def test_create_enrichment_batches_one_indicator(mocker):
    """A single insight hit with two enrichment entries yields two one-element batches.

    ``hit_to_indicator`` is stubbed so the test depends only on the batching logic.
    """
    import FeedElasticsearch as esf
    mocker.patch.object(esf, 'hit_to_indicator', return_value=PARSED_INSIGHT_HIT)
    _, enrichments = esf.extract_indicators_from_insight_hit(
        PARSED_INSIGHT_HIT, ['tag1', 'tag2'], 'AMBER')
    batches = esf.create_enrichment_batches(enrichments)
    assert len(batches) == 2
    first_batch, second_batch = batches
    # Each batch holds one entry, taken column-wise from the single indicator's list.
    assert first_batch[0] == enrichments[0][0]
    assert second_batch[0] == enrichments[0][1]
def test_hit_to_indicator():
    """hit_to_indicator parses a custom hit; a blank type field falls back to the default type."""
    import FeedElasticsearch as esf
    parsed = esf.hit_to_indicator(MockHit(CUSTOM_HIT), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None)
    assert parsed == PARSED_CUSTOM_HIT

    # Same hit with an empty type field: the default type ('IP') must be used,
    # while the raw (empty) field is still carried through on the indicator.
    blank_type_hit = {**CUSTOM_HIT, CUSTOM_TYPE_KEY: ''}
    parsed = esf.hit_to_indicator(MockHit(blank_type_hit), CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, 'IP')
    assert parsed['type'] == 'IP'
    assert parsed[CUSTOM_TYPE_KEY] == ''
def test_elasticsearch_builder_called_with_no_creds(mocker):
    """Without credentials the client passes neither http_auth nor api_key to Elasticsearch."""
    from elasticsearch import Elasticsearch
    import FeedElasticsearch as esf
    # Stub the constructor so no connection is attempted; only its kwargs are inspected.
    init_spy = mocker.patch.object(Elasticsearch, '__init__', return_value=None)
    esf.ElasticsearchClient()._elasticsearch_builder()
    _, init_kwargs = init_spy.call_args
    assert init_kwargs.get('http_auth') is None
    assert init_kwargs.get('api_key') is None
def test_create_enrichment_batches_mult_indicators():
    """Batches are formed column-wise across indicators of unequal length (no padding)."""
    import FeedElasticsearch as esf
    enrichments = [[1, 2, 3], [4, 5], [6, 7, 8, 9]]
    batches = esf.create_enrichment_batches(enrichments)
    expected = [[1, 4, 6], [2, 5, 7], [3, 8], [9]]
    assert len(batches) == len(expected)
    for got, want in zip(batches, expected):
        assert got == want
def test_extract_indicators_from_generic_hit(mocker):
    """A generic hit produces a single-element list holding the parsed indicator."""
    import FeedElasticsearch as esf
    mocker.patch.object(esf, 'hit_to_indicator', return_value=PARSED_CUSTOM_HIT)
    indicators = esf.extract_indicators_from_generic_hit(
        CUSTOM_HIT, CUSTOM_VAL_KEY, CUSTOM_TYPE_KEY, None)
    assert indicators == [PARSED_CUSTOM_HIT]
def test_elasticsearch_builder_called_with_api_key(mocker):
    """API-key credentials are forwarded as api_key=(id, key) and http_auth stays unset."""
    from elasticsearch import Elasticsearch
    import FeedElasticsearch as esf
    init_spy = mocker.patch.object(Elasticsearch, '__init__', return_value=None)
    key_id, key_secret = 'demisto', 'mock'
    esf.ElasticsearchClient(api_key=key_secret, api_id=key_id)._elasticsearch_builder()
    _, init_kwargs = init_spy.call_args
    assert init_kwargs.get('http_auth') is None
    # The client library expects the (id, key) pair in that order.
    assert init_kwargs.get('api_key') == (key_id, key_secret)
def test_elasticsearch_builder_called_with_username_password(mocker):
    """Basic credentials are forwarded as http_auth=(user, password) and api_key stays unset."""
    from elasticsearch import Elasticsearch
    import FeedElasticsearch as esf
    init_spy = mocker.patch.object(Elasticsearch, '__init__', return_value=None)
    user, secret = '******', '******'
    esf.ElasticsearchClient(username=user, password=secret)._elasticsearch_builder()
    _, init_kwargs = init_spy.call_args
    assert init_kwargs.get('http_auth') == (user, secret)
    assert init_kwargs.get('api_key') is None
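def test_extract_indicators_from_insight_hit(mocker):
    """An insight hit is split into one indicator plus its enrichment entries.

    The two ``issubset`` checks at the end were bare expressions and never
    failed the test; they are now real assertions.
    """
    import FeedElasticsearch as esf
    # A copy is handed to the stub so the module can mutate the returned dict
    # without altering the shared PARSED_INSIGHT_HIT fixture.
    mocker.patch.object(esf,
                        'hit_to_indicator',
                        return_value=dict(PARSED_INSIGHT_HIT))
    ioc_lst, ioc_enrch_lst = esf.extract_indicators_from_insight_hit(
        PARSED_INSIGHT_HIT, ['tag1', 'tag2'], 'AMBER')
    # One indicator comes back; its two enrichment entries go to ioc_enrch_lst.
    assert len(ioc_lst) == 1
    assert len(ioc_enrch_lst[0]) == 2
    assert ioc_lst[0].get('value')
    # The Demisto.Demisto feed entry stays on the indicator while VirusTotal does
    # not — presumably because it is an enrichment entry; confirm against the fixture.
    assert ioc_lst[0].get('moduleToFeedMap').get('Demisto.Demisto')
    assert ioc_lst[0].get('moduleToFeedMap').get(
        'VirusTotal.VirusTotal') is None
    # Every enrichment entry must carry the full set of feed indicator keys.
    assert set(FEED_IOC_KEYS).issubset(ioc_enrch_lst[0][0])
    assert set(FEED_IOC_KEYS).issubset(ioc_enrch_lst[0][1])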
def test_extract_api_from_username_password_username_api_key():
    """A username carrying API_KEY_PREFIX is decoded into an (api_id, api_key) pair."""
    import FeedElasticsearch as esf
    prefixed_user = f'{esf.API_KEY_PREFIX}api_id'
    api_id, api_key = esf.extract_api_from_username_password(prefixed_user, 'api_key')
    assert api_id == 'api_id'
    assert api_key == 'api_key'
def test_extract_api_from_username_password_username_username():
    """A plain username (no API_KEY_PREFIX) yields no API credentials."""
    import FeedElasticsearch as esf
    result = esf.extract_api_from_username_password('username', 'password')
    assert result == (None, None)
def test_extract_api_from_username_password_empty():
    """Missing username and password yield no API credentials."""
    import FeedElasticsearch as esf
    result = esf.extract_api_from_username_password(None, None)
    assert result == (None, None)