def test_is_ioc_with_no_matching():
"""Helpers - No known IOC detected in a record"""
rec = {
'account': 12345,
'region': '123456123456',
'detail': {
'eventSource': '...',
'userAgent': '...',
'sourceIPAddress': '1.1.1.2',
'recipientAccountId': '12345'
},
'detail-type': '...',
'source': '1.1.1.2',
'version': '1.05',
'normalized_types': {
'sourceAddress': [['detail', 'sourceIPAddress'], ['source']],
'username': [['detail', 'userIdentity', 'userName']]
},
'time': '...',
'id': '12345',
'resources': {
'test': '...'
}
}
ioc_result = base.is_ioc(rec)
assert_equal(ioc_result, False)
def test_is_ioc_with_lowercase_ioc_is_true():
"""Helpers - IOC is lowercase while related data is mixcase."""
rec = {
'server': "test-server",
'computer_name': 'test-pc',
"domain": "test_Evil.net",
"event_type": "netconn",
"ipv4": "0.0.0.0",
"local_ip": "127.0.0.1",
"local_port": 54279,
"md5": "EF69CD89AD7ADDB9A16BB6F26F1EFAF7",
'normalized_types': {
'destinationDomain': [['domain']],
'fileHash': [['md5']]
}
}
ioc_result = base.is_ioc(rec)
assert_equal(ioc_result, True)
expected_ioc_info = [
{
'type': 'domain',
'value': 'test_evil.net'
},
{
'type': 'md5',
'value': 'ef69cd89ad7addb9a16bb6f26f1efaf7'
}
]
assert_equal(rec[StreamThreatIntel.IOC_KEY], expected_ioc_info)
def test_detect_ioc_rule():
"""Helpers - There is IOC detected in a record"""
rec = {
'account': 12345,
'region': '123456123456',
'detail': {
'eventSource': '...',
'userAgent': '...',
'sourceIPAddress': '90.163.54.11',
'recipientAccountId': '12345'
},
'detail-type': '...',
'source': '1.1.1.2',
'version': '1.05',
'normalized_types': {
'sourceAddress': [['detail', 'sourceIPAddress'], ['source']],
'username': [['detail', 'userIdentity', 'userName']]
},
'time': '...',
'id': '12345',
'resources': {
'test': '...'
}
}
ioc_result = base.is_ioc(rec)
assert_equal(ioc_result, True)
expected_ioc_info = [{
'type': 'ip',
'value': '90.163.54.11'
}]
assert_equal(rec[StreamThreatIntel.IOC_KEY], expected_ioc_info)
def test_is_ioc_with_lowercase_ioc_is_false():
"""Helpers - IOC is lowercase while lowercase_ioc flag is set to False."""
rec = {
'server': "test-server",
'computer_name': 'test-pc',
"domain": "test_Evil.net",
"event_type": "netconn",
"ipv4": "0.0.0.0",
"local_ip": "127.0.0.1",
"local_port": 54279,
"md5": "EF69CD89AD7ADDB9A16BB6F26F1EFAF7",
'normalized_types': {
'destinationDomain': [['domain']],
'fileHash': [['md5']]
}
}
ioc_result = base.is_ioc(rec, lowercase_ioc=False)
assert_equal(ioc_result, False)