From 875f3dac4495c484acb8cc2ff49d673f764dc667 Mon Sep 17 00:00:00 2001
From: DerekRushton <41486484+DerekRushton@users.noreply.github.com>
Date: Wed, 10 Jul 2024 16:44:08 -0300
Subject: [PATCH] Allowing_Tenant_To_Be_Optional (#1708)

Signed-off-by: DerekRushton
---
 .../paloalto/configuration/config.json | 4 +-
 .../paloalto/configuration/lang_en.json | 2 +-
 .../paloalto/stix_transmission/api_client.py | 3 +-
 .../tests/stix_transmission/test_paloalto.py | 67 +++++++++++++++++++
 4 files changed, 73 insertions(+), 3 deletions(-)

diff --git a/stix_shifter_modules/paloalto/configuration/config.json b/stix_shifter_modules/paloalto/configuration/config.json
index c13686f2f..6c19c1f38 100644
--- a/stix_shifter_modules/paloalto/configuration/config.json
+++ b/stix_shifter_modules/paloalto/configuration/config.json
@@ -24,7 +24,9 @@
     "auth": {
       "type" : "fields",
       "tenant": {
-        "type": "password"
+        "type": "password",
+        "optional" : true,
+        "default": ""
       },
       "api_key": {
         "type": "password"
diff --git a/stix_shifter_modules/paloalto/configuration/lang_en.json b/stix_shifter_modules/paloalto/configuration/lang_en.json
index ea7d083bc..a9244dcc4 100644
--- a/stix_shifter_modules/paloalto/configuration/lang_en.json
+++ b/stix_shifter_modules/paloalto/configuration/lang_en.json
@@ -17,7 +17,7 @@
     "auth": {
       "tenant": {
         "label": "Tenant",
-        "description": "Tenant Id of Palo Alto Cortex XDR Application"
+        "description": "Tenant Id of Palo Alto Cortex XDR Application. When using a multi-tenant environment, this value is used to determine the tenant that will be used."
       },
       "api_key": {
         "label": "API key",
diff --git a/stix_shifter_modules/paloalto/stix_transmission/api_client.py b/stix_shifter_modules/paloalto/stix_transmission/api_client.py
index 89e391bde..10a14a5d4 100644
--- a/stix_shifter_modules/paloalto/stix_transmission/api_client.py
+++ b/stix_shifter_modules/paloalto/stix_transmission/api_client.py
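Review bot: The `"optional" : true` / `"default": ""` addition in config.json makes a blank tenant legal, but neither it nor the reworded description in the lang_en.json hunk tells the operator what a blank value does or that more than one tenant id is accepted, even though api_client.py splits the value on `,`. Since the description is the only place a user sees this, I would make it explicit, e.g. `"Tenant Id(s) of the Palo Alto Cortex XDR application, comma-separated when more than one tenant is queried. Leave blank in a single-tenant environment; the search request is then sent without a tenant filter."`. The phrase "this value is used to determine the tenant that will be used" is circular and can be dropped once the sentence above is in place.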
@@ -125,7 +125,8 @@ async def create_search(self, query):
         query = json.loads(query)
         for dataset in query.keys():
-            query[dataset]["tenants"] = self.auth['tenant'].split(",")
+            if(self.auth['tenant']):
+                query[dataset]["tenants"] = self.auth['tenant'].split(",")
             data = {
                 "request_data": query[dataset]
diff --git a/stix_shifter_modules/paloalto/tests/stix_transmission/test_paloalto.py b/stix_shifter_modules/paloalto/tests/stix_transmission/test_paloalto.py
index 601075f6f..15ca42878 100644
--- a/stix_shifter_modules/paloalto/tests/stix_transmission/test_paloalto.py
+++ b/stix_shifter_modules/paloalto/tests/stix_transmission/test_paloalto.py
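Review bot: The new guard still subscripts `self.auth['tenant']` directly, so a configuration that simply omits the now-optional key (instead of carrying the `""` default declared in config.json) raises KeyError before any request is built; `self.auth.get('tenant')` covers both shapes. A value such as `" "` or `"a,,b"` also passes the truthiness test and is forwarded as blank tenant ids after `.split(",")`, so I would normalise once: `tenants = [t.strip() for t in (self.auth.get('tenant') or '').split(',') if t.strip()]` followed by `if tenants: query[dataset]["tenants"] = tenants`. Because an unset tenant now means the request carries no `tenants` field at all, the search scope is presumably whatever the Cortex XDR API applies for that API key, which deserves a comment on the guard, e.g. `# No tenant configured: send no tenant filter and let the XDR API apply the key's default scope`. The `if(...)` form with parentheses is not PEP 8; `if tenants:` reads better. create_search starts before this hunk and continues after it.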
@@ -543,3 +543,70 @@ def test_result_with_empty_user_response(self, mock_result_response):
         assert result_response['data'] == [{'xdr_data': {'actor_primary_user_sid': 'S123', 'actor_primary_username': 'username', 'actor_process_logon_id': 'id12'}}]
+
+
+    @patch('stix_shifter_modules.paloalto.stix_transmission.api_client.APIClient.create_search')
+    def test_query_response_no_tenant_id(self, mock_search_response):
+        """test create search query"""
+        mocked_return_value = '{"reply": {"search_id": "07f63c733f5946_15006_inv"}}'
+        mock_search = RequestMockResponse(200, mocked_return_value)
+        search_response = get_mock_response(200, mocked_return_value, 'byte',response=mock_search)
+        mock_search_response.return_value = search_response
+
+        query = json.dumps({"xdr_data": {"query": "dataset = xdr_data | filter ((action_process_image_name not in ("
+                                                  "\"conhost.exe\",\"AtBroker.exe\") or actor_process_image_name not "
+                                                  "in (\"conhost.exe\",\"AtBroker.exe\") or "
+                                                  "causality_actor_process_image_name not in (\"conhost.exe\","
+                                                  "\"AtBroker.exe\") or os_actor_process_image_name not in ("
+                                                  "\"conhost.exe\",\"AtBroker.exe\")) and (to_epoch(_time,"
+                                                  "\"millis\") >= 1644451200000 and to_epoch(_time,\"millis\") <= "
+                                                  "1644883200000)) or ((action_process_file_create_time = "
+                                                  "1643704990003 or actor_process_file_create_time = 1643704990003 or "
+                                                  "causality_actor_process_file_create_time = 1643704990003 or "
+                                                  "os_actor_process_file_create_time = 1643704990003) and (to_epoch("
+                                                  "_time,\"millis\") >= 1644451200000 and to_epoch(_time,\"millis\") "
+                                                  "<= 1644883200000)) or ((action_process_image_name ~= \"wildfire$\" "
+                                                  "or actor_process_image_name ~= \"wildfire$\" or "
+                                                  "causality_actor_process_image_name ~= \"wildfire$\" or "
+                                                  "os_actor_process_image_name ~= \"wildfire$\") and (to_epoch("
+                                                  "_time,\"millis\") >= 1644451200000 and to_epoch(_time,\"millis\") "
+                                                  "<= 1644883200000)) | alter dataset_name = \"xdr_data\" | fields "
+                                                  "dataset_name,action_local_ip,action_remote_ip,"
+                                                  "agent_ip_addresses_v6,dst_agent_ip_addresses_v6,action_local_port,"
+                                                  "action_remote_port,action_network_protocol,action_file_name,"
+                                                  "action_file_size,action_file_md5,action_module_md5,"
+                                                  "action_process_image_md5,action_file_authenticode_sha1,"
+                                                  "action_file_authenticode_sha2,action_file_sha256,"
+                                                  "action_module_sha256,action_process_image_sha256,"
+                                                  "action_file_access_time,actor_process_file_access_time,"
+                                                  "os_actor_process_file_access_time,action_file_mod_time,"
+                                                  "actor_process_file_mod_time,os_actor_process_file_mod_time,"
+                                                  "action_file_create_time,action_file_path,"
+                                                  "action_process_image_path,action_registry_file_path,"
+                                                  "actor_process_image_path,causality_actor_process_image_path,"
+                                                  "os_actor_process_image_path,action_process_image_command_line,"
+                                                  "actor_process_command_line,causality_actor_process_command_line,"
+                                                  "os_actor_process_command_line,action_process_file_create_time,"
+                                                  "actor_process_file_create_time,"
+                                                  "causality_actor_process_file_create_time,"
+                                                  "os_actor_process_file_create_time,action_process_image_name,"
+                                                  "actor_process_image_name,causality_actor_process_image_name,"
+                                                  "os_actor_process_image_name,action_module_process_os_pid ,"
+                                                  "action_process_os_pid,actor_process_os_pid,"
+                                                  "causality_actor_process_os_pid,os_actor_process_os_pid,"
+                                                  "action_process_requested_parent_pid,action_thread_parent_pid,"
+                                                  "action_thread_child_pid,action_process_username,auth_domain,"
+                                                  "dst_host_metadata_domain,host_metadata_domain,"
+                                                  "dst_action_url_category ,action_registry_key_name,"
+                                                  "action_registry_value_name,mac,associated_mac,dst_associated_mac ,"
+                                                  "dst_mac,dst_user_id,user_id,action_username,"
+                                                  "actor_primary_username,actor_process_logon_id | limit 10000 ",
+                                         "timeframe": {"from": 1644451200000, "to": 1644883200000}}})
+
+        configuration_local = self.configuration()
+        configuration_local["auth"]["tenant"] = ""
+        transmission = stix_transmission.StixTransmission('paloalto', self.connection(), configuration_local)
+        query_response = transmission.query(query)
+        assert query_response is not None
+        assert 'success' in query_response
+        assert query_response['success'] is True
\ No newline at end of file
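Review bot: The new test patches `APIClient.create_search` itself (the `@patch` decorator on the added method), which is the very method the api_client.py hunk changes, so the new `if(self.auth['tenant'])` branch never executes and the test would still pass with that branch reverted or raising. Patch the request layer beneath create_search instead, as the other transmission tests in this file presumably do, and assert on the body that was sent, e.g. `assert "tenants" not in sent_body["request_data"]`, so the change is actually pinned. A second case that deletes the `tenant` key from `configuration_local["auth"]` (rather than setting it to `""`) would exercise the `optional: true` path declared in config.json, which the current test does not. The docstring `"""test create search query"""` is copied from the existing test and should say what differs, e.g. `"""create search without a tenant id must send no tenants filter"""`. The added method is missing a trailing newline (`\ No newline at end of file`), and its enclosing test class starts before this hunk.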