def test_ip_not_found():
"""
Given:
- an IP
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results with context indicate that no results were found
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=1.1.1.1'
status_code = 200
json_data = {'total_size': 0, 'page': 1, 'page_size': 25, 'more': False}
expected_output = "No results were found for ip 1.1.1.1"
ip_to_check = {'ip': '1.1.1.1'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client)
output = results[0].to_context().get('HumanReadable')
assert expected_output in output
def test_uuid_command():
"""
Given:
- a domain uuid
When:
- running uuid command and validate whether the domain is malicious
Then:
- return command results containing indicator, dbotscore and associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/461b5ba2-d4fe-4b5c-ac68-35b6636c6edf'
doc_url = 'https://test.com/rest/document/v0?links.display_text.query=mydomain.com&type.values=intelligence_alert&type.values=intelligence_report' # noqa: E501
status_code = 200
json_data = UUID_RES_JSON
intel_json_data = DOMAIN_INTEL_JSON
expected_output = {
'domain': [{
'Name': 'mydomain.com'
}],
'DBOTSCORE': [{
'Indicator': 'mydomain.com',
'Type': 'domain',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}] # noqa: E501
}
uuid_to_check = {'uuid': '461b5ba2-d4fe-4b5c-ac68-35b6636c6edf'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=status_code, json=intel_json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = uuid_command(client, uuid_to_check, DBotScoreReliability.B,
doc_search_client)
context_result = results.to_context()
output = results.to_context().get('EntryContext', {})
assert output.get('Domain(val.Name && val.Name == obj.Name)',
[]) == expected_output.get('domain')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert _is_intelligence_data_present_in_command_result(
context_result, intel_json_data) is True
def test_ip_command():
"""
Given:
- an IP
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results containing indicator, dbotscore and associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=0.0.0.0'
doc_url = 'https://test.com/rest/document/v0?links.display_text.query=0.0.0.0&type.values=intelligence_alert&type.values=intelligence_report' # noqa: E501
status_code = 200
json_data = IP_RES_JSON
intel_json_data = IP_INTEL_JSON
expected_output = {
'IP': [{
'Address': '0.0.0.0'
}],
'DBOTSCORE': [{
'Indicator': '0.0.0.0',
'Type': 'ip',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}]
}
ip_to_check = {'ip': '0.0.0.0'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url, status_code=status_code, json=intel_json_data)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client)
context_result = results[0].to_context()
output = results[0].to_context().get('EntryContext', {})
assert output.get('IP(val.Address && val.Address == obj.Address)',
[]) == expected_output.get('IP')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert _is_intelligence_data_present_in_command_result(
context_result, intel_json_data) is True
def test_ip_command():
"""
Given:
- an IP
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results containing indicator and dbotscore
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=0.0.0.0'
status_code = 200
json_data = IP_RES_JSON
expected_output = {
'IP': [{'Address': '0.0.0.0'}],
'DBOTSCORE': [{'Indicator': '0.0.0.0', 'Type': 'ip', 'Vendor': 'iDefense', 'Score': 2,
'Reliability': 'B - Usually reliable'}]}
ip_to_check = {'ip': '0.0.0.0'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
client = Client(API_URL, 'api_token', True, False)
results = ip_command(client, ip_to_check, DBotScoreReliability.B)
output = results[0].to_context().get('EntryContext', {})
assert output.get('IP(val.Address && val.Address == obj.Address)', []) == expected_output.get('IP')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
def test_url_command():
"""
Given:
- url
When:
- running url command and validate whether the url is malicious
Then:
- return command results containing indicator and dbotscore
"""
url = 'https://test.com/rest/threatindicator/v0/url?key.values=http://www.malware.com'
status_code = 200
json_data = URL_RES_JSON
expected_output = {
'URL': [{'Data': 'http://www.malware.com'}],
'DBOTSCORE': [{'Indicator': 'http://www.malware.com', 'Type': 'url', 'Vendor': 'iDefense',
'Score': 2, 'Reliability': 'B - Usually reliable'}]}
url_to_check = {'url': 'http://www.malware.com'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
client = Client(API_URL, 'api_token', True, False)
results = url_command(client, url_to_check, DBotScoreReliability.B)
output = results[0].to_context().get('EntryContext', {})
assert output.get('URL(val.Data && val.Data == obj.Data)', []) == expected_output.get('URL')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
def test_wrong_ip():
"""
Given:
- an IP
When:
- running ip command validate at first to check if the given ip is a valid ip
Then:
- raise error before calling http request that indicates that the given argument is not valid
"""
ip_to_check = {'ip': '1'}
client = Client(API_URL, 'api_token', True, False)
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
try:
ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client)
except DemistoException as err:
assert "Received wrong IP value" in str(err)
def test_connection():
"""
Given:
- an api token
When:
- checking api access
Then:
- ok if there is access
"""
from iDefense_v2 import test_module
with requests_mock.Mocker() as m:
mock_address = 'https://test.com/rest/threatindicator/v0/'
m.get(mock_address, status_code=200, json={})
client = Client(API_URL, 'api_token', True, False)
assert test_module(client) in "ok"
def test_wrong_connection():
"""
Given:
- an api token
When:
- checking api access
Then:
- raise error if there is no access because of wrong api token
"""
from iDefense_v2 import test_module
with requests_mock.Mocker() as m:
mock_address = 'https://test.com/rest/threatindicator/v0/'
m.get(mock_address, status_code=401, json={})
client = Client('bad_api_key', 'wrong_token', True, False)
try:
test_module(client)
except DemistoException as err:
assert 'Error in API call - check the input parameters' in str(err)
def test_ip_command_when_api_key_not_authorised_for_document_search():
"""
Given:
- a ip and api key not authorized for doc search
When:
- running ip command and validate whether the ip is malicious
Then:
- return command results containing indicator, dbotscore and NO associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/ip?key.values=0.0.0.0'
doc_url = 'https://test.com/rest/document/v0?links.display_text.query=0.0.0.0&type.values=intelligence_alert&type.values=intelligence_report' # noqa: E501
status_code = 200
error_status_code = 403
json_data = IP_RES_JSON
doc_search_exception_response = {
'timestamp': '2021-11-12T09:09:27.983Z',
'status': 403,
'error': 'Forbidden',
'message': 'Forbidden',
'path': '/rest/document/v0'
}
expected_output = {
'IP': [{
'Address': '0.0.0.0'
}],
'DBOTSCORE': [{
'Indicator': '0.0.0.0',
'Type': 'ip',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}]
}
ip_to_check = {'ip': '0.0.0.0'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url,
status_code=error_status_code,
json=doc_search_exception_response)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = ip_command(client, ip_to_check, DBotScoreReliability.B,
doc_search_client)
context_result = results[0].to_context()
content = context_result['HumanReadable']
output = context_result.get('EntryContext', {})
assert output.get('IP(val.Address && val.Address == obj.Address)',
[]) == expected_output.get('IP')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert 'Intelligence Alerts' not in content
assert 'Intelligence Reports' not in content
def test_uuid_command_when_api_key_not_authorized_for_document_search():
"""
Given:
- a domain uuid and api key not authorized for doc search
When:
- running uuid command and validate whether the domain is malicious
Then:
- return command results containing indicator, dbotscore and NO associated intelligence alerts, reports
"""
url = 'https://test.com/rest/threatindicator/v0/461b5ba2-d4fe-4b5c-ac68-35b6636c6edf'
doc_url = 'https://test.com/rest/document/v0?links.display_text.query=mydomain.com&type.values=intelligence_alert&type.values=intelligence_report' # noqa: E501
status_code = 200
error_status_code = 403
json_data = UUID_RES_JSON
doc_search_exception_response = {
'timestamp': '2021-11-12T09:09:27.983Z',
'status': 403,
'error': 'Forbidden',
'message': 'Forbidden',
'path': '/rest/document/v0'
}
expected_output = {
'domain': [{
'Name': 'mydomain.com'
}],
'DBOTSCORE': [{
'Indicator': 'mydomain.com',
'Type': 'domain',
'Vendor': 'iDefense',
'Score': 2,
'Reliability': 'B - Usually reliable'
}] # noqa: E501
}
uuid_to_check = {'uuid': '461b5ba2-d4fe-4b5c-ac68-35b6636c6edf'}
with requests_mock.Mocker() as m:
m.get(url, status_code=status_code, json=json_data)
m.get(doc_url,
status_code=error_status_code,
json=doc_search_exception_response)
client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['threatindicator'])
doc_search_client = Client(API_URL, 'api_token', True, False,
ENDPOINTS['document'])
results = uuid_command(client, uuid_to_check, DBotScoreReliability.B,
doc_search_client)
context_result = results.to_context()
content = context_result['HumanReadable']
output = context_result.get('EntryContext', {})
assert output.get('Domain(val.Name && val.Name == obj.Name)',
[]) == expected_output.get('domain')
assert output.get(DBOT_KEY, []) == expected_output.get('DBOTSCORE')
assert 'Intelligence Alerts' not in content
assert 'Intelligence Reports' not in content