Merge pull request #1012 from opencybersecurityalliance/develop

Merge develop into master

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/stix_shifter/" # Location of package manifests
+    schedule:
+      interval: "daily"

.gitignore

@@ -61,7 +61,7 @@ coverage.xml
 .venv
 venv/
 ENV/
-virtualenv/
+virtualenv*/
 
 # mkdocs documentation
 /site

CHANGELOG.md

@@ -0,0 +1,167 @@
+# CHANGELOG
+
+We have started this changelogs from version 4.0.0. So, changes on previously released versions can be found in tag branches. Please follow the below format to update add changelogs for new tag version.
+
+## <Tag_Version> (Date)
+### Breaking changes:
+*List the breaking changes in this section. Breaking changes is anything that either changes the input or output of stix-shifter, or a change that breaks the compatibility between a connector and the core stix-shifter functions.*
+### Deprecations:
+*List the Deprecated functions, input and output.*
+### Changes:
+*List the newly added functions, input and output.*
+### Fixes:
+*List the bug fixes.*
+### Dependency update:
+*List the dependecy upgrade or downgrade.*
+
+-------------------------------------
+
+## 4.2.0 (2022-06-29)
+### Breaking changes:
+
+### Deprecations:
+
+### Changes:
+
+* Added reaqta from_stix generate script [#977](https://github.com/opencybersecurityalliance/stix-shifter/pull/977)
+* Change certificate parameter type [#1000](https://github.com/opencybersecurityalliance/stix-shifter/pull/1000)
+* splunk: add index to options [#993](https://github.com/opencybersecurityalliance/stix-shifter/pull/993)
+* Best practices document for connector development [#986](https://github.com/opencybersecurityalliance/stix-shifter/pull/986)
+* Update supported attributes and overview readme [#976](https://github.com/opencybersecurityalliance/stix-shifter/pull/976)
+* Guardium rel 1.10 [#958](https://github.com/opencybersecurityalliance/stix-shifter/pull/958)
+* Updated the readme mappings for darktrace. [#942](https://github.com/opencybersecurityalliance/stix-shifter/pull/942)
+* Added Darktrace UDI connector. [#896](https://github.com/opencybersecurityalliance/stix-shifter/pull/896)
+* Update table of mappings for ReaQta and IN operator support [#937](https://github.com/opencybersecurityalliance/stix-shifter/pull/937)
+* Updated the Readme mapping files [#932](https://github.com/opencybersecurityalliance/stix-shifter/pull/932)
+* Adding SentinelOne UDI connector [#888](https://github.com/opencybersecurityalliance/stix-shifter/pull/888)
+* Reaqta connector [#879](https://github.com/opencybersecurityalliance/stix-shifter/pull/879)
+
+### Fixes:
+
+* Fixed unique_cybox_objects storing [#1005](https://github.com/opencybersecurityalliance/stix-shifter/pull/1005)
+* fallback to random UUID if STIX object contains no defined id contributing properties [#990](https://github.com/opencybersecurityalliance/stix-shifter/pull/990)
+* error_test timeouts on translate and status [#987](https://github.com/opencybersecurityalliance/stix-shifter/pull/987)
+* fix two deprecation warnings [#940](https://github.com/opencybersecurityalliance/stix-shifter/pull/940)
+* splunk: fix mapping of process command line [#918] [#971](https://github.com/opencybersecurityalliance/stix-shifter/pull/971)
+* splunk: fix incorrect dst_ref.value mapping [#919] [#970](https://github.com/opencybersecurityalliance/stix-shifter/pull/970)
+* splunk: fix translation of IN, LIKE, and MATCHES [#789] [#969](https://github.com/opencybersecurityalliance/stix-shifter/pull/969)
+* fix eventType mapping for reaqta connector [#967](https://github.com/opencybersecurityalliance/stix-shifter/pull/967)
+* Reaqta: Fix network traffic for inbound and mapping update [#952](https://github.com/opencybersecurityalliance/stix-shifter/pull/952)
+* Remove deprecated SourceImage field from aql search [#950](https://github.com/opencybersecurityalliance/stix-shifter/pull/950)
+* Reaqta: implemented grater/less fields translation, fixed from_stix fields sorting, fixed unittests [#938](https://github.com/opencybersecurityalliance/stix-shifter/pull/938)
+* Reaqta Connector:Update mapping and unittest [#964](https://github.com/opencybersecurityalliance/stix-shifter/pull/964)
+* Fixed stix parsing with setvalue types [#907](https://github.com/opencybersecurityalliance/stix-shifter/pull/907)
+
+### Dependency update:
+
+* Bump boto3 from 1.21.5 to 1.22.10 [#935](https://github.com/opencybersecurityalliance/stix-shifter/pull/935)
+* Bump xmltodict from 0.12.0 to 0.13.0 [#934](https://github.com/opencybersecurityalliance/stix-shifter/pull/934)
+* Bump stix2-matcher from 2.0.1 to 2.0.2 [#915](https://github.com/opencybersecurityalliance/stix-shifter/pull/915)
+
+
+--------------------------------------
+
+
+## 4.1.0 (2022-04-12)
+### Breaking changes:
+
+### Deprecations:
+
+### Changes:
+
+* Updated mappings for PaloAlto readme [#890](https://github.com/opencybersecurityalliance/stix-shifter/pull/890)
+* Added Palo Alto Cortext XDR UDI Connector [#858](https://github.com/opencybersecurityalliance/stix-shifter/pull/858)
+* package utils/normalization [#882](https://github.com/opencybersecurityalliance/stix-shifter/pull/882)
+* add sample transformer to template modules [#870](https://github.com/opencybersecurityalliance/stix-shifter/pull/870)
+* Added IN operator for Vision One UDI connector [#861](https://github.com/opencybersecurityalliance/stix-shifter/pull/861)
+* Update arcsight custom attributes [#865](https://github.com/opencybersecurityalliance/stix-shifter/pull/865)
+* results metadata support [#813](https://github.com/opencybersecurityalliance/stix-shifter/pull/813)
+* Template projects rename [#854](https://github.com/opencybersecurityalliance/stix-shifter/pull/854)
+* doc update for operators and custom transformers [#846](https://github.com/opencybersecurityalliance/stix-shifter/pull/846)
+* Adding BaseNormalization Class [#820](https://github.com/opencybersecurityalliance/stix-shifter/pull/820)
+* Add IN operator for sumologic connector [#845](https://github.com/opencybersecurityalliance/stix-shifter/pull/845)
+* Adding IN operator support to CB connector [#835](https://github.com/opencybersecurityalliance/stix-shifter/pull/835)
+* Stix validator update [#838](https://github.com/opencybersecurityalliance/stix-shifter/pull/838)
+* CrowdStrike: Adding IN operator support [#842](https://github.com/opencybersecurityalliance/stix-shifter/pull/842)
+* Adding changelog [#833](https://github.com/opencybersecurityalliance/stix-shifter/pull/833)
+* New UDI connector module for IBM Security Verify [#802](https://github.com/opencybersecurityalliance/stix-shifter/pull/802)
+* Adding connector name in the error responses [#824](https://github.com/opencybersecurityalliance/stix-shifter/pull/824)
+
+### Fixes:
+
+* use simple setup for mysql endpoints [#885](https://github.com/opencybersecurityalliance/stix-shifter/pull/885)
+* Mysql tablename fix [#868](https://github.com/opencybersecurityalliance/stix-shifter/pull/868)
+* RestApiClient in stix-shifter using https mount call [#864](https://github.com/opencybersecurityalliance/stix-shifter/pull/864)
+* Fixed StixObjectId conversion to string [#863](https://github.com/opencybersecurityalliance/stix-shifter/pull/863)
+* Fixed stix-validator 3.0.2 usage in translator [#851](https://github.com/opencybersecurityalliance/stix-shifter/pull/851)
+* remove process_user field mapping from windows-registry-key stix object [#850](https://github.com/opencybersecurityalliance/stix-shifter/pull/850)
+* Secret server 1.9 [#836](https://github.com/opencybersecurityalliance/stix-shifter/pull/836)
+* Fixed calculating and updating deterministic IDs and the… [#826](https://github.com/opencybersecurityalliance/stix-shifter/pull/826)
+
+
+--------------------------------------
+
+
+## 4.0.1 (2022-03-01)
+### Breaking changes:
+### Deprecations:
+### Changes:
+* CrowdStrike connector mapping update [#823](https://github.com/opencybersecurityalliance/stix-shifter/pull/823)
+
+### Fixes:
+### Dependency update:
+* Downgrade pyopenssl from 22.0.0 to 21.0.0
+
+--------------------------------------
+
+## 4.0.0 (2022-02-23)
+### Breaking changes:
+
+* Handling unmapped operators in stix pattern
+* Optimization of results translation 
+
+### Deprecations:
+
+### Changes:
+
+* Added New connector: Cybereason
+* Added Stix 2.1 ids and mapping update in [#731](https://github.com/opencybersecurityalliance/stix-shifter/pull/731) [#721](https://github.com/opencybersecurityalliance/stix-shifter/pull/721)
+* Added stix-shifter CLI parameters to configure max returned results and saving to a file in [#730](https://github.com/opencybersecurityalliance/stix-shifter/pull/730)
+* Azure Sentinel Mapping update in [710](https://github.com/opencybersecurityalliance/stix-shifter/pull/710)
+* Handling unmapped operators in stix pattern in [#744](https://github.com/opencybersecurityalliance/stix-shifter/pull/744)
+* Placeholder for datadog certificate in [#782](https://github.com/opencybersecurityalliance/stix-shifter/pull/782)
+* Proofpoint: Update labels in configuration in [792](https://github.com/opencybersecurityalliance/stix-shifter/pull/792)
+* Added Operator list in adapter guide in [#804](https://github.com/opencybersecurityalliance/stix-shifter/pull/804)
+* Splunk mapping update in [#797](https://github.com/opencybersecurityalliance/stix-shifter/pull/797)
+* Keep both helper description and the link description in [818](https://github.com/opencybersecurityalliance/stix-shifter/pull/818)
+* Optimization of results translation in [#718](https://github.com/opencybersecurityalliance/stix-shifter/pull/718)
+* QRadar mapping update in [#751](https://github.com/opencybersecurityalliance/stix-shifter/pull/751)
+
+
+### Fixes
+* Datadog ssl cert fix.[#758](https://github.com/opencybersecurityalliance/stix-shifter/pull/758)
+* cbcloud: fix ipv4 stix pattern translation [#761](https://github.com/opencybersecurityalliance/stix-shifter/pull/761)
+* fix configuration in proofpoint and sumologic [#745](https://github.com/opencybersecurityalliance/stix-shifter/pull/745)
+* Crowdstrike unittest fix [#775](https://github.com/opencybersecurityalliance/stix-shifter/pull/775)
+* Fix error reponse of ms defender connector [#747](https://github.com/opencybersecurityalliance/stix-shifter/pull/747)
+* fix: handling zero and non-zero values for the transformers [#774](https://github.com/opencybersecurityalliance/stix-shifter/pull/774)
+* Fix Proofpoint: avoid mapping error for standard STIX Pattern translation [#786](https://github.com/opencybersecurityalliance/stix-shifter/pull/786)
+* Proofpoint results connection fix [#739](https://github.com/opencybersecurityalliance/stix-shifter/pull/739)
+* Fix local build and install [#779](https://github.com/opencybersecurityalliance/stix-shifter/pull/779)
+* fix collections.abc warning [#793](https://github.com/opencybersecurityalliance/stix-shifter/pull/793)
+* fix instances of reserved STIX 2.1 id property [#819](https://github.com/opencybersecurityalliance/stix-shifter/pull/819)
+* Fix category in ecs to be list type [#734](https://github.com/opencybersecurityalliance/stix-shifter/pull/734)
+* fix debug cli param [#735](https://github.com/opencybersecurityalliance/stix-shifter/pull/735)
+* fix azure sentinel: Incorrect string conversion of datasource values [#771](https://github.com/opencybersecurityalliance/stix-shifter/pull/771)
+
+### Dependency update
+* Bump stix2-patterns from 1.3.0 to 1.3.2 
+* Bump flatten-json from 0.1.7 to 0.1.13
+* Bump flask from 1.1.2 to 2.0.3
+* Bump python-dateutil from 2.8.1 to 2.8.2
+* Bump jsonmerge from 1.7.0 to 1.8.0
+* Bump colorlog from 4.1.0 to 6.6.0
+* Bump adal from 1.2.2 to 1.2.7
+* Bump pyopenssl from 20.0.1 to 22.0.0
+* Bump stix2-validator from 1.1.2 to 3.0.2
+* Bump boto3 from 1.17.20 to 1.21.5## 4.0.0 (2022-02-23)

OVERVIEW.md

@@ -152,10 +152,11 @@ List updated: October 29, 2021
 |       [Datadog](adapter-guide/connectors/datadog_supported_stix.md)       |    datadog    |  Default   | GS Lab |     Yes     |     Yes      |   Released    |
 |       [Infoblox BloxOne Threat Defense](adapter-guide/connectors/infoblox_supported_stix.md)       |    infoblox    |  Default   | Infoblox |     Yes     |     Yes      |   Released    |
 |       [Proofpoint (SIEM API)](adapter-guide/connectors/proofpoint_supported_stix.md)       |    proofpoint    |  Default   | IBM Security |     Yes     |     Yes      |   Released    |
-
-
-
-
+|       [Cybereason](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/cybereason_supported_stix.md)                        | cybereason              | Default    | IBM Security | Yes         | Yes          | Released     |
+|       [Palo Alto Cortex XDR](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/paloalto_supported_stix.md)                        | paloalto              | Default    | IBM Security | Yes         | Yes          | Released     |
+|       [SentinelOne](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/sentinelone_supported_stix.md)                        | sentinelone              | Default    | IBM Security | Yes         | Yes          | Released     |
+|       [Darktrace](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/darktrace_supported_stix.md)                           | darktrace              | Default    | IBM Security | Yes         | Yes          | Released     |
+|       [IBM Security ReaQta](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/reaqta_supported_stix.md)                           | reaqta             | Default    | IBM Security | Yes         | Yes          | Released     |
 
 
 ## How to use
@@ -224,7 +225,7 @@ _pattern.txt_
 
 `python main.py translate qradar query '{}' '' < /path/to/file/pattern.txt`
 
-### 2. Translate a JSON data source query result to a STIX bundle of observable objects
+### 2. Translate a JSON data source query result to a STIX 2.0 bundle of observable objects
 
 #### INPUT: JSON data source query result
 
@@ -241,13 +242,14 @@ _pattern.txt_
 ]
 ```
 
-#### OUTPUT: STIX bundle of observable objects
+#### OUTPUT: STIX 2.0 bundle of observable objects
 
 ```
 # STIX Observables
 {
     "type": "bundle",
     "id": "bundle--2042a6e9-7f34-4a03-a745-502e358594c3",
+    "spec_version": "2.0",
     "objects": [
         {
             "type": "identity",
@@ -296,15 +298,38 @@ Alternatively, you can run the CLI commands from the source. Open a terminal and
 
 The module name refers to the name of the folder in stix-shifter that contains the connector code. The current module names can be found in the [Available Connectors](#available-connectors) table above. The STIX Identity object represents the data source and is passed in to allow stix-shifter to create a reference between the data source and the generated STIX observed objects.
 
-Using the Qradar connector as an example:
+Using the QRadar connector as an example:
+
+```
+python main.py translate qradar results \
+'{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events"}' \
+'[{"sourceip": "192.0.2.0", "filename": "someFile.exe", "sourceport": "0123", "username": "root"}]'
+```
+
+### Translating results into STIX 2.1
+
+By default, JSON results are translated into STIX 2.0. To return STIX 2.1 results include `'{"stix_2.1": true}'` in the CLI command
 
 ```
 python main.py translate qradar results \
 '{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events"}' \
-'[{"sourceip": "192.0.2.0", "filename": "someFile.exe", "sourceport": "0123", "username": "root"}]' --stix-validator
+'[{"sourceip": "192.0.2.0", "filename": "someFile.exe", "sourceport": "0123", "username": "root"}]' '{"stix_2.1": true}'
 ```
 
-The `--stix-validator` flag at the end will run validation on the returned STIX objects to ensure they conform to the STIX 2 standard. Alternatively, `'{ "stix_validator": true }'` can be passed in at the end as an options dictionary.
+
+### Validating translated STIX 2.1 bundle from the CLI
+
+You can validate translated STIX results from the CLI provided they conform to the 2.1 standard. The `--stix-validator` flag at the end will run validation on the returned STIX objects to ensure they conform to the STIX 2.1 standard. Alternatively, `'{ "stix_validator": true }'` can be passed in at the end as an options dictionary.
+
+```
+python main.py translate qradar results \
+'{"type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events"}' \
+'[{"sourceip": "192.0.2.0", "filename": "someFile.exe", "sourceport": "0123", "username": "root"}]' '{"stix_2.1": true, "stix_validator: true}'
+```
+
+### Validating STIX 2.0 and 2.1 bundles with the validator script
+
+Refer to the [STIX validator](bundle_validator/README.md)
 
 ### Results translation using an input file
 
@@ -506,9 +531,21 @@ The `execute` command tests all steps of the translation-transmission flow:
 
 ### Debug
 
-You can add `--debug` option at the end of your CLI command to see more logs. 
+You can add the `--debug` option to your CLI command to see more logs. 
+
+`stix-shifter --debug execute <TRANSMISSION MODULE NAME> <TRANSLATION MODULE NAME> '<STIX IDENTITY OBJECT>' '<CONNECTION OBJECT>' '<CONFIGURATION OBJECT>' '<STIX PATTERN>'` 
+
+### Change max returned results
+
+You can add the `--results` option with an integer value at the end of your CLI command to limit the maximum number of returned search results (default 10).
+
+`stix-shifter execute <TRANSMISSION MODULE NAME> <TRANSLATION MODULE NAME> '<STIX IDENTITY OBJECT>' '<CONNECTION OBJECT>' '<CONFIGURATION OBJECT>' '<STIX PATTERN>' --results 50`
+
+### Save the STIX results to a file
+
+You can redirect the output of your CLI command to a file to save the STIX results.
 
-`stix-shifter execute <TRANSMISSION MODULE NAME> <TRANSLATION MODULE NAME> '<STIX IDENTITY OBJECT>' '<CONNECTION OBJECT>' '<CONFIGURATION OBJECT>' '<STIX PATTERN>' --debug` 
+`stix-shifter execute <TRANSMISSION MODULE NAME> <TRANSLATION MODULE NAME> '<STIX IDENTITY OBJECT>' '<CONNECTION OBJECT>' '<CONFIGURATION OBJECT>' '<STIX PATTERN>' > results.json`
 
 ## Modules