def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Microsoft Graph Security doesn't have information, will return empty data ID: CCTRI-1707-335903f4-b387-4ad9-8f8b-badfb1ae7f8c Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Microsoft Graph Security module Importance: Critical """ observables = [ { "value": observable, "type": observable_type }, ] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) assert direct_observables['module'] == MODULE_NAME assert direct_observables['module_instance_id'] assert direct_observables['module_type_id'] assert direct_observables['data'] == {}
def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which CyberCrime Tracker doesn't have information, will return empty data ID: CCTRI-1707-07e734d0-1dcc-4f6a-b169-b8f1b4f53d3d Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from CyberCrime Tracker module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_cybercrime_module = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_cybercrime_module['module'] == MODULE_NAME assert response_from_cybercrime_module['module_instance_id'] assert response_from_cybercrime_module['module_type_id'] assert response_from_cybercrime_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Gigamon ThreatINSIGHT module doesn't have information, will return empty data ID: CCTRI-1695-dfc0dce8-6ed3-4c8d-a1b1-ce9675ce15f9 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from Gigamon ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] == MODULE_NAME assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] assert response_from_gigamon['data'] == {}
def test_positive_smoke_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Qualys doesn't have information, will return empty data ID: CCTRI-1707-2af2e5ec-d6bd-4a9b-83c1-5cb78786f145 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Qualys module Importance: Critical """ observables = [{"value": observable, "type": observable_type}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_qualys_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_qualys_module['module'] == MODULE_NAME assert response_from_qualys_module['module_instance_id'] assert response_from_qualys_module['module_type_id'] assert response_from_qualys_module['data'] == {}
def test_positive_smoke_empty_observable(module_headers): """Perform testing for enrich observe observables endpoint to check that observable, on which Have I Been Pwned doesn't have information, will return empty data ID: CCTRI-1695-b98d1d01-fd20-492f-bda5-bafb313a0737 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from Have I Been Pwned Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response_from_all_modules = enrich_observe_observables( payload=observable, **{'headers': module_headers}) response_from_hibp_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_hibp_module['module'] == MODULE_NAME assert response_from_hibp_module['module_instance_id'] assert response_from_hibp_module['module_type_id'] assert response_from_hibp_module['data'] == {}
def test_positive_verdict(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to get verdicts for observable from CyberCrime Tracker ID: CCTRI-813-700a7520-6454-485c-8daf-f876c6e57602 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected verdicts for observable from CyberCrime Tracker Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_cybercrime_module = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_cybercrime_module['module'] == MODULE_NAME assert response_from_cybercrime_module['module_instance_id'] assert response_from_cybercrime_module['module_type_id'] verdicts = response_from_cybercrime_module['data']['verdicts'] assert verdicts['count'] == 1 for verdict in verdicts['docs']: assert verdict['type'] == 'verdict' assert verdict['disposition'] == 2 assert verdict['observable'] == observables[0] assert verdict['valid_time']['start_time'] assert verdict['valid_time']['end_time']
def test_positive_smoke_empty_observables(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which Google Chronicle doesn't have information, will return empty data ID: CCTRI-1707-1a53cc5b-80c7-4859-bdd2-dc6f301ffac9 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Google Chronicle module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_chronicle_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_chronicle_module['module'] == MODULE_NAME assert response_from_chronicle_module['module_instance_id'] assert response_from_chronicle_module['module_type_id'] assert response_from_chronicle_module['data'] == {}
def test_positive_smoke_observe_observables_empty_observables( module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check that observable, on which AlienVault OTX doesn't have information, will return empty data ID: CCTRI-1695-8f48503a-5277-4578-9f38-8d31b2aaa3cb Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains empty dict from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] assert response_from_alien_vault['data'] == {}
def test_positive_smoke_empty_observables(module_headers): """Perform testing for enrich observe observables endpoint to check that observable, on which Spycloud doesn't have information, will return empty data ID: CCTRI-1695-2b2f141b-d2ac-4a26-a254-2f9524e5ad75 Steps: 1. Send request to enrich observe observables endpoint Expectedresults: 1. Response body contains empty data dict from Spycloud module Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response_from_all_modules = enrich_observe_observables( payload=observable, **{'headers': module_headers}) response_from_spycloud_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_spycloud_module['module'] == MODULE_NAME assert response_from_spycloud_module['module_instance_id'] assert response_from_spycloud_module['module_type_id'] assert response_from_spycloud_module['data'] == {}
def test_positive_sighting(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check sightings of Urlscan module ID: CCTRI-818-acd56463-e158-4c67-9b26-57f08bbe775c Steps: 1. Send request to enrich observe observable endpoint and check sighting Expectedresults: 1. Response body contains sightings entity with needed fields from Urlscan module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_urlscan_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_urlscan_module['module'] == MODULE_NAME assert response_from_urlscan_module['module_instance_id'] assert response_from_urlscan_module['module_type_id'] sightings = response_from_urlscan_module['data']['sightings'] assert len(sightings['docs']) > 0 for sighting in sightings['docs']: assert sighting['description'] == 'Scan Result' assert sighting['schema_version'] assert sighting['observables'] == observables assert sighting['type'] == 'sighting' assert sighting['source'] == URLSCAN assert sighting['external_ids'] assert sighting['internal'] is False assert sighting['source_uri'] == ( f'{URL}/result/{sighting["external_ids"][0]}') assert sighting['id'].startswith('transient:sighting') assert sighting['count'] == 1 assert sighting['confidence'] == CONFIDENCE_LEVEL assert sighting['observed_time']['start_time'] == ( sighting['observed_time']['end_time']) assert sighting['data']['columns'] assert sighting['data']['rows'] assert [relation['relation'] for relation in sighting['relations']] == RELATION_TYPES for relation in sighting['relations']: assert relation['origin'] == f'{URLSCAN} Module' assert relation['source']['value'] assert relation['source']['type'] assert relation['related']['value'] assert relation['related']['type'] assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_smoke_enrich_relationships(module_headers, observable, observable_type): """Perform testing for enrich observe observable endpoint to check relationships of AlienVault OTX module ID: CCTRI-1335-943cacc5-0157-42d8-af5c-3778c4b79031 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Response body contains relationships entity with needed fields from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] relationships = response_from_alien_vault['data']['relationships'] indicators_ids = { indicator['id'] for indicator in response_from_alien_vault['data']['indicators'] ['docs'] } sightings_ids = { sighting['id'] for sighting in response_from_alien_vault['data']['sightings']['docs'] } target_ref = { relationship['target_ref'] for relationship in response_from_alien_vault['data']['relationships'] ['docs'] } source_ref = { relationship['source_ref'] for relationship in response_from_alien_vault['data']['relationships'] ['docs'] } assert target_ref == indicators_ids assert source_ref == sightings_ids assert len(relationships['docs']) > 0 for relationship in relationships['docs']: assert relationship['schema_version'] assert relationship['type'] == 'relationship' assert relationship['id'].startswith('transient:relationship') assert relationship['relationship_type'] == 'member-of' assert relationships['count'] == len(relationships['docs'])
def test_positive_enrich_observe_observables_sha256(module_headers): """Perform testing for enrich observe observables endpoint for sha256 in Graph Security module ID: CCTRI-354-38e92acf-45e2-4ff6-b5f4-c7e7f4e20f2d Steps: 1. Send request with observable that has SHA256 type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = ( '091835b16192e526ee1b8a04d0fcef534544cad306672066f2ad6973a4b18b19') observable_type = 'sha256' expected_observable = { 'description': ('Attackers can implant the right-to-left-override (RLO) in a ' 'filename to change the order of the characters in the filename ' 'and make it appear legitimate. This technique is used in ' 'different social engineering attacks to convince the user to run' ' the file, and may also be used for hiding purposes. The file ' 'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Right-to-Left-Override (RLO) technique observed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data assert direct_observables['module'] == MODULE_NAME assert direct_observables['module_instance_id'] assert direct_observables['module_type_id'] sightings = direct_observables['data']['sightings'] assert sightings['count'] == 2 sighting = sightings['docs'][0] assert sighting['observables'] == observables for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_ip(module_headers): """ Perform testing for enrich observe observables endpoint for IP in Graph Security module ID: CCTRI-467-63340fd2-3ed5-44f5-b274-c5595322dc43 Steps: 1. Send request with observable that has IP type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = '10.8.168.41' observable_type = 'ip' expected_observable = { 'description': ('SQL Injection, Cross-Site Scripting. We observed the following ' 'suspicious value enter the application through the HTTP Request ' 'Parameter "userid":POST /WebGoat/SqlInjection/attack5b HTTP/1.0 ' 'userid=4+OR+1%3D1 This value was again observed altering the ' 'meaning of the SQL query executed within ' 'org.hsqldb.jdbc.JDBCStatement.executeQuery(Unknown Source):' 'SELECT * FROM user_data WHERE userid = 4 OR 1=1.'), 'external_ids': ['257F2933-A145-4061-9464-2D964A91EB91'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'High', 'source': 'Microsoft Graph Security', 'title': 'Active attack EXPLOITED in QA', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_sighting_relation(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check relationships in sighting of Gigamon ThreatINSIGHT module ID: CCTRI-1174-fb8d55ae-0352-4170-9b17-ddf49fa81783 Steps: 1. Send request to enrich observe observable endpoint and check relationships in sighting Expectedresults: 1. Response body contains relationships in sightings entity with needed fields from Gigamon ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] == MODULE_NAME assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] sightings = response_from_gigamon['data']['sightings'] assert len(sightings['docs']) > 0 for sighting in sightings['docs']: if 'HTTP' in sighting['description'].splitlines()[0]: http_relations = { relation['relation'] for relation in sighting['relations'] } assert 'Connected_To' in http_relations download_relations = {'Downloaded_To', 'Downloaded_From'} upload_relations = {'Uploaded_From', 'Uploaded_To'} intersection_relations = http_relations & (download_relations | upload_relations) assert not intersection_relations or (intersection_relations == download_relations) or ( intersection_relations == upload_relations) for relation in sighting['relations']: assert relation['origin'] == INTEGRATION_NAME assert relation['relation'] in RELATIONS_TYPES assert relation['source']['value'] assert relation['source']['type'] in RELATED_OBSERVABLES_TYPES assert relation['related']['value'] assert relation['related']['type'] in RELATED_OBSERVABLES_TYPES if relation['relation'] == 'Hosted_On': assert relation['source']['value'].startswith('http') and ( relation['source']['type'] == 'url') assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_relationship(module_headers, observable_type, observable): """Perform testing for enrich observe observables endpoint to get relationship for observable from Google Chronicle module ID: CCTRI-859-923556f5-f678-4ed3-a2ed-f2c37bd4b5e5 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains expected relationship for observable from Google Chronicle module and it connects expected entities Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_chronicle_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_chronicle_module['module'] == MODULE_NAME assert response_from_chronicle_module['module_instance_id'] assert response_from_chronicle_module['module_type_id'] indicators_ids = { indicator['id'] for indicator in ( response_from_chronicle_module['data']['indicators']['docs'] ) } sightings_ids = { sighting['id'] for sighting in ( response_from_chronicle_module['data']['sightings']['docs'] ) } relationships = ( response_from_chronicle_module['data']['relationships'] ) assert len(relationships['docs']) > 0 for relationship in relationships['docs']: assert relationship['schema_version'] assert relationship['type'] == 'relationship' assert relationship['relationship_type'] == 'sighting-of' assert relationship['target_ref'] in indicators_ids assert relationship['source_ref'] in sightings_ids assert relationships['count'] == ( len(relationships['docs'])) <= ( CTR_ENTITIES_LIMIT )
def test_positive_indicators(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check indicators of Gigamon ThreatINSIGHT module ID: CCTRI-1094-fb59a541-a42e-41fc-b859-52a1b564c14e Steps: 1. Send request to enrich observe observable endpoint and check indicators Expectedresults: 1. Response body contains indicators entity with needed fields from ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon_module['module'] == MODULE_NAME assert response_from_gigamon_module['module_instance_id'] assert response_from_gigamon_module['module_type_id'] indicators = response_from_gigamon_module['data']['indicators'] assert len(indicators['docs']) > 0 for indicator in indicators['docs']: assert indicator['description'] assert indicator['producer'] == INTEGRATION_NAME assert indicator['schema_version'] assert indicator['type'] == 'indicator' assert indicator['source'] == INTEGRATION_NAME assert indicator['short_description'] assert indicator['title'] assert indicator['confidence'] in CONFIDENCE assert indicator['severity'] in SEVERITY assert indicator['external_ids'] assert indicator['id'] == ( f"transient:indicator-{indicator['external_ids'][0]}") assert indicator['valid_time']['start_time'] assert 'tags' in indicator assert indicator['source_uri'] == ( f'{GIGAMON_URL}/detections/rules/{indicator["external_ids"][0]}') for external_reference in indicator['external_references']: assert external_reference['description'] assert external_reference['external_id'] == ( indicator['external_ids'][0]) assert external_reference['source_name'] == INTEGRATION_NAME assert external_reference['url'] == ( f'{GIGAMON_URL}' f'/detections/rules/{indicator["external_ids"][0]}') assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_file_path(module_headers): """ Perform testing for enrich observe observables endpoint for FILE_PATH in Graph Security module ID: CCTRI-471-a7435d3f-2160-43c6-b8de-a2da65f9c40d Steps: 1. Send request with observable that has FILE_PATH type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = r'C:\Windows\SYSTEM32\ntdll.dll' observable_type = 'file_path' external_id = '0F72C58F-1D01-4284-BB32-C53DD45B5C01' expected_observable = { 'description': ('A process suspiciously tried to access the export address table ' '(EAT) to look for potentially useful APIs. This might indicate ' 'an exploitation attempt. The process svchost.exe, with process ' 'ID 404, tried accessing the Export Address table for module ' r'C:\\Windows\\SYSTEM32\\ntdll.dll and was blocked'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'source': 'Microsoft Graph Security', 'external_ids': [external_id], 'type': 'sighting', 'title': 'Exploit Guard blocked dynamic code execution', 'severity': 'High' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) assert direct_observables['data']['sightings']['count'] == 2 current_observables = direct_observables['data']['sightings']['docs'] sighting = [ observable for observable in current_observables if observable['external_ids'][0] == external_id ][0] assert sighting['observables'] == observables for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_file_name(module_headers): """ Perform testing for enrich observe observables endpoint for file_name in Graph Security module ID: CCTRI-470-ef6c5b84-ac4e-463d-bf3f-bf8dd08b7a07 Steps: 1. Send request with observable that has file_name type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'photoview1sp.jpg' observable_type = 'file_name' expected_observable = { 'description': ('Attackers can implant the right-to-left-override (RLO) in a ' 'filename to change the order of the characters in the filename ' 'and make it appear legitimate. This technique is used in ' 'different social engineering attacks to convince the user to run ' 'the file, and may also be used for hiding purposes. The file ' 'photoviewgpj.ps1 disguises itself as photoview1sp.jpg'), 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Right-to-Left-Override (RLO) technique observed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_url(module_headers): """ Perform testing for enrich observe observables endpoint for URL in Graph Security module ID: CCTRI-468-dfcd642e-f02b-428b-9695-168e7d59d533 Steps: 1. Send request with observable that has URL type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'http://register.fabricam.com/start.php' observable_type = 'url' expected_observable = { 'description': ('Analysis of host data detected a powershell script running on ' 'LAP-DOUGLASF that has features in common with known suspicious ' 'scripts. This script could either be legitimate activity, or an ' 'indication of a compromised host.'), 'external_ids': ['D16B2923-2134-4F94-9FF1-B40761EA3E1D'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Suspicious Powershell Activity Detected', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_enrich_observe_observables_hostname(module_headers): """ Perform testing for enrich observe observables endpoint for HOSTNAME in Graph Security module ID: CCTRI-472-67881b85-20d7-4f11-94d6-dd228d72753c Steps: 1. Send request with observable that has HOSTNAME type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'DT-ALDOM' observable_type = 'hostname' expected_observable = { 'description': ('The system process c:\\windows\\fonts\\csrss.exe was observed ' 'running in an abnormal context. Malware often use this process ' 'name to masquerade its malicious activity.'), 'external_ids': ['597E99F8-50B6-4D7B-A45A-A35BDB35EFF8'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Medium', 'source': 'Microsoft Graph Security', 'title': 'Suspicious system process executed', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_sighting_email(module_headers): """Perform testing for enrich observe observables endpoint to get sighting for observable from Have I Been Pwned module ID: CCTRI-812-57f2d8d6-a897-4ce4-abcf-331296e2d86a Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected sighting for observable from Have I Been Pwned module Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response = enrich_observe_observables(payload=observable, **{'headers': module_headers}) sightings = get_observables(response, 'Have I Been Pwned')['data']['sightings'] assert len(sightings['docs']) > 0 # check some generic properties for sighting in sightings['docs']: assert sighting['type'] == 'sighting' assert sighting['count'] == 1 assert sighting['internal'] is False assert sighting['title'] == f'Found on {MODULE_NAME}' assert sighting['observables'] == observable assert sighting['source'] == MODULE_NAME assert sighting['source_uri'] == ( f'{HIBP_URL}/account/user%40example.com') assert sighting['targets'][0]['type'] == 'email' assert sighting['targets'][0]['observables'] == observable assert sighting['observed_time']['start_time'] == ( sighting['observed_time']['end_time']) assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT # check properties of one unique sighting sighting = [d for d in sightings['docs'] if 'Apollo' in d['description']][0] assert sighting['description'] == ( f'{observable[0]["value"]} present in Apollo breach.') relation = { 'origin': MODULE_NAME, 'origin_uri': f'{HIBP_URL}/account/user%40example.com', 'relation': 'Leaked_From', 'source': observable[0], 'related': { 'value': 'apollo.io', 'type': 'domain' } } assert sighting['relations'][0] == relation assert sighting['confidence'] == 'High' assert sighting['severity'] == 'Medium'
def test_positive_relationships(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check relationships of Gigamon ThreatINSIGHT module ID: CCTRI-1094-52303f90-0ac9-42e5-80b7-aab5b5d83f47 Steps: 1. Send request to enrich observe observable endpoint and check relationships Expectedresults: 1. Response body contains relationships entity with needed fields from ThreatINSIGHT module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_gigamon = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] relationships = response_from_gigamon['data']['relationships'] indicators = response_from_gigamon['data']['indicators'] sightings = response_from_gigamon['data']['sightings'] indicators_ids = frozenset( indicator['id'] for indicator in indicators['docs']) sightings_ids = frozenset( sighting['id'] for sighting in sightings['docs']) assert len(relationships['docs']) > 0 for relationship in relationships['docs']: assert relationship['schema_version'] assert relationship['target_ref'].startswith('transient:indicator') assert relationship['target_ref'] in indicators_ids assert relationship['type'] == 'relationship' assert relationship['source_ref'].startswith('transient:sighting') assert relationship['source_ref'] in sightings_ids assert relationship['id'].startswith('transient:relationship') assert relationship['relationship_type'] == 'sighting-of' assert relationships['count'] == ( len(relationships['docs'])) <= ( CTR_ENTITIES_LIMIT )
def test_positive_enrich_observe_observables_domain(module_headers): """ Perform testing for enrich observe observables endpoint for domain in Graph Security module ID: CCTRI-354-91094c36-a118-48a6-9ba9-5f73a1f63208 Steps: 1. Send request with observable that has domain type to observe observables endpoint Expectedresults: 1. Check that data in response body contains expected information from Microsoft Graph Security module Importance: Critical """ observable = 'www.febrikam.com' observable_type = 'domain' expected_observable = { 'description': ('A Windows process has connected to a newly registered domain.'), 'external_ids': ['F007461A-C92F-48E5-A734-89A4E5F38A15'], 'schema_version': '1.0.12', 'sensor': 'endpoint', 'severity': 'Low', 'source': 'Microsoft Graph Security', 'title': 'Connection to newly registered domain', 'type': 'sighting' } # Get sightings observables = [{"value": observable, "type": observable_type}] response = enrich_observe_observables(payload=observables, **{'headers': module_headers}) direct_observables = get_observables(response, MODULE_NAME) # Check respond data sightings = direct_observables['data']['sightings'] assert sightings['count'] == 1 sighting = sightings['docs'][0] assert sighting['observables'] == observables assert set(sighting['observed_time'].keys()) == {'start_time', 'end_time'} for key in expected_observable.keys(): assert expected_observable[key] == sighting[key]
def test_positive_judgement(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to check judgements of Urlscan module ID: CCTRI-1032-edddfab6-e48f-4121-af52-23f25044b72f Steps: 1. Send request to enrich observe observable endpoint and check judgement Expectedresults: 1. Response body contains judgements entity with needed fields from Urlscan module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_urlscan_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_urlscan_module['module'] == MODULE_NAME assert response_from_urlscan_module['module_instance_id'] assert response_from_urlscan_module['module_type_id'] judgements = response_from_urlscan_module['data']['judgements'] assert len(judgements['docs']) > 0 for judgement in judgements['docs']: assert judgement['valid_time']['start_time'] assert judgement['valid_time']['end_time'] assert judgement['schema_version'] assert judgement['observable'] == observables[0] assert judgement['type'] == 'judgement' assert judgement['source'] == URLSCAN assert judgement['disposition'] == 2 assert judgement['reason'] assert judgement['source_uri'].startswith(URL) assert judgement['disposition_name'] == 'Malicious' assert judgement['priority'] assert judgement['id'].startswith('transient:judgement') assert judgement['severity'] == SEVERITY_LEVEL assert judgement['confidence'] == CONFIDENCE_LEVEL for external_reference in judgement['external_references']: assert external_reference['source_name'] == URLSCAN assert external_reference['description'] assert external_reference['url'] assert judgements['count'] == len(judgements['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_indicator_email(module_headers): """Perform testing for enrich observe observables endpoint to get indicator for observable from Have I Been Pwned module ID: CCTRI-843-2a0ae451-954a-4daf-b4e9-33f8f7b2e8b0 Steps: 1. Send request to enrich deliberate observable endpoint Expectedresults: 1. Check that data in response body contains expected indicator for observable from Have I Been Pwned module Importance: Critical """ observable = [{'type': 'email', 'value': '*****@*****.**'}] response_from_all_modules = enrich_observe_observables( payload=observable, **{'headers': module_headers}) response_from_hibp_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_hibp_module['module'] == MODULE_NAME assert response_from_hibp_module['module_instance_id'] assert response_from_hibp_module['module_type_id'] indicators = response_from_hibp_module['data']['indicators'] assert len(indicators['docs']) > 0 # check some generic properties for indicator in indicators['docs']: assert indicator['type'] == 'indicator' assert indicator['producer'] == MODULE_NAME assert indicator['source'] == f'{MODULE_NAME} Breaches' assert indicator['tlp'] == 'white' if (indicator['confidence'] == 'High' and 'Passwords' in indicator['tags']): assert indicator['severity'] == 'High' else: assert indicator['severity'] == 'Medium' assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT # check properties of one unique indicator indicator = [d for d in indicators['docs'] if d['title'] == 'PDL'][0] assert indicator[ 'short_description'] == 'Data Enrichment Exposure From PDL Customer' assert ('Exposed information included email addresses, ' 'phone numbers, social media') in indicator['description'] tags = [ 'Email addresses', 'Employers', 'Geographic locations', 'Job titles', 'Names', 'Phone numbers', 'Social media profiles' ] assert indicator['tags'] == tags assert indicator['confidence'] == 'High'
def test_positive_smoke_enrich_sightings(module_headers, observable, observable_type): """Perform testing for enrich observe observable endpoint to check sightings of AlienVault OTX module ID: CCTRI-1333-027027d6-bdd9-4c03-8704-65a541f8b7ee Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Response body contains sighting entity with needed fields from AlienVault OTX module Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} )['data'] response_from_alien_vault = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_alien_vault['module'] == MODULE_NAME assert response_from_alien_vault['module_instance_id'] assert response_from_alien_vault['module_type_id'] sightings = response_from_alien_vault['data']['sightings'] assert len(sightings['docs']) > 0 for sighting in sightings['docs']: assert 'description' in sighting assert sighting['schema_version'] assert sighting['observables'] == observables assert sighting['type'] == 'sighting' assert sighting['source'] == MODULE_NAME assert sighting['external_ids'] assert sighting['title'] assert sighting['internal'] is False assert sighting['source_uri'] == ( f'{ALIEN_VAULT_URL}/pulse/{sighting["external_ids"][0]}') assert sighting['id'].startswith('transient:sighting') assert sighting['count'] == 1 assert sighting['tlp'] assert sighting['confidence'] == CONFIDENCE_LEVEL assert sighting['observed_time']['start_time'] == ( sighting['observed_time']['end_time']) assert sightings['count'] == len(sightings['docs'])
def test_positive_indicators(module_headers, observable, observable_type): """Perform testing for enrich observe observables endpoint to get indicators from Google Chronicle ID: CCTRI-859-56c35f55-a7f7-4857-8ba1-39ef7f644932 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains expected indicators for observable from Google Chronicle Importance: Critical """ observables = [{'type': observable_type, 'value': observable}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers} ) response_from_chronicle_module = get_observables( response_from_all_modules, MODULE_NAME) assert response_from_chronicle_module['module'] == MODULE_NAME assert response_from_chronicle_module['module_instance_id'] assert response_from_chronicle_module['module_type_id'] indicators = response_from_chronicle_module['data']['indicators'] assert len(indicators['docs']) > 0 # check some generic properties for indicator in indicators['docs']: assert 'valid_time' in indicator assert indicator['type'] == 'indicator' assert indicator['producer'] == PRODUCER assert indicator['schema_version'] assert indicator['short_description'] assert indicator['title'] == indicator['short_description'] assert indicator['id'].startswith('transient:indicator-') assert indicator['severity'] in SEVERITY assert indicator['confidence'] in CONFIDENCE if 'external_references' in indicator: for external_references in indicator['external_references']: assert external_references['source_name'] == SOURCE_NAME assert external_references['url'].startswith('http') assert indicators['count'] == ( len(indicators['docs'])) <= ( CTR_ENTITIES_LIMIT )
def test_positive_indicators_ip_observable(module_headers): """Perform testing for enrich observe observables endpoint to get indicators for observable from Abuse IPDB module ID: CCTRI-840-10da94e0-4b1b-4fa2-bd4f-3e9885426918 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains expected indicators for observable from Abuse IPDB module Importance: Critical """ observables = [{'type': 'ip', 'value': '1.1.1.1'}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_abuse_module = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_abuse_module['module'] == MODULE_NAME assert response_from_abuse_module['module_instance_id'] assert response_from_abuse_module['module_type_id'] indicators = response_from_abuse_module['data']['indicators'] assert len(indicators['docs']) > 0 for indicator in indicators['docs']: assert indicator['type'] == 'indicator' assert indicator['id'].startswith('transient:indicator-') assert indicator['schema_version'] assert indicator['producer'] == SOURCE assert indicator['valid_time'] == {} assert indicator['confidence'] == 'Medium' assert indicator['title'] assert indicator['description'] assert indicator['external_ids'] assert indicator['external_references'] == [{ 'source_name': SOURCE, 'description': f'{SOURCE} attack categories', 'url': f'{ABUSE_IPDB_URL}/categories', 'external_id': indicator["external_ids"][0] }] assert indicators['count'] == len(indicators['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_enrich_observe_observables_judgements( module_headers, observable, observable_type, disposition_name, disposition): """Perform testing for enrich observe observables endpoint to get judgements for observable Qualys module ID: CCTRI-797-9ce334d2-74bc-4c3a-bb8a-181f260076f0 Steps: 1. Send request to enrich observe observable endpoint Expectedresults: 1. Check that data in response body contains expected judgements for observable from Qualys module Importance: Critical """ observables = [{"value": observable, "type": observable_type}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_qualys_ioc = get_observables(response_from_all_modules, 'Qualys IOC') assert response_from_qualys_ioc['module'] assert response_from_qualys_ioc['module_instance_id'] assert response_from_qualys_ioc['module_type_id'] judgements = response_from_qualys_ioc['data']['judgements'] assert len(judgements['docs']) > 0 for judgement in judgements['docs']: assert 'valid_time' in judgement assert judgement['schema_version'] assert judgement['observable'] == observables[0] assert judgement['type'] == 'judgement' assert judgement['source'] == MODULE_NAME assert judgement['external_ids'] assert judgement['disposition'] == disposition assert 'external_references' in judgement assert 'reason' in judgement assert judgement['disposition_name'] == disposition_name assert judgement['priority'] == 90 assert judgement['id'].startswith('transient:judgement-') assert judgement['severity'] assert judgement['confidence'] == CONFIDENCE assert judgements['count'] == len(judgements['docs']) <= CTR_ENTITIES_LIMIT
def test_positive_sighting_x509(module_headers): """Perform testing for Gigamon ThreatINSIGHT module sightings functionality for x509 event types specifically ID: CCTRI-1125-82b45fee-9266-4793-9642-b89a324b8e26 Steps: 1. Send request to enrich observe observable endpoint and check sighting. Use observables that contains sightings for x509 event type Expectedresults: 1. Response body contains sightings entity with expected data for x509 event type Importance: Critical """ observables = [{'type': 'domain', 'value': 'wp.com'}] response_from_all_modules = enrich_observe_observables( payload=observables, **{'headers': module_headers}) response_from_gigamon = get_observables(response_from_all_modules, MODULE_NAME) assert response_from_gigamon['module'] == MODULE_NAME assert response_from_gigamon['module_instance_id'] assert response_from_gigamon['module_type_id'] sightings = response_from_gigamon['data']['sightings'] assert len(sightings['docs']) > 0 assert [ sighting for sighting in sightings['docs'] if 'Event: `X509`' in sighting['description'] ], 'There are no sightings with necessary event type' for sighting in sightings['docs']: if 'Event: `X509`' in sighting['description']: relation = [ r for r in sighting['relations'] if r['relation'] == 'SAN_DNS_For' ] assert relation assert relation[0]['origin'] == INTEGRATION_NAME assert relation[0]['source'] == observables[0] assert relation[0]['related']['type'] == 'ip' assert relation[0]['related']['value'] assert sightings['count'] == len(sightings['docs']) <= CTR_ENTITIES_LIMIT