def test_first_fetch_incidents(mocked_parse_date_range, requests_mock):
    """Check a first fetch (empty ``last_run``) against the ``sinceTime`` query.

    ``mocked_parse_date_range`` supplies the start of the fetch window. The
    test pins the number of incidents, the ``messageID`` of the first one and
    the ``last_fetch`` marker returned for the following run.
    """
    window_start = "2010-01-01T00:00:00Z"
    mocked_parse_date_range.return_value = (window_start, "never mind")

    requests_mock.get(
        MOCK_URL + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z",
        json=MOCK_ALL_EVENTS,
    )

    # Dummy credentials. verify=False is tolerable only because the endpoint
    # is registered on requests_mock; do not carry it into a real configuration.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
    )

    result = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status="",
        threat_type="",
    )
    next_run, incidents = result

    assert len(incidents) == 4
    first_raw = json.loads(incidents[0]['rawJSON'])
    # NOTE(review): this expected value looks masked in this copy of the file;
    # confirm it against the messageID stored in MOCK_ALL_EVENTS.
    assert first_raw["messageID"] == "*****@*****.**"
    assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_next_fetch(requests_mock):
    """Check a follow-up fetch that resumes from a stored ``last_fetch``.

    The mocked URL requires ``sinceTime`` plus both ``threatStatus`` values,
    so the request only matches when the filters reach the query string.
    """
    previous_fetch = "2010-01-01T00:00:00Z"
    expected_url = (
        MOCK_URL
        + "/v2/siem/all?format=json&sinceTime=2010-01-01T00%3A00%3A00Z"
        "&threatStatus=active&threatStatus=cleared"
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    # Dummy credentials; TLS verification is off only because the call is
    # answered by requests_mock.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
    )

    next_run, incidents = fetch_incidents(
        client=tap_client,
        last_run={"last_fetch": previous_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
    )

    assert len(incidents) == 4
    first_raw = json.loads(incidents[0]['rawJSON'])
    # NOTE(review): the expected messageID appears masked in this copy;
    # confirm it against MOCK_ALL_EVENTS.
    assert first_raw["messageID"] == "*****@*****.**"
    assert next_run == {"last_fetch": "2010-01-30T00:01:00.000Z"}
def test_next_fetch(requests_mock, mocker):
    """Check a follow-up fetch that queries by ``interval`` with a frozen clock.

    ``get_now`` is patched to the same instant as ``last_fetch``, so the
    mocked URL carries an interval whose start and end are identical. Both
    ``threatStatus`` values must also appear in the query string.
    """
    previous_fetch = "2010-01-01T00:00:00Z"
    frozen_now = datetime.strptime(previous_fetch, "%Y-%m-%dT%H:%M:%SZ")
    mocker.patch('ProofpointTAP_v2.get_now', return_value=frozen_now)

    expected_url = (
        MOCK_URL
        + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%'
        '2F2010-01-01T00%3A00%3A00Z&threatStatus=active&threatStatus=cleared'
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    # Dummy credentials; verify=False is acceptable only because the request
    # is served by requests_mock.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
        proxies=None,
    )

    # The third return value is not inspected by this test.
    next_run, incidents, _ = fetch_incidents(
        client=tap_client,
        last_run={"last_fetch": previous_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=50,
    )

    assert len(incidents) == 4
    last_raw = json.loads(incidents[3]['rawJSON'])
    assert last_raw["messageID"] == "4444"
def test_first_fetch_incidents(requests_mock, mocker):
    """Check a first fetch (empty ``last_run``) against the ``interval`` query.

    Both ``get_now`` and ``parse_date_range`` are patched, which fixes the
    interval the mocked URL has to match.
    """
    mocker.patch('ProofpointTAP_v2.get_now', return_value=get_mocked_time())
    mocker.patch(
        'ProofpointTAP_v2.parse_date_range',
        return_value=("2010-01-01T00:00:00Z", 'never mind'),
    )

    expected_url = (
        MOCK_URL
        + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z'
    )
    requests_mock.get(expected_url, json=MOCK_ALL_EVENTS)

    # Dummy credentials; TLS verification is disabled only because the
    # endpoint is mocked.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
        proxies=None,
    )

    # The third return value is not inspected by this test.
    next_run, incidents, _ = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status="",
        threat_type="",
    )

    assert len(incidents) == 4
    last_raw = json.loads(incidents[3]['rawJSON'])
    assert last_raw["messageID"] == "4444"
def test_fetch_limit(requests_mock, mocker):
    """Check that ``limit`` caps a fetch and the overflow goes to the next run.

    The first call with ``limit=3`` must return three incidents and one
    leftover. The second call receives that leftover through
    ``integration_context`` and must return it with nothing remaining.
    """
    mock_date = "2010-01-01T00:00:00Z"
    run_state = {"last_fetch": "2010-01-01T00:00:00Z"}
    frozen_now = datetime.strptime(mock_date, "%Y-%m-%dT%H:%M:%SZ")
    mocker.patch('ProofpointTAP_v2.get_now', return_value=frozen_now)
    requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)

    # Dummy credentials; verify=False is acceptable only because every
    # request is answered by requests_mock.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
        proxies=None,
    )

    # First run: the limit truncates the batch and one incident is held back.
    next_run, incidents, leftover = fetch_incidents(
        client=tap_client,
        last_run=run_state,
        first_fetch_time="3 days",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=3,
    )
    assert next_run['last_fetch'] == '2010-01-01T00:00:00Z'
    assert len(incidents) == 3
    assert len(leftover) == 1

    # Second run: the held-back incident is supplied via integration_context.
    next_run, incidents, leftover = fetch_incidents(
        client=tap_client,
        last_run=run_state,
        first_fetch_time="3 days",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=3,
        integration_context={'incidents': leftover},
    )
    assert next_run['last_fetch'] == '2010-01-01T00:00:00Z'
    assert len(incidents) == 1
    assert not leftover
def test_fetch_incidents_with_encoding(requests_mock, mocker):
    """
    Given:
        - A delivered message whose subject contains latin characters
        - The raw JSON encoding parameter set to latin-1

    When:
        - Fetching incidents

    Then:
        - The subject in the incident's raw JSON is decoded correctly
    """
    mocker.patch('ProofpointTAP_v2.get_now', return_value=get_mocked_time())
    mocker.patch(
        'ProofpointTAP_v2.parse_date_range',
        return_value=("2010-01-01T00:00:00Z", 'never mind'),
    )

    # The subject is mis-decoded on purpose: \u00c3\u00a9 is the UTF-8 byte
    # pair of "é" (C3 A9) read as two latin-1 characters.
    delivered_message = {
        'subject': 'p\u00c3\u00a9rdida',
        'messageTime': '2010-01-30T00:00:59.000Z',
    }
    requests_mock.get(
        MOCK_URL + '/v2/siem/all?format=json&interval=2010-01-01T00%3A00%3A00Z%2F2010-01-01T00%3A00%3A00Z',
        json={"messagesDelivered": [delivered_message]},
    )

    # Dummy credentials; TLS verification is off only because the endpoint
    # is mocked.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version='v2',
        service_principal='user1',
        secret='123',
        verify=False,
        proxies=None,
    )

    _, incidents, _ = fetch_incidents(
        client=tap_client,
        last_run={},
        first_fetch_time='3 month',
        event_type_filter=ALL_EVENTS,
        threat_status='',
        threat_type='',
        raw_json_encoding='latin-1',
    )

    first_raw = json.loads(incidents[0]['rawJSON'])
    assert first_raw['subject'] == 'pérdida'
def test_fetch_limit(requests_mock):
    """Check that ``limit=3`` caps the batch and sets ``last_fetch`` to match.

    ``fetch_incidents`` returns two values here. The expected ``last_fetch``
    is presumably the timestamp of the last incident kept in the batch;
    confirm against MOCK_ALL_EVENTS.
    """
    previous_fetch = "2010-01-01T00:00:00Z"
    requests_mock.get(MOCK_URL + '/v2/siem/all', json=MOCK_ALL_EVENTS)

    # Dummy credentials; verify=False is acceptable only because the request
    # is served by requests_mock.
    tap_client = Client(
        proofpoint_url=MOCK_URL,
        api_version="v2",
        service_principal="user1",
        secret="123",
        verify=False,
        proxies=None,
    )

    next_run, incidents = fetch_incidents(
        client=tap_client,
        last_run={"last_fetch": previous_fetch},
        first_fetch_time="3 month",
        event_type_filter=ALL_EVENTS,
        threat_status=["active", "cleared"],
        threat_type="",
        limit=3,
    )

    assert len(incidents) == 3
    assert next_run.get('last_fetch') == '2010-01-11T00:00:21Z'