Reaqta various mapping fixes (#1683)
DerekRushton authored May 7, 2024
1 parent 31a9b9c commit 853f2f7
Showing 5 changed files with 239 additions and 165 deletions.
@@ -1,7 +1,7 @@
{
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"eventId": {
"key": "x-oca-event.code",
Expand Down Expand Up @@ -30,21 +30,21 @@
"transformer": "ToString"
},
"incidents": {
"key": "x-ibm-finding.extensions.x-reaqta-alert-ext.incidents",
"object": "x-ibm-finding"
"key": "x-oca-event.extensions.x-reaqta-alert-ext.incidents",
"object": "event"
},
"triggeredIncidents": {
"key": "x-ibm-finding.extensions.x-reaqta-alert-ext.triggered_incidents",
"object": "x-ibm-finding"
"key": "x-oca-even.extensions.x-reaqta-alert-ext.triggered_incidents",
"object": "event"
},
"localId": {
"key": "x-reaqta-event.local_id",
"object": "x-reaqta"
},
"process": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -204,8 +204,8 @@
"data": {
"accessorProcess": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -372,8 +372,8 @@
},
"allocatorProc": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -574,8 +574,8 @@
},
"childProcess": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -835,8 +835,8 @@
},
"engineProcess": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -1449,20 +1449,15 @@
"object": "nt",
"references": "src_ip"
},
{
"key": "x-ibm-finding.src_ip_ref",
"object": "x-ibm-finding",
"references": "src_ip"
},
{
"key": "x-oca-event.network_ref",
"object": "event",
"references": "nt"
},
{
"group": true,
"key": "x-oca-asset.ip_refs",
"object": "asset",
"key": "x-oca-event.ip_refs",
"object": "event",
"references": [
"src_ip"
]
Expand All @@ -1478,20 +1473,15 @@
"object": "nt",
"references": "src_ip"
},
{
"key": "x-ibm-finding.src_ip_ref",
"object": "x-ibm-finding",
"references": "src_ip"
},
{
"key": "x-oca-event.network_ref",
"object": "event",
"references": "nt"
},
{
"group": true,
"key": "x-oca-asset.ip_refs",
"object": "asset",
"key": "x-oca-event.ip_refs",
"object": "event",
"references": [
"src_ip"
]
Expand Down Expand Up @@ -1586,11 +1576,6 @@
"object": "nt",
"references": "dst_ip"
},
{
"key": "x-ibm-finding.dst_ip_ref",
"object": "x-ibm-finding",
"references": "dst_ip"
},
{
"key": "x-oca-event.network_ref",
"object": "event",
Expand All @@ -1607,11 +1592,6 @@
"object": "nt",
"references": "dst_ip"
},
{
"key": "x-ibm-finding.dst_ip_ref",
"object": "x-ibm-finding",
"references": "dst_ip"
},
{
"key": "x-oca-event.network_ref",
"object": "event",
Expand Down Expand Up @@ -1641,8 +1621,8 @@
},
"serviceProcess": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -1819,25 +1799,41 @@
"key": "x-reaqta-event.start_type",
"object": "x-reaqta"
},
"tactics": [
"mod_tactics": {
"tactic_number" : {
"key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.x_reaqta_tactic_number",
"object": "x-ibm-ttp-tagging"
},
"tactic_name" : {
"key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_name",
"object": "x-ibm-ttp-tagging"
},
"technique": [
{
"key": "x-ibm-finding.ttp_tagging_refs",
"object": "x-ibm-finding",
"references": ["x-ibm-ttp-tagging"]
"key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
"object": "x-ibm-ttp-tagging"
},
{
"key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.tactic_name",
"key": "x-ibm-ttp-tagging.extensions.name",
"object": "x-ibm-ttp-tagging"
}],
"groupReference": {
"key": "x-oca-event.ttp_tagging_refs",
"object": "event",
"references": [
"x-ibm-ttp-tagging"
],
"group_ref": true
}
],
},
"tags": {
"key": "x-reaqta-event.tags",
"object": "x-reaqta"
},
"targetProcess": {
"endpointId": {
"key": "x-oca-asset.host_id",
"object": "asset"
"key": "x-reaqta-event.host_id",
"object": "x-reaqta"
},
"id": {
"key": "process.x_unique_id",
Expand Down Expand Up @@ -2010,21 +2006,6 @@
"key": "x-reaqta-event.task_name",
"object": "x-reaqta"
},
"technique": [
{
"key": "x-ibm-finding.ttp_tagging_refs",
"object": "x-ibm-finding",
"references": ["x-ibm-ttp-tagging"]
},
{
"key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.technique_name",
"object": "x-ibm-ttp-tagging"
},
{
"key": "x-ibm-ttp-tagging.extensions.name",
"object": "x-ibm-ttp-tagging"
}
],
"url": {
"key": "url.value",
"object": "url"
Expand All @@ -2041,6 +2022,26 @@
"key": "process.pid",
"object": "wmi_process",
"transformer": "ToInteger"
},
"matched": {
"policyId": [
{
"key":"x-ibm-finding.finding_type",
"object":"alert_id",
"value":"alert"
},
{
"key":"x-ibm-finding.name",
"object":"alert_id"
}],
"versionId": {
"key":"x-ibm-finding.x_reaqta_version_id",
"object":"alert_id"
},
"matcherId": {
"key":"x-ibm-finding.x_reaqta_matcher_id",
"object":"alert_id"
}
}
}
}
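Review bot: The new key on the `triggeredIncidents` mapping is misspelled as `x-oca-even.extensions.x-reaqta-alert-ext.triggered_incidents`, while its sibling `incidents` mapping and every other event key in this file use the `x-oca-event` prefix; in these mapping files the key prefix selects the STIX type the property is written to, so this property will most likely not land on the x-oca-event object and triggered-incident IDs will be missing from the translated event. The line should read `"key": "x-oca-event.extensions.x-reaqta-alert-ext.triggered_incidents",`. Separately, the commit removes `x-ibm-finding.src_ip_ref`, `dst_ip_ref` and `ttp_tagging_refs` in favour of references on the event, and the new `matched` block builds the finding on object `alert_id` with only `finding_type`, `name` and two custom ids; unless another part of this file (not visible here) links `alert_id` to the event, the finding will carry no reference to the event, IPs or TTP tagging it was raised for, which breaks consumers that pivot from finding to event. The mapping object continues beyond this hunk.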