import datetime as dt
import pytest
import pytz
import stix2
import stix2.v21
from .constants import IDENTITY_ID, THREAT_ACTOR_ID
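# Reference JSON for the "Evil Org" threat actor. test_threat_actor_example
# compares it with serialize(pretty=True) using ==, so key order, line breaks
# and the nesting indentation inside the literal are all part of the expected
# value. The same text is also one of the inputs given to stix2.parse() in
# test_parse_threat_actor.
# NOTE(review): the four-space nesting is assumed to be what
# serialize(pretty=True) emits — confirm against the library output.
EXPECTED = """{
    "type": "threat-actor",
    "spec_version": "2.1",
    "id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--311b2d2d-f010-4473-83ec-1edf84858f4c",
    "created": "2016-04-06T20:03:48.000Z",
    "modified": "2016-04-06T20:03:48.000Z",
    "name": "Evil Org",
    "description": "The Evil Org threat actor group",
    "threat_actor_types": [
        "crime-syndicate"
    ]
}"""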
def test_threat_actor_example():
    """Build a v2.1 ThreatActor and compare its pretty JSON with EXPECTED."""
    fields = {
        "id": THREAT_ACTOR_ID,
        "created_by_ref": IDENTITY_ID,
        "created": "2016-04-06T20:03:48.000Z",
        "modified": "2016-04-06T20:03:48.000Z",
        "name": "Evil Org",
        "description": "The Evil Org threat actor group",
        "threat_actor_types": ["crime-syndicate"],
    }
    threat_actor = stix2.v21.ThreatActor(**fields)

    # Exact string comparison: any drift in property order or layout of the
    # serialized object fails the test, not only a changed value.
    serialized = threat_actor.serialize(pretty=True)
    assert serialized == EXPECTED
@pytest.mark.parametrize(
    "data",
    [
        EXPECTED,
        {
            "created": "2016-04-06T20:03:48.000Z",
            "created_by_ref": IDENTITY_ID,
            "description": "The Evil Org threat actor group",
            "id": THREAT_ACTOR_ID,
            "threat_actor_types": [
                "crime-syndicate",
            ],
            "modified": "2016-04-06T20:03:48.000Z",
            "name": "Evil Org",
            "spec_version": "2.1",
            "type": "threat-actor",
        },
    ],
)
def test_parse_threat_actor(data):
    """Parse the threat actor from JSON text and from a dict; check every field.

    Both parametrized inputs describe the same object, so the assertions
    below are shared. The spec version is passed to stix2.parse() explicitly
    as "2.1".
    """
    parsed = stix2.parse(data, version="2.1")

    # created and modified carry the same instant; the parsed values are
    # compared against a timezone-aware UTC datetime.
    stamp = dt.datetime(2016, 4, 6, 20, 3, 48, tzinfo=pytz.utc)

    assert parsed.type == 'threat-actor'
    assert parsed.spec_version == '2.1'
    assert parsed.id == THREAT_ACTOR_ID
    assert parsed.created == stamp
    assert parsed.modified == stamp
    assert parsed.created_by_ref == IDENTITY_ID
    assert parsed.description == "The Evil Org threat actor group"
    assert parsed.name == "Evil Org"
    assert parsed.threat_actor_types == ["crime-syndicate"]
def test_seen_ordering_constraint():
    """
    Test first_seen/last_seen value co-constraint.

    A last_seen earlier than first_seen must make the ThreatActor
    constructor raise ValueError; identical timestamps must be accepted.
    """
    def make_actor(last_seen):
        # Only last_seen varies between the two cases; everything else,
        # including first_seen, is fixed.
        return stix2.v21.ThreatActor(
            name="Bad Person",
            threat_actor_types=["hacker", "criminal"],
            first_seen="2010-04-21T09:31:11Z",
            last_seen=last_seen,
        )

    # A sighting window that ends before it starts is inconsistent data and
    # has to be refused at construction time.
    with pytest.raises(ValueError):
        make_actor("2009-02-06T03:39:31Z")

    # equal timestamps is okay.
    make_actor("2010-04-21T09:31:11Z")
# TODO: Add other examples