From 052e5377293b97747f16b270da23c32078debc87 Mon Sep 17 00:00:00 2001
From: Ben Craig
Date: Mon, 21 Jan 2019 11:21:04 -0400
Subject: [PATCH] Dynamic mapping for fields for splunk. (#100)

* Dynamic mapping for fields for splunk.
---
 .../src/modules/splunk/stix_to_splunk.py | 25 +++++++++++--------
 .../test_splunk_stix_to_spl.py | 11 ++++++--
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/stix_shifter/stix_translation/src/modules/splunk/stix_to_splunk.py b/stix_shifter/stix_translation/src/modules/splunk/stix_to_splunk.py
index 7671a4902..e07f1eb0d 100644
--- a/stix_shifter/stix_translation/src/modules/splunk/stix_to_splunk.py
+++ b/stix_shifter/stix_translation/src/modules/splunk/stix_to_splunk.py
@@ -4,6 +4,7 @@
 from ...patterns.parser import generate_query
 from ..base.base_query_translator import BaseQueryTranslator
 from . import splunk_query_constructor
+from ..cim import cim_data_mapping
 logger = logging.getLogger(__name__)
@@ -30,19 +31,21 @@ def transform_query(self, data, options, mapping=None):
 query_object = generate_query(data)
 data_mapper = options.get('data_mapper')
 mapping = options.get('mapping')
+ fields = options.get('fields')
 if not data_mapper:
- data_mapper = 'cim'
-
- data_mapper_module_name = ''.join(["stix_shifter.stix_translation.src.modules.", data_mapper, ".", data_mapper, "_data_mapping"])
-
- try:
- data_mapper_module = importlib.import_module(data_mapper_module_name)
- data_model_mapper = data_mapper_module.mapper_class(mapping)
- except ModuleNotFoundError:
- raise NotImplementedError(f"Module {data_mapper_module_name} not implemented")
- except AttributeError:
- raise NotImplementedError(f"Module {data_mapper_module_name} does not implement mapper_class attribute")
+ data_mapper_module = cim_data_mapping
+ data_model_mapper = data_mapper_module.mapper_class(mapping, fields)
+ else:
+ data_mapper_module_name = ''.join(["stix_shifter.stix_translation.src.modules.", data_mapper, ".", data_mapper, "_data_mapping"])
+
+ try:
+ data_mapper_module = importlib.import_module(data_mapper_module_name)
+ data_model_mapper = data_mapper_module.mapper_class(mapping)
+ except ModuleNotFoundError:
+ raise NotImplementedError(f"Module {data_mapper_module_name} not implemented")
+ except AttributeError:
+ raise NotImplementedError(f"Module {data_mapper_module_name} does not implement mapper_class attribute")
 result_limit = options['result_limit'] if 'result_limit' in options else DEFAULT_LIMIT
 timerange = options['timerange'] if 'timerange' in options else DEFAULT_TIMERANGE
diff --git a/tests/stix_translation/test_splunk_stix_to_spl.py b/tests/stix_translation/test_splunk_stix_to_spl.py
index 39e5c9819..c28218f09 100644
--- a/tests/stix_translation/test_splunk_stix_to_spl.py
+++ b/tests/stix_translation/test_splunk_stix_to_spl.py
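Review bot: The new `fields` option only reaches the mapper on the default branch; a caller that sets `data_mapper: 'cim'` explicitly takes the `else` path, where `mapper_class(mapping)` drops `fields` silently, so the same request yields a different query depending on whether the default is spelled out. Routing the explicit name through the same branch, `if not data_mapper or data_mapper == 'cim':`, keeps the two paths consistent; for other mappers either forward `fields` as well or state in the option documentation that they ignore it. `fields` is caller-supplied and, judging by the test hunk, its entries are emitted verbatim into the `| fields` clause of the generated SPL, so it is worth confirming that the mapper or query constructor validates them as plain field names before they are joined into the query (that code is outside this diff). The enclosing `transform_query` begins and ends outside the hunk.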
@@ -172,10 +172,17 @@ def test_custom_mapping(self):
 "value": ["src_ip","dest_ip"]
 }
 }
- }
+ },
+ "fields": {
+ "default":
+ [
+ "src_ip",
+ "src_port",
+ ]
+ }
 }
 query = translation.translate('splunk', 'query', '{}', stix_pattern, options)
- queries = 'search ((mac = "00-00-5E-00-53-00") AND ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83"))) earliest="-15minutes" | head 1000 | fields src_ip, src_port, src_mac, src_ipv6, dest_ip, dest_port, dest_mac, dest_ipv6, file_hash, user, url, protocol'
+ queries = 'search ((mac = "00-00-5E-00-53-00") AND ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83"))) earliest="-15minutes" | head 1000 | fields src_ip, src_port'
 parsed_stix = [{'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00'}, {'attribute': 'ipv4-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83'}]
 assert query == {'queries': queries, 'parsed_stix': parsed_stix}
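Review bot: The updated expectation only exercises the case where `fields` is supplied; nothing now checks that a request without a `fields` option still yields the default field list, so a regression in the fallback inside `cim_data_mapping.mapper_class` would go unnoticed. Add a sibling assertion that omits the `fields` key and expects the previously asserted `| fields src_ip, src_port, src_mac, ... protocol` tail, plus a case that sets `data_mapper: 'cim'` explicitly together with `fields`, since the translator hunk handles that path separately from the default. The `"default"` key inside `fields` is not described anywhere in this diff; a comment above it such as `# "default" is the field list used when no more specific list applies — confirm against cim_data_mapping` would tell the next reader what the mapper keys on. `test_custom_mapping` starts outside the hunk.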