def test_signal_get_details(requests_mock):
    """Tests sumologic-sec-signal-get-details command function.

    The GET to ``/sec/v1/signals/<id>`` is intercepted by ``requests_mock`` and
    answered with the ``signal_details.json`` fixture. The expected output is the
    fixture's ``data`` object, minus ``allRecords``, run through
    ``insight_signal_to_readable``.
    """
    from SumoLogicCloudSIEM import Client, signal_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/signal_details.json')
    signal_id = '2b449e56-f6e8-5306-980a-447a8c026b77'

    # The fixture's data object is mutated in place, so the mocked HTTP body and
    # the expected value are both built without 'allRecords'.
    raw_signal = fixture.get('data')
    raw_signal.pop('allRecords')
    expected = insight_signal_to_readable(raw_signal)

    requests_mock.get(f'{MOCK_URL}/sec/v1/signals/{signal_id}', json=fixture)

    # verify=False is tolerable only because MOCK_URL never leaves this process;
    # production Client construction must keep TLS verification enabled. The
    # auth tuple is a dummy placeholder, not a real access id / key pair.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    result = signal_get_details(client, {'signal_id': signal_id})

    assert result.outputs_prefix == 'SumoLogicSec.Signal'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
def test_insight_set_status(requests_mock):
    """Tests sumologic-sec-insight-set-status command function.

    The PUT to ``/sec/v1/insights/<id>/status`` is answered with the
    ``insight_status.json`` fixture. Every nested signal has ``allRecords``
    stripped before the fixture is used both as the mocked body and as the
    source of the expected readable output.
    """
    from SumoLogicCloudSIEM import Client, insight_set_status, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/insight_status.json')
    insight_id = 'INSIGHT-221'

    # In-place mutation: the mocked response body loses 'allRecords' as well.
    for nested_signal in fixture['data']['signals']:
        nested_signal.pop('allRecords')
    expected = insight_signal_to_readable(fixture.get('data'))

    requests_mock.put(f'{MOCK_URL}/sec/v1/insights/{insight_id}/status', json=fixture)

    # verify=False / dummy credentials are test-only settings against the local
    # mock; do not carry them into a real Client.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    command_args = {
        'insight_id': insight_id,
        'status': 'closed',
        'resolution': 'Resolved',
    }
    result = insight_set_status(client, command_args)

    assert result.outputs_prefix == 'SumoLogicSec.Insight'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
def test_signal_search(requests_mock):
    """Tests sumologic-sec-signal-search command function.

    Registers a mock for the signal search endpoint (query ``contentType:"ANOMALY"``,
    ``limit=2``) backed by ``signal_list.json`` and checks that the command returns
    the readable form of every object in the fixture, each without ``allRecords``.
    """
    from SumoLogicCloudSIEM import Client, signal_search, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/signal_list.json')
    raw_signals = fixture['data']['objects']

    # Strip 'allRecords' in place (also affects the mocked body), then build the
    # expected readable list.
    for raw in raw_signals:
        raw.pop('allRecords')
    expected = [insight_signal_to_readable(raw) for raw in raw_signals]

    requests_mock.get(f'{MOCK_URL}/sec/v1/signals?q=contentType:"ANOMALY"&limit=2', json=fixture)

    # Test-only transport settings (no TLS verification, dummy credentials)
    # against the local mock URL.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    command_args = {
        'created': 'All time',
        'contentType': 'ANOMALY',
        'limit': '2',
    }
    result = signal_search(client, command_args)

    assert result.outputs_prefix == 'SumoLogicSec.SignalList'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
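def test_insight_get_details_without_summary_fields(requests_mock):
    """Tests sumologic-sec-insight-get-details with only ``insight_id`` supplied.

    This function was previously also named ``test_insight_get_details``; a later
    definition with the same name in this module rebinds that attribute, so pytest
    only collected the later one and this variant never ran. It is renamed so both
    cases are collected. NOTE(review): because it was dormant, confirm it still
    passes against the current command — if the command now requires
    ``record_summary_fields`` in ``args``, either pass it here or drop this case.

    The mock URL carries no query string, so the match does not constrain which
    query parameters the command appends.
    """
    from SumoLogicCloudSIEM import Client, insight_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/insight_details.json')
    insight_id = 'INSIGHT-220'
    expected = insight_signal_to_readable(fixture.get('data'))

    requests_mock.get(f'{MOCK_URL}/sec/v1/insights/{insight_id}', json=fixture)

    # verify=False and the placeholder auth tuple are acceptable only against the
    # local mock; a real Client must keep TLS verification on.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    result = insight_get_details(client, {'insight_id': insight_id})

    assert result.outputs_prefix == 'SumoLogicSec.Insight'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
    assert result.readable_output == tableToMarkdown(
        'Insight Details:',
        [expected],
        [
            'Id', 'ReadableId', 'Name', 'Action', 'Status', 'Assignee', 'Description',
            'LastUpdated', 'LastUpdatedBy', 'Severity', 'Closed', 'ClosedBy', 'Timestamp',
            'Entity', 'Resolution',
        ],
        headerTransform=pascalToSpace,
    )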
def test_insight_search(requests_mock):
    """Tests sumologic-sec-insight-search command function.

    Mocks ``/sec/v1/insights?limit=2`` with ``insight_list.json`` and expects the
    readable form of each fixture object. Unlike the signal tests, nothing is
    stripped from the fixture here.
    """
    from SumoLogicCloudSIEM import Client, insight_search, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/insight_list.json')
    expected = [insight_signal_to_readable(raw) for raw in fixture['data']['objects']]

    requests_mock.get(f'{MOCK_URL}/sec/v1/insights?limit=2', json=fixture)

    # Test-only transport settings against the local mock URL: TLS verification
    # disabled and a dummy credential pair.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    result = insight_search(client, {'limit': '2'})

    assert result.outputs_prefix == 'SumoLogicSec.InsightList'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
def test_insight_get_details(requests_mock):
    """Tests sumologic-sec-insight-get-details command function.

    The mock is registered with the full query string (``exclude=signals.allRecords``
    plus the comma-separated ``recordSummaryFields``), presumably so the test also
    pins the query the command sends when given ``RECORD_SUMMARY_FIELDS_DEFAULT`` —
    confirm against requests_mock's query-matching semantics. The field list below
    is spelled out literally rather than derived from the constant so the URL
    expectation does not silently track changes to it.
    """
    from SumoLogicCloudSIEM import Client, insight_get_details, insight_signal_to_readable, DEFAULT_HEADERS

    fixture = util_load_json('test_data/insight_details.json')
    insight_id = 'INSIGHT-220'
    expected = insight_signal_to_readable(fixture.get('data'))

    # '%2C' is the URL-encoded comma separating the summary field names.
    summary_fields = '%2C'.join([
        'action', 'description', 'device_hostname', 'device_ip', 'dstDevice_hostname',
        'dstDevice_ip', 'email_sender', 'file_basename', 'file_hash_md5', 'file_hash_sha1',
        'file_hash_sha256', 'srcDevice_hostname', 'srcDevice_ip', 'threat_name',
        'threat_category', 'threat_identifier', 'user_username', 'threat_url', 'listMatches',
    ])
    query = f'exclude=signals.allRecords&recordSummaryFields={summary_fields}'
    requests_mock.get(f'{MOCK_URL}/sec/v1/insights/{insight_id}?{query}', json=fixture)

    # verify=False and the placeholder auth tuple are test-only settings for the
    # local mock; production Client construction must verify TLS.
    client = Client(
        base_url=MOCK_URL,
        verify=False,
        headers=DEFAULT_HEADERS,
        proxy=False,
        auth=('access_id', 'access_key'),
        ok_codes=[200],
    )

    command_args = {
        'insight_id': insight_id,
        'record_summary_fields': RECORD_SUMMARY_FIELDS_DEFAULT,
    }
    result = insight_get_details(client, command_args)

    assert result.outputs_prefix == 'SumoLogicSec.Insight'
    assert result.outputs_key_field == 'Id'
    assert result.outputs == expected
    assert result.readable_output == tableToMarkdown(
        'Insight Details:',
        [expected],
        [
            'Id', 'ReadableId', 'Name', 'Action', 'Status', 'Assignee', 'Description',
            'LastUpdated', 'LastUpdatedBy', 'Severity', 'Closed', 'ClosedBy', 'Timestamp',
            'Entity', 'Resolution',
        ],
        headerTransform=pascalToSpace,
    )