fix: [tests] Better tests for Campaign objects conversion

chrisr3d · chrisr3d · commit 84b3f4355547 · 2025-04-16T17:37:29.000+02:00
- Updated samples and tests for STIX 2.x Campaign
  objects import to cover all supported fields
- Added tests for custom Galaxy Clusters imported
  from STIX 2.x Campaign objects conversion back
  to STIX 2.x
diff --git a/tests/_test_stix_export.py b/tests/_test_stix_export.py
@@ -164,6 +164,13 @@ def _check_attribute_vulnerability_features(self, vulnerability, attribute, iden
         self.assertEqual(vulnerability.created, timestamp)
         self.assertEqual(vulnerability.modified, timestamp)
 
+    def _check_campaign_meta_fields(self, stix_object, meta):
+        self.assertEqual(stix_object.aliases, meta['synonyms'])
+        self.assertEqual(
+            stix_object.last_seen, self._datetime_from_str(meta['last_seen'])
+        )
+        self.assertEqual(stix_object.objective, meta['objective'])
+
     def _check_course_of_action_meta_fields(self, stix_object, meta):
         self.assertEqual(stix_object.external_references[0].external_id, meta['external_id'])
         for external_ref, ref in zip(stix_object.external_references[1:], meta['refs']):
diff --git a/tests/test_events.py b/tests/test_events.py
@@ -985,6 +985,25 @@
     "uuid": "2d018cbb-4236-53c8-aeba-0aa1b51e636e"
 }
 
+_TEST_CUSTOM_CAMPAIGN_GALAXY = {
+    "GalaxyCluster": [
+        {
+            "meta": {
+                "synonyms": [
+                    "Doppelganger"
+                ],
+                "last_seen": "2020-10-25T16:22:00Z",
+                "objective": "manipulation"
+            },
+            "uuid": "0dd0896b-8834-5025-a4d4-c0f4bbf7d403",
+            "value": "RRN",
+            "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors."
+        }
+    ],
+    "description": "A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.",
+    "uuid": "3d29c2ad-cb5a-5173-8ef6-1afd3bd2ed34"
+}
+
 _TEST_INTRUSION_SET_GALAXY = {
     "uuid": "1023f364-7831-11e7-8318-43b5531983ab",
     "name": "Intrusion Set",
@@ -3361,6 +3380,20 @@ def get_event_with_custom_attack_pattern_galaxy(version: str):
     return event
 
 
+def get_event_with_custom_campaign_galaxy(version: str):
+    event = deepcopy(_BASE_EVENT)
+    custom_galaxy = deepcopy(_TEST_CUSTOM_CAMPAIGN_GALAXY)
+    custom_galaxy['GalaxyCluster'][0]['type'] = f'stix-{version}-campaign'
+    custom_galaxy.update(
+        {
+            'type': f'stix-{version}-campaign',
+            'name': f'STIX {version} Campaign'
+        }
+    )
+    event['Event']['Galaxy'] = [custom_galaxy]
+    return event
+
+
 def get_event_with_custom_galaxy():
     event = deepcopy(_BASE_EVENT)
     event['Event']['Galaxy'] = [
diff --git a/tests/test_external_stix20_bundles.py b/tests/test_external_stix20_bundles.py
@@ -171,6 +171,7 @@
         "aliases": [
             "Doppelganger"
         ],
+        "objective": "manipulation",
         "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.",
         "first_seen": "2020-10-25T16:22:00.000Z"
     },
diff --git a/tests/test_external_stix20_import.py b/tests/test_external_stix20_import.py
@@ -83,12 +83,14 @@ def test_stix20_bundle_with_campaign_galaxy(self):
         _, report, event_campaign, indicator, attribute_campaign, _ = bundle.objects
         self._check_misp_event_features(event, report)
         meta = self._check_galaxy_features(event.galaxies, event_campaign)
-        self.assertEqual(meta, {'synonyms': event_campaign.aliases})
+        self.assertEqual(meta['synonyms'], event_campaign.aliases)
+        self.assertEqual(meta['objective'], event_campaign.objective)
+        self.assertEqual(meta['first_seen'], event_campaign.first_seen)
         self.assertEqual(len(event.attributes), 1)
         attribute = event.attributes[0]
         self.assertEqual(attribute.uuid, indicator.id.split('--')[1])
         meta = self._check_galaxy_features(attribute.galaxies, attribute_campaign)
-        self.assertEqual(meta, {})
+        self.assertEqual(meta, {'first_seen': attribute_campaign.first_seen})
 
     def test_stix20_bundle_with_course_of_action_galaxy(self):
         bundle = TestExternalSTIX20Bundles.get_bundle_with_course_of_action_galaxy()
diff --git a/tests/test_external_stix21_bundles.py b/tests/test_external_stix21_bundles.py
@@ -324,6 +324,7 @@
         "aliases": [
             "Doppelganger"
         ],
+        "objective": "manipulation",
         "description": "Active since 2008, this campaign mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.",
         "first_seen": "2020-10-25T16:22:00.000Z"
     },
diff --git a/tests/test_external_stix21_import.py b/tests/test_external_stix21_import.py
@@ -104,12 +104,14 @@ def test_stix21_bundle_with_campaign_galaxy(self):
         _, grouping, event_campaign, indicator, attribute_campaign, _ = bundle.objects
         self._check_misp_event_features_from_grouping(event, grouping)
         meta = self._check_galaxy_features(event.galaxies, event_campaign)
-        self.assertEqual(meta, {'synonyms': event_campaign.aliases})
+        self.assertEqual(meta['synonyms'], event_campaign.aliases)
+        self.assertEqual(meta['objective'], event_campaign.objective)
+        self.assertEqual(meta['first_seen'], event_campaign.first_seen)
         self.assertEqual(len(event.attributes), 1)
         attribute = event.attributes[0]
         self.assertEqual(attribute.uuid, indicator.id.split('--')[1])
         meta = self._check_galaxy_features(attribute.galaxies, attribute_campaign)
-        self.assertEqual(meta, {})
+        self.assertEqual(meta, {'first_seen': attribute_campaign.first_seen})
 
     def test_stix21_bundle_with_course_of_action_galaxy(self):
         bundle = TestExternalSTIX21Bundles.get_bundle_with_course_of_action_galaxy()
diff --git a/tests/test_stix20_export.py b/tests/test_stix20_export.py
@@ -4620,6 +4620,15 @@ def _test_event_with_attack_pattern_galaxy(self, event):
         self.assertEqual(attack_pattern.type, 'attack-pattern')
         self._check_galaxy_features(attack_pattern, galaxy, timestamp)
 
+    def _test_event_with_campaign_galaxy(self, event):
+        galaxy = event['Galaxy'][0]
+        timestamp = event['timestamp']
+        if not isinstance(timestamp, datetime):
+            timestamp = self._datetime_from_timestamp(timestamp)
+        campaign = self._run_galaxy_tests(event, timestamp)
+        self.assertEqual(campaign.type, 'campaign')
+        self._check_galaxy_features(campaign, galaxy, timestamp)
+
     def _test_event_with_course_of_action_galaxy(self, event):
         galaxy = event['Galaxy'][0]
         timestamp = event['timestamp']
@@ -4743,6 +4752,22 @@ def test_event_with_custom_attack_pattern_21_galaxy(self):
             attack_pattern = self.parser.stix_objects[-1]
         )
 
+    def test_event_with_custom_campaign_20_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.0')
+        self._test_event_with_campaign_galaxy(event['Event'])
+        self._populate_documentation(
+            galaxy = event['Event']['Galaxy'][0],
+            campaign = self.parser.stix_objects[-1]
+        )
+
+    def test_event_with_custom_campaign_21_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.1')
+        self._test_event_with_campaign_galaxy(event['Event'])
+        self._populate_documentation(
+            galaxy = event['Event']['Galaxy'][0],
+            campaign = self.parser.stix_objects[-1]
+        )
+
     def test_event_with_custom_galaxy(self):
         event = get_event_with_custom_galaxy()
         self._test_event_with_custom_galaxy(event['Event'])
@@ -4828,6 +4853,18 @@ def test_event_with_custom_attack_pattern_21_galaxy(self):
         misp_event.from_dict(**event)
         self._test_event_with_attack_pattern_galaxy(misp_event)
 
+    def test_event_with_custom_campaign_20_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.0')
+        misp_event = MISPEvent()
+        misp_event.from_dict(**event)
+        self._test_event_with_campaign_galaxy(misp_event)
+
+    def test_event_with_custom_campaign_21_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.1')
+        misp_event = MISPEvent()
+        misp_event.from_dict(**event)
+        self._test_event_with_campaign_galaxy(misp_event)
+
     def test_event_with_custom_galaxy(self):
         event = get_event_with_custom_galaxy()
         misp_event = MISPEvent()
diff --git a/tests/test_stix21_export.py b/tests/test_stix21_export.py
@@ -5840,6 +5840,15 @@ def _test_event_with_attack_pattern_galaxy(self, event):
         self.assertEqual(attack_pattern.type, 'attack-pattern')
         self._check_galaxy_features(attack_pattern, galaxy, timestamp)
 
+    def _test_event_with_campaign_galaxy(self, event):
+        galaxy = event['Galaxy'][0]
+        timestamp = event['timestamp']
+        if not isinstance(timestamp, datetime):
+            timestamp = self._datetime_from_timestamp(timestamp)
+        campaign = self._run_galaxy_tests(event, timestamp)
+        self.assertEqual(campaign.type, 'campaign')
+        self._check_galaxy_features(campaign, galaxy, timestamp)
+
     def _test_event_with_course_of_action_galaxy(self, event):
         galaxy = event['Galaxy'][0]
         timestamp = event['timestamp']
@@ -6010,6 +6019,22 @@ def test_event_with_custom_attack_pattern_21_galaxy(self):
             attack_pattern = self.parser.stix_objects[-1]
         )
 
+    def test_event_with_custom_campaign_20_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.0')
+        self._test_event_with_campaign_galaxy(event['Event'])
+        self._populate_documentation(
+            galaxy = event['Event']['Galaxy'][0],
+            campaign = self.parser.stix_objects[-1]
+        )
+
+    def test_event_with_custom_campaign_21_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.1')
+        self._test_event_with_campaign_galaxy(event['Event'])
+        self._populate_documentation(
+            galaxy = event['Event']['Galaxy'][0],
+            campaign = self.parser.stix_objects[-1]
+        )
+
     def test_event_with_custom_galaxy(self):
         event = get_event_with_custom_galaxy()
         self._test_event_with_custom_galaxy(event['Event'])
@@ -6110,6 +6135,18 @@ def test_event_with_custom_attack_pattern_21_galaxy(self):
         misp_event.from_dict(**event)
         self._test_event_with_attack_pattern_galaxy(misp_event)
 
+    def test_event_with_custom_campaign_20_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.0')
+        misp_event = MISPEvent()
+        misp_event.from_dict(**event)
+        self._test_event_with_campaign_galaxy(misp_event)
+
+    def test_event_with_custom_campaign_21_galaxy(self):
+        event = get_event_with_custom_campaign_galaxy('2.1')
+        misp_event = MISPEvent()
+        misp_event.from_dict(**event)
+        self._test_event_with_campaign_galaxy(misp_event)
+
     def test_event_with_custom_galaxy(self):
         event = get_event_with_custom_galaxy()
         misp_event = MISPEvent()
