fixed start time so the URL the client builds is deterministic.
    ``verify=False`` only turns off TLS verification for ``MOCK_URL``, which
    ``requests_mock`` intercepts anyway — never carry that setting into a real
    integration configuration.
    """
    start_time = "2010-01-01T00:00:00Z"
    mocked_parse_date_range.return_value = (start_time, "never mind")

    # The mock is registered with the URL-encoded start time, so the test also pins
    # the ``sinceTime`` query the client is expected to send.
    expected_url = MOCK_URL + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z"
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    client_kwargs = dict(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # throwaway test credentials, not real ones
        secret="123",
        verify=False,
    )
    tap_client = Client(**client_kwargs)

    next_run, incidents = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status="",
        threat_type="",
    )

    assert len(incidents) == 4
    # Expected messageID must match MOCK_ALL_EVENTS; the literal appears redacted
    # in this copy of the file — compare against the fixture when in doubt.
    first_raw = json.loads(incidents[0]["rawJSON"])
    assert first_raw["messageID"] == "*****@*****.**"
    assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_next_fetch(requests_mock):
    """Subsequent fetch: ``last_run`` already carries ``last_fetch``.

    The registered mock URL includes both ``threatStatus`` values, so the test also
    checks that a list-valued ``threat_status`` is expanded into repeated query
    parameters. ``verify=False`` is acceptable here only because the request never
    leaves the process (``requests_mock`` answers it); production settings must keep
    TLS verification enabled.
    """
    last_fetch = "2010-01-01T00:00:00Z"
    expected_url = (
        MOCK_URL
        + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z"
        + "&threatStatus=active&threatStatus=cleared"
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # dummy credentials for the mocked endpoint
        secret="123",
        verify=False,
    )

    fetch_kwargs = dict(
        client=tap_client,
        last_run={"last_fetch": last_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
    )
    next_run, incidents = fetch_incidents(**fetch_kwargs)

    assert len(incidents) == 4
    # Literal appears redacted in this copy; it has to equal the first messageID in
    # MOCK_ALL_EVENTS.
    assert json.loads(incidents[0]["rawJSON"])["messageID"] == "*****@*****.**"
    assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_next_fetch(requests_mock, mocker):
    """Subsequent fetch with the interval-based API: ``last_fetch`` .. ``get_now()``.

    ``get_now`` is patched to the same instant as ``last_fetch`` so the ``interval``
    query parameter is a fixed, URL-encoded ``start/end`` pair. The datetime handed
    to the patch is naive (no tzinfo), matching what ``strptime`` with a literal
    ``Z`` produces in the original test. ``verify=False`` is only tolerable because
    ``requests_mock`` serves the response; do not reuse it outside tests.
    """
    last_fetch = "2010-01-01T00:00:00Z"
    frozen_now = datetime.strptime(last_fetch, "%Y-%m-%dT%H:%M:%SZ")
    mocker.patch('ProofpointTAP_v2.get_now', return_value=frozen_now)

    # ``%2F`` is the encoded "/" separating the two halves of the interval.
    expected_url = (
        MOCK_URL
        + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%'
        + '2F2010-01-01T00%3A00%3A00Z&threatStatus=active&threatStatus=cleared'
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # dummy credentials for the mocked endpoint
        secret="123",
        verify=False,
        proxies=None,
    )

    # Third return value (remaining incidents beyond ``limit``) is not needed here.
    next_run, incidents, _remaining = fetch_incidents(
        client=tap_client,
        last_run={"last_fetch": last_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=50,
    )

    assert len(incidents) == 4
    last_raw = json.loads(incidents[3]['rawJSON'])
    assert last_raw["messageID"] == "4444"
def test_first_fetch_incidents(requests_mock, mocker):
    """First fetch with the interval-based API (empty ``last_run``).

    Both ``get_now`` and ``parse_date_range`` are patched so the start and end of the
    ``interval`` query parameter are fixed; ``get_mocked_time`` is a helper defined
    elsewhere in the test module. ``verify=False`` only affects the intercepted call
    to ``MOCK_URL``; keep TLS verification on in any real configuration.
    """
    mocker.patch('ProofpointTAP_v2.get_now', return_value=get_mocked_time())
    mocker.patch(
        'ProofpointTAP_v2.parse_date_range',
        return_value=("2010-01-01T00:00:00Z", 'never mind'),
    )

    expected_url = (
        MOCK_URL
        + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z'
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    client_kwargs = dict(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # dummy credentials for the mocked endpoint
        secret="123",
        verify=False,
        proxies=None,
    )
    tap_client = Client(**client_kwargs)

    # The remaining-incidents value is irrelevant without a ``limit``.
    next_run, incidents, _remaining = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status="",
        threat_type="",
    )

    assert len(incidents) == 4
    assert json.loads(incidents[3]['rawJSON'])["messageID"] == "4444"
def test_fetch_limit(requests_mock, mocker):
    """``limit`` caps incidents per run; the overflow is carried via integration_context.

    Run 1 fetches the four mocked events with ``limit=3``: three are returned and one
    is handed back as ``remained``. Run 2 is given that remainder through
    ``integration_context`` and must drain it (one incident, nothing left). In both
    runs ``last_fetch`` must stay at the frozen "now" rather than advance.

    The mock is registered on the bare path (no query string), so this test does not
    pin the query parameters. ``verify=False`` is only acceptable because the
    request is intercepted by ``requests_mock``.
    """
    frozen_iso = "2010-01-01T00:00:00Z"
    # Same instant as ``frozen_iso``, naive, exactly as strptime with a literal Z yields.
    frozen_now = datetime(2010, 1, 1, 0, 0, 0)
    mocker.patch('ProofpointTAP_v2.get_now', return_value=frozen_now)
    requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)

    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # dummy credentials for the mocked endpoint
        secret="123",
        verify=False,
        proxies=None,
    )

    # Both runs share the same last_run input; the same dict object is passed twice,
    # as in the original test.
    previous_run = {"last_fetch": frozen_iso}
    common_kwargs = dict(
        client=tap_client,
        last_run=previous_run,
        first_fetch_time="3 days",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=3,
    )

    # Run 1: four events, limit three -> one carried over.
    next_run, incidents, remained = fetch_incidents(**common_kwargs)
    assert next_run['last_fetch'] == frozen_iso
    assert len(incidents) == 3
    assert len(remained) == 1

    # Run 2: the carried-over incident is consumed from integration_context.
    next_run, incidents, remained = fetch_incidents(
        integration_context={'incidents': remained},
        **common_kwargs,
    )
    assert next_run['last_fetch'] == frozen_iso
    assert len(incidents) == 1
    assert not remained
def test_fetch_incidents_with_encoding(requests_mock, mocker):
    """
    Given:
        - Message with latin chars in its subject
        - Raw JSON encoding param set to latin-1

    When:
        - Running fetch incidents

    Then:
        - Ensure subject is returned properly in the raw JSON

    Notes:
        The mocked subject ``'p\\u00c3\\u00a9rdida'`` is the two-character sequence
        ``Ã©`` — what UTF-8 bytes of ``é`` look like when decoded as latin-1.
        Passing ``raw_json_encoding='latin-1'`` is expected to undo that and yield
        ``pérdida``; the exact mechanism lives in ``fetch_incidents`` and is not
        visible here. ``verify=False`` only affects the intercepted request.
    """
    mocker.patch('ProofpointTAP_v2.get_now', return_value=get_mocked_time())
    mocker.patch(
        'ProofpointTAP_v2.parse_date_range',
        return_value=("2010-01-01T00:00:00Z", 'never mind'),
    )

    mojibake_subject = 'p\u00c3\u00a9rdida'
    delivered_message = {
        'subject': mojibake_subject,
        'messageTime': '2010-01-30T00:00:59.000Z',
    }
    expected_url = (
        MOCK_URL
        + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z'
    )
    requests_mock.get(expected_url, json={"messagesDelivered": [delivered_message]})

    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version='v2',
        service_principal='user1',  # dummy credentials for the mocked endpoint
        secret='123',
        verify=False,
        proxies=None,
    )

    # Only the incidents are of interest; next_run and the remainder are discarded.
    _next_run, incidents, _remaining = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time='3 month',
        event_type_filter=ALL_EVENTS,
        threat_status='',
        threat_type='',
        raw_json_encoding='latin-1',
    )

    decoded_subject = json.loads(incidents[0]['rawJSON'])['subject']
    assert decoded_subject == 'pérdida'
def test_fetch_limit(requests_mock):
    """``limit`` caps the incidents returned by a single fetch (two-value return variant).

    With ``limit=3`` only the first three of the mocked events are returned, and
    ``last_fetch`` advances to the timestamp of the last returned event rather than
    to the newest event in the feed. The mock is registered on the bare path, so the
    query string is not checked. ``verify=False`` is only acceptable because
    ``requests_mock`` intercepts the call; production configurations must verify TLS.
    """
    last_fetch = "2010-01-01T00:00:00Z"
    requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)

    client_kwargs = dict(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",  # dummy credentials for the mocked endpoint
        secret="123",
        verify=False,
        proxies=None,
    )
    tap_client = Client(**client_kwargs)

    next_run, incidents = fetch_incidents(
        client=tap_client,
        last_run={"last_fetch": last_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=3,
    )

    assert len(incidents) == 3
    # Expected value is the timestamp of the third mocked event (see MOCK_ALL_EVENTS).
    assert next_run.get('last_fetch') == '2010-01-11T00:00:21Z'