def test_query_response_found(self):
    """Query the 'security_advisor' module and expect the pattern echoed back as ``search_id``.

    The connector is driven through ``StixTransmission`` with the module-level
    ``CONNECTION``/``CONFIG`` fixtures; the test checks the success flag and that
    the ``search_id`` handle equals the submitted STIX pattern.
    """
    stix_pattern = "[url:value = '*****@*****.**']"
    transmission = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
    response = transmission.query(stix_pattern)

    assert response is not None
    assert 'success' in response
    assert response['success'] is True
    assert 'search_id' in response
    # This connector hands the pattern back unchanged as the search handle.
    assert response['search_id'] == stix_pattern
def test_reversinglabs_ping(self, mock_ping_response, mock_api_client):
    """Ping ``MODULE_NAME`` with the API client patched out and a 200 ``{"success": True}`` body.

    ``mock_ping_response`` and ``mock_api_client`` are injected by patch decorators
    that live outside this listing.
    """
    mock_api_client.return_value = None
    mock_ping_response.return_value = Response({"success": True}, 200)

    transmission = stix_transmission.StixTransmission(MODULE_NAME, connection, config)
    result = transmission.ping()

    assert result is not None
    assert result['success']
def test_delete_query_exception(mock_create_status):
    """Delete on 'aws_cloud_watch_logs' turns a ``MockExceptionResponse`` into a failed result.

    Expects ``success`` to be ``False`` and an ``error`` entry to be present.
    """
    mock_create_status.return_value = MockExceptionResponse()
    transmission = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)

    result = transmission.delete('10.20.30.40')

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
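def test_reversinglabs_status(self, mock_api_client):
    """Status lookup on ``MODULE_NAME`` reports a COMPLETED search at 100% progress.

    The original wrote each check as ``assert key in resp, resp[key] == value``;
    the part after the comma is only the assertion *message*, so the value
    comparison was never evaluated. Each key and value is now asserted on its own.
    """
    mock_api_client.return_value = None
    transmission = stix_transmission.StixTransmission(MODULE_NAME, connection, config)

    query_response = transmission.status(SAMPLE_DATA)

    assert query_response is not None
    assert 'success' in query_response
    assert query_response['success'] is True
    assert 'status' in query_response
    assert query_response['status'] == 'COMPLETED'
    assert 'progress' in query_response
    assert query_response['progress'] == 100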
def test_delete_query_connection(mock_delete_query):
    """Delete the search identified by ``SEARCH_ID`` on 'arcsight' against a mocked 200 reply."""
    mock_delete_query.return_value = ArcsightMockResponse(200, "")
    transmission = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)

    result = transmission.delete(SEARCH_ID)

    assert result is not None
    assert 'success' in result
    assert result['success'] is True
def test_delete_query_connection(mock_delete_query):
    """Delete a search on 'aws_cloud_watch_logs' with the AWS client mocked to a JSON reply."""
    mock_delete_query.return_value = AWSMockJsonResponse()
    search_handle = "0c8ed381-f1c8-406d-a293-406b64607870"

    transmission = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)
    result = transmission.delete(search_handle)

    assert result is not None
    assert 'success' in result
    assert result['success'] is True
def test_results_all_response(self, mock_results_response, mock_api_client, mock_generate_token):
    """Fetch one page of alert results from 'azure_sentinel' against a canned Graph response.

    The token generator and API client are patched out; the mocked 200 body is a
    Graph ``security/alerts`` page (file states and processes). Only the envelope
    is asserted: success, and a non-``None`` ``data`` entry.
    """
    mock_api_client.return_value = None
    mock_generate_token.return_value = AdalMockResponse

    # Backslash-newline inside the literal joins the long URL without inserting whitespace.
    graph_page = """{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts(fileStates)",
    "@odata.nextLink": "https://graph.microsoft.com/beta/security/alerts?$select=filestates&$filter=fileStates%\
2fany(x%3ax%2fname+eq+%27services.exe%27)+and+eventDateTime+ge+2019-10-13T08%3a00Z+and+eventDateTime+le\
+2019-11-13T08%3a00Z&$top=1&$skip=1&$skiptoken=45e372bf-0f5d-4d0b-b244-7d762a909a0e",
    "value": [
        {
            "fileStates": [
                {
                    "name": "services.exe",
                    "path": "c:\\\\windows\\\\system32\\\\services.exe",
                    "riskScore": null,
                    "fileHash": {
                        "hashType": "sha256",
                        "hashValue": "00a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d2d644169d"
                    }
                },
                {
                    "name": "svchost.exe",
                    "path": "c:\\\\windows\\\\system32\\\\svchost.exe",
                    "riskScore": null,
                    "fileHash": {
                        "hashType": "sha256",
                        "hashValue": "33a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d644169d"
                    }
                }
            ],
            "processes": [
                {
                    "processId": 1234,
                    "fileHash": {
                        "hashType": "sha256",
                        "hashValue": "33a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d644169d"
                    }
                }
            ]
        }
    ]
}"""
    mock_results_response.return_value = AzureSentinelMockResponse(200, graph_page)

    odata_query = "$select=filestates&$filter=fileStates/any(x:x/name eq 'services.exe') and eventDateTime ge \
2019-10-13T08:00Z and eventDateTime le 2019-11-13T08:00Z&$top=1&$skip=1"
    page_offset, page_length = 0, 1

    transmission = stix_transmission.StixTransmission('azure_sentinel', self.connection(), self.config())
    result = transmission.results(odata_query, page_offset, page_length)

    assert result is not None
    assert result['success']
    assert 'data' in result
    assert result['data'] is not None
def test_ping_endpoint_auth_failed(self, mock_ping_response):
    """Ping 'security_advisor' when both the IAM token endpoint and the providers endpoint return 500.

    ``mock_ping_response`` is a requests-style mocker: ``.post``/``.get`` register
    canned replies for the given URLs. The ping must report ``success`` as ``False``.
    """
    mock_ping_response.post('https://iam.cloud.ibm.com/identity/token', status_code=500)
    mock_ping_response.get('http://test_sec_adv.com/abc/providers', status_code=500)

    transmission = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
    result = transmission.ping()

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
def test_ping_endpoint_exception(self, mock_ping_response):
    """Ping 'security_advisor' with a token issued but no providers endpoint registered.

    Only the IAM token POST is mocked (with a placeholder token); the subsequent
    providers call has no canned reply, so the ping is expected to fail with an
    ``error`` entry.
    """
    mock_ping_response.post('https://iam.cloud.ibm.com/identity/token',
                            text='{ "access_token" : "ertyuiojhgfcvbnbv" }')

    transmission = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
    result = transmission.ping()

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
    assert result['error'] is not None
def test_create_status_exception(mock_create_status):
    """Status lookup on 'aws_cloud_watch_logs' maps a ``MockExceptionResponse`` to ``invalid_query``."""
    mock_create_status.return_value = MockExceptionResponse()
    transmission = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)

    result = transmission.status("xyz")

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
    assert result['code'] == 'invalid_query'
def test_ping_internal_server_exception(self, mock_ping_response):
    """A 500 from the 'paloalto' ping endpoint is reported with its ``err_msg`` and code ``invalid_parameter``."""
    server_error_body = '{"reply": {"err_msg":"Internal server error","err_extra":"server error"}}'
    mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(500, server_error_body))

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.ping()

    assert result is not None
    assert result['success'] is False
    # The connector surfaces the upstream err_msg text inside its own error string.
    assert "Internal server error" in result["error"]
    assert result["code"] == "invalid_parameter"
def test_ping_400_exception(self, mock_ping_response):
    """A 400 ``InvalidJson`` reply from the 'paloalto' ping endpoint maps to code ``invalid_query``."""
    bad_request_body = '{"reply":{"err_msg": "InvalidJson"}}'
    mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(400, bad_request_body))

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.ping()

    assert result is not None
    assert result['success'] is False
    assert 'error' in result
    assert result['code'] == "invalid_query"
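def test_delete_query_exception(self, mock_delete_response, mock_api_client):
    """Delete on ``MODULE_NAME`` propagates an exception from the client as a failed response.

    The original checks were written as ``assert key in resp, resp[key] == value``,
    which makes the comparison the assertion message rather than a check; the
    ``success`` and ``error`` values are now asserted separately.
    """
    error_msg = 'an error occured while checking the if the query is deleted'
    mock_api_client.return_value = None
    # side_effect takes precedence over return_value on a Mock; the latter is kept
    # only so the fixture shape matches the other tests.
    mock_delete_response.return_value = False
    mock_delete_response.side_effect = Exception(error_msg)

    transmission = stix_transmission.StixTransmission(MODULE_NAME, connection, config)
    query_response = transmission.delete("")

    assert 'success' in query_response
    assert query_response['success'] is False
    assert 'error' in query_response
    assert query_response['error'] == error_msg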
def test_auth_exception(mock_auth_value):
    """A 400 from the 'arcsight' token call makes ping fail with code ``authentication_fail``."""
    mock_auth_value.return_value = ArcsightMockResponse(400, '')
    transmission = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)

    result = transmission.ping()

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
    assert result['code'] == 'authentication_fail'
def test_ping_exception(mock_create_status):
    """Ping on 'aws_athena' maps a ``MockExceptionResponse`` to code ``authentication_fail``."""
    mock_create_status.return_value = MockExceptionResponse()
    transmission = stix_transmission.StixTransmission('aws_athena', CONNECTION, CONFIGURATION)

    result = transmission.ping()

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
    assert result['code'] == 'authentication_fail'
def test_status_response(self, mock_status_response):
    """A 'paloalto' reply with status SUCCESS is reported as a COMPLETED search."""
    success_body = '{"reply" : {"status": "SUCCESS","number_of_results":100}}'
    mock_status_response.return_value = StatusResponse(200, success_body)

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    assert result is not None
    assert 'success' in result
    assert result['success'] is True
    assert result['status'] == "COMPLETED"
def test_create_query_exception(mock_create_query):
    """Query on 'aws_cloud_watch_logs' maps an ``Exception`` return from the client to ``invalid_query``.

    Note the mock *returns* the exception object rather than raising it; the
    connector is still expected to report a failure.
    """
    mock_create_query.return_value = Exception("Invalid Query")
    transmission = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)

    result = transmission.query('sample query')

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
    assert result['code'] == "invalid_query"
def test_ping_401_auth_exception(self, mock_ping_response):
    """A 401 from the 'paloalto' ping endpoint maps to ``authentication_fail`` with an "Invalid api_key" message."""
    unauthorized_body = '{"reply": { "err_msg" : "auth Error"}}'
    mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(401, unauthorized_body))

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.ping()

    assert result is not None
    assert result['success'] is False
    assert result['code'] == "authentication_fail"
    # The connector substitutes its own wording for the upstream err_msg on 401.
    assert "Invalid api_key" in result['error']
def test_ping_endpoint_bad_return_code(self, mock_ping_response):
    """Ping 'security_advisor' with a valid token but a 500 from the providers endpoint."""
    mock_ping_response.post('https://iam.cloud.ibm.com/identity/token',
                            text='{ "access_token" : "ertyuiojhgfcvbnbv" }')
    mock_ping_response.get('http://test_sec_adv.com/abc/providers', status_code=500)

    transmission = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
    result = transmission.ping()

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
def test_ping_endpoint_bad_return_code(mock_ping_response):
    """Ping 'bigfix' when the XML endpoint answers 500; expect failure with a non-``None`` error."""
    mock_ping_response.return_value = BigFixMockHttpXMLResponse(500, MockHttpResponse('/exception'))
    transmission = stix_transmission.StixTransmission('bigfix', CONNECTION, CONFIG)

    result = transmission.ping()

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
    assert result['error'] is not None
def test_delete_query_exception(mock_create_status):
    """Delete on 'aws_athena' turns a ``MockExceptionResponse`` into a failed result with an ``error``."""
    mock_create_status.return_value = MockExceptionResponse()
    search_handle = '0c8ed381-f1c8-406d-a293-406b64604323:vpcflow'

    transmission = stix_transmission.StixTransmission('aws_athena', CONNECTION, CONFIGURATION)
    result = transmission.delete(search_handle)

    assert result is not None
    for key in ('success', 'error'):
        assert key in result
    assert result['success'] is False
def test_max_additional_quota_exception(self, mock_ping):
    """Query on 'paloalto' is refused with ``service_unavailable`` when the quota reply shows usage over the limit.

    The mocked quota body has ``used_quota`` (12) above ``license_quota`` (5) with
    the rest of the allowance in ``additional_purchased_quota``; the connector is
    expected to report the daily quota as exceeded.
    """
    quota_reply = {
        'reply': {
            'license_quota': 5,
            'additional_purchased_quota': 10.0,
            'used_quota': 12,
            'eval_quota': 0.0,
        }
    }
    mock_ping.side_effect = [MockResponse(MockStatusObj(200), json.dumps(quota_reply))]

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.query({})

    assert result is not None
    assert result['success'] is False
    assert result['code'] == "service_unavailable"
    assert "query usage exceeded max daily quota" in result['error']
def test_status_value_error_exception(self, mock_search_status):
    """A non-JSON 200 body from the 'paloalto' status endpoint is reported as "Cannot parse response"."""
    mock_search_status.return_value = StatusResponse(200, "Invalid json")

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    assert result is not None
    assert result['success'] is False
    assert 'error' in result
    assert "Cannot parse response" in result["error"]
def test_ping_endpoint_exception(mock_ping_response):
    """Ping 'bigfix' when the client raises; the failure must carry a non-``None`` error.

    ``side_effect`` is set after ``return_value`` and wins, so the mocked 200
    response is never delivered.
    """
    mock_ping_response.return_value = BigFixMockHttpXMLResponse(200, MockHttpResponse('/exception'))
    mock_ping_response.side_effect = Exception('an error occured retriving ping information')

    transmission = stix_transmission.StixTransmission('bigfix', CONNECTION, CONFIG)
    result = transmission.ping()

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
    assert result['error'] is not None
def test_status_403_exception(self, get_search_results):
    """A 403 from the 'paloalto' status endpoint maps to code ``forbidden`` with the RBAC message."""
    forbidden_body = '{"reply": { "err_msg" : "api permission exception"}}'
    get_search_results.return_value = StatusResponse(403, forbidden_body)

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    expected_fragment = (
        "The provided API Key does not have the required RBAC permissions to run this API"
    )
    assert result is not None
    assert result['success'] is False
    assert result['code'] == "forbidden"
    assert expected_fragment in result['error']
def test_status_pending_response(self, mock_search_response):
    """A 'paloalto' PENDING reply is reported as a RUNNING search at 50% progress."""
    pending_body = '{"reply" : {"status": "PENDING"}}'
    mock_search_response.return_value = StatusResponse(200, pending_body)

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    assert result is not None
    assert 'success' in result
    assert result['success'] is True
    assert result['status'] == "RUNNING"
    assert result['progress'] == 50
def test_ping_value_error_exception(self, mock_search_response):
    """A non-JSON 200 body from the 'paloalto' ping endpoint is reported as "Cannot parse response"."""
    mock_search_response.return_value = PingResponse(PaloaltoMockResponse(200, "Invalid_json"))

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.ping()

    assert result is not None
    assert result['success'] is False
    assert 'error' in result
    assert "Cannot parse response" in result["error"]
def test_status_fail_exception(self, mock_search_response):
    """A 'paloalto' FAIL reply is reported as ``invalid_query`` with a "Tenant Query Failed" message."""
    failed_body = '{"reply" : {"status": "FAIL"}}'
    mock_search_response.return_value = StatusResponse(200, failed_body)

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    assert result is not None
    assert 'success' in result
    assert result['success'] is False
    assert "Tenant Query Failed" in result['error']
    assert result['code'] == "invalid_query"
def test_status_partial_success_exception(self, mock_status_response):
    """A 'paloalto' PARTIAL_SUCCESS reply still counts as COMPLETED but carries an explanatory ``message``."""
    partial_body = '{"reply" : {"status": "PARTIAL_SUCCESS"}}'
    mock_status_response.return_value = StatusResponse(200, partial_body)

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.status("e1d1b56ca81845_15180_inv")

    expected_message = "Partial Success -At least one tenant failed to execute the query"
    assert result is not None
    assert 'success' in result
    assert result['success'] is True
    assert result['message'] == expected_message
    assert result['status'] == "COMPLETED"
def test_ping_402_license_exception(self, mock_ping_response):
    """A 402 from the 'paloalto' ping endpoint maps to ``service_unavailable`` with the license message."""
    license_body = '{"reply": { "err_msg" : "Invalid license"}}'
    mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(402, license_body))

    transmission = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
    result = transmission.ping()

    expected_fragment = "User does not have the required license type to run this API"
    assert result is not None
    assert result['success'] is False
    assert 'error' in result
    assert result['code'] == "service_unavailable"
    assert expected_fragment in result['error']