def test_whitelist_files_command_with_no_comment_file(requests_mock):
"""
Given:
- List of files' hashes to put in whitelist without passing the comment argument.
When
- A user desires to whitelist files without adding a comment.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import whitelist_files_command, Client
test_data = load_test_data(
'test_data/blacklist_whitelist_files_success.json')
expected_command_result = {
'PaloAltoNetworksXDR.whiteList.fileHash(val.fileHash == obj.fileHash)':
test_data['no_comment_command_args']['hash_list']
}
requests_mock.post(f'{XDR_URL}/public_api/v1/hash_exceptions/whitelist/',
json=test_data['api_response'])
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
client._headers = {}
markdown, context, raw = whitelist_files_command(
client, test_data['no_comment_command_args'])
assert expected_command_result == context
def test_blacklist_files_command_with_more_than_one_file(requests_mock):
"""
Given:
- List of files' hashes to put in blacklist
When
- A user desires to mark more than one file
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import blacklist_files_command, Client
test_data = load_test_data(
'test_data/blacklist_whitelist_files_success.json')
expected_command_result = {
'PaloAltoNetworksXDR.blackList.fileHash(val.fileHash == obj.fileHash)':
test_data['multi_command_args']['hash_list']
}
requests_mock.post(f'{XDR_URL}/public_api/v1/hash_exceptions/blacklist/',
json=test_data['api_response'])
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
client._headers = {}
markdown, context, raw = blacklist_files_command(
client, test_data['multi_command_args'])
assert expected_command_result == context
def test_restore_file_command(requests_mock):
"""
Given:
- file_hash
When
- A user desires to restore a file.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import restore_file_command, Client
restore_expected_tesult = {
'PaloAltoNetworksXDR.restoredFiles.actionId(val.actionId == obj.actionId)':
123
}
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/restore/',
json={"reply": {
"action_id": 123
}})
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
client._headers = {}
markdown, context, raw = restore_file_command(client, {"file_hash": "123"})
assert restore_expected_tesult == context
def test_endpoint_scan_command(requests_mock):
"""
Given:
- endpoint_id_list, dist_name, gte_first_seen, gte_last_seen, lte_first_seen, lte_last_seen, ip_list,
group_name, platform, alias, isolate, hostname
When
- A user desires to scan endpoint.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import endpoint_scan_command, Client
test_data = load_test_data('test_data/scan_endpoints.json')
scan_expected_tesult = {
'PaloAltoNetworksXDR.endpointScan.actionId(val.actionId == obj.actionId)':
123
}
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/scan/',
json={"reply": {
"action_id": 123
}})
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
client._headers = {}
markdown, context, raw = endpoint_scan_command(client,
test_data['command_args'])
assert scan_expected_tesult == context
def test_get_quarantine_status_command(requests_mock):
"""
Given:
- Endpoint_id, file_path, file_hash
When
- A user desires to check a file's quarantine status.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import get_quarantine_status_command, Client
test_data = load_test_data('test_data/get_quarantine_status.json')
quarantine_files_expected_tesult = {
'PaloAltoNetworksXDR.quarantineFiles.status(val.fileHash === obj.fileHash &&val.endpointId'
' === obj.endpointId && val.filePath === obj.filePath)':
test_data['context_data']
}
requests_mock.post(f'{XDR_URL}/public_api/v1/quarantine/status/',
json=test_data['api_response'])
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
client._headers = {}
markdown, context, raw = get_quarantine_status_command(
client, test_data['command_args'])
assert quarantine_files_expected_tesult == context
def test_get_incident_extra_data(requests_mock):
from PaloAltoNetworks_XDR import get_incident_extra_data_command, Client
get_incident_extra_data_response = load_test_data('./test_data/get_incident_extra_data.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
json=get_incident_extra_data_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
'incident_id': '1'
}
_, outputs, _ = get_incident_extra_data_command(client, args)
expected_incident = get_incident_extra_data_response.get('reply').get('incident')
expected_incident.update({
'alerts': get_incident_extra_data_response.get('reply').get('alerts').get('data'),
'network_artifacts': get_incident_extra_data_response.get('reply').get('network_artifacts').get('data', []),
'file_artifacts': get_incident_extra_data_response.get('reply').get('file_artifacts').get('data')
})
expected_output = {
'PaloAltoNetworksXDR.Incident(val.incident_id==obj.incident_id)': expected_incident
}
assert expected_output == outputs
def test_unisolate_endpoint(requests_mock):
from PaloAltoNetworks_XDR import unisolate_endpoint_command, Client
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoint/', json={
'reply': {
'endpoints': [
{
'endpoint_id': '1111'
}
]
}
})
unisolate_endpoint_response = load_test_data('./test_data/unisolate_endpoint.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/unisolate', json=unisolate_endpoint_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
"endpoint_id": "1111"
}
readable_output, outputs, _ = unisolate_endpoint_command(client, args)
assert outputs is None
assert readable_output == 'Endpoint 1111 has un-isolated successfully'
def test_insert_parsed_alert(requests_mock):
from PaloAltoNetworks_XDR import insert_parsed_alert_command, Client
insert_alerts_response = load_test_data('./test_data/create_alerts.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/alerts/insert_parsed_alerts/', json=insert_alerts_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
"product": "VPN & Firewall-1",
"vendor": "Check Point",
"local_ip": "192.168.1.254",
"local_port": "35398",
"remote_ip": "0.0.0.0",
"remote_port": "0",
"event_timestamp": "1543270652000",
"severity": "Low",
"alert_name": "Alert Name Example",
"alert_description": "Alert Description"
}
readable_output, outputs, _ = insert_parsed_alert_command(client, args)
assert outputs is None
assert readable_output == 'Alert inserted successfully'
def test_unisolate_endpoint(requests_mock):
from PaloAltoNetworks_XDR import unisolate_endpoint_command, Client
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoint/', json={
'reply': {
'endpoints': [
{
'endpoint_id': '1111',
"endpoint_status": "CONNECTED"
}
]
}
})
unisolate_endpoint_response = load_test_data('./test_data/unisolate_endpoint.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/unisolate', json=unisolate_endpoint_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
args = {
"endpoint_id": "1111"
}
readable_output, _, _ = unisolate_endpoint_command(client, args)
assert readable_output == 'The un-isolation request has been submitted successfully on Endpoint 1111.\n' \
'To check the endpoint isolation status please run:' \
' !xdr-get-endpoints endpoint_id_list=1111 and look at the [is_isolated] field.'
def test_get_distribution_url(requests_mock):
from PaloAltoNetworks_XDR import get_distribution_url_command, Client
get_distribution_url_response = load_test_data('./test_data/get_distribution_url.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/distributions/get_dist_url/', json=get_distribution_url_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
'distribution_id': '1111',
'package_type': 'x86'
}
readable_output, outputs, _ = get_distribution_url_command(client, args)
expected_url = get_distribution_url_response.get('reply').get('distribution_url')
assert outputs == {
'PaloAltoNetworksXDR.Distribution(val.id == obj.id)': {
'id': '1111',
'url': expected_url
}
}
assert readable_output == f'[Distribution URL]({expected_url})'
def test_unisolate_endpoint_pending_isolation(requests_mock):
from PaloAltoNetworks_XDR import unisolate_endpoint_command, Client
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoint/', json={
'reply': {
'endpoints': [
{
'endpoint_id': '1111',
"is_isolated": "AGENT_PENDING_ISOLATION"
}
]
}
})
unisolate_endpoint_response = load_test_data('./test_data/unisolate_endpoint.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/unisolate', json=unisolate_endpoint_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
args = {
"endpoint_id": "1111"
}
with pytest.raises(ValueError, match='Error: Endpoint 1111 is pending isolation and therefore can not be'
' un-isolated.'):
unisolate_endpoint_command(client, args)
def test_get_modified_remote_data_command(requests_mock):
"""
Given:
- an XDR client
- arguments - lastUpdate time
- raw incidents (result of client.get_incidents)
When
- running get_modified_remote_data_command
Then
- the method is returning a list of incidents IDs that were modified
"""
from PaloAltoNetworks_XDR import get_modified_remote_data_command, Client
get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
args = {
'lastUpdate': '2020-11-18T13:16:52.005381+02:00'
}
response = get_modified_remote_data_command(client, args)
assert response.modified_incident_ids == ['1', '2']
def test_isolate_endpoint_unconnected_machine(requests_mock, mocker):
from PaloAltoNetworks_XDR import isolate_endpoint_command, Client
# return_error_mock = mocker.patch(RETURN_ERROR_TARGET)
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoint/', json={
'reply': {
'endpoints': [
{
'endpoint_id': '1111',
"endpoint_status": "DISCONNECTED"
}
]
}
})
isolate_endpoint_response = load_test_data('./test_data/isolate_endpoint.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/isolate', json=isolate_endpoint_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
args = {
"endpoint_id": "1111"
}
with pytest.raises(ValueError, match='Error: Endpoint 1111 is disconnected and therefore can not be isolated.'):
isolate_endpoint_command(client, args)
def test_insert_cef_alerts(requests_mock):
from PaloAltoNetworks_XDR import insert_cef_alerts_command, Client
insert_cef_alerts_response = load_test_data('./test_data/insert_cef_alerts.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/alerts/insert_cef_alerts/', json=insert_cef_alerts_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
'cef_alerts': [
'CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|microsoft-ds|Unknown|act=AcceptdeviceDirection=0 '
'rt=1569477512000 spt=56957 dpt=445 cs2Label=Rule Name cs2=ADPrimery '
'layer_name=FW_Device_blackened Securitylayer_uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=1806 '
'parent_rule=0rule_action=Accept rule_uid=8e45f36b-d106-4d81-a1f0-9d1ed9a6be5c ifname=bond2logid=0 '
'loguid={0x5d8c5388,0x61,0x29321fac,0xc0000022} origin=1.1.1.1originsicname=CN=DWdeviceBlackend,'
'O=Blackend sequencenum=363 version=5dst=1.1.1.1 inzone=External outzone=Internal product=VPN-1 & '
'FireWall-1 proto=6service_id=microsoft-ds src=1.1.1.1',
'CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|Log|Unknown|act=AcceptdeviceDirection=0 '
'rt=1569477501000 spt=63088 dpt=5985 cs2Label=Rule Namelayer_name=FW_Device_blackened Securitylayer_'
'uuid=07693fc7-1a5c-4f31-8afe-77ae96c71b8c match_id=8899 parent_rule=0rule_action=Accept rule_'
'uid=ae987933-82c0-470f-ab1c-1ad552c82369conn_direction=Internal ifname=bond1.12 '
'logid=0loguid={0x5d8c537d,0xbb,0x29321fac,0xc0000014} origin=1.1.1.1originsicname=CN=DWdeviceBlackend,'
'O=Blackend sequencenum=899 version=5dst=1.1.1.1 product=VPN-1 & FireWall-1 proto=6 src=1.1.1.1'
]
}
readable_output, _, _ = insert_cef_alerts_command(client, args)
assert readable_output == 'Alerts inserted successfully'
def test_get_distribution_versions(requests_mock):
from PaloAltoNetworks_XDR import get_distribution_versions_command, Client
get_distribution_versions_response = load_test_data('./test_data/get_distribution_versions.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/distributions/get_versions/', json=get_distribution_versions_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
readable_output, outputs, _ = get_distribution_versions_command(client)
assert outputs == {
'PaloAltoNetworksXDR.DistributionVersions': {
"windows": [
"7.0.0.27797"
],
"linux": [
"7.0.0.1915"
],
"macos": [
"7.0.0.1914"
]
}
}
def test_create_distribution(requests_mock):
from PaloAltoNetworks_XDR import create_distribution_command, Client
create_distribution_response = load_test_data('./test_data/create_distribution.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/distributions/create/', json=create_distribution_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
"name": "dfslcxe",
"platform": "windows",
"package_type": "standalone",
"agent_version": "7.0.0.28644"
}
readable_output, outputs, _ = create_distribution_command(client, args)
expected_distribution_id = create_distribution_response.get('reply').get('distribution_id')
assert outputs == {
'PaloAltoNetworksXDR.Distribution(val.id == obj.id)': {
'id': expected_distribution_id,
"name": "dfslcxe",
"platform": "windows",
"package_type": "standalone",
"agent_version": "7.0.0.28644",
'description': None
}
}
assert readable_output == f'Distribution {expected_distribution_id} created successfully'
def test_get_remote_data_command_with_rate_limit_exception(mocker):
"""
Given:
- an XDR client
- arguments (id and lastUpdate time set to a lower than incident modification time)
- a Rate limit exception is raises from get_extra_data_command method
When
- running get_remote_data_command
Then
- an "API rate limit" error is thrown so that the server will stop the sync loop and will resume from the last
incident.
"""
from PaloAltoNetworks_XDR import get_remote_data_command, Client
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
args = {
'id': 1,
'lastUpdate': 0
}
mocker.patch.object(demisto, 'results')
mocker.patch('PaloAltoNetworks_XDR.get_incident_extra_data_command', side_effect=Exception("Rate limit exceeded"))
with pytest.raises(SystemExit):
_ = get_remote_data_command(client, args)
assert demisto.results.call_args[0][0].get('Contents') == "API rate limit"
def test_fetch_incidents(requests_mock, mocker):
from PaloAltoNetworks_XDR import fetch_incidents, Client, sort_all_list_incident_fields
get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
modified_raw_incident = raw_incident['reply']['incident'].copy()
modified_raw_incident['alerts'] = raw_incident['reply'].get('alerts').get('data')
modified_raw_incident['file_artifacts'] = raw_incident['reply'].get('file_artifacts').get('data')
modified_raw_incident['network_artifacts'] = raw_incident['reply'].get('network_artifacts').get('data')
modified_raw_incident['mirror_direction'] = 'In'
modified_raw_incident['mirror_instance'] = 'MyInstance'
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/', json=raw_incident)
mocker.patch.object(demisto, 'params', return_value={"extra_data": True, "mirror_direction": "Incoming"})
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
next_run, incidents = fetch_incidents(client, '3 month', 'MyInstance')
sort_all_list_incident_fields(modified_raw_incident)
assert len(incidents) == 2
assert incidents[0]['name'] == "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA " \
"involving user Administrator"
if 'network_artifacts' not in json.loads(incidents[0]['rawJSON']):
assert False
assert incidents[0]['rawJSON'] == json.dumps(modified_raw_incident)
def test_get_remote_data_command_should_close_issue(requests_mock):
"""
Given:
- an XDR client
- arguments (id and lastUpdate time set to a lower than incident modification time)
- a raw incident (get-extra-data results) indicating the incident was closed on XDR side
When
- running get_remote_data_command
Then
- the mirrored_object in the GetRemoteDataResponse is the same as the modified raw incident
- the entries in the GetRemoteDataResponse holds the closing entry
"""
from PaloAltoNetworks_XDR import get_remote_data_command, Client, sort_all_list_incident_fields
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'id': 1, 'lastUpdate': 0}
raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
raw_incident['reply']['incident']['status'] = 'resolved_threat_handled'
raw_incident['reply']['incident']['resolve_comment'] = 'Handled'
expected_modified_incident = raw_incident['reply']['incident'].copy()
expected_modified_incident['alerts'] = raw_incident['reply'].get(
'alerts').get('data')
expected_modified_incident['network_artifacts'] = raw_incident[
'reply'].get('network_artifacts').get('data')
expected_modified_incident['file_artifacts'] = raw_incident['reply'].get(
'file_artifacts').get('data')
expected_modified_incident['id'] = expected_modified_incident.get(
'incident_id')
expected_modified_incident['assigned_user_mail'] = ''
expected_modified_incident['assigned_user_pretty_name'] = ''
expected_modified_incident['closeReason'] = 'Resolved'
expected_modified_incident['closeNotes'] = 'Handled'
expected_modified_incident['in_mirror_error'] = ''
del expected_modified_incident['creation_time']
expected_closing_entry = {
'Type': 1,
'Contents': {
'dbotIncidentClose': True,
'closeReason': 'Resolved',
'closeNotes': 'Handled'
},
'ContentsFormat': 'json'
}
requests_mock.post(
f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
json=raw_incident)
response = get_remote_data_command(client, args)
sort_all_list_incident_fields(expected_modified_incident)
assert response.mirrored_object == expected_modified_incident
assert expected_closing_entry in response.entries
def test_endpoint_scan_command_scan_all_endpoints(requests_mock):
"""
Given:
- no filters.
When
- A user desires to scan all endpoints.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import endpoint_scan_command, Client
scan_expected_tesult = {'PaloAltoNetworksXDR.endpointScan.actionId(val.actionId == obj.actionId)': 123}
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/scan/', json={"reply": {"action_id": 123}})
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
client._headers = {}
markdown, context, raw = endpoint_scan_command(client, {})
assert scan_expected_tesult == context
def test_quarantine_files_command(requests_mock):
"""
Given:
- List of files' hashes to put in quarantine
When
- A user desires to quarantine files.
Then
- returns markdown, context data and raw response.
"""
from PaloAltoNetworks_XDR import quarantine_files_command, Client
test_data = load_test_data('test_data/quarantine_files.json')
quarantine_files_expected_tesult = {
'PaloAltoNetworksXDR.quarantineFiles.actionIds(val.actionId === obj.actionId)': test_data['context_data']}
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/quarantine/', json=test_data['api_response'])
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
client._headers = {}
markdown, context, raw = quarantine_files_command(client, test_data['command_args'])
assert quarantine_files_expected_tesult == context
def test_get_endpoints(requests_mock):
from PaloAltoNetworks_XDR import get_endpoints_command, Client
get_endpoints_response = load_test_data('./test_data/get_endpoints.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoint/',
json=get_endpoints_response)
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'hostname': 'foo', 'page': 1, 'limit': 3}
_, outputs, _ = get_endpoints_command(client, args)
assert get_endpoints_response.get('reply').get('endpoints') == \
outputs['PaloAltoNetworksXDR.Endpoint(val.endpoint_id == obj.endpoint_id)']
def test_update_incident(requests_mock):
from PaloAltoNetworks_XDR import update_incident_command, Client
update_incident_response = load_test_data(
'./test_data/update_incident.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/update_incident/',
json=update_incident_response)
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'incident_id': '1', 'status': 'new'}
readable_output, outputs, _ = update_incident_command(client, args)
assert outputs is None
assert readable_output == 'Incident 1 has been updated'
def test_get_remote_data_command_sync_owners(requests_mock, mocker):
"""
Given:
- an XDR client
- arguments (id and lastUpdate time set to a lower than incident modification time)
- a raw incident (get-extra-data results) with assigned mail [email protected]
When
- running get_remote_data_command
Then
- the mirrored_object in the GetRemoteDataResponse is the same as the modified raw incident with the equivalent
owner of the assigned mail
- the entries in the GetRemoteDataResponse in empty
"""
from PaloAltoNetworks_XDR import get_remote_data_command, Client, sort_all_list_incident_fields
mocker.patch.object(demisto, 'params', return_value={"sync_owners": True})
mocker.patch.object(demisto,
'findUser',
return_value={
"email": "*****@*****.**",
'username': '******'
})
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'id': 1, 'lastUpdate': 0}
raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
raw_incident['reply']['incident']['assigned_user_mail'] = '*****@*****.**'
expected_modified_incident = raw_incident['reply']['incident'].copy()
expected_modified_incident['alerts'] = raw_incident['reply'].get(
'alerts').get('data')
expected_modified_incident['network_artifacts'] = raw_incident[
'reply'].get('network_artifacts').get('data')
expected_modified_incident['file_artifacts'] = raw_incident['reply'].get(
'file_artifacts').get('data')
expected_modified_incident['id'] = expected_modified_incident.get(
'incident_id')
expected_modified_incident['assigned_user_mail'] = '*****@*****.**'
expected_modified_incident['assigned_user_pretty_name'] = None
expected_modified_incident['owner'] = 'username'
expected_modified_incident['in_mirror_error'] = ''
del expected_modified_incident['creation_time']
requests_mock.post(
f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/',
json=raw_incident)
response = get_remote_data_command(client, args)
sort_all_list_incident_fields(expected_modified_incident)
assert response.mirrored_object == expected_modified_incident
assert response.entries == []
def test_get_all_endpoints_using_limit(requests_mock):
from PaloAltoNetworks_XDR import get_endpoints_command, Client
get_endpoints_response = load_test_data(
'./test_data/get_all_endpoints.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/endpoints/get_endpoints/',
json=get_endpoints_response)
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'limit': 1, 'page': 0, 'sort_order': 'asc'}
_, outputs, _ = get_endpoints_command(client, args)
expected_endpoint = get_endpoints_response.get('reply')[0]
assert [expected_endpoint] == outputs[
'PaloAltoNetworksXDR.Endpoint(val.endpoint_id == obj.endpoint_id)']
def test_get_incident_list(requests_mock):
from PaloAltoNetworks_XDR import get_incidents_command, Client
get_incidents_list_response = load_test_data(
'./test_data/get_incidents_list.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/',
json=get_incidents_list_response)
client = Client(base_url=f'{XDR_URL}/public_api/v1', headers={})
args = {'incident_id_list': '1 day'}
_, outputs, _ = get_incidents_command(client, args)
expected_output = {
'PaloAltoNetworksXDR.Incident(val.incident_id==obj.incident_id)':
get_incidents_list_response.get('reply').get('incidents')
}
assert expected_output == outputs
def test_fetch_incidents_with_rate_limit_error(requests_mock, mocker):
"""
Given:
- a Rate limit error occurs in the second call for 'get_extra_data_command'
When
- running fetch_incidents command
Then
- the first successful incident is being created
- the second incident is saved for the next run
"""
from PaloAltoNetworks_XDR import fetch_incidents, Client, sort_all_list_incident_fields
get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
raw_incident = load_test_data('./test_data/get_incident_extra_data.json')
modified_raw_incident = raw_incident['reply']['incident'].copy()
modified_raw_incident['alerts'] = raw_incident['reply'].get('alerts').get('data')
modified_raw_incident['file_artifacts'] = raw_incident['reply'].get('file_artifacts').get('data')
modified_raw_incident['network_artifacts'] = raw_incident['reply'].get('network_artifacts').get('data')
modified_raw_incident['mirror_direction'] = 'In'
modified_raw_incident['mirror_instance'] = 'MyInstance'
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incident_extra_data/', json=raw_incident)
mocker.patch('PaloAltoNetworks_XDR.get_incident_extra_data_command', side_effect=return_extra_data_result)
mocker.patch.object(demisto, 'params', return_value={"extra_data": True, "mirror_direction": "Incoming"})
client = Client(
base_url=f'{XDR_URL}/public_api/v1', headers={}
)
next_run, incidents = fetch_incidents(client, '3 month', 'MyInstance')
sort_all_list_incident_fields(modified_raw_incident)
assert len(incidents) == 1 # because the second one raised a rate limit error
assert incidents[0]['name'] == "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA " \
"involving user Administrator"
incidents_from_previous_run = next_run.get('incidents_from_previous_run')
assert incidents_from_previous_run
assert len(incidents_from_previous_run) == 1
assert incidents_from_previous_run[0].get('incident_id') == '2'
if 'network_artifacts' not in json.loads(incidents[0]['rawJSON']):
assert False
assert incidents[0]['rawJSON'] == json.dumps(modified_raw_incident)
def test_get_audit_agent_reports(requests_mock):
from PaloAltoNetworks_XDR import get_audit_agent_reports_command, Client
get_audit_agent_reports_response = load_test_data('./test_data/get_audit_agent_report.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/audits/agents_reports/', json=get_audit_agent_reports_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
'endpoint_names': 'woo.demisto',
'limit': '3',
'timestamp_gte': '3 month'
}
readable_output, outputs, _ = get_audit_agent_reports_command(client, args)
expected_outputs = get_audit_agent_reports_response.get('reply').get('data')
assert outputs['PaloAltoNetworksXDR.AuditAgentReports'] == expected_outputs
def test_fetch_incidents(requests_mock):
from PaloAltoNetworks_XDR import fetch_incidents, Client
get_incidents_list_response = load_test_data('./test_data/get_incidents_list.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/incidents/get_incidents/', json=get_incidents_list_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
next_run, incidents = fetch_incidents(client, '3 month', {})
assert len(incidents) == 2
assert incidents[0]['name'] == "#1 - 'Local Analysis Malware' generated by XDR Agent detected on host AAAAA " \
"involving user Administrator"
assert incidents[1]['name'] == "#2 - 'Local Analysis Malware' generated by XDR Agent detected on host BBBBB " \
"involving user Administrator"
assert incidents[0]['rawJSON'] == json.dumps(get_incidents_list_response['reply']['incidents'][0])
def test_get_audit_management_logs(requests_mock):
from PaloAltoNetworks_XDR import get_audit_management_logs_command, Client
get_audit_management_logs_response = load_test_data('./test_data/get_audit_management_logs.json')
requests_mock.post(f'{XDR_URL}/public_api/v1/audits/management_logs/', json=get_audit_management_logs_response)
client = Client(
base_url=f'{XDR_URL}/public_api/v1'
)
args = {
'email': '*****@*****.**',
'limit': '3',
'timestamp_gte': '3 month'
}
readable_output, outputs, _ = get_audit_management_logs_command(client, args)
expected_outputs = get_audit_management_logs_response.get('reply').get('data')
assert outputs['PaloAltoNetworksXDR.AuditManagementLogs(val.AUDIT_ID == obj.AUDIT_ID)'] == expected_outputs