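def test_parse_reports_relationships(mocker):
    """
    Given
    - STIX Report indicators.
    - Relationship objects.
    - Malware and Attack-Pattern objects.
    When
    - Parsing STIX Report indicators.
    Then
    - The STIX Report indicator ``report--a`` carries the related indicators'
      values (the attack-pattern id, the malware name and the file hash).
    - The test fails, rather than passing silently, if ``report--a`` is never
      produced by ``fetch_indicators``.
    """
    def mock_get_stix_objects(test, **kwargs):
        # Fill the client's per-type object cache from the canned fixture
        # instead of calling the API. ``test`` presumably absorbs a positional
        # argument passed by the caller; it is unused here.
        type_ = kwargs.get('type')
        client.objects_data[type_] = TYPE_TO_RESPONSE[type_]

    # Dummy key and verify=False are acceptable here only because the network
    # call (fetch_stix_objects_from_api) is patched out below.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'fetch_stix_objects_from_api', side_effect=mock_get_stix_objects)

    indicators = fetch_indicators(client)
    expected_related = {
        'T1047',
        'XBash',
        'c1ec28bc82500bd70f95edcbdf9306746198bbc04a09793ca69bb87f2abdb839',
    }
    for indicator in indicators:
        indicator_fields = indicator.get('fields')
        if indicator_fields.get('stixid') == 'report--a':
            related_values = {i.get('value') for i in indicator_fields.get('feedrelatedindicators')}
            assert related_values == expected_related
            break
    else:
        # Previously a missing report let the test pass without asserting anything.
        raise AssertionError("report--a was not found among the fetched indicators")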
def test_feed_tags_param(mocker):
    """Unit test
    Given
    - A client whose per-type STIX fetch is replaced by a canned fixture.
    When
    - ``fetch_indicators`` is run with the feed tags param ``['test_tag']``.
    Then
    - The first indicator's ``tags`` field holds both the tag derived from the
      STIX data (``malicious-activity``) and the configured ``test_tag``.
    """
    # Dummy credentials / verify=False are fine: the API call is patched out.
    stix_client = Client(api_key='1234', verify=False)

    def fake_fetch(test, **kwargs):
        # Populate the client's object cache for the requested type from the
        # fixture; ``test`` presumably receives a positional arg from the caller.
        kind = kwargs.get('type')
        stix_client.objects_data[kind] = TYPE_TO_RESPONSE[kind]

    mocker.patch.object(stix_client, 'fetch_stix_objects_from_api', side_effect=fake_fetch)

    first_fields = fetch_indicators(stix_client, ['test_tag'])[0].get('fields')
    assert set(first_fields.get('tags')) == {'malicious-activity', 'test_tag'}
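def test_fetch_indicators_with_mitre_external_reference(mocker):
    """Unit test
    Given
    - A client whose ``get_stix_objects`` returns the canned ``RESPONSE_DATA``.
    When
    - ``fetch_indicators`` is run.
    Then
    - The indicator ``indicator--010bb9ad-...`` carries a MITRE ATT&CK related
      indicator (``T1047``) together with its external reference URLs.
    - The test fails, rather than passing silently, if that indicator is never
      produced.
    """
    # Dummy key and verify=False are acceptable only because get_stix_objects
    # is patched below; no request leaves the test.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'get_stix_objects', return_value=RESPONSE_DATA)

    indicators = fetch_indicators(client)
    target_id = 'indicator--010bb9ad-5686-485d-97e5-93c2187e56ce'
    expected_related = {
        'type': 'MITRE ATT&CK',
        'value': ['T1047'],
        'description': [
            'example.com',
            'https://attack.mitre.org/techniques/T1047',
            'https://msdn.microsoft.com/en-us/library/aa394582.aspx',
            'https://technet.microsoft.com/en-us/library/cc787851.aspx',
            'https://en.wikipedia.org/wiki/Server_Message_Block',
        ],
    }
    for indicator in indicators:
        indicator_fields = indicator.get('fields')
        if indicator_fields.get('indicatoridentification') == target_id:
            assert indicator_fields.get('feedrelatedindicators') == expected_related
            break
    else:
        # Previously a missing indicator let the test pass without asserting anything.
        raise AssertionError(f"{target_id} was not found among the fetched indicators")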
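def test_fetch_indicators_with_malware_reference(mocker):
    """Unit test
    Given
    - A client whose per-type STIX fetch is replaced by a canned fixture.
    When
    - ``fetch_indicators`` is run.
    Then
    - The indicator ``indicator--0025039e-...`` lists the malware families it
      is related to (``Muirim``, ``XBash``, ``Muirim2``), order-insensitively.
    - The test fails, rather than passing silently, if that indicator is never
      produced.
    """
    def mock_get_stix_objects(test, **kwargs):
        # Fill the client's per-type object cache from the fixture instead of
        # calling the API; ``test`` presumably absorbs a positional argument.
        type_ = kwargs.get('type')
        client.objects_data[type_] = TYPE_TO_RESPONSE[type_]

    # Dummy key and verify=False are acceptable only because the API call is
    # patched out below.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'fetch_stix_objects_from_api', side_effect=mock_get_stix_objects)

    indicators = fetch_indicators(client)
    target_id = 'indicator--0025039e-f0b5-4ad2-aaab-5374fe3734be'
    for indicator in indicators:
        indicator_fields = indicator.get('fields')
        if indicator_fields.get('indicatoridentification') == target_id:
            assert set(indicator_fields.get('malwarefamily')) == {'Muirim', 'XBash', 'Muirim2'}
            break
    else:
        # Previously a missing indicator let the test pass without asserting anything.
        raise AssertionError(f"{target_id} was not found among the fetched indicators")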
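def test_fetch_indicators_with_feedrelatedindicators(mocker):
    """Unit test
    Given
    - A client whose per-type STIX fetch is replaced by a canned fixture.
    When
    - ``fetch_indicators`` is run.
    Then
    - The indicator ``indicator--010bb9ad-...`` has exactly one related
      indicator entry: MITRE ATT&CK ``T1047`` with its reference URLs joined
      into a single comma-separated description string.
    - The test fails, rather than passing silently, if that indicator is never
      produced.
    """
    def mock_get_stix_objects(test, **kwargs):
        # Fill the client's per-type object cache from the fixture instead of
        # calling the API; ``test`` presumably absorbs a positional argument.
        type_ = kwargs.get('type')
        client.objects_data[type_] = TYPE_TO_RESPONSE[type_]

    # Dummy key and verify=False are acceptable only because the API call is
    # patched out below.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'fetch_stix_objects_from_api', side_effect=mock_get_stix_objects)

    indicators = fetch_indicators(client)
    target_id = 'indicator--010bb9ad-5686-485d-97e5-93c2187e56ce'
    expected_related = [
        {
            'description': 'example.com,https://attack.mitre.org/techniques/T1047,https://msdn.microsoft.com'
                           '/en-us/library/aa394582.aspx,https://technet.microsoft.com/en-us/library/cc787851'
                           '.aspx,https://en.wikipedia.org/wiki/Server_Message_Block',
            'type': 'MITRE ATT&CK',
            'value': 'T1047',
        }
    ]
    for indicator in indicators:
        indicator_fields = indicator.get('fields')
        if indicator_fields.get('indicatoridentification') == target_id:
            assert indicator_fields.get('feedrelatedindicators') == expected_related
            break
    else:
        # Previously a missing indicator let the test pass without asserting anything.
        raise AssertionError(f"{target_id} was not found among the fetched indicators")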
def test_fetch_indicators_command(mocker):
    """Unit test
    Given
    - A client whose ``get_stix_objects`` returns the canned ``RESPONSE_DATA``.
    When
    - ``fetch_indicators`` is run.
    Then
    - Exactly 10 indicators are produced from that fixture.
    """
    # Dummy credentials / verify=False are fine: get_stix_objects is patched.
    stix_client = Client(api_key='1234', verify=False)
    mocker.patch.object(stix_client, 'get_stix_objects', return_value=RESPONSE_DATA)

    fetched = fetch_indicators(stix_client)
    assert len(fetched) == 10
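def test_feed_tags_param(mocker):
    """Unit test
    Given
    - A client whose ``get_stix_objects`` returns the canned ``RESPONSE_DATA``.
    When
    - ``fetch_indicators`` is run with the feed tags param ``['test_tag']``.
    Then
    - The first indicator's ``tags`` field holds both the tag derived from the
      STIX data (``malicious-activity``) and the configured ``test_tag``.

    NOTE(review): a second ``test_feed_tags_param`` appears earlier in this
    listing; if both live in the same module the later definition shadows the
    earlier one and only one of them is collected — confirm and rename.
    """
    # Dummy key and verify=False are acceptable only because get_stix_objects
    # is patched below; no request leaves the test.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'get_stix_objects', return_value=RESPONSE_DATA)

    indicators = fetch_indicators(client, ['test_tag'])
    # A set literal already is a set; wrapping it in set() was redundant.
    assert set(indicators[0].get('fields').get('tags')) == {'malicious-activity', 'test_tag'}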
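def test_fetch_indicators_with_malware_reference(mocker):
    """Unit test
    Given
    - A client whose ``get_stix_objects`` returns the canned ``RESPONSE_DATA``.
    When
    - ``fetch_indicators`` is run.
    Then
    - The indicator ``indicator--0025039e-...`` lists the malware families it
      is related to (``Muirim``, ``Muirim2``), order-insensitively.
    - The test fails, rather than passing silently, if that indicator is never
      produced.

    NOTE(review): a second ``test_fetch_indicators_with_malware_reference``
    appears earlier in this listing with a different expected set; if both
    live in the same module the later definition shadows the earlier one —
    confirm and rename.
    """
    # Dummy key and verify=False are acceptable only because get_stix_objects
    # is patched below; no request leaves the test.
    client = Client(api_key='1234', verify=False)
    mocker.patch.object(client, 'get_stix_objects', return_value=RESPONSE_DATA)

    indicators = fetch_indicators(client)
    target_id = 'indicator--0025039e-f0b5-4ad2-aaab-5374fe3734be'
    for indicator in indicators:
        indicator_fields = indicator.get('fields')
        if indicator_fields.get('indicatoridentification') == target_id:
            # A set literal already is a set; wrapping it in set() was redundant.
            assert set(indicator_fields.get('malwarefamily')) == {'Muirim', 'Muirim2'}
            break
    else:
        # Previously a missing indicator let the test pass without asserting anything.
        raise AssertionError(f"{target_id} was not found among the fetched indicators")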
def test_fetch_indicators_command(mocker):
    """Unit test
    Given
    - A client whose per-type STIX fetch is replaced by a canned fixture.
    When
    - ``fetch_indicators`` is run.
    Then
    - Exactly 13 indicators are produced from that fixture.

    NOTE(review): another ``test_fetch_indicators_command`` appears earlier in
    this listing expecting 10 indicators; if both live in the same module the
    later definition shadows the earlier one — confirm and rename.
    """
    # Dummy credentials / verify=False are fine: the API call is patched out.
    stix_client = Client(api_key='1234', verify=False)

    def fake_fetch(test, **kwargs):
        # Populate the client's object cache for the requested type from the
        # fixture; ``test`` presumably receives a positional arg from the caller.
        kind = kwargs.get('type')
        stix_client.objects_data[kind] = TYPE_TO_RESPONSE[kind]

    mocker.patch.object(stix_client, 'fetch_stix_objects_from_api', side_effect=fake_fetch)

    fetched = fetch_indicators(stix_client)
    assert len(fetched) == 13