def test_antispyware_signature_search_wrongful_arguments(): """ Given: - wrongful args to the antispyware_signature_search command When: - running antispyware_signature_search Then: - validating the raised error """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False) wrong_args_err = 'Please provide either a signature_name or a cve or a vendor.' with pytest.raises(Exception, match=wrong_args_err): antispyware_signature_search(client, args={ 'signature_name': '1234', 'cve': 'CVE-2020' }) with pytest.raises(Exception, match=wrong_args_err): antispyware_signature_search(client, args={ 'signature_name': '1234', 'vendor': 'panw' }) with pytest.raises(Exception, match=wrong_args_err): antispyware_signature_search(client, args={ 'vendor': 'panw', 'cve': 'CVE-2020' })
def test_ip_geo_get(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-geolocation.html Given: - an ip When: - mocking the server response for an IP, running ip_geo_get Then: - validating the returned context data """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False) return_data = { 'ipAddress': '1.1.1.1', 'countryCode': 'AU', 'countryName': 'Australia' } mocker.patch.object(client, 'ip_geo_get_request', return_value=return_data) command_results = ip_geo_get(client, args={'ip': '1.1.1.1'}) output = command_results.to_context() expected_result = { 'ThreatVault.IP(val.ipAddress == obj.ipAddress)': { 'ipAddress': '1.1.1.1', 'countryCode': 'AU', 'countryName': 'Australia' } } assert output.get('EntryContext') == expected_result
def test_antispyware_get_by_id(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-vulnerability-signature.html Given: - a anti spyware signature ID When: - mocking the server response for an ID, running antispyware_get_by_id Then: - validating the returned context data """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') return_data = { 'metadata': { 'severity': 'medium', 'reference': 'http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Autorun,' 'http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-' 'and-autorun.aspx,http://nakedsecurity.sophos.com/2011/06/15/usb-autorun-malware-on-the-wane/', 'panOsMaximumVersion': '', 'description': 'This signature detects a variety of user-agents in HTTP request headers that have been' ' known to be used by the Autorun family of malicious software, and not known to be used by' ' legitimate clients. The request header should be inspected to investigate the suspect' ' user-agent. If the user-agent is atypical or unexpected, the endpoint should be inspected' ' to determine the user-agent used to generate the request on the machine' ' (typically malware).', 'panOsMinimumVersion': '6.1.0', 'action': 'alert', 'category': 'spyware', 'changeData': '' }, 'cve': '', 'signatureName': 'Autorun User-Agent Traffic', 'vendor': '', 'signatureType': 'spyware', 'firstReleaseTime': '2011-05-23 UTC', 'signatureId': 10001, 'latestReleaseTime': '2020-10-30 UTC', 'latestReleaseVersion': 8338, 'status': 'released', 'firstReleaseVersion': 248 } mocker.patch.object(client, 'antispyware_get_by_id_request', return_value=return_data) command_results = antispyware_get_by_id(client, args={'signature_id': '10001'}) output = command_results.to_context() expected_result = { 'ThreatVault.AntiSpyware(val.signatureId && val.signatureId == obj.signatureId)': { 'metadata': { 'severity': 'medium', 'reference': 'http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=' 'Win32/Autorun,http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-' 'the-romance-between-malware-and-autorun.aspx,http://nakedsecurity.sophos.com/' '2011/06/15/usb-autorun-malware-on-the-wane/', 'panOsMaximumVersion': '', 'description': 'This signature detects a variety of user-agents in HTTP request headers that' ' have been known to be used by the Autorun family of malicious software, and' ' not known to be used by legitimate clients. The request header should be' ' inspected to investigate the suspect user-agent. If the user-agent is atypical' ' or unexpected, the endpoint should be inspected to determine the user-agent' ' used to generate the request on the machine (typically malware).', 'panOsMinimumVersion': '6.1.0', 'action': 'alert', 'category': 'spyware', 'changeData': '' }, 'cve': '', 'signatureName': 'Autorun User-Agent Traffic', 'vendor': '', 'signatureType': 'spyware', 'firstReleaseTime': '2011-05-23 UTC', 'signatureId': 10001, 'latestReleaseTime': '2020-10-30 UTC', 'latestReleaseVersion': 8338, 'status': 'released', 'firstReleaseVersion': 248 } } assert output.get('EntryContext') == expected_result
def test_dns_get_by_id(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-anti-spyware-signature.html Given: - a dns signature ID When: - mocking the server response for an ID, running dns_get_by_id Then: - validating the returned context data """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False) return_data = { 'signatureId': 325235352, 'signatureName': 'generic:accounts.google.com.sign-google.com', 'domainName': 'accounts.google.com.sign-google.com', 'createTime': '2020-01-15 23:57:54 (UTC)', 'category': 'malware', 'active': True, 'release': { 'wildfire': { 'latestReleaseVersion': 0, 'firstReleaseVersion': 0 }, 'antivirus': { 'latestReleaseVersion': 0, 'firstReleaseVersion': 0 } } } mocker.patch.object(client, 'dns_signature_get_request', return_value=return_data) command_results = dns_get_by_id(client, args={'dns_signature_id': '325235352'}) output = command_results.to_context() expected_result = { 'ThreatVault.DNS(val.signatureId == obj.signatureId)': { 'signatureId': 325235352, 'signatureName': 'generic:accounts.google.com.sign-google.com', 'domainName': 'accounts.google.com.sign-google.com', 'createTime': '2020-01-15 23:57:54 (UTC)', 'category': 'malware', 'active': True, 'release': { 'wildfire': { 'latestReleaseVersion': 0, 'firstReleaseVersion': 0 }, 'antivirus': { 'latestReleaseVersion': 0, 'firstReleaseVersion': 0 } } } } assert output.get('EntryContext') == expected_result
def test_antivirus_get_by_id_no_ids(): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-antivirus-signature.html Given: - no args When: - running antivirus_signature_get Then: - validating the raised error """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') with pytest.raises(Exception, match="Please submit a sha256 or a signature_id."): antivirus_signature_get(client, args={})
def test_file_command(mocker): """ Given: - sha256 representing an antivirus When: - running file_command command Then - Validate the reputation of the sha256 is malicious. """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False) return_data = { "active": True, "createTime": "2010-10-01 10:28:57 (UTC)", "release": { "antivirus": { "firstReleaseTime": "2010-10-03 15:04:58 UTC", "firstReleaseVersion": 334, "latestReleaseVersion": 0 }, "wildfire": { "firstReleaseVersion": 0, "latestReleaseVersion": 0 } }, "sha256": [ "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8", "9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8" ], "signatureId": 93534285, "signatureName": "Worm/Win32.autorun.crck" } mocker.patch.object(client, 'antivirus_signature_get_request', return_value=return_data) command_results_list = file_command( client, args={ 'file': '7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8' }) assert command_results_list[0].indicator.dbot_score.score == 3
def test_ip_command(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-geolocation.html Given: - an ip When: - mocking the server response for an IP, running ip_command Then: - validating the generated indicator dbot score - validating the generated indicator country """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') return_data = {'ipAddress': '8.8.8.8', 'countryCode': 'US', 'countryName': 'United States'} mocker.patch.object(client, 'ip_geo_get_request', return_value=return_data) command_results_list = ip_command(client, args={'ip': '8.8.8.8'}) assert command_results_list[0].indicator.dbot_score.score == 0 assert command_results_list[0].indicator.geo_country == 'United States'
def test_antivirus_get_by_id(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-direct-searches/get-antivirus-signature.html Given: - an antivirus signature ID When: - mocking the server response for an ID, running antivirus_signature_get Then: - validating the returned context data """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') return_data = { "active": True, "createTime": "2010-10-01 10:28:57 (UTC)", "release": { "antivirus": { "firstReleaseTime": "2010-10-03 15:04:58 UTC", "firstReleaseVersion": 334, "latestReleaseVersion": 0 }, "wildfire": { "firstReleaseVersion": 0, "latestReleaseVersion": 0 } }, "sha256": [ "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8", "9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8" ], "signatureId": 93534285, "signatureName": "Worm/Win32.autorun.crck" } mocker.patch.object(client, 'antivirus_signature_get_request', return_value=return_data) command_results = antivirus_signature_get(client, args={'signature_id': '93534285'}) output = command_results.to_context() expected_result = { 'ThreatVault.Antivirus(val.signatureId && val.signatureId == obj.signatureId)': { "active": True, "createTime": "2010-10-01 10:28:57 (UTC)", "release": { "antivirus": { "firstReleaseTime": "2010-10-03 15:04:58 UTC", "firstReleaseVersion": 334, "latestReleaseVersion": 0 }, "wildfire": { "firstReleaseVersion": 0, "latestReleaseVersion": 0 } }, "sha256": [ "7a520be9db919a09d8ccd9b78c11885a6e97bc9cc87414558254cef3081dccf8", "9e12c5cdb069f74487c11758e732d72047b72bedf4373aa9e3a58e8e158380f8" ], "signatureId": 93534285, "signatureName": "Worm/Win32.autorun.crck" } } assert output.get('EntryContext') == expected_result
def test_signature_search_results_anti_spyware_cve(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-autofocus-searches/search-signatures.html Given: - a search_request_id When: - mocking the server response for a search_request_id of a cve, running signature_search_results Then: - validating the returned context data - validating the returned human readable """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') return_data = { "page_count": 1, "signatures": [ { "cve": "CVE-2015-8650", "firstReleaseTime": "2015-12-28 UTC", "firstReleaseVersion": 548, "latestReleaseTime": "2020-10-30 UTC", "latestReleaseVersion": 8338, "metadata": { "action": "reset-both", "category": "code-execution", "changeData": "", "description": "Adobe Flash Player is prone to an use after free vulnerability while parsing" " certain crafted SWF files. The vulnerability is due to the lack of proper checks" " on SWF file, leading to an use after free vulnerability. An attacker could" " exploit the vulnerability by sending a crafted SWF file. A successful attack" " could lead to remote code execution with the privileges of the current" " logged-in user.", "panOsMaximumVersion": "", "panOsMinimumVersion": "7.1.0", "reference": "https://helpx.adobe.com/security/products/flash-player/apsb16-01.html", "severity": "high" }, "signatureId": 38692, "signatureName": "Adobe Flash Player Use After Free Vulnerability", "signatureType": "vulnerability", "status": "released", "vendor": "APSB16-01" } ], "status": "completed", "total_count": 1 } mocker.patch.object(client, 'signature_search_results_request', return_value=return_data) command_results = signature_search_results(client, args={'search_request_id': 'mock_cve', 'size': '1'}) output = command_results.to_context() expected_context = { 'ThreatVault.Search(val.search_request_id && val.search_request_id == obj.search_request_id)': { "page_count": 1, "search_request_id": "mock_cve", "signatures": [ { "cve": "CVE-2015-8650", "firstReleaseTime": "2015-12-28 UTC", "firstReleaseVersion": 548, "latestReleaseTime": "2020-10-30 UTC", "latestReleaseVersion": 8338, "metadata": { "action": "reset-both", "category": "code-execution", "changeData": "", "description": "Adobe Flash Player is prone to an use after free vulnerability while" " parsing certain crafted SWF files. The vulnerability is due to the lack" " of proper checks on SWF file, leading to an use after free vulnerability." " An attacker could exploit the vulnerability by sending a crafted SWF file." " A successful attack could lead to remote code execution with the" " privileges of the current logged-in user.", "panOsMaximumVersion": "", "panOsMinimumVersion": "7.1.0", "reference": "https://helpx.adobe.com/security/products/flash-player/apsb16-01.html", "severity": "high" }, "signatureId": 38692, "signatureName": "Adobe Flash Player Use After Free Vulnerability", "signatureType": "vulnerability", "status": "released", "vendor": "APSB16-01" } ], "status": "completed", "total_count": 1, } } expected_hr = '### Signature search are showing 1 of 1 results:\n|signatureId|signatureName|cve|' \ 'signatureType|status|firstReleaseTime|latestReleaseTime|\n|---|---|---|---|---|---|---|\n|' \ ' 38692 | Adobe Flash Player Use After Free Vulnerability | CVE-2015-8650 |' \ ' vulnerability | released | 2015-12-28 UTC | 2020-10-30 UTC |\n' assert output.get('EntryContext') == expected_context assert output.get('HumanReadable') == expected_hr
def test_signature_search_results_dns(mocker): """ https://docs.paloaltonetworks.com/autofocus/autofocus-api/perform-autofocus-searches/search-signatures.html Given: - a search_request_id When: - mocking the server response for a search_request_id of a domainName, running signature_search_results Then: - validating the returned context data - validating the returned human readable """ client = Client(api_key='XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX', verify=True, proxy=False, reliability='D - Not usually reliable') return_data = { "page_count": 1, "signatures": [ { "active": True, "category": "malware", "createTime": "2015-03-03 14:45:03 (UTC)", "domainName": "mail-google.com.co", "release": { "antivirus": { "firstReleaseTime": "2015-03-03 15:11:53 UTC", "firstReleaseVersion": 1890, "latestReleaseVersion": 0 }, "wildfire": { "firstReleaseVersion": 0, "latestReleaseVersion": 0 } }, "signatureId": 44101494, "signatureName": "generic:mail-google.com.co" } ], "total_count": 5306 } mocker.patch.object(client, 'signature_search_results_request', return_value=return_data) command_results = signature_search_results(client, args={'search_request_id': 'mock_domain', 'size': '1'}) output = command_results.to_context() expected_context = { 'ThreatVault.Search(val.search_request_id && val.search_request_id == obj.search_request_id)': { "page_count": 1, "signatures": [ { "active": True, "category": "malware", "createTime": "2015-03-03 14:45:03 (UTC)", "domainName": "mail-google.com.co", "release": { "antivirus": { "firstReleaseTime": "2015-03-03 15:11:53 UTC", "firstReleaseVersion": 1890, "latestReleaseVersion": 0 }, "wildfire": { "firstReleaseVersion": 0, "latestReleaseVersion": 0 } }, "signatureId": 44101494, "signatureName": "generic:mail-google.com.co" } ], "total_count": 5306, 'search_request_id': 'mock_domain', 'status': 'completed' } } expected_hr = '### Signature search are showing 1 of 5306 results:\n|signatureId|signatureName|domainName|' \ 'category|\n|---|---|---|---|\n| 44101494 | generic:mail-google.com.co | mail-google.com.co |' \ ' malware |\n' assert output.get('EntryContext') == expected_context assert output.get('HumanReadable') == expected_hr