def test_get_remote_data_command_with_rate_limit_exception(mocker):
    """
    Given:
        - an XDR client
        - arguments (id and lastUpdate set lower than the incident modification time)
        - get_incident_extra_data_command raising a rate-limit exception
    When
        - running get_remote_data_command
    Then
        - the command exits (SystemExit) and reports "API rate limit" in its results,
          so the server stops the sync loop and resumes from the last incident
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    # Capture what the command reports back to the server instead of letting it print.
    results_mock = mocker.patch.object(demisto, 'results')
    # Simulate the upstream API rejecting the extra-data call because of rate limiting.
    mocker.patch(
        'PaloAltoNetworks_XDR.get_incident_extra_data_command',
        side_effect=Exception("Rate limit exceeded"),
    )

    with pytest.raises(SystemExit):
        get_remote_data_command(xdr_client, command_args)

    reported_entry = results_mock.call_args[0][0]
    assert reported_entry.get('Contents') == "API rate limit"
def test_get_remote_data_command_should_close_issue(requests_mock):
    """
    Given:
        - an XDR client
        - arguments (id and lastUpdate set lower than the incident modification time)
        - a raw incident (get-extra-data result) whose status says it was closed on the XDR side
    When
        - running get_remote_data_command
    Then
        - the mirrored_object of the GetRemoteDataResponse equals the modified raw incident
        - the GetRemoteDataResponse entries contain the closing entry
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']
    # Mark the incident as resolved on the XDR side *before* the expected copy is taken,
    # so both the mocked API response and the expectation carry the closed state.
    reply['incident']['status'] = 'resolved_threat_handled'
    reply['incident']['resolve_comment'] = 'Handled'

    expected_modified_incident = dict(reply['incident'])
    # The command flattens each top-level section's 'data' list into the incident.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected_modified_incident[section] = reply.get(section).get('data')
    expected_modified_incident.update({
        'id': expected_modified_incident.get('incident_id'),
        'assigned_user_mail': '',
        'assigned_user_pretty_name': '',
        'closeReason': 'Resolved',
        'closeNotes': 'Handled',
        'in_mirror_error': '',
    })
    expected_modified_incident.pop('creation_time')

    # The entry the server acts on to close the mirrored incident; reason and notes
    # must match what the command derives from the XDR status / resolve_comment.
    expected_closing_entry = {
        'Type': 1,
        'Contents': {
            'dbotIncidentClose': True,
            'closeReason': 'Resolved',
            'closeNotes': 'Handled',
        },
        'ContentsFormat': 'json',
    }

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )

    response = get_remote_data_command(xdr_client, command_args)
    sort_all_list_incident_fields(expected_modified_incident)

    assert response.mirrored_object == expected_modified_incident
    assert expected_closing_entry in response.entries
def test_get_remote_data_command_sync_owners(requests_mock, mocker):
    """
    Given:
        - an XDR client with owner syncing enabled in the integration params
        - arguments (id and lastUpdate set lower than the incident modification time)
        - a raw incident (get-extra-data result) carrying an assigned user mail
    When
        - running get_remote_data_command
    Then
        - the mirrored_object of the GetRemoteDataResponse equals the modified raw incident,
          with the owner resolved from the assigned mail
        - the GetRemoteDataResponse entries are empty
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    # Owner syncing is opt-in; the assigned mail is resolved through the server's user lookup.
    mocker.patch.object(demisto, 'params', return_value={"sync_owners": True})
    mocker.patch.object(
        demisto,
        'findUser',
        return_value={
            "email": "*****@*****.**",
            'username': '******',
        },
    )

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']
    reply['incident']['assigned_user_mail'] = '*****@*****.**'

    expected_modified_incident = dict(reply['incident'])
    # The command flattens each top-level section's 'data' list into the incident.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected_modified_incident[section] = reply.get(section).get('data')
    expected_modified_incident.update({
        'id': expected_modified_incident.get('incident_id'),
        'assigned_user_mail': '*****@*****.**',
        'assigned_user_pretty_name': None,
        'owner': 'username',
        'in_mirror_error': '',
    })
    expected_modified_incident.pop('creation_time')

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )

    response = get_remote_data_command(xdr_client, command_args)
    sort_all_list_incident_fields(expected_modified_incident)

    assert response.mirrored_object == expected_modified_incident
    assert response.entries == []
def test_get_remote_data_command_should_update(requests_mock):
    """
    Given:
        - an XDR client
        - arguments (id and lastUpdate set lower than the incident modification time)
        - a raw incident (get-extra-data result)
    When
        - running get_remote_data_command
    Then
        - the mirrored_object of the GetRemoteDataResponse equals the modified raw incident
        - the GetRemoteDataResponse entries are empty
    """
    from PaloAltoNetworks_XDR import Client, get_remote_data_command, sort_all_list_incident_fields

    xdr_client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
    command_args = {'id': 1, 'lastUpdate': 0}

    raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
    reply = raw_incident['reply']

    expected_modified_incident = dict(reply['incident'])
    # The command flattens each top-level section's 'data' list into the incident.
    for section in ('alerts', 'network_artifacts', 'file_artifacts'):
        expected_modified_incident[section] = reply.get(section).get('data')
    expected_modified_incident.update({
        'id': expected_modified_incident.get('incident_id'),
        'assigned_user_mail': '',
        'assigned_user_pretty_name': '',
        'in_mirror_error': '',
    })
    expected_modified_incident.pop('creation_time')

    requests_mock.post(
        f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
        json=raw_incident,
    )

    response = get_remote_data_command(xdr_client, command_args)
    sort_all_list_incident_fields(expected_modified_incident)

    assert response.mirrored_object == expected_modified_incident
    assert response.entries == []