Vectra config changes (#1581)

opencybersecurityalliance · Oct 10, 2023 · 068e9ee · 068e9ee
1 parent 76264e9
commit 068e9ee
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 14 deletions.
diff --git a/stix_shifter_modules/vectra/README.md b/stix_shifter_modules/vectra/README.md
@@ -44,7 +44,7 @@ translate vectra query {} "[ipv4-addr:value='1.1.1.1' AND x-ibm-finding:name='Hi
 ```shell
 transmit 
 vectra 
-"{\"host\":\"instance.vectra.com\"}" 
+"{\"host\":\"instance.vectra.com\", \"port\":xxxx}" 
 "{\"auth\":{\"apitoken\": \"xxxx\"}}" 
 results 
 "[query_string=(detection.detection_type:\"Hidden HTTP Tunnel\" AND (detection.src_ip:\"1.1.1.1\" OR detection.grouped_details.dst_ips:\"1.1.1.1\" OR detection.grouped_details.dst_hosts.dst_ip:\"1.1.1.1\" OR detection.grouped_details.origin_ip:\"1.1.1.1\" OR detection.grouped_details.sessions.dst_ip:\"1.1.1.1\" OR detection.grouped_details.subnet:\"1.1.1.1\" OR detection.grouped_details.events.dst_ip:\"1.1.1.1\" OR detection.grouped_details.events.dst_ips:\"1.1.1.1\" OR detection.grouped_details.events.sessions.dst_ip:\"1.1.1.1\" OR detection.grouped_details.connection_events.target_host.ip:\"1.1.1.1\") AND (detection.last_timestamp:[2023-04-01T0000 to 2023-06-12T0000]))]"
@@ -301,7 +301,7 @@ execute
 vectra
 vectra
 "{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"Vectra NDR\",\"identity_class\":\"system\",\"created\":\"2023-02-23T13:22:50.336Z\",\"modified\":\"2022-02-23T13:22:50.336Z\"}"
-"{\"host\":\"xyz\"}"
+"{\"host\":\"xyz\", \"port\":xxxx}"
 "{\"auth\":{\"api_token\": \"xxx\"}}"
 "([x-ibm-finding:confidence>20 AND x-sql-request-info:response_code=404] AND [x-ibm-finding:severity>20 AND x-sql-request-info:user_agent LIKE 'Mozilla']) START t'2023-04-01T00:00:00.000Z' STOP t'2023-06-12T00:00:00.000Z'"
 ```
@@ -437,3 +437,4 @@ vectra
 - [Advanced Search Reference Guide](https://support.vectra.ai/s/article/KB-VS-1116)
 - [Understanding Vectra AI](https://support.vectra.ai/s/article/KB-VS-1285)
 - [Detection and Campaign lifespan and retention periods](https://support.vectra.ai/s/article/KB-VS-1099)
+
diff --git a/stix_shifter_modules/vectra/configuration/config.json b/stix_shifter_modules/vectra/configuration/config.json
@@ -8,15 +8,15 @@
             "type": "text",
             "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$"
         },
+        "port": {
+            "type": "number",
+            "default": 443,
+            "min": 1,
+            "max": 65535
+        },
         "help": {
             "type": "link",
             "default": "data-sources.html"
-        },
-        "options": {
-            "type": "fields",
-            "result_limit": {
-                "max": 10000
-            }
         }
     },
     "configuration": {

diff --git a/stix_shifter_modules/vectra/configuration/lang_en.json b/stix_shifter_modules/vectra/configuration/lang_en.json
@@ -4,6 +4,10 @@
             "label": "Management IP address or Hostname",
             "description": "Specify the IP address or hostname of the data source"
         },
+        "port": {
+            "label": "Host port",
+            "description": "Set the port number that is associated with the hostname or IP address"
+        },
         "help": {
             "label": "Need additional help?",
             "description": "More details on the data source setting can be found in the specified link"
@@ -12,7 +16,8 @@
     "configuration": {
         "auth": {
             "api_token": {
-                "type": "password"
+                "label": "API token",
+                "description": "Vectra API token to authenticate requests for Vectra APIs"
             }
         }
     }

diff --git a/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json
@@ -62,7 +62,8 @@
     },
     "num_successes": {
       "key": "x-ibm-finding.x_num_successes",
-      "object": "detection"
+      "object": "detection",
+      "transformer": "ToString"
     },
     "dst_ports": {
       "key": "x-ibm-finding.x_dst_ports",

diff --git a/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json b/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json
@@ -62,7 +62,8 @@
     },
     "num_successes": {
       "key": "x-ibm-finding.x_num_successes",
-      "object": "detection"
+      "object": "detection",
+      "transformer": "ToString"
     },
     "dst_ports": {
       "key": "x-ibm-finding.x_dst_ports",

diff --git a/stix_shifter_modules/vectra/stix_translation/transformers.py b/stix_shifter_modules/vectra/stix_translation/transformers.py
@@ -39,7 +39,7 @@ class ConvertToReal(ValueTransformer):
     def transform(obj):
         try:
             if not isinstance(obj, float):
-                obj = obj * 1.0
+                obj = obj / 100
         except ValueError:
             LOGGER.error('Cannot convert input %s to a float value between 0 to 1', obj)
         return obj

diff --git a/stix_shifter_modules/vectra/stix_transmission/api_client.py b/stix_shifter_modules/vectra/stix_transmission/api_client.py
@@ -13,7 +13,7 @@ def __init__(self, connection, configuration):
         self.headers = {"Authorization": "Token " + self.auth["api_token"],
                         'Content-Type': "application/json",
                         'Cache-Control': "no-cache"}
-        self.client = RestApiClientAsync(connection.get('host'), port=None, headers=self.headers)
+        self.client = RestApiClientAsync(connection.get('host'), port=connection.get('port'), headers=self.headers)
         self.host = connection.get('host')
 
     async def ping_data_source(self):

diff --git a/stix_shifter_modules/vectra/stix_transmission/connector.py b/stix_shifter_modules/vectra/stix_transmission/connector.py
@@ -223,6 +223,12 @@ def get_results_data(self, response_dict):
 
             detection_type = record.get('detection_type', '')
 
+            # if x-ibm-finding object event_count is not available, setting the default value to 1.
+            # if default value is not set, CP4S inserts NaN value for event_count which causes rendering issue in UI.
+            if record.get('summary') and \
+                    'num_attempts' not in record['summary'] and 'num_sessions' not in record['summary']:
+                record['summary']['num_sessions'] = 1
+
             if 'Privilege' in detection_type:
                 # Skip any preprocessing for these detections.
                 continue

diff --git a/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py b/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py
@@ -333,7 +333,10 @@ class TestVectraConnection(unittest.TestCase, object):
 
     def connection(self):
         """format for connection"""
-        return {"host": "hostbla"}
+        return {
+            "host": "hostbla",
+            "port": 443
+        }
 
     def configuration(self):
         """format for configuration"""