[AbnormalSecurity] Expand integration commands (#29994)

* AbnormalSecurity.py * AbnormalSecurity.yml * AbnormalSecurity_test.py * command_examples * README * adding test data * adding test files * test file content * test file contents * test file contents * test file contents * test file contents * test file * test file content * release notes * Secrets * updating version * updating docker image * adjusting abuse mailbox context path * adding test files * adding test data * adding test files * fixing tests * test data * nit - tests * nit -tests * nit - remove hardcoded last fetch time * remove page numbers from threats command * remove nextPageNumber key * remove hardcoded last fetch time * linting fix * markdown fixes * release notes * fix vendors list command * fix vendor cases command * tests fix * nit - linting error: * update version * fixing context output * dont include vendors key * exclude vendors key * nit * exlude vendorCases key * nit * removing white spacE * fix unit tests * revert pack metadata change * revert release notes change * nit * revert release notes * nit * new release notes file * nit * update pack metadata * fix docker version in release files
demisto · Oct 5, 2023 · c590ec7 · c590ec7
1 parent 2a6b05c
commit c590ec7
Show file tree

Hide file tree

Showing 15 changed files with 2,202 additions and 908 deletions.
diff --git a/Packs/AbnormalSecurity/.secrets-ignore b/Packs/AbnormalSecurity/.secrets-ignore
@@ -3,3 +3,5 @@ https://api.abnormalplatform.com/v1
 abc@def.com
 XDM_CONST.OUTCOME_PARTIAL,
 XDM_CONST.OUTCOME_PARTIAL,
+192.158.1.38
+jane@doe.com
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.py
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity.yml
diff --git a/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py b/Packs/AbnormalSecurity/Integrations/AbnormalSecurity/AbnormalSecurity_test.py
@@ -2,18 +2,31 @@
 import demistomock as demisto
 import io
 import json
-from AbnormalSecurity import Client, check_the_status_of_an_action_requested_on_a_case_command, \
-    check_the_status_of_an_action_requested_on_a_threat_command, \
-    get_a_list_of_abnormal_cases_identified_by_abnormal_security_command, get_a_list_of_threats_command, \
-    get_details_of_an_abnormal_case_command, manage_a_threat_identified_by_abnormal_security_command, \
-    manage_an_abnormal_case_command, submit_an_inquiry_to_request_a_report_on_misjudgement_by_abnormal_security_command, \
-    get_the_latest_threat_intel_feed_command, download_data_from_threat_log_in_csv_format_command, \
-    get_a_list_of_campaigns_submitted_to_abuse_mailbox_command, get_details_of_an_abuse_mailbox_campaign_command, \
-    get_employee_identity_analysis_genome_data_command, get_employee_information_command, \
-    get_employee_login_information_for_last_30_days_in_csv_format_command, \
-    provides_the_analysis_and_timeline_details_of_a_case_command, submit_false_negative_report_command, \
-    submit_false_positive_report_command
+from AbnormalSecurity import (Client, check_the_status_of_an_action_requested_on_a_case_command,
+                              check_the_status_of_an_action_requested_on_a_threat_command,
+                              get_a_list_of_abnormal_cases_identified_by_abnormal_security_command,
+                              get_a_list_of_threats_command,
+                              get_details_of_an_abnormal_case_command,
+                              manage_a_threat_identified_by_abnormal_security_command,
+                              manage_an_abnormal_case_command,
+                              submit_an_inquiry_to_request_a_report_on_misjudgement_by_abnormal_security_command,
+                              get_the_latest_threat_intel_feed_command,
+                              download_data_from_threat_log_in_csv_format_command,
+                              get_a_list_of_campaigns_submitted_to_abuse_mailbox_command,
+                              get_details_of_an_abuse_mailbox_campaign_command,
+                              get_employee_identity_analysis_genome_data_command,
+                              get_employee_information_command,
+                              get_employee_login_information_for_last_30_days_in_csv_format_command,
+                              provides_the_analysis_and_timeline_details_of_a_case_command,
+                              submit_false_negative_report_command,
+                              submit_false_positive_report_command,
+                              get_a_list_of_vendors_command, get_the_details_of_a_specific_vendor_command,
+                              get_the_activity_of_a_specific_vendor_command,
+                              get_a_list_of_vendor_cases_command,
+                              get_the_details_of_a_vendor_case_command,
+                              get_a_list_of_unanalyzed_abuse_mailbox_campaigns_command, fetch_incidents, ISO_8601_FORMAT)
 from CommonServerPython import DemistoException
+from datetime import datetime
 
 from test_data.fixtures \
     import BASE_URL, apikey
@@ -65,6 +78,24 @@ def mock_client(mocker, http_request_result=None, throw_error=False):
 """
 
 
+@pytest.fixture
+def mock_get_a_list_of_threats_request(mocker):
+    mocker.patch("AbnormalSecurity.Client.get_a_list_of_threats_request").return_value \
+        = util_load_json('test_data/test_get_list_of_abnormal_threats.json')
+
+
+@pytest.fixture
+def mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request(mocker):
+    mocker.patch("AbnormalSecurity.Client.get_a_list_of_campaigns_submitted_to_abuse_mailbox_request").return_value\
+        = util_load_json('test_data/test_get_list_of_abuse_campaigns.json')
+
+
+@pytest.fixture
+def mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request(mocker):
+    mocker.patch("AbnormalSecurity.Client.get_a_list_of_abnormal_cases_identified_by_abnormal_security_request").return_value\
+        = util_load_json('test_data/test_get_list_of_abnormal_cases.json')
+
+
 def test_check_the_status_of_an_action_requested_on_a_case_command(mocker):
     """
         When:
@@ -120,11 +151,96 @@ def test_get_a_list_of_threats_command(mocker):
     client = mock_client(mocker, util_load_json('test_data/test_get_list_of_abnormal_threats.json'))
     results = get_a_list_of_threats_command(client, {})
     assert results.outputs.get('threats')[0].get('threatId') == '184712ab-6d8b-47b3-89d3-a314efef79e2'
-    assert results.outputs.get('pageNumber', 0) > 0
-    assert results.outputs.get('nextPageNumber') == results.outputs.get('pageNumber', 0) + 1
     assert results.outputs_prefix == 'AbnormalSecurity.inline_response_200'
 
 
+def test_get_a_list_of_vendors_command(mocker):
+    """
+        When:
+            - Retrieving list of vendors identified
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_a_list_of_vendors.json'))
+    results = get_a_list_of_vendors_command(client, {})
+    assert results.outputs[0].get('vendorDomain') == 'test-domain-1.com'
+    assert results.outputs_prefix == 'AbnormalSecurity.VendorsList'
+
+
+def test_get_the_details_of_a_specific_vendor_command(mocker):
+    """
+        When:
+            - Retrieving details of a vendor
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_the_details_of_a_specific_vendor.json'))
+    results = get_the_details_of_a_specific_vendor_command(client, {'vendor_domain': "test-domain-1.com"})
+    assert results.outputs.get('vendorDomain') == 'test-domain-1.com'
+    assert results.outputs.get('vendorContacts')[0] == 'john.doe@test-domain-1.com'
+    assert results.outputs_prefix == 'AbnormalSecurity.VendorDetails'
+
+
+def test_get_the_activity_of_a_specific_vendor_command(mocker):
+    """
+        When:
+            - Retrieving activity of a vendor
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_the_activity_of_a_specific_vendor.json'))
+    results = get_the_activity_of_a_specific_vendor_command(client, {'vendor_domain': "test-domain-1.com"})
+    assert results.outputs.get('eventTimeline')[0].get('suspiciousDomain') == 'test@test-domain.com'
+    assert results.outputs_prefix == 'AbnormalSecurity.VendorActivity'
+
+
+def test_get_a_list_of_vendor_cases_command(mocker):
+    """
+        When:
+            - Retrieving list of vendor cases identified
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_a_list_of_vendor_cases.json'))
+    results = get_a_list_of_vendor_cases_command(client, {})
+    assert results.outputs[0].get('vendorCaseId') == 123
+    assert results.outputs_prefix == 'AbnormalSecurity.VendorCases'
+
+
+def test_get_the_details_of_a_vendor_case_command(mocker):
+    """
+        When:
+            - Retrieving details of a vendor case
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_the_details_of_a_vendor_case.json'))
+    results = get_the_details_of_a_vendor_case_command(client, {"case_id": 2})
+    assert results.outputs.get('vendorCaseId') == 123
+    assert results.outputs.get('timeline')[0].get('threatId') == 1234
+    assert results.outputs_prefix == 'AbnormalSecurity.VendorCaseDetails'
+
+
+def test_get_a_list_of_unanalyzed_abuse_mailbox_campaigns_command(mocker):
+    """
+        When:
+            - Retrieving a list of abuse mailbox messages that is yet to be analyzed
+        Then
+            - Assert the context data is as expected.
+            - Assert output prefix data is as expected
+    """
+    client = mock_client(mocker, util_load_json('test_data/test_get_a_list_of_unanalyzed_abuse_mailbox_messages.json'))
+    results = get_a_list_of_unanalyzed_abuse_mailbox_campaigns_command(client, {})
+    assert results.outputs.get('results')[0].get('abx_message_id') == 123456789
+    assert results.outputs.get('results')[0].get('recipient').get('email') == 'john.doe@some-domain.com'
+    assert results.outputs_prefix == 'AbnormalSecurity.UnanalyzedAbuseCampaigns'
+
+
 def test_get_details_of_an_abnormal_case_command(mocker):
     """
         When:
@@ -355,3 +471,20 @@ def test_provides_the_analysis_and_timeline_details_of_a_case_command(mocker):
     assert len(results.outputs.get('insights')) > 0
     assert len(results.outputs.get('eventTimeline')) > 0
     assert results.outputs_prefix == 'AbnormalSecurity.CaseAnalysis'
+
+
+def test_fetch_incidents(mocker, mock_get_a_list_of_threats_request,
+                         mock_get_a_list_of_campaigns_submitted_to_abuse_mailbox_request,
+                         mock_get_a_list_of_abnormal_cases_identified_by_abnormal_security_request):
+    client = mock_client(mocker, util_load_json('test_data/test_get_case_analysis_and_timeline.json'))
+    first_fetch_time = datetime.now().strftime(ISO_8601_FORMAT)
+    next_run, incidents = fetch_incidents(
+        client=client,
+        last_run={"last_fetch": "2023-09-17T14:43:09Z"},
+        first_fetch_time=first_fetch_time,
+        max_incidents_to_fetch=200,
+        fetch_account_takeover_cases=True,
+        fetch_abuse_campaigns=True,
+        fetch_threats=True
+    )
+    assert len(incidents) == 4