diff --git a/stix_shifter/src/modules/qradar/json/aql_event_fields.json b/stix_shifter/src/modules/qradar/json/aql_event_fields.json
index 3ee5486fd..aaa6d85f5 100644
--- a/stix_shifter/src/modules/qradar/json/aql_event_fields.json
+++ b/stix_shifter/src/modules/qradar/json/aql_event_fields.json
@@ -11,10 +11,10 @@
     "starttime as starttime",
     "endtime as endtime",
     "devicetime as devicetime",
-    "sourceip as sourceip",
+    "sourceaddress as sourceip",
     "sourceport as sourceport",
     "sourcemac as sourcemac",
-    "destinationip as destinationip",
+    "destinationaddress as destinationip",
     "destinationport as destinationport",
     "destinationmac as destinationmac",
     "username as username",
diff --git a/stix_shifter/src/modules/qradar/json/from_stix_map.json b/stix_shifter/src/modules/qradar/json/from_stix_map.json
index c14f9cfb5..f143f22c6 100644
--- a/stix_shifter/src/modules/qradar/json/from_stix_map.json
+++ b/stix_shifter/src/modules/qradar/json/from_stix_map.json
@@ -6,7 +6,7 @@
     },
     "ipv6-addr": {
         "fields": {
-            "value": ["sourceip", "destinationip", "identityip"]
+            "value": ["sourceip", "destinationip"]
         }
     },
     "url": {
diff --git a/stix_shifter/src/transformers.py b/stix_shifter/src/transformers.py
index cb915ef21..34b80b938 100644
--- a/stix_shifter/src/transformers.py
+++ b/stix_shifter/src/transformers.py
@@ -128,11 +128,13 @@ class ToDomainName(ValueTransformer):
     @staticmethod
     def transform(url):
         try:
+            if url is None:
+                return
             parsed_url = urlparse(url)
             domain_name = parsed_url.netloc
             return domain_name
         except ValueError:
-            print("Cannot convert input to file name")
+            print("Cannot convert input to domain name")
 
 
 def get_all_transformers():
diff --git a/tests/stix_shifter/test_qradar_stix_to_aql.py b/tests/stix_shifter/test_qradar_stix_to_aql.py
index 68e520747..b060904a2 100644
--- a/tests/stix_shifter/test_qradar_stix_to_aql.py
+++ b/tests/stix_shifter/test_qradar_stix_to_aql.py
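Review bot: The ipv6-addr mapping still sends the WHERE clause to `sourceip` and `destinationip`, while the SELECT list in aql_event_fields.json is switched in the same commit to `sourceaddress as sourceip` and `destinationaddress as destinationip`; the updated test below confirms the generated query is `WHERE (sourceip = '3001:0:0:0:0:0:0:2' OR destinationip = ...)`. If the native `sourceip`/`destinationip` columns hold IPv4 only (which appears to be why the SELECT was changed), an IPv6 literal compared against them would never match or would be rejected by AQL, and under standard SQL semantics a SELECT alias is not visible to WHERE, so the rename in the projection does not rescue the filter — worth verifying against AQL's column types before relying on it. Consider `"value": ["sourceaddress", "destinationaddress"]` here, and confirm that `identityip` truly has no IPv6-capable counterpart rather than just dropping it. The ipv4-addr entry sits above this hunk, so whether it was kept in step cannot be seen from here.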
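Review bot: `ToDomainName.transform` returns `parsed_url.netloc`, which keeps any userinfo and port, so a URL such as `http://user:secret@host:8443/x` yields `user:secret@host:8443` as the "domain name" and would carry embedded credentials into the STIX observable; `parsed_url.hostname` returns the bare lower-cased host (or `None`) and is likely what this transformer intends. The added `None` guard is fine, but the handler still catches only `ValueError` and reports through `print`, so a non-string input (an int, for example) raises out of `urlparse` uncaught while a malformed URL writes to stdout and silently returns `None`; routing the message through the module's logger, if it has one, and documenting the `None` return in a short docstring would make the best-effort contract explicit. The class `ToDomainName` begins before this hunk, and `get_all_transformers` continues past its last line.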
@@ -6,8 +6,8 @@
 selections = "SELECT QIDNAME(qid) as qidname, qid as qid, CATEGORYNAME(category) as categoryname, \
 category as categoryid, CATEGORYNAME(highlevelcategory) as high_level_category_name, \
 highlevelcategory as high_level_category_id, logsourceid as logsourceid, LOGSOURCETYPENAME(logsourceid) as logsourcename, starttime as starttime, \
-endtime as endtime, devicetime as devicetime, sourceip as sourceip, sourceport as sourceport, sourcemac as sourcemac, \
-destinationip as destinationip, destinationport as destinationport, destinationmac as destinationmac, \
+endtime as endtime, devicetime as devicetime, sourceaddress as sourceip, sourceport as sourceport, sourcemac as sourcemac, \
+destinationaddress as destinationip, destinationport as destinationport, destinationmac as destinationmac, \
 username as username, eventdirection as direction, identityip as identityip, identityhostname as identity_host_name, \
 eventcount as eventcount, PROTOCOLNAME(protocolid) as protocol, BASE64(payload) as payload, URL as url, magnitude as magnitude, Filename as filename, URL as domainname"
 
@@ -47,10 +47,10 @@ def test_ipv4_query(self):
         assert query == {'queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix}
 
     def test_ipv6_query(self):
-        stix_pattern = "[ipv6-addr:value = '192.168.122.83']"
+        stix_pattern = "[ipv6-addr:value = '3001:0:0:0:0:0:0:2']"
         query = shifter.translate('qradar', 'query', '{}', stix_pattern)
-        where_statement = "WHERE (sourceip = '192.168.122.83' OR destinationip = '192.168.122.83' OR identityip = '192.168.122.83') {} {}".format(default_limit, default_time)
-        parsed_stix = [{'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83'}]
+        where_statement = "WHERE (sourceip = '3001:0:0:0:0:0:0:2' OR destinationip = '3001:0:0:0:0:0:0:2') {} {}".format(default_limit, default_time)
+        parsed_stix = [{'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '3001:0:0:0:0:0:0:2'}]
         assert query == {'queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix}
 
     def test_url_query(self):
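Review bot: The new expectation pins an IPv6 literal copied verbatim into the AQL WHERE clause (`sourceip = '3001:0:0:0:0:0:0:2'`), but no case in the visible tests exercises a value the translator would have to normalize, reject or escape — a compressed form such as `3001::2`, a zone-scoped address like `fe80::1%eth0`, or a value containing a single quote — so the quoting of pattern values into the query string stays unverified for the one object type whose values are colon-heavy. A companion case along the lines of `stix_pattern = "[ipv6-addr:value = '3001::2']"` asserting the exact emitted string, plus a negative case for a quote-bearing value that documents whether it is rejected or escaped, would pin that contract. The translator itself is not part of this diff, so whether it validates or escapes these inputs cannot be determined from the visible lines.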