def setup():
    """Load the fixture intelligence before each test method runs.

    Enables 'threat_intel' with the standard log-field-to-IOC-type mapping
    and loads the fixture files under 'tests/unit/fixtures' into
    StreamThreatIntel's class-level store.
    """
    field_to_ioc_type = {
        'sourceAddress': 'ip',
        'destinationDomain': 'domain',
        'fileHash': 'md5',
    }
    enabled_config = {
        'threat_intel': {
            'enabled': True,
            'mapping': field_to_ioc_type,
        },
    }
    StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')
 def test_do_not_load_intelligence(self):
     """Threat Intel - Do not load intelligence to memory when it is disabled"""
     field_to_ioc_type = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5',
     }
     disabled_config = {
         'threat_intel': {
             'enabled': False,
             'mapping': field_to_ioc_type,
         },
     }
     StreamThreatIntel.load_intelligence(disabled_config, 'tests/unit/fixtures')
     # Read the name-mangled class-level store directly: with the feature
     # disabled, nothing should have been loaded from the fixture directory.
     # NOTE(review): assumes load_intelligence resets that store when disabled;
     # otherwise the assertion depends on which test ran before this one.
     loaded = StreamThreatIntel._StreamThreatIntel__intelligence  # pylint: disable=no-member
     assert_equal(len(loaded), 0)
 def test_no_config_loaded(self):
     """Threat Intel - No datatypes_ioc_mapping config loaded if it is disabled"""
     field_to_ioc_type = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5',
     }
     disabled_config = {
         'threat_intel': {
             'enabled': False,
             'mapping': field_to_ioc_type,
         },
     }
     StreamThreatIntel.load_intelligence(disabled_config, 'tests/unit/fixtures')
     # Even though a mapping is present in the config, a disabled feature
     # must not expose it through get_config().
     # NOTE(review): assumes load_intelligence resets the stored mapping when
     # disabled; otherwise this is order-dependent with the enabled tests.
     exposed_mapping = StreamThreatIntel.get_config()
     assert_equal(len(exposed_mapping), 0)
 def test_get_intelligence(self):
     """Threat Intel - get intelligence dictionary"""
     field_to_ioc_type = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5',
     }
     enabled_config = {
         'threat_intel': {
             'enabled': True,
             'mapping': field_to_ioc_type,
         },
     }
     StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')
     intelligence = StreamThreatIntel.get_intelligence()
     # The public accessor is keyed by IOC type (the mapping's values), with
     # one bucket per type; each fixture file holds ten indicators.
     expected_keys = ['domain', 'md5', 'ip']
     assert_items_equal(intelligence.keys(), expected_keys)
     for ioc_type in expected_keys:
         assert_equal(len(intelligence[ioc_type]), 10)
 def test_load_intelligence(self):
     """Threat Intel - Load intelligence to memory"""
     field_to_ioc_type = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5',
     }
     enabled_config = {
         'threat_intel': {
             'enabled': True,
             'mapping': field_to_ioc_type,
         },
     }
     StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')
     # Inspect the name-mangled class-level store rather than the public
     # accessor, so this test pins what load_intelligence itself stored.
     loaded = StreamThreatIntel._StreamThreatIntel__intelligence  # pylint: disable=no-member
     expected_keys = ['domain', 'md5', 'ip']
     assert_items_equal(loaded.keys(), expected_keys)
     for ioc_type in expected_keys:
         assert_equal(len(loaded[ioc_type]), 10)
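 def test_get_config(self):
     """Threat Intel - get the log-field to IOC-type mapping via get_config()

     The original docstring was copy-pasted from test_get_intelligence and
     described the wrong accessor; this test checks get_config(), which
     must return exactly the 'mapping' block that was loaded.
     """
     field_to_ioc_type = {
         'sourceAddress': 'ip',
         'destinationDomain': 'domain',
         'fileHash': 'md5',
     }
     enabled_config = {
         'threat_intel': {
             'enabled': True,
             'mapping': field_to_ioc_type,
         },
     }
     StreamThreatIntel.load_intelligence(enabled_config, 'tests/unit/fixtures')
     datatypes_ioc_mapping = StreamThreatIntel.get_config()
     # Keys are the log fields (mapping keys), not the IOC types
     expected_keys = ['sourceAddress', 'destinationDomain', 'fileHash']
     assert_items_equal(datatypes_ioc_mapping.keys(), expected_keys)
     # Every loaded pair must round-trip unchanged
     for log_field, ioc_type in field_to_ioc_type.items():
         assert_equal(datatypes_ioc_mapping[log_field], ioc_type)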
    def __init__(self, context, enable_alert_processor=True):
        """Initializer

        Loads (or reuses) the StreamAlert config, derives the runtime
        environment from the Lambda context, and builds the sink and
        classifier used for this invocation. Also loads threat intelligence
        according to the 'threat_intel' section of the config.

        Args:
            context (dict): An AWS context object which provides metadata on the currently
                executing lambda function.
            enable_alert_processor (bool): If the user wants to send the alerts using their
                own methods, 'enable_alert_processor' can be set to False to suppress
                sending with the StreamAlert alert processor.

        Raises:
            Whatever load_config() raises on an invalid config (the original
            comment below refers to ConfigErrors).
        """
        # Load the config. Validation occurs during load, which will
        # raise exceptions on any ConfigErrors
        # NOTE: `config` is stored on the class, not the instance, so it is
        # loaded once and then reused by later instances; in a warm Lambda
        # container that cache presumably outlives a single invocation, so
        # a config change needs a cold start to take effect — confirm.
        # A falsy (empty) config is not cached and will be reloaded each time.
        StreamAlert.config = StreamAlert.config or load_config()

        # Load the environment from the context arn
        self.env = load_env(context)

        # Instantiate the sink here to handle sending the triggered alerts to the
        # alert processor
        self.sinker = StreamSink(self.env)

        # Instantiate a classifier that is used for this run
        # (`self.config` resolves to the class attribute set above)
        self.classifier = StreamClassifier(config=self.config)

        self.enable_alert_processor = enable_alert_processor
        # Per-invocation counters and the accumulated alerts for this run
        self._failed_record_count = 0
        self._processed_size = 0
        self._alerts = []

        # Create a dictionary to hold parsed payloads by log type.
        # Firehose needs this information to send to its corresponding
        # delivery stream.
        self.categorized_payloads = defaultdict(list)

        # Firehose client initialization
        # (deferred: only the placeholder is set here)
        self.firehose_client = None
        # Load threat intelligence into StreamThreatIntel's class-level store
        # using the 'threat_intel' section of the shared config. The unit tests
        # above assert that nothing is loaded when 'enabled' is False, so with
        # the feature off this is expected to be a no-op.
        StreamThreatIntel.load_intelligence(self.config)