def test_fetch_indicators_command(mocker):
    """
    Exercise fetch_indicators_command against a mocked bucket listing and a mocked TSV iterator.

    Two scenarios share the same single-row feed and the same expected output:
    1. The bucket listing returns one gzipped key modified just now.
    2. The listing is empty and the last processed key is supplied from the
       integration context (``get_last_key_from_integration_context_dict``).
    In both cases the first yielded batch must be exactly one Domain indicator
    carrying the tags passed in.
    """
    import csv
    from SecurityIntelligenceServicesFeed import fetch_indicators_command, datetime, timezone

    raw_row = '007blog.icu\t1590810346'
    first_seen = datetime.fromtimestamp(1590810346, timezone.utc).isoformat()

    def one_row_iterator():
        # A DictReader is a one-shot iterator, so a fresh one is built per scenario.
        # NOTE(review): the fixture holds a single well-formed row only; rows with stray
        # quotes or extra tab-separated columns from the remote feed are not exercised here.
        return [csv.DictReader(f=[raw_row], fieldnames=['value', 'Timestamp'], delimiter='\t')]

    expected_response = [{
        'value': '007blog.icu',
        'type': 'Domain',
        'rawJSON': OrderedDict([('value', '007blog.icu'),
                                ('Timestamp', '1590810346'),
                                ('type', 'Domain')]),
        'fields': {'service': 'Passive Total', 'tags': ['s3', 's4'], 'firstseenbysource': first_seen},
    }]

    # Scenario 1: one key in the bucket, fetched with a one-day first-fetch window.
    mocker.patch('SecurityIntelligenceServicesFeed.Client.request_list_objects',
                 return_value=[{'Key': 'key1.gz', 'LastModified': datetime.now(timezone.utc)}])
    mocker.patch('SecurityIntelligenceServicesFeed.Client.build_iterator',
                 return_value=one_row_iterator())

    first_batch = next(fetch_indicators_command(client=CLIENT, feed_types=['domain'],
                                                first_fetch_interval='1 day', tags=['s3', 's4']))
    assert first_batch == expected_response

    # Scenario 2: nothing listed in the bucket; the previously seen key comes from the
    # integration context and a limit of one row is applied.
    mocker.patch('SecurityIntelligenceServicesFeed.Client.request_list_objects', return_value=[])
    mocker.patch('SecurityIntelligenceServicesFeed.get_last_key_from_integration_context_dict',
                 return_value='key1')
    mocker.patch('SecurityIntelligenceServicesFeed.Client.build_iterator',
                 return_value=one_row_iterator())

    first_batch = next(fetch_indicators_command(client=CLIENT, feed_types=['domain'],
                                                first_fetch_interval='0 day', limit='1',
                                                tags=['s3', 's4']))
    assert first_batch == expected_response
def test_indicator_field_mapping():
    """
    Check indicator_field_mapping for the domain, phish and malware feed shapes.

    Each feed type carries differently named raw columns; the assertions pin the
    exact XSOAR field dict produced for each, including how ``tlp_color`` is
    reflected: 'AMBER' yields a 'trafficlightprotocol' entry, while '' and None
    yield none.
    """
    from SecurityIntelligenceServicesFeed import indicator_field_mapping, datetime, timezone

    value = '007blog.icu'
    raw_expiration = '2020-06-15 00:25:44.0'
    iso_expiration = '2020-06-15T00:25:44+00:00'

    # Domain feed: only the Timestamp column is mapped, as an ISO-8601 UTC first-seen time.
    domain_fields = indicator_field_mapping('domain', {'value': value, 'Timestamp': '1590810346'},
                                            tags=['s3'], tlp_color='')
    assert domain_fields == {
        'service': 'Passive Total',
        'firstseenbysource': datetime.fromtimestamp(1590810346, timezone.utc).isoformat(),
        'tags': ['s3'],
    }

    # Phish feed: Category -> siscategory, Expiration -> sisexpiration, TLP colour carried through.
    phish_fields = indicator_field_mapping('phish',
                                           {'value': value, 'type': 'URL', 'MatchType': 'type',
                                            'Category': 'category',
                                            'Expiration': raw_expiration,
                                            }, tags=['s3'], tlp_color='AMBER')
    assert phish_fields == {
        'service': 'Passive Total',
        'siscategory': 'category',
        'threattypes': [{'threatcategory': 'Phishing'}],
        'sismatchtype': 'type',
        'sisexpiration': iso_expiration,
        'tags': ['s3'],
        'trafficlightprotocol': 'AMBER',
    }

    # Malware feed: MalwareType -> sismalwaretype; tlp_color=None adds no TLP field.
    malware_fields = indicator_field_mapping('malware',
                                             {'value': value, 'type': 'URL', 'MatchType': 'type',
                                              'MaliciousExpiration': raw_expiration,
                                              'MalwareType': 'category',
                                              'Expiration': raw_expiration,
                                              }, tags=['s3'], tlp_color=None)
    assert malware_fields == {
        'service': 'Passive Total',
        'sismalwaretype': 'category',
        'threattypes': [{'threatcategory': 'Malware'}],
        'sismatchtype': 'type',
        'sisexpiration': iso_expiration,
        'tags': ['s3'],
    }
def test_get_indicators_command(mocker):
    """
    Exercise get_indicators_command against a mocked one-row Domain feed.

    Scenario 1: the bucket lists one gzipped key and the iterator yields one TSV
    row; the result's ``to_context()`` must equal the expected war-room entry
    (contents, markdown table, empty EntryContext).
    Scenario 2: the iterator yields no rows; the command must return the
    ``MESSAGES['NO_INDICATORS_FOUND']`` value instead of an entry.
    """
    import csv
    from SecurityIntelligenceServicesFeed import get_indicators_command, datetime, timezone

    args = {
        'feed_type': 'Domain',
        'limit': 1
    }

    markdown = ''.join([
        '### Total indicators fetched: 1\n',
        '### Indicators from Security Intelligence Services feed\n',
        '|Value|Type|\n',
        '|---|---|\n',
        '| 007blog.icu | Domain |\n',
    ])
    expected_entry = {
        'Type': 1,
        'ContentsFormat': 'json',
        'Contents': [{
            'value': '007blog.icu',
            'type': 'Domain',
            'rawJSON': OrderedDict([('value', '007blog.icu'),
                                    ('Timestamp', '1590810346'),
                                    ('type', 'Domain')]),
            'fields': {
                'service': 'Passive Total',
                'firstseenbysource': datetime.fromtimestamp(1590810346, timezone.utc).isoformat(),
            },
        }],
        'HumanReadable': markdown,
        'EntryContext': {},
        'IndicatorTimeline': [],
        'IgnoreAutoExtract': False,
        'Note': False,
    }

    # Scenario 1: one key in the bucket and one row, parsed with quoting disabled.
    mocker.patch('SecurityIntelligenceServicesFeed.Client.request_list_objects',
                 return_value=[{'Key': 'key1.gz', 'LastModified': datetime.now(timezone.utc)}])
    mocker.patch('SecurityIntelligenceServicesFeed.Client.build_iterator',
                 return_value=[csv.DictReader(f=['007blog.icu\t1590810346'], fieldnames=['value', 'Timestamp'],
                                              delimiter='\t',
                                              quoting=csv.QUOTE_NONE)])
    result = get_indicators_command(CLIENT, args)
    assert result.to_context() == expected_entry

    # Scenario 2: an empty iterator. NOTE(review): this mock returns a bare DictReader
    # over '' rather than a list of readers as in scenario 1; both iterate to nothing,
    # but the shape differs from the other build_iterator mocks in this file — confirm
    # which shape the real Client.build_iterator produces.
    mocker.patch('SecurityIntelligenceServicesFeed.Client.build_iterator',
                 return_value=csv.DictReader(f='', fieldnames=['value', 'Timestamp'], delimiter='\t'))
    result = get_indicators_command(CLIENT, args)
    assert result == MESSAGES['NO_INDICATORS_FOUND']