table of mapping script update for to-stix dialects

docs/supported-mappings.md

@@ -1,7 +1,6 @@
 # Currently supported STIX objects and properties
 
 Each connector supports a set of STIX objects and properties as defined in the connector's mapping files. There is also a set of common STIX properties that all cyber observable objects must contain. See [STIX™ Version 2.0. Part 4: Cyber Observable Objects](http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber-observable-objects.html) for more information on STIX objects.
-
 ## Common cyber observable properties
 
 - created
@@ -14,33 +13,36 @@ Each connector supports a set of STIX objects and properties as defined in the c
 
 Stix-shifter currently offers connector support for the following cybersecurity products. Click on a data source to see a list of STIX attributes and properties it supports.
 
-- [IBM QRadar](../stix_shifter_modules/qradar/qradar_supported_stix.md)
-- [Splunk Enterprise Security](../stix_shifter_modules/splunk/splunk_supported_stix.md)
-- [HCL BigFix](../stix_shifter_modules/bigfix/bigfix_supported_stix.md)
-- [Carbon Black CB Response](../stix_shifter_modules/carbonblack/carbonblack_supported_stix.md)
-- [Carbon Black Cloud](../stix_shifter_modules/cbcloud/cbcloud_supported_stix.md)
-- [Elasticsearch ECS](../stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md)
-- [Microsoft Defender for Endpoint](../stix_shifter_modules/msatp/msatp_supported_stix.md)
-- [IBM Guardium Data Protection](../stix_shifter_modules/guardium/guardium_supported_stix.md)
-- [Amazon CloudWatch Logs](../stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md)
-- [Microsoft Graph Security](../stix_shifter_modules/azure_sentinel/azure_sentinel_supported_stix.md)
 - [Alertflex](../stix_shifter_modules/alertflex/alertflex_supported_stix.md)
 - [Micro Focus ArcSight](../stix_shifter_modules/arcsight/arcsight_supported_stix.md)
 - [Amazon Athena](../stix_shifter_modules/aws_athena/aws_athena_supported_stix.md)
+- [Amazon CloudWatch Logs](../stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md)
+- [Amazon GuardDuty](../stix_shifter_modules/aws_guardduty/aws_guardduty_supported_stix.md)
+- [Azure Log Analytics](../stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md)
+- [Microsoft Graph Security](../stix_shifter_modules/azure_sentinel/azure_sentinel_supported_stix.md)
+- [HCL BigFix](../stix_shifter_modules/bigfix/bigfix_supported_stix.md)
+- [Carbon Black CB Response](../stix_shifter_modules/carbonblack/carbonblack_supported_stix.md)
+- [Carbon Black Cloud](../stix_shifter_modules/cbcloud/cbcloud_supported_stix.md)
+- [Cisco Secure Email](../stix_shifter_modules/cisco_secure_email/cisco_secure_email_supported_stix.md)
 - [CrowdStrike Falcon](../stix_shifter_modules/crowdstrike/crowdstrike_supported_stix.md)
-- [Trend Micro Vision One](../stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md)
-- [OneLogin](../stix_shifter_modules/onelogin/onelogin_supported_stix.md)
-- [IBM Security Verify Privilege Vault](../stix_shifter_modules/secretserver/secretserver_supported_stix.md)
-- [Sumo Logic](../stix_shifter_modules/sumologic/sumologic_supported_stix.md)
-- [Datadog](../stix_shifter_modules/datadog/datadog_supported_stix.md)
-- [Proofpoint (SIEM API)](../stix_shifter_modules/proofpoint/proofpoint_supported_stix.md)
 - [Cybereason](../stix_shifter_modules/cybereason/cybereason_supported_stix.md)
-- [PaloAlto Cortex XDR](../stix_shifter_modules/paloalto/paloalto_supported_stix.md)
-- [SentinelOne](../stix_shifter_modules/sentinelone/sentinelone_supported_stix.md)
-- [IBM Security QRadar EDR](../stix_shifter_modules/reaqta/reaqta_supported_stix.md)
 - [Darktrace](../stix_shifter_modules/darktrace/darktrace_supported_stix.md)
-- [Red Hat Advanced Cluster Security for Kubernetes (StackRox)](../stix_shifter_modules/rhacs/rhacs_supported_stix.md)
-- [IBM Security Verify](../stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md)
+- [Datadog](../stix_shifter_modules/datadog/datadog_supported_stix.md)
+- [Elasticsearch ECS](../stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md)
 - [GCP Chronicle](../stix_shifter_modules/gcp_chronicle/gcp_chronicle_supported_stix.md)
-- [Azure Log Analytics](../stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md)
+- [IBM Guardium Data Protection](../stix_shifter_modules/guardium/guardium_supported_stix.md)
+- [IBM Security Verify](../stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md)
+- [Microsoft Defender for Endpoint](../stix_shifter_modules/msatp/msatp_supported_stix.md)
 - [Okta](../stix_shifter_modules/okta/okta_supported_stix.md)
+- [OneLogin](../stix_shifter_modules/onelogin/onelogin_supported_stix.md)
+- [PaloAlto Cortex XDR](../stix_shifter_modules/paloalto/paloalto_supported_stix.md)
+- [Proofpoint (SIEM API)](../stix_shifter_modules/proofpoint/proofpoint_supported_stix.md)
+- [IBM QRadar](../stix_shifter_modules/qradar/qradar_supported_stix.md)
+- [IBM Security QRadar EDR](../stix_shifter_modules/reaqta/reaqta_supported_stix.md)
+- [Red Hat Advanced Cluster Security for Kubernetes](../stix_shifter_modules/rhacs/rhacs_supported_stix.md)
+- [IBM Security Verify Privilege Vault](../stix_shifter_modules/secretserver/secretserver_supported_stix.md)
+- [SentinelOne](../stix_shifter_modules/sentinelone/sentinelone_supported_stix.md)
+- [Splunk Enterprise Security](../stix_shifter_modules/splunk/splunk_supported_stix.md)
+- [Sumo Logic](../stix_shifter_modules/sumologic/sumologic_supported_stix.md)
+- [Trend Micro Vision One](../stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md)
+- [Vectra NDR](../stix_shifter_modules/vectra/vectra_supported_stix.md)

stix_shifter/scripts/supported_property_exporter.py

@@ -11,43 +11,46 @@
 current_dir = path.abspath(path.dirname(__file__))
 
 CONNECTOR_MODULE_PATH = path.abspath(path.join(current_dir, "../../stix_shifter_modules"))
-ADAPTER_GUIDE_PATH = path.abspath(path.join(current_dir, '../../adapter-guide'))
+TABLE_CONTENTS_PATH = path.abspath(path.join(current_dir, '../../docs/supported-mappings.md'))
 
 # Add new connectors to this dictionary as they become available. The key must match the name of the translation module.
 # Comment out any connectors you wish to ommit.
 SCO_CONNECTORS = {
-    "qradar": "IBM QRadar", 
-    "splunk": "Splunk Enterprise Security", 
-    "bigfix": "HCL BigFix", 
-    "carbonblack": "Carbon Black CB Response",
-    "cbcloud": "Carbon Black Cloud", 
-    "elastic_ecs": "Elasticsearch ECS", 
-    "msatp": "Microsoft Defender for Endpoint",
-    # "security_advisor": "IBM Cloud Security Advisor",
-    "guardium": "IBM Guardium Data Protection",
-    "aws_cloud_watch_logs": "Amazon CloudWatch Logs",
-    # "azure_sentinel": "Microsoft Graph Security",
     "alertflex": "Alertflex",
     "arcsight": "Micro Focus ArcSight",
     "aws_athena": "Amazon Athena",
+    "aws_cloud_watch_logs": "Amazon CloudWatch Logs",
+    "aws_guardduty": "Amazon GuardDuty",
+    "azure_log_analytics": "Azure Log Analytics",
+    "azure_sentinel": "Microsoft Graph Security", #
+    "bigfix": "HCL BigFix",
+    "carbonblack": "Carbon Black CB Response",
+    "cbcloud": "Carbon Black Cloud", 
+    "cisco_secure_email": "Cisco Secure Email",
     "crowdstrike": 'CrowdStrike Falcon',
-    "trendmicro_vision_one": "Trend Micro Vision One",
-    "onelogin": "OneLogin",
-    "secretserver": "IBM Security Verify Privilege Vault",
-    "sumologic": "Sumo Logic",
+    "cybereason": "Cybereason",
+    "darktrace": "Darktrace",
     "datadog": "Datadog",
-    "proofpoint": "Proofpoint (SIEM API)",
+    "elastic_ecs": "Elasticsearch ECS",
+    "gcp_chronicle": "GCP Chronicle",
+    "guardium": "IBM Guardium Data Protection",
+    "ibm_security_verify": "IBM Security Verify",
     # "infoblox": "Infoblox BloxOne Threat Defense",
-    "cybereason": "Cybereason",
+    "msatp": "Microsoft Defender for Endpoint",
+    "okta": "Okta",
+    "onelogin": "OneLogin",
     "paloalto": "PaloAlto Cortex XDR",
-    "sentinelone": "SentinelOne",
+    "proofpoint": "Proofpoint (SIEM API)",
+    "qradar": "IBM QRadar",
     "reaqta": "IBM Security QRadar EDR",
-    "darktrace": "Darktrace",
-    "rhacs": "Red Hat Advanced Cluster Security for Kubernetes (StackRox)",
-    "ibm_security_verify": "IBM Security Verify",
-    "gcp_chronicle": "GCP Chronicle",
-    "azure_log_analytics": "Azure Log Analytics",
-    "okta": "Okta"
+    "rhacs": "Red Hat Advanced Cluster Security for Kubernetes",
+    "secretserver": "IBM Security Verify Privilege Vault",
+    # "security_advisor": "IBM Cloud Security Advisor",
+    "sentinelone": "SentinelOne",
+    "splunk": "Splunk Enterprise Security",
+    "sumologic": "Sumo Logic",
+    "trendmicro_vision_one": "Trend Micro Vision One",
+    "vectra": "Vectra NDR"
 }
 
 SDO_CONNECTORS = {
@@ -64,23 +67,28 @@
 
 DEFAULT_DIALECT = "default"
 
-DIALECTS = {
-    "qradar": ["events", "flows"],
+FROM_STIX_DIALECTS = {
     "aws_athena": ["guardduty", "ocsf", "vpcflow"],
     "aws_cloud_watch_logs": ["guardduty", "vpcflow"],
+    "azure_log_analytics": ["SecurityAlert", "SecurityEvent", "SecurityIncident"],
+    "azure_sentinel": ["alert", "alertV2"],
     "datadog": ["events", "processes"],
+    "elastic_ecs": [DEFAULT_DIALECT, "beats"],
     "guardium": ["qsearch", "report"],
     "infoblox": ["dnsEventData", "dossierData", "tideDbData"],
     "paloalto": ["xdr_data"],
+    "qradar": ["events", "flows"],
     "secretserver": ["event"],
-    "trendmicro_vision_one": ["endpointActivityData", "messageActivityData"],
-    "azure_log_analytics": ["SecurityAlert", "SecurityEvent", "SecurityIncident"],
-    "elastic_ecs": [DEFAULT_DIALECT, "beats"]
+    "trendmicro_vision_one": ["endpointActivityData", "messageActivityData"]
+}
+
+TO_STIX_DIALECTS = {
+    "aws_athena" : ["guardduty", "ocsf", "vpcflow"]
 }
 
 STIX_OPERATORS = {
-    "ComparisonExpressionOperators.And": "AND (Comparision)",
-    "ComparisonExpressionOperators.Or": "OR (Comparision)",
+    "ComparisonExpressionOperators.And": "AND (Comparison)",
+    "ComparisonExpressionOperators.Or": "OR (Comparison)",
     "ComparisonComparators.GreaterThan": ">",
     "ComparisonComparators.GreaterThanOrEqual": ">=",
     "ComparisonComparators.LessThan": "<",
@@ -125,8 +133,8 @@ def __main__():
     table_of_contents += "## Supported data sources\n\n"
     table_of_contents += "Stix-shifter currently offers connector support for the following cybersecurity products. Click on a data source to see a list of STIX attributes and properties it supports.\n\n"
 
-    table_of_contents_file_path = path.abspath(path.join(ADAPTER_GUIDE_PATH, "supported-mappings.md"))
-    table_of_contents_file = open(table_of_contents_file_path, "w")
+    # table_of_contents_file_path = TABLE_CONTENTS_PATH
+    table_of_contents_file = open(TABLE_CONTENTS_PATH, "w")
 
     for _, (key, module) in enumerate(CONNECTORS.items()):
 
@@ -168,8 +176,8 @@ def __main__():
         try:
             # TODO: Dynamically fetch dialects and wrap in loop to capture all dialects
             dialects = [DEFAULT_DIALECT]
-            if key in DIALECTS:
-                dialects = DIALECTS[key]
+            if key in FROM_STIX_DIALECTS:
+                dialects = FROM_STIX_DIALECTS[key]
             for dialect in dialects:
                 if dialect == DEFAULT_DIALECT:
                     dialect = ""
@@ -188,10 +196,23 @@ def __main__():
         # TO-STIX 
         if not args.sdo:
             try:
-                filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))    
-                to_stix_json_file = open(filepath) 
-                output_string = _generate_to_stix_table(key, to_stix_json_file, data_field_alias_mapping, output_string)
-                to_stix_json_file.close()
+
+                dialects = [DEFAULT_DIALECT]
+                if key in TO_STIX_DIALECTS:
+                    dialects = TO_STIX_DIALECTS[key]
+                for dialect in dialects:
+                    if dialect == DEFAULT_DIALECT:
+                        dialect = ""
+                        output_string += "### Supported STIX Objects and Properties for Query Results\n"
+                        filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))
+                    else:
+                        output_string += "### Supported STIX Objects and Properties for Query Results from {} dialect\n".format(dialect.capitalize())
+                        filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "{}to_stix_map.json".format(dialect + "_")))
+
+                    # filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))    
+                    to_stix_json_file = open(filepath) 
+                    output_string = _generate_to_stix_table(key, to_stix_json_file, data_field_alias_mapping, output_string)
+                    to_stix_json_file.close()
             except Exception as e:
                 print("Error constructing to-STIX mapping table for {} module: {}".format(key, e))
                 continue
@@ -257,7 +278,7 @@ def _generate_to_stix_table(key, to_stix_json_file, data_field_alias_mapping, ou
     stix_attribute_collection = _parse_attributes(loaded_to_stix_json, key, {})
     sorted_attribute_objects = json.dumps(stix_attribute_collection, sort_keys=True)
     sorted_attribute_objects = json.loads(sorted_attribute_objects)
-    output_string += "### Supported STIX Objects and Properties for Query Results\n"
+    # output_string += "### Supported STIX Objects and Properties for Query Results\n"
     output_string += "| STIX Object | STIX Property | Data Source Field |\n"
     output_string += "|--|--|--|\n"
     for stix_object, property_list in sorted_attribute_objects.items():

stix_shifter_modules/alertflex/alertflex_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 05/15/23
+##### Updated on 10/25/23
 ## Alertflex
 ### Results STIX Domain Objects
 * Identity
@@ -9,8 +9,8 @@
 
 | STIX Operator | Data Source Operator |
 |--|--|
-| AND (Comparision) | AND |
-| OR (Comparision) | OR |
+| AND (Comparison) | AND |
+| OR (Comparison) | OR |
 | > | > |
 | >= | >= |
 | < | < |

stix_shifter_modules/arcsight/arcsight_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 05/15/23
+##### Updated on 10/25/23
 ## Micro Focus ArcSight
 ### Results STIX Domain Objects
 * Identity
@@ -9,8 +9,8 @@
 
 | STIX Operator | Data Source Operator |
 |--|--|
-| AND (Comparision) | AND |
-| OR (Comparision) | OR |
+| AND (Comparison) | AND |
+| OR (Comparison) | OR |
 | > | > |
 | >= | >= |
 | < | < |