Adding proper qradar fields to allow ipv6 support. (#67)

* Adding proper qradar fields to allow ipv6 support.
* fixing an issue with null domain names coming back from qradar

stix_shifter/src/modules/qradar/json/aql_event_fields.json

@@ -11,10 +11,10 @@
     "starttime as starttime",
     "endtime as endtime",
     "devicetime as devicetime",
-    "sourceip as sourceip",
+    "sourceaddress as sourceip",
     "sourceport as sourceport",
     "sourcemac as sourcemac",
-    "destinationip as destinationip",
+    "destinationaddress as destinationip",
     "destinationport as destinationport",
     "destinationmac as destinationmac",
     "username as username",

stix_shifter/src/modules/qradar/json/from_stix_map.json

@@ -6,7 +6,7 @@
   },
   "ipv6-addr": {
     "fields": {
-      "value": ["sourceip", "destinationip", "identityip"]
+      "value": ["sourceip", "destinationip"]
     }
   },
   "url": {

stix_shifter/src/transformers.py

@@ -128,11 +128,13 @@ class ToDomainName(ValueTransformer):
     @staticmethod
     def transform(url):
         try:
+            if url is None:
+                return
             parsed_url = urlparse(url)
             domain_name = parsed_url.netloc
             return domain_name
         except ValueError:
-            print("Cannot convert input to file name")
+            print("Cannot convert input to domain name")
 
 
 def get_all_transformers():

tests/stix_shifter/test_qradar_stix_to_aql.py

@@ -6,8 +6,8 @@
 selections = "SELECT QIDNAME(qid) as qidname, qid as qid, CATEGORYNAME(category) as categoryname, \
 category as categoryid, CATEGORYNAME(highlevelcategory) as high_level_category_name, \
 highlevelcategory as high_level_category_id, logsourceid as logsourceid, LOGSOURCETYPENAME(logsourceid) as logsourcename, starttime as starttime, \
-endtime as endtime, devicetime as devicetime, sourceip as sourceip, sourceport as sourceport, sourcemac as sourcemac, \
-destinationip as destinationip, destinationport as destinationport, destinationmac as destinationmac, \
+endtime as endtime, devicetime as devicetime, sourceaddress as sourceip, sourceport as sourceport, sourcemac as sourcemac, \
+destinationaddress as destinationip, destinationport as destinationport, destinationmac as destinationmac, \
 username as username, eventdirection as direction, identityip as identityip, identityhostname as identity_host_name, \
 eventcount as eventcount, PROTOCOLNAME(protocolid) as protocol, BASE64(payload) as payload, URL as url, magnitude as magnitude, Filename as filename, URL as domainname"
 
@@ -47,10 +47,10 @@ def test_ipv4_query(self):
         assert query == {'queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix}
 
     def test_ipv6_query(self):
-        stix_pattern = "[ipv6-addr:value = '192.168.122.83']"
+        stix_pattern = "[ipv6-addr:value = '3001:0:0:0:0:0:0:2']"
         query = shifter.translate('qradar', 'query', '{}', stix_pattern)
-        where_statement = "WHERE (sourceip = '192.168.122.83' OR destinationip = '192.168.122.83' OR identityip = '192.168.122.83') {} {}".format(default_limit, default_time)
-        parsed_stix = [{'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83'}]
+        where_statement = "WHERE (sourceip = '3001:0:0:0:0:0:0:2' OR destinationip = '3001:0:0:0:0:0:0:2') {} {}".format(default_limit, default_time)
+        parsed_stix = [{'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '3001:0:0:0:0:0:0:2'}]
         assert query == {'queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix}
 
     def test_url_query(self):