def test_main_regular(mocker):
    """
    Regular run: current incident, fetched incidents and similar indicators are all populated.

    Checks that a text field which is empty on the current incident is dropped from the
    result columns, that the per-row identical-indicator / indicator-similarity values
    are as expected, and that the standard result columns are present.
    :param mocker:
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    text_fields = ('incident.commandline, commandline, command, '
                   'empty_current_incident_field, empty_fetched_incident_field')
    script_args = {
        'incidentId': 12345,
        'similarTextField': text_fields,
        'similarCategoricalField': 'signature, filehash, incident.commandline',
        'similarJsonField': 'CustomFields',
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': 'filehash, destinationip, closeNotes, sourceip, alertdescription',
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    res, msg = main()

    # A field that is empty on the current incident must not appear in the output.
    assert 'empty_current_incident_field' not in res.columns
    # Indicator overlap is reported per fetched incident (indexed by incident id).
    assert res.loc['3', 'Identical indicators'] == 'ind_2'
    assert res.loc['2', 'Identical indicators'] == ""
    assert check_exist_dataframe_columns(SIMILARITY_COLUNM_NAME_INDICATOR, SIMILARITY_COLUNM_NAME,
                                         COLUMN_ID, COLUMN_TIME, 'name', df=res)
    assert res.loc['3', 'similarity indicators'] == 0.4
    assert res.loc['2', 'similarity indicators'] == 0.0
def test_main_no_fetched_incidents_found(mocker):
    """
    Test output if no related incidents found - Should return None and MESSAGE_NO_INCIDENT_FETCHED
    :param mocker:
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    # Only the fetched-incident set is empty; the current incident and indicators are valid.
    FETCHED_INCIDENT = FETCHED_INCIDENT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    text_fields = ('incident.commandline, commandline, command, '
                   'empty_current_incident_field, empty_fetched_incident_field')
    script_args = {
        'incidentId': 12345,
        'similarTextField': text_fields,
        'similarCategoricalField': 'signature, filehash',
        'similarJsonField': 'CustomFields',
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': 'filehash, destinationip, closeNotes, sourceip, alertdescription',
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    # No result frame, and the "nothing fetched" message is surfaced to the caller.
    assert not df
    assert MESSAGE_NO_INCIDENT_FETCHED in msg
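def test_main_incident_nested(mocker):
    """
    Test a nested (dotted) text field - demisto.dt is mocked to resolve the nested
    path to a list of values, and every fetched incident should then be scored
    with similarity 1.0 on that field
    :param mocker:
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    wrong_field_2 = 'wrong_field_2'
    wrong_field_3 = 'wrong_field_3'
    wrong_field_4 = 'wrong_field_4'
    # Dotted path: only resolvable through demisto.dt, which is mocked below.
    nested_field = 'xdralerts.cmd'
    mocker.patch.object(demisto, 'args', return_value={
        'incidentId': 12345,
        'similarTextField': nested_field,
        'similarCategoricalField': wrong_field_2,
        'similarJsonField': wrong_field_3,
        'limit': 3,
        'fieldExactMatch': '',
        'fieldsToDisplay': wrong_field_4,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True'
    })
    # Same value returned for every incident, so the nested field matches everywhere.
    mocker.patch.object(demisto, 'dt', return_value=['nested_val_1', 'nested_val_2'])
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    assert not df.empty
    assert (df['similarity %s' % nested_field] == [1.0, 1.0, 1.0]).all()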
def test_main_all_incorrect_field(mocker):
    """
    Test if only incorrect fields - Should return None and MESSAGE_INCORRECT_FIELD message for wrong fields
    :param mocker:
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    # One bogus field name per argument slot.
    text_field = 'wrong_field_1'
    categorical_field = 'wrong_field_2'
    json_field = 'wrong_field_3'
    display_field = 'wrong_field_4'
    script_args = {
        'incidentId': 12345,
        'similarTextField': text_field,
        'similarCategoricalField': categorical_field,
        'similarJsonField': json_field,
        'limit': 10000,
        'fieldExactMatch': '',
        'fieldsToDisplay': display_field,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    assert not df
    # The message lists the rejected fields in text, json, categorical, display order.
    reported = ' , '.join([text_field, json_field, categorical_field, display_field])
    assert MESSAGE_INCORRECT_FIELD % reported in msg
    for field in (text_field, categorical_field, json_field, display_field):
        assert field in msg
def test_main_incident_truncated(mocker):
    """
    Test if fetched incident truncated - Should return MESSAGE_WARNING_TRUNCATED in the message
    :param mocker:
    :return:
    """
    global SIMILAR_INDICATORS, FETCHED_INCIDENT, CURRENT_INCIDENT
    FETCHED_INCIDENT = FETCHED_INCIDENT_NOT_EMPTY
    CURRENT_INCIDENT = CURRENT_INCIDENT_NOT_EMPTY
    SIMILAR_INDICATORS = SIMILAR_INDICATORS_NOT_EMPTY

    # Limit below the number of fetched incidents so truncation is triggered.
    limit = 3
    text_field = 'commandline'
    categorical_field = 'wrong_field_2'
    json_field = 'wrong_field_3'
    display_field = 'wrong_field_4'
    script_args = {
        'incidentId': 12345,
        'similarTextField': text_field,
        'similarCategoricalField': categorical_field,
        'similarJsonField': json_field,
        'limit': limit,
        'fieldExactMatch': '',
        'fieldsToDisplay': display_field,
        'showIncidentSimilarityForAllFields': True,
        'minimunIncidentSimilarity': 0.2,
        'maxIncidentsToDisplay': 100,
        'query': '',
        'aggreagateIncidentsDifferentDate': 'False',
        'includeIndicatorsSimilarity': 'True',
    }
    mocker.patch.object(demisto, 'args', return_value=script_args)
    mocker.patch.object(demisto, 'dt', return_value=None)
    mocker.patch.object(demisto, 'executeCommand', side_effect=executeCommand)

    df, msg = main()

    assert not df.empty
    assert MESSAGE_WARNING_TRUNCATED % (limit, limit) in msg