    def test_query_response_found(self):
        """Run a STIX pattern through the security_advisor transmission.

        The test expects a successful result whose ``search_id`` is the
        submitted pattern echoed back unchanged.
        """
        stix_pattern = "[url:value = '*****@*****.**']"
        module = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
        result = module.query(stix_pattern)

        assert result is not None
        assert 'success' in result
        assert result['success'] is True
        assert 'search_id' in result
        assert result['search_id'] == stix_pattern
    def test_reversinglabs_ping(self, mock_ping_response, mock_api_client):
        """Ping with the API client patched out and a mocked 200 ``{"success": true}`` reply.

        Expects the transmission to report a truthy ``success``.
        """
        mock_api_client.return_value = None
        mock_ping_response.return_value = Response({"success": True}, 200)

        module = stix_transmission.StixTransmission(MODULE_NAME, connection, config)
        result = module.ping()

        assert result is not None
        assert result['success']
 def test_delete_query_exception(mock_create_status):
     """Delete a search while the mocked client returns a MockExceptionResponse.

     The transmission is expected to report ``success`` False together with an
     ``error`` entry instead of propagating the failure.
     """
     mock_create_status.return_value = MockExceptionResponse()
     module = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)
     result = module.delete('10.20.30.40')
     assert result is not None
     assert result.get('success') is False
     assert 'error' in result
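 def test_reversinglabs_status(self, mock_api_client):
     """Status lookup with a patched API client.

     Expects a successful response reporting status ``COMPLETED`` and
     progress ``100``.
     """
     mock_api_client.return_value = None
     transmission = stix_transmission.StixTransmission(
         MODULE_NAME, connection, config)
     query_response = transmission.status(SAMPLE_DATA)
     assert query_response is not None
     # Each check is its own assert: in `assert cond, expr` the second
     # expression is only the failure message and is never evaluated as a check.
     assert 'success' in query_response
     assert query_response['success'] is True
     assert 'status' in query_response
     assert query_response['status'] == 'COMPLETED'
     assert 'progress' in query_response
     assert query_response['progress'] == 100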
    def test_delete_query_connection(mock_delete_query):
        """Delete a search by id against the arcsight transmission.

        The mocked delete call answers HTTP 200 with an empty body; the
        transmission is expected to report ``success`` True.
        """
        mock_delete_query.return_value = ArcsightMockResponse(200, "")
        module = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)
        result = module.delete(SEARCH_ID)

        assert result is not None
        assert result.get('success') is True
    def test_delete_query_connection(mock_delete_query):
        """Delete a search by id against the aws_cloud_watch_logs transmission.

        With the client's delete mocked to an AWSMockJsonResponse the
        transmission is expected to report ``success`` True.
        """
        search_id = "0c8ed381-f1c8-406d-a293-406b64607870"
        mock_delete_query.return_value = AWSMockJsonResponse()
        module = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)
        result = module.delete(search_id)

        assert result is not None
        assert result.get('success') is True
    def test_results_all_response(self, mock_results_response, mock_api_client, mock_generate_token):
        """Fetch results from the azure_sentinel transmission with a mocked Graph alerts page.

        Token generation and the API client are patched out; the results call
        answers HTTP 200 with a one-alert OData page. Expects a successful
        response carrying a non-None ``data`` entry.
        """
        mock_api_client.return_value = None
        mock_generate_token.return_value = AdalMockResponse
        # Mocked Graph Security API page (OData envelope with one alert and a nextLink).
        payload = """{
            "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts(fileStates)",
            "@odata.nextLink": "https://graph.microsoft.com/beta/security/alerts?$select=filestates&$filter=fileStates%\
            2fany(x%3ax%2fname+eq+%27services.exe%27)+and+eventDateTime+ge+2019-10-13T08%3a00Z+and+eventDateTime+le\
            +2019-11-13T08%3a00Z&$top=1&$skip=1&$skiptoken=45e372bf-0f5d-4d0b-b244-7d762a909a0e",
            "value": [
                {
                    "fileStates": [
                        {
                            "name": "services.exe",
                            "path": "c:\\\\windows\\\\system32\\\\services.exe",
                            "riskScore": null,
                            "fileHash": {
                               "hashType": "sha256",
                               "hashValue": "00a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d2d644169d"
                             }
                        },
                        {
                            "name": "svchost.exe",
                            "path": "c:\\\\windows\\\\system32\\\\svchost.exe",
                            "riskScore": null,
                            "fileHash": {
                               "hashType": "sha256",
                               "hashValue": "33a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d644169d"
                             }
                        }
                    ],
                    "processes": [
                        {
                            "processId": 1234,
                            "fileHash": {
                               "hashType": "sha256",
                               "hashValue": "33a1cf85c6ab96df38a4023f0cee4df60f62280768fc9c06a235e6d644169d"
                            }
                        }
                    ]
                }
            ]
        }"""
        mock_results_response.return_value = AzureSentinelMockResponse(200, payload)

        offset, length = 0, 1
        query = "$select=filestates&$filter=fileStates/any(x:x/name eq 'services.exe') and eventDateTime ge \
                 2019-10-13T08:00Z and eventDateTime le 2019-11-13T08:00Z&$top=1&$skip=1"
        module = stix_transmission.StixTransmission('azure_sentinel', self.connection(), self.config())
        result = module.results(query, offset, length)

        assert result is not None
        assert result['success']
        assert 'data' in result
        assert result['data'] is not None
    def test_ping_endpoint_auth_failed(self, mock_ping_response):
        """Ping when both the IAM token endpoint and the providers endpoint answer HTTP 500.

        Expects the security_advisor transmission to report ``success`` False.
        """
        mock_ping_response.post('https://iam.cloud.ibm.com/identity/token', status_code=500)
        mock_ping_response.get('http://test_sec_adv.com/abc/providers', status_code=500)

        module = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
        result = module.ping()

        assert result is not None
        assert result.get('success') is False
    def test_ping_endpoint_exception(self, mock_ping_response):
        """Ping with only the IAM token POST mocked.

        Only the token endpoint is registered, so the provider lookup has no
        mocked answer; the transmission is expected to report ``success``
        False and a non-None ``error``.
        """
        mock_ping_response.post('https://iam.cloud.ibm.com/identity/token', text='{ "access_token" : "ertyuiojhgfcvbnbv" }')

        module = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
        result = module.ping()

        assert result is not None
        assert 'success' in result
        assert result['success'] is False
        assert result['error'] is not None
 def test_create_status_exception(mock_create_status):
     """Status lookup while the mocked client returns a MockExceptionResponse.

     Expects the aws_cloud_watch_logs transmission to report a failure with
     an ``error`` entry and the ``invalid_query`` code.
     """
     search_id = "xyz"
     mock_create_status.return_value = MockExceptionResponse()
     module = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)
     result = module.status(search_id)
     assert result is not None
     assert result.get('success') is False
     assert 'error' in result
     assert result['code'] == 'invalid_query'
 def test_ping_internal_server_exception(self, mock_ping_response):
     """Ping when the paloalto endpoint answers HTTP 500 with an err_msg body.

     Expects ``success`` False, the server's err_msg surfaced in ``error``,
     and the ``invalid_parameter`` code.
     """
     body = '{"reply": {"err_msg":"Internal server error","err_extra":"server error"}}'
     mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(500, body))
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.ping()
     assert result is not None
     assert result['success'] is False
     assert "Internal server error" in result["error"]
     assert result["code"] == "invalid_parameter"
 def test_ping_400_exception(self, mock_ping_response):
     """Ping when the paloalto endpoint answers HTTP 400.

     Expects ``success`` False, an ``error`` entry and the ``invalid_query`` code.
     """
     body = '{"reply":{"err_msg": "InvalidJson"}}'
     mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(400, body))
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.ping()
     assert result is not None
     assert result['success'] is False
     assert 'error' in result
     assert result['code'] == "invalid_query"
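 def test_delete_query_exception(self, mock_delete_response,
                                 mock_api_client):
     """Delete when the underlying delete call raises.

     The transmission must convert the exception into a failing result
     (``success`` False) that carries the raised message in ``error``.
     """
     error_msg = 'an error occured while checking the if the query is deleted'
     mock_api_client.return_value = None
     # An exception instance as side_effect makes the mock raise on call; a
     # return_value set alongside it is never used, so none is set here.
     mock_delete_response.side_effect = Exception(error_msg)
     transmission = stix_transmission.StixTransmission(
         MODULE_NAME, connection, config)
     query_response = transmission.delete("")
     # Each check is its own assert: in `assert cond, expr` the second
     # expression is only the failure message and is never evaluated as a check.
     assert 'success' in query_response
     assert query_response['success'] is False
     assert 'error' in query_response
     # The connector may wrap the message, so require containment rather than equality.
     assert error_msg in query_response['error']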
 def test_auth_exception(mock_auth_value):
     """Ping when the arcsight auth token request answers HTTP 400.

     Expects a failing result with an ``error`` entry and the
     ``authentication_fail`` code.
     """
     mock_auth_value.return_value = ArcsightMockResponse(400, '')
     module = stix_transmission.StixTransmission('arcsight', CONNECTION, CONFIG)
     result = module.ping()
     assert result is not None
     assert result.get('success') is False
     assert 'error' in result
     assert result['code'] == 'authentication_fail'
    def test_ping_exception(mock_create_status):
        """Ping the aws_athena transmission while the mocked client returns a MockExceptionResponse.

        Expects a failing result with an ``error`` entry and the
        ``authentication_fail`` code.
        """
        mock_create_status.return_value = MockExceptionResponse()
        module = stix_transmission.StixTransmission('aws_athena', CONNECTION, CONFIGURATION)
        result = module.ping()

        assert result is not None
        assert result.get('success') is False
        assert 'error' in result
        assert result['code'] == 'authentication_fail'
 def test_status_response(self, mock_status_response):
     """Status lookup when paloalto reports ``SUCCESS``.

     Expects the transmission to translate it into a successful result with
     status ``COMPLETED``.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     body = '{"reply" : {"status": "SUCCESS","number_of_results":100}}'
     mock_status_response.return_value = StatusResponse(200, body)
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     assert result is not None
     assert result.get('success') is True
     assert result['status'] == "COMPLETED"
 def test_create_query_exception(mock_create_query):
     """Query against aws_cloud_watch_logs when the mocked create call yields an Exception.

     Expects a failing result with an ``error`` entry and the ``invalid_query`` code.
     """
     # NOTE(review): return_value hands the Exception object back as the call's
     # result rather than raising it; if raising was intended, side_effect is the
     # mock attribute for that — confirm against the connector's handling.
     mock_create_query.return_value = Exception("Invalid Query")
     module = stix_transmission.StixTransmission('aws_cloud_watch_logs', CONNECTION, CONFIG)
     result = module.query('sample query')
     assert result is not None
     assert result.get('success') is False
     assert 'error' in result
     assert result['code'] == "invalid_query"
 def test_ping_401_auth_exception(self, mock_ping_response):
     """Ping when the paloalto endpoint answers HTTP 401.

     Expects ``success`` False and the ``authentication_fail`` code. The
     asserted ``error`` text is the connector's own api_key message, not the
     mocked err_msg.
     """
     body = '{"reply": { "err_msg" : "auth Error"}}'
     mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(401, body))
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.ping()
     assert result is not None
     assert result['success'] is False
     assert result['code'] == "authentication_fail"
     assert "Invalid api_key" in result['error']
    def test_ping_endpoint_bad_return_code(self, mock_ping_response):
        """Ping when the IAM token POST succeeds but the providers GET answers HTTP 500.

        Expects the security_advisor transmission to report ``success`` False.
        """
        mock_ping_response.post('https://iam.cloud.ibm.com/identity/token', text='{ "access_token" : "ertyuiojhgfcvbnbv" }')
        mock_ping_response.get('http://test_sec_adv.com/abc/providers', status_code=500)

        module = stix_transmission.StixTransmission('security_advisor', CONNECTION, CONFIG)
        result = module.ping()

        assert result is not None
        assert result.get('success') is False
    def test_ping_endpoint_bad_return_code(mock_ping_response):
        """Ping the bigfix transmission when the endpoint answers HTTP 500.

        Expects ``success`` False and a non-None ``error``.
        """
        mock_ping_response.return_value = BigFixMockHttpXMLResponse(500, MockHttpResponse('/exception'))

        module = stix_transmission.StixTransmission('bigfix', CONNECTION, CONFIG)
        result = module.ping()

        assert result is not None
        assert 'success' in result
        assert result['success'] is False
        assert result['error'] is not None
    def test_delete_query_exception(mock_create_status):
        """Delete a search on aws_athena while the mocked client returns a MockExceptionResponse.

        Expects a failing result with an ``error`` entry.
        """
        search_id = '0c8ed381-f1c8-406d-a293-406b64604323:vpcflow'
        mock_create_status.return_value = MockExceptionResponse()
        module = stix_transmission.StixTransmission('aws_athena', CONNECTION, CONFIGURATION)
        result = module.delete(search_id)

        assert result is not None
        assert result.get('success') is False
        assert 'error' in result
 def test_max_additional_quota_exception(self, mock_ping):
     """Query the paloalto transmission with a mocked quota reply.

     Expects the connector to refuse the query with ``service_unavailable``
     and an ``error`` mentioning the exceeded daily quota.
     """
     quota_reply = {
         'reply': {'license_quota': 5, 'additional_purchased_quota': 10.0, 'used_quota': 12, 'eval_quota': 0.0}}
     mock_ping.side_effect = [MockResponse(MockStatusObj(200), json.dumps(quota_reply))]
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.query({})
     assert result is not None
     assert result['success'] is False
     assert result['code'] == "service_unavailable"
     assert "query usage exceeded max daily quota" in result['error']
 def test_status_value_error_exception(self, mock_search_status):
     """Status lookup when paloalto answers HTTP 200 with a non-JSON body.

     Expects a failing result whose ``error`` says the response cannot be parsed.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     mock_search_status.return_value = StatusResponse(200, "Invalid json")
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     assert result is not None
     assert result['success'] is False
     assert 'error' in result
     assert "Cannot parse response" in result["error"]
    def test_ping_endpoint_exception(mock_ping_response):
        """Ping the bigfix transmission when the mocked call raises.

        A 200 return_value is also set, but the side_effect exception governs
        the call. Expects ``success`` False and a non-None ``error``.
        """
        mock_ping_response.return_value = BigFixMockHttpXMLResponse(200, MockHttpResponse('/exception'))
        mock_ping_response.side_effect = Exception('an error occured retriving ping information')

        module = stix_transmission.StixTransmission('bigfix', CONNECTION, CONFIG)
        result = module.ping()

        assert result is not None
        assert 'success' in result
        assert result['success'] is False
        assert result['error'] is not None
 def test_status_403_exception(self, get_search_results):
     """Status lookup when paloalto answers HTTP 403.

     Expects ``success`` False, the ``forbidden`` code and the connector's
     RBAC-permission message in ``error``.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     body = '{"reply": { "err_msg" : "api permission exception"}}'
     get_search_results.return_value = StatusResponse(403, body)
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     expected_error = "The provided API Key does not have the required RBAC permissions to run this API"
     assert result is not None
     assert result['success'] is False
     assert result['code'] == "forbidden"
     assert expected_error in result['error']
 def test_status_pending_response(self, mock_search_response):
     """Status lookup when paloalto reports ``PENDING``.

     Expects a successful result translated to status ``RUNNING`` with
     progress ``50``.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     body = '{"reply" : {"status": "PENDING"}}'
     mock_search_response.return_value = StatusResponse(200, body)
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     assert result is not None
     assert result.get('success') is True
     assert result['status'] == "RUNNING"
     assert result['progress'] == 50
 def test_ping_value_error_exception(self, mock_search_response):
     """Ping when paloalto answers HTTP 200 with a non-JSON body.

     Expects a failing result whose ``error`` says the response cannot be parsed.
     """
     mock_search_response.return_value = PingResponse(PaloaltoMockResponse(200, "Invalid_json"))
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.ping()
     assert result is not None
     assert result['success'] is False
     assert 'error' in result
     assert "Cannot parse response" in result["error"]
 def test_status_fail_exception(self, mock_search_response):
     """Status lookup when paloalto reports ``FAIL``.

     Expects a failing result with the ``invalid_query`` code and a
     "Tenant Query Failed" ``error``.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     body = '{"reply" : {"status": "FAIL"}}'
     mock_search_response.return_value = StatusResponse(200, body)
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     assert result is not None
     assert result.get('success') is False
     assert "Tenant Query Failed" in result['error']
     assert result['code'] == "invalid_query"
 def test_status_partial_success_exception(self, mock_status_response):
     """Status lookup when paloalto reports ``PARTIAL_SUCCESS``.

     Expects a successful ``COMPLETED`` result that carries the partial-success
     ``message`` explaining a tenant failed.
     """
     search_id = "e1d1b56ca81845_15180_inv"
     body = '{"reply" : {"status": "PARTIAL_SUCCESS"}}'
     mock_status_response.return_value = StatusResponse(200, body)
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.status(search_id)
     assert result is not None
     assert result.get('success') is True
     assert result['message'] == "Partial Success -At least one tenant failed to execute the query"
     assert result['status'] == "COMPLETED"
 def test_ping_402_license_exception(self, mock_ping_response):
     """Ping when the paloalto endpoint answers HTTP 402.

     Expects ``success`` False, the ``service_unavailable`` code and the
     connector's license-type message in ``error``.
     """
     body = '{"reply": { "err_msg" : "Invalid license"}}'
     mock_ping_response.return_value = PingResponse(PaloaltoMockResponse(402, body))
     module = stix_transmission.StixTransmission('paloalto', self.connection(), self.configuration())
     result = module.ping()
     assert result is not None
     assert result['success'] is False
     assert 'error' in result
     assert result['code'] == "service_unavailable"
     assert "User does not have the required license type to run this API" in result['error']