diff --git a/stix_shifter_modules/vectra/README.md b/stix_shifter_modules/vectra/README.md index ddc37e43b..89bfe6d70 100644 --- a/stix_shifter_modules/vectra/README.md +++ b/stix_shifter_modules/vectra/README.md @@ -44,7 +44,7 @@ translate vectra query {} "[ipv4-addr:value='1.1.1.1' AND x-ibm-finding:name='Hi ```shell transmit vectra -"{\"host\":\"instance.vectra.com\"}" +"{\"host\":\"instance.vectra.com\", \"port\":xxxx}" "{\"auth\":{\"apitoken\": \"xxxx\"}}" results "[query_string=(detection.detection_type:\"Hidden HTTP Tunnel\" AND (detection.src_ip:\"1.1.1.1\" OR detection.grouped_details.dst_ips:\"1.1.1.1\" OR detection.grouped_details.dst_hosts.dst_ip:\"1.1.1.1\" OR detection.grouped_details.origin_ip:\"1.1.1.1\" OR detection.grouped_details.sessions.dst_ip:\"1.1.1.1\" OR detection.grouped_details.subnet:\"1.1.1.1\" OR detection.grouped_details.events.dst_ip:\"1.1.1.1\" OR detection.grouped_details.events.dst_ips:\"1.1.1.1\" OR detection.grouped_details.events.sessions.dst_ip:\"1.1.1.1\" OR detection.grouped_details.connection_events.target_host.ip:\"1.1.1.1\") AND (detection.last_timestamp:[2023-04-01T0000 to 2023-06-12T0000]))]" @@ -301,7 +301,7 @@ execute vectra vectra "{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"Vectra NDR\",\"identity_class\":\"system\",\"created\":\"2023-02-23T13:22:50.336Z\",\"modified\":\"2022-02-23T13:22:50.336Z\"}" -"{\"host\":\"xyz\"}" +"{\"host\":\"xyz\", \"port\":xxxx}" "{\"auth\":{\"api_token\": \"xxx\"}}" "([x-ibm-finding:confidence>20 AND x-sql-request-info:response_code=404] AND [x-ibm-finding:severity>20 AND x-sql-request-info:user_agent LIKE 'Mozilla']) START t'2023-04-01T00:00:00.000Z' STOP t'2023-06-12T00:00:00.000Z'" ``` 
@@ -437,3 +437,4 @@ vectra - [Advanced Search Reference Guide](https://support.vectra.ai/s/article/KB-VS-1116) - [Understanding Vectra AI](https://support.vectra.ai/s/article/KB-VS-1285) - [Detection and Campaign lifespan and retention periods](https://support.vectra.ai/s/article/KB-VS-1099) +
diff --git a/stix_shifter_modules/vectra/configuration/config.json b/stix_shifter_modules/vectra/configuration/config.json
index d15c190bf..3bebf80d8 100644
--- a/stix_shifter_modules/vectra/configuration/config.json
+++ b/stix_shifter_modules/vectra/configuration/config.json
@@ -8,15 +8,15 @@
 "type": "text",
 "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$"
 },
+ "port": {
+ "type": "number",
+ "default": 443,
+ "min": 1,
+ "max": 65535
+ },
 "help": {
 "type": "link",
 "default": "data-sources.html"
- },
- "options": {
- "type": "fields",
- "result_limit": {
- "max": 10000
- }
 }
 },
 "configuration": {
diff --git a/stix_shifter_modules/vectra/configuration/lang_en.json b/stix_shifter_modules/vectra/configuration/lang_en.json
index 2f5708bd1..5b587b26f 100644
--- a/stix_shifter_modules/vectra/configuration/lang_en.json
+++ b/stix_shifter_modules/vectra/configuration/lang_en.json
@@ -4,6 +4,10 @@
 "label": "Management IP address or Hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
+ "port": {
+ "label": "Host port",
+ "description": "Set the port number that is associated with the hostname or IP address"
+ },
 "help": {
 "label": "Need additional help?",
 "description": "More details on the data source setting can be found in the specified link"
@@ -12,7 +16,8 @@
 "configuration": {
 "auth": {
 "api_token": {
- "type": "password"
+ "label": "API token",
+ "description": "Vectra API token to authenticate requests for Vectra APIs"
 }
 }
 }
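Review bot: The config.json hunk drops the `options.result_limit.max` cap of 10000 at the same time as it adds `port`, and nothing else in the commit reinstates a ceiling, so unless the framework's base configuration supplies one, a caller can now ask the connector for an unbounded result set. If the removal is intentional it deserves a sentence in the commit message; otherwise keep the block: `"options": { "type": "fields", "result_limit": { "max": 10000 } }`. The new `port` entry itself is sound — `min`/`max` confine it to the valid TCP range and the default is 443.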
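Review bot: In the lang_en.json hunk the `api_token` block loses its only visible `"type": "password"` declaration in favour of a label and description, and no visible hunk adds a `type` for it in config.json's `configuration.auth` section, which lies outside the shown ranges. If lang_en.json was the only place the field was typed, the token becomes a plain text field and may be displayed or persisted unmasked; please confirm that config.json carries `"api_token": { "type": "password" }` before merging. Keeping labels in lang_en.json and types in config.json is presumably the intended split — the point is only that the type must not be lost in the move.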
diff --git a/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json
index 00e982618..eb1784cd1 100644
--- a/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json
+++ b/stix_shifter_modules/vectra/stix_translation/json/stix_2_1/to_stix_map.json
@@ -62,7 +62,8 @@
 },
 "num_successes": {
 "key": "x-ibm-finding.x_num_successes",
- "object": "detection"
+ "object": "detection",
+ "transformer": "ToString"
 },
 "dst_ports": {
 "key": "x-ibm-finding.x_dst_ports",
diff --git a/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json b/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json
index 230a6696c..1940601e8 100644
--- a/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/vectra/stix_translation/json/to_stix_map.json
@@ -62,7 +62,8 @@
 },
 "num_successes": {
 "key": "x-ibm-finding.x_num_successes",
- "object": "detection"
+ "object": "detection",
+ "transformer": "ToString"
 },
 "dst_ports": {
 "key": "x-ibm-finding.x_dst_ports",
diff --git a/stix_shifter_modules/vectra/stix_translation/transformers.py b/stix_shifter_modules/vectra/stix_translation/transformers.py
index a86371349..29c43e5f3 100644
--- a/stix_shifter_modules/vectra/stix_translation/transformers.py
+++ b/stix_shifter_modules/vectra/stix_translation/transformers.py
@@ -39,7 +39,7 @@ class ConvertToReal(ValueTransformer):
 def transform(obj):
 try:
 if not isinstance(obj, float):
- obj = obj * 1.0
+ obj = obj / 100
 except ValueError:
 LOGGER.error('Cannot convert input %s to a float value between 0 to 1', obj)
 return obj
diff --git a/stix_shifter_modules/vectra/stix_transmission/api_client.py b/stix_shifter_modules/vectra/stix_transmission/api_client.py
index 01ddc7fcd..6930542b6 100644
--- a/stix_shifter_modules/vectra/stix_transmission/api_client.py
+++ b/stix_shifter_modules/vectra/stix_transmission/api_client.py
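Review bot: In the transformers.py hunk the new `obj = obj / 100` runs only when `obj` is not already a `float`, so an integer 75 becomes 0.75 while a float 75.0 is returned unscaled — two representations of the same source value now yield different confidence values. A non-numeric input (a string, say) raises `TypeError` from the division, which the surrounding `except ValueError:` does not catch, so the "Cannot convert input" log line is never reached for that case. If the source reports this value on a 0–100 scale regardless of numeric type, I would gate on `if isinstance(obj, (int, float)):` and widen the handler to `except (TypeError, ValueError):`; if floats are already normalised to 0–1, a comment stating that assumption would make the `isinstance` check intentional. The enclosing `ConvertToReal` class, and any decorator on `transform`, start above the hunk.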
@@ -13,7 +13,7 @@ def __init__(self, connection, configuration): self.headers = {"Authorization": "Token " + self.auth["api_token"], 'Content-Type': "application/json", 'Cache-Control': "no-cache"} - self.client = RestApiClientAsync(connection.get('host'), port=None, headers=self.headers) + self.client = RestApiClientAsync(connection.get('host'), port=connection.get('port'), headers=self.headers) self.host = connection.get('host') async def ping_data_source(self):
diff --git a/stix_shifter_modules/vectra/stix_transmission/connector.py b/stix_shifter_modules/vectra/stix_transmission/connector.py
index b1a25a935..32f9b135c 100644
--- a/stix_shifter_modules/vectra/stix_transmission/connector.py
+++ b/stix_shifter_modules/vectra/stix_transmission/connector.py
@@ -223,6 +223,12 @@ def get_results_data(self, response_dict): detection_type = record.get('detection_type', '') + # if x-ibm-finding object event_count is not available, setting the default value to 1. + # if default value is not set, CP4S inserts NaN value for event_count which causes rendering issue in UI. + if record.get('summary') and \ + 'num_attempts' not in record['summary'] and 'num_sessions' not in record['summary']: + record['summary']['num_sessions'] = 1 + if 'Privilege' in detection_type: # Skip any preprocessing for these detections. continue
diff --git a/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py b/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py
index 8e79640f7..9cbb10273 100644
--- a/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py
+++ b/stix_shifter_modules/vectra/test/stix_transmission/test_vectra.py
@@ -333,7 +333,10 @@ class TestVectraConnection(unittest.TestCase, object): def connection(self): """format for connection""" - return {"host": "hostbla"} + return { + "host": "hostbla", + "port": 443 + } def configuration(self): """format for configuration"""
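Review bot: In the connector.py hunk the added block writes `record['summary']['num_sessions'] = 1` into the raw source record, so every consumer of `summary` — not only the `event_count` mapping the comment names — now sees a session count the data source never reported, and a detection with genuinely no sessions becomes indistinguishable from one with a single session. Defaulting at the mapping step, on the `event_count` field itself, would keep the source record intact; if the summary must be patched here, a comment such as `# synthetic default: source reported no num_attempts/num_sessions` is the minimum so a later reader does not take the value as observed data. The guard also assumes a truthy `record['summary']` is a dict — a non-dict summary would raise on the assignment — which may hold for this API but is not checked. `get_results_data` starts and ends outside the hunk.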