diff --git a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json
index 7fe286f24..1930cb6eb 100644
--- a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json
+++ b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json
@@ -1,7 +1,7 @@
 {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "eventId": {
 "key": "x-oca-event.code",
@@ -30,12 +30,12 @@
 "transformer": "ToString"
 },
 "incidents": {
- "key": "x-ibm-finding.extensions.x-reaqta-alert-ext.incidents",
- "object": "x-ibm-finding"
+ "key": "x-oca-event.extensions.x-reaqta-alert-ext.incidents",
+ "object": "event"
 },
 "triggeredIncidents": {
- "key": "x-ibm-finding.extensions.x-reaqta-alert-ext.triggered_incidents",
- "object": "x-ibm-finding"
+ "key": "x-oca-even.extensions.x-reaqta-alert-ext.triggered_incidents",
+ "object": "event"
 },
 "localId": {
 "key": "x-reaqta-event.local_id",
@@ -43,8 +43,8 @@
 },
 "process": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -204,8 +204,8 @@
 "data": {
 "accessorProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -372,8 +372,8 @@
 },
 "allocatorProc": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -574,8 +574,8 @@
 },
 "childProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
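Review bot: `"key": "x-oca-even.extensions.x-reaqta-alert-ext.triggered_incidents"` in the `triggeredIncidents` entry of hunk `@@ -30,12 +30,12 @@` misspells the object type; the sibling `incidents` entry and the `"object": "event"` alias on the same entry both use `x-oca-event`, so `triggered_incidents` would presumably not land on the event object the way `incidents` does. Change it to `"key": "x-oca-event.extensions.x-reaqta-alert-ext.triggered_incidents",`. The corresponding hunk of `stix_translation/json/to_stix_map.json` carries the same typo (`x-oca-even.extensions.x-reaqta-alert.triggered_incidents`) and needs the same one-character fix. None of the test changes in this commit assert on `triggered_incidents`, which is why this passed.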
@@ -835,8 +835,8 @@
 },
 "engineProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -1449,11 +1449,6 @@
 "object": "nt",
 "references": "src_ip"
 },
- {
- "key": "x-ibm-finding.src_ip_ref",
- "object": "x-ibm-finding",
- "references": "src_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1461,8 +1456,8 @@
 },
 {
 "group": true,
- "key": "x-oca-asset.ip_refs",
- "object": "asset",
+ "key": "x-oca-event.ip_refs",
+ "object": "event",
 "references": [
 "src_ip"
 ]
@@ -1478,11 +1473,6 @@
 "object": "nt",
 "references": "src_ip"
 },
- {
- "key": "x-ibm-finding.src_ip_ref",
- "object": "x-ibm-finding",
- "references": "src_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1490,8 +1480,8 @@
 },
 {
 "group": true,
- "key": "x-oca-asset.ip_refs",
- "object": "asset",
+ "key": "x-oca-event.ip_refs",
+ "object": "event",
 "references": [
 "src_ip"
 ]
@@ -1586,11 +1576,6 @@
 "object": "nt",
 "references": "dst_ip"
 },
- {
- "key": "x-ibm-finding.dst_ip_ref",
- "object": "x-ibm-finding",
- "references": "dst_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1607,11 +1592,6 @@
 "object": "nt",
 "references": "dst_ip"
 },
- {
- "key": "x-ibm-finding.dst_ip_ref",
- "object": "x-ibm-finding",
- "references": "dst_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1641,8 +1621,8 @@
 },
 "serviceProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -1819,25 +1799,41 @@
 "key": "x-reaqta-event.start_type",
 "object": "x-reaqta"
 },
- "tactics": [
+ "mod_tactics": {
+ "tactic_number" : {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.x_reaqta_tactic_number",
+ "object": "x-ibm-ttp-tagging"
+ },
+ "tactic_name" : {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_name",
+ "object": "x-ibm-ttp-tagging"
+ },
+ "technique": [
 {
- "key": "x-ibm-finding.ttp_tagging_refs",
- "object": "x-ibm-finding",
- "references": ["x-ibm-ttp-tagging"]
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
+ "object": "x-ibm-ttp-tagging"
 },
 {
- "key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.tactic_name",
+ "key": "x-ibm-ttp-tagging.extensions.name",
 "object": "x-ibm-ttp-tagging"
+ }],
+ "groupReference": {
+ "key": "x-oca-event.ttp_tagging_refs",
+ "object": "event",
+ "references": [
+ "x-ibm-ttp-tagging"
+ ],
+ "group_ref": true
 }
- ],
+ },
 "tags": {
 "key": "x-reaqta-event.tags",
 "object": "x-reaqta"
 },
 "targetProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -2010,21 +2006,6 @@
 "key": "x-reaqta-event.task_name",
 "object": "x-reaqta"
 },
- "technique": [
- {
- "key": "x-ibm-finding.ttp_tagging_refs",
- "object": "x-ibm-finding",
- "references": ["x-ibm-ttp-tagging"]
- },
- {
- "key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.technique_name",
- "object": "x-ibm-ttp-tagging"
- },
- {
- "key": "x-ibm-ttp-tagging.extensions.name",
- "object": "x-ibm-ttp-tagging"
- }
- ],
 "url": {
 "key": "url.value",
 "object": "url"
@@ -2041,6 +2022,26 @@
 "key": "process.pid",
 "object": "wmi_process",
 "transformer": "ToInteger"
+ },
+ "matched": {
+ "policyId": [
+ {
+ "key":"x-ibm-finding.finding_type",
+ "object":"alert_id",
+ "value":"alert"
+ },
+ {
+ "key":"x-ibm-finding.name",
+ "object":"alert_id"
+ }],
+ "versionId": {
+ "key":"x-ibm-finding.x_reaqta_version_id",
+ "object":"alert_id"
+ },
+ "matcherId": {
+ "key":"x-ibm-finding.x_reaqta_matcher_id",
+ "object":"alert_id"
+ }
 }
 }
 }
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json
index 070dc14fc..235f711c3 100644
--- a/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json
@@ -1,7 +1,7 @@
 {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "eventId": {
 "key": "x-oca-event.code",
@@ -30,12 +30,12 @@
 "transformer": "ToString"
 },
 "incidents": {
- "key": "x-ibm-finding.extensions.x-reaqta-alert.incidents",
- "object": "x-ibm-finding"
+ "key": "x-oca-event.extensions.x-reaqta-alert.incidents",
+ "object": "event"
 },
 "triggeredIncidents": {
- "key": "x-ibm-finding.extensions.x-reaqta-alert.triggered_incidents",
- "object": "x-ibm-finding"
+ "key": "x-oca-even.extensions.x-reaqta-alert.triggered_incidents",
+ "object": "event"
 },
 "localId": {
 "key": "x-reaqta-event.local_id",
@@ -43,8 +43,8 @@
 },
 "process": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -204,8 +204,8 @@
 "data": {
 "accessorProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -372,8 +372,8 @@
 },
 "allocatorProc": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -574,8 +574,8 @@
 },
 "childProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -835,8 +835,8 @@
 },
 "engineProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -1413,11 +1413,6 @@
 "object": "nt",
 "references": "src_ip"
 },
- {
- "key": "x-ibm-finding.src_ip_ref",
- "object": "x-ibm-finding",
- "references": "src_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1425,8 +1420,8 @@
 },
 {
 "group": true,
- "key": "x-oca-asset.ip_refs",
- "object": "asset",
+ "key": "x-oca-event.ip_refs",
+ "object": "event",
 "references": [
 "src_ip"
 ]
@@ -1442,11 +1437,6 @@
 "object": "nt",
 "references": "src_ip"
 },
- {
- "key": "x-ibm-finding.src_ip_ref",
- "object": "x-ibm-finding",
- "references": "src_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1454,8 +1444,8 @@
 },
 {
 "group": true,
- "key": "x-oca-asset.ip_refs",
- "object": "asset",
+ "key": "x-oca-event.ip_refs",
+ "object": "event",
 "references": [
 "src_ip"
 ]
@@ -1550,11 +1540,6 @@
 "object": "nt",
 "references": "dst_ip"
 },
- {
- "key": "x-ibm-finding.dst_ip_ref",
- "object": "x-ibm-finding",
- "references": "dst_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1571,11 +1556,6 @@
 "object": "nt",
 "references": "dst_ip"
 },
- {
- "key": "x-ibm-finding.dst_ip_ref",
- "object": "x-ibm-finding",
- "references": "dst_ip"
- },
 {
 "key": "x-oca-event.network_ref",
 "object": "event",
@@ -1605,8 +1585,8 @@
 },
 "serviceProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -1783,25 +1763,41 @@
 "key": "x-reaqta-event.start_type",
 "object": "x-reaqta"
 },
- "tactics": [
+ "mod_tactics": {
+ "tactic_number" : {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.x_reaqta_tactic_number",
+ "object": "x-ibm-ttp-tagging"
+ },
+ "tactic_name" : {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_name",
+ "object": "x-ibm-ttp-tagging"
+ },
+ "technique": [
 {
- "key": "x-ibm-finding.ttp_tagging_refs",
- "object": "x-ibm-finding",
- "references": ["x-ibm-ttp-tagging"]
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
+ "object": "x-ibm-ttp-tagging"
 },
 {
- "key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.tactic_name",
+ "key": "x-ibm-ttp-tagging.extensions.name",
 "object": "x-ibm-ttp-tagging"
+ }],
+ "groupReference": {
+ "key": "x-oca-event.ttp_tagging_refs",
+ "object": "event",
+ "references": [
+ "x-ibm-ttp-tagging"
+ ],
+ "group_ref": true
 }
- ],
+ },
 "tags": {
 "key": "x-reaqta-event.tags",
 "object": "x-reaqta"
 },
 "targetProcess": {
 "endpointId": {
- "key": "x-oca-asset.host_id",
- "object": "asset"
+ "key": "x-reaqta-event.host_id",
+ "object": "x-reaqta"
 },
 "id": {
 "key": "process.x_unique_id",
@@ -1974,21 +1970,6 @@
 "key": "x-reaqta-event.task_name",
 "object": "x-reaqta"
 },
- "technique": [
- {
- "key": "x-ibm-finding.ttp_tagging_refs",
- "object": "x-ibm-finding",
- "references": ["x-ibm-ttp-tagging"]
- },
- {
- "key": "x-ibm-ttp-tagging.extensions.'mitre-attack-ext'.technique_name",
- "object": "x-ibm-ttp-tagging"
- },
- {
- "key": "x-ibm-ttp-tagging.extensions.name",
- "object": "x-ibm-ttp-tagging"
- }
- ],
 "url": {
 "key": "url.value",
 "object": "url"
@@ -2005,6 +1986,26 @@ "key": "process.pid", "object": "wmi_process", "transformer": "ToInteger" + }, + "matched": { + "policyId": [ + { + "key":"x-ibm-finding.finding_type", + "object":"alert_id", + "value":"alert" + }, + { + "key":"x-ibm-finding.name", + "object":"alert_id" + }], + "versionId": { + "key":"x-ibm-finding.x_reaqta_version_id", + "object":"alert_id" + }, + "matcherId": { + "key":"x-ibm-finding.x_reaqta_matcher_id", + "object":"alert_id" + } } } } diff --git a/stix_shifter_modules/reaqta/stix_transmission/connector.py b/stix_shifter_modules/reaqta/stix_transmission/connector.py index 9b8a368b0..488872c7d 100644 --- a/stix_shifter_modules/reaqta/stix_transmission/connector.py +++ b/stix_shifter_modules/reaqta/stix_transmission/connector.py @@ -104,6 +104,27 @@ async def create_results_connection(self, search_id, offset, length): @classmethod def modify_result(cls, data): + #For whatever reason, the api does not return the name of the Tactic, just an ID that maps loosely to a few tactics. + #This is a mapping of the UI useful name with the internal ID they are using. + #I determined this by using their HunQ search tool within the Reaqta environment. + #This could change in the future and may need to be updated or removed. + tactic_name_mapping = { + "0":"Unknown", + "1":"Initial Access", + "2":"Execution", + "3":"Persistence", + "4":"Privilege Escalation", + "5":"Defense Evasion", + "6":"Credential Access", + "7":"Discovery", + "8":"Lateral Movement", + "9":"Collection", + "10":"Command and Control", + "11":"Exfiltration", + "12":"Impact" + } + + transmit_basepath = os.path.abspath(__file__) translate_basepath = transmit_basepath.split(os.sep) event_names_path = os.sep.join([*translate_basepath, "stix_translation", "json", "event_names_map.json"]) 
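Review bot: `tactic_name_mapping` in hunk `@@ -104,6 +104,27 @@` of connector.py is a fixed table but is rebuilt as a local dict on every `modify_result` call, and its `"0":"Unknown"` entry duplicates the `"Unknown"` fallback the method applies later to any unmapped number; hoist it to a class attribute (e.g. `TACTIC_NAME_MAPPING = {...}` with the four explanatory comments above it) and look it up as `cls.TACTIC_NAME_MAPPING` so the comments and the data live in one place. The comment block should also state which consumer depends on the shape this method produces: the `mod_tactics` entry added to both `to_stix_map.json` files in this commit reads `tactic_number`, `tactic_name` and `technique` from each item, so a future change to the vendor numbering must be made in step with those mappings. `modify_result` continues past the end of this hunk.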
@@ -121,6 +142,21 @@ def modify_result(cls, data): payload['eventName'] = event_name result['payload'] = cls.update_net_traffic_flow(payload, network_protocol) + + if result.get('payload') and result['payload'].get('data') and result['payload']['data'].get('tactics'): + tactic_list = result['payload']['data']['tactics'] + technique = result['payload']['data']['technique'] + result['payload']['data']['mod_tactics'] = {} + dict_list = [] + for tactic in tactic_list: + + if (f"{tactic}" in tactic_name_mapping): + dict_list.append({"tactic_number": tactic, "tactic_name": tactic_name_mapping.get(f"{tactic}"), "technique":technique}) + else: + dict_list.append({"tactic_number": tactic, "tactic_name": "Unknown", "technique":technique}) + result['payload']['data']['mod_tactics'] = dict_list + + @classmethod def update_net_traffic_flow(cls, payload, network_protocol): result_data = payload.get('data') diff --git a/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json b/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json index d83965fa1..aefc8c11e 100644 --- a/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json +++ b/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json @@ -239,9 +239,26 @@ "noGui": false, "logonId": "0x3e7" }, - "technique": "T1043", + "technique": "T1053", "tactics": [ - 10 + 2,3,4 + ], + "mod_tactics": [ + { + "tactic_number": 2, + "tactic_name": "Execution", + "technique": "T1053" + }, + { + "tactic_number": 3, + "tactic_name": "Persistence", + "technique": "T1053" + }, + { + "tactic_number": 4, + "tactic_name": "Privilege Escalation", + "technique": "T1053" + } ], "hijackingType": 2, "scriptBlockText": "# Localized\t12/07/2019 05:47 AM (GMT)\t303:6.40.20520\r\nadminTSHistorySize=Disk space\r\n###PSLOC\r\n'@\r\n", 
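Review bot: `technique = result['payload']['data']['technique']` raises KeyError for any event that carries `tactics` but no `technique`, which aborts `modify_result` for the whole result set rather than for that one event; use `technique = result['payload']['data'].get('technique')` so the `mod_tactics` items are still emitted with `technique` set to `None`. The preceding `result['payload']['data']['mod_tactics'] = {}` is dead, since the same key is overwritten with `dict_list` a few lines later, and can be dropped. An unmapped tactic number is silently relabelled `"Unknown"`, which hides drift in the vendor's numbering from anyone reading the STIX output; if the module already has a logger (not visible in this hunk), emitting a debug line with the unmapped number in the `else` branch would make such drift detectable. `modify_result` begins before this hunk.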
diff --git a/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py
index 0473c7813..0bc71a066 100644
--- a/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py
+++ b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py
@@ -25,6 +25,7 @@ def find(element, dd, default=None):
 DATA_HAPPENED_AT_TIMESTAMP = find('happenedAt', DATA)
 DATA_EVENT_ID = find('eventId', DATA)
 DATA_EVENT_TYPE = find('payload.eventType', DATA)
+DATA_HOST_ID = find('payload.hostId', DATA)
 DATA_LOCAL_ID = find('payload.localId', DATA)
 DATA_PROCESS_GUID = find('payload.process.id', DATA)
 DATA_PROCESS_PARENT_ID = find('payload.process.parentId', DATA)
@@ -307,40 +308,13 @@ def test_x_oca_event(self): assert(ip_obj['type'] == 'ipv4-addr') assert(ip_obj['value'] == DATA_REMOTE_IP) - - def test_x_ibm_finding(self): - objects = TestReaqtaResultsToStix.get_observed_data_objects() - event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding') - - assert(event is not None), "x-ibm-finding not found" - assert(event.keys() == {'type', 'extensions', 'ttp_tagging_refs', 'src_ip_ref', 'dst_ip_ref'}) - assert(event['type'] == "x-ibm-finding") - - ip_ref = event['src_ip_ref'] - assert(ip_ref in objects), f"src_ip_ref with key {event['src_ip_ref']} not found" - ip_obj = objects[ip_ref] - assert(ip_obj.keys() == {'type', 'value'}) - assert(ip_obj['type'] == 'ipv4-addr') - assert(ip_obj['value'] == DATA_LOCAL_IP) - - ip_ref = event['dst_ip_ref'] - assert(ip_ref in objects), f"dst_ip_ref with key {event['dst_ip_ref']} not found" - ip_obj = objects[ip_ref] - assert(ip_obj.keys() == {'type', 'value'}) - assert(ip_obj['type'] == 'ipv4-addr') - assert(ip_obj['value'] == DATA_REMOTE_IP) - - extensions = find('extensions.x-reaqta-alert', event) - assert(extensions is not None), "file extensions not found" - assert(extensions.keys() == {'incidents'}) - assert(extensions['incidents'] == [254356654453, 4352345234525]) def test_x_reaqta_event(self): objects = TestReaqtaResultsToStix.get_observed_data_objects() event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-reaqta-event') assert(event is not None), "x-reaqta-event not found" - assert(event.keys() == {'type', 'local_id', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 'custom_name', 'relevance', 'region_size', 'pe_type', 'return_code', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'}) + assert(event.keys() == {'type', 'host_id', 'local_id', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 
'custom_name', 'relevance', 'region_size', 'pe_type', 'return_code', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'}) assert(event['type'] == "x-reaqta-event") assert(event['local_id'] == DATA_LOCAL_ID) assert(event['relevance'] == DATA_RELEVANCE) @@ -401,7 +375,6 @@ def test_stix_21_prop(self): assert(sum(obj['type'] == 'url' for obj in result_bundle_objects) == 1) assert(sum(obj['type'] == 'user-account' for obj in result_bundle_objects) == 5) assert(sum(obj['type'] == 'x-ibm-finding' for obj in result_bundle_objects) == 1) - assert(sum(obj['type'] == 'x-oca-asset' for obj in result_bundle_objects) == 3) assert(sum(obj['type'] == 'x-oca-event' for obj in result_bundle_objects) == 4) assert(sum(obj['type'] == 'x-reaqta-etw' for obj in result_bundle_objects) == 1) assert(sum(obj['type'] == 'x-reaqta-event' for obj in result_bundle_objects) == 1) @@ -411,7 +384,7 @@ def test_stix_21_prop(self): event = TestReaqtaResultsToStix.get_first_cybox_of_type_stix_2_1(result_bundle_objects, 'x-reaqta-event') assert(event is not None), "x-reaqta-event not found" - assert(event.keys() == {'type', 'local_id', 'id', 'spec_version', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 'custom_name', 'relevance', 'region_size', 'pe_type', 'return_code', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'}) + assert(event.keys() == {'type', 'local_id', 'host_id', 'id', 'spec_version', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 'custom_name', 'relevance', 'region_size', 'pe_type', 'return_code', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'}) assert(event['type'] == "x-reaqta-event") assert(event['local_id'] == DATA_LOCAL_ID) assert(event['relevance'] == DATA_RELEVANCE) 
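Review bot: Deleting `test_x_ibm_finding` in hunk `@@ -307,40 +308,13 @@` drops the only assertions on the alert extension (`extensions = find('extensions.x-reaqta-alert', event)`, `assert(extensions.keys() == {'incidents'})`, `assert(extensions['incidents'] == [254356654453, 4352345234525])`), but the mapping change did not remove that data; it moved `incidents` and `triggeredIncidents` onto `x-oca-event.extensions.x-reaqta-alert`, so those three lines should be ported into `test_x_oca_event` against the `x-oca-event` object rather than discarded. A ported assertion on `triggered_incidents` would also have caught the `x-oca-even` key typo present in both `to_stix_map.json` files in this commit. Likewise in the `test_stix_21_prop` hunk the `x-oca-asset` count assertion was removed rather than updated; if no `x-oca-asset` mapping remains after this change, `assert(sum(obj['type'] == 'x-oca-asset' for obj in result_bundle_objects) == 0)` pins the intended removal instead of leaving it unchecked. `test_x_oca_event` begins before this hunk.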
@@ -474,8 +447,8 @@ def test_cybox_observables_network_traffic_inbound(self): assert(extensions['address_family'] == 'IPv4') assert(extensions['outbound'] == False) - x_oca_asset = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-oca-asset') - ip_refs = x_oca_asset['ip_refs'] + x_oca_event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') + ip_refs = x_oca_event['ip_refs'] obj_num = ip_refs[0] ip_obj = objects[obj_num] assert(ip_obj['value'] == DATA_LOCAL_IP) # DATA_REMOTE_IP is switched to local ip for inbound connection 
@@ -506,4 +479,50 @@ def test_windows_process_event(self):
 pid = proc_obj['pid']
 hex_pid = hex(pid)
 original_pid = data['payload']['data']['etwProcessId']
- assert hex_pid == original_pid
\ No newline at end of file
+ assert hex_pid == original_pid
+
+ def test_updated_finding_fields(self):
+ data = {'eventId': '1119732427405660161', 'endpointId': '1114241789272784896', 'payload': {'localId': '1119732154209667073', 'process': {'id': '1114241789272784896:4704:1713564948917', 'parentId': '1114241789272784896:4060:1713564802263', 'endpointId': '1114241789272784896', 'program': {'path': 'c:\\users\\test\\desktop\\maze_rw.exe', 'filename': 'maze_rw.exe', 'md5': '01010101010101010101010101010101', 'sha1': '0101010101010101010101010101010101010101', 'sha256': '010101010101010101010101010101010101010101010101010101010101010', 'size': 495616, 'arch': 'x32', 'fsName': 'maze_rw.exe'}, 'user': 'USER-Desktop\\Desktop', 'pid': 4704, 'startTime': '2024-04-19T22:15:48.917Z', 'ppid': 4060, 'pstartTime': '2024-04-19T22:13:22.263Z', 'userSID': 'S-1-5-21-0101010101-0101010101-0101010101-1001', 'privilegeLevel': 'HIGH', 'noGui': False, 'logonId': '0x14c9e0'}, 'incidents': [], 'triggeredIncidents': ['1119732154268387330'], 'data': {'matched': [{'policyId': '1072556371783712772', 'versionId': '1072556371783716869', 'matcherId': '1072556371783720966'}]}, 'eventType': 28}, 'happenedAt': '2024-04-19T22:15:49.181Z', 'receivedAt': '2024-04-19T22:16:54.316Z'}
+ result_bundle = run_in_thread(ENTRY_POINT.translate_results, DATA_SOURCE, [data])
+ result_bundle_objects = result_bundle['objects']
+ observed_data = result_bundle_objects[1]
+ objects = observed_data['objects']
+
+ finding = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
+ assert(finding is not None), 'process object type not found'
+ assert(finding["type"] == "x-ibm-finding")
+ assert(finding["finding_type"] == "alert")
+ assert(finding["name"] == "1072556371783712772")
+ assert(finding["x_reaqta_version_id"] == "1072556371783716869")
+ assert(finding["x_reaqta_matcher_id"] == "1072556371783720966")
+
+ def test_updated_mitre_fields(self):
+ result_bundle = run_in_thread(ENTRY_POINT.translate_results, DATA_SOURCE, [DATA])
+ result_bundle_objects = result_bundle['objects']
+ observed_data = result_bundle_objects[1]
+ objects = observed_data['objects']
+
+ mitre_2 = objects["38"]
+ mitre_3 = objects["39"]
+ mitre_4 = objects["40"]
+
+ assert(mitre_2 is not None), 'process object type not found'
+ assert(mitre_2["type"] == "x-ibm-ttp-tagging")
+ assert(mitre_2["extensions"]["name"] == "T1053")
+ assert(mitre_2["extensions"]["mitre-attack-ext"]["x_reaqta_tactic_number"] == 2)
+ assert(mitre_2["extensions"]["mitre-attack-ext"]["tactic_name"] == 'Execution')
+ assert(mitre_2["extensions"]["mitre-attack-ext"]["technique_name"] == 'T1053')
+
+ assert(mitre_3 is not None), 'process object type not found'
+ assert(mitre_3["type"] == "x-ibm-ttp-tagging")
+ assert(mitre_3["extensions"]["name"] == "T1053")
+ assert(mitre_3["extensions"]["mitre-attack-ext"]["x_reaqta_tactic_number"] == 3)
+ assert(mitre_3["extensions"]["mitre-attack-ext"]["tactic_name"] == 'Persistence')
+ assert(mitre_3["extensions"]["mitre-attack-ext"]["technique_name"] == 'T1053')
+
+ assert(mitre_4 is not None), 'process object type not found'
+ assert(mitre_4["type"] == "x-ibm-ttp-tagging")
+ assert(mitre_4["extensions"]["name"] == "T1053")
+ assert(mitre_4["extensions"]["mitre-attack-ext"]["x_reaqta_tactic_number"] == 4)
+ assert(mitre_4["extensions"]["mitre-attack-ext"]["tactic_name"] == 'Privilege Escalation')
+ assert(mitre_4["extensions"]["mitre-attack-ext"]["technique_name"] == 'T1053')
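Review bot: `test_updated_mitre_fields` addresses the three `x-ibm-ttp-tagging` objects by hard-coded keys `objects["38"]`, `objects["39"]` and `objects["40"]`, so any change to the number or order of objects translated from `DATA` (a new mapping entry, a reordered fixture) fails this test with a KeyError that has nothing to do with the MITRE fields; the `assert(mitre_2 is not None)` checks can never trigger because the indexing raises first, and their `'process object type not found'` message is copied from another test (the same message appears in `test_updated_finding_fields`). Select the taggings by type and `x_reaqta_tactic_number` instead, and since the three five-line blocks differ only in the expected tactic, one loop over `(number, name)` pairs covers them. The rewritten body below keeps the translation setup from the hunk unchanged.
```python
    def test_updated_mitre_fields(self):
        # … unchanged: translate DATA and take objects = observed_data['objects'] …
        taggings = {
            obj["extensions"]["mitre-attack-ext"]["x_reaqta_tactic_number"]: obj
            for obj in objects.values()
            if obj.get("type") == "x-ibm-ttp-tagging"
        }
        assert(set(taggings) == {2, 3, 4}), 'x-ibm-ttp-tagging objects for tactics 2, 3 and 4 not found'
        for tactic_number, tactic_name in ((2, 'Execution'), (3, 'Persistence'), (4, 'Privilege Escalation')):
            tagging = taggings[tactic_number]
            assert(tagging["extensions"]["name"] == "T1053")
            assert(tagging["extensions"]["mitre-attack-ext"]["tactic_name"] == tactic_name)
            assert(tagging["extensions"]["mitre-attack-ext"]["technique_name"] == 'T1053')
```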