Resolved issues found during integration testing. Also updating the l…

…ocal deployment docker file. (#1721) * Resolved some issues with the Tanium image. Signed-off-by: DerekRushton <[email protected]> * Tanium test fixed and stix2.1 Signed-off-by: DerekRushton <[email protected]> --------- Signed-off-by: DerekRushton <[email protected]>
opencybersecurityalliance · Aug 15, 2024 · 6b19a23 · 6b19a23
1 parent ab5ec39
commit 6b19a23
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 90 deletions.
diff --git a/deployment/ibm_cloud_pak_for_security/Dockerfile b/deployment/ibm_cloud_pak_for_security/Dockerfile
@@ -1,12 +1,11 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal
+FROM registry.access.redhat.com/ubi9/ubi-minimal
 ARG APP
 ARG VERSION
 
 USER root
 
 RUN microdnf update -y && rm -fr /var/cache/yum && \
-    microdnf update -y gnutls systemd kernel-headers && \
-    microdnf install --nodocs python3 python3-devel unzip openssl && \
+    microdnf install -y --nodocs python3 unzip openssl python3-pip && \
     rm -fr /var/cache/yum && microdnf update -y && rm -rf /var/cache/yum && \
     microdnf clean all
 

diff --git a/stix_shifter_modules/tanium/configuration/config.json b/stix_shifter_modules/tanium/configuration/config.json
@@ -14,14 +14,20 @@
             "min": 1,
             "max": 65535
         },
+        "help": {
+            "type": "link",
+            "default": "data-sources.html"
+        },
         "options": {
             "unmapped_fallback": {
-                "default": true
+                "type": "boolean",
+                "default": false
             }
         }
     },
     "configuration": {
         "auth": {
+            "type": "fields",
             "accessToken": {
                 "type": "password"
             }

diff --git a/stix_shifter_modules/tanium/configuration/lang_en.json b/stix_shifter_modules/tanium/configuration/lang_en.json
@@ -7,6 +7,10 @@
         "port": {
             "label": "Host port",
             "description": "Set the port number that is associated with the hostname or IP address"
+        },
+        "help": {
+            "label": "Need additional help?",
+            "description": "More details on the data source setting can be found in the specified link"
         }
     },
     "configuration": {

diff --git a/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json
@@ -287,10 +287,6 @@
             "key": "x-ibm-finding.x_finding_source_name",
             "object": "alert"
           },
-          "intel_intra_ids": {
-            "key": "x-ibm-finding.x_finding_intel_intra_ids",
-            "object": "alert"
-          },
           "artifact_activity": {
             "acting_artifact": {
               "process": {
@@ -783,7 +779,7 @@
     },
     "alertedAt": [
       {
-        "key": "x-ibm-finding.x_alertedAt",
+        "key": "x-ibm-finding.x_alerted_at",
         "object": "alert"
       }
     ],
@@ -940,35 +936,35 @@
         "object": "alert"
       },
       "unresolvedAlertCount": {
-        "key": "x-tanium-inteldocument.unresolvedAlertCount",
+        "key": "x-tanium-inteldocument.unresolved_alert_count",
         "object": "intel-document"
       },
       "customHash": {
-        "key": "x-tanium-inteldocument.customHash",
+        "key": "x-tanium-inteldocument.custom_hash",
         "object": "intel-document"
       },
       "throttledFindingCount": {
-        "key": "x-tanium-inteldocument.throttledFindingCount",
+        "key": "x-tanium-inteldocument.throttled_finding_count",
         "object": "intel-document"
       },
       "allowAutoDisable": {
-        "key": "x-tanium-inteldocument.allowAutoDisable",
+        "key": "x-tanium-inteldocument.allow_auto_disable",
         "object": "intel-document"
       },
       "disabled": {
         "key": "x-tanium-inteldocument.disabled",
         "object": "intel-document"
       },
       "disabledEndpointCount": {
-        "key": "x-tanium-inteldocument.disabledEndpointCount",
+        "key": "x-tanium-inteldocument.disabled_endpoint_count",
         "object": "intel-document"
       },
       "firstDeploymentTimestamp": {
-        "key": "x-tanium-inteldocument.firstDeploymentTimestamp",
+        "key": "x-tanium-inteldocument.first_deployment_timestamp",
         "object": "intel-document"
       },
       "lastDeploymentTimestamp": {
-        "key": "x-tanium-inteldocument.lastDeploymentTimestamp",
+        "key": "x-tanium-inteldocument.last_deployment_timestamp",
         "object": "intel-document"
       },
       "status": {

diff --git a/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
@@ -218,13 +218,6 @@
               "object": "processFile",
               "references": "processFileDirectory"
             },
-            {
-              "key": "directory.contains_refs",
-              "object": "processFileDirectory",
-              "references": [
-                "processFile"
-              ]
-            },
             {
               "key": "process.binary_ref",
               "object": "process",
@@ -241,11 +234,6 @@
             "key": "process.parent_ref",
             "object": "process",
             "references": "parent-process"
-          },
-          {
-            "key": "process.child_ref",
-            "object": "parent-process",
-            "references": "process"
           }
         ],
         "start_time": {
@@ -292,10 +280,6 @@
           "key": "x-ibm-finding.x_finding_source_name",
           "object": "alert"
         },
-        "intel_intra_ids": {
-          "key": "x-ibm-finding.x_finding_intel_intra_ids",
-          "object": "alert"
-        },
         "artifact_activity": {
           "acting_artifact": {
             "process": {
@@ -366,13 +350,6 @@
                       "object": "processFileDirectory",
                       "transformer": "ProcessCWDPathTransformer"
                     },
-                    {
-                      "key": "directory.contains_refs",
-                      "object": "processFileDirectory",
-                      "references": [
-                        "processFile"
-                      ]
-                    },
                     {
                       "key": "file.parent_directory_ref",
                       "object": "processFile",
@@ -429,11 +406,6 @@
                       "key": "x-oca-event.parent_process_ref",
                       "object": "event",
                       "references": "process"
-                    },
-                    {
-                      "key": "process.child_ref",
-                      "object": "parent-process",
-                      "references": "process"
                     }
                   ],
                   "arguments": {
@@ -486,13 +458,6 @@
                           "object": "parent-processFileDirectory",
                           "transformer": "ProcessCWDPathTransformer"
                         },
-                        {
-                          "key": "directory.contains_refs",
-                          "object": "parent-processFileDirectory",
-                          "references": [
-                            "parent-processFile"
-                          ]
-                        },
                         {
                           "key": "file.parent_directory_ref",
                           "object": "parent-processFile",
@@ -595,13 +560,6 @@
                     "object": "file-directory-action",
                     "transformer": "ProcessCWDPathTransformer"
                   },
-                  {
-                    "key": "directory.contains_refs",
-                    "object": "file-directory-action",
-                    "references": [
-                      "file-action"
-                    ]
-                  },
                   {
                     "key": "file.parent_directory_ref",
                     "object": "file-action",
@@ -663,13 +621,6 @@
                       "object": "file-directory-action",
                       "transformer": "ProcessCWDPathTransformer"
                     },
-                    {
-                      "key": "directory.contains_refs",
-                      "object": "file-directory-action",
-                      "references": [
-                        "file-action"
-                      ]
-                    },
                     {
                       "key": "file.parent_directory_ref",
                       "object": "file-action",
@@ -788,7 +739,7 @@
   },
   "alertedAt": [
     {
-      "key": "x-ibm-finding.x_alertedAt",
+      "key": "x-ibm-finding.x_alerted_at",
       "object": "alert"
     }
   ],
@@ -945,35 +896,35 @@
       "object": "alert"
     },
     "unresolvedAlertCount": {
-      "key": "x-tanium-inteldocument.unresolvedAlertCount",
+      "key": "x-tanium-inteldocument.unresolved_alert_count",
       "object": "intel-document"
     },
     "customHash": {
-      "key": "x-tanium-inteldocument.customHash",
+      "key": "x-tanium-inteldocument.custom_hash",
       "object": "intel-document"
     },
     "throttledFindingCount": {
-      "key": "x-tanium-inteldocument.throttledFindingCount",
+      "key": "x-tanium-inteldocument.throttled_finding_count",
       "object": "intel-document"
     },
     "allowAutoDisable": {
-      "key": "x-tanium-inteldocument.allowAutoDisable",
+      "key": "x-tanium-inteldocument.allow_auto_disable",
       "object": "intel-document"
     },
     "disabled": {
       "key": "x-tanium-inteldocument.disabled",
       "object": "intel-document"
     },
     "disabledEndpointCount": {
-      "key": "x-tanium-inteldocument.disabledEndpointCount",
+      "key": "x-tanium-inteldocument.disabled_endpoint_count",
       "object": "intel-document"
     },
     "firstDeploymentTimestamp": {
-      "key": "x-tanium-inteldocument.firstDeploymentTimestamp",
+      "key": "x-tanium-inteldocument.first_deployment_timestamp",
       "object": "intel-document"
     },
     "lastDeploymentTimestamp": {
-      "key": "x-tanium-inteldocument.lastDeploymentTimestamp",
+      "key": "x-tanium-inteldocument.last_deployment_timestamp",
       "object": "intel-document"
     },
     "status": {

diff --git a/stix_shifter_modules/tanium/stix_transmission/connector.py b/stix_shifter_modules/tanium/stix_transmission/connector.py
@@ -44,20 +44,17 @@ async def create_results_connection(self, query, offset, length):
         self.current_offset = offset
 
         #This can be any value up to 500.
-        max_per_query_length = 500
-
-        if(length < max_per_query_length):
-            per_query_length = length
+        per_query_length = min(500, length)
 
         try:
-            results = await self.get_results(per_query_length, query, self.current_offset) 
+            results = await self.get_results(per_query_length, query, self.current_offset)
+
             #Are we done?
             while(len(self.final_results) < length and len(results) > 0):
                 results = await self.get_results(per_query_length, query, self.current_offset)
-                
+
             self.return_obj["data"] = self.final_results
             self.return_obj['success'] = True
-
         except Exception as err:
             self.logger.error(f'error when connecting to the Tanium datasource {self.return_obj["error"]}:')
         return self.return_obj

diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py
@@ -144,6 +144,9 @@ def _test_against_sample_data(self, result_bundle_object, type_name):
                 self.x_tanium_inteldocument(result_bundle_object)
             elif(type_name == 'x-compiled-terms'):
                 self.x_compiled_terms(result_bundle_object)
+            elif(type_name == 'x-Tanium'):
+                #Unmapped fields aren't necessarily an error (In this case they map be duplicates)
+                self.x_tanium(result_bundle_object)
             else:
                 raise   
         except:
@@ -181,7 +184,7 @@ def _test_against_sample_data_stix21(self, result_bundle_object, type_name):
                 self.x_compiled_terms(result_bundle_object)
             elif(type_name == 'x-Tanium'):
                 #Unmapped fields aren't necessarily an error (In this case they map be duplicates)
-                return
+                self.x_tanium(result_bundle_object)
             else:
                 raise   
         except:
@@ -232,7 +235,7 @@ def alert_asserts(self, result_bundle_object):
         assert result_bundle_object["x_config_id"] == 2
         assert result_bundle_object["x_path"] == 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
         assert result_bundle_object["x_received_at"] == '2023-10-16T12:29:34.609Z'
-        assert result_bundle_object["x_alertedAt"] == "2023-10-16T12:26:51.000Z"
+        assert result_bundle_object["x_alerted_at"] == "2023-10-16T12:26:51.000Z"
         assert result_bundle_object["x_acked_at"] == "2023-10-16T12:38:03.961Z"
         assert result_bundle_object["x_first_eid_resolution_attempt"] == "2023-10-16T12:29:37.091Z"
         assert result_bundle_object["x_intel_doc_ref"] is not None
@@ -249,7 +252,6 @@ def alert_asserts(self, result_bundle_object):
         assert result_bundle_object["x_match_recorder_id"] == "3994044258139188996"
 
         assert result_bundle_object["x_finding_source_name"] == "recorder"
-        assert result_bundle_object["x_finding_intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
         assert result_bundle_object["x_finding_process_ref"]  is not None
         assert result_bundle_object["x_finding_id"] == "1245935966959239109"
         assert result_bundle_object["x_finding_domain"] == "threatresponse"
@@ -308,7 +310,6 @@ def file_asserts21(self, result_bundle_object):
 
     def directory_asserts(self, result_bundle_object):
         assert result_bundle_object["path"] == 'C:/Program Files (x86)/Microsoft/Edge/Application'
-        assert result_bundle_object["contains_refs"] is not None
 
 
     def certificate_asserts(self, result_bundle_object):
@@ -360,13 +361,13 @@ def x_tanium_inteldocument(self, result_bundle_object):
         assert result_bundle_object["syntax_version"] == 6
         assert result_bundle_object["is_schema_valid"] == True
         assert result_bundle_object["source_id"] == 2
-        assert result_bundle_object["unresolvedAlertCount"] == 8
-        assert result_bundle_object["throttledFindingCount"] == 0
-        assert result_bundle_object["allowAutoDisable"] == True
+        assert result_bundle_object["unresolved_alert_count"] == 8
+        assert result_bundle_object["throttled_finding_count"] == 0
+        assert result_bundle_object["allow_auto_disable"] == True
         assert result_bundle_object["disabled"] == False
-        assert result_bundle_object["disabledEndpointCount"] == 0
-        assert result_bundle_object["firstDeploymentTimestamp"] == "2023-10-13T19:28:05.584Z"
-        assert result_bundle_object["lastDeploymentTimestamp"] == "2023-11-28T18:50:31.920Z"
+        assert result_bundle_object["disabled_endpoint_count"] == 0
+        assert result_bundle_object["first_deployment_timestamp"] == "2023-10-13T19:28:05.584Z"
+        assert result_bundle_object["last_deployment_timestamp"] == "2023-11-28T18:50:31.920Z"
         assert result_bundle_object["status"] == "HIGH_FIDELITY"
 
     def x_compiled_terms(self, result_bundle_object):
@@ -375,3 +376,7 @@ def x_compiled_terms(self, result_bundle_object):
         assert result_bundle_object["value"] == "eicar"
         assert result_bundle_object["object"] == "file"
         assert result_bundle_object["property"] == "path"
+
+    #Unmapped fields
+    def x_tanium(self, result_bundle_object):
+        assert result_bundle_object["intel_intra_ids"] == [{'id_v2': '901388892329936882'}]