def test_fetch_incidents(mocker):
    """
        Given
            a previous run already stored a 'last_fetch' checkpoint (2021-03-12T14:13:20+00:00),
            i.e. some alerts were ingested before.
        When
            Client.get_alerts is patched to return the 'fetch_incident_data' fixture
            (no HTTP request is made).
        Then
            fetch_incidents yields exactly 1 new incident and returns the expected
            'last_fetch' checkpoint.

        Why it matters: the checkpoint decides which EDR alerts become incidents.
        Re-emitting alerts from before the checkpoint creates duplicate incidents,
        while moving the checkpoint too far would silently skip detections.
    """
    from CarbonBlackResponseV2 import Client, fetch_incidents

    # Checkpoint left behind by the (simulated) earlier fetch, as epoch seconds.
    previous_checkpoint = dateparser.parse('2021-03-12T14:13:20+00:00').timestamp()
    last_run = {'last_fetch': previous_checkpoint}

    fixture = util_load_json('test_data/commands_test_data.json')
    alerts = fixture.get('fetch_incident_data')

    # base_url / apitoken are dummy values; get_alerts is patched on the class below,
    # so this test never talks to a real Carbon Black server.
    edr_client = Client(
        base_url="url",
        apitoken="api_key",
        use_ssl=True,
        use_proxy=False,
    )
    mocker.patch.object(Client, 'get_alerts', return_value=alerts)

    first_fetch_time = '7 days'
    # max_results is passed as a string here, exactly as in the original call.
    next_run, fetched = fetch_incidents(
        edr_client,
        last_run=last_run,
        first_fetch_time=first_fetch_time,
        max_results='3',
    )

    # Only one incident is expected once the stored checkpoint is applied.
    assert len(fetched) == 1
    assert fetched[0].get('name') == 'Carbon Black EDR: 2 svchost.exe'
    # The returned checkpoint is later than the seeded one.
    # NOTE(review): exact float equality; presumably this is the time of the newest
    # alert in the fixture. Confirm against the test data.
    assert next_run == {'last_fetch': 1615648046.79}
def test_fetch_incidents_first_fetch(mocker):
    """
        Given
            fetch incidents runs with an empty last_run (no checkpoint from an earlier fetch).
        When
            Client.get_alerts is patched to return the 'fetch_incident_data' fixture
            (no HTTP request is made).
        Then
            fetch_incidents yields 3 incidents, the first of which is named
            'Carbon Black EDR: 1 svchost.exe'.
    """
    from CarbonBlackResponseV2 import Client, fetch_incidents

    fixture = util_load_json('test_data/commands_test_data.json')
    alerts = fixture.get('fetch_incident_data')

    # Dummy connection settings: get_alerts is patched on the class, so nothing is sent.
    edr_client = Client(
        base_url="url",
        apitoken="api_key",
        use_ssl=True,
        use_proxy=False,
    )
    mocker.patch.object(Client, 'get_alerts', return_value=alerts)

    first_fetch_time = '7 days'
    # The returned checkpoint is deliberately ignored; this test only checks the incidents.
    _, fetched = fetch_incidents(
        edr_client,
        last_run={},
        first_fetch_time=first_fetch_time,
        max_results='3',
    )

    # With no prior checkpoint, 3 incidents are expected (max_results is also '3').
    assert len(fetched) == 3
    assert fetched[0].get('name') == 'Carbon Black EDR: 1 svchost.exe'