tests/test_ttp.py · CTI Detection Automation

36 lines · python

from cti.models import Indicator
from cti.ttp import coverage_report, extract_techniques
 
 
def test_extract_dedups_and_counts():
    indicators = [
        Indicator(type="ip", value="1.1.1.1", source="threatfox", threat_type="c2",
                  confidence=90, techniques=["T1071.001", "T1059.001"]),
        Indicator(type="ip", value="2.2.2.2", source="feodo", threat_type="c2",
                  confidence=90, techniques=["T1071.001"]),
    ]
    techniques = extract_techniques(indicators)
    by_id = {t.technique_id: t for t in techniques}
    assert by_id["T1071.001"].indicator_count == 2
    assert by_id["T1059.001"].indicator_count == 1
    assert techniques[0].technique_id == "T1071.001"
 
 
def test_technique_names_resolved():
    indicators = [
        Indicator(type="url", value="http://x", source="openphish", threat_type="phishing",
                  confidence=80, techniques=["T1566.002"]),
    ]
    techniques = extract_techniques(indicators)
    assert techniques[0].name.startswith("Phishing")
    assert techniques[0].tactic == "initial-access"
 
 
def test_coverage_report_renders_rows():
    indicators = [
        Indicator(type="ip", value="1.1.1.1", source="feodo", threat_type="c2",
                  confidence=90, techniques=["T1071.001"]),
    ]
    report = coverage_report(extract_techniques(indicators))
    assert "T1071.001" in report
    assert "| Technique |" in report

1	from cti.models import Indicator
2	from cti.ttp import coverage_report, extract_techniques
3
4
5	def test_extract_dedups_and_counts():
6	indicators = [
7	Indicator(type="ip", value="1.1.1.1", source="threatfox", threat_type="c2",
8	confidence=90, techniques=["T1071.001", "T1059.001"]),
9	Indicator(type="ip", value="2.2.2.2", source="feodo", threat_type="c2",
10	confidence=90, techniques=["T1071.001"]),
11	]
12	techniques = extract_techniques(indicators)
13	by_id = {t.technique_id: t for t in techniques}
14	assert by_id["T1071.001"].indicator_count == 2
15	assert by_id["T1059.001"].indicator_count == 1
16	assert techniques[0].technique_id == "T1071.001"
17
18
19	def test_technique_names_resolved():
20	indicators = [
21	Indicator(type="url", value="http://x", source="openphish", threat_type="phishing",
22	confidence=80, techniques=["T1566.002"]),
23	]
24	techniques = extract_techniques(indicators)
25	assert techniques[0].name.startswith("Phishing")
26	assert techniques[0].tactic == "initial-access"
27
28
29	def test_coverage_report_renders_rows():
30	indicators = [
31	Indicator(type="ip", value="1.1.1.1", source="feodo", threat_type="c2",
32	confidence=90, techniques=["T1071.001"]),
33	]
34	report = coverage_report(extract_techniques(indicators))
35	assert "T1071.001" in report
36	assert "\| Technique \|" in report