Adding GCP Chronicle UDI Connector (#1075)

stix_shifter_modules/gcp_chronicle/configuration/config.json

@@ -0,0 +1,27 @@
+{
+	"connection": {
+		"type": {
+			"displayName": "Google Chronicle Security"
+		},
+		"host": {
+			"type": "text",
+			"regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$"
+		},
+		"help": {
+			"type": "link",
+			"default": "data-sources.html"
+		},
+		"selfSignedCert": {
+			"type": "password"
+		}
+	},
+	"configuration": {
+		"auth": {
+			"type": "fields",
+			"client_email": {
+				"type": "password"
+			}
+
+		}
+	}
+}

stix_shifter_modules/gcp_chronicle/configuration/lang_en.json

@@ -0,0 +1,24 @@
+{
+    "connection": {
+        "host": {
+            "label": "Management IP address or Hostname",
+            "description": "Specify the IP address or  hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+        },
+        "help": {
+            "label": "Need additional help?",
+            "description": "More details on the data source setting can be found in the specified link"
+        },
+         "selfSignedCert": {
+                "label": "Private Key (Required)",
+                "description": "Private Key is a mandatory authentication parameter to communicate with the GCP Chronicle security datasource."
+            }
+    },
+    "configuration": {
+        "auth": {
+            "client_email": {
+                "label": "Client Email",
+                "description": "Client Email used in authentication to make API calls"
+            }
+        }
+    }
+}

stix_shifter_modules/gcp_chronicle/entry_point.py

@@ -0,0 +1,14 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(True)
+        if connection:
+            self.setup_transmission_simple(connection, configuration)
+
+        self.setup_translation_simple(dialect_default='default')
+
+

stix_shifter_modules/gcp_chronicle/requirements.txt

@@ -0,0 +1 @@
+google-api-python-client==2.52.0

stix_shifter_modules/gcp_chronicle/stix_translation/json/config_map.json

@@ -0,0 +1,266 @@
+{
+	"int_supported_fields": [
+		"src.port",
+		"principal.port",
+		"target.port",
+		"network.received_bytes",
+		"network.sent_bytes",
+		"network.dns.id",
+		"network.session_duration.seconds",
+		"network.dns.opcode",
+		"network.dns.response_code",
+		"network.dns.questions.class",
+		"network.dns.questions.type",
+		"network.dhcp.transaction_id",
+		"network.http.response_code",
+		"src.file.size",
+		"target.file.size",
+		"about.file.size",
+		"src.process.file.size",
+		"target.process.file.size",
+		"principal.process.file.size"
+	],
+	"timestamp_supported_fields": [
+		"src.file.last_modification_time.seconds",
+		"target.file.last_modification_time.seconds",
+		"src.process.file.last_modification_time.seconds",
+		"target.process.file.last_modification_time.seconds",
+		"principal.process.file.last_modification_time.seconds",
+		"about.file.last_modification_time.seconds",
+		"network.tls.server.certificate.not_before.seconds",
+		"network.tls.client.certificate.not_before.seconds",
+		"network.tls.server.certificate.not_after.seconds",
+		"network.tls.client.certificate.not_after.seconds",
+		"metadata.event_timestamp.seconds"
+	],
+	"mac_supported_fields": [
+		"src.mac",
+		"target.mac",
+		"principal.mac"
+	],
+	"email_supported_fields": [
+		"security_result.about.email",
+		"principal.user.email_addresses",
+		"src.user.email_addresses",
+		"target.user.email_addresses",
+		"network.email.from",
+		"network.email.to",
+		"network.email.cc",
+		"network.email.bcc"
+	],
+	"enum_supported_fields": [
+		"network.ip_protocol",
+		"network.application_protocol",
+		"network.dhcp.opcode",
+		"network.dhcp.type",
+		"src.user.account_type",
+		"target.user.account_type",
+		"principal.user.account_type",
+		"src.file.file_type",
+		"target.file.file_type",
+		"src.process.file.file_type",
+		"about.file.file_type",
+		"target.process.file.file_type",
+		"principal.process.file.file_type",
+		"metadata.event_type",
+		"src.resource.resource_type",
+		"target.resource.resource_type",
+		"principal.resource.resource_type",
+		"src.resource.attribute.cloud.environment",
+		"target.resource.attribute.cloud.environment",
+		"principal.resource.attribute.cloud.environment",
+		"security_result.action",
+		"security_result.severity",
+		"security_result.alert_state",
+		"security_result.category",
+		"security_result.threat_status",
+		"principal.asset.type",
+		"src.asset.platform_software.platform",
+		"target.asset.platform_software.platform",
+		"principal.asset.platform_software.platform",
+		"src.asset.attribute.cloud.environment",
+		"target.asset.attribute.cloud.environment",
+		"principal.asset.attribute.cloud.environment",
+		"network.direction"
+	],
+	"enum_supported_values": {
+		"ip_protocol": [
+			"UNKNOWN_IP_PROTOCOL", "EIGRP", "ESP", "ETHERIP", "GRE", "ICMP", "IGMP",
+			"IP6IN4", "PIM", "TCP", "UDP", "VRRP"
+		],
+		"application_protocol": [
+			"UNKNOWN_APPLICATION_PROTOCOL", "AFP", "APPC", "AMQP", "ATOM", "BEEP", "BITCOIN",
+			"BIT_TORRENT", "CFDP", "COAP", "DDS", "DEVICE_NET", "DHCP", "DNS", "E_DONKEY", "ENRP",
+			"FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOPHER", "HL7", "H323", "HTTP", "HTTPS",
+			"IRCP", "KADEMLIA", "LDAP", "LPD", "MIME", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS",
+			"NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC",
+			"RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNTP", "SSH",
+			"SSMS", "STYX", "TCAP", "TDS", "TOR", "TSP", "VTP", "WHOIS", "WEB_DAV", "X400", "X500",
+			"XMPP"
+		],
+		"opcode": ["UNKNOWN_OPCODE", "BOOTREQUEST", "BOOTREPLY"],
+		"network.dhcp.type": [
+			"UNKNOWN_MESSAGE_TYPE", "DISCOVER", "OFFER", "REQUEST", "DECLINE", "ACK", "NAK", "RELEASE",
+			"INFORM", "WIN_DELETED", "WIN_EXPIRED"
+		],
+		"account_type": [
+			"ACCOUNT_TYPE_UNSPECIFIED", "DOMAIN_ACCOUNT_TYPE", "LOCAL_ACCOUNT_TYPE",
+			"CLOUD_ACCOUNT_TYPE", "SERVICE_ACCOUNT_TYPE", "DEFAULT_ACCOUNT_TYPE"
+		],
+		"file_type": [
+			"FILE_TYPE_UNSPECIFIED", "FILE_TYPE_PE_EXE", "FILE_TYPE_PE_DLL", "FILE_TYPE_MSI",
+			"FILE_TYPE_NE_EXE", "FILE_TYPE_NE_DLL", "FILE_TYPE_DOS_EXE", "FILE_TYPE_DOS_COM",
+			"FILE_TYPE_COFF", "FILE_TYPE_ELF", "FILE_TYPE_LINUX_KERNEL", "FILE_TYPE_RPM",
+			"FILE_TYPE_LINUX", "FILE_TYPE_MACH_O", "FILE_TYPE_JAVA_BYTECODE", "FILE_TYPE_DMG",
+			"FILE_TYPE_DEB", "FILE_TYPE_PKG", "FILE_TYPE_LNK", "FILE_TYPE_JPEG", "FILE_TYPE_TIFF",
+			"FILE_TYPE_GIF", "FILE_TYPE_PNG", "FILE_TYPE_BMP", "FILE_TYPE_GIMP", "FILE_TYPE_IN_DESIGN",
+			"FILE_TYPE_PSD", "FILE_TYPE_TARGA", "FILE_TYPE_XWD", "FILE_TYPE_DIB", "FILE_TYPE_JNG",
+			"FILE_TYPE_ICO", "FILE_TYPE_FPX", "FILE_TYPE_EPS", "FILE_TYPE_SVG", "FILE_TYPE_EMF",
+			"FILE_TYPE_WEBP", "FILE_TYPE_OGG", "FILE_TYPE_FLC", "FILE_TYPE_FLI", "FILE_TYPE_MP3",
+			"FILE_TYPE_FLAC", "FILE_TYPE_WAV", "FILE_TYPE_MIDI", "FILE_TYPE_AVI", "FILE_TYPE_MPEG",
+			"FILE_TYPE_QUICKTIME", "FILE_TYPE_ASF", "FILE_TYPE_DIVX", "FILE_TYPE_FLV", "FILE_TYPE_WMA",
+			"FILE_TYPE_WMV", "FILE_TYPE_RM", "FILE_TYPE_MOV", "FILE_TYPE_MP4", "FILE_TYPE_T3GP",
+			"FILE_TYPE_PDF", "FILE_TYPE_PS", "FILE_TYPE_DOC", "FILE_TYPE_DOCX", "FILE_TYPE_PPT",
+			"FILE_TYPE_PPTX", "FILE_TYPE_PPSX", "FILE_TYPE_XLS", "FILE_TYPE_XLSX", "FILE_TYPE_RTF",
+			"FILE_TYPE_ODP", "FILE_TYPE_ODS", "FILE_TYPE_ODT", "FILE_TYPE_HWP", "FILE_TYPE_GUL",
+			"FILE_TYPE_ODF", "FILE_TYPE_ODG", "FILE_TYPE_EBOOK", "FILE_TYPE_LATEX", "FILE_TYPE_TTF",
+			"FILE_TYPE_EOT", "FILE_TYPE_WOFF", "FILE_TYPE_CHM", "FILE_TYPE_ZIP", "FILE_TYPE_GZIP",
+			"FILE_TYPE_BZIP", "FILE_TYPE_RZIP", "FILE_TYPE_DZIP", "FILE_TYPE_SEVENZIP", "FILE_TYPE_CAB",
+			"FILE_TYPE_JAR", "FILE_TYPE_RAR", "FILE_TYPE_MSCOMPRESS", "FILE_TYPE_ACE", "FILE_TYPE_ARC",
+			"FILE_TYPE_ARJ", "FILE_TYPE_ASD", "FILE_TYPE_BLACKHOLE", "FILE_TYPE_KGB", "FILE_TYPE_ZLIB",
+			"FILE_TYPE_TAR", "FILE_TYPE_TEXT", "FILE_TYPE_SCRIPT", "FILE_TYPE_PHP", "FILE_TYPE_PYTHON",
+			"FILE_TYPE_PERL", "FILE_TYPE_RUBY", "FILE_TYPE_C", "FILE_TYPE_CPP", "FILE_TYPE_JAVA",
+			"FILE_TYPE_SHELLSCRIPT", "FILE_TYPE_PASCAL", "FILE_TYPE_AWK", "FILE_TYPE_DYALOG",
+			"FILE_TYPE_FORTRAN", "FILE_TYPE_JAVASCRIPT", "FILE_TYPE_POWERSHELL", "FILE_TYPE_VBA",
+			"FILE_TYPE_SYMBIAN", "FILE_TYPE_PALMOS", "FILE_TYPE_WINCE", "FILE_TYPE_ANDROID",
+			"FILE_TYPE_IPHONE", "FILE_TYPE_HTML", "FILE_TYPE_XML", "FILE_TYPE_SWF", "FILE_TYPE_FLA",
+			"FILE_TYPE_COOKIE", "FILE_TYPE_TORRENT", "FILE_TYPE_EMAIL_TYPE", "FILE_TYPE_OUTLOOK",
+			"FILE_TYPE_CAP", "FILE_TYPE_ISOIMAGE", "FILE_TYPE_APPLE", "FILE_TYPE_MACINTOSH",
+			"FILE_TYPE_APPLESINGLE", "FILE_TYPE_APPLEDOUBLE", "FILE_TYPE_MACINTOSH_HFS",
+			"FILE_TYPE_APPLE_PLIST", "FILE_TYPE_MACINTOSH_LIB", "FILE_TYPE_APPLESCRIPT",
+			"FILE_TYPE_APPLESCRIPT_COMPILED", "FILE_TYPE_CRX", "FILE_TYPE_XPI", "FILE_TYPE_ROM"
+		],
+		"event_type": [
+			"EVENTTYPE_UNSPECIFIED", "PROCESS_UNCATEGORIZED", "PROCESS_LAUNCH", "PROCESS_INJECTION",
+			"PROCESS_PRIVILEGE_ESCALATION", "PROCESS_TERMINATION", "PROCESS_OPEN",
+			"PROCESS_MODULE_LOAD", "REGISTRY_UNCATEGORIZED", "REGISTRY_CREATION",
+			"REGISTRY_MODIFICATION", "REGISTRY_DELETION", "SETTING_UNCATEGORIZED", "SETTING_CREATION",
+			"SETTING_MODIFICATION", "SETTING_DELETION", "MUTEX_UNCATEGORIZED", "MUTEX_CREATION",
+			"FILE_UNCATEGORIZED", "FILE_CREATION", "FILE_DELETION", "FILE_MODIFICATION", "FILE_READ",
+			"FILE_COPYFILE_OPEN", "FILE_MOVE", "FILE_SYNCUSER_UNCATEGORIZED", "USER_LOGIN",
+			"USER_LOGOUT", "USER_CREATION", "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS",
+			"USER_BADGE_IN", "USER_DELETION", "USER_RESOURCE_CREATION",
+			"USER_RESOURCE_UPDATE_CONTENT", "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_COMMUNICATION",
+			"USER_RESOURCE_ACCESS", "USER_RESOURCE_DELETION", "GROUP_UNCATEGORIZED", "GROUP_CREATION",
+			"GROUP_DELETION", "GROUP_MODIFICATION", "EMAIL_UNCATEGORIZED", "EMAIL_TRANSACTION",
+			"NETWORK_UNCATEGORIZED", "NETWORK_FLOW",
+			"NETWORK_CONNECTION", "NETWORK_FTP", "NETWORK_DHCP", "NETWORK_DNS", "NETWORK_HTTP",
+			"NETWORK_SMTP", "STATUS_UNCATEGORIZED", "STATUS_HEARTBEAT", "STATUS_STARTUP",
+			"STATUS_SHUTDOWN", "STATUS_UPDATE", "SCAN_UNCATEGORIZED", "SCAN_FILE",
+			"SCAN_PROCESS", "SCAN_HOST", "SCAN_VULN_HOST",
+			"SCAN_VULN_NETWORK", "SCAN_NETWORK", "SCHEDULED_TASK_UNCATEGORIZED",
+			"SCHEDULED_TASK_CREATION", "SCHEDULED_TASK_DELETION", "SCHEDULED_TASK_ENABLE",
+			"SCHEDULED_TASK_DISABLE", "SCHEDULED_TASK_MODIFICATION", "SYSTEM_AUDIT_LOG_UNCATEGORIZED",
+			"SYSTEM_AUDIT_LOG_WIPE", "SERVICE_UNSPECIFIED", "SERVICE_CREATION", "SERVICE_DELETION",
+			"SERVICE_START", "SERVICE_STOP", "SERVICE_MODIFICATION", "GENERIC_EVENT",
+			"RESOURCE_CREATION", "RESOURCE_DELETION", "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ",
+			"RESOURCE_WRITTEN", "ANALYST_UPDATE_VERDICT", "ANALYST_UPDATE_REPUTATION",
+			"ANALYST_UPDATE_SEVERITY_SCORE", "ANALYST_UPDATE_STATUS", "ANALYST_ADD_COMMENT"
+		],
+		"resource_type": [
+			"UNSPECIFIED", "MUTEX", "TASK", "PIPE", "DEVICE", "FIREWALL_RULE",
+			"MAILBOX_FOLDER", "VPC_NETWORK", "VIRTUAL_MACHINE", "STORAGE_BUCKET",
+			"STORAGE_OBJECT", "DATABASE", "TABLE", "CLOUD_PROJECT", "CLOUD_ORGANIZATION",
+			"ACCESS_POLICY", "CLUSTER", "SETTING", "DATASET", "BACKEND_SERVICE"
+		],
+		"action": ["UNKNOWN_ACTION", "ALLOW", "BLOCK", "ALLOW_WITH_MODIFICATION", "QUARANTINE", "FAIL"],
+		"severity": ["16","32","48","64","80","100"],
+		"alert_state": ["UNSPECIFIED", "NOT_ALERTING", "ALERTING"],
+		"category": ["THREAT", "VIOLATION", "POLICY", "ALERT"],
+		"threat_status": ["THREAT_STATUS_UNSPECIFIED", "ACTIVE", "CLEARED", "FALSE_POSITIVE"],
+		"type": [
+			"ROLE_UNSPECIFIED", "WORKSTATION", "LAPTOP", "IOT", "NETWORK_ATTACHED_STORAGE", "PRINTER", "SCANNER",
+			"SERVER", "TAPE_LIBRARY", "MOBILE"
+		],
+		"platform": [
+			"UNKNOWN_PLATFORM", "WINDOWS", "MAC", "LINUX"
+		],
+		"environment": [
+			"UNSPECIFIED_CLOUD_ENVIRONMENT", "GOOGLE_CLOUD_PLATFORM", "AMAZON_WEB_SERVICES", "MICROSOFT_AZURE"
+		],
+		"direction": [
+			"UNKNOWN_DIRECTION", "INBOUND", "OUTBOUND", "BROADCAST"
+		]
+	},
+	"list_type_fields": [
+		"src.ip",
+		"target.ip",
+		"principal.ip",
+		"src.mac",
+		"target.mac",
+		"principal.mac",
+		"network.smtp.server_response",
+		"security_result.about.email",
+		"security_result.about.url",
+		"principal.user.email_addresses",
+		"src.user.email_addresses",
+		"target.user.email_addresses",
+		"network.email.to",
+		"network.email.cc",
+		"network.email.bcc",
+		"security_result.threat_name",
+		"security_result.rule_name",
+		"security_result.summary",
+		"security_result.threat_id",
+		"security_result.description",
+		"network.dns.questions.name",
+		"network.email.subject",
+		"src.asset.software.name",
+		"target.asset.software.name",
+		"principal.asset.software.name",
+		"src.asset.software.version",
+		"target.asset.software.version",
+		"principal.asset.software.version",
+		"security_result.action",
+		"security_result.severity",
+		"security_result.alert_state",
+		"security_result.category",
+		"security_result.threat_status",
+		"network.dns.questions.class",
+		"network.dns.questions.type",
+		"principal.asset.hardware.cpu_platform",
+		"principal.asset.hardware.manufacturer",
+		"principal.asset.hardware.serial_number"
+	],
+	"regex_formatting_fields": [
+		"src.file.full_path",
+		"target.file.full_path",
+		"src.process.file.full_path",
+		"target.process.file.full_path",
+		"principal.process.file.full_path",
+		"target.process.parent_process.file.full_path",
+		"principal.process.parent_process.file.full_path",
+		"about.file.full_path"
+	],
+	"security_result_conversion_fields": {
+		"security_result.severity": {
+			"16": "INFORMATIONAL",
+			"32": "ERROR",
+			"48": "LOW",
+			"64": "MEDIUM",
+			"80": "HIGH",
+			"100": "CRITICAL"
+		},
+		"security_result.category": {
+			"ALERT": ["SOFTWARE_SUSPICIOUS", "NETWORK_SUSPICIOUS", "NETWORK_CATEGORIZED_CONTENT",
+				"NETWORK_DENIAL_OF_SERVICE", "NETWORK_RECON", "NETWORK_COMMAND_AND_CONTROL", "EXPLOIT",
+				"DATA_EXFILTRATION", "DATA_AT_REST", "DATA_DESTRUCTION"
+			],
+			"POLICY": ["POLICY_VIOLATION"],
+			"VIOLATION": ["ACL_VIOLATION", "AUTH_VIOLATION"],
+			"THREAT": ["SOFTWARE_MALICIOUS", "SOFTWARE_PUA", "NETWORK_MALICIOUS", "MAIL_SPAM", "MAIL_PHISHING",
+				"MAIL_SPOOFING"
+			]
+		}
+	}
+}