From b8f5f22984270dfc3862526cc96148e4fc8b9209 Mon Sep 17 00:00:00 2001 From: lakshmi51974368 <92723742+thangaraj-ramesh@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:00:27 +0000 Subject: [PATCH 01/30] Updated code to support query without millisecond in Paloalto/Cybereason and additional minor fixes. 1. Updated code to support query without millisecond in query_cosntructor.py file in Cybereason and PaloAlto. Added the unit test cases for the same. 2. Added unit test case to test the millisecond fix in Darktrace. 3. Updated the code to correct the max range in connector.py file for Cybereason. 4. Code changes has been done to replace the byte code characters with empty character which is present in the data source output in Paloalto. 5. Updated the host label in lang_en.json of Cybereason, Darktrace, Gcp_chronicle, Paloalto, Sentinelone to make it more generic. --- .../cybereason/configuration/lang_en.json | 2 +- .../stix_translation/query_constructor.py | 3 +- .../cybereason/stix_transmission/connector.py | 2 +- .../test_cybereason_stix_to_query.py | 37 ++++++++++++++++++- .../darktrace/configuration/lang_en.json | 2 +- .../test_darktrace_stix_to_query.py | 17 +++++++++ .../gcp_chronicle/configuration/lang_en.json | 2 +- .../paloalto/configuration/lang_en.json | 2 +- .../stix_translation/query_constructor.py | 2 + .../stix_transmission/results_connector.py | 4 ++ .../test_paloalto_stix_to_query.py | 14 +++++++ .../sentinelone/configuration/lang_en.json | 2 +- 12 files changed, 81 insertions(+), 8 deletions(-) diff --git a/stix_shifter_modules/cybereason/configuration/lang_en.json b/stix_shifter_modules/cybereason/configuration/lang_en.json index 481d1de8c..d66326680 100644 --- a/stix_shifter_modules/cybereason/configuration/lang_en.json +++ b/stix_shifter_modules/cybereason/configuration/lang_en.json 
@@ -3,7 +3,7 @@ "host": { "label": "Management IP address or Hostname", "placeholder": "192.168.1.10", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "port": { "label": "Host Port", diff --git a/stix_shifter_modules/cybereason/stix_translation/query_constructor.py b/stix_shifter_modules/cybereason/stix_translation/query_constructor.py index 690470b29..f4e4ec33b 100644 --- a/stix_shifter_modules/cybereason/stix_translation/query_constructor.py +++ b/stix_shifter_modules/cybereason/stix_translation/query_constructor.py @@ -78,7 +78,8 @@ def _format_datetime(value): """ try: time_pattern = '%Y-%m-%dT%H:%M:%S.%fZ' - + if re.search(r"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}Z", str(value)): # without milli seconds + time_pattern = '%Y-%m-%dT%H:%M:%SZ' epoch = datetime(1970, 1, 1) converted_time = int(((datetime.strptime(value, time_pattern) - epoch).total_seconds()) * 1000) diff --git a/stix_shifter_modules/cybereason/stix_transmission/connector.py b/stix_shifter_modules/cybereason/stix_transmission/connector.py index dc050a21f..3db8f8734 100644 --- a/stix_shifter_modules/cybereason/stix_transmission/connector.py +++ b/stix_shifter_modules/cybereason/stix_transmission/connector.py @@ -53,7 +53,7 @@ def create_results_connection(self, query, offset, length): response_dict = json.loads(response_wrapper.read().decode('utf-8')) results = self.get_results_data(response_dict) - return_obj['data'] = results[offset:length] + return_obj['data'] = results[offset:(offset+length)] # session log out response_wrapper = self.api_client.session_log_out(response_wrapper) diff --git a/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py b/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py index 5aa16d825..fda68241e 100644 
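Review bot: The millisecond-less detection added to `_format_datetime` uses an unanchored `re.search`, so it only asks whether a seconds-precision timestamp occurs somewhere inside `str(value)` rather than whether the whole value lacks a fractional part; anchoring states the intent and avoids surprises on odd input: `if re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", str(value)):`. The regex is applied to `str(value)` but `datetime.strptime(value, ...)` on the next line needs a real `str`, so either convert once (`value = str(value)`) or drop the conversion in the check. `%f` accepts at most six fractional digits, so a STIX timestamp with finer precision would still raise inside `strptime`; the enclosing `try`/`except` and the `re` import are outside the hunk, so confirm both handle that and that `re` is already imported.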
--- a/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py +++ b/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py 
@@ -1985,4 +1985,39 @@ def test_invalid_email_address(self): result = translation.translate('cybereason', 'query', '{}', stix_pattern) assert result['success'] is False assert ErrorCode.TRANSLATION_NOTIMPLEMENTED_MODE.value == result['code'] - assert 'Invalid email address' in result['error'] \ No newline at end of file + assert 'Invalid email address' in result['error'] + + def test_timestamp_in_seconds_and_milliseconds(self): + stix_pattern = "[network-traffic:src_port = 23]START t'2019-10-01T08:00:10Z' STOP t'2019-11-30T11:00:10Z' AND" \ + "[network-traffic:protocols[*] = 'tcp'] START t'2019-10-01T08:43:10.003Z' STOP " \ + "t'2019-11-30T10:43:10.005Z' " + query = translation.translate('cybereason', 'query', '{}', stix_pattern) + queries = [{'queryPath': [{'requestedType': 'Connection', 'filters': [{'facetName': 'transportProtocol', + 'filterType': 'Equals', + 'values': ['tcp']}, + {'facetName': 'creationTime', + 'filterType': 'Between', + 'values': [1569919390003, + 1575110590005]}, + {'facetName': 'localPort', + 'filterType': 'Equals', + 'values': [23]}, + {'facetName': 'creationTime', + 'filterType': 'Between', + 'values': [1569916810000, + 1575111610000]}], + 'isResult': True}], 'queryLimits': {'groupingFeature': + {'elementInstanceType': 'Connection', + 'featureName': 'elementDisplayName'}}, + 'perFeatureLimit': 1, + 'totalResultLimit': 9999, 'perGroupLimit': 1, 'templateContext': 'CUSTOM', + 'customFields': ['elementDisplayName', 'direction', 'ownerMachine', 'ownerProcess', 'serverPort', + 'serverAddress', 'portType', 'aggregatedReceivedBytesCount', + 'aggregatedTransmittedBytesCount', 'remoteAddressCountryName', 'dnsQuery', + 'calculatedCreationTime', 'domainName', 'endTime', 'localPort', 'portDescription', + 'remotePort', 'state', 'isExternalConnection', 'isIncoming', + 'remoteAddressInternalExternalLocal', 'transportProtocol', 'hasMalops', + 'hasSuspicions', 'relatedToMalop', 'isWellKnownPort', 'isProcessLegit', + 'isProcessMalware', 'localAddress', 
'remoteAddress', 'urlDomains']}] + + self._test_query_assertions(query, queries) diff --git a/stix_shifter_modules/darktrace/configuration/lang_en.json b/stix_shifter_modules/darktrace/configuration/lang_en.json index 683853e55..cb95009dc 100644 --- a/stix_shifter_modules/darktrace/configuration/lang_en.json +++ b/stix_shifter_modules/darktrace/configuration/lang_en.json @@ -2,7 +2,7 @@ "connection": { "host": { "label": "Management IP address or Hostname", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "help": { "label": "Need additional help?", diff --git a/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py b/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py index 4a10d506c..1bcf2a75f 100644 --- a/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py +++ b/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py @@ -650,3 +650,20 @@ def test_combinedcomparison_and_or_operator(self): }] expected_query = _remove_timestamp_from_query(expected_query) self._test_query_assertions(actual_query, expected_query) + + def test_qualifier_without_milliseconds(self): + stix_pattern = "[x-oca-asset:hostname = '169.254.169.254'] " \ + "START t'2022-03-01T11:50:21Z' STOP t'2022-03-31T11:55:25Z'" + actual_query = translation.translate('darktrace', 'query', '{}', stix_pattern) + expected_query = [{ + "search": "(@fields.host:\"169.254.169.254\" AND (@fields.epochdate :>1646135421.0 " + "AND @fields.epochdate :<1648727725.0))", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-03-01T11:50:21.000000Z", + "to": "2022-03-31T11:55:25.000000Z" + }, + "size": 10000 + }] + self._test_query_assertions(actual_query, expected_query) 
diff --git a/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json b/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json index d5aea8872..71f2b9c67 100644 --- a/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json +++ b/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json @@ -2,7 +2,7 @@ "connection": { "host": { "label": "Management IP address or Hostname", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "help": { "label": "Need additional help?", diff --git a/stix_shifter_modules/paloalto/configuration/lang_en.json b/stix_shifter_modules/paloalto/configuration/lang_en.json index be3f57075..a47affc0b 100644 --- a/stix_shifter_modules/paloalto/configuration/lang_en.json +++ b/stix_shifter_modules/paloalto/configuration/lang_en.json @@ -2,7 +2,7 @@ "connection": { "host": { "label": "Management IP address or Hostname", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "quota_threshold": { "label": "The quota limit for the API", diff --git a/stix_shifter_modules/paloalto/stix_translation/query_constructor.py b/stix_shifter_modules/paloalto/stix_translation/query_constructor.py index 3ff5fae8d..a81381aef 100644 --- a/stix_shifter_modules/paloalto/stix_translation/query_constructor.py +++ b/stix_shifter_modules/paloalto/stix_translation/query_constructor.py @@ -249,6 +249,8 @@ def _format_datetime(value): """ try: time_pattern = '%Y-%m-%dT%H:%M:%S.%fZ' + if re.search(r"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}Z", str(value)): # without milli seconds + time_pattern = '%Y-%m-%dT%H:%M:%SZ' epoch = datetime(1970, 1, 1) converted_time = int(((datetime.strptime(value, time_pattern) - epoch).total_seconds()) * 1000) 
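Review bot: This copy of `_format_datetime` in the Palo Alto module now carries the same regex guard as the Cybereason one, with the same two weaknesses: `re.search` is unanchored, and the value is stringified for the check but passed raw to `datetime.strptime`. Anchoring with `re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", value)` after a single `value = str(value)` makes the branch explicit and consistent with how `strptime` consumes the value. Since the helper is now byte-for-byte duplicated across two connectors, a shared utility in the common stix_shifter_utils package would keep future timestamp fixes from having to land twice; the surrounding `try` block starts and ends outside the hunk.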
diff --git a/stix_shifter_modules/paloalto/stix_transmission/results_connector.py b/stix_shifter_modules/paloalto/stix_transmission/results_connector.py index 533614be8..fb7ecae06 100644 --- a/stix_shifter_modules/paloalto/stix_transmission/results_connector.py +++ b/stix_shifter_modules/paloalto/stix_transmission/results_connector.py @@ -126,6 +126,8 @@ def format_results_data(result_data, to_stix_mapping, mandatory_map): if value is not None and value != "NULL" and value != '' and field != 'dataset_name' \ and (field in to_stix_mapping[dataset_map].keys()): stix_data_map = to_stix_mapping[dataset_map][field] + if '\x00' in str(value): + value = value.replace('\x00', '') data = ResultsConnector.check_object(stix_data_map, mandatory_map, data, log, field, value) elif field == 'dataset_name': @@ -160,6 +162,8 @@ def format_stream_data(stream_data, to_stix_mapping, mandatory_map): if value is not None and value != "NULL" and value != '' and field != 'dataset_name' \ and (field in to_stix_mapping[dataset_map].keys()): stix_data_map = to_stix_mapping[dataset_map][field] + if '\x00' in str(value): + value = value.replace('\x00', '') data = ResultsConnector.check_object(stix_data_map, mandatory_map, data, log_dict, field, value) elif field == 'dataset_name': diff --git a/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_stix_to_query.py b/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_stix_to_query.py index 68e7a80d9..4a6b4b5fb 100644 --- a/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_stix_to_query.py +++ b/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_stix_to_query.py 
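Review bot: In both `format_results_data` and `format_stream_data` the guard tests `'\x00' in str(value)` but then calls `value.replace(...)`, which only exists on `str`; the guard is effectively inert for non-string values (their `repr` escapes the NUL), so the clearer form is `if isinstance(value, str) and '\x00' in value: value = value.replace('\x00', '')`. More important for a security consumer: silently deleting embedded NULs rewrites the indicator itself (a path such as `evil.exe\x00.txt` becomes `evil.exe.txt`), so the STIX value no longer equals what the data source stored and a NUL-injection artifact disappears from the evidence; substituting a visible marker (for example `\\x00`) or at least a comment stating that the loss is intentional would let analysts know. The two identical lines would be easier to keep in sync as a tiny `_strip_nul(value)` helper; both enclosing functions extend beyond the hunks.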
@@ -559,3 +559,17 @@ def test_format_timestamp_fields(self): "'to': 1645636157746}}}"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) + + def test_qualifier_without_milliseconds(self): + stix_pattern = "[ipv4-addr:value = '10.0.1.4' AND network-traffic:src_port = 52221] " \ + "START t'2022-02-01T08:43:10Z' STOP t'2022-04-07T10:43:10Z'" + query = translation.translate('paloalto', 'query', '{}', stix_pattern) + queries = [{'xdr_data': {'query': 'dataset = xdr_data | filter (action_local_port = 52221 ' + 'and (action_local_ip = "10.0.1.4" or action_remote_ip = "10.0.1.4"' + ' or agent_ip_addresses = "10.0.1.4") and ' + '(to_epoch(_time,"millis") >= 1643704990000 and ' + 'to_epoch(_time,"millis") <= 1649328190000)) | alter dataset_name = ' + '"xdr_data" | fields ' + all_fields + ' | limit 10000 ', + 'timeframe': {'from': 1643704990000, 'to': 1649328190000}}}] + + self._test_query_assertions(query, queries) diff --git a/stix_shifter_modules/sentinelone/configuration/lang_en.json b/stix_shifter_modules/sentinelone/configuration/lang_en.json index 9ad973dad..b00ad7f3c 100644 --- a/stix_shifter_modules/sentinelone/configuration/lang_en.json +++ b/stix_shifter_modules/sentinelone/configuration/lang_en.json @@ -2,7 +2,7 @@ "connection": { "host": { "label": "Management IP address or Hostname", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "port": { "label": "Host Port", From 19878197e35d33b6d9f68ca3a148b743d51a7f3f Mon Sep 17 00:00:00 2001 
From: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com> Date: Wed, 30 Nov 2022 15:28:03 +0000 Subject: [PATCH 02/30] Darktrace timeout exception handled (#1210) --- stix_shifter_modules/darktrace/README.md | 1 + .../darktrace/stix_transmission/connector.py | 17 +++++++- .../stix_transmission/error_mapper.py | 4 +- .../test/stix_transmission/test_darktrace.py | 40 +++++++++++++++++-- 4 files changed, 56 insertions(+), 6 deletions(-) diff --git a/stix_shifter_modules/darktrace/README.md b/stix_shifter_modules/darktrace/README.md index be071ea69..34d025a6a 100644 --- a/stix_shifter_modules/darktrace/README.md +++ b/stix_shifter_modules/darktrace/README.md @@ -864,3 +864,4 @@ ping ### Observations - Darktrace does not support >= and <=, so the same is achieved by < and > operators by increasing and decreasing the corresponding values. +- Query will return those records in the specified timeframe which satisfy the applied search filters. If there are no records in the given timeframe, search filter won't be applied and "Invalid parameter" error will be returned. diff --git a/stix_shifter_modules/darktrace/stix_transmission/connector.py b/stix_shifter_modules/darktrace/stix_transmission/connector.py index b5dcfe2e9..84b063493 100644 --- a/stix_shifter_modules/darktrace/stix_transmission/connector.py +++ b/stix_shifter_modules/darktrace/stix_transmission/connector.py 
@@ -65,17 +65,22 @@ def create_results_connection(self, search_id, offset, length): search_id = json.dumps(search_id) response_wrapper = self.api_client.get_search_results(search_id) - response_dict = json.loads(response_wrapper.read().decode('utf-8')) if response_wrapper.code == 200: return_obj['success'] = True - elif response_wrapper.code == 400: + # Both InvalidAuthentication and InvalidRequest returns the same error code 400. + # Verifying the error message to identify InvalidAuthentication error. + elif response_wrapper.code == 400 and 'API SIGNATURE ERROR' in response_wrapper.response.text: raise InvalidAuthenticationException + elif response_wrapper.code == 408: + raise TimeoutError(response_wrapper.response.text) elif 399 < response_wrapper.code < 500: raise InvalidRequestException(response_wrapper.response.text) elif response_wrapper.code == 500: raise InternalServerErrorException(response_wrapper.response.text) + response_dict = json.loads(response_wrapper.read().decode('utf-8')) + if response_dict.get('error'): raise InvalidArguments(response_dict['error']) @@ -95,6 +100,14 @@ def create_results_connection(self, search_id, offset, length): response_dict['code'] = 1003 response_dict['message'] = "Invalid Host/Port" ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector) + except TimeoutError as ex: + response_dict['code'] = 1004 + response_dict['message'] = str(ex) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector) + except InvalidRequestException as ex: + response_dict['code'] = 1005 + response_dict['message'] = 'Bad Request' if 'Bad request' in str(ex) else str(ex) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector) except Exception as ex: response_dict['type'] = ex.__class__.__name__ response_dict['message'] = ex 
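Review bot: The new `except InvalidRequestException` maps everything raised by the `399 < response_wrapper.code < 500` branch to code 1005 (`invalid_query`), so a 401, 403, 404 or 429 from Darktrace that does not contain `API SIGNATURE ERROR` is now reported to the caller as a query-parsing error, whereas before it fell through to the generic handler and kept its own type. Narrowing the raise to `elif response_wrapper.code == 400: raise InvalidRequestException(response_wrapper.response.text)` and letting other 4xx codes reach the existing generic path (or a dedicated auth/connect mapping) keeps the error classification honest. The auth detection is a case-sensitive substring match on the response body, which deserves a comment naming the exact Darktrace message it relies on, and `response_dict['message'] = str(ex)` forwards the raw body (HTML in the test) to the caller, so consider truncating it. The enclosing method and the initialisation of `response_dict` that the except handlers rely on are outside the hunk.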
diff --git a/stix_shifter_modules/darktrace/stix_transmission/error_mapper.py b/stix_shifter_modules/darktrace/stix_transmission/error_mapper.py index de795a487..78938de95 100644 --- a/stix_shifter_modules/darktrace/stix_transmission/error_mapper.py +++ b/stix_shifter_modules/darktrace/stix_transmission/error_mapper.py @@ -5,7 +5,9 @@ error_mapping = { 1001: ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, 1002: ErrorCode.TRANSMISSION_INVALID_PARAMETER, - 1003: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE + 1003: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE, + 1004: ErrorCode.TRANSMISSION_CONNECT, + 1005: ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR } diff --git a/stix_shifter_modules/darktrace/test/stix_transmission/test_darktrace.py b/stix_shifter_modules/darktrace/test/stix_transmission/test_darktrace.py index 182ad0b3a..42da0a0f3 100644 --- a/stix_shifter_modules/darktrace/test/stix_transmission/test_darktrace.py +++ b/stix_shifter_modules/darktrace/test/stix_transmission/test_darktrace.py @@ -20,8 +20,9 @@ def read(self): class PingResponse: """ class for ping response""" - def __init__(self, responseobject): + def __init__(self, responseobject, code=None): self.response = responseobject + self.code = code class InnerResponse: @@ -247,8 +248,8 @@ def test_multievent_query(self, mock_ping_source): @patch('stix_shifter_modules.darktrace.stix_transmission.api_client.APIClient.get_search_results') def test_invalid_auth(self, mock_results_response): - mock_response_dict = json.dumps({'error': 'Invalid Authentication'}) - mock_results_response.return_value = DarktraceMockResponse(400, mock_response_dict) + inner_mock = InnerResponse(400, '{"advancedsearch": "API SIGNATURE ERROR"}') + mock_results_response.return_value = PingResponse(inner_mock, 400) query = json.dumps({"queries": ["{\"search\": \"(@fields.query:pop.gmail.com)\", \"fields\": [], \"timeframe\":" " \"custom\", \"time\": {\"from\": \"2022-03-16T09:23:20.894000Z\", " 
@@ -321,3 +322,36 @@ def test_ping_connection_error(self, mock_results_response): assert results_response is not None assert results_response['success'] is False + + @patch('stix_shifter_modules.darktrace.stix_transmission.api_client.APIClient.get_search_results') + def test_timeout_error(self, mock_results_response): + mock_results_response.side_effect = TimeoutError("Request Timeout") + + query = json.dumps({"queries": ["{\"search\": \"(@fields.query:pop.gmail.com)\", \"fields\": [], \"timeframe\":" + " \"custom\", \"time\": {\"from\": \"2022-03-16T09:23:20.894000Z\", " + "\"to\": \"2022-03-16T09:28:20.894000Z\"}}"]}) + + transmission = stix_transmission.StixTransmission('darktrace', self.connection(), self.config()) + results_response = transmission.results(query, 0, 1) + + assert results_response is not None + assert results_response['success'] is False + assert results_response['code'] == 'service_unavailable' + assert 'Request Timeout' in results_response['error'] + + @patch('stix_shifter_modules.darktrace.stix_transmission.api_client.APIClient.get_search_results') + def test_invalid_request(self, mock_results_response): + inner_mock = InnerResponse(400, '

400 Bad request

\nYour browser sent an invalid request.') + mock_results_response.return_value = PingResponse(inner_mock, 400) + + query = json.dumps({"queries": ["{\"search\": \"(@fields.query:pop.gmail.com)\", \"fields\": [], \"timeframe\":" + " \"custom\", \"time\": {\"from\": \"2022-03-16T09:23:20.894000Z\", " + "\"to\": \"2022-03-16T09:28:20.894000Z\"}}"]}) + + transmission = stix_transmission.StixTransmission('darktrace', self.connection(), self.config()) + results_response = transmission.results(query, 0, 1) + + assert results_response is not None + assert results_response['success'] is False + assert results_response['code'] == 'invalid_query' + assert 'Bad Request' in results_response['error'] From c1f8926e379a9388b953342a75eb17e5e98a1b62 Mon Sep 17 00:00:00 2001 From: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com> Date: Mon, 5 Dec 2022 13:43:19 +0000 Subject: [PATCH 03/30] Updated cybereason code to fix the issue #1215 (#1224) 1. Changes done to treat both AND as OR operator between multiple observations. 2. Updated code to display alternate error message "Cybereason does not support AND operator between fields" when unsupported Cybereason fields are attempted to be combined using AND operator. Added relevant unit test cases. --- stix_shifter_modules/cybereason/README.md | 366 +++++++++++--- .../stix_translation/json/operators.json | 5 +- .../stix_translation/query_constructor.py | 42 +- .../test_cybereason_stix_to_query.py | 462 ++++++++++-------- 4 files changed, 599 insertions(+), 276 deletions(-) diff --git a/stix_shifter_modules/cybereason/README.md b/stix_shifter_modules/cybereason/README.md index e2703b068..a32c76a9a 100644 --- a/stix_shifter_modules/cybereason/README.md +++ b/stix_shifter_modules/cybereason/README.md 
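Review bot: `test_timeout_error` simulates the timeout with `side_effect = TimeoutError("Request Timeout")` on `get_search_results`, so the new `response_wrapper.code == 408` branch in the connector is never executed; the test only exercises the `except TimeoutError` clause. A second case returning a 408 response object, for example `mock_results_response.return_value = PingResponse(InnerResponse(408, 'Request Timeout'), 408)`, would cover the branch this commit adds. The HTML literal in `test_invalid_request` appears mangled on this page (tags lost and split across lines), so confirm the committed file holds a single well-formed string.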
@@ -375,7 +375,7 @@ translate cybereason results ####STIX Translate query ```shell -translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] AND [x-cybereason-file:product_type IN ('Adobe')] AND [process:command_line LIKE 'Adobe\\Acrobat Reader DC']) START t'2021-02-10T11:43:08.000Z' STOP t'2021-11-12T11:00:00.003Z'" +translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] OR [x-cybereason-file:product_type IN ('Adobe')] AND [process:command_line LIKE 'Adobe\\Acrobat Reader DC']) START t'2021-02-10T11:43:08.000Z' STOP t'2021-11-12T11:00:00.003Z'" ``` #### STIX Translate query - output 
@@ -404,11 +404,222 @@ translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] ] } ], - "connectionFeature": { - "elementInstanceType": "Process", - "featureName": "imageFile" - } - }, + "isResult": true + } + ], + "queryLimits": { + "groupingFeature": { + "elementInstanceType": "Process", + "featureName": "elementDisplayName" + } + }, + "perFeatureLimit": 1, + "totalResultLimit": 9999, + "perGroupLimit": 1, + "templateContext": "CUSTOM", + "customFields": [ + "elementDisplayName", + "creationTime", + "endTime", + "commandLine", + "imageFile.maliciousClassificationType", + "productType", + "children", + "parentProcess", + "ownerMachine", + "calculatedUser", + "imageFile", + "imageFile.sha1String", + "imageFile.md5String", + "imageFile.sha256String", + "imageFile.companyName", + "imageFile.productName", + "applicablePid", + "imageFileExtensionType", + "integrity", + "tid", + "isAggregate", + "isDotNetProtected", + "hasMalops", + "hasSuspicions", + "relatedToMalop", + "multipleSizeForHashEvidence", + "isImageFileVerified", + "knownMaliciousToolSuspicion", + "knownMalwareSuspicion", + "knownUnwantedSuspicion", + "isMaliciousByHashEvidence", + "imageFileMultipleCompanyNamesEvidence", + "multipleHashForUnsignedPeInfoEvidence", + "multipleNameForHashEvidence", + "unknownEvidence", + "rareHasPeMismatchEvidence", + "imageFile.signedInternalOrExternal", + "unknownUnsignedBySigningCompany", + "imageFileUnsignedEvidence", + "imageFileUnsignedHasSignedVersionEvidence", + "unwantedModuleSuspicion", + "imageFile.signerInternalOrExternal", + "architecture", + "commandLineContainsTempEvidence", + "hasChildren", + "hasClassification", + "hasVisibleWindows", + "hasWindows", + "isInstaller", + "isIdentifiedProduct", + "hasModuleFromTempEvidence", + "nonExecutableExtensionEvidence", + "isNotShellRunner", + "runningFromTempEvidence", + "shellOfNonShellRunnerSuspicion", + "shellWithElevatedPrivilegesEvidence", + "systemUserEvidence", + "hasExternalConnection", + 
"hasExternalConnectionToWellKnownPortEvidence", + "hasIncomingConnection", + "hasInternalConnection", + "hasMailConnectionForNonMailProcessEvidence", + "hasListeningConnection", + "hasOutgoingConnection", + "hasUnresolvedDnsQueriesFromDomain", + "multipleUnresolvedRecordNotExistsEvidence", + "hasNonDefaultResolverEvidence", + "parentProcessNotMatchHierarchySuspicion", + "parentProcessNotAdminUserEvidence", + "parentProcessFromRemovableDeviceEvidence", + "autorun", + "childrenCreatedByThread", + "connections", + "elevatedPrivilegeChildren", + "hackerToolChildren", + "hostProcess", + "hostUser", + "hostedChildren", + "injectedChildren", + "loadedModules", + "logonSession", + "remoteSession", + "service", + "execedBy", + "connectionsToMaliciousDomain", + "connectionsToMalwareAddresses", + "externalConnections", + "absoluteHighVolumeMaliciousAddressConnections", + "absoluteHighVolumeExternalConnections", + "incomingConnections", + "incomingExternalConnections", + "incomingInternalConnections", + "internalConnections", + "listeningConnections", + "localConnections", + "mailConnections", + "outgoingConnections", + "outgoingExternalConnections", + "outgoingInternalConnections", + "suspiciousExternalConnections", + "suspiciousInternalConnections", + "wellKnownPortConnections", + "lowTtlDnsQueries", + "nonDefaultResolverQueries", + "resolvedDnsQueriesDomainToDomain", + "resolvedDnsQueriesDomainToIp", + "resolvedDnsQueriesIpToDomain", + "suspiciousDnsQueryDomainToDomain", + "unresolvedQueryFromSuspiciousDomain", + "dnsQueryFromSuspiciousDomain", + "dnsQueryToSuspiciousDomain", + "unresolvedRecordNotExist", + "unresolvedDnsQueriesFromDomain", + "unresolvedDnsQueriesFromIp", + "maliciousToolClassificationModules", + "malwareClassificationModules", + "modulesNotInLoaderDbList", + "modulesFromTemp", + "unsignedWithSignedVersionModules", + "unwantedClassificationModules", + "accessToMalwareAddressInfectedProcess", + "connectingToBadReputationAddressSuspicion", + 
"hasMaliciousConnectionEvidence", + "hasSuspiciousExternalConnectionSuspicion", + "highNumberOfExternalConnectionsSuspicion", + "nonDefaultResolverSuspicion", + "hasRareExternalConnectionEvidence", + "hasRareRemoteAddressEvidence", + "suspiciousMailConnections", + "accessToMalwareAddressByUnknownProcess", + "hasAbsoluteHighVolumeConnectionToMaliciousAddressEvidence", + "hasAbsoluteHighVolumeExternalOutgoingConnectionEvidence", + "highDataTransmittedSuspicion", + "highDataVolumeTransmittedToMaliciousAddressSuspicion", + "highDataVolumeTransmittedByUnknownProcess", + "absoluteHighNumberOfInternalOutgoingEmbryonicConnectionsEvidence", + "dgaSuspicion", + "hasLowTtlDnsQueryEvidence", + "highUnresolvedToResolvedRateEvidence", + "manyUnresolvedRecordNotExistsEvidence", + "hasChildKnownHackerToolEvidence", + "hackingToolOfNonToolRunnerEvidence", + "hackingToolOfNonToolRunnerSuspicion", + "hasRareChildProcessKnownHackerToolEvidence", + "maliciousToolModuleSuspicion", + "deletedParentProcessEvidence", + "malwareModuleSuspicion", + "dualExtensionNameEvidence", + "hiddenFileExtensionEvidence", + "rightToLeftFileExtensionEvidence", + "screenSaverWithChildrenEvidence", + "suspicionsScreenSaverEvidence", + "hasPeFloatingCodeEvidence", + "hasSectionMismatchEvidence", + "detectedInjectedEvidence", + "detectedInjectingEvidence", + "detectedInjectingToProtectedProcessEvidence", + "hasInjectedChildren", + "hostingInjectedThreadEvidence", + "injectedProtectedProcessEvidence", + "maliciousInjectingCodeSuspicion", + "injectionMethod", + "isHostingInjectedThread", + "maliciousInjectedCodeSuspicion", + "maliciousPeExecutionSuspicion", + "hasSuspiciousInternalConnectionEvidence", + "highInternalOutgoingEmbryonicConnectionRateEvidence", + "highNumberOfInternalConnectionsEvidence", + "newProcessesAboveThresholdEvidence", + "hasRareInternalConnectionEvidence", + "elevatingPrivilegesToChildEvidence", + "parentProcessNotSystemUserEvidence", + "privilegeEscalationEvidence", + 
"firstExecutionOfDownloadedProcessEvidence", + "hasAutorun", + "newProcessEvidence", + "markedForPrevention", + "ransomwareAutoRemediationSuspended", + "totalNumOfInstances", + "lastMinuteNumOfInstances", + "lastSeenTimeStamp", + "wmiQueryStrings", + "isExectuedByWmi", + "absoluteHighNumberOfInternalConnectionsEvidence", + "scanningProcessSuspicion", + "imageFile.isDownloadedFromInternet", + "imageFile.downloadedFromDomain", + "imageFile.downloadedFromIpAddress", + "imageFile.downloadedFromUrl", + "imageFile.downloadedFromUrlReferrer", + "imageFile.downloadedFromEmailFrom", + "imageFile.downloadedFromEmailMessageId", + "imageFile.downloadedFromEmailSubject", + "rpcRequests", + "iconBase64", + "executionPrevented", + "isWhiteListClassification", + "matchedWhiteListRuleIds" + ] + }, + { + "queryPath": [ { "requestedType": "File", "filters": [ 
@@ -428,12 +639,84 @@ translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] ] } ], - "connectionFeature": { - "elementInstanceType": "Process", - "featureName": "imageFile" - }, - "isReversed": true - }, + "isResult": true + } + ], + "queryLimits": { + "groupingFeature": { + "elementInstanceType": "File", + "featureName": "elementDisplayName" + } + }, + "perFeatureLimit": 1, + "totalResultLimit": 9999, + "perGroupLimit": 1, + "templateContext": "CUSTOM", + "customFields": [ + "elementDisplayName", + "avRemediationStatus", + "signerInternalOrExternal", + "fileHash", + "autoruns", + "ownerMachine", + "mount", + "autorun", + "dualExtensionEvidence", + "hiddenFileExtensionEvidence", + "rightToLeftFileExtensionEvidence", + "hasMalops", + "hasSuspicions", + "maliciousClassificationType", + "hackingToolClassificationEvidence", + "classificationLink", + "isPEFile", + "executedByProcessEvidence", + "hasAutorun", + "isInstallerProperties", + "isFromRemovableDevice", + "productType", + "secondExtensionType", + "temporaryFolderEvidence", + "multipleCompanyNamesEvidence", + "multipleHashForUnsignedPeInfoEvidence", + "unsignedHasSignedVersionEvidence", + "classificationComment", + "signedInternalOrExternal", + "signatureVerifiedInternalOrExternal", + "classificationBlocking", + "isDownloadedFromInternet", + "downloadedFromDomain", + "downloadedFromIpAddress", + "downloadedFromUrl", + "downloadedFromUrlReferrer", + "downloadedFromEmailFrom", + "downloadedFromEmailMessageId", + "downloadedFromEmailSubject", + "legalCopyright", + "legalTrademarks", + "privateBuild", + "specialBuild", + "companyName", + "createdTime", + "extensionType", + "fileDescription", + "internalName", + "md5String", + "modifiedTime", + "originalFileName", + "correctedPath", + "productName", + "productVersion", + "sha1String", + "size", + "comments", + "fileVersion", + "applicationIdentifier", + "sha256String" + ] + }, + { + "queryPath": [ { "requestedType": "Process", "filters": [ 
@@ -669,55 +952,6 @@ translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] }, { "queryPath": [ - { - "requestedType": "Process", - "filters": [ - { - "facetName": "integrity", - "filterType": "NotEquals", - "values": [ - "trusted" - ] - }, - { - "facetName": "creationTime", - "filterType": "Between", - "values": [ - 1612957388000, - 1636714800003 - ] - } - ], - "connectionFeature": { - "elementInstanceType": "Process", - "featureName": "imageFile" - } - }, - { - "requestedType": "File", - "filters": [ - { - "facetName": "productType", - "filterType": "Equals", - "values": [ - "Adobe" - ] - }, - { - "facetName": "createdTime", - "filterType": "Between", - "values": [ - 1612957388000, - 1636714800003 - ] - } - ], - "connectionFeature": { - "elementInstanceType": "Process", - "featureName": "imageFile" - }, - "isReversed": true - }, { "requestedType": "Process", "filters": [ @@ -953,6 +1187,7 @@ translate cybereason query '{}' "([x-cybereason-process:integrity != 'trusted'] } ] } + ``` 
@@ -1312,9 +1547,10 @@ ping ``` ### Limitations -- Cybereason does not support “OR” operator between the elements and features. It supports only "AND" operator through "connectionFeature" and "Filters". - -### Observations -- Cybereason doesnt support regex based search. It supports only substring based search . Hence wildcard characters cannot be used for searches using LIKE or MATCHES operator +- Cybereason does not support “OR” operator between Combined Comparison. It supports only "AND" operator. +### Observations +- Cybereason doesnt support regex based search. It supports only substring based search . Hence wildcard characters cannot be used for searches using LIKE or MATCHES operator. +- AND operator between stix fields , can be performed only when there is a link (the relationship with the next field in the chain) available between two fields. If “AND” is given for fields which have no link, connector will throw error. + All the allowed links between different fields is given in config_map.json file in stix_translation\json folder. diff --git a/stix_shifter_modules/cybereason/stix_translation/json/operators.json b/stix_shifter_modules/cybereason/stix_translation/json/operators.json index b3a384ebd..f9dc5f91a 100644 --- a/stix_shifter_modules/cybereason/stix_translation/json/operators.json +++ b/stix_shifter_modules/cybereason/stix_translation/json/operators.json @@ -9,5 +9,6 @@ "ComparisonComparators.Like": "ContainsIgnoreCase", "ComparisonComparators.In": "Equals", "ComparisonComparators.Matches": "ContainsIgnoreCase", - "ObservationOperators.And": "AND" -} + "ObservationOperators.And": "OR", + "ObservationOperators.Or": "OR" +} \ No newline at end of file diff --git a/stix_shifter_modules/cybereason/stix_translation/query_constructor.py b/stix_shifter_modules/cybereason/stix_translation/query_constructor.py index f4e4ec33b..9d563b697 100644 --- a/stix_shifter_modules/cybereason/stix_translation/query_constructor.py 
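Review bot: `ObservationOperators.And` is now mapped to `"OR"`, so a pattern of the form `[a] AND [b]` is translated as a union of independent queries rather than an intersection, and the README hunk on this same line only records that OR between combined comparisons is unsupported. That semantic change belongs in the Limitations section, e.g. `- AND between observations is translated as OR: each observation becomes a separate query and the results are combined, not intersected.` The file also loses its trailing newline (`\ No newline at end of file`), which is worth restoring.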
+++ b/stix_shifter_modules/cybereason/stix_translation/query_constructor.py @@ -36,6 +36,9 @@ def __init__(self, pattern: Pattern, data_model_mapper, options): self.options = options self.config_map = self.load_json(CONFIG_MAP_PATH) self.qualified_queries = [] + self.stix_object_fields = [] + self.link_not_found_messages = [] + self.link_not_found_flag = False self.parse_expression(pattern) @staticmethod @@ -231,9 +234,9 @@ def _formatted_query(add_query_path, add_custom_fields, options): } }, "perFeatureLimit": 1, - "totalResultLimit": options["result_limit"] - 1, # Cybereason returns 1 more than totalResultLimit records along with - "perGroupLimit": 1, # the options perfeaturelimit=1 and perGroupLimit=1 - "templateContext": "CUSTOM", + "totalResultLimit": options["result_limit"] - 1, # Cybereason returns 1 more than totalResultLimit records + "perGroupLimit": 1, # along with the options perfeaturelimit=1 + "templateContext": "CUSTOM", # and perGroupLimit=1 "customFields": add_custom_fields } @@ -351,6 +354,8 @@ def _and_operator_query(self, previous_all_queries, current_all_queries): :return : list """ merged_query = [] + self.link_not_found_messages[-1].append([]) + for previous_queries in previous_all_queries: for current_queries in current_all_queries: current_query = copy.deepcopy(current_queries) 
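Review bot: The three attributes added in `__init__` carry no documentation and their shapes are not obvious from the names: `link_not_found_messages` gets one entry per observation, each holding the field pairs that could not be linked, and `link_not_found_flag` is reset at the start of every observation. Short comments such as `# object paths in parse order; the last two name the pair reported when no link exists`, `# per observation: field pairs that could not be linked via config_map "linked_fields"` and `# set when an AND in the current observation found no link; that observation's queries are dropped` would let a reader follow the bookkeeping across `_and_operator_query`, `__eval_observation_expression` and `translate_pattern`.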
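Review bot: `self.link_not_found_messages[-1].append([])` at the top of `_and_operator_query` raises `IndexError` if the method runs before `__eval_observation_expression` has pushed the per-observation list; the callers of `_and_operator_query` are outside this diff, so I cannot confirm every path goes through that push. Either a guard, `if not self.link_not_found_messages: self.link_not_found_messages.append([])`, or a docstring line stating the precondition (`must be called within an observation; relies on link_not_found_messages[-1]`) would make that dependency explicit. The method continues past this hunk.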
@@ -364,8 +369,14 @@ def _and_operator_query(self, previous_all_queries, current_all_queries): elif current_requested_type in self.config_map["linked_fields"][previous_requested_type].keys(): self._merge_linked_element(previous_query, current_query, merged_query) + else: + link_error_msg = f"{self.stix_object_fields[-2]} and {self.stix_object_fields[-1]}" + self.link_not_found_messages[-1][-1].append(link_error_msg) + # set the flag to true if no link is found between elements if not merged_query: - raise LinkNotFoundException('Link is not found between elements') + self.link_not_found_flag = True + else: + self.link_not_found_messages[-1][-1] = [] return merged_query def _parse_mapped_fields(self, comparator, value, mapped_fields_array, qualifier): @@ -390,13 +401,16 @@ def __eval_observation_expression(self, expression, qualifier): :param expression: expression object :param qualifier: qualifier """ + self.link_not_found_flag = False self.qualified_queries.append([]) + self.link_not_found_messages.append([]) self._parse_expression(expression.comparison_expression, qualifier) - if len(self.qualified_queries) > 1: - current_query = self.qualified_queries.pop() - previous_query = self.qualified_queries.pop() - merged_query = self._and_operator_query(previous_query, current_query) - self.qualified_queries.append(merged_query) + self.link_not_found_messages[-1] = {item for sublist in self.link_not_found_messages[-1] for item in sublist} + # queries should not be added when a link is not found between elements in an observation + if self.link_not_found_flag: + self.qualified_queries[-1] = [] + elif self.qualified_queries[-1]: + self.link_not_found_messages[-1] = [] def _parse_expression(self, expression, qualifier=None): """ 
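Review bot: The message built in the new `else` branch, `f"{self.stix_object_fields[-2]} and {self.stix_object_fields[-1]}"`, always names the last two object paths parsed, but `previous_query` can come from an earlier merge in `previous_all_queries`, in which case the pair that actually lacks a link may be a different one (for instance the first field of a three-way AND). Deriving the names from `previous_query` and `current_query` themselves (their `requestedType`, which is what the `linked_fields` lookup is keyed on) would report the real pair. The same string is also appended once per inner-loop iteration and only de-duplicated later by the set comprehension in `__eval_observation_expression`; collecting into a set here would keep that bookkeeping local. `_and_operator_query` starts before this hunk.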
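Review bot: In `__eval_observation_expression`, `self.link_not_found_messages[-1]` is assigned a `set` by the comprehension and then reset to a `list` (`= []`) two lines later, so the per-observation entries have mixed types; `translate_pattern` tolerates it only because it flattens with another set comprehension, and `= set()` (or lists in both places) would make the structure consistent. The removed block was the code that merged queries across observations, and nothing in the docstring records that observations are now kept as separate query lists; a docstring sentence such as `Each observation yields its own query list; observations are never merged, so AND between observations behaves as OR` would capture that.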
@@ -406,6 +420,7 @@ def _parse_expression(self, expression, qualifier=None): :return :None or str """ if isinstance(expression, ComparisonExpression): # Base Case + self.stix_object_fields.append(expression.object_path) stix_object, stix_field = expression.object_path.split(':') mapped_fields_array = self.dmm.map_field(stix_object, stix_field) comparator = self.comparator_lookup[str(expression.comparator)] @@ -437,7 +452,7 @@ def _parse_expression(self, expression, qualifier=None): f'type(expression)={type(expression)}') def parse_expression(self, pattern: Pattern): - if "ComparisonExpressionOperators.Or" in str(pattern) or "ObservationOperators.Or" in str(pattern): + if "ComparisonExpressionOperators.Or" in str(pattern): raise NotImplementedError("OR operator is not supported in Cybereason") self._parse_expression(pattern) @@ -453,5 +468,12 @@ def translate_pattern(pattern: Pattern, data_model_mapping, options): """ translated_query_strings = QueryStringPatternTranslator(pattern, data_model_mapping, options) queries = translated_query_strings.qualified_queries + link_not_found_message = translated_query_strings.link_not_found_messages final_queries = [item for sublist in queries for item in sublist] + link_not_found_messages = {item for sublist in link_not_found_message for item in sublist} + if not final_queries: + raise LinkNotFoundException(f"Cybereason does not allow AND operation " + f"between {', '.join(link_not_found_messages)}") + if link_not_found_messages: + logger.error("Cybereason does not allow AND operation between %s", ', '.join(link_not_found_messages)) return final_queries diff --git a/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py b/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py index fda68241e..029ac34df 100644 --- a/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py 
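Review bot: After the condition in `parse_expression` is narrowed to `ComparisonExpressionOperators.Or`, the error text `"OR operator is not supported in Cybereason"` overstates the limitation, because OR between observations is now accepted by this same diff; `raise NotImplementedError("OR operator between comparison expressions is not supported in Cybereason")` would match the new behaviour and the README wording.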
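Review bot: In `translate_pattern`, an observation whose AND could not be linked is dropped and only logged with `logger.error(...)` while the remaining queries are returned, so the caller receives a partial result set with no indication in the return value that part of the pattern was ignored — for a hunting or detection query that silently narrows the search. If the translation API cannot carry a warning back, the log line should at least state that the observation was dropped and the results are partial, e.g. `logger.error("Cybereason does not allow AND operation between %s; that observation was dropped and results are partial", ...)`. Two smaller points: when `final_queries` is empty but `link_not_found_messages` is also empty, the raised message ends in `between ` with nothing after it, so the exception needs a generic fallback text; and `', '.join(...)` over a set gives non-deterministic ordering, so `', '.join(sorted(link_not_found_messages))` keeps messages stable for tests and log correlation. `logger` is not visible in this diff, so it is assumed to be defined at module level.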
+++ b/stix_shifter_modules/cybereason/test/stix_translation/test_cybereason_stix_to_query.py @@ -795,7 +795,6 @@ def test_process_created_query(self): "'process.calculatedName', 'process.calculatedUser', 'process.creationTime', 'process.endTime', " "'process.imageFile.maliciousClassificationType']}"] - queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -1162,42 +1161,54 @@ def test_multiple_observation_query(self): "t'2019-10-01T00:00:00.030Z' STOP t'2021-10-07T00:00:00.030Z' " query = translation.translate('cybereason', 'query', '{}', stix_pattern) - query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["{'queryPath': [{'requestedType': 'RegistryEvent', 'filters': [{'facetName': " "'detectionTimesNumber', 'filterType': 'Equals', 'values': [1]}, {'facetName': 'firstTime', " "'filterType': 'Between', 'values': [1569888000030, 1633564800030]}], 'connectionFeature': {" "'elementInstanceType': 'RegistryEvent', 'featureName': 'registryEntry'}}, {'requestedType': " "'Autorun', 'filters': [{'facetName': 'elementDisplayName', 'filterType': 'Equals', 'values': [" - "'name']}, {'facetName': 'endTime', " - "'filterType': 'Between', 'values': [1569888000030, 1633564800030]}], " - "'connectionFeature': {'elementInstanceType': 'Autorun', 'featureName': " + "'name']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [1569888000030, " + "1633564800030]}], 'connectionFeature': {'elementInstanceType': 'Autorun', 'featureName': " "'dependInFile'}}, {'requestedType': 'File', 'filters': [{'facetName': 'md5String', 'filterType': " - "'Equals', 'values': ['MD5']}, {'facetName': 'createdTime', " - "'filterType': 'Between', 'values': [1569888000030, 1633564800030]}], " - "'connectionFeature': {'elementInstanceType': 'Driver', " - "'featureName': 'file'}, 'isReversed': True}, {'requestedType': 'Driver', 'filters': [{" - "'facetName': 'ownerMachine', 'filterType': 'Equals', 'values': ['username']}, {'facetName': " - "'endTime', 'filterType': 'Between', 'values': [1569888000030, 1633564800030]}], " - "'connectionFeature': {'elementInstanceType': 'Driver', 'featureName': 'ownerMachine'}}, " - "{'requestedType': 'Machine', 'filters': [{'facetName': 'timezoneUTCOffsetMinutes', 'filterType': " - "'Equals', 'values': [4]}, {'facetName': 'lastSeenTimeStamp', " - "'filterType': 'Between', 'values': 
[1569888000030, 1633564800030]}], 'isResult': True}]," - " 'queryLimits': {'groupingFeature': {" - "'elementInstanceType': 'Machine', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, " + "'Equals', 'values': ['MD5']}, {'facetName': 'createdTime', 'filterType': 'Between', 'values': [" + "1569888000030, 1633564800030]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {" + "'elementInstanceType': 'File', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, " "'totalResultLimit': 9999, 'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': [" - "'elementDisplayName', 'mountPoints', 'processes', 'services', 'logonSessions', " - "'hasRemovableDevice', 'timezoneUTCOffsetMinutes', 'osVersionType', 'platformArchitecture', " - "'mbrHashString', 'osType', 'domainFqdn', 'ownerOrganization', 'pylumId', 'adSid', 'adOU', " - "'adOrganization', 'adCanonicalName', 'adCompany', 'adDNSHostName', 'adDepartment', " - "'adDisplayName', 'adLocation', 'adMachineRole', 'adDescription', 'freeDiskSpace', " - "'totalDiskSpace', 'freeMemory', 'totalMemory', 'cpuCount', 'isLaptop', 'deviceModel', " - "'isActiveProbeConnected', 'uptime', 'isIsolated', 'lastSeenTimeStamp', " - "'timeStampSinceLastConnectionTime', 'hasMalops', 'hasSuspicions', " + "'elementDisplayName', 'avRemediationStatus', 'signerInternalOrExternal', 'fileHash', 'autoruns', " + "'ownerMachine', 'mount', 'autorun', 'dualExtensionEvidence', 'hiddenFileExtensionEvidence', " + "'rightToLeftFileExtensionEvidence', 'hasMalops', 'hasSuspicions', 'maliciousClassificationType', " + "'hackingToolClassificationEvidence', 'classificationLink', 'isPEFile', " + "'executedByProcessEvidence', 'hasAutorun', 'isInstallerProperties', 'isFromRemovableDevice', " + "'productType', 'secondExtensionType', 'temporaryFolderEvidence', 'multipleCompanyNamesEvidence', " + "'multipleHashForUnsignedPeInfoEvidence', 'unsignedHasSignedVersionEvidence', " + "'classificationComment', 'signedInternalOrExternal', 
'signatureVerifiedInternalOrExternal', " + "'classificationBlocking', 'isDownloadedFromInternet', 'downloadedFromDomain', " + "'downloadedFromIpAddress', 'downloadedFromUrl', 'downloadedFromUrlReferrer', " + "'downloadedFromEmailFrom', 'downloadedFromEmailMessageId', 'downloadedFromEmailSubject', " + "'legalCopyright', 'legalTrademarks', 'privateBuild', 'specialBuild', 'companyName', " + "'createdTime', 'extensionType', 'fileDescription', 'internalName', 'md5String', 'modifiedTime', " + "'originalFileName', 'correctedPath', 'productName', 'productVersion', 'sha1String', 'size', " + "'comments', 'fileVersion', 'applicationIdentifier', 'sha256String']}", + "{'queryPath': [{" + "'requestedType': 'Driver', 'filters': [{'facetName': 'ownerMachine', 'filterType': 'Equals', " + "'values': ['username']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [" + "1569888000030, 1633564800030]}], 'connectionFeature': {'elementInstanceType': 'Driver', " + "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " + "'timezoneUTCOffsetMinutes', 'filterType': 'Equals', 'values': [4]}, {'facetName': " + "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1569888000030, 1633564800030]}], " + "'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': 'Machine', " + "'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'mountPoints', 'processes', 'services', 'logonSessions', 'hasRemovableDevice', " + "'timezoneUTCOffsetMinutes', 'osVersionType', 'platformArchitecture', 'mbrHashString', 'osType', " + "'domainFqdn', 'ownerOrganization', 'pylumId', 'adSid', 'adOU', 'adOrganization', " + "'adCanonicalName', 'adCompany', 'adDNSHostName', 'adDepartment', 'adDisplayName', 'adLocation', " + "'adMachineRole', 'adDescription', 'freeDiskSpace', 'totalDiskSpace', 'freeMemory', 'totalMemory', " + 
"'cpuCount', 'isLaptop', 'deviceModel', 'isActiveProbeConnected', 'uptime', 'isIsolated', " + "'lastSeenTimeStamp', 'timeStampSinceLastConnectionTime', 'hasMalops', 'hasSuspicions', " "'isSuspiciousOrHasSuspiciousProcessOrFile', 'maliciousTools', 'maliciousProcesses', " "'suspiciousProcesses']}"] - queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
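Review bot: The expected value in `test_multiple_observation_query` now holds two independent queries where the old fixture held one merged chain, which encodes the new observation-level behaviour (observations no longer merged, AND between them acting as OR) without saying so; the stix pattern itself is above the hunk, so I am inferring the operator from the old merged expectation. A one-line comment above `queries = [...]`, `# observations joined by AND are translated as separate queries (union), not merged`, would stop the fixture being "corrected" back to a single merged query.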
@@ -1523,157 +1534,145 @@ def test_multiple_observation_with_qualifier_query(self): query = translation.translate('cybereason', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["{'queryPath': [{'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': " - "'GreaterThan', 'values': [10]}, {'facetName': 'createdTime', " - "'filterType': 'Between', 'values': [1601510400030, 1633564800030]}]," - " 'connectionFeature': {'elementInstanceType': 'File', " - "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " - "'osVersionType', 'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': " - "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], " - "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 'services'}}, " - "{'requestedType': 'Service', 'filters': [{'facetName': 'displayName', 'filterType': 'Equals', " - "'values': ['Windows Push Notifications User Service_2d02eb']}, " - "{'facetName': 'endTime', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}]," - " 'isResult': True}], " - "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Service', 'featureName': " - "'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, 'perGroupLimit': 1, " - "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'binaryFile', 'ownerMachine'," - " " - "'process', 'serviceStartName', 'commandLineArguments', 'description', 'displayName', 'endTime', " - "'isActive', 'startType', 'unitFilePath', 'serviceState', 'serviceSubState', 'isAutoRestartService'," - " 'hasSuspicions', 'newServiceEvidence', 'rareServiceEvidence', 'serviceType', 'driver']}", - "{'queryPath': [{'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': " - "'GreaterThan', 'values': [10]}, " - "{'facetName': 'createdTime', 'filterType': 'Between', 'values': [1601510400030, 
1633564800030]}]," - " 'connectionFeature': {'elementInstanceType': 'File', " - "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " - "'osVersionType', 'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': " - "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], " - "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 'services'}}, " - "{'requestedType': 'Service', 'filters': [{'facetName': 'oldServiceStartName', 'filterType': " - "'Equals', 'values': ['Windows Push Notifications User Service_2d02eb']}, {'facetName': 'endTime', " - "'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], 'isResult': True}], " - "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Service', 'featureName': " - "'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, 'perGroupLimit': 1, " - "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'binaryFile', 'ownerMachine'," - " " - "'process', 'serviceStartName', 'commandLineArguments', 'description', 'displayName', 'endTime', " - "'isActive', 'startType', 'unitFilePath', 'serviceState', 'serviceSubState', 'isAutoRestartService'," - " " - "'hasSuspicions', 'newServiceEvidence', 'rareServiceEvidence', 'serviceType', 'driver']}", - "{'queryPath': [{'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': " - "'GreaterThan', 'values': [10]}, " - "{'facetName': 'createdTime', 'filterType': 'Between', 'values': [1601510400030, 1633564800030]}]," - " 'connectionFeature': {'elementInstanceType': 'File', " - "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " - "'osVersionType', 'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': " - "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], " - "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 
'services'}}, " - "{'requestedType': 'Service', 'filters': [{'facetName': 'elementDisplayName', 'filterType': " - "'Equals', 'values': ['Windows Push Notifications User Service_2d02eb']}, {'facetName': 'endTime', " - "'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], 'isResult': True}], " - "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Service', 'featureName': " - "'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, 'perGroupLimit': 1, " - "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'binaryFile', 'ownerMachine'," - " " - "'process', 'serviceStartName', 'commandLineArguments', 'description', 'displayName', 'endTime', " - "'isActive', 'startType', 'unitFilePath', 'serviceState', 'serviceSubState', 'isAutoRestartService'," - " " - "'hasSuspicions', 'newServiceEvidence', 'rareServiceEvidence', 'serviceType', 'driver']}", - "{'queryPath': [{'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': " - "'GreaterThan', 'values': [10]}, " - "{'facetName': 'createdTime', 'filterType': 'Between', 'values': [1601510400030, 1633564800030]}]," - " 'connectionFeature': {'elementInstanceType': 'File', " - "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " - "'osVersionType', 'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': " - "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], " - "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 'services'}}, " - "{'requestedType': 'Service', 'filters': [{'facetName': 'serviceStartName', 'filterType': 'Equals', " - "'values': ['Windows Push Notifications User Service_2d02eb']}, {'facetName': 'endTime', " - "'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], 'isResult': True}], " - "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Service', 'featureName': " - "'elementDisplayName'}}, 
'perFeatureLimit': 1, 'totalResultLimit': 9999, 'perGroupLimit': 1, " - "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'binaryFile', 'ownerMachine'," - " " - "'process', 'serviceStartName', 'commandLineArguments', 'description', 'displayName', 'endTime', " - "'isActive', 'startType', 'unitFilePath', 'serviceState', 'serviceSubState', 'isAutoRestartService'," - " " - "'hasSuspicions', 'newServiceEvidence', 'rareServiceEvidence', 'serviceType', 'driver']}", - "{'queryPath': [{'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': " - "'GreaterThan', 'values': [10]}," - " {'facetName': 'createdTime', 'filterType': 'Between', 'values': [1601510400030, 1633564800030]}]," - " 'connectionFeature': {'elementInstanceType': 'File', " - "'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': " + "'GreaterThan', 'values': [10]}, {'facetName': 'createdTime', 'filterType': 'Between', 'values': [" + "1601510400030, 1633564800030]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {" + "'elementInstanceType': 'File', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, " + "'totalResultLimit': 9999, 'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': [" + "'elementDisplayName', 'avRemediationStatus', 'signerInternalOrExternal', 'fileHash', 'autoruns', " + "'ownerMachine', 'mount', 'autorun', 'dualExtensionEvidence', 'hiddenFileExtensionEvidence', " + "'rightToLeftFileExtensionEvidence', 'hasMalops', 'hasSuspicions', 'maliciousClassificationType', " + "'hackingToolClassificationEvidence', 'classificationLink', 'isPEFile', " + "'executedByProcessEvidence', 'hasAutorun', 'isInstallerProperties', 'isFromRemovableDevice', " + "'productType', 'secondExtensionType', 'temporaryFolderEvidence', 'multipleCompanyNamesEvidence', " + "'multipleHashForUnsignedPeInfoEvidence', 'unsignedHasSignedVersionEvidence', " + "'classificationComment', 'signedInternalOrExternal', 
'signatureVerifiedInternalOrExternal', " + "'classificationBlocking', 'isDownloadedFromInternet', 'downloadedFromDomain', " + "'downloadedFromIpAddress', 'downloadedFromUrl', 'downloadedFromUrlReferrer', " + "'downloadedFromEmailFrom', 'downloadedFromEmailMessageId', 'downloadedFromEmailSubject', " + "'legalCopyright', 'legalTrademarks', 'privateBuild', 'specialBuild', 'companyName', " + "'createdTime', 'extensionType', 'fileDescription', 'internalName', 'md5String', 'modifiedTime', " + "'originalFileName', 'correctedPath', 'productName', 'productVersion', 'sha1String', 'size', " + "'comments', 'fileVersion', 'applicationIdentifier', 'sha256String']}", + "{'queryPath': [{" + "'requestedType': 'Machine', 'filters': [{'facetName': 'osVersionType', 'filterType': 'Equals', " + "'values': ['Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', 'filterType': 'Between', " + "'values': [1669869087615, 1669869387615]}], 'connectionFeature': {'elementInstanceType': " + "'Machine', 'featureName': 'services'}}, {'requestedType': 'Service', 'filters': [{'facetName': " + "'displayName', 'filterType': 'Equals', 'values': ['Windows Push Notifications User " + "Service_2d02eb']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [1669869087615, " + "1669869387615]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': " + "'Service', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'binaryFile', 'ownerMachine', 'process', 'serviceStartName', 'commandLineArguments', " + "'description', 'displayName', 'endTime', 'isActive', 'startType', 'unitFilePath', 'serviceState', " + "'serviceSubState', 'isAutoRestartService', 'hasSuspicions', 'newServiceEvidence', " + "'rareServiceEvidence', 'serviceType', 'driver']}", + "{'queryPath': [{'requestedType': 'Machine', " + "'filters': [{'facetName': 'osVersionType', 
'filterType': 'Equals', 'values': [" + "'Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', 'filterType': 'Between', 'values': [" + "1669869087615, 1669869387615]}], 'connectionFeature': {'elementInstanceType': 'Machine', " + "'featureName': 'services'}}, {'requestedType': 'Service', 'filters': [{'facetName': " + "'oldServiceStartName', 'filterType': 'Equals', 'values': ['Windows Push Notifications User " + "Service_2d02eb']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [1669869087615, " + "1669869387615]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': " + "'Service', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'binaryFile', 'ownerMachine', 'process', 'serviceStartName', 'commandLineArguments', " + "'description', 'displayName', 'endTime', 'isActive', 'startType', 'unitFilePath', 'serviceState', " + "'serviceSubState', 'isAutoRestartService', 'hasSuspicions', 'newServiceEvidence', " + "'rareServiceEvidence', 'serviceType', 'driver']}", + "{'queryPath': [{'requestedType': 'Machine', " + "'filters': [{'facetName': 'osVersionType', 'filterType': 'Equals', 'values': [" + "'Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', 'filterType': 'Between', 'values': [" + "1669869087615, 1669869387615]}], 'connectionFeature': {'elementInstanceType': 'Machine', " + "'featureName': 'services'}}, {'requestedType': 'Service', 'filters': [{'facetName': " + "'elementDisplayName', 'filterType': 'Equals', 'values': ['Windows Push Notifications User " + "Service_2d02eb']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [1669869087615, " + "1669869387615]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': " + "'Service', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 
'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'binaryFile', 'ownerMachine', 'process', 'serviceStartName', 'commandLineArguments', " + "'description', 'displayName', 'endTime', 'isActive', 'startType', 'unitFilePath', 'serviceState', " + "'serviceSubState', 'isAutoRestartService', 'hasSuspicions', 'newServiceEvidence', " + "'rareServiceEvidence', 'serviceType', 'driver']}", + "{'queryPath': [{'requestedType': 'Machine', " + "'filters': [{'facetName': 'osVersionType', 'filterType': 'Equals', 'values': [" + "'Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', 'filterType': 'Between', 'values': [" + "1669869087615, 1669869387615]}], 'connectionFeature': {'elementInstanceType': 'Machine', " + "'featureName': 'services'}}, {'requestedType': 'Service', 'filters': [{'facetName': " + "'serviceStartName', 'filterType': 'Equals', 'values': ['Windows Push Notifications User " + "Service_2d02eb']}, {'facetName': 'endTime', 'filterType': 'Between', 'values': [1669869087615, " + "1669869387615]}], 'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': " + "'Service', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'binaryFile', 'ownerMachine', 'process', 'serviceStartName', 'commandLineArguments', " + "'description', 'displayName', 'endTime', 'isActive', 'startType', 'unitFilePath', 'serviceState', " + "'serviceSubState', 'isAutoRestartService', 'hasSuspicions', 'newServiceEvidence', " + "'rareServiceEvidence', 'serviceType', 'driver']}", + "{'queryPath': [{'requestedType': 'Machine', " + "'filters': [{'facetName': 'osVersionType', 'filterType': 'Equals', 'values': [" + "'Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', 'filterType': 'Between', 'values': [" + "1669869087615, 1669869387615]}], 'connectionFeature': {'elementInstanceType': 'Machine', " + "'featureName': 
'drivers'}}, {'requestedType': 'Driver', 'filters': [{'facetName': 'service', " + "'filterType': 'Equals', 'values': ['Windows Push Notifications User Service_2d02eb']}, " + "{'facetName': 'endTime', 'filterType': 'Between', 'values': [1669869087615, 1669869387615]}], " + "'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': 'Driver', " + "'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'creationTime', 'file', 'ownerMachine', 'service', 'endTime', 'newDriverEvidence', " + "'hasSuspicions']}", + "{'queryPath': [{'requestedType': 'Machine', 'filters': [{'facetName': " "'osVersionType', 'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': " - "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], " - "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 'drivers'}}, " - "{'requestedType': 'Driver', 'filters': [{'facetName': 'service', 'filterType': 'Equals', " - "'values': ['Windows Push Notifications User Service_2d02eb']}, {'facetName': 'endTime', " - "'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], 'isResult': True}], " - "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Driver', 'featureName': " + "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1669869087615, 1669869387615]}], " + "'connectionFeature': {'elementInstanceType': 'Machine', 'featureName': 'processes'}}, " + "{'requestedType': 'Process', 'filters': [{'facetName': 'service', 'filterType': 'Equals', " + "'values': ['Windows Push Notifications User Service_2d02eb']}, {'facetName': 'creationTime', " + "'filterType': 'Between', 'values': [1669869087615, 1669869387615]}], 'isResult': True}], " + "'queryLimits': {'groupingFeature': {'elementInstanceType': 'Process', 'featureName': " "'elementDisplayName'}}, 'perFeatureLimit': 1, 
'totalResultLimit': 9999, 'perGroupLimit': 1, " - "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'creationTime', 'file', " - "'ownerMachine', 'service', 'endTime', 'newDriverEvidence', 'hasSuspicions']}", - "{'queryPath': [{" - "'requestedType': 'File', 'filters': [{'facetName': 'size', 'filterType': 'GreaterThan', 'values': [" - "10]}, {'facetName': 'createdTime', " - "'filterType': 'Between', 'values': [1601510400030, 1633564800030]}], " - "'connectionFeature': {'elementInstanceType': 'File', 'featureName': " - "'ownerMachine'}}, {'requestedType': 'Machine', 'filters': [{'facetName': 'osVersionType', " - "'filterType': 'Equals', 'values': ['Windows_Server_2016']}, {'facetName': 'lastSeenTimeStamp', " - "'filterType': 'Between', 'values': [1638180024181, 1638180324181]}], 'connectionFeature': {" - "'elementInstanceType': 'Machine', 'featureName': 'processes'}}, {'requestedType': 'Process', " - "'filters': [{'facetName': 'service', 'filterType': 'Equals', 'values': ['Windows Push Notifications" - " " - "User Service_2d02eb']}," - " {'facetName': 'creationTime', 'filterType': 'Between', 'values': [1638180024181, 1638180324181]}]," - " 'isResult': True}], 'queryLimits': {'groupingFeature': {" - "'elementInstanceType': 'Process', 'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, " - "'totalResultLimit': 9999, 'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': [" - "'elementDisplayName', 'creationTime', 'endTime', 'commandLine', " - "'imageFile.maliciousClassificationType', 'productType', 'children', 'parentProcess', " - "'ownerMachine', 'calculatedUser', 'imageFile', 'imageFile.sha1String', 'imageFile.md5String', " - "'imageFile.sha256String', 'imageFile.companyName', 'imageFile.productName', 'applicablePid', " - "'imageFileExtensionType', 'integrity', 'tid', 'isAggregate', 'isDotNetProtected', 'hasMalops', " - "'hasSuspicions', 'relatedToMalop', 'multipleSizeForHashEvidence', 'isImageFileVerified', " - 
"'knownMaliciousToolSuspicion', 'knownMalwareSuspicion', 'knownUnwantedSuspicion', " - "'isMaliciousByHashEvidence', 'imageFileMultipleCompanyNamesEvidence', " - "'multipleHashForUnsignedPeInfoEvidence', 'multipleNameForHashEvidence', 'unknownEvidence', " - "'rareHasPeMismatchEvidence', 'imageFile.signedInternalOrExternal', " - "'unknownUnsignedBySigningCompany', 'imageFileUnsignedEvidence', " - "'imageFileUnsignedHasSignedVersionEvidence', 'unwantedModuleSuspicion', " - "'imageFile.signerInternalOrExternal', 'architecture', 'commandLineContainsTempEvidence', " - "'hasChildren', 'hasClassification', 'hasVisibleWindows', 'hasWindows', 'isInstaller', " - "'isIdentifiedProduct', 'hasModuleFromTempEvidence', 'nonExecutableExtensionEvidence', " - "'isNotShellRunner', 'runningFromTempEvidence', 'shellOfNonShellRunnerSuspicion', " - "'shellWithElevatedPrivilegesEvidence', 'systemUserEvidence', 'hasExternalConnection', " - "'hasExternalConnectionToWellKnownPortEvidence', 'hasIncomingConnection', 'hasInternalConnection', " - "'hasMailConnectionForNonMailProcessEvidence', 'hasListeningConnection', 'hasOutgoingConnection', " - "'hasUnresolvedDnsQueriesFromDomain', 'multipleUnresolvedRecordNotExistsEvidence', " - "'hasNonDefaultResolverEvidence', 'parentProcessNotMatchHierarchySuspicion', " - "'parentProcessNotAdminUserEvidence', 'parentProcessFromRemovableDeviceEvidence', 'autorun', " - "'childrenCreatedByThread', 'connections', 'elevatedPrivilegeChildren', 'hackerToolChildren', " - "'hostProcess', 'hostUser', 'hostedChildren', 'injectedChildren', 'loadedModules', 'logonSession', " - "'remoteSession', 'service', 'execedBy', 'connectionsToMaliciousDomain', " - "'connectionsToMalwareAddresses', 'externalConnections', " + "'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', 'creationTime', 'endTime', " + "'commandLine', 'imageFile.maliciousClassificationType', 'productType', 'children', " + "'parentProcess', 'ownerMachine', 'calculatedUser', 'imageFile', 
'imageFile.sha1String', " + "'imageFile.md5String', 'imageFile.sha256String', 'imageFile.companyName', " + "'imageFile.productName', 'applicablePid', 'imageFileExtensionType', 'integrity', 'tid', " + "'isAggregate', 'isDotNetProtected', 'hasMalops', 'hasSuspicions', 'relatedToMalop', " + "'multipleSizeForHashEvidence', 'isImageFileVerified', 'knownMaliciousToolSuspicion', " + "'knownMalwareSuspicion', 'knownUnwantedSuspicion', 'isMaliciousByHashEvidence', " + "'imageFileMultipleCompanyNamesEvidence', 'multipleHashForUnsignedPeInfoEvidence', " + "'multipleNameForHashEvidence', 'unknownEvidence', 'rareHasPeMismatchEvidence', " + "'imageFile.signedInternalOrExternal', 'unknownUnsignedBySigningCompany', " + "'imageFileUnsignedEvidence', 'imageFileUnsignedHasSignedVersionEvidence', " + "'unwantedModuleSuspicion', 'imageFile.signerInternalOrExternal', 'architecture', " + "'commandLineContainsTempEvidence', 'hasChildren', 'hasClassification', 'hasVisibleWindows', " + "'hasWindows', 'isInstaller', 'isIdentifiedProduct', 'hasModuleFromTempEvidence', " + "'nonExecutableExtensionEvidence', 'isNotShellRunner', 'runningFromTempEvidence', " + "'shellOfNonShellRunnerSuspicion', 'shellWithElevatedPrivilegesEvidence', 'systemUserEvidence', " + "'hasExternalConnection', 'hasExternalConnectionToWellKnownPortEvidence', 'hasIncomingConnection', " + "'hasInternalConnection', 'hasMailConnectionForNonMailProcessEvidence', 'hasListeningConnection', " + "'hasOutgoingConnection', 'hasUnresolvedDnsQueriesFromDomain', " + "'multipleUnresolvedRecordNotExistsEvidence', 'hasNonDefaultResolverEvidence', " + "'parentProcessNotMatchHierarchySuspicion', 'parentProcessNotAdminUserEvidence', " + "'parentProcessFromRemovableDeviceEvidence', 'autorun', 'childrenCreatedByThread', 'connections', " + "'elevatedPrivilegeChildren', 'hackerToolChildren', 'hostProcess', 'hostUser', 'hostedChildren', " + "'injectedChildren', 'loadedModules', 'logonSession', 'remoteSession', 'service', 'execedBy', " + 
"'connectionsToMaliciousDomain', 'connectionsToMalwareAddresses', 'externalConnections', " "'absoluteHighVolumeMaliciousAddressConnections', 'absoluteHighVolumeExternalConnections', " "'incomingConnections', 'incomingExternalConnections', 'incomingInternalConnections', " "'internalConnections', 'listeningConnections', 'localConnections', 'mailConnections', " "'outgoingConnections', 'outgoingExternalConnections', 'outgoingInternalConnections', " "'suspiciousExternalConnections', 'suspiciousInternalConnections', 'wellKnownPortConnections', " "'lowTtlDnsQueries', 'nonDefaultResolverQueries', 'resolvedDnsQueriesDomainToDomain', " - "'resolvedDnsQueriesDomainToIp', 'resolvedDnsQueriesIpToDomain', 'suspiciousDnsQueryDomainToDomain'," - " " - "'unresolvedQueryFromSuspiciousDomain', 'dnsQueryFromSuspiciousDomain', " - "'dnsQueryToSuspiciousDomain', 'unresolvedRecordNotExist', 'unresolvedDnsQueriesFromDomain', " - "'unresolvedDnsQueriesFromIp', 'maliciousToolClassificationModules', 'malwareClassificationModules'," - " " - "'modulesNotInLoaderDbList', 'modulesFromTemp', 'unsignedWithSignedVersionModules', " - "'unwantedClassificationModules', 'accessToMalwareAddressInfectedProcess', " - "'connectingToBadReputationAddressSuspicion', 'hasMaliciousConnectionEvidence', " - "'hasSuspiciousExternalConnectionSuspicion', 'highNumberOfExternalConnectionsSuspicion', " - "'nonDefaultResolverSuspicion', 'hasRareExternalConnectionEvidence', 'hasRareRemoteAddressEvidence'," - " " - "'suspiciousMailConnections', 'accessToMalwareAddressByUnknownProcess', " + "'resolvedDnsQueriesDomainToIp', 'resolvedDnsQueriesIpToDomain', " + "'suspiciousDnsQueryDomainToDomain', 'unresolvedQueryFromSuspiciousDomain', " + "'dnsQueryFromSuspiciousDomain', 'dnsQueryToSuspiciousDomain', 'unresolvedRecordNotExist', " + "'unresolvedDnsQueriesFromDomain', 'unresolvedDnsQueriesFromIp', " + "'maliciousToolClassificationModules', 'malwareClassificationModules', 'modulesNotInLoaderDbList', " + "'modulesFromTemp', 
'unsignedWithSignedVersionModules', 'unwantedClassificationModules', " + "'accessToMalwareAddressInfectedProcess', 'connectingToBadReputationAddressSuspicion', " + "'hasMaliciousConnectionEvidence', 'hasSuspiciousExternalConnectionSuspicion', " + "'highNumberOfExternalConnectionsSuspicion', 'nonDefaultResolverSuspicion', " + "'hasRareExternalConnectionEvidence', 'hasRareRemoteAddressEvidence', 'suspiciousMailConnections', " + "'accessToMalwareAddressByUnknownProcess', " "'hasAbsoluteHighVolumeConnectionToMaliciousAddressEvidence', " "'hasAbsoluteHighVolumeExternalOutgoingConnectionEvidence', 'highDataTransmittedSuspicion', " "'highDataVolumeTransmittedToMaliciousAddressSuspicion', " @@ -1704,6 +1703,7 @@ def test_multiple_observation_with_qualifier_query(self): "'imageFile.downloadedFromUrlReferrer', 'imageFile.downloadedFromEmailFrom', " "'imageFile.downloadedFromEmailMessageId', 'imageFile.downloadedFromEmailSubject', 'rpcRequests', " "'iconBase64', 'executionPrevented', 'isWhiteListClassification', 'matchedWhiteListRuleIds']}"] + queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) @@ -1792,7 +1792,6 @@ def test_not_include_filter_query(self): "'hasMaliciousProcess', 'hasSuspicions', 'hasSuspiciousProcess', " "'runningMaliciousProcessEvidence', 'hasRareProcessWithExternalConnections']}"] - queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -1960,11 +1959,12 @@ def test_invalid_operator_for_int(self): assert 'LIKE OR MATCHES operator is not supported for Integer/Timestamp/Boolean fields' in result['error'] def test_observation_with_invalid_link_between_element(self): - stix_pattern = "[x-cybereason-connection:port_type LIKE 'HTTP' AND x-oca-event:file_event_user LIKE 'FET_DELETE']" + stix_pattern = "[x-cybereason-connection:port_type LIKE 'HTTP' AND x-oca-event:file_event_user " \ + "LIKE 'FET_DELETE']" result = translation.translate('cybereason', 'query', '{}', stix_pattern) assert result['success'] is False assert result['code'] == 'invalid_parameter' - assert 'Link is not found between elements' in result['error'] + assert 'Cybereason does not allow AND operation' in result['error'] def test_observation_with_invalid_operator_for_string(self): stix_pattern = "[x-cybereason-connection:port_type > 'HTTP']" 
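Review bot: The test name `test_observation_with_invalid_link_between_element` no longer matches what it asserts now that the expected error text is `'Cybereason does not allow AND operation'`; a name such as `test_observation_with_and_between_unlinked_elements` would keep the intent readable without reading the body. The assertion is a substring match on the error message, so any rewording of that message in the translator will break this test silently at review time rather than at the point of change; if the translator exposes a more specific code than `'invalid_parameter'` for this case, asserting that would be more stable. The split of `stix_pattern` across a backslash continuation is only cosmetic and is fine.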
@@ -1992,32 +1992,96 @@ def test_timestamp_in_seconds_and_milliseconds(self): "[network-traffic:protocols[*] = 'tcp'] START t'2019-10-01T08:43:10.003Z' STOP " \ "t'2019-11-30T10:43:10.005Z' " query = translation.translate('cybereason', 'query', '{}', stix_pattern) - queries = [{'queryPath': [{'requestedType': 'Connection', 'filters': [{'facetName': 'transportProtocol', - 'filterType': 'Equals', - 'values': ['tcp']}, - {'facetName': 'creationTime', - 'filterType': 'Between', - 'values': [1569919390003, - 1575110590005]}, - {'facetName': 'localPort', - 'filterType': 'Equals', - 'values': [23]}, - {'facetName': 'creationTime', - 'filterType': 'Between', - 'values': [1569916810000, - 1575111610000]}], - 'isResult': True}], 'queryLimits': {'groupingFeature': - {'elementInstanceType': 'Connection', - 'featureName': 'elementDisplayName'}}, - 'perFeatureLimit': 1, - 'totalResultLimit': 9999, 'perGroupLimit': 1, 'templateContext': 'CUSTOM', - 'customFields': ['elementDisplayName', 'direction', 'ownerMachine', 'ownerProcess', 'serverPort', - 'serverAddress', 'portType', 'aggregatedReceivedBytesCount', - 'aggregatedTransmittedBytesCount', 'remoteAddressCountryName', 'dnsQuery', - 'calculatedCreationTime', 'domainName', 'endTime', 'localPort', 'portDescription', - 'remotePort', 'state', 'isExternalConnection', 'isIncoming', - 'remoteAddressInternalExternalLocal', 'transportProtocol', 'hasMalops', - 'hasSuspicions', 'relatedToMalop', 'isWellKnownPort', 'isProcessLegit', - 'isProcessMalware', 'localAddress', 'remoteAddress', 'urlDomains']}] + queries = [{ + 'queryPath': [{ + 'requestedType': 'Connection', + 'filters': [{ + 'facetName': 'localPort', + 'filterType': 'Equals', + 'values': [23] + }, { + 'facetName': 'creationTime', + 'filterType': 'Between', + 'values': [1569916810000, 1575111610000] + }], + 'isResult': True + }], + 'queryLimits': { + 'groupingFeature': { + 'elementInstanceType': 'Connection', + 'featureName': 'elementDisplayName' + } + }, + 'perFeatureLimit': 1, + 
'totalResultLimit': 9999, + 'perGroupLimit': 1, + 'templateContext': 'CUSTOM', + 'customFields': ['elementDisplayName', 'direction', 'ownerMachine', 'ownerProcess', 'serverPort', + 'serverAddress', 'portType', 'aggregatedReceivedBytesCount', + 'aggregatedTransmittedBytesCount', 'remoteAddressCountryName', 'dnsQuery', + 'calculatedCreationTime', 'domainName', 'endTime', 'localPort', 'portDescription', + 'remotePort', 'state', 'isExternalConnection', 'isIncoming', + 'remoteAddressInternalExternalLocal', 'transportProtocol', 'hasMalops', 'hasSuspicions', + 'relatedToMalop', 'isWellKnownPort', 'isProcessLegit', 'isProcessMalware', 'localAddress', + 'remoteAddress', 'urlDomains'] + }, { + 'queryPath': [{ + 'requestedType': 'Connection', + 'filters': [{ + 'facetName': 'transportProtocol', + 'filterType': 'Equals', + 'values': ['tcp'] + }, { + 'facetName': 'creationTime', + 'filterType': 'Between', + 'values': [1569919390003, 1575110590005] + }], + 'isResult': True + }], + 'queryLimits': { + 'groupingFeature': { + 'elementInstanceType': 'Connection', + 'featureName': 'elementDisplayName' + } + }, + 'perFeatureLimit': 1, + 'totalResultLimit': 9999, + 'perGroupLimit': 1, + 'templateContext': 'CUSTOM', + 'customFields': ['elementDisplayName', 'direction', 'ownerMachine', 'ownerProcess', 'serverPort', + 'serverAddress', 'portType', 'aggregatedReceivedBytesCount', + 'aggregatedTransmittedBytesCount', 'remoteAddressCountryName', 'dnsQuery', + 'calculatedCreationTime', 'domainName', 'endTime', 'localPort', 'portDescription', + 'remotePort', 'state', 'isExternalConnection', 'isIncoming', + 'remoteAddressInternalExternalLocal', 'transportProtocol', 'hasMalops', 'hasSuspicions', + 'relatedToMalop', 'isWellKnownPort', 'isProcessLegit', 'isProcessMalware', 'localAddress', + 'remoteAddress', 'urlDomains'] + }] + self._test_query_assertions(query, queries) + + def test_multiple_observation_with_and_without_linked_element(self): + stix_pattern = "[ipv4-addr:value = '1.1.1.1' AND 
x-cybereason-driver:name = 'test_driver'] " \ + "OR [AND x-oca-asset:os_type = 'windows' AND x-cybereason-service:description LIKE 'service' ]" + query = translation.translate('cybereason', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = ["{'queryPath': [{'requestedType': 'Service', 'filters': [{'facetName': 'description', " + "'filterType': 'ContainsIgnoreCase', 'values': ['service']}, {'facetName': 'endTime', " + "'filterType': 'Between', 'values': [1669871110786, 1669871410786]}], 'connectionFeature': {" + "'elementInstanceType': 'Service', 'featureName': 'ownerMachine'}}, {'requestedType': 'Machine', " + "'filters': [{'facetName': 'osType', 'filterType': 'Equals', 'values': ['windows']}, {'facetName': " + "'lastSeenTimeStamp', 'filterType': 'Between', 'values': [1669871110786, 1669871410786]}], " + "'isResult': True}], 'queryLimits': {'groupingFeature': {'elementInstanceType': 'Machine', " + "'featureName': 'elementDisplayName'}}, 'perFeatureLimit': 1, 'totalResultLimit': 9999, " + "'perGroupLimit': 1, 'templateContext': 'CUSTOM', 'customFields': ['elementDisplayName', " + "'mountPoints', 'processes', 'services', 'logonSessions', 'hasRemovableDevice', " + "'timezoneUTCOffsetMinutes', 'osVersionType', 'platformArchitecture', 'mbrHashString', 'osType', " + "'domainFqdn', 'ownerOrganization', 'pylumId', 'adSid', 'adOU', 'adOrganization', " + "'adCanonicalName', 'adCompany', 'adDNSHostName', 'adDepartment', 'adDisplayName', 'adLocation', " + "'adMachineRole', 'adDescription', 'freeDiskSpace', 'totalDiskSpace', 'freeMemory', 'totalMemory', " + "'cpuCount', 'isLaptop', 'deviceModel', 'isActiveProbeConnected', 'uptime', 'isIsolated', " + "'lastSeenTimeStamp', 'timeStampSinceLastConnectionTime', 'hasMalops', 'hasSuspicions', " + "'isSuspiciousOrHasSuspiciousProcessOrFile', 'maliciousTools', 'maliciousProcesses', " + "'suspiciousProcesses']}"] + queries = _remove_timestamp_from_query(queries) 
self._test_query_assertions(query, queries) From ec975b9ee2c080fa5cb8b52ce5461eb8b7f73202 Mon Sep 17 00:00:00 2001 From: Danny Elliott Date: Tue, 6 Dec 2022 11:51:32 -0400 Subject: [PATCH 04/30] Test for START STOP timestamp format (#1218) --- .../stix_translation/base_query_translator.py | 3 ++- .../test_start_stop_qualifier.py | 27 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 tests/stix_translation/test_start_stop_qualifier.py diff --git a/stix_shifter_utils/modules/base/stix_translation/base_query_translator.py b/stix_shifter_utils/modules/base/stix_translation/base_query_translator.py index b93a8378b..172bf84e7 100644 --- a/stix_shifter_utils/modules/base/stix_translation/base_query_translator.py +++ b/stix_shifter_utils/modules/base/stix_translation/base_query_translator.py @@ -10,7 +10,8 @@ from stix2patterns.validator import run_validator from stix_shifter_utils.stix_translation.src.utils.exceptions import StixValidationException -START_STOP_PATTERN = r"\s?START\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z'\sSTOP\s?t'\d{4}(-\d{2}){2}T(\d{2}:){2}\d{2}.\d{1,3}Z'\s?" +START_STOP_PATTERN = r"\s?START\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d{1,3})?Z'\sSTOP\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d{1,3})?Z'\s?" + class BaseQueryTranslator(object, metaclass=ABCMeta): diff --git a/tests/stix_translation/test_start_stop_qualifier.py b/tests/stix_translation/test_start_stop_qualifier.py new file mode 100644 index 000000000..20bcb5a96 --- /dev/null +++ b/tests/stix_translation/test_start_stop_qualifier.py 
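Review bot: In the new `test_multiple_observation_with_and_without_linked_element`, the second observation expression begins with a dangling operator, `"OR [AND x-oca-asset:os_type = 'windows' AND ...]"`, which reads like a typo for `[x-oca-asset:os_type = 'windows' AND x-cybereason-service:description LIKE 'service']`; if the translator accepts the malformed form, the test pins lenient parsing rather than the documented pattern grammar. The expected `queries` list holds only the Service/Machine query, so the first observation (`ipv4-addr` with `x-cybereason-driver`) appears to be dropped — a one-line comment such as `# the ipv4-addr/driver observation has no link between its elements and is expected to produce no query` would make that intent explicit, assuming that is the behaviour under test. The rewritten expectation in `test_timestamp_in_seconds_and_milliseconds` now asserts two separate queries where one was asserted before; a short comment on why the observation splits (two time qualifiers with different precision) would help the next reader.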
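Review bot: `START_STOP_PATTERN` now caps the fractional-second part at three digits on both ends, `(\.\d{1,3})?`, whereas the old START side accepted `(\.\d+)?`; a qualifier such as `t'2022-11-18T15:00:00.123456Z'` that previously matched on START will now fall through, which may or may not be intended. If the narrowing is deliberate (presumably to match the millisecond handling in the modules), a comment above the constant stating the supported precision, e.g. `# START/STOP qualifier timestamps: optional 1-3 fractional-second digits (millisecond precision)`, would save the next reader from re-deriving it. The change does fix the unescaped `.` and the mandatory fraction on the old STOP side, so the two halves are finally symmetric.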
@@ -0,0 +1,27 @@ +from stix_shifter.stix_translation import stix_translation +from stix_shifter_utils.utils.module_discovery import modules_list + +translation = stix_translation.StixTranslation() +START_STOP_TIMESTAMPS = { + "start_stop_no_milliseconds": "START t'2022-11-18T15:00:00Z' STOP t'2022-11-20T16:00:00Z'", + "start_stop_partial_milliseconds": "START t'2022-11-18T15:00:00.1Z' STOP t'2022-11-20T16:00:00.2Z'", + "start_stop_full_milliseconds": "START t'2022-11-18T15:00:00.100Z' STOP t'2022-11-20T16:00:00.200Z'" +} +STIX_PATTERN = "[ipv4-addr:value = '192.168.0.100']" + + +class TestQualifierTimestamps(object): + + def _validate_stix_result(self, result, module, timestamp): + if 'error' in result: + if "timestamp" not in result["error"]: + next + else: + assert False, "{} failed to translate timestamp: {}".format(module, timestamp) + + def test_qaulifier_timestamps(self): + modules = modules_list() + for module in modules: + for key, timestamp in START_STOP_TIMESTAMPS.items(): + result = translation.translate(module, 'query', '', STIX_PATTERN + " " + timestamp) + self._validate_stix_result(result, module, timestamp) \ No newline at end of file From 61e8975c39836981c61ce3f6cbd1f8bf6e2eedba Mon Sep 17 00:00:00 2001 From: AmitHaim1 <79083589+AmitHaim1@users.noreply.github.com> Date: Tue, 6 Dec 2022 23:34:08 +0200 Subject: [PATCH 05/30] fix domain_ioc mapping (removal of network_traffic ref) (#1226) --- .../crowdstrike/stix_translation/json/to_stix_map.json | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/stix_shifter_modules/crowdstrike/stix_translation/json/to_stix_map.json b/stix_shifter_modules/crowdstrike/stix_translation/json/to_stix_map.json index 9e34e6a1c..602198787 100644 --- a/stix_shifter_modules/crowdstrike/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/crowdstrike/stix_translation/json/to_stix_map.json 
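Review bot: In `_validate_stix_result`, the bare `next` on the non-timestamp branch is a no-op expression (it just evaluates the builtin), not a loop-control statement, so that branch does nothing; the method reads better with the condition inverted: `if 'error' in result and "timestamp" in result["error"]: assert False, "{} failed to translate timestamp: {}".format(module, timestamp)`. As written, any other translation error from a module is ignored as well, which may be intended for a cross-module sweep but deserves a one-line comment saying so. `test_qaulifier_timestamps` is misspelled (`qualifier`), and the file has no trailing newline.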
@@ -157,14 +157,9 @@ "object": "domain-name" }, { - "key": "network-traffic.dst_ref", - "object": "network-traffic", - "references": "domain-name" - }, - { - "key": "x-oca-event.network_ref", + "key": "x-oca-event.domain_ref", "object": "event", - "references": "network-traffic" + "references": "domain-name" } ], "sha256_ioc": [ From bc9e63bc625813e3a067664f52a0b4e709c99076 Mon Sep 17 00:00:00 2001 From: Danny Elliott Date: Thu, 8 Dec 2022 11:56:38 -0400 Subject: [PATCH 06/30] update script to create sql database (#1228) --- .../scripts/mysql_populate_script/README.md | 9 ++-- .../scripts/mysql_populate_script/data.csv | 28 ++++++------- .../scripts/mysql_populate_script/setup.py | 7 +++- .../mysql_populate_script/table_setup.py | 41 +++++++++++++++---- 4 files changed, 58 insertions(+), 27 deletions(-) diff --git a/stix_shifter/scripts/mysql_populate_script/README.md b/stix_shifter/scripts/mysql_populate_script/README.md index c5d73dd1a..15f7854c1 100644 --- a/stix_shifter/scripts/mysql_populate_script/README.md +++ b/stix_shifter/scripts/mysql_populate_script/README.md 
@@ -1,16 +1,17 @@ # MySQL Table Setup -A Python script to create and populate a MySQL table with sample data from a CSV file. +A Python script that creates a MySQL database and populated table with sample data from a [CSV file](data.csv). To run the script: 1. Edit the field names, data types, and data in the `data.csv` file. 2. Run the `setup.py` script with the following parameters: - * Connection to the database with host, database name, user, and password - * Name of the table you wish to create and populate + * Connection to the sql instance with host, database name, user, and password. + * Name of the taget database. If the databse already exists it will be dropped and recreated. + * Name of the table you wish to create and populate. ```bash - python setup.py '{"host": "", "database": "", "user": "", "password": ""}' "" + python setup.py '{"host": "", "user": "", "password": ""}' "database_name" "" ``` For your populated table to be used with the [MySQL connector](https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/mysql), the [STIX mappings](https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/mysql/stix_translation/json) must match the table fields. See the stix-shifter [developer guide](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/develop-translation-module.md) for more information on STIX mappings. diff --git a/stix_shifter/scripts/mysql_populate_script/data.csv b/stix_shifter/scripts/mysql_populate_script/data.csv index 2e03d39ee..a1c1cbdf2 100644 --- a/stix_shifter/scripts/mysql_populate_script/data.csv +++ b/stix_shifter/scripts/mysql_populate_script/data.csv 
@@ -1,14 +1,14 @@ -source_ipaddr,dest_ipaddr,url,filename,sha256hash,md5hash,file_path,username,source_port,dest_port,protocol,entry_time,system_name,severity,magnitude -varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),int,int,varchar(100),double,varchar(100),int,int -192.168.16.4,213.213.142.5,www.example.org,photos.exe,2bc21ad4860422599ef29e6d23d354625a67a53d1ff8e09f7ce392ce7e779dc4,276134d96a0648c24505b455150cb41a,C:/PHOTOS,97bd1036example.org,143,8080,udp,1617123877,demo_system,8,5 -10.0.0.9,192.168.16.4,www.example.com,calendar.doc,a2c0dd1eeed012132907c1cc8dcca1f77a12c537d7d875f3627c440502f295c2,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,root,143,8080,udp,1617123877,demo_system,2,1 -172.16.25.9,10.0.0.9,www.example.net,photos.exe,b0795d1f264efa26bf464612a95bba710c10d3de594d888b6282c48f15690459,276134d96a0648c24505b455150cb41a,usr/bin,root,143,8080,udp,1617123877,demo_system,7,4 -10.0.0.9,10.0.0.9,www.example.com,calendar.doc,d502e7541b1a79ba77a010634beb6eedd178f1110535bc73f96a50c891eed1ef,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,1eeb5a46example.org,143,8080,udp,1617123877,demo_system,2,1 -192.168.16.4,10.0.0.9,www.example.com,appointment.xml,fe095939f684e9c3d3c5d9aa15436e1b1de9c22cee23afa8332e226560ea2b2f,9affc3c0175130f9ac80b086d7949291,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,6,5 -172.16.25.9,172.16.25.9,www.example.org,photos.exe,3be262c0c7a91818a3795a814cda5efaae0a759f77b8050921b5aea099093357,276134d96a0648c24505b455150cb41a,user/preferences/lib,15e6d6f7example.org,143,8080,udp,1617123877,demo_system,3,2 -10.0.0.9,213.213.142.5,www.example.net,calendar.doc,a8db77b872512df0fd15943a79efb4e16c745cd8122efaf948b3c56d463e4b70,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,user,143,8080,udp,1617123877,demo_system,2,1 
-192.168.16.4,10.0.0.9,www.example.com,calendar.doc,63fcbaa237eb8d9a3f32ecf850831fd283512b30ece26ee8bc43ec013edf2210,60f7ec355f60c768bc684ccf718d48d7,C:/PHOTOS,admin,143,8080,udp,1617123877,demo_system,6,5 -172.16.25.9,192.168.16.4,www.example.net,appointment.xml,e2df00798b677eaba24393c340913de955d16b0920af6e5a5f1d3a1b4f8669e5,9affc3c0175130f9ac80b086d7949291,C:/PHOTOS,user,143,8080,tcp,1617123877,demo_system,1,1 -10.0.0.9,192.168.16.4,www.example.net,photos.exe,efe833b6172b3eb4be1e73dfe56f589f7b1ad86493b8a1b3ec5f018fb037d7c6,276134d96a0648c24505b455150cb41a,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,4,3 -172.16.25.9,10.0.0.9,www.example.com,photos.exe,3be262c0c7a91818a3795a814cda5efaae0a759f77b8050921b5aea099093357,276134d96a0648c24505b455150cb41a,user/preferences/lib,admin,143,8080,tcp,1617123877,demo_system,6,4 -10.0.0.9,10.0.0.9,www.example.org,spreadsheet.doc,b0795d1f264efa26bf464612a95bba710c10d3de594d888b6282c48f15690459,0a556fbb7d3c184fad0a625afccd2b62,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,2,1 \ No newline at end of file +source_ipaddr,dest_ipaddr,url,filename,sha256hash,md5hash,file_path,username,source_port,dest_port,protocol,entry_time,system_name,severity,magnitude,source_country,destination_country,email,rule_type,rule_name,rule_description +varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),int,int,varchar(100),double,varchar(100),int,int,varchar(100),varchar(100),varchar(100),varchar(100),varchar(100),varchar(100) +192.168.16.4,213.213.142.5,www.example.org,photos.exe,2bc21ad4860422599ef29e6d23d354625a67a53d1ff8e09f7ce392ce7e779dc4,276134d96a0648c24505b455150cb41a,C:/PHOTOS,97bd1036example.org,143,8080,udp,1617123877,demo_system,8,5,China,USA,97bd1036@example.org,alert,Failed Login,Failed login attempt 
+10.0.0.9,192.168.16.4,www.example.com,calendar.doc,a2c0dd1eeed012132907c1cc8dcca1f77a12c537d7d875f3627c440502f295c2,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,root,143,8080,udp,1617123877,demo_system,2,1,Russia,USA,info@example.net,alert,Failed Login,Failed login attempt +172.16.25.9,10.0.0.9,www.example.net,photos.exe,b0795d1f264efa26bf464612a95bba710c10d3de594d888b6282c48f15690459,276134d96a0648c24505b455150cb41a,usr/bin,root,143,8080,udp,1617123877,demo_system,7,4,Germany,Russia,info@example.net,alert,Failed Login,Failed login attempt +10.0.0.9,172.16.25.9,www.example.com,calendar.doc,d502e7541b1a79ba77a010634beb6eedd178f1110535bc73f96a50c891eed1ef,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,1eeb5a46example.org,143,8080,udp,1617123877,demo_system,2,1,China,USA,1eeb5a46@example.org,alert,Failed Login,Failed login attempt +192.168.16.4,10.0.0.9,www.example.com,appointment.xml,fe095939f684e9c3d3c5d9aa15436e1b1de9c22cee23afa8332e226560ea2b2f,9affc3c0175130f9ac80b086d7949291,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,6,5,Russia,Canada,info@example.net,threat,Suspecious file,Suspecious file +172.16.25.9,10.0.0.9,www.example.org,photos.exe,3be262c0c7a91818a3795a814cda5efaae0a759f77b8050921b5aea099093357,276134d96a0648c24505b455150cb41a,user/preferences/lib,15e6d6f7example.org,143,8080,udp,1617123877,demo_system,3,2,USA,Germany,15e6d6f7@example.org,alert,Failed Login,Failed login attempt +10.0.0.9,213.213.142.5,www.example.net,calendar.doc,a8db77b872512df0fd15943a79efb4e16c745cd8122efaf948b3c56d463e4b70,60f7ec355f60c768bc684ccf718d48d7,user/preferences/lib,user,143,8080,udp,1617123877,demo_system,2,1,Canada,Germany,info@example.net,alert,Failed Login,Failed login attempt +192.168.16.4,10.0.0.9,www.example.com,calendar.doc,63fcbaa237eb8d9a3f32ecf850831fd283512b30ece26ee8bc43ec013edf2210,60f7ec355f60c768bc684ccf718d48d7,C:/PHOTOS,admin,143,8080,udp,1617123877,demo_system,6,5,Russia,Belgium,admin@example.com,policy,Admin Login,Admin login 
instance. +172.16.25.9,192.168.16.4,www.example.net,appointment.xml,e2df00798b677eaba24393c340913de955d16b0920af6e5a5f1d3a1b4f8669e5,9affc3c0175130f9ac80b086d7949291,C:/PHOTOS,user,143,8080,tcp,1617123877,demo_system,1,1,USA,China,info@example.net,threat,Suspecious file,Suspecious file +10.0.0.9,192.168.16.4,www.example.net,photos.exe,efe833b6172b3eb4be1e73dfe56f589f7b1ad86493b8a1b3ec5f018fb037d7c6,276134d96a0648c24505b455150cb41a,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,4,3,Belgium,Canada,info@example.net,alert,Failed Login,Failed login attempt +172.16.25.9,10.0.0.9,www.example.com,photos.exe,3be262c0c7a91818a3795a814cda5efaae0a759f77b8050921b5aea099093357,276134d96a0648c24505b455150cb41a,user/preferences/lib,admin,143,8080,tcp,1617123877,demo_system,6,4,Russia,Belgium,admin@example.com,policy,Admin Login,Admin login instance. +10.0.0.9,172.16.25.9,www.example.org,spreadsheet.doc,b0795d1f264efa26bf464612a95bba710c10d3de594d888b6282c48f15690459,0a556fbb7d3c184fad0a625afccd2b62,C:/PHOTOS,root,143,8080,udp,1617123877,demo_system,2,1,Germany,China,15e6d6f7@example.org,alert,Failed Login,Failed login attempt \ No newline at end of file diff --git a/stix_shifter/scripts/mysql_populate_script/setup.py b/stix_shifter/scripts/mysql_populate_script/setup.py index 778a1718d..b2b26e88d 100644 --- a/stix_shifter/scripts/mysql_populate_script/setup.py +++ b/stix_shifter/scripts/mysql_populate_script/setup.py 
@@ -5,12 +5,15 @@ def main(): # Connection to the database in the form of '{"host": "", "database": "", "user": "", "password": ""}' connection = sys.argv[1] + # Name of the target database. If the databse already exists it will be dropped and recreated. + database = sys.argv[2] # Name of table you wish to create and populate - table = sys.argv[2] + table = sys.argv[3] # CSV file containing field names in the first row, data types in the second row, and associated data in subsequent rows. data_file = open('data.csv') - table_setup = TableSetup(connection, table, data_file) + table_setup = TableSetup(connection, database, table, data_file) + table_setup.create_database() table_setup.drop_table() table_setup.create_table() table_setup.populate_table() diff --git a/stix_shifter/scripts/mysql_populate_script/table_setup.py b/stix_shifter/scripts/mysql_populate_script/table_setup.py index 629cfc239..bf5feb483 100644 --- a/stix_shifter/scripts/mysql_populate_script/table_setup.py +++ b/stix_shifter/scripts/mysql_populate_script/table_setup.py 
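Review bot: The comment above `connection = sys.argv[1]` still documents the JSON as `'{"host": "", "database": "", "user": "", "password": ""}'`, but the database name now arrives separately as `sys.argv[2]` and the README in this commit drops the key; update it to `# Connection to the sql instance in the form of '{"host": "", "user": "", "password": ""}'`. The positional shift also leaves no guard for a missing argument — an `IndexError` is what the operator sees if the table name is omitted; a short `if len(sys.argv) < 4:` usage message would be friendlier. Since `create_database` drops the named database when it already exists, the usage text printed by this script should say so, as the README now does. `main` continues outside the hunk.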
@@ -3,21 +3,30 @@ import json import csv +PORT = 3306 class TableSetup(): - def __init__(self, connection_params, table, data_file): - self.connection_params = json.loads(connection_params) + def __init__(self, connection_params, database, table, data_file): + connection_params = json.loads(connection_params) + self.user = connection_params["user"] + self.password = connection_params["password"] + self.host = connection_params["host"] + self.database = database self.table = table self.csv_reader = csv.reader(data_file, delimiter=',') self.csv_rows = [] self.fields_list = [] self.data_types_list = [] + def __get_sql_connection(self): + return mysql.connector.connect(user=self.user, password=self.password, + host=self.host, port=PORT, auth_plugin='mysql_native_password') + def __get_db_connection(self): - return mysql.connector.connect(user=self.connection_params["user"], password=self.connection_params["password"], - host=self.connection_params["host"], database=self.connection_params["database"], - port=3306, auth_plugin='mysql_native_password') + return mysql.connector.connect(user=self.user, password=self.password, + host=self.host, database=self.database, + port=PORT, auth_plugin='mysql_native_password') def __handle_error(self, err): if err.errno == errorcode.ER_ACCESS_DENIED_ERROR: @@ -27,7 +36,24 @@ def __handle_error(self, err): else: print(err) + def create_database(self): + print("Creating database: {}".format(self.database)) + try: + cnx = self.__get_sql_connection() + cursor = cnx.cursor() + sql = "DROP DATABASE IF EXISTS {}".format(self.database) + cursor.execute(sql) + sql = "CREATE DATABASE {}".format(self.database) + cursor.execute(sql) + except mysql.connector.Error as err: + self.__handle_error(err) + else: + cnx.close() + print("{} created".format(self.database)) + + def drop_table(self): + print("Dropping table: {}".format(self.table)) try: cnx = self.__get_db_connection() cursor = cnx.cursor() 
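Review bot: `__get_sql_connection` and `__get_db_connection` differ only in whether `database=self.database` is passed; a single helper, `def __connect(self, **extra): return mysql.connector.connect(user=self.user, password=self.password, host=self.host, port=PORT, auth_plugin='mysql_native_password', **extra)`, called as `self.__connect()` and `self.__connect(database=self.database)`, removes the duplicated argument list. In `__init__`, `connection_params["user"]` and friends raise a bare `KeyError` when the JSON lacks a key; a `.get` with a clear error message would tell the operator which key is missing.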
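Review bot: `create_database` interpolates the operator-supplied name straight into `DROP DATABASE IF EXISTS {}` and `CREATE DATABASE {}`; MySQL identifiers cannot be bound as query parameters, so the name should be validated and backtick-quoted before it reaches a statement that destroys data (the same `.format` pattern already exists for `self.table` in `drop_table`/`create_table` on context lines, so the check belongs next to the `table` assignment too). `cnx` is also only closed in the `else:` branch, so a connection opened before a failing `execute` is leaked; a `finally:` with a guarded close covers both paths. The rewrite below needs `import re` at the top of the file, which is outside this hunk.

```python
    def create_database(self):
        print("Creating database: {}".format(self.database))
        # MySQL identifiers cannot be bound as query parameters, so restrict the
        # operator-supplied name before it reaches a destructive statement.
        if not re.fullmatch(r"[A-Za-z0-9_]+", self.database):
            raise ValueError("invalid database name: {}".format(self.database))
        cnx = None
        try:
            cnx = self.__get_sql_connection()
            cursor = cnx.cursor()
            cursor.execute("DROP DATABASE IF EXISTS `{}`".format(self.database))
            cursor.execute("CREATE DATABASE `{}`".format(self.database))
        except mysql.connector.Error as err:
            self.__handle_error(err)
        else:
            print("{} created".format(self.database))
        finally:
            # close on both the success and the error path
            if cnx is not None:
                cnx.close()
```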
@@ -37,6 +63,7 @@ def drop_table(self): self.__handle_error(err) else: cnx.close() + print("{} dropped".format(self.table)) def create_table(self): try: @@ -52,7 +79,7 @@ def create_table(self): fields_and_type += "{} {}, ".format(field, self.data_types_list[index]) fields_and_type = fields_and_type[:-2] fields_and_type += ")" - print("Creating table with the following fields: {}".format(self.fields_list)) + print("Creating {} with the following fields: {}".format(self.table, self.fields_list)) sql = "CREATE TABLE {} {};".format(self.table, fields_and_type) cursor.execute(sql) except mysql.connector.Error as err: @@ -61,10 +88,10 @@ def create_table(self): cnx.close() def populate_table(self): + print("Populating {} with data".format(self.table)) try: cnx = self.__get_db_connection() cursor = cnx.cursor() - print("Populating table with data") sql_insert_parameters = ("%s," * len(self.fields_list))[:-1] for index, row in enumerate(self.csv_rows): if index < 2: From 833b6103cb6f4a6f5e4910fe559544ab7fefa62d Mon Sep 17 00:00:00 2001 From: Paul Coccoli Date: Mon, 12 Dec 2022 09:59:23 -0500 Subject: [PATCH 07/30] elastic_ecs: add beats dialect (#1208) --- .../elastic_ecs/entry_point.py | 15 +- .../json/beats_from_stix_map.json | 545 ++++++++++++++++++ .../json/stix_2_1/beats_from_stix_map.json | 544 +++++++++++++++++ .../test_elastic_ecs_stix_to_query.py | 15 + 4 files changed, 1118 insertions(+), 1 deletion(-) create mode 100644 stix_shifter_modules/elastic_ecs/stix_translation/json/beats_from_stix_map.json create mode 100644 stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/beats_from_stix_map.json diff --git a/stix_shifter_modules/elastic_ecs/entry_point.py b/stix_shifter_modules/elastic_ecs/entry_point.py index 2c0db1e97..c9f1b3334 100644 --- a/stix_shifter_modules/elastic_ecs/entry_point.py +++ b/stix_shifter_modules/elastic_ecs/entry_point.py 
@@ -1,4 +1,7 @@ +import os + from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint +from .stix_translation.query_translator import QueryTranslator from .stix_translation.results_translator import ResultTranslator @@ -11,5 +14,15 @@ def __init__(self, connection={}, configuration={}, options={}): if connection: self.setup_transmission_basic(connection, configuration) + basepath = os.path.dirname(__file__) + filepath = os.path.abspath(os.path.join(basepath, "stix_translation")) + dialect = 'default' - self.setup_translation_simple(dialect_default=dialect, results_translator=ResultTranslator(options, dialect)) \ No newline at end of file + query_translator = QueryTranslator(options, dialect, filepath) + results_translator = ResultTranslator(options, dialect) + self.add_dialect(dialect, query_translator=query_translator, results_translator=results_translator, default_include=True, default=True) + + dialect = 'beats' + query_translator = QueryTranslator(options, dialect, filepath) + results_translator = ResultTranslator(options, dialect) + self.add_dialect(dialect, query_translator=query_translator, results_translator=results_translator, default_include=False, default=False) diff --git a/stix_shifter_modules/elastic_ecs/stix_translation/json/beats_from_stix_map.json b/stix_shifter_modules/elastic_ecs/stix_translation/json/beats_from_stix_map.json new file mode 100644 index 000000000..7d7ba75c7 --- /dev/null +++ b/stix_shifter_modules/elastic_ecs/stix_translation/json/beats_from_stix_map.json 
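Review bot: The two dialect registrations in `__init__` are copy-pasted blocks that differ only in the dialect name and the `default_include`/`default` flags; a loop over `(('default', True), ('beats', False))` keeps the two translators constructed identically when a third dialect is added. `filepath` is computed from `__file__` but what it points at is only implied by the JSON files added elsewhere in this commit — a comment such as `# directory holding the per-dialect from_stix_map json files, handed to QueryTranslator` would make that explicit, assuming that is how `QueryTranslator` uses it. The `connection={}` mutable default in the signature predates this change and is not mutated here, but `None` is the usual idiom.

```python
        basepath = os.path.dirname(__file__)
        filepath = os.path.abspath(os.path.join(basepath, "stix_translation"))
        # 'default' is the pre-existing ECS dialect and stays the default; 'beats' is opt-in
        for dialect, is_default in (('default', True), ('beats', False)):
            query_translator = QueryTranslator(options, dialect, filepath)
            results_translator = ResultTranslator(options, dialect)
            self.add_dialect(dialect, query_translator=query_translator, results_translator=results_translator,
                             default_include=is_default, default=is_default)
```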
@@ -0,0 +1,545 @@ +{ + "ipv4-addr": { + "fields": { + "value": ["source.ip.keyword", "destination.ip.keyword", "client.ip", "server.ip", "host.ip.keyword", "dns.resolved_ip"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["source.ip.keyword", "destination.ip.keyword", "client.ip", "server.ip", "host.ip.keyword", "dns.resolved_ip"] + } + }, + "mac-addr": { + "fields": { + "value": ["source.mac", "destination.mac", "client.mac", "server.mac", "host.mac.keyword"] + } + }, + "network-traffic": { + "fields": { + "src_port": ["source.port", "client.port"], + "dst_port": ["destination.port", "server.port"], + "protocols[*]": ["network.transport.keyword", "network.type.keyword", "network.protocol.keyword"], + "src_ref.value": ["source.ip.keyword", "client.ip"], + "dst_ref.value": ["destination.ip.keyword", "server.ip"], + "src_byte_count": ["source.bytes", "client.bytes"], + "dst_byte_count": ["destination.bytes", "server.bytes"], + "src_packets": ["source.packets", "client.packets"], + "dst_packets": ["destination.packets", "server.packets"] + } + }, + "x-ecs-network": { + "fields": { + "inner.vlan.id": ["network.inner.vlan.id"], + "inner.vlan.name": ["network.inner.vlan.name"], + "name": ["network.name"], + "application": ["network.application"], + "direction": ["network.direction.keyword"], + "forwarded_ip": ["network.forwarded_ip"], + "community_id": ["network.community_id.keyword"] + } + }, + "artifact": { + "fields": { + "payload_bin": ["event.original"] + } + }, + "file": { + "fields": { + "name": ["file.name", "file.path", "process.name.keyword", "process.executable.keyword", "process.parent.name.keyword", "process.parent.executable.keyword"], + "created": ["file.created"], + "size": ["file.size"], + "hashes.MD5": ["file.hash.md5"], + "hashes.'SHA-1'": ["file.hash.sha1"], + "hashes.'SHA-256'": ["file.hash.sha256"], + "hashes.'SHA-512'": ["file.hash.sha512"], + "parent_directory_ref.path": ["file.directory"] + } + }, + "x-ecs-file": { + "fields": { + 
"accessed": ["file.accessed"], + "attributes": ["file.attributes"], + "ctime": ["file.ctime"], + "device": ["file.device"], + "drive_letter": ["file.drive_letter"], + "extension": ["file.extension"], + "gid": ["file.gid"], + "group": ["file.group"], + "inode": ["file.inode"], + "mime_type": ["file.mime_type"], + "mode": ["file.mode"], + "mtime": ["file.mtime"], + "owner": ["file.owner"], + "path": ["file.path"], + "target_path": ["file.target_path"], + "type": ["file.type"], + "uid": ["file.uid"], + "pe.company": ["file.pe.company"], + "pe.description": ["file.pe.description"], + "pe.file_version": ["file.pe.file_version"], + "pe.original_file_name": ["file.pe.original_file_name"], + "pe.product": ["file.pe.product"], + "code_signature.exists": ["file.code_signature.exists"], + "code_signature.status": ["file.code_signature.status"], + "code_signature.subject_name": ["file.code_signature.subject_name"], + "code_signature.trusted": ["file.code_signature.trusted"], + "code_signature.valid": ["file.code_signature.valid"] + } + }, + "directory": { + "fields": { + "path": ["file.directory", "file.path"] + } + }, + "user-account":{ + "fields": { + "user_id": ["user.name.keyword", "user.id.keyword"], + "account_login": ["user.name.keyword"] + } + }, + "x-ecs-user": { + "fields": { + "domain": ["user.domain.keyword"], + "full_name": ["user.full_name"], + "hash": ["user.hash"], + "id": ["user.id.keyword"], + "group_domain": ["user.group.domain"], + "group_id": ["user.group.id"], + "group_name": ["user.group.name"] + } + }, + "process" : { + "fields": { + "command_line": ["process.command_line.keyword", "powershell.command.value"], + "created": ["process.start"], + "pid": ["process.pid", "process.ppid", "process.parent.pid", "process.parent.ppid"], + "name": ["process.name.keyword", "process.parent.name.keyword"], + "creator_user_ref.user_id": ["user.name.keyword"], + "parent_ref.pid": ["process.ppid", "process.parent.ppid"], + "parent_ref.name": 
["process.parent.name.keyword"], + "binary_ref.name": ["process.executable.keyword", "process.parent.executable.keyword"], + "x_ttp_tags": ["tags"], + "x_unique_id": ["process.entity_id.keyword", "process.parent.entity_id.keyword"] + } + }, + "x-ecs-process": { + "fields": { + "args": ["process.args.keyword"], + "args_count": ["process.args_count"], + "executable": ["process.executable.keyword"], + "exit_code": ["process.exit_code"], + "thread.id": ["process.thread.id"], + "thread.name": ["process.thread.name"], + "title": ["process.title.keyword"], + "uptime": ["process.uptime"], + "working_directory": ["process.working_directory.keyword"], + "parent.args": ["process.parent.args.keyword"], + "parent.args_count": ["process.parent.args_count"], + "parent.exit_code": ["process.parent.exit_code"], + "parent.pgid": ["process.parent.pgid"], + "parent.thread.id": ["process.parent.thread.id"], + "parent.thread.name": ["process.parent.thread.name"], + "parent.title": ["process.parent.title"], + "parent.uptime": ["process.parent.uptime"], + "parent.working_directory": ["process.parent.working_directory"], + "pe.company": ["process.pe.company.keyword"], + "pe.description": ["process.pe.description.keyword"], + "pe.file_version": ["process.pe.file_version.keyword"], + "pe.original_file_name": ["process.pe.original_file_name.keyword"], + "pe.product": ["process.pe.product.keyword"], + "code_signature.exists": ["process.code_signature.exists"], + "code_signature.status": ["process.code_signature.status"], + "code_signature.subject_name": ["process.code_signature.subject_name"], + "code_signature.trusted": ["process.code_signature.trusted"], + "code_signature.valid": ["process.code_signature.valid"], + "parent.code_signature.exists": ["process.parent.code_signature.exists"], + "parent.code_signature.status": ["process.parent.code_signature.status"], + "parent.code_signature.subject_name": ["process.parent.code_signature.subject_name"], + "parent.code_signature.trusted": 
["process.parent.code_signature.trusted"], + "parent.code_signature.valid": ["process.parent.code_signature.valid"] + } + }, + "url": { + "fields": { + "value": ["url.original"] + } + }, + "domain-name": { + "fields": { + "value": ["url.domain", "dns.question.name", "dns.question.registered_domain", "host.hostname.keyword"] + } + }, + "windows-registry-key": { + "fields": { + "key": ["registry.key"] + } + }, + "software": { + "fields": { + "name": ["agent.name.keyword"] + } + }, + "autonomous-system": { + "fields": { + "value": ["client.as.organization.name", "server.as.organization.name", "source.as.organization.name", "destination.as.organization.name"], + "number": ["client.as.number", "server.as.number", "source.as.number", "destination.as.number"] + } + }, + "email-addr": { + "fields": { + "name": ["user.email"] + } + }, + "x-oca-event": { + "fields": { + "action": ["event.action.keyword"], + "id": ["event.id"], + "category": ["event.category.keyword"], + "code": ["event.code"], + "created": ["event.created"], + "dataset": ["event.dataset"], + "duration": ["event.duration"], + "end": ["event.end"], + "hash": ["event.hash"], + "ingested": ["event.ingested"], + "kind": ["event.kind.keyword"], + "module": ["event.module.keyword"], + "outcome": ["event.outcome.keyword"], + "provider": ["event.provider.keyword"], + "risk_score": ["event.risk_score"], + "risk_score_norm": ["event.risk_score_norm"], + "sequence": ["event.sequence"], + "severity": ["event.severity"], + "start": ["event.start"], + "timezone": ["event.timezone"], + "type": ["event.type.keyword"], + "url": ["event.url"], + "original": ["message", "powershell.file.script_block_text.keyword"], + "process_ref.pid": ["process.pid"], + "process_ref.name": ["process.name.keyword"], + "process_ref.command_line": ["process.command_line.keyword", "powershell.command.value"], + "process_ref.binary_ref.name": ["file.name", "process.executable.keyword"], + "process_ref.parent_ref.pid": ["process.ppid", 
"process.parent.ppid"], + "process_ref.parent_ref.command_line": ["process.parent.command_line.keyword"], + "process_ref.creator_user_ref.user_id": ["user.name.keyword"], + "parent_process_ref.pid": ["process.ppid", "process.parent.ppid"], + "parent_process_ref.command_line": ["process.parent.command_line.keyword"], + "domain_ref.value": ["url.domain", "dns.question.name", "dns.question.registered_domain", "host.hostname.keyword"], + "file_ref.name": ["file.name"], + "host_ref.hostname": ["host.hostname.keyword"], + "host_ref.name": ["host.name.keyword"], + "registry_ref.key": ["registry.key", "registry.path"] + } + }, + "x-ecs-cloud": { + "fields": { + "account.id": ["cloud.account.id"], + "availability_zone": ["cloud.availability_zone"], + "instance.id": ["cloud.instance.id"], + "instance.name": ["cloud.instance.name"], + "machine.type": ["cloud.machine.type"], + "provider": ["cloud.provider"], + "region": ["cloud.region"] + } + }, + "x-ecs-container": { + "fields": { + "id": ["container.id"], + "image.name": ["container.image.name"], + "image.tag": ["container.image.tag"], + "labels": ["container.labels"], + "name": ["container.name"], + "runtime": ["container.runtime"] + } + }, + "x-ecs-dll": { + "fields": { + "name": ["dll.name"], + "path": ["dll.path"], + "pe.company": ["dll.pe.company"], + "pe.description": ["dll.pe.description"], + "pe.file_version": ["dll.pe.file_version"], + "pe.original_file_name": ["dll.pe.original_file_name"], + "pe.product": ["dll.pe.product"], + "code_signature.exists": ["dll.code_signature.exists"], + "code_signature.status": ["dll.code_signature.status"], + "code_signature.subject_name": ["dll.code_signature.subject_name"], + "code_signature.trusted": ["dll.code_signature.trusted"], + "code_signature.valid": ["dll.code_signature.valid"] + } + }, + "x-ecs-dns": { + "fields": { + "answers_class": ["dns.answers.class"], + "answers_data": ["dns.answers.data"], + "answers_name": ["dns.answers.name"], + "answers_ttl": 
["dns.answers.ttl"], + "answers_type": ["dns.answers.type"], + "header_flags": ["dns.header_flags"], + "id": ["dns.id"], + "op_code": ["dns.op_code"], + "question_class": ["dns.question.class"], + "question_name": ["dns.question.name"], + "question_registered_domain": ["dns.question.registered_domain"], + "question_subdomain": ["dns.question.subdomain"], + "question_top_level_domain": ["dns.question.top_level_domain"], + "question_type": ["dns.question.type"], + "resolved_ip": ["dns.resolved_ip"], + "response_code": ["dns.response_code"], + "type": ["dns.type"] + } + }, + "x-ecs": { + "fields": { + "version": ["ecs.version.keyword"] + } + }, + "x-ecs-error": { + "fields": { + "code": ["error.code"], + "id": ["error.id"], + "message": ["error.message"], + "stack_trace": ["error.stack_trace"], + "type": ["error.type"] + } + }, + "x-ecs-group": { + "fields": { + "domain": ["group.domain"], + "id": ["group.id"], + "name": ["group.name"] + } + }, + "x-oca-asset": { + "fields": { + "architecture": ["host.architecture.keyword"], + "domain": ["host.domain"], + "hostname": ["host.hostname.keyword"], + "id": ["host.id.keyword"], + "ip": ["host.ip.keyword"], + "mac": ["host.mac.keyword"], + "name": ["host.name.keyword"], + "type": ["host.type"], + "uptime": ["host.uptime"], + "os.name": ["host.os.name.keyword"], + "os.platform": ["host.os.platform.keyword"], + "os.version": ["host.os.version.keyword"] + } + }, + "x-ecs-http": { + "fields": { + "request_body_bytes": ["http.request.body.bytes"], + "request_body_content": ["http.request.body.content"], + "request_bytes": ["http.request.bytes"], + "request_method": ["http.request.method"], + "request_referrer": ["http.request.referrer"], + "response_body_bytes": ["http.response.body.bytes"], + "response_body_content": ["http.response.body.content"], + "response_bytes": ["http.response.bytes"], + "response_status_code": ["http.response.method"], + "version": ["http.version"] + } + }, + "x-ecs-log": { + "fields": { + "level": 
["log.level.keyword"], + "logger": ["log.logger"], + "origin_file_line": ["log.origin.file.line"], + "origin_file_name": ["log.origin.file.name"], + "origin_function": ["log.origin.function"], + "original": ["log.original"], + "syslog_facility_code": ["log.syslog.facility.code"], + "syslog_facility_name": ["log.syslog.facility.name"], + "syslog_priority": ["log.syslog.priority"], + "severity_syslog_code": ["log.syslog.severity.code"], + "severity_syslog_name": ["log.syslog.severity.name"] + } + }, + "x-ecs-observer": { + "fields": { + "egress.zone": ["observer.egress.zone"], + "egress.interface.alias": ["observer.egress.interface.alias"], + "egress.interface.id": ["observer.egress.interface.id"], + "egress.interface.name": ["observer.egress.interface.name"], + "hostname": ["observer.hostname"], + "ingress.zone": ["observer.ingress.zone"], + "ingress.interface.alias": ["observer.ingress.interface.alias"], + "ingress.interface.id": ["observer.ingress.interface.id"], + "ingress.interface.name": ["observer.ingress.interface.name"], + "ip": ["observer.ip"], + "mac": ["observer.mac"], + "name": ["observer.name"], + "product": ["observer.product"], + "serial_number": ["observer.serial_number"], + "type": ["observer.type"], + "vendor": ["observer.vendor"], + "version": ["observer.version"], + "os.name": ["observer.os.name"], + "os.platform": ["observer.os.platform"], + "os.version": ["observer.os.version"] + } + }, + "x-ecs-organization": { + "fields": { + "id": ["organization.id"], + "name": ["organization.name"] + } + }, + "x-ecs-pe": { + "fields": { + "company": ["dll.pe.company", "process.pe.company.keyword", "file.pe.company"], + "description": ["dll.pe.description", "process.pe.description.keyword", "file.pe.description"], + "file_version": ["dll.pe.file_version", "process.pe.file_version.keyword", "file.pe.file_version"], + "original_file_name": ["dll.pe.original_file_name", "process.pe.original_file_name.keyword", "file.pe.original_file_name"], + "product": 
["dll.pe.product", "process.pe.product.keyword", "file.pe.product"] + } + }, + "x-ecs-related": { + "fields": { + "hash": ["related.hash.keyword"], + "ip": ["related.ip.keyword"], + "user": ["related.user.keyword"] + } + }, + "x-ecs-rule": { + "fields": { + "author": ["rule.author"], + "category": ["rule.category"], + "description": ["rule.description"], + "id": ["rule.id"], + "license": ["rule.license"], + "name": ["rule.name"], + "reference": ["rule.reference"], + "ruleset": ["rule.ruleset"], + "uuid": ["rule.uuid"], + "version": ["rule.version"] + } + }, + "x-ecs-service": { + "fields": { + "id": ["service.id"], + "name": ["service.name"], + "state": ["service.state"], + "type": ["service.type"], + "version": ["service.version"] + } + }, + "x-ecs-threat": { + "fields": { + "framework": ["threat.framework"], + "tactic_id": ["threat.tactic.id"], + "tactic_name": ["threat.tactic.name"], + "tactic_reference": ["threat.tactic.reference"], + "technique_id": ["threat.technique.id"], + "technique_name": ["threat.technique.name"], + "technique_reference": ["threat.technique.reference"] + } + }, + "x-ecs-trace": { + "fields": { + "id": ["trace.id"] + } + }, + "x-ecs-transaction": { + "fields": { + "id": ["transaction.id"] + } + }, + "x-ecs-user-agent": { + "fields": { + "name": ["user_agent.name"], + "original": ["user_agent.original"], + "version": ["user_agent.version"], + "device_name": ["user_agent.device.name"] + } + }, + "x-ecs-vulnerability": { + "fields": { + "category": ["vulnerability.category"], + "classification": ["vulnerability.classification"], + "description": ["vulnerability.description"], + "enumeration": ["vulnerability.enumeration"], + "id": ["vulnerability.id"], + "reference": ["vulnerability.reference"], + "report_id": ["vulnerability.report_id"], + "severity": ["vulnerability.severity"], + "scanner_vendor": ["vulnerability.scanner.vendor"], + "score_base": ["vulnerability.score.base"], + "score_environmental": ["vulnerability.score.environmental"], 
+ "score_temporal": ["vulnerability.score.temporal"], + "score_version": ["vulnerability.score.version"] + } + }, + "x-ecs-source": { + "fields": { + "address": ["source.address"], + "domain": ["source.domain.keyword"], + "nat.ip": ["source.nat.ip"], + "nat.port": ["source.nat.port"], + "registered_domain": ["source.registered_domain"], + "top_level_domain": ["source.top_level_domain"], + "geo.city_name": ["source.geo.city_name"], + "geo.continent_name": ["source.geo.continent_name"], + "geo.country_iso_code": ["source.geo.country_iso_code"], + "geo.country_name": ["source.geo.country_name"], + "geo.location": ["source.geo.location"], + "geo.name": ["source.geo.name"], + "geo.region_iso_code": ["source.geo.region_iso_code"], + "geo.region_name": ["source.geo.region_name"] + } + }, + "x-ecs-destination": { + "fields": { + "address": ["destination.address"], + "domain": ["destination.domain.keyword"], + "nat.ip": ["destination.nat.ip"], + "nat.port": ["destination.nat.port"], + "registered_domain": ["destination.registered_domain"], + "top_level_domain": ["destination.top_level_domain"], + "geo.city_name": ["destination.geo.city_name"], + "geo.continent_name": ["destination.geo.continent_name"], + "geo.country_iso_code": ["destination.geo.country_iso_code"], + "geo.country_name": ["destination.geo.country_name"], + "geo.location": ["destination.geo.location"], + "geo.name": ["destination.geo.name"], + "geo.region_iso_code": ["destination.geo.region_iso_code"], + "geo.region_name": ["destination.geo.region_name"] + } + }, + "x-ecs-client": { + "fields": { + "address": ["client.address"], + "domain": ["client.domain"], + "nat.ip": ["client.nat.ip"], + "nat.port": ["client.nat.port"], + "registered_domain": ["client.registered_domain"], + "top_level_domain": ["client.top_level_domain"], + "geo.city_name": ["client.geo.city_name"], + "geo.continent_name": ["client.geo.continent_name"], + "geo.country_iso_code": ["client.geo.country_iso_code"], + "geo.country_name": 
["client.geo.country_name"], + "geo.location": ["client.geo.location"], + "geo.name": ["client.geo.name"], + "geo.region_iso_code": ["client.geo.region_iso_code"], + "geo.region_name": ["client.geo.region_name"] + } + }, + "x-ecs-server": { + "fields": { + "address": ["server.address"], + "domain": ["server.domain"], + "nat.ip": ["server.nat.ip"], + "nat.port": ["server.nat.port"], + "registered_domain": ["server.registered_domain"], + "top_level_domain": ["server.top_level_domain"], + "geo.city_name": ["server.geo.city_name"], + "geo.continent_name": ["server.geo.continent_name"], + "geo.country_iso_code": ["server.geo.country_iso_code"], + "geo.country_name": ["server.geo.country_name"], + "geo.location": ["server.geo.location"], + "geo.name": ["server.geo.name"], + "geo.region_iso_code": ["server.geo.region_iso_code"], + "geo.region_name": ["server.geo.region_name"] + } + } +} diff --git a/stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/beats_from_stix_map.json b/stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/beats_from_stix_map.json new file mode 100644 index 000000000..22acc8ee8 --- /dev/null +++ b/stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/beats_from_stix_map.json 
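Review bot: In the new `x-ecs-http` section, `"response_status_code": ["http.response.method"]` maps the status-code attribute to a field that does not appear to exist in ECS (the request-side `http.request.method` is already mapped two lines above, so this looks like a copy-paste slip), meaning a pattern on `x-ecs-http:response_status_code` would never match a Beats document; it should read `"response_status_code": ["http.response.status_code"],`. The same line is repeated in the `stix_2_1/beats_from_stix_map.json` copy that follows, so both files need the fix. Separately, `email-addr` exposes `name`, which is not a property of the STIX email-addr object (`value` and `display_name` are); if that mirrors the existing default map it can stay for consistency, otherwise it should be `value`. A translation test asserting that `x-ecs-http:response_status_code` and an IPv6 `ipv6-addr:value` pattern produce the expected field names would catch both regressions (the added test file is not in view here).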
@@ -0,0 +1,544 @@ +{ + "ipv4-addr": { + "fields": { + "value": ["source.ip.keyword", "destination.ip.keyword", "client.ip", "server.ip", "host.ip.keyword", "dns.resolved_ip"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["source.ip.keyword", "destination.ip.keyword", "client.ip", "server.ip", "host.ip.keyword", "dns.resolved_ip"] + } + }, + "mac-addr": { + "fields": { + "value": ["source.mac", "destination.mac", "client.mac", "server.mac", "host.mac.keyword"] + } + }, + "network-traffic": { + "fields": { + "src_port": ["source.port", "client.port"], + "dst_port": ["destination.port", "server.port"], + "protocols[*]": ["network.transport.keyword", "network.type.keyword", "network.protocol.keyword"], + "src_ref.value": ["source.ip.keyword", "client.ip"], + "dst_ref.value": ["destination.ip.keyword", "server.ip"], + "src_byte_count": ["source.bytes", "client.bytes"], + "dst_byte_count": ["destination.bytes", "server.bytes"], + "src_packets": ["source.packets", "client.packets"], + "dst_packets": ["destination.packets", "server.packets"] + } + }, + "x-ecs-network": { + "fields": { + "inner.vlan.vlan_id": ["network.inner.vlan.id"], + "inner.vlan.name": ["network.inner.vlan.name"], + "name": ["network.name"], + "application": ["network.application"], + "direction": ["network.direction.keyword"], + "forwarded_ip": ["network.forwarded_ip"], + "community_id": ["network.community_id.keyword"] + } + }, + "artifact": { + "fields": { + "payload_bin": ["event.original"] + } + }, + "file": { + "fields": { + "name": ["file.name", "file.path", "process.name.keyword", "process.executable.keyword", "process.parent.name.keyword", "process.parent.executable.keyword"], + "ctime": ["file.created"], + "size": ["file.size"], + "hashes.MD5": ["file.hash.md5"], + "hashes.'SHA-1'": ["file.hash.sha1"], + "hashes.'SHA-256'": ["file.hash.sha256"], + "hashes.'SHA-512'": ["file.hash.sha512"], + "parent_directory_ref.path": ["file.directory"] + } + }, + "x-ecs-file": { + "fields": { + 
"accessed": ["file.accessed"], + "attributes": ["file.attributes"], + "ctime": ["file.ctime"], + "device": ["file.device"], + "drive_letter": ["file.drive_letter"], + "extension": ["file.extension"], + "gid": ["file.gid"], + "group": ["file.group"], + "inode": ["file.inode"], + "mime_type": ["file.mime_type"], + "mode": ["file.mode"], + "mtime": ["file.mtime"], + "owner": ["file.owner"], + "path": ["file.path"], + "target_path": ["file.target_path"], + "type": ["file.type"], + "uid": ["file.uid"], + "pe.company": ["file.pe.company"], + "pe.description": ["file.pe.description"], + "pe.file_version": ["file.pe.file_version"], + "pe.original_file_name": ["file.pe.original_file_name"], + "pe.product": ["file.pe.product"], + "code_signature.exists": ["file.code_signature.exists"], + "code_signature.status": ["file.code_signature.status"], + "code_signature.subject_name": ["file.code_signature.subject_name"], + "code_signature.trusted": ["file.code_signature.trusted"], + "code_signature.valid": ["file.code_signature.valid"] + } + }, + "directory": { + "fields": { + "path": ["file.directory", "file.path"] + } + }, + "user-account":{ + "fields": { + "user_id": ["user.name.keyword", "user.id.keyword"], + "account_login": ["user.name.keyword"] + } + }, + "x-ecs-user": { + "fields": { + "domain": ["user.domain.keyword"], + "full_name": ["user.full_name"], + "hash": ["user.hash"], + "user_id": ["user.id.keyword"], + "group_domain": ["user.group.domain"], + "group_id": ["user.group.id"], + "group_name": ["user.group.name"] + } + }, + "process" : { + "fields": { + "command_line": ["process.command_line.keyword", "powershell.command.value"], + "created_time": ["process.start"], + "pid": ["process.pid", "process.ppid", "process.parent.pid", "process.parent.ppid"], + "creator_user_ref.user_id": ["user.name.keyword"], + "parent_ref.pid": ["process.ppid", "process.parent.ppid"], + "parent_ref.name": ["process.parent.name.keyword"], + "image_ref.name": ["process.executable.keyword", 
"process.parent.executable.keyword"], + "x_ttp_tags": ["tags"], + "x_unique_id": ["process.entity_id.keyword", "process.parent.entity_id.keyword"] + } + }, + "x-ecs-process": { + "fields": { + "args": ["process.args.keyword"], + "args_count": ["process.args_count"], + "executable": ["process.executable.keyword"], + "exit_code": ["process.exit_code"], + "thread.thread_id": ["process.thread.id"], + "thread.name": ["process.thread.name"], + "title": ["process.title.keyword"], + "uptime": ["process.uptime"], + "working_directory": ["process.working_directory.keyword"], + "parent.args": ["process.parent.args.keyword"], + "parent.args_count": ["process.parent.args_count"], + "parent.exit_code": ["process.parent.exit_code"], + "parent.pgid": ["process.parent.pgid"], + "parent.thread.thread_id": ["process.parent.thread.id"], + "parent.thread.name": ["process.parent.thread.name"], + "parent.title": ["process.parent.title"], + "parent.uptime": ["process.parent.uptime"], + "parent.working_directory": ["process.parent.working_directory"], + "pe.company": ["process.pe.company.keyword"], + "pe.description": ["process.pe.description.keyword"], + "pe.file_version": ["process.pe.file_version.keyword"], + "pe.original_file_name": ["process.pe.original_file_name.keyword"], + "pe.product": ["process.pe.product.keyword"], + "code_signature.exists": ["process.code_signature.exists"], + "code_signature.status": ["process.code_signature.status"], + "code_signature.subject_name": ["process.code_signature.subject_name"], + "code_signature.trusted": ["process.code_signature.trusted"], + "code_signature.valid": ["process.code_signature.valid"], + "parent.code_signature.exists": ["process.parent.code_signature.exists"], + "parent.code_signature.status": ["process.parent.code_signature.status"], + "parent.code_signature.subject_name": ["process.parent.code_signature.subject_name"], + "parent.code_signature.trusted": ["process.parent.code_signature.trusted"], + "parent.code_signature.valid": 
["process.parent.code_signature.valid"] + } + }, + "url": { + "fields": { + "value": ["url.original"] + } + }, + "domain-name": { + "fields": { + "value": ["url.domain", "dns.question.name", "dns.question.registered_domain", "host.hostname.keyword"] + } + }, + "windows-registry-key": { + "fields": { + "key": ["registry.key"] + } + }, + "software": { + "fields": { + "name": ["agent.name.keyword"] + } + }, + "autonomous-system": { + "fields": { + "value": ["client.as.organization.name", "server.as.organization.name", "source.as.organization.name", "destination.as.organization.name"], + "number": ["client.as.number", "server.as.number", "source.as.number", "destination.as.number"] + } + }, + "email-addr": { + "fields": { + "name": ["user.email"] + } + }, + "x-oca-event": { + "fields": { + "action": ["event.action.keyword"], + "event_id": ["event.id"], + "category": ["event.category.keyword"], + "code": ["event.code"], + "created": ["event.created"], + "dataset": ["event.dataset"], + "duration": ["event.duration"], + "end": ["event.end"], + "hash": ["event.hash"], + "ingested": ["event.ingested"], + "kind": ["event.kind.keyword"], + "module": ["event.module.keyword"], + "outcome": ["event.outcome.keyword"], + "provider": ["event.provider.keyword"], + "risk_score": ["event.risk_score"], + "risk_score_norm": ["event.risk_score_norm"], + "sequence": ["event.sequence"], + "severity": ["event.severity"], + "start": ["event.start"], + "timezone": ["event.timezone"], + "type": ["event.type.keyword"], + "url": ["event.url"], + "original": ["message", "powershell.file.script_block_text.keyword"], + "process_ref.pid": ["process.pid"], + "process_ref.name": ["process.name.keyword"], + "process_ref.command_line": ["process.command_line.keyword", "powershell.command.value"], + "process_ref.image_ref.name": ["file.name", "process.executable.keyword"], + "process_ref.parent_ref.pid": ["process.ppid", "process.parent.ppid"], + "process_ref.parent_ref.command_line": 
["process.parent.command_line.keyword"], + "process_ref.creator_user_ref.user_id": ["user.name.keyword"], + "parent_process_ref.pid": ["process.ppid", "process.parent.ppid"], + "parent_process_ref.command_line": ["process.parent.command_line.keyword"], + "domain_ref.value": ["url.domain", "dns.question.name", "dns.question.registered_domain", "host.hostname.keyword"], + "file_ref.name": ["file.name"], + "host_ref.hostname": ["host.hostname.keyword"], + "host_ref.name": ["host.name.keyword"], + "registry_ref.key": ["registry.key", "registry.path"] + } + }, + "x-ecs-cloud": { + "fields": { + "account.account_id": ["cloud.account.id"], + "availability_zone": ["cloud.availability_zone"], + "instance.instance_id": ["cloud.instance.id"], + "instance.name": ["cloud.instance.name"], + "machine.type": ["cloud.machine.type"], + "provider": ["cloud.provider"], + "region": ["cloud.region"] + } + }, + "x-ecs-container": { + "fields": { + "container_id": ["container.id"], + "image.name": ["container.image.name"], + "image.tag": ["container.image.tag"], + "labels": ["container.labels"], + "name": ["container.name"], + "runtime": ["container.runtime"] + } + }, + "x-ecs-dll": { + "fields": { + "name": ["dll.name"], + "path": ["dll.path"], + "pe.company": ["dll.pe.company"], + "pe.description": ["dll.pe.description"], + "pe.file_version": ["dll.pe.file_version"], + "pe.original_file_name": ["dll.pe.original_file_name"], + "pe.product": ["dll.pe.product"], + "code_signature.exists": ["dll.code_signature.exists"], + "code_signature.status": ["dll.code_signature.status"], + "code_signature.subject_name": ["dll.code_signature.subject_name"], + "code_signature.trusted": ["dll.code_signature.trusted"], + "code_signature.valid": ["dll.code_signature.valid"] + } + }, + "x-ecs-dns": { + "fields": { + "answers_class": ["dns.answers.class"], + "answers_data": ["dns.answers.data"], + "answers_name": ["dns.answers.name"], + "answers_ttl": ["dns.answers.ttl"], + "answers_type": 
["dns.answers.type"], + "header_flags": ["dns.header_flags"], + "dns_id": ["dns.id"], + "op_code": ["dns.op_code"], + "question_class": ["dns.question.class"], + "question_name": ["dns.question.name"], + "question_registered_domain": ["dns.question.registered_domain"], + "question_subdomain": ["dns.question.subdomain"], + "question_top_level_domain": ["dns.question.top_level_domain"], + "question_type": ["dns.question.type"], + "resolved_ip": ["dns.resolved_ip"], + "response_code": ["dns.response_code"], + "type": ["dns.type"] + } + }, + "x-ecs": { + "fields": { + "version": ["ecs.version.keyword"] + } + }, + "x-ecs-error": { + "fields": { + "code": ["error.code"], + "error_id": ["error.id"], + "message": ["error.message"], + "stack_trace": ["error.stack_trace"], + "type": ["error.type"] + } + }, + "x-ecs-group": { + "fields": { + "domain": ["group.domain"], + "group_id": ["group.id"], + "name": ["group.name"] + } + }, + "x-oca-asset": { + "fields": { + "architecture": ["host.architecture.keyword"], + "domain": ["host.domain"], + "hostname": ["host.hostname.keyword"], + "asset_id": ["host.id.keyword"], + "ip": ["host.ip.keyword"], + "mac": ["host.mac.keyword"], + "name": ["host.name.keyword"], + "type": ["host.type"], + "uptime": ["host.uptime"], + "os.name": ["host.os.name.keyword"], + "os.platform": ["host.os.platform.keyword"], + "os.version": ["host.os.version.keyword"] + } + }, + "x-ecs-http": { + "fields": { + "request_body_bytes": ["http.request.body.bytes"], + "request_body_content": ["http.request.body.content"], + "request_bytes": ["http.request.bytes"], + "request_method": ["http.request.method"], + "request_referrer": ["http.request.referrer"], + "response_body_bytes": ["http.response.body.bytes"], + "response_body_content": ["http.response.body.content"], + "response_bytes": ["http.response.bytes"], + "response_status_code": ["http.response.method"], + "version": ["http.version"] + } + }, + "x-ecs-log": { + "fields": { + "level": ["log.level.keyword"], 
+ "logger": ["log.logger"], + "origin_file_line": ["log.origin.file.line"], + "origin_file_name": ["log.origin.file.name"], + "origin_function": ["log.origin.function"], + "original": ["log.original"], + "syslog_facility_code": ["log.syslog.facility.code"], + "syslog_facility_name": ["log.syslog.facility.name"], + "syslog_priority": ["log.syslog.priority"], + "severity_syslog_code": ["log.syslog.severity.code"], + "severity_syslog_name": ["log.syslog.severity.name"] + } + }, + "x-ecs-observer": { + "fields": { + "egress.zone": ["observer.egress.zone"], + "egress.interface.alias": ["observer.egress.interface.alias"], + "egress.interface.id": ["observer.egress.interface.id"], + "egress.interface.name": ["observer.egress.interface.name"], + "hostname": ["observer.hostname"], + "ingress.zone": ["observer.ingress.zone"], + "ingress.interface.alias": ["observer.ingress.interface.alias"], + "ingress.interface.id": ["observer.ingress.interface.id"], + "ingress.interface.name": ["observer.ingress.interface.name"], + "ip": ["observer.ip"], + "mac": ["observer.mac"], + "name": ["observer.name"], + "product": ["observer.product"], + "serial_number": ["observer.serial_number"], + "type": ["observer.type"], + "vendor": ["observer.vendor"], + "version": ["observer.version"], + "os.name": ["observer.os.name"], + "os.platform": ["observer.os.platform"], + "os.version": ["observer.os.version"] + } + }, + "x-ecs-organization": { + "fields": { + "organization_id": ["organization.id"], + "name": ["organization.name"] + } + }, + "x-ecs-pe": { + "fields": { + "company": ["dll.pe.company", "process.pe.company.keyword", "file.pe.company"], + "description": ["dll.pe.description", "process.pe.description.keyword", "file.pe.description"], + "file_version": ["dll.pe.file_version", "process.pe.file_version.keyword", "file.pe.file_version"], + "original_file_name": ["dll.pe.original_file_name", "process.pe.original_file_name.keyword", "file.pe.original_file_name"], + "product": 
["dll.pe.product", "process.pe.product.keyword", "file.pe.product"] + } + }, + "x-ecs-related": { + "fields": { + "hash": ["related.hash.keyword"], + "ip": ["related.ip.keyword"], + "user": ["related.user.keyword"] + } + }, + "x-ecs-rule": { + "fields": { + "author": ["rule.author"], + "category": ["rule.category"], + "description": ["rule.description"], + "rule_id": ["rule.id"], + "license": ["rule.license"], + "name": ["rule.name"], + "reference": ["rule.reference"], + "ruleset": ["rule.ruleset"], + "uuid": ["rule.uuid"], + "version": ["rule.version"] + } + }, + "x-ecs-service": { + "fields": { + "service_id": ["service.id"], + "name": ["service.name"], + "state": ["service.state"], + "type": ["service.type"], + "version": ["service.version"] + } + }, + "x-ecs-threat": { + "fields": { + "framework": ["threat.framework"], + "tactic_id": ["threat.tactic.id"], + "tactic_name": ["threat.tactic.name"], + "tactic_reference": ["threat.tactic.reference"], + "technique_id": ["threat.technique.id"], + "technique_name": ["threat.technique.name"], + "technique_reference": ["threat.technique.reference"] + } + }, + "x-ecs-trace": { + "fields": { + "trace_id": ["trace.id"] + } + }, + "x-ecs-transaction": { + "fields": { + "transaction_id": ["transaction.id"] + } + }, + "x-ecs-user-agent": { + "fields": { + "name": ["user_agent.name"], + "original": ["user_agent.original"], + "version": ["user_agent.version"], + "device_name": ["user_agent.device.name"] + } + }, + "x-ecs-vulnerability": { + "fields": { + "category": ["vulnerability.category"], + "classification": ["vulnerability.classification"], + "description": ["vulnerability.description"], + "enumeration": ["vulnerability.enumeration"], + "vulnerability_id": ["vulnerability.id"], + "reference": ["vulnerability.reference"], + "report_id": ["vulnerability.report_id"], + "severity": ["vulnerability.severity"], + "scanner_vendor": ["vulnerability.scanner.vendor"], + "score_base": ["vulnerability.score.base"], + 
"score_environmental": ["vulnerability.score.environmental"], + "score_temporal": ["vulnerability.score.temporal"], + "score_version": ["vulnerability.score.version"] + } + }, + "x-ecs-source": { + "fields": { + "address": ["source.address"], + "domain": ["source.domain.keyword"], + "nat.ip": ["source.nat.ip"], + "nat.port": ["source.nat.port"], + "registered_domain": ["source.registered_domain"], + "top_level_domain": ["source.top_level_domain"], + "geo.city_name": ["source.geo.city_name"], + "geo.continent_name": ["source.geo.continent_name"], + "geo.country_iso_code": ["source.geo.country_iso_code"], + "geo.country_name": ["source.geo.country_name"], + "geo.location": ["source.geo.location"], + "geo.name": ["source.geo.name"], + "geo.region_iso_code": ["source.geo.region_iso_code"], + "geo.region_name": ["source.geo.region_name"] + } + }, + "x-ecs-destination": { + "fields": { + "address": ["destination.address"], + "domain": ["destination.domain.keyword"], + "nat.ip": ["destination.nat.ip"], + "nat.port": ["destination.nat.port"], + "registered_domain": ["destination.registered_domain"], + "top_level_domain": ["destination.top_level_domain"], + "geo.city_name": ["destination.geo.city_name"], + "geo.continent_name": ["destination.geo.continent_name"], + "geo.country_iso_code": ["destination.geo.country_iso_code"], + "geo.country_name": ["destination.geo.country_name"], + "geo.location": ["destination.geo.location"], + "geo.name": ["destination.geo.name"], + "geo.region_iso_code": ["destination.geo.region_iso_code"], + "geo.region_name": ["destination.geo.region_name"] + } + }, + "x-ecs-client": { + "fields": { + "address": ["client.address"], + "domain": ["client.domain"], + "nat.ip": ["client.nat.ip"], + "nat.port": ["client.nat.port"], + "registered_domain": ["client.registered_domain"], + "top_level_domain": ["client.top_level_domain"], + "geo.city_name": ["client.geo.city_name"], + "geo.continent_name": ["client.geo.continent_name"], + 
"geo.country_iso_code": ["client.geo.country_iso_code"], + "geo.country_name": ["client.geo.country_name"], + "geo.location": ["client.geo.location"], + "geo.name": ["client.geo.name"], + "geo.region_iso_code": ["client.geo.region_iso_code"], + "geo.region_name": ["client.geo.region_name"] + } + }, + "x-ecs-server": { + "fields": { + "address": ["server.address"], + "domain": ["server.domain"], + "nat.ip": ["server.nat.ip"], + "nat.port": ["server.nat.port"], + "registered_domain": ["server.registered_domain"], + "top_level_domain": ["server.top_level_domain"], + "geo.city_name": ["server.geo.city_name"], + "geo.continent_name": ["server.geo.continent_name"], + "geo.country_iso_code": ["server.geo.country_iso_code"], + "geo.country_name": ["server.geo.country_name"], + "geo.location": ["server.geo.location"], + "geo.name": ["server.geo.name"], + "geo.region_iso_code": ["server.geo.region_iso_code"], + "geo.region_name": ["server.geo.region_name"] + } + } +} diff --git a/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_stix_to_query.py b/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_stix_to_query.py index eaefd8ae2..c119d7390 100644 --- a/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_stix_to_query.py +++ b/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_stix_to_query.py 
@@ -269,6 +269,13 @@ def test_match_operator(self):
         test_query = ['event.original : /1*/']
         _test_query_assertions(translated_query, test_query)
 
+    def test_match_operator_escaped(self):
+        stix_pattern = r"[process:name MATCHES 'cmd\\.exe']"
+        translated_query = translation.translate('elastic_ecs', 'query', '{}', stix_pattern)
+        translated_query['queries'] = _remove_timestamp_from_query(translated_query['queries'])
+        test_query = ['(process.name : /cmd\\.exe/ OR process.parent.name : /cmd\\.exe/)']
+        _test_query_assertions(translated_query, test_query)
+
     def test_match_operator_with_backslash(self):
         # STIX uses backslash as escape, so to match a literal . in RE you need double-backslash
         stix_pattern = r"[process:name MATCHES '^cmd\\.exe .*']"
@@ -293,6 +300,14 @@ def test_match_operator_with_classes(self):
         test_query = ['event.original : /a[a-zA-Z0-9_]b[0-9]c/']
         _test_query_assertions(translated_query, test_query)
 
+    def test_match_operator_with_dialect(self):
+        # STIX uses backslash as escape, so to match a literal . in RE you need double-backslash
+        stix_pattern = r"[process:command_line MATCHES 'cmd\\.exe .*']"
+        translated_query = translation.translate('elastic_ecs:beats', 'query', '{}', stix_pattern)
+        translated_query['queries'] = _remove_timestamp_from_query(translated_query['queries'])
+        test_query = ['(process.command_line.keyword : /cmd\\.exe .*/ OR powershell.command.value : /cmd\\.exe .*/)']
+        _test_query_assertions(translated_query, test_query)
+
     def test_like_operator(self):
         stix_pattern = "[process:command_line LIKE 'cmd.exe /_ %']"
         translated_query = translation.translate('elastic_ecs', 'query', '{}', stix_pattern)
From 183804a50f26805dcc981f261e225a70738989fc Mon Sep 17 00:00:00 2001
From: Danny Elliott Date: Tue, 13 Dec 2022 14:00:30 -0400 Subject: [PATCH 08/30] Fix supported property exporter to handle from-STIX fields not wrapped in a list (#1236) --- .../connectors/crowdstrike_supported_stix.md | 6 +- .../connectors/cybereason_supported_stix.md | 5 +- .../ibm_security_verify_supported_stix.md | 15 ++- .../connectors/splunk_supported_stix.md | 102 +++++++++--------- .../scripts/supported_property_exporter.py | 3 +- 5 files changed, 64 insertions(+), 67 deletions(-) diff --git a/adapter-guide/connectors/crowdstrike_supported_stix.md b/adapter-guide/connectors/crowdstrike_supported_stix.md index 9726e85b1..cacccfd50 100644 --- a/adapter-guide/connectors/crowdstrike_supported_stix.md +++ b/adapter-guide/connectors/crowdstrike_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/04/22 +##### Updated on 12/13/22 ## CrowdStrike Falcon ### Supported STIX Operators | STIX Operator | Data Source Operator | @@ -123,8 +123,6 @@ |
| | | | mac-addr | value | mac_address | |
| | | -| network-traffic | dst_ref | domain_ioc | -|
| | | | process | binary_ref | filename | | process | name | filename | | process | binary_ref | filepath | @@ -193,7 +191,7 @@ | x-oca-event | action | display_name | | x-oca-event | outcome | description | | x-oca-event | registry_ref | registry_key | -| x-oca-event | network_ref | domain_ioc | +| x-oca-event | domain_ref | domain_ioc | | x-oca-event | file_ref | sha256_ioc | | x-oca-event | file_ref | quarantined_file_sha256 | | x-oca-event | file_ref | md5_ioc | diff --git a/adapter-guide/connectors/cybereason_supported_stix.md b/adapter-guide/connectors/cybereason_supported_stix.md index e8d961b09..69e918f8a 100644 --- a/adapter-guide/connectors/cybereason_supported_stix.md +++ b/adapter-guide/connectors/cybereason_supported_stix.md @@ -1,9 +1,9 @@ -##### Updated on 11/04/22 +##### Updated on 12/13/22 ## Cybereason ### Supported STIX Operators | STIX Operator | Data Source Operator | |--|--| -| AND | AND | +| AND | OR | | > | GreaterThan | | >= | GreaterOrEqualsTo | | < | LessThan | @@ -13,6 +13,7 @@ | LIKE | ContainsIgnoreCase | | IN | Equals | | MATCHES | ContainsIgnoreCase | +| OR | OR | |
| | ### Searchable STIX objects and properties | STIX Object and Property | Mapped Data Source Fields | diff --git a/adapter-guide/connectors/ibm_security_verify_supported_stix.md b/adapter-guide/connectors/ibm_security_verify_supported_stix.md index 4e03cf43b..e0ad23bf1 100644 --- a/adapter-guide/connectors/ibm_security_verify_supported_stix.md +++ b/adapter-guide/connectors/ibm_security_verify_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/04/22 +##### Updated on 12/13/22 ## IBM Security Verify ### Supported STIX Operators | STIX Operator | Data Source Operator | @@ -10,7 +10,7 @@ ### Searchable STIX objects and properties | STIX Object and Property | Mapped Data Source Fields | |--|--| -| **user-account**:user_id | data.user_id | +| **user-account**:user_id | data.userid | | **user-account**:account_login | data.username | | **user-account**:account_type | data.sourcetype | | **ipv4-addr**:value | data.origin | @@ -24,7 +24,7 @@ | **x-oca-event**:ip_refs[*].value | ip | | **x-oca-event**:domain_ref.value | tenantname | | **x-oca-event**:user_ref | username | -| **x-oca-event**:provider | ', I, B, M, , S, e, c, u, r, i, t, y, , V, e, r, i, f, y, , E, v, e, n, t, ' | +| **x-oca-event**:provider | 'IBM Security Verify Event' | | **x-oca-event**:extensions.'x-iam-ext'.subcategory | data.subtype | | **x-oca-event**:extensions.'x-iam-ext'.realm | data.realm | | **x-oca-event**:extensions.'x-iam-ext'.browser_agent | data.devicetype | 
@@ -34,7 +34,6 @@ | **x-oca-event**:extensions.'x-iam-ext'.application_name | data.applicationname | | **x-oca-event**:extensions.'x-iam-ext'.cause | data.cause | | **x-oca-event**:extensions.'x-iam-ext'.target | data.target | -| **x-oca-event**:extensions.'x-iam-ext'.deleted | data.deleted | | **x-oca-event**:extensions.'x-iam-ext'.performedby_clientname | data.performedby_clientname | | **x-oca-event**:extensions.'x-iam-ext'.performedby_realm | data.performedby_realm | | **x-oca-event**:extensions.'x-iam-ext'.performedby_username | data.performedby_username | @@ -44,8 +43,6 @@ | **x-oca-event**:extensions.'x-iam-ext'.continent_name | geoip.continent_name | | **x-oca-event**:extensions.'x-iam-ext'.country_iso_code | geoip.country_iso_code | | **x-oca-event**:extensions.'x-iam-ext'.country_name | geoip.country_name | -| **x-oca-event**:extensions.x-iam-ext.location_lon | geoip.lon | -| **x-oca-event**:extensions.'x-iam-ext'.location_lat | geoip.lat | | **x-oca-event**:extensions.'x-iam-ext'.city_name | geoip.city_name | | **x-oca-event**:extensions.'x-iam-ext'.policy_action | data.policy_action | | **x-oca-event**:extensions.'x-iam-ext'.policy_name | data.policy_name | @@ -65,14 +62,13 @@ |
| | | | ipv4-addr | value | ip | |
| | | -| user-account | user_id | username | | user-account | account_login | username | -| user-account | account_type | username | | user-account | user_id | userid | +| user-account | account_type | sourcetype | |
| | | | x-oca-event | user_ref | username | -| x-oca-event | module | servicename | | x-oca-event | agent | sourcetype | +| x-oca-event | module | servicename | | x-oca-event | ip_refs | ip | | x-oca-event | domain_ref | tenantname | | x-oca-event | outcome | result | @@ -112,4 +108,5 @@ | x-oca-event | extensions.x-iam-ext.mdm_customerid | billingid | | x-oca-event | extensions.x-iam-ext.location_lat | lat | | x-oca-event | extensions.x-iam-ext.location_lon | lon | +| x-oca-event | extensions.x-iam-ext.add | add | |
| | | diff --git a/adapter-guide/connectors/splunk_supported_stix.md b/adapter-guide/connectors/splunk_supported_stix.md index 20993dbd3..729569bdb 100644 --- a/adapter-guide/connectors/splunk_supported_stix.md +++ b/adapter-guide/connectors/splunk_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/04/22 +##### Updated on 12/13/22 ## Splunk Enterprise Security ### Supported STIX Operators | STIX Operator | Data Source Operator | 
@@ -42,61 +42,61 @@ | **x-oca-event**:registry_ref.key | ObjectName, RegistryKey | | **x-oca-event**:user_ref.user_id | user | | **x-oca-event**:url_ref.value | url | -| **x-oca-asset**:hostname | h, o, s, t | -| **directory**:path | f, i, l, e, _, p, a, t, h | -| **directory**:created | f, i, l, e, _, c, r, e, a, t, e, _, t, i, m, e | -| **directory**:modified | f, i, l, e, _, m, o, d, i, f, y, _, t, i, m, e | +| **x-oca-asset**:hostname | host | +| **directory**:path | file_path | +| **directory**:created | file_create_time | +| **directory**:modified | file_modify_time | | **domain-name**:value | host, url | -| **x-readable-payload**:value | _, r, a, w | +| **x-readable-payload**:value | _raw | | **email-addr**:value | src_user, recipient | -| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.MD5 | f, i, l, e, _, h, a, s, h | -| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.'SHA-1' | f, i, l, e, _, h, a, s, h | -| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.'SHA-256' | f, i, l, e, _, h, a, s, h | -| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.name | f, i, l, e, _, n, a, m, e | -| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.size | f, i, l, e, _, s, i, z, e | -| **email-message**:to_refs.[*].value | r, e, c, i, p, i, e, n, t | -| **email-message**:cc_refs.[*].value | r, e, c, i, p, i, e, n, t | -| **email-message**:bcc_refs.[*].value | r, e, c, i, p, i, e, n, t | -| **email-message**:subject | s, u, b, j, e, c, t | -| **email-message**:sender_ref.value | s, r, c, _, u, s, e, r | -| **email-message**:from_ref.value | s, r, c, _, u, s, e, r | -| **file**:hashes.MD5 | f, i, l, e, _, h, a, s, h | -| **file**:hashes.'SHA-1' | f, i, l, e, _, h, a, s, h | -| **file**:hashes.'SHA-256' | f, i, l, e, _, h, a, s, h | -| **file**:name | f, i, l, e, _, n, a, m, e | -| **file**:created | f, i, l, e, _, c, r, e, a, t, e, _, t, i, m, e | -| 
**file**:modified | f, i, l, e, _, m, o, d, i, f, y, _, t, i, m, e | -| **file**:parent_directory_ref.path | f, i, l, e, _, p, a, t, h | -| **file**:size | f, i, l, e, _, s, i, z, e | +| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.MD5 | file_hash | +| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.'SHA-1' | file_hash | +| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.hashes.'SHA-256' | file_hash | +| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.name | file_name | +| **email-message**:body_multipart.[*].'mime-part-type'.body_raw_ref.size | file_size | +| **email-message**:to_refs.[*].value | recipient | +| **email-message**:cc_refs.[*].value | recipient | +| **email-message**:bcc_refs.[*].value | recipient | +| **email-message**:subject | subject | +| **email-message**:sender_ref.value | src_user | +| **email-message**:from_ref.value | src_user | +| **file**:hashes.MD5 | file_hash | +| **file**:hashes.'SHA-1' | file_hash | +| **file**:hashes.'SHA-256' | file_hash | +| **file**:name | file_name | +| **file**:created | file_create_time | +| **file**:modified | file_modify_time | +| **file**:parent_directory_ref.path | file_path | +| **file**:size | file_size | | **ipv4-addr**:value | src_ip, dest_ip | | **ipv6-addr**:value | src_ipv6, dest_ipv6 | | **mac-addr**:value | src_mac, dest_mac | -| **network-traffic**:src_ref.value | s, r, c | -| **network-traffic**:src_port | s, r, c, _, p, o, r, t | -| **network-traffic**:dst_ref.value | d, e, s, t | -| **network-traffic**:dst_port | d, e, s, t, _, p, o, r, t | -| **network-traffic**:protocols[*] | p, r, o, t, o, c, o, l | -| **network-traffic**:start | e, a, r, l, i, e, s, t | -| **network-traffic**:end | l, a, t, e, s, t | -| **process**:name | p, r, o, c, e, s, s, _, n, a, m, e | -| **process**:command_line | p, r, o, c, e, s, s | -| **process**:pid | p, i, d | -| **process**:creator_user_ref.account_login | u, s, e, r | 
-| **process**:binary_ref.parent_directory_ref.path | p, r, o, c, e, s, s, _, p, a, t, h | -| **process**:binary_ref.name | p, r, o, c, e, s, s, _, e, x, e, c | -| **url**:value | u, r, l | -| **user-account**:user_id | u, s, e, r | -| **windows-registry-key**:key | o, b, j, e, c, t | -| **windows-registry-key**:values[*] | r, e, s, u, l, t | -| **windows-registry-key**:creator_user_ref.account_login | u, s, e, r | -| **x509-certificate**:hashes.'SHA-256' | s, s, l, _, h, a, s, h | -| **x509-certificate**:hashes.'SHA-1' | s, s, l, _, h, a, s, h | -| **x509-certificate**:version | s, s, l, _, v, e, r, s, i, o, n | -| **x509-certificate**:serial_number | s, s, l, _, s, e, r, i, a, l | -| **x509-certificate**:signature_algorithm | s, s, l, _, s, i, g, n, a, t, u, r, e, _, a, l, g, o, r, i, t, h, m | -| **x509-certificate**:issuer | s, s, l, _, i, s, s, u, e, r | -| **x509-certificate**:subject | s, s, l, _, s, u, b, j, e, c, t | -| **x509-certificate**:subject_public_key_algorithm | s, s, l, _, p, u, b, l, i, c, k, e, y, _, a, l, g, o, r, i, t, h, m | +| **network-traffic**:src_ref.value | src | +| **network-traffic**:src_port | src_port | +| **network-traffic**:dst_ref.value | dest | +| **network-traffic**:dst_port | dest_port | +| **network-traffic**:protocols[*] | protocol | +| **network-traffic**:start | earliest | +| **network-traffic**:end | latest | +| **process**:name | process_name | +| **process**:command_line | process | +| **process**:pid | pid | +| **process**:creator_user_ref.account_login | user | +| **process**:binary_ref.parent_directory_ref.path | process_path | +| **process**:binary_ref.name | process_exec | +| **url**:value | url | +| **user-account**:user_id | user | +| **windows-registry-key**:key | object | +| **windows-registry-key**:values[*] | result | +| **windows-registry-key**:creator_user_ref.account_login | user | +| **x509-certificate**:hashes.'SHA-256' | ssl_hash | +| **x509-certificate**:hashes.'SHA-1' | ssl_hash | +| 
**x509-certificate**:version | ssl_version | +| **x509-certificate**:serial_number | ssl_serial | +| **x509-certificate**:signature_algorithm | ssl_signature_algorithm | +| **x509-certificate**:issuer | ssl_issuer | +| **x509-certificate**:subject | ssl_subject | +| **x509-certificate**:subject_public_key_algorithm | ssl_publickey_algorithm | | **x-splunk**:log_source | source | | **x-splunk**:log_source_type | _sourcetype | | **x-splunk**:direction | Direction | diff --git a/stix_shifter/scripts/supported_property_exporter.py b/stix_shifter/scripts/supported_property_exporter.py index e0271b37f..99414debf 100644 --- a/stix_shifter/scripts/supported_property_exporter.py +++ b/stix_shifter/scripts/supported_property_exporter.py @@ -166,7 +166,8 @@ def __main__(): for stix_object_key, value in loaded_from_stix_json.items(): property_dictionary = value["fields"] for s_property, fields_list in property_dictionary.items(): - + if not isinstance(fields_list, list): + fields_list = [fields_list] orig_fields_list = [] if data_field_alias_mapping: # TODO: Get real field name for QRadar From 1a655ed91c35e887f069cc5571eae8c853c56f68 Mon Sep 17 00:00:00 2001 From: Md Azam Date: Tue, 13 Dec 2022 17:56:12 -0400 Subject: [PATCH 09/30] Rename azure sentinel to Microsoft Graph Security Connector (#1212) --- .../azure_sentinel/{stix_translation => }/README.md | 6 +++--- .../azure_sentinel/configuration/config.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) rename stix_shifter_modules/azure_sentinel/{stix_translation => }/README.md (98%) diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/README.md b/stix_shifter_modules/azure_sentinel/README.md similarity index 98% rename from stix_shifter_modules/azure_sentinel/stix_translation/README.md rename to stix_shifter_modules/azure_sentinel/README.md index 010f2d6c9..f85f65fef 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/README.md +++ b/stix_shifter_modules/azure_sentinel/README.md 
@@ -1,11 +1,11 @@ -# Azure Sentinel Connector +# Microsoft Graph Security Connector ### Data Source -Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. +Microsoft Graph Security API enables fedarated search capabilities on all onboarded security providers. This connector can be used to search security alerts on the Microsoft security products. ##### Microsoft Graph API (v1.0) List security alerts (GET call) https://graph.microsoft.com/v1.0/security/
-`Ref: https://docs.microsoft.com/en-us/graph/api/resources/alert?view=graph-rest-beta` +`Ref: https://learn.microsoft.com/en-us/graph/api/resources/alert?view=graph-rest-1.0` Query Parameter: $filter (OData V4.0 support)
diff --git a/stix_shifter_modules/azure_sentinel/configuration/config.json b/stix_shifter_modules/azure_sentinel/configuration/config.json
index a07f2a0c2..f75070259 100644
--- a/stix_shifter_modules/azure_sentinel/configuration/config.json
+++ b/stix_shifter_modules/azure_sentinel/configuration/config.json
@@ -1,7 +1,7 @@
 {
   "connection": {
     "type": {
-      "displayName": "Microsoft Azure Sentinel",
+      "displayName": "Microsoft Graph Security",
       "group": "azure"
     },
     "host": {
From 3af9a786db40c39a3145782c368f46048e428e52 Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Thu, 15 Dec 2022 19:53:52 -0500
Subject: [PATCH 10/30] splunk: use like, cidrmatch SPL functions for LIKE, ISSUBSET operators (#1244)

---
 .../splunk/stix_translation/encoders.py | 11 ++--
 .../stix_translation/json/operators.json | 4 +-
 .../stix_translation/query_constructor.py | 51 ++++++++++++++-----
 .../test_splunk_stix_to_spl.py | 26 +++++++++-
 4 files changed, 69 insertions(+), 23 deletions(-)

diff --git a/stix_shifter_modules/splunk/stix_translation/encoders.py b/stix_shifter_modules/splunk/stix_translation/encoders.py
index 4e6a5dfcd..b6deca6f0 100644
--- a/stix_shifter_modules/splunk/stix_translation/encoders.py
+++ b/stix_shifter_modules/splunk/stix_translation/encoders.py
@@ -1,5 +1,3 @@
-import re
-
 def simple(value):
     if isinstance(value, str):
         return "\"{}\"".format(value)
@@ -7,9 +5,7 @@ def simple(value):
     return value
 
 def like(field, value):
-    encoded_value = re.escape(value).replace("\\%", ".*").replace("_", ".")
-
-    return "match({}, \"^{}$\")".format(field, encoded_value)
+    return "like({}, \"{}\")".format(field, value)
 
 def set(field, value):
     values = [str(simple(v)) for v in value.values]
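Review bot: The new `like` encoder interpolates the STIX literal straight into an SPL double-quoted string, so a value containing `"` closes the literal early and the remainder of the value is read as SPL, whereas the removed version at least ran the value through `re.escape`. Nothing on this page shows the literal being sanitized before it reaches the encoders, so the value should have backslashes and quotes escaped first, e.g. `value = value.replace("\\", "\\\\").replace('"', '\\"')` ahead of the `return`; the `subset` encoder added in the next hunk has the same gap, and `simple` above already had it. If the project relies on the STIX pattern parser to reject such values, a short comment at the top of the module stating that would spare the next reader the same question.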
@@ -17,6 +13,7 @@ def set(field, value):
     return "{} IN ({})".format(field, ', '.join(values))
 
 def matches(field, value):
-    encoded_value = value.replace("\\", "\\\\") # Splunk needs backslashes encoded in searches
+    return "match({}, \"{}\")".format(field, value)
 
-    return "match({}, \"{}\")".format(field, encoded_value)
+def subset(field, value):
+    return "cidrmatch(\"{}\", {})".format(value, field)
diff --git a/stix_shifter_modules/splunk/stix_translation/json/operators.json b/stix_shifter_modules/splunk/stix_translation/json/operators.json
index 9998e6c6d..83eb45ba6 100644
--- a/stix_shifter_modules/splunk/stix_translation/json/operators.json
+++ b/stix_shifter_modules/splunk/stix_translation/json/operators.json
@@ -10,8 +10,8 @@
   "ComparisonComparators.Matches": "encoders.matches",
   "ComparisonExpressionOperators.And": "AND",
   "ComparisonExpressionOperators.Or": "OR",
-  "ComparisonComparators.IsSubSet": "=",
+  "ComparisonComparators.IsSubSet": "encoders.subset",
   "ObservationOperators.And": "{expr1} OR {expr2}",
   "ObservationOperators.Or": "{expr1} OR {expr2}",
   "ObservationOperators.FollowedBy": "latest=[search {expr2} | append [makeresults 1 | eval _time=0] | head 1 | return $_time] | where {expr1}"
-}
\ No newline at end of file
+}
diff --git a/stix_shifter_modules/splunk/stix_translation/query_constructor.py b/stix_shifter_modules/splunk/stix_translation/query_constructor.py
index e51ba6607..0c59513ce 100644
--- a/stix_shifter_modules/splunk/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/splunk/stix_translation/query_constructor.py
@@ -22,6 +22,10 @@ def stix_strptime(date_string):
     return datetime.strptime(date_string, stix_date_format_secs)
 
 
+def _needs_where_command(translated_query_str):
+    return bool(re.search(r'(like|match)\(', translated_query_str))
+
+
 class SplunkSearchTranslator:
     """ The core translator class. Instances should not be re-used """
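Review bot: `_needs_where_command` only routes ISSUBSET into the `| where` form because `cidrmatch(` happens to contain the substring `match(`; that is accidental and breaks silently if the encoder output ever changes, so the intent should be explicit, e.g. `return bool(re.search(r'\b(like|match|cidrmatch)\(', translated_query_str))`. The check also scans literal values, so a comparison value containing `like(` or `match(` flips the whole query into `| where` syntax; the tests on this page suggest plain `field = "value"` comparisons work in both layouts, so this looks harmless, but a one-line comment above the helper stating that assumption would help. The helper relies on `re` already being imported at the top of query_constructor.py, which is outside this hunk.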
@@ -80,21 +84,35 @@ def translate(self, expression, qualifier=None):
                 latest_dt = latest_obj.strftime(splunk_date_format)
 
                 # prepare splunk SPL query
-                if earliest and latest:
-                    return '{query_string} earliest="{earliest}" latest="{latest}"'.format(query_string=translated_query_str,
-                                                                                            earliest=earliest_dt,
-                                                                                            latest=latest_dt)
-                elif earliest:
-                    return '{query_string} earliest="{earliest}"'.format(query_string=translated_query_str,
-                                                                          earliest=earliest_dt)
-                elif latest:
-                    return '{query_string} latest="{latest}"'.format(query_string=translated_query_str,
-                                                                      latest=latest_dt)
+                if _needs_where_command(translated_query_str):
+                    if earliest and latest:
+                        return 'earliest="{earliest}" latest="{latest}" | where {query_string}'.format(query_string=translated_query_str,
+                                                                                                        earliest=earliest_dt,
+                                                                                                        latest=latest_dt)
+                    elif earliest:
+                        return 'earliest="{earliest}" | where {query_string}'.format(query_string=translated_query_str,
+                                                                                      earliest=earliest_dt)
+                    elif latest:
+                        return 'latest="{latest}" | where {query_string}'.format(query_string=translated_query_str,
+                                                                                  latest=latest_dt)
+                    else:
+                        raise NotImplementedError("Qualifier type not implemented")
                 else:
-                    raise NotImplementedError("Qualifier type not implemented")
+                    if earliest and latest:
+                        return '{query_string} earliest="{earliest}" latest="{latest}"'.format(query_string=translated_query_str,
+                                                                                                earliest=earliest_dt,
+                                                                                                latest=latest_dt)
+                    elif earliest:
+                        return '{query_string} earliest="{earliest}"'.format(query_string=translated_query_str,
+                                                                              earliest=earliest_dt)
+                    elif latest:
+                        return '{query_string} latest="{latest}"'.format(query_string=translated_query_str,
+                                                                          latest=latest_dt)
+                    else:
+                        raise NotImplementedError("Qualifier type not implemented")
             else:
                 # Setting time_range value if START and STOP qualifiers are absent.
-                return '{query_string}'.format(query_string=translated_query_str)
+                return translated_query_str
         elif isinstance(expression, CombinedObservationExpression):
             combined_expr_format_string = self.comparator_lookup[str(expression.operator)]
@@ -182,6 +200,8 @@ def _build_comparison(self, expression, object_scoping, field_mapping):
             comparison = encoders.set(field_mapping, expression.value)
         elif comparator == "encoders.matches":
             comparison = encoders.matches(field_mapping, expression.value)
+        elif comparator == "encoders.subset":
+            comparison = encoders.subset(field_mapping, expression.value)
         else:
             comparison = "{} {} {}".format(
                 field_mapping,
@@ -236,7 +256,12 @@ def translate_pattern(pattern: Pattern, data_model_mapping, search_key, options)
         translated_query = f'index={index} {translated_query}'
 
     if not has_earliest_latest:
-        translated_query += ' earliest="{earliest}" | head {result_limit}'.format(earliest=time_range, result_limit=result_limit)
+        if _needs_where_command(translated_query):
+            translated_query = 'earliest="{earliest}" | where {qry} | head {result_limit}'.format(qry=translated_query,
+                                                                                                  earliest=time_range,
+                                                                                                  result_limit=result_limit)
+        else:
+            translated_query += ' earliest="{earliest}" | head {result_limit}'.format(earliest=time_range, result_limit=result_limit)
     elif has_earliest_latest:
         translated_query += ' | head {result_limit}'.format(result_limit=result_limit)
diff --git a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
index 98cf2800c..cd170b178 100644
--- a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
+++ b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
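Review bot: The new branch in translate() duplicates the earlier if/elif ladder, so six near-identical `.format` calls now differ only in whether the time clause goes before `| where` or after the query; the time clause can be built once and the two layouts reduced to two returns, which also keeps the `NotImplementedError` in a single place. A sketch follows; `earliest_dt` and `latest_dt` are assigned above the hunk and translate() continues outside it on both sides, so the indentation is inferred. All four earliest/latest combinations produce the same strings as the committed code.
```python
                # prepare splunk SPL query
                time_clauses = []
                if earliest:
                    time_clauses.append('earliest="{}"'.format(earliest_dt))
                if latest:
                    time_clauses.append('latest="{}"'.format(latest_dt))
                if not time_clauses:
                    raise NotImplementedError("Qualifier type not implemented")
                time_clause = ' '.join(time_clauses)
                if _needs_where_command(translated_query_str):
                    return '{} | where {}'.format(time_clause, translated_query_str)
                return '{} {}'.format(translated_query_str, time_clause)
```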
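Review bot: In translate_pattern's `not has_earliest_latest` branch the `| where` form is built from `translated_query` after the `index={index}` prefix shown as context at the top of the hunk has been prepended, so with an index configured and a LIKE, MATCHES or ISSUBSET comparison the output becomes `earliest="…" | where index=<index> (like(…)) | head N`; unless SPL's `where` accepts that juxtaposition, which I do not believe it does, the search fails, while the `has_earliest_latest` path is unaffected because translate() already placed the `| where`. Keeping the index on the search side by applying the prefix after choosing the layout avoids this, as sketched below; `index` is assumed to be set (possibly empty) by the lines above the hunk, and none of the tests on this page combine the index option with the new encoders.
```python
    # … unchanged: index lookup from options (assumed to leave `index` set, possibly empty) …
    index_clause = f'index={index} ' if index else ''
    if not has_earliest_latest:
        if _needs_where_command(translated_query):
            translated_query = '{idx}earliest="{earliest}" | where {qry} | head {result_limit}'.format(
                idx=index_clause, qry=translated_query, earliest=time_range, result_limit=result_limit)
        else:
            translated_query = '{idx}{qry} earliest="{earliest}" | head {result_limit}'.format(
                idx=index_clause, qry=translated_query, earliest=time_range, result_limit=result_limit)
    elif has_earliest_latest:
        translated_query = '{}{} | head {}'.format(index_clause, translated_query, result_limit)
```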
@@ -223,7 +223,7 @@ def test_start_stop_qualifiers_seconds(self):
     def test_issubset_operator(self):
         stix_pattern = "[ipv4-addr:value ISSUBSET '198.51.100.0/24']"
         query = translation.translate('splunk', 'query', '{}', stix_pattern)
-        queries = f'search ((src_ip = "198.51.100.0/24") OR (dest_ip = "198.51.100.0/24")) earliest="-5minutes" | head 10000 | fields {fields}'
+        queries = f'search earliest="-5minutes" | where ((cidrmatch("198.51.100.0/24", src_ip)) OR (cidrmatch("198.51.100.0/24", dest_ip))) | head 10000 | fields {fields}'
         _test_query_assertions(query, queries)
 
     def test_custom_time_limit_and_result_count(self):
@@ -325,6 +325,30 @@ def test_ipv4_query_in_operator(self):
         queries = f'search ((src_ip IN ("192.168.122.83", "192.168.122.84")) OR (dest_ip IN ("192.168.122.83", "192.168.122.84"))) earliest="-5minutes" | head 10000 | fields {fields}'
         _test_query_assertions(query, queries)
 
+    def test_like(self):
+        stix_pattern = "[file:name LIKE 'x_.%']"
+        query = translation.translate('splunk', 'query', '{}', stix_pattern)
+        queries = f'search earliest="-5minutes" | where (like(file_name, "x_.%")) | head 10000 | fields {fields}'
+        _test_query_assertions(query, queries)
+
+    def test_like_or_equal(self):
+        stix_pattern = "[file:name LIKE 'x_.%' OR file:name = 'y1.exe']"
+        query = translation.translate('splunk', 'query', '{}', stix_pattern)
+        queries = f'search earliest="-5minutes" | where ((file_name = "y1.exe") OR (like(file_name, "x_.%"))) | head 10000 | fields {fields}'
+        _test_query_assertions(query, queries)
+
+    def test_match(self):
+        stix_pattern = r"[file:name MATCHES '^x.\\..*$']"
+        query = translation.translate('splunk', 'query', '{}', stix_pattern)
+        queries = f'search earliest="-5minutes" | where (match(file_name, "^x.\\..*$")) | head 10000 | fields {fields}'
+        _test_query_assertions(query, queries)
+
+    def test_match_or_equal(self):
+        stix_pattern = r"[file:name MATCHES '^x.\\..*$' OR file:name = 'y1.exe']"
+        query = translation.translate('splunk', 'query', '{}', stix_pattern)
+        queries = f'search earliest="-5minutes" | where ((file_name = "y1.exe") OR (match(file_name, "^x.\\..*$"))) | head 10000 | fields {fields}'
+        _test_query_assertions(query, queries)
+
 
 if __name__ == '__main__':
     unittest.main()
From 18462dde02397948c53df76fc150391bba31b67c Mon Sep 17 00:00:00 2001
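Review bot: None of the four new tests puts a `"` or a backslash inside the LIKE or MATCHES literal, so the quoting behaviour of the new `like`/`match`/`cidrmatch` output is left unpinned; one case such as `stix_pattern = "[file:name LIKE 'a\"b%']"` with the SPL string the project expects for it would document whatever escaping policy is chosen (constructed example). A companion test that sets the index option together with a LIKE comparison would also exercise the `| where` layout in translate_pattern, which every case here runs without an index.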
From: Danny Elliott Date: Tue, 3 Jan 2023 11:17:16 -0400 Subject: [PATCH 11/30] mapping fixes for splunk (#1239) --- .../stix_translation/json/from_stix_map.json | 26 +- .../json/stix_2_1/from_stix_map.json | 63 ++- .../json/stix_2_1/to_stix_map.json | 400 +++++++++++++++--- .../test_splunk_stix_to_spl.py | 6 +- 4 files changed, 409 insertions(+), 86 deletions(-) diff --git a/stix_shifter_modules/splunk/stix_translation/json/from_stix_map.json b/stix_shifter_modules/splunk/stix_translation/json/from_stix_map.json index 57ffd1e59..c174a356e 100644 --- a/stix_shifter_modules/splunk/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/splunk/stix_translation/json/from_stix_map.json @@ -35,7 +35,7 @@ "directory": { "cim_type": "endpoint", "fields": { - "path": "file_path", + "path": ["file_path", "process_path", "parent_process_path"], "created": "file_create_time", "modified": "file_modify_time" } @@ -43,10 +43,7 @@ "domain-name": { "cim_type": "flow", "fields": { - "value": [ - "host", - "url" - ] + "value": ["host", "url"] } }, "x-readable-payload": { @@ -58,10 +55,7 @@ "email-addr": { "cim_type": "email", "fields": { - "value": [ - "src_user", - "recipient" - ] + "value": ["src_user", "recipient"] } }, "email-message": { @@ -123,9 +117,9 @@ "network-traffic": { "cim_type": "network", "fields": { - "src_ref.value": "src", + "src_ref.value": ["src_ip"], "src_port": "src_port", - "dst_ref.value": "dest", + "dst_ref.value": ["dest_ip"], "dst_port": "dest_port", "protocols[*]": "protocol", "start": "earliest", 
@@ -135,10 +129,11 @@ "process": { "cim_type": "process", "fields": { - "name": "process_name", - "command_line": "process", - "pid": "pid", + "name": ["process_name", "parent_process_name"], + "command_line": ["process", "parent_process"], + "pid": ["process_id", "parent_process_id"], "creator_user_ref.account_login": "user", + "creator_user_ref.user_login": "user", "binary_ref.parent_directory_ref.path": "process_path", "binary_ref.name": "process_exec" } @@ -152,7 +147,8 @@ "user-account": { "cim_type": "authentication", "fields": { - "user_id": "user" + "user_id": "user", + "account_login": "user" } }, "windows-registry-key": { diff --git a/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/from_stix_map.json index 23b3bf1a4..261aeda1f 100644 --- a/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/from_stix_map.json +++ b/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/from_stix_map.json 
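Review bot: `"creator_user_ref.user_login": "user"` targets a property the STIX user-account object does not define (the spec has `user_id` and `account_login`, both already mapped in this file), so unless the module intentionally accepts a non-spec property the key is unreachable from a valid pattern and should be dropped or its purpose documented in the module README. Separately, `name`, `command_line` and `pid` now fan out to the `parent_process*` fields as well, which widens `process:name = 'wmic.exe'` to events whose own process has a different name; the previous hunk does the same for `directory.path`, the stix_2_1 map repeats it (`@@ -102,10 +129,13 @@`), and the updated expectations in test_splunk_stix_to_spl.py encode it. If that widening is intended it deserves a sentence in the module documentation so it is not later reported as a false-positive bug.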
@@ -1,8 +1,41 @@ { + "x-oca-event": { + "cim_type": "alert", + "fields": { + "code": ["signature_id"], + "action": ["signature"], + "outcome": ["result"], + "module": ["source"], + "created": ["_time"], + "process_ref.command_line": ["process"], + "process_ref.image_ref.name": ["process_exec"], + "process_ref.parent_ref.command_line": ["parent_process"], + "process_ref.creator_user_ref.user_id": ["process_user"], + "process_ref.name": ["process_name"], + "process_ref.pid": ["process_id"], + "parent_process_ref.command_line": ["parent_process"], + "parent_process_ref.image_ref.name": ["parent_process_exec"], + "parent_process_ref.pid": ["parent_process_id"], + "parent_process_ref.name": ["parent_process_name"], + "domain_ref.value": ["url", "url_domain"], + "file_ref.name": ["file_name"], + "host_ref.hostname": ["host"], + "host_ref.ip_refs[*].value": ["src_ip"], + "registry_ref.key": ["ObjectName", "RegistryKey"], + "user_ref.user_id": ["user"], + "url_ref.value": ["url"] + } + }, + "x-oca-asset": { + "cim_type": "host", + "fields": { + "hostname": "host" + } + }, "directory": { "cim_type": "endpoint", "fields": { - "path": "file_path", + "path": ["file_path", "process_path", "parent_process_path"], "ctime": "file_create_time", "mtime": "file_modify_time" } @@ -10,10 +43,7 @@ "domain-name": { "cim_type": "flow", "fields": { - "value": [ - "host", - "url" - ] + "value": ["host", "url"] } }, "x-readable-payload": { @@ -25,10 +55,7 @@ "email-addr": { "cim_type": "email", "fields": { - "value": [ - "src_user", - "recipient" - ] + "value": ["src_user", "recipient"] } }, "email-message": { @@ -53,7 +80,7 @@ "hashes.MD5": "file_hash", "hashes.'SHA-1'": "file_hash", "hashes.'SHA-256'": "file_hash", - "name": ["file_name", "process"], + "name": "file_name", "ctime": "file_create_time", "mtime": "file_modify_time", "parent_directory_ref.path": "file_path", 
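Review bot: `"registry_ref.key": ["ObjectName", "RegistryKey"]` in the new x-oca-event block queries two Splunk fields that no visible part of the to_stix map reads, while the results side populates `windows-registry-key.key` from `object_path` (the `@@ -210,18 +422,29 @@` hunk of stix_2_1/to_stix_map.json in this same commit); a pattern on `x-oca-event:registry_ref.key` therefore searches fields whose values are not what consumers see in results, assuming no other to_stix entry covers them. If `ObjectName`/`RegistryKey` are legitimately emitted by other sourcetypes, mirror them on the to_stix side; otherwise `object_path` belongs in this list. A line in the module README naming which sourcetype supplies each registry field would make the choice reviewable.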
@@ -90,9 +117,9 @@ "network-traffic": { "cim_type": "network", "fields": { - "src_ref.value": "src", + "src_ref.value": ["src_ip"], "src_port": "src_port", - "dst_ref.value": "src", + "dst_ref.value": ["dest_ip"], "dst_port": "dest_port", "protocols[*]": "protocol", "start": "earliest", @@ -102,10 +129,13 @@ "process": { "cim_type": "process", "fields": { - "pid": "pid", + "x_name": ["process_name", "parent_process_name"], + "command_line": ["process", "parent_process"], + "pid": ["process_id", "parent_process_id"], "creator_user_ref.account_login": "user", - "image_ref.parent_directory_ref.path": "file_path", - "image_ref.name": ["file_name", "process"] + "creator_user_ref.user_login": "user", + "image_ref.parent_directory_ref.path": "process_path", + "image_ref.name": "process_exec" } }, "url": { @@ -117,7 +147,8 @@ "user-account": { "cim_type": "authentication", "fields": { - "user_id": "user" + "user_id": "user", + "account_login": "user" } }, "windows-registry-key": { diff --git a/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/to_stix_map.json index 0a8236e4c..a47100e65 100644 --- a/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/to_stix_map.json +++ b/stix_shifter_modules/splunk/stix_translation/json/stix_2_1/to_stix_map.json @@ -4,11 +4,18 @@ "cybox": false, "transformer": "ToInteger" }, - "_raw": { - "key": "artifact.payload_bin", - "transformer": "ToBase64", - "object": "artifact" - }, + "_raw": [ + { + "key": "artifact.payload_bin", + "object": "artifact", + "transformer": "ToBase64" + }, + { + "key": "x-oca-event.original_ref", + "object": "event", + "references": "artifact" + } + ], "mime_type_raw": { "key": "artifact.mime_type", "object": "artifact" 
@@ -26,6 +33,26 @@ "key": "network-traffic.dst_ref", "object": "network-traffic", "references": "dst_ip" + }, + { + "key": "x-oca-event.ip_refs", + "object": "event", + "references": [ + "dst_ip" + ], + "group": true + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] } ], "src_ip": [ 
@@ -41,23 +68,85 @@ "key": "network-traffic.src_ref", "object": "network-traffic", "references": "src_ip" + }, + { + "key": "x-oca-event.ip_refs", + "object": "event", + "references": [ + "src_ip" + ], + "group": true + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] + } + ], + "dest_port": [ + { + "key": "network-traffic.dst_port", + "object": "network-traffic", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] + } + ], + "src_port": [ + { + "key": "network-traffic.src_port", + "object": "network-traffic", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] + } + ], + "protocol": [ + { + "key": "network-traffic.protocols", + "object": "network-traffic", + "transformer": "ToLowercaseArray" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] } ], - "dest_port": { - "key": "network-traffic.dst_port", - "object": "network-traffic", - "transformer": "ToInteger" - }, - "src_port": { - "key": "network-traffic.src_port", - "object": "network-traffic", - "transformer": "ToInteger" - }, - "protocol": { - "key": "network-traffic.protocols", - "object": "network-traffic", - "transformer": "ToLowercaseArray" - }, "_time": [ { "key": "first_observed", 
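Review bot: Every network field in this hunk (`src_ip`, `dest_port`, `src_port`, `protocol`, plus `dst_ip` in the preceding hunk) now carries the same `x-oca-event.network_ref` / `process.opened_connection_refs` pair, so a flow-only result with no process fields will also produce a `process.opened_connection_refs` reference; whether the translator drops that reference when the `process` object is otherwise empty is not visible here and is worth a results test with only src/dest fields present. The same two entries are then repeated verbatim for `query` and `answer` further down, seven copies in the visible hunks, so any change to the linkage must be made in each; if the mapping format cannot share them, a README note listing the fields that carry the linkage would at least make the duplication discoverable.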
@@ -68,6 +157,11 @@ "key": "last_observed", "transformer": "SplunkToTimestamp", "cybox": false + }, + { + "key": "x-oca-event.created", + "transformer": "SplunkToTimestamp", + "object": "event" } ], "user": [ @@ -82,14 +176,14 @@ { "key": "user-account.user_id", "object": "authentication" + }, + { + "key": "x-oca-event.user_ref", + "object": "event", + "references": "authentication" } ], "process_user": [ - { - "key": "windows-registry-key.creator_user_ref", - "object": "windows-registry-key", - "references": "authentication" - }, { "key": "process.creator_user_ref", "object": "process", 
@@ -130,10 +224,122 @@ "key": "x509-certificate.subject_public_key_algorithm", "object": "certificate" }, - "process_id": { - "key": "process.pid", + "process_id": [ + { + "key": "process.pid", + "object": "process" + }, + { + "key": "x-oca-event.process_ref", + "object": "event", + "references": "process" + } + ], + "process_name": [ + { + "key": "process.x_name", + "object": "process" + }, + { + "key": "x-oca-event.process_ref", + "object": "event", + "references": "process" + } + ], + "process": { + "key": "process.command_line", "object": "process" }, + "process_exec": [ + { + "key": "file.name", + "object": "process-exec" + }, + { + "key": "process.object_ref", + "object": "process", + "references": "process-exec" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "process-exec" + } + ], + "process_hash": { + "key": "file.hashes", + "object": "process-exec", + "transformer": "SplunkHash" + }, + "process_path": [ + { + "key": "directory.path", + "object": "process-path" + }, + { + "key": "file.parent_directory_ref", + "object": "process-exec", + "references": "process-path" + } + ], + "parent_process_id": [ + { + "key": "process.pid", + "object": "parent-process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "event", + "references": "parent-process" + }, + { + "key": "process.parent_ref", + "object": "process", + "references": "parent-process" + } + ], + "parent_process_name": [ + { + "key": "process.x_name", + "object": "parent-process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "event", + "references": "parent-process" + }, + { + "key": "process.parent_ref", + "object": "process", + "references": "parent-process" + } + ], + "parent_process": { + "key": "process.command_line", + "object": "parent-process" + }, + "parent_process_exec": [ + { + "key": "file.name", + "object": "parent-process-exec" + }, + { + "key": "process.object_ref", + "object": "parent-process", + "references": 
"parent-process-exec" + } + ], + "parent_process_path": [ + { + "key": "directory.path", + "object": "parent-process-path" + }, + { + "key": "file.parent_directory_ref", + "object": "parent-process-exec", + "references": "parent-process-path" + } + ], "file_path": [ { "key": "directory.path", @@ -143,11 +349,6 @@ "key": "file.parent_directory_ref", "object": "file", "references": "directory" - }, - { - "key": "process.image_ref", - "object": "process", - "references": "file" } ], "file_create_time": [ @@ -178,10 +379,17 @@ "key": "file.hashes.UNKNOWN", "object": "file" }, - "file_name": { - "key": "file.name", - "object": "file" - }, + "file_name": [ + { + "key": "file.name", + "object": "file" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + } + ], "file_size": { "key": "file.size", "object": "file" @@ -194,12 +402,16 @@ { "key": "ipv4-addr.resolves_to_refs", "object": "src_ip", - "references": ["src_mac"] + "references": [ + "src_mac" + ] }, { "key": "ipv6-addr.resolves_to_refs", "object": "src_ip", - "references": ["src_mac"] + "references": [ + "src_mac" + ] } ], "dest_mac": [ @@ -210,18 +422,29 @@ { "key": "ipv4-addr.resolves_to_refs", "object": "dst_ip", - "references": ["dst_mac"] + "references": [ + "dst_mac" + ] }, { "key": "ipv6-addr.resolves_to_refs", "object": "dst_ip", - "references": ["dst_mac"] + "references": [ + "dst_mac" + ] + } + ], + "object_path": [ + { + "key": "windows-registry-key.key", + "object": "windows-registry-key" + }, + { + "key": "x-oca-event.registry_ref", + "object": "event", + "references": "windows-registry-key" } ], - "object_path": { - "key": "windows-registry-key.key", - "object": "windows-registry-key" - }, "url": [ { "key": "url.value", 
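Review bot: `process.object_ref`, used for `process_exec` and again for `parent_process_exec`, is not a property of the STIX 2.1 process object; the spec's link from a process to its executable file is `image_ref`, which this hunk series removes from the `file_path` mapping in the `@@ -143,11 +349,6 @@` hunk. Unless `object_ref` is a custom property this module emits deliberately, these entries should read `"key": "process.image_ref"` so consumers that follow `image_ref` still reach the executable. The parent/child linkage through `process.parent_ref` under `parent_process_id` and `parent_process_name` looks consistent with the from_stix side.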
@@ -257,16 +480,15 @@ "object": "email-message", "transformer": "StringToBool" }, - "source": [ + "host": [ { - "key": "x-splunk.log_source", - "object": "x-splunk" - } - ], - "_sourcetype": [ + "key": "x-oca-asset.hostname", + "object": "host" + }, { - "key": "x-splunk.log_source_type", - "object": "x-splunk" + "key": "x-oca-event.host_ref", + "object": "event", + "references": "host" } ], "Direction": [ @@ -326,5 +548,79 @@ "key": "x-ibm-finding.severity", "object": "x-ibm-finding" } + ], + "source": { + "key": "x-oca-event.module", + "object": "event" + }, + "description": { + "key": "x-oca-event.action", + "object": "event" + }, + "signature": { + "key": "x-oca-event.action", + "object": "event" + }, + "signature_id": { + "key": "x-oca-event.code", + "object": "event" + }, + "result": { + "key": "x-oca-event.outcome", + "object": "event" + }, + "query": [ + { + "key": "domain-name.value", + "object": "domain" + }, + { + "key": "network-traffic.extensions.dns-ext.question.domain_ref", + "object": "network-traffic", + "references": "domain" + }, + { + "key": "x-oca-event.domain_ref", + "object": "event", + "references": "domain" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] + } + ], + "answer": [ + { + "key": "ipv4-addr.value", + "object": "resolved-ip" + }, + { + "key": "network-traffic.extensions.dns-ext.resolved_ip_refs", + "object": "network-traffic", + "references": [ + "resolved-ip" + ], + "group": true + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "network-traffic" + }, + { + "key": "process.opened_connection_refs", + "object": "process", + "references": [ + "network-traffic" + ] + } ] } 
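Review bot: `description` and `signature` are both mapped to `x-oca-event.action`, so on a result that carries both fields one value presumably overwrites the other in whatever order the result's keys are iterated, giving non-deterministic output; keep one, or route `description` to a distinct property such as a custom `x_description`. In the first hunk the `_sourcetype` → `x-splunk.log_source_type` mapping is removed along with the old `source` entry, and while `source` is re-added as `x-oca-event.module` at the bottom, nothing visible re-adds `_sourcetype`, so consumers that read the sourcetype lose it; if that drop is intended, the commit message should say so. The new `host` block is consistent with the `x-oca-asset` entry in the from_stix map.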
diff --git a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py index cd170b178..109ae1108 100644 --- a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py +++ b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py @@ -155,7 +155,7 @@ def test_risk_finding(self): def test_dst_ref_queries(self): stix_pattern = "[network-traffic:dst_ref.value = '192.168.122.83']" query = translation.translate('splunk', 'query', '{}', stix_pattern) - queries = f'search (dest = "192.168.122.83") earliest="-5minutes" | head 10000 | fields {fields}' + queries = f'search (dest_ip = "192.168.122.83") earliest="-5minutes" | head 10000 | fields {fields}' _test_query_assertions(query, queries) def test_port_queries(self): @@ -310,13 +310,13 @@ def test_x_oca_event_missing_vals(self): def test_proc_command_line_query(self): stix_pattern = "[process:command_line = 'wmic.exe process call create calc']" query = translation.translate('splunk', 'query', '{}', stix_pattern) - queries = f'search (process = "wmic.exe process call create calc") earliest="-5minutes" | head 10000 | fields {fields}' + queries = f'search ((process = "wmic.exe process call create calc") OR (parent_process = "wmic.exe process call create calc")) earliest="-5minutes" | head 10000 | fields {fields}' _test_query_assertions(query, queries) def test_proc_name_query(self): stix_pattern = "[process:name = 'wmic.exe']" query = translation.translate('splunk', 'query', '{}', stix_pattern) - queries = f'search (process_name = "wmic.exe") earliest="-5minutes" | head 10000 | fields {fields}' + queries = f'search ((process_name = "wmic.exe") OR (parent_process_name = "wmic.exe")) earliest="-5minutes" | head 10000 | fields {fields}' _test_query_assertions(query, queries) def test_ipv4_query_in_operator(self): From 0666d0e9188661b7a772abb3147c451290b93555 Mon Sep 17 00:00:00 2001 
From: Aviv Ron Date: Tue, 3 Jan 2023 17:22:19 +0200 Subject: [PATCH 12/30] change all two lettered property names (#1251) --- .../stix_translation/json/to_stix_map.json | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json b/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json
index 6740334d7..72faf0d5b 100644
--- a/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json
@@ -632,7 +632,7 @@
 "object": "event"
 },
 "id": {
- "key": "x-oca-event.id",
+ "key": "x-oca-event.event_id",
 "object": "event"
 },
 "category": {
@@ -1064,7 +1064,7 @@
 },
 "id": [
 {
- "key": "x-ecs-user.id",
+ "key": "x-ecs-user.user_id",
 "object": "x_user"
 },
 {
@@ -1152,7 +1152,7 @@
 },
 "container": {
 "id": {
- "key": "x-ecs-container.id",
+ "key": "x-ecs-container.container_id",
 "object": "container"
 },
 "image": {
@@ -1353,7 +1353,7 @@
 "object": "error"
 },
 "id": {
- "key": "x-ecs-error.id",
+ "key": "x-ecs-error.error_id",
 "object": "error"
 },
 "message": {
@@ -1526,7 +1526,7 @@
 "object": "group"
 },
 "id": {
- "key": "x-ecs-group.id",
+ "key": "x-ecs-group.group_id",
 "object": "group"
 },
 "name": {
@@ -1555,7 +1555,7 @@
 }
 ],
 "id": {
- "key": "x-oca-asset.id",
+ "key": "x-oca-asset.host_id",
 "object": "host"
 },
 "ip": [
@@ -1953,7 +1953,7 @@
 },
 "organization": {
 "id": {
- "key": "x-ecs-organization.id",
+ "key": "x-ecs-organization.organization_id",
 "object": "organization"
 },
 "name": {
@@ -2046,7 +2046,7 @@
 "object": "rule"
 },
 "id": {
- "key": "x-ecs-rule.id",
+ "key": "x-ecs-rule.rule_id",
 "object": "rule"
 },
 "license": {
@@ -2076,7 +2076,7 @@
 },
 "service": {
 "id": {
- "key": "x-ecs-service.id",
+ "key": "x-ecs-service.service_id",
 "object": "service"
 },
 "name": {
@@ -2264,13 +2264,13 @@
 },
 "trace": {
 "id": {
- "key": "x-ecs-trace.id",
+ "key": "x-ecs-trace.trace_id",
 "object": "trace"
 }
 },
 "transaction": {
 "id": {
- "key": "x-ecs-transaction.id",
+ "key": "x-ecs-transaction.transaction_id",
 "object": "transaction"
 }
 },
@@ -2312,7 +2312,7 @@
 "object": "vulnerability"
 },
 "id": {
- "key": "x-ecs-vulnerability.id",
+ "key": "x-ecs-vulnerability.vulnerability_id",
 "object": "vulnerability"
 },
 "reference": {
From 4581aed6e608c71f14b8656980aba332a739981b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Jan 2023 12:01:06 -0400 Subject: [PATCH 13/30] Bump boto3 from 1.26.10 to 1.26.41 in /stix_shifter (#1263) Bumps [boto3](https://github.com/boto/boto3) from 1.26.10 to 1.26.41. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.26.10...1.26.41) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Md Azam --- stix_shifter/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stix_shifter/requirements.txt b/stix_shifter/requirements.txt
index 9991e1058..6cda4d131 100644
--- a/stix_shifter/requirements.txt
+++ b/stix_shifter/requirements.txt
@@ -1,6 +1,6 @@
 adal==1.2.7
 antlr4-python3-runtime==4.8
-boto3==1.26.10
+boto3==1.26.41
 flask==2.2.2
 pyOpenSSL==22.1.0
 flatten_json==0.1.13
From 51c00a82a420fa59653f819ac12e051e23cddbe1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jan 2023 09:11:48 -0400 Subject: [PATCH 14/30] Bump json-fix from 0.5.0 to 0.5.1 in /stix_shifter (#1196) Bumps [json-fix](https://github.com/jeff-hykin/json_fix) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/jeff-hykin/json_fix/releases) - [Commits](https://github.com/jeff-hykin/json_fix/compare/0.5.0...0.5.1) --- updated-dependencies: - dependency-name: json-fix dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- stix_shifter/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stix_shifter/requirements.txt b/stix_shifter/requirements.txt
index 6cda4d131..60e59f0c1 100644
--- a/stix_shifter/requirements.txt
+++ b/stix_shifter/requirements.txt
@@ -10,6 +10,6 @@ stix2-patterns==1.3.2
 stix2-validator==3.0.2
 xmltodict==0.13.0
 jsonmerge==1.9.0
-json-fix==0.5.0
+json-fix==0.5.1
 colorlog==6.7.0
 stix2-matcher==3.0.0
\ No newline at end of file
From 689c5aff2346fbb36447f58f969ab16f0f2efa66 Mon Sep 17 00:00:00 2001 From: Paul Coccoli Date: Fri, 6 Jan 2023 09:23:18 -0500 Subject: [PATCH 15/30] splunk: allow multiple, comma-separated index names in the index option (#1271) --- stix_shifter_modules/splunk/configuration/lang_en.json | 4 ++-- .../splunk/stix_translation/query_constructor.py | 4 +++- .../tests/stix_translation/test_splunk_stix_to_spl.py | 9 ++++++++- 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/stix_shifter_modules/splunk/configuration/lang_en.json b/stix_shifter_modules/splunk/configuration/lang_en.json
index 6506020b1..da6b1359c 100644
--- a/stix_shifter_modules/splunk/configuration/lang_en.json
+++ b/stix_shifter_modules/splunk/configuration/lang_en.json
@@ -23,8 +23,8 @@
 },
 "options": {
 "index": {
- "label": "Index Name",
- "description": "The name of the Splunk index to be queried by this connector."
+ "label": "Index Name(s)",
+ "description": "The (comma-separated) name(s) of the Splunk index (or indices) to be queried by this connector."
 }
 }
 },
diff --git a/stix_shifter_modules/splunk/stix_translation/query_constructor.py b/stix_shifter_modules/splunk/stix_translation/query_constructor.py
index 0c59513ce..4d89b1f63 100644
--- a/stix_shifter_modules/splunk/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/splunk/stix_translation/query_constructor.py
@@ -253,7 +253,9 @@ def translate_pattern(pattern: Pattern, data_model_mapping, search_key, options)
 fields += field
 if index:
- translated_query = f'index={index} {translated_query}'
+ indices = [i.strip(' ') for i in index.split(',')]
+ index_cmd = ' OR '.join([f'index="{i}"' for i in indices])
+ translated_query = f'{index_cmd} {translated_query}'
 if not has_earliest_latest:
 if _needs_where_command(translated_query):
diff --git a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
index 109ae1108..ecf5d3660 100644
--- a/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
+++ b/stix_shifter_modules/splunk/tests/stix_translation/test_splunk_stix_to_spl.py
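Review bot: `indices = [i.strip(' ') for i in index.split(',')]` keeps empty elements, so an option value with a trailing or doubled comma (`"i1,"`) produces `index=""`, and a name containing `"` is interpolated into the SPL as-is since only a wrapping quote is added; `indices = [i.strip() for i in index.split(',') if i.strip()]` handles the empties and tabs, and a quote in an index name should be rejected or escaped rather than passed through. The generated `index="i1" OR index="i2" (...)` relies on the search command's OR-before-AND precedence; `translated_query = f'({index_cmd}) {translated_query}'` makes the grouping explicit, with the expectation in test_custom_indices updated to match. `translate_pattern` begins and ends outside this hunk.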
@@ -237,7 +237,14 @@ def test_custom_index(self):
 stix_pattern = "[ipv4-addr:value = '192.168.122.83']"
 options = {"index": "my_index"}
 query = translation.translate('splunk', 'query', '{}', stix_pattern, options)
- queries = f'search index=my_index ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83")) earliest="-5minutes" | head 10000 | fields {fields}'
+ queries = f'search index="my_index" ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83")) earliest="-5minutes" | head 10000 | fields {fields}'
+ _test_query_assertions(query, queries)
+
+ def test_custom_indices(self):
+ stix_pattern = "[ipv4-addr:value = '192.168.122.83']"
+ options = {"index": "i1, i2"}
+ query = translation.translate('splunk', 'query', '{}', stix_pattern, options)
+ queries = f'search index="i1" OR index="i2" ((src_ip = "192.168.122.83") OR (dest_ip = "192.168.122.83")) earliest="-5minutes" | head 10000 | fields {fields}'
 _test_query_assertions(query, queries)
 def test_custom_mapping(self):
From 7fe614dde93e3b9a097e96ffaa1fd821c66c1b6a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Jan 2023 10:06:22 -0400 Subject: [PATCH 16/30] Bump pyopenssl from 22.1.0 to 23.0.0 in /stix_shifter (#1264) Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 22.1.0 to 23.0.0. - [Release notes](https://github.com/pyca/pyopenssl/releases) - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/22.1.0...23.0.0) --- updated-dependencies: - dependency-name: pyopenssl dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Md Azam --- stix_shifter/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stix_shifter/requirements.txt b/stix_shifter/requirements.txt
index 60e59f0c1..6ca228037 100644
--- a/stix_shifter/requirements.txt
+++ b/stix_shifter/requirements.txt
@@ -2,7 +2,7 @@ adal==1.2.7
 antlr4-python3-runtime==4.8
 boto3==1.26.41
 flask==2.2.2
-pyOpenSSL==22.1.0
+pyOpenSSL==23.0.0
 flatten_json==0.1.13
 python-dateutil==2.8.2
 requests_toolbelt==0.10.1
From 0e35117e8e2a06fa6326deedde2689c909fabd55 Mon Sep 17 00:00:00 2001 From: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com> Date: Tue, 10 Jan 2023 16:59:53 +0000 Subject: [PATCH 17/30] Updated changes for the issue #1270 (#1272) Updated the test cases with double backslash for Windows paths. --- .../test_paloalto_json_to_stix.py | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_json_to_stix.py b/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_json_to_stix.py
index f1b6122fb..cd0d53f09 100644
--- a/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_json_to_stix.py
+++ b/stix_shifter_modules/paloalto/tests/stix_translation/test_paloalto_json_to_stix.py
@@ -81,10 +81,10 @@ def test_file_json_to_stix(self): def test_process_json_to_stix(self): """ to test process stix object properties """ - data = {'xdr_data': {'action_process_image_command_line': 'C:\Windows\system32\lsass.exe', - 'actor_process_command_line': 'C:\Windows\system32\lsass.exe', - 'causality_actor_process_command_line': 'C:\Windows\system32\lsass.exe', - 'os_actor_process_command_line': 'C:\Windows\system32\lsass.exe', + data = {'xdr_data': {'action_process_image_command_line': 'C:\\Windows\\system32\\lsass.exe', + 'actor_process_command_line': 'C:\\Windows\\system32\\lsass.exe', + 'causality_actor_process_command_line': 'C:\\Windows\\system32\\lsass.exe', + 'os_actor_process_command_line': 'C:\\Windows\\system32\\lsass.exe', 'actor_process_file_create_time': '1631299512000', 'causality_actor_process_file_create_time': '1536995564723', 'os_actor_process_file_create_time': '1637334466002', @@ -117,7 +117,7 @@ def test_process_json_to_stix(self): assert process_obj['type'] == 'process' assert process_obj['name'] == 'wevtutil.exe' assert process_obj['pid'] == 6228 - assert process_obj['command_line'] == 'C:\Windows\system32\lsass.exe' + assert process_obj['command_line'] == 'C:\\Windows\\system32\\lsass.exe' def test_network_traffic_json_to_stix(self): """to test network-traffic stix object properties""" @@ -228,7 +228,7 @@ def test_domain_name_json_to_stix(self): assert domain_obj['value'] == 'dl.delivery.mp.microsoft.com' def test_windows_registry_key_json_to_stix(self): - """to test windows registry stix object properties""" + """to test Windows registry stix object properties""" data = {'xdr_data': {'action_registry_key_name': 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt' '\\Enum', 
@@ -251,7 +251,7 @@ def test_windows_registry_key_json_to_stix(self): assert windows_obj is not None assert windows_obj['type'] == 'windows-registry-key' assert windows_obj['key'] == 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt\\Enum' - assert windows_obj['values'] == [{'name':'Start'}] + assert windows_obj['values'] == [{'name': 'Start'}] def test_url_json_to_stix(self): """to test url stix object properties""" @@ -330,7 +330,7 @@ def test_custom_process_json_to_stix(self): assert custom_process_obj['extensions']['x-paloalto-process']['signature_vendor'] == "Microsoft Corporation" assert custom_process_obj['extensions']['x-paloalto-process']['signature_status'] == "SIGNED" assert custom_process_obj['extensions']['x-paloalto-process']['execution_time'] == "2022-01-04T07:10:55.000Z" - assert custom_process_obj['extensions']['x-paloalto-process']['is_native'] == False + assert custom_process_obj['extensions']['x-paloalto-process']['is_native'] is False def test_asset_json_to_stix(self): """to test custom oca-asset stix object properties""" @@ -360,7 +360,7 @@ def test_asset_json_to_stix(self): assert asset_obj['extensions']['x-paloalto-agent']['content_version'] == "350-80787" assert asset_obj['extensions']['x-paloalto-agent']['start_time'] == "2022-01-20T07:04:01.933Z" assert asset_obj['extensions']['x-paloalto-agent']['os_sub_type'] == "Windows Server 2016" - assert asset_obj['extensions']['x-paloalto-agent']['is_vdi'] == False + assert asset_obj['extensions']['x-paloalto-agent']['is_vdi'] is False def test_evtlog_json_to_stix(self): """to test custom evtlog stix object properties""" 
@@ -439,5 +439,5 @@ def test_custom_network_json_to_stix(self): assert network_obj is not None assert network_obj['extensions']['x-paloalto-network']['creation_time'] == '1975-03-21T11:12:13.729Z' assert network_obj['extensions']['x-paloalto-network']['connection_id'] == "AdgAsdUgVlUAAAbYAAAAAA==" - assert network_obj['extensions']['x-paloalto-network']['is_proxy'] == False + assert network_obj['extensions']['x-paloalto-network']['is_proxy'] is False assert network_obj['extensions']['x-paloalto-network']['external_hostname'] == 'Windows 8' From 7246cdf663416301c8fe91a4cbcba466063e3045 Mon Sep 17 00:00:00 2001 From: Paul Coccoli Date: Tue, 10 Jan 2023 14:23:41 -0500 Subject: [PATCH 18/30] Use raw strings for regex (#1276) --- .../src/json_to_stix/observable.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/stix_shifter_utils/stix_translation/src/json_to_stix/observable.py b/stix_shifter_utils/stix_translation/src/json_to_stix/observable.py index a30da0417..39eef3212 100644 --- a/stix_shifter_utils/stix_translation/src/json_to_stix/observable.py +++ b/stix_shifter_utils/stix_translation/src/json_to_stix/observable.py 
@@ -1,11 +1,11 @@ REGEX = { - 'date': '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(.\d+)?Z', - 'ipv4': ('^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'), # noqa: E501 - 'ipv6': ('^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$'), - 'mac': ('^(([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})|([0-9a-fA-F]{3}[\.]){3}([0-9a-fA-F]{3}))$'), - 'ipv4_cidr': ('^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(([1-2][0-9])|(3[0-2])|[0-9])$'), # noqa: E501 - 'domain_name': ('^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(\.)?)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$'), - 'ipv6_cidr': ('^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:' '[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|' '([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|' '[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%' '[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}' '[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/((1[0-2][0-8])|([1-9][0-9])|[0-9])$') + 'date': 
r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(.\d+)?Z', + 'ipv4': (r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'), # noqa: E501 + 'ipv6': (r'^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$'), + 'mac': (r'^(([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})|([0-9a-fA-F]{3}[\.]){3}([0-9a-fA-F]{3}))$'), + 'ipv4_cidr': (r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(([1-2][0-9])|(3[0-2])|[0-9])$'), # noqa: E501 + 'domain_name': (r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(\.)?)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$'), + 'ipv6_cidr': (r'^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:' r'[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|' r'([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|' r'[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%' r'[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}' r'[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/((1[0-2][0-8])|([1-9][0-9])|[0-9])$') } properties = { 
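Review bot: The raw-string conversion keeps the `date` entry's unescaped `.` in `(.\d+)?Z`, so the optional fraction accepts any separator (a constructed `2023-01-10T15:53:01x729Z` matches), and the pattern is the only one in the dict without `^`/`$` anchors, so it also depends on the caller using `fullmatch`; `r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$'` is the intended form. The `\/` in `ipv4_cidr`/`ipv6_cidr` and `[\.]` in `mac` are redundant now that the literals are raw (`/` is not a metacharacter in Python `re`); tidying them would keep the patterns readable. How REGEX is consumed is not visible in this hunk.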
From 214babdccb9d2f068fb5bff2a2654db4b7f455c1 Mon Sep 17 00:00:00 2001 From: Md Azam Date: Tue, 10 Jan 2023 15:53:01 -0400 Subject: [PATCH 19/30] Update OCSF schema in Athena mappings (#1245) --- .../json/ocsf_from_stix_map.json | 252 +- .../stix_2_1/guardduty_from_stix_map.json | 77 + .../json/stix_2_1/ocsf_from_stix_map.json | 820 +++++ .../json/stix_2_1/to_stix_map.json | 3100 +++++++++++++++++ .../json/stix_2_1/vpcflow_from_stix_map.json | 39 + .../stix_translation/json/to_stix_map.json | 1961 ++++++++++- .../test_aws_athena_json_to_stix.py | 2 +- .../test_aws_athena_stix_to_query.py | 2 +- 8 files changed, 6103 insertions(+), 150 deletions(-) create mode 100644 stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/guardduty_from_stix_map.json create mode 100644 stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json create mode 100644 stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json create mode 100644 stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/vpcflow_from_stix_map.json diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json index 2219e3df0..32e0c5c12 100644 --- a/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json +++ b/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json 
@@ -6,6 +6,91 @@ ] } }, + "file": { + "fields": { + "accessed": [ + "file.accessed_time" + ], + "created": [ + "file.created_time" + ], + "extensions.'x-ocsf-file-ext'.algorithm": [ + "file.fingerprints.algorithm" + ], + "extensions.'x-ocsf-file-ext'.algorithm_id": [ + "file.fingerprints.algorithm_id" + ], + "extensions.'x-ocsf-file-ext'.algorithm_value": [ + "file.fingerprints.value" + ], + "extensions.'x-ocsf-file-ext'.attributes": [ + "file.attributes" + ], + "extensions.'x-ocsf-file-ext'.company_name": [ + "file.company_name" + ], + "extensions.'x-ocsf-file-ext'.confidentiality": [ + "file.confidentiality" + ], + "extensions.'x-ocsf-file-ext'.confidentiality_id": [ + "file.confidentiality_id" + ], + "extensions.'x-ocsf-file-ext'.description": [ + "file.desc" + ], + "extensions.'x-ocsf-file-ext'.feature_name": [ + "file.product.feature.name" + ], + "extensions.'x-ocsf-file-ext'.feature_uid": [ + "file.product.feature.uid" + ], + "extensions.'x-ocsf-file-ext'.feature_version": [ + "file.product.feature.version" + ], + "extensions.'x-ocsf-file-ext'.installed_path": [ + "file.product.path" + ], + "extensions.'x-ocsf-file-ext'.product_lang": [ + "file.product.lang" + ], + "extensions.'x-ocsf-file-ext'.product_name": [ + "file.product.name" + ], + "extensions.'x-ocsf-file-ext'.product_uid": [ + "file.product.uid" + ], + "extensions.'x-ocsf-file-ext'.product_vendor": [ + "file.product.vendor_name" + ], + "extensions.'x-ocsf-file-ext'.product_version": [ + "file.product.version" + ], + "extensions.'x-ocsf-file-ext'.security_descriptor": [ + "file.security_descriptor" + ], + "extensions.'x-ocsf-file-ext'.signature": [ + "file.signature" + ], + "extensions.'x-ocsf-file-ext'.type": [ + "file.type" + ], + "extensions.'x-ocsf-file-ext'.type_id": [ + "file.type_id" + ], + "extensions.'x-ocsf-file-ext'.uid": [ + "file.uid" + ], + "extensions.'x-ocsf-file-ext'.version": [ + "file.version" + ], + "name": [ + "file.name" + ], + "size": [ + "file.size" + ] + } + }, "ipv4-addr": { 
"fields": { "value": [ @@ -77,6 +162,58 @@ ] } }, + "process": { + "fields": { + "binary_ref.name": [ + "file.name" + ], + "command_line": [ + "process.cmd_line" + ], + "created": [ + "process.created_time" + ], + "extensions.'x-ocsf-process-ext'.integrity": [ + "process.integrity" + ], + "extensions.'x-ocsf-process-ext'.integrity_id": [ + "process.integrity_id" + ], + "extensions.'x-ocsf-process-ext'.is_system": [ + "process.is_system" + ], + "extensions.'x-ocsf-process-ext'.lineage": [ + "process.lineage" + ], + "extensions.'x-ocsf-process-ext'.loaded_modules": [ + "process.sandbox" + ], + "extensions.'x-ocsf-process-ext'.terminated_time": [ + "terminated_time" + ], + "extensions.'x-ocsf-process-ext'.tid": [ + "process.tid" + ], + "x_unique_id": [ + "process.uid" + ], + "extensions.'x-ocsf-process-ext'.xattributes": [ + "process.xattributes" + ], + "mime_type": [ + "mime_type" + ], + "extensions.'x-ocsf-process-ext'.modified_time": [ + "process.modified_time" + ], + "name": [ + "process.name" + ], + "pid": [ + "process.pid" + ] + } + }, "software": { "fields": { "extension.product.feature_name": [ @@ -176,7 +313,8 @@ "x-ibm-finding": { "fields": { "alert_id": [ - "observables.type_id" + "observables.type_id", + "finding.uid" ], "description": [ "observables.value" @@ -194,7 +332,11 @@ "observables.type" ], "name": [ - "observables.name" + "observables.name", + "finding.title" + ], + "types": [ + "finding.types" ], "severity": [ "severity_id" @@ -203,10 +345,10 @@ "src_endpoint.ip" ], "start": [ - "start_time" + "finding.created_time" ], "time_observed": [ - "_time" + "finding.first_seen_time" ] } }, @@ -251,7 +393,8 @@ "x-oca-event": { "fields": { "action": [ - "activity" + "activity", + "activity_name" ], "category": [ "category_name" @@ -260,6 +403,9 @@ "activity_id", "category_uid" ], + "confidence": [ + "confidence" + ], "created": [ "time" ], 
@@ -393,6 +539,38 @@ ] } }, + "x-ibm-ttp-tagging": { + "fields": { + "name": [ + "attack.technique.name" + ], + "extensions.'mitre-attack-ext'.tactic_name": [ + "attack.tactics.name" + ], + "extensions.'mitre-attack-ext'.tactic_id": [ + "attack.tactics.uid" + ], + "extensions.'mitre-attack-ext'.technique_id": [ + "attack.technique.uid" + ], + "extensions.'mitre-attack-ext'.version": [ + "attack.version" + ] + } + }, + "x-ocsf-compliance": { + "fields": { + "requirements": [ + "compliance.requirements" + ], + "status": [ + "compliance.status" + ], + "status_detail": [ + "compliance.status_detail" + ] + } + }, "x-ocsf-enrichments": { "fields": { "data": [ @@ -510,6 +688,70 @@ ] } }, + "x-ocsf-malware": { + "fields": { + "base_score": [ + "malware.cves.cvss.base_score" + ], + "classification_ids": [ + "malware.classification_ids" + ], + "classifications": [ + "malware.classifications" + ], + "created_time": [ + "malware.cves.created_time" + ], + "cwe_uid": [ + "malware.cves.cwe_uid" + ], + "cwe_url": [ + "malware.cves.cwe_url" + ], + "depth": [ + "malware.cves.cvss.depth" + ], + "lang": [ + "malware.cves.product.lang" + ], + "modified_time": [ + "malware.cves.modified_time" + ], + "name": [ + "malware.name" + ], + "overall_score": [ + "malware.cves.cvss.overall_score" + ], + "path": [ + "malware.path" + ], + "provider": [ + "malware.provider" + ], + "severity": [ + "malware.cves.cvss.severity" + ], + "type": [ + "malware.cves.type" + ], + "uid": [ + "malware.uid" + ], + "value": [ + "malware.cves.product.value" + ], + "vector_string": [ + "malware.cves.cvss.vector_string" + ], + "vendor_name": [ + "malware.cves.product.vendor_name" + ], + "version": [ + "malware.cves.cvss.version" + ] + } + }, "x-ocsf-metadata": { "fields": { "correlation_uid": [ 
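Review bot: The new `x-ibm-ttp-tagging` entries in hunk `@@ -393,6 +539,38 @@` query `attack.technique.name`, `attack.tactics.name`, `attack.tactics.uid`, `attack.technique.uid` and `attack.version`, but the stix_2_1 to_stix map added in the same commit reads these values from `attacks.tactics.*`, `attacks.technique.*` and `attacks.version` (the `attacks` entry in hunk `@@ -0,0 +1,3100 @@`), and the stix_2_1 ocsf_from_stix_map copy (hunk `@@ -0,0 +1,820 @@`) repeats the singular `attack.` form. Only one of the two spellings can match the real column, so either the to-STIX side never populates the tagging objects or a query on an observed technique name matches nothing; please confirm the OCSF column name and align both from-STIX files with it, e.g. `"name": ["attacks.technique.name"]`. A one-line comment is not possible in JSON, so the contract is best recorded in the module's mapping README or the test that round-trips a technique name.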
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/guardduty_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/guardduty_from_stix_map.json
new file mode 100644
index 000000000..c373c6f2a
--- /dev/null
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/guardduty_from_stix_map.json
@@ -0,0 +1,77 @@
+{
+ "ipv4-addr": {
+ "fields": {
+ "value": ["eth0_private_ip", "eth1_private_ip", "public_ip", "remote_ip"],
+ "x_aws_interface_id": ["interface_id"],
+ "x_aws_remote_city_name": ["city_name"],
+ "x_aws_remote_country_name": ["country_name"]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": ["ipv6_address"],
+ "x_aws_interface_id": ["interface_id"]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_port": ["local_port"],
+ "dst_port": ["remote_port"],
+ "src_ref.value": ["eth0_private_ip"],
+ "dst_ref.value": ["remote_ip"],
+ "protocols[*]": ["protocol"]
+ }
+ },
+ "domain-name":{
+ "fields": {
+ "value": ["eth0_private_dns_name","eth1_private_dns_name", "public_dns_name", "dns_domain"]
+ }
+ },
+ "user-account": {
+ "fields": {
+ "user_id": ["principal_id"],
+ "account_login": ["user_name"]
+ }
+ },
+ "x-aws-details": {
+ "fields": {
+ "account_id": ["accountid"],
+ "region": ["region"]
+ }
+ },
+ "x-aws-instance": {
+ "fields": {
+ "instance_id": ["instance_id"],
+ "image_id": ["image_id"],
+ "availability_zone": ["availability_zone"]
+ }
+ },
+ "x-aws-vpc": {
+ "fields": {
+ "vpc_id": ["vpc_id"],
+ "subnet_id": ["subnet_id"],
+ "security_group_name": ["security_group_name"],
+ "security_group_id": ["security_group_id"]
+ }
+ },
+ "x-aws-api": {
+ "fields": {
+ "access_key_id": ["access_key_id"],
+ "api": ["api"],
+ "api_service_name": ["api_service_name"]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "name": ["title"],
+ "finding_type": ["type"],
+ "description": ["description"],
+ "src_ip_ref.value": ["eth0_private_ip"],
+ "dst_ip_ref.value": ["remote_ip"],
+ "start": ["event_firstseen"],
+ "end": ["event_lastseen"],
+ "src_os_ref.value": ["platform"],
+ "dst_geolocation": ["country_name"]
+ }
+ }
+}
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
new file mode 100644
index 000000000..95ecfd457
--- /dev/null
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
@@ -0,0 +1,820 @@ +{ + "email-addr": { + "fields": { + "value": [ + "identity.user.email_addr" + ] + } + }, + "file": { + "fields": { + "accessed": [ + "file.atime" + ], + "ctime": [ + "file.created_time" + ], + "extensions.'x-ocsf-file-ext'.algorithm": [ + "file.fingerprints.algorithm" + ], + "extensions.'x-ocsf-file-ext'.algorithm_id": [ + "file.fingerprints.algorithm_id" + ], + "extensions.'x-ocsf-file-ext'.algorithm_value": [ + "file.fingerprints.value" + ], + "extensions.'x-ocsf-file-ext'.attributes": [ + "file.attributes" + ], + "extensions.'x-ocsf-file-ext'.company_name": [ + "file.company_name" + ], + "extensions.'x-ocsf-file-ext'.confidentiality": [ + "file.confidentiality" + ], + "extensions.'x-ocsf-file-ext'.confidentiality_id": [ + "file.confidentiality_id" + ], + "extensions.'x-ocsf-file-ext'.description": [ + "file.desc" + ], + "extensions.'x-ocsf-file-ext'.feature_name": [ + "file.product.feature.name" + ], + "extensions.'x-ocsf-file-ext'.feature_uid": [ + "file.product.feature.uid" + ], + "extensions.'x-ocsf-file-ext'.feature_version": [ + "file.product.feature.version" + ], + "extensions.'x-ocsf-file-ext'.installed_path": [ + "file.product.path" + ], + "extensions.'x-ocsf-file-ext'.product_lang": [ + "file.product.lang" + ], + "extensions.'x-ocsf-file-ext'.product_name": [ + "file.product.name" + ], + "extensions.'x-ocsf-file-ext'.product_uid": [ + "file.product.uid" + ], + "extensions.'x-ocsf-file-ext'.product_vendor": [ + "file.product.vendor_name" + ], + "extensions.'x-ocsf-file-ext'.product_version": [ + "file.product.version" + ], + "extensions.'x-ocsf-file-ext'.security_descriptor": [ + "file.security_descriptor" + ], + "extensions.'x-ocsf-file-ext'.signature": [ + "file.signature" + ], + "extensions.'x-ocsf-file-ext'.type": [ + "file.type" + ], + "extensions.'x-ocsf-file-ext'.type_id": [ + "file.type_id" + ], + "extensions.'x-ocsf-file-ext'.uid": [ + "file.uid" + ], + "extensions.'x-ocsf-file-ext'.version": [ + "file.version" + ], + "name": 
[ + "file.name" + ], + "size": [ + "file.size" + ] + } + }, + "ipv4-addr": { + "fields": { + "value": [ + "dst_endpoint.ip", + "src_endpoint.ip" + ] + } + }, + "ipv6-addr": { + "fields": { + "value": [ + "dst_endpoint.ip", + "src_endpoint.ip" + ] + } + }, + "network-traffic": { + "fields": { + "dst_byte_count": [ + "traffic.bytes_in" + ], + "dst_packets": [ + "traffic.packets_in" + ], + "dst_port": [ + "dst_endpoint.port" + ], + "dst_ref.value": [ + "dst_endpoint.ip" + ], + "extensions.'x-network-ext'.boundary": [ + "connection_info.boundary" + ], + "extensions.'x-network-ext'.boundary_id": [ + "connection_info.boundary_id" + ], + "extensions.'x-network-ext'.bytes": [ + "traffic.bytes" + ], + "extensions.'x-network-ext'.direction": [ + "connection_info.direction" + ], + "extensions.'x-network-ext'.direction_id": [ + "connection_info.direction_id" + ], + "extensions.'x-network-ext'.packets": [ + "traffic.packets" + ], + "extensions.'x-network-ext'.protocol_ver": [ + "connection_info.protocol_ver" + ], + "extensions.'x-network-ext'.tcp_flags": [ + "connection_info.tcp_flags" + ], + "protocols[*]": [ + "connection_info.protocol_num" + ], + "src_byte_count": [ + "traffic.bytes_out" + ], + "src_packets": [ + "traffic.packets_out" + ], + "src_port": [ + "src_endpoint.port" + ], + "src_ref.value": [ + "src_endpoint.ip" + ] + } + }, + "process": { + "fields": { + "image_ref.name": [ + "file.name" + ], + "command_line": [ + "process.cmd_line" + ], + "created_time": [ + "process.created_time" + ], + "extensions.'x-ocsf-process-ext'.integrity": [ + "process.integrity" + ], + "extensions.'x-ocsf-process-ext'.integrity_id": [ + "process.integrity_id" + ], + "extensions.'x-ocsf-process-ext'.is_system": [ + "process.is_system" + ], + "extensions.'x-ocsf-process-ext'.lineage": [ + "process.lineage" + ], + "extensions.'x-ocsf-process-ext'.loaded_modules": [ + "process.sandbox" + ], + "extensions.'x-ocsf-process-ext'.terminated_time": [ + "terminated_time" + ], + 
"extensions.'x-ocsf-process-ext'.tid": [ + "process.tid" + ], + "x_unique_id": [ + "process.uid" + ], + "extensions.'x-ocsf-process-ext'.xattributes": [ + "process.xattributes" + ], + "mime_type": [ + "mime_type" + ], + "extensions.'x-ocsf-process-ext'.modified_time": [ + "process.modified_time" + ], + "x_name": [ + "process.name" + ], + "pid": [ + "process.pid" + ] + } + }, + "software": { + "fields": { + "extension.product.feature_name": [ + "metadata.product.feature.name" + ], + "extension.product.feature_uid": [ + "metadata.product.feature.uid" + ], + "extension.product.feature_version": [ + "metadata.product.feature.version" + ], + "extension.product.path": [ + "metadata.product.path" + ], + "extension.product.uid": [ + "metadata.product.uid" + ], + "languages": [ + "metadata.product.lang" + ], + "name": [ + "metadata.product.name" + ], + "vendor": [ + "metadata.product.vendor_name" + ], + "version": [ + "metadata.product.version" + ] + } + }, + "url": { + "fields": { + "value": [ + "http_request.url" + ] + } + }, + "user-account": { + "fields": { + "account_type": [ + "identity.user.account_type" + ], + "display_name": [ + "identity.user.name" + ], + "extensions.'aws-account-ext'.account_type_id": [ + "identity.user.account_type_id" + ], + "extensions.'aws-account-ext'.credential_uid": [ + "identity.user.credential_uid" + ], + "extensions.'aws-account-ext'.domain": [ + "identity.user.domain" + ], + "extensions.'aws-account-ext'.group_desc": [ + "identity.user.groups.desc" + ], + "extensions.'aws-account-ext'.group_name": [ + "identity.user.groups.name" + ], + "extensions.'aws-account-ext'.group_privileges": [ + "identity.user.groups.privileges" + ], + "extensions.'aws-account-ext'.group_type": [ + "identity.user.groups.type" + ], + "extensions.'aws-account-ext'.group_uid": [ + "identity.user.groups.uid" + ], + "extensions.'aws-account-ext'.org_uid": [ + "identity.user.org_uid" + ], + "extensions.'aws-account-ext'.session_uid": [ + "identity.user.session_uid" 
+ ], + "extensions.'aws-account-ext'.session_uuid": [ + "identity.user.session_uuid" + ], + "extensions.'aws-account-ext'.type": [ + "identity.user.type" + ], + "extensions.'aws-account-ext'.type_id": [ + "identity.user.type_id" + ], + "extensions.'aws-account-ext'.uid": [ + "identity.user.uid" + ], + "extensions.'aws-account-ext'.uuid": [ + "identity.user.uuid" + ], + "user_id": [ + "identity.user.account_uid" + ] + } + }, + "x-ibm-finding": { + "fields": { + "alert_id": [ + "observables.type_id", + "finding.uid" + ], + "description": [ + "observables.value" + ], + "dst_ip_ref.value": [ + "dst_endpoint.ip" + ], + "end": [ + "end_time" + ], + "event_count": [ + "count" + ], + "finding_type": [ + "observables.type" + ], + "name": [ + "observables.name", + "finding.title" + ], + "types": [ + "finding.types" + ], + "severity": [ + "severity_id" + ], + "src_ip_ref.value": [ + "src_endpoint.ip" + ], + "start": [ + "finding.created_time" + ], + "time_observed": [ + "finding.first_seen_time" + ] + } + }, + "x-oca-asset": { + "fields": { + "extensions.'x-dst-endpoint'.instance_uid": [ + "dst_endpoint.instance_uid" + ], + "extensions.'x-dst-endpoint'.interface_uid": [ + "dst_endpoint.interface_uid" + ], + "extensions.'x-dst-endpoint'.subnet_uid": [ + "dst_endpoint.subnet_uid" + ], + "extensions.'x-dst-endpoint'.svc_name": [ + "dst_endpoint.svc_name" + ], + "extensions.'x-dst-endpoint'.vpc_uid": [ + "dst_endpoint.vpc_uid" + ], + "extensions.'x-src-endpoint'.instance_uid": [ + "src_endpoint.instance_uid" + ], + "extensions.'x-src-endpoint'.interface_uid": [ + "src_endpoint.interface_uid" + ], + "extensions.'x-src-endpoint'.subnet_uid": [ + "src_endpoint.subnet_uid" + ], + "extensions.'x-src-endpoint'.svc_name": [ + "src_endpoint.svc_name" + ], + "extensions.'x-src-endpoint'.vpc_uid": [ + "src_endpoint.vpc_uid" + ], + "name": [ + "dst_endpoint.name", + "src_endpoint.name" + ] + } + }, + "x-oca-event": { + "fields": { + "action": [ + "activity", + "activity_name" + ], + 
"category": [ + "category_name" + ], + "code": [ + "activity_id", + "category_uid" + ], + "confidence": [ + "confidence" + ], + "created": [ + "time" + ], + "duration": [ + "duration" + ], + "extensions.'x-cloud-api'.class_uid": [ + "class_uid" + ], + "module": [ + "class_name" + ], + "network_ref.dst_ref.value": [ + "dst_endpoint.ip" + ], + "network_ref.src_ref.value": [ + "dst_endpoint.ip" + ], + "timezone": [ + "timezone_offset" + ] + } + }, + "x-ocsf-cloud": { + "fields": { + "account_type": [ + "cloud.account_type" + ], + "account_type_id": [ + "cloud.account_type_id" + ], + "account_uid": [ + "cloud.account_uid" + ], + "api_version": [ + "api.version" + ], + "message": [ + "message" + ], + "operation": [ + "api.operation" + ], + "org_uid": [ + "cloud.org_uid" + ], + "profiles": [ + "profiles" + ], + "project_uid": [ + "cloud.project_uid" + ], + "provider": [ + "cloud.provider" + ], + "raw_data": [ + "raw_data" + ], + "ref_event_code": [ + "ref_event_code" + ], + "ref_event_name": [ + "ref_event_name" + ], + "ref_event_uid": [ + "ref_event_uid" + ], + "ref_time": [ + "ref_time" + ], + "region": [ + "cloud.region" + ], + "request_flags": [ + "api.request.flags" + ], + "request_uid": [ + "api.request.uid" + ], + "resource_uid": [ + "cloud.resource_uid" + ], + "response_code": [ + "api.response.code" + ], + "response_error": [ + "api.response.error" + ], + "response_error_message": [ + "api.response.error_message" + ], + "response_flags": [ + "api.response.flags" + ], + "response_message": [ + "api.response.message" + ], + "service_labels": [ + "api.service.labels" + ], + "service_name": [ + "api.service.name" + ], + "service_uid": [ + "api.service.uid", + "api.service.version" + ], + "severity": [ + "severity" + ], + "status": [ + "status" + ], + "status_code": [ + "status_code" + ], + "status_detail": [ + "status_detail" + ], + "status_id": [ + "status_id" + ], + "type_name": [ + "type_name" + ], + "type_uid": [ + "type_uid" + ], + "zone": [ + "cloud.zone" + ] 
+ } + }, + "x-ibm-ttp-tagging": { + "fields": { + "name": [ + "attack.technique.name" + ], + "extensions.'mitre-attack-ext'.tactic_name": [ + "attack.tactics.name" + ], + "extensions.'mitre-attack-ext'.tactic_id": [ + "attack.tactics.uid" + ], + "extensions.'mitre-attack-ext'.technique_id": [ + "attack.technique.uid" + ], + "extensions.'mitre-attack-ext'.version": [ + "attack.version" + ] + } + }, + "x-ocsf-compliance": { + "fields": { + "requirements": [ + "compliance.requirements" + ], + "status": [ + "compliance.status" + ], + "status_detail": [ + "compliance.status_detail" + ] + } + }, + "x-ocsf-enrichments": { + "fields": { + "data": [ + "enrichments.data" + ], + "name": [ + "enrichments.name" + ], + "provider": [ + "enrichments.provider" + ], + "type": [ + "enrichments.type" + ], + "value": [ + "enrichments.value" + ] + } + }, + "x-ocsf-http-request": { + "fields": { + "http_headers_name": [ + "http_request.http_headers.name" + ], + "http_headers_value": [ + "http_request.http_headers.value" + ], + "http_method": [ + "http_request.http_method" + ], + "prefix": [ + "http_request.prefix" + ], + "referrer": [ + "http_request.referrer" + ], + "uid": [ + "http_request.uid" + ], + "user_agent": [ + "http_request.user_agent" + ], + "value": [ + "http_request.args" + ], + "version": [ + "http_request.version" + ], + "x_forwarded_for": [ + "http_request.x_forwarded_for" + ] + } + }, + "x-ocsf-identity": { + "fields": { + "authorizations.decision": [ + "identity.authorizations.decision" + ], + "authorizations.name": [ + "identity.authorizations.policy.name" + ], + "authorizations.policy_desc": [ + "identity.authorizations.policy.desc" + ], + "authorizations.policy_group_desc": [ + "identity.authorizations.policy.group.desc" + ], + "authorizations.policy_group_namee": [ + "identity.authorizations.policy.group.name" + ], + "authorizations.policy_group_privileges": [ + "identity.authorizations.policy.group.privileges" + ], + "authorizations.policy_group_type": [ + 
"identity.authorizations.policy.group.type" + ], + "authorizations.policy_group_uid": [ + "identity.authorizations.policy.group.uid" + ], + "authorizations.uid": [ + "identity.authorizations.policy.uid" + ], + "authorizations.version": [ + "identity.authorizations.policy.version" + ], + "idp.name": [ + "identity.idp.name" + ], + "idp.uid": [ + "identity.idp.uid" + ], + "invoked_by": [ + "identity.invoked_by" + ], + "message": [ + "identity.message" + ], + "session.created_time": [ + "identity.session.created_time" + ], + "session.credential_uid": [ + "identity.session.credential_uid" + ], + "session.expiration_time": [ + "identity.session.expiration_time" + ], + "session.issuer": [ + "identity.session.issuer" + ], + "session.mfa": [ + "identity.session.mfa" + ], + "session.uid": [ + "identity.session.uid" + ] + } + }, + "x-ocsf-malware": { + "fields": { + "base_score": [ + "malware.cves.cvss.base_score" + ], + "classification_ids": [ + "malware.classification_ids" + ], + "classifications": [ + "malware.classifications" + ], + "created_time": [ + "malware.cves.created_time" + ], + "cwe_uid": [ + "malware.cves.cwe_uid" + ], + "cwe_url": [ + "malware.cves.cwe_url" + ], + "depth": [ + "malware.cves.cvss.depth" + ], + "lang": [ + "malware.cves.product.lang" + ], + "modified_time": [ + "malware.cves.modified_time" + ], + "name": [ + "malware.name" + ], + "overall_score": [ + "malware.cves.cvss.overall_score" + ], + "path": [ + "malware.path" + ], + "provider": [ + "malware.provider" + ], + "severity": [ + "malware.cves.cvss.severity" + ], + "type": [ + "malware.cves.type" + ], + "uid": [ + "malware.uid" + ], + "value": [ + "malware.cves.product.value" + ], + "vector_string": [ + "malware.cves.cvss.vector_string" + ], + "vendor_name": [ + "malware.cves.product.vendor_name" + ], + "version": [ + "malware.cves.cvss.version" + ] + } + }, + "x-ocsf-metadata": { + "fields": { + "correlation_uid": [ + "metadata.correlation_uid" + ], + "labels": [ + "metadata.labels" + ], + 
"logged_time": [ + "metadata.logged_time" + ], + "modified_time": [ + "metadata.modified_time" + ], + "processed_time": [ + "metadata.processed_time" + ], + "sequence": [ + "metadata.sequence" + ], + "uid": [ + "metadata.uid" + ], + "version": [ + "metadata.version" + ] + } + }, + "x-ocsf-resources": { + "fields": { + "account_uid": [ + "resources.account_uid" + ], + "cloud_partition": [ + "resources.cloud_partition" + ], + "criticality": [ + "resources.criticality" + ], + "details": [ + "resources.details" + ], + "group_name": [ + "resources.group_name" + ], + "labels": [ + "resources.labels" + ], + "name": [ + "resources.name" + ], + "owner": [ + "resources.owner" + ], + "region": [ + "resources.region" + ], + "type": [ + "resources.type" + ], + "uid": [ + "resources.uid" + ] + } + } +} \ No newline at end of file diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json new file mode 100644 index 000000000..0c184915b --- /dev/null +++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json 
@@ -0,0 +1,3100 @@ +{ + "ocsf": { + "_time": [ + { + "key": "first_observed", + "cybox": false, + "transformer": "EpochToTimestamp" + }, + { + "key": "last_observed", + "cybox": false, + "transformer": "EpochToTimestamp" + }, + { + "key": "x-ibm-finding.time_observed", + "object": "ibm_finding", + "transformer": "EpochToTimestamp" + } + ], + "activity": { + "key": "x-oca-event.action", + "object": "x_oca_event" + }, + "activity_id": { + "key": "x-oca-event.code", + "object": "x_oca_event", + "transformer": "ToInteger" + }, + "activity_name": { + "key": "x-oca-event.action", + "object": "x_oca_event" + }, + "api": { + "operation": { + "key": "x-ocsf-cloud.operation", + "object": "ocsf_cloud_api" + }, + "request": { + "flags": { + "key": "x-ocsf-cloud.request_flags", + "object": "ocsf_cloud_api", + "transformer": "ToLowercaseArray" + }, + "uid": { + "key": "x-ocsf-cloud.request_uid", + "object": "ocsf_cloud_api" + } + }, + "response": { + "code": { + "key": "x-ocsf-cloud.response_code", + "object": "ocsf_cloud_api", + "transformer": "ToInteger" + }, + "error": { + "key": "x-ocsf-cloud.response_error", + "object": "ocsf_cloud_api" + }, + "error_message": { + "key": "x-ocsf-cloud.response_error_message", + "object": "ocsf_cloud_api" + }, + "flags": { + "key": "x-ocsf-cloud.response_flags", + "object": "ocsf_cloud_api", + "transformer": "ToLowercaseArray" + }, + "message": { + "key": "x-ocsf-cloud.response_message", + "object": "ocsf_cloud_api" + } + }, + "service": { + "labels": { + "key": "x-ocsf-cloud.service_labels", + "object": "ocsf_cloud_api", + "transformer": "ToLowercaseArray" + }, + "name": { + "key": "x-ocsf-cloud.service_name", + "object": "ocsf_cloud_api" + }, + "uid": { + "key": "x-ocsf-cloud.service_uid", + "object": "ocsf_cloud_api" + }, + "version": { + "key": "x-ocsf-cloud.service_uid", + "object": "ocsf_cloud_api" + } + }, + "version": { + "key": "x-ocsf-cloud.api_version", + "object": "ocsf_cloud_api" + } + }, + "attacks": { + "tactics": { + "name": 
{ + "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_name", + "object": "ttp-tagging" + }, + "uid": { + "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_id", + "object": "ttp-tagging" + } + }, + "technique": { + "name": [ + { + "key": "x-ibm-ttp-tagging.name", + "object": "ttp-tagging" + }, + { + "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name", + "object": "ttp-tagging" + }, + { + "key": "x-ibm-finding.ttp_tagging_refs", + "object": "ibm_finding", + "references": [ + "ttp-tagging" + ] + } + ], + "uid": { + "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_id", + "object": "ttp-tagging" + } + }, + "version": { + "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.versoin", + "object": "ttp-tagging" + } + }, + "category_name": { + "key": "x-oca-event.category", + "object": "x_oca_event" + }, + "category_uid": { + "key": "x-oca-event.code", + "object": "x_oca_event", + "transformer": "ToInteger" + }, + "class_name": { + "key": "x-oca-event.module", + "object": "x_oca_event" + }, + "class_uid": { + "key": "x-oca-event.extensions.x-cloud-api.class_uid", + "object": "x_oca_event", + "transformer": "ToInteger" + }, + "cloud": { + "account_type": { + "key": "x-ocsf-cloud.account_type", + "object": "ocsf_cloud_api" + }, + "account_type_id": { + "key": "x-ocsf-cloud.account_type_id", + "object": "ocsf_cloud_api", + "transformer": "ToInteger" + }, + "account_uid": { + "key": "x-ocsf-cloud.account_uid", + "object": "ocsf_cloud_api" + }, + "org_uid": { + "key": "x-ocsf-cloud.org_uid", + "object": "ocsf_cloud_api" + }, + "project_uid": { + "key": "x-ocsf-cloud.project_uid", + "object": "ocsf_cloud_api" + }, + "provider": { + "key": "x-ocsf-cloud.provider", + "object": "ocsf_cloud_api" + }, + "region": { + "key": "x-ocsf-cloud.region", + "object": "ocsf_cloud_api" + }, + "resource_uid": { + "key": "x-ocsf-cloud.resource_uid", + "object": "ocsf_cloud_api" + }, + "zone": { + "key": "x-ocsf-cloud.zone", + "object": 
"ocsf_cloud_api" + } + }, + "compliance": { + "requirements": { + "key": "x-ocsf-compliance.requirements", + "object": "compliance" + }, + "status": { + "key": "x-ocsf-compliance.status", + "object": "compliance" + }, + "status_detail": { + "key": "x-ocsf-compliance.status_detail", + "object": "compliance" + } + }, + "confidence": { + "key": "x-oca-event.confidence", + "object": "x-oca-event" + }, + "count": [ + { + "key": "number_observed", + "cybox": false, + "transformer": "ToInteger" + }, + { + "key": "x-ibm-finding.event_count", + "transformer": "ToInteger", + "object": "ibm_finding" + } + ], + "data": { + "key": "x-oca-event.extensions.x-ocsf-data.data", + "object": "x-oca-event" + }, + "duration": { + "key": "x-oca-event.duration", + "object": "x_oca_event", + "transformer": "ToInteger" + }, + "end_time": [ + { + "key": "x-ibm-finding.end", + "object": "ibm_finding", + "transformer": "EpochToTimestamp" + }, + { + "key": "last_observed", + "cybox": false, + "transformer": "EpochToTimestamp" + } + ], + "enrichments": { + "data": { + "key": "x-ocsf-enrichments.data", + "object": "enrichments" + }, + "name": { + "key": "x-ocsf-enrichments.name", + "object": "enrichments" + }, + "provider": { + "key": "x-ocsf-enrichments.provider", + "object": "enrichments" + }, + "type": { + "key": "x-ocsf-enrichments.type", + "object": "enrichments" + }, + "value": { + "key": "x-ocsf-enrichments.value", + "object": "enrichments" + } + }, + "finding": { + "created_time": { + "key": "x-ibm-finding.start", + "object": "ibm_finding" + }, + "desc": { + "key": "x-ibm-finding.description", + "object": "ibm_finding" + }, + "first_seen_time": { + "key": "x-ibm-finding.time_observed", + "object": "ibm_finding" + }, + "last_seen_time": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.last_seen_time", + "object": "ibm_finding" + }, + "modified_time": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.modified_time", + "object": "ibm_finding" + }, + "product_uid": { + "key": 
"x-ibm-finding.extensions.x-ocsf-findings.product_uid", + "object": "ibm_finding" + }, + "related_events": { + "product_uid": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.product_uid", + "object": "ibm_finding" + }, + "type": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.type", + "object": "ibm_finding" + }, + "type_uid": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.type_uid", + "object": "ibm_finding" + }, + "uid": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.uid", + "object": "ibm_finding" + } + }, + "remediation": { + "desc": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.remediation_desc", + "object": "ibm_finding" + }, + "kb_articles": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.remediation_kb_articles", + "object": "ibm_finding" + } + }, + "src_url": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.src_url", + "object": "ibm_finding" + }, + "supporting_data": { + "key": "x-ibm-finding.extensions.x-ocsf-findings.upporting_data", + "object": "ibm_finding" + }, + "title": { + "key": "x-ibm-finding.name", + "object": "ibm_finding" + }, + "types": { + "key": "x-ibm-finding.types", + "object": "ibm_finding" + }, + "uid": { + "key": "x-ibm-finding.alert_id", + "object": "ibm_finding" + } + }, + "http_request": { + "args": { + "key": "x-ocsf-http-request.value", + "object": "http_request" + }, + "http_headers": { + "name": { + "key": "x-ocsf-http-request.http_headers_name", + "object": "ocsf_cloud_api" + }, + "value": { + "key": "x-ocsf-http-request.http_headers_value", + "object": "http_request" + } + }, + "http_method": { + "key": "x-ocsf-http-request.http_method", + "object": "http_request" + }, + "prefix": { + "key": "x-ocsf-http-request.prefix", + "object": "http_request" + }, + "referrer": { + "key": "x-ocsf-http-request.referrer", + "object": "http_request" + }, + "uid": { + "key": "x-ocsf-http-request.uid", + "object": "http_request" + }, + "url": { + "key": "url.value", + "object": "url" + }, + "user_agent": 
{ + "key": "x-ocsf-http-request.user_agent", + "object": "http_request" + }, + "version": { + "key": "x-ocsf-http-request.version", + "object": "http_request" + }, + "x_forwarded_for": { + "key": "x-ocsf-http-request.x_forwarded_for", + "object": "http_request" + } + }, + "identity": { + "authorizations": { + "decision": { + "key": "x-ocsf-identity.authorizations.decision", + "object": "x-ocsf-identity" + }, + "policy": { + "desc": { + "key": "x-ocsf-identity.authorizations.policy_desc", + "object": "x-ocsf-identity" + }, + "group": { + "desc": { + "key": "x-ocsf-identity.authorizations.policy_group_desc", + "object": "x-ocsf-identity" + }, + "name": { + "key": "x-ocsf-identity.authorizations.policy_group_namee", + "object": "x-ocsf-identity" + }, + "privileges": { + "key": "x-ocsf-identity.authorizations.policy_group_privileges", + "object": "x-ocsf-identity" + }, + "type": { + "key": "x-ocsf-identity.authorizations.policy_group_type", + "object": "x-ocsf-identity" + }, + "uid": { + "key": "x-ocsf-identity.authorizations.policy_group_uid", + "object": "x-ocsf-identity" + } + }, + "name": { + "key": "x-ocsf-identity.authorizations.name", + "object": "x-ocsf-identity" + }, + "uid": { + "key": "x-ocsf-identity.authorizations.uid", + "object": "x-ocsf-identity" + }, + "version": { + "key": "x-ocsf-identity.authorizations.version", + "object": "x-ocsf-identity" + } + } + }, + "idp": { + "name": { + "key": "x-ocsf-identity.idp.name", + "object": "x-ocsf-identity" + }, + "uid": { + "key": "x-ocsf-identity.idp.uid", + "object": "x-ocsf-identity" + } + }, + "invoked_by": { + "key": "x-ocsf-identity.invoked_by", + "object": "x-ocsf-identity" + }, + "message": { + "key": "x-ocsf-identity.message", + "object": "x-ocsf-identity" + }, + "session": { + "created_time": { + "key": "x-ocsf-identity.session.created_time", + "object": "x-ocsf-identity" + }, + "credential_uid": { + "key": "x-ocsf-identity.session.credential_uid", + "object": "x-ocsf-identity" + }, + "expiration_time": 
{
+ "key": "x-ocsf-identity.session.expiration_time",
+ "object": "x-ocsf-identity"
+ },
+ "issuer": {
+ "key": "x-ocsf-identity.session.issuer",
+ "object": "x-ocsf-identity"
+ },
+ "mfa": {
+ "key": "x-ocsf-identity.session.mfa",
+ "object": "x-ocsf-identity"
+ },
+ "uid": {
+ "key": "x-ocsf-identity.session.uid",
+ "object": "x-ocsf-identity"
+ }
+ },
+ "user": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "user"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.aws-account-ext.account_type_id",
+ "object": "user",
+ "transformer": "ToInteger"
+ },
+ "account_uid": {
+ "key": "user-account.user_id",
+ "object": "user"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.aws-account-ext.credential_uid",
+ "object": "user"
+ },
+ "domain": {
+ "key": "user-account.extensions.aws-account-ext.domain",
+ "object": "user"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "email_addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.aws-account-ext.group_desc",
+ "object": "user"
+ },
+ "name": {
+ "key": "user-account.extensions.aws-account-ext.group_name",
+ "object": "user"
+ },
+ "privileges": {
+ "key": "user-account.extensions.aws-account-ext.group_privileges",
+ "object": "user"
+ },
+ "type": {
+ "key": "user-account.extensions.aws-account-ext.group_type",
+ "object": "user"
+ },
+ "uid": {
+ "key": "user-account.extensions.aws-account-ext.group_uid",
+ "object": "user"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "user"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.aws-account-ext.org_uid",
+ "object": "user"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.aws-account-ext.session_uid",
+ "object": "user"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.aws-account-ext.session_uuid",
+ "object": "user"
+ },
+ "type": {
+ "key": "user-account.extensions.aws-account-ext.type",
+ "object": "user"
+ },
+ "type_id": {
+ "key": 
"user-account.extensions.aws-account-ext.type_id",
+ "object": "user",
+ "transformer": "ToInteger"
+ },
+ "uid": {
+ "key": "user-account.extensions.aws-account-ext.uid",
+ "object": "user"
+ },
+ "uuid": {
+ "key": "user-account.extensions.aws-account-ext.uuid",
+ "object": "user"
+ }
+ }
+ },
+ "malware": {
+ "classification_ids": {
+ "key": "x-ocsf-malware.classification_ids",
+ "object": "malware"
+ },
+ "classifications": {
+ "key": "x-ocsf-malware.classifications",
+ "object": "malware"
+ },
+ "cves": {
+ "created_time": {
+ "key": "x-ocsf-malware.created_time",
+ "object": "malware"
+ },
+ "cvss": {
+ "base_score": {
+ "key": "x-ocsf-malware.base_score",
+ "object": "malware"
+ },
+ "depth": {
+ "key": "x-ocsf-malware.depth",
+ "object": "malware"
+ },
+ "metrics": {
+ "name": {
+ "key": "x-ocsf-malware.name",
+ "object": "malware"
+ },
+ "value": {
+ "key": "x-ocsf-malware.value",
+ "object": "malware"
+ }
+ },
+ "overall_score": {
+ "key": "x-ocsf-malware.overall_score",
+ "object": "malware"
+ },
+ "severity": {
+ "key": "x-ocsf-malware.severity",
+ "object": "malware"
+ },
+ "vector_string": {
+ "key": "x-ocsf-malware.vector_string",
+ "object": "malware"
+ },
+ "version": {
+ "key": "x-ocsf-malware.version",
+ "object": "malware"
+ }
+ },
+ "cwe_uid": {
+ "key": "x-ocsf-malware.cwe_uid",
+ "object": "malware"
+ },
+ "cwe_url": {
+ "key": "x-ocsf-malware.cwe_url",
+ "object": "malware"
+ },
+ "modified_time": {
+ "key": "x-ocsf-malware.modified_time",
+ "object": "malware"
+ },
+ "product": {
+ "feature": {
+ "name": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_name",
+ "object": "malware-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_uid",
+ "object": "malware-software"
+ },
+ "version": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_version",
+ "object": "malware-software"
+ }
+ },
+ "lang": {
+ "key": "software.languages",
+ "object": "malware-software"
+ },
+ "name": {
+ "key": 
"software.name",
+ "object": "malware-software"
+ },
+ "path": {
+ "key": "software.extensions.x-ocsf-product-ext.installed_path",
+ "object": "malware-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.product_uid",
+ "object": "malware-software"
+ },
+ "vendor_name": {
+ "key": "software.vendor",
+ "object": "malware-software"
+ },
+ "version": {
+ "key": "software.version",
+ "object": "malware-software"
+ }
+ },
+ "type": {
+ "key": "x-ocsf-malware.type",
+ "object": "malware"
+ },
+ "uid": {
+ "key": "x-ocsf-malware.uid",
+ "object": "malware"
+ }
+ },
+ "name": {
+ "key": "x-ocsf-malware.name",
+ "object": "malware"
+ },
+ "path": {
+ "key": "x-ocsf-malware.path",
+ "object": "malware"
+ },
+ "provider": {
+ "key": "x-ocsf-malware.provider",
+ "object": "malware"
+ },
+ "uid": {
+ "key": "x-ocsf-malware.uid",
+ "object": "malware"
+ }
+ },
+ "message": {
+ "key": "x-ocsf-cloud.message",
+ "object": "ocsf_cloud_api"
+ },
+ "metadata": {
+ "correlation_uid": {
+ "key": "x-ocsf-metadata.correlation_uid",
+ "object": "metadata"
+ },
+ "labels": {
+ "key": "x-ocsf-metadata.labels",
+ "object": "metadata"
+ },
+ "logged_time": {
+ "key": "x-ocsf-metadata.logged_time",
+ "object": "metadata"
+ },
+ "modified_time": {
+ "key": "x-ocsf-metadata.modified_time",
+ "object": "metadata"
+ },
+ "processed_time": {
+ "key": "x-ocsf-metadata.processed_time",
+ "object": "metadata"
+ },
+ "product": {
+ "feature": {
+ "name": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_name",
+ "object": "metadata-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_uid",
+ "object": "metadata-software"
+ },
+ "version": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_version",
+ "object": "metadata-software"
+ }
+ },
+ "lang": {
+ "key": "software.languages",
+ "object": "metadata-software"
+ },
+ "name": {
+ "key": "software.name",
+ "object": "metadata-software"
+ },
+ "path": {
+ "key": 
"software.extensions.x-ocsf-product-ext.installed_path",
+ "object": "metadata-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.product_uid",
+ "object": "metadata-software"
+ },
+ "vendor_name": {
+ "key": "software.vendor",
+ "object": "metadata-software"
+ },
+ "version": {
+ "key": "software.version",
+ "object": "metadata-software"
+ }
+ },
+ "sequence": {
+ "key": "x-ocsf-metadata.sequence",
+ "object": "metadata",
+ "transformer": "ToInteger"
+ },
+ "uid": {
+ "key": "x-ocsf-metadata.uid",
+ "object": "metadata"
+ },
+ "version": {
+ "key": "x-ocsf-metadata.version",
+ "object": "metadata"
+ }
+ },
+ "observables": {
+ "name": [
+ {
+ "key": "x-ibm-observables.name",
+ "object": "observables"
+ },
+ {
+ "key": "x-ibm-finding.ioc_refs",
+ "object": "ibm_finding",
+ "references": [
+ "observables"
+ ]
+ }
+ ],
+ "type": {
+ "key": "x-ibm-observables.finding_type",
+ "object": "observables"
+ },
+ "type_id": {
+ "key": "x-ibm-observables.alert_id",
+ "object": "observables",
+ "transformer": "ToInteger"
+ },
+ "value": {
+ "key": "x-ibm-observables.description",
+ "object": "observables"
+ }
+ },
+ "process": {
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "process"
+ },
+ "created_time": {
+ "key": "process.created_time",
+ "object": "process"
+ },
+ "file": {
+ "accessed_time": {
+ "key": "file.atime",
+ "object": "file"
+ },
+ "accessor": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "accessor-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "accessor-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "accessor-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "accessor-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": 
"accessor-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "accessor-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "accessor-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "accessor-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "accessor-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "accessor-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "accessor-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "accessor-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "accessor-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "accessor-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "accessor-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "accessor-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "accessor-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "accessor-user-account"
+ }
+ },
+ "attributes": {
+ "key": "file.extensions.x-ocsf-file-ext.attributes",
+ "object": "file"
+ },
+ "company_name": {
+ "key": "file.extensions.x-ocsf-file-ext.company_name",
+ "object": "file"
+ },
+ "confidentiality": {
+ "key": "file.extensions.x-ocsf-file-ext.confidentiality",
+ "object": "file"
+ },
+ "confidentiality_id": {
+ "key": "file.extensions.x-ocsf-file-ext.confidentiality_id",
+ "object": "file"
+ 
},
+ "created_time": {
+ "key": "file.ctime",
+ "object": "file"
+ },
+ "creator": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "creator-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "creator-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "creator-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "creator-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "creator-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "creator-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "creator-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "creator-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "creator-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "creator-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "creator-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "creator-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "creator-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "creator-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "creator-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "creator-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ 
"object": "creator-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "creator-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "creator-user-account"
+ }
+ },
+ "desc": {
+ "key": "file.extensions.x-ocsf-file-ext.description",
+ "object": "file"
+ },
+ "fingerprints": {
+ "algorithm": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm",
+ "object": "file"
+ },
+ "algorithm_id": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm_id",
+ "object": "file"
+ },
+ "value": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm_value",
+ "object": "file"
+ }
+ },
+ "is_system": {
+ "key": "process.extensions.x-ocsf-process-ext.is_system",
+ "object": "process"
+ },
+ "mime_type": {
+ "key": "process.mime_type",
+ "object": "process"
+ },
+ "modified_time": {
+ "key": "process.extensions.x-ocsf-process-ext.modified_time",
+ "object": "process"
+ },
+ "modifier": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "modifier-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "modifier-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "modifier-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "modifier-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "modifier-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "modifier-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "modifier-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "modifier-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "modifier-user-account"
+ 
},
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "modifier-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "modifier-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "modifier-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "modifier-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "modifier-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "modifier-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "modifier-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "modifier-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "modifier-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "modifier-user-account"
+ }
+ },
+ "name": [
+ {
+ "key": "file.name",
+ "object": "file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "process",
+ "references": "file"
+ }
+ ],
+ "owner": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "owner-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "owner-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "owner-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "owner-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "owner-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "owner-user-account"
+ },
+ "groups": {
+ "desc": {
+ "key": 
"user-account.extensions.x-accessor-ext.group_desc",
+ "object": "owner-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "owner-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "owner-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "owner-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "owner-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "owner-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "owner-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "owner-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "owner-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "owner-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "owner-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "owner-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "owner-user-account"
+ }
+ },
+ "parent_folder": [
+ {
+ "key": "directory.path",
+ "object": "directory"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "file",
+ "references": "directory"
+ }
+ ],
+ "path": {
+ "key": "file.extensions.x-ocsf-file-ext.path",
+ "object": "file"
+ },
+ "product": {
+ "feature": {
+ "name": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_name",
+ "object": "file1-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_uid",
+ "object": "file1-software"
+ },
+ "version": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_version",
+ "object": "file1-software"
+ }
+ },
+ "lang": {
+ "key": "software.languages",
+ "object": "file1-software"
+ },
+ "name": {
+ "key": "software.name",
+ "object": "file1-software"
+ },
+ "path": {
+ "key": "software.extensions.x-ocsf-product-ext.installed_path",
+ "object": "file1-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.product_uid",
+ "object": "file1-software"
+ },
+ "vendor_name": {
+ "key": "software.vendor",
+ "object": "file1-software"
+ },
+ "version": {
+ "key": "software.version",
+ "object": "file1-software"
+ }
+ },
+ "security_descriptor": {
+ "key": "file.extensions.x-ocsf-file-ext.security_descriptor",
+ "object": "file"
+ },
+ "signature": {
+ "key": "file.extensions.x-ocsf-file-ext.signature",
+ "object": "file"
+ },
+ "size": {
+ "key": "file.size",
+ "object": "file"
+ },
+ "type": {
+ "key": "file.extensions.x-ocsf-file-ext.type",
+ "object": "file"
+ },
+ "type_id": {
+ "key": "file.extensions.x-ocsf-file-ext.type_id",
+ "object": "file"
+ },
+ "uid": {
+ "key": "file.extensions.x-ocsf-file-ext.uid",
+ "object": "file"
+ },
+ "version": {
+ "key": "file.extensions.x-ocsf-file-ext.version",
+ "object": "file"
+ },
+ "xattributes": {
+ "key": "process.extensions.x-ocsf-process-ext.xattributes",
+ "object": "process"
+ }
+ },
+ "integrity": {
+ "key": "process.extensions.x-ocsf-process-ext.integrity",
+ "object": "process"
+ },
+ "integrity_id": {
+ "key": "process.extensions.x-ocsf-process-ext.integrity_id",
+ "object": "process"
+ },
+ "lineage": {
+ "key": "process.extensions.x-ocsf-process-ext.lineage",
+ "object": "process"
+ },
+ "loaded_modules": {
+ "key": "process.extensions.x-ocsf-process-ext.loaded_modules",
+ "object": "process"
+ },
+ "name": {
+ "key": "process.x_name",
+ "object": "process"
+ },
+ "parent-process": {
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "parent-process"
+ },
+ "created_time": {
+ "key": "process.created",
+ "object": "parent-process"
+ },
+ "file": {
+ 
"accessed_time": {
+ "key": "file.atime",
+ "object": "parent-file"
+ },
+ "accessor": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "parent-accessor-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "parent-accessor-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "parent-accessor-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "parent-accessor-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "parent-accessor-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "parent-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "parent-accessor-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "parent-accessor-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "parent-accessor-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "parent-accessor-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "parent-accessor-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "parent-accessor-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "parent-accessor-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "parent-accessor-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "parent-accessor-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ 
"object": "parent-accessor-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "parent-accessor-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "parent-accessor-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "parent-accessor-user-account"
+ }
+ },
+ "attributes": {
+ "key": "file.extensions.x-ocsf-file-ext.attributes",
+ "object": "parent-file"
+ },
+ "company_name": {
+ "key": "file.extensions.x-ocsf-file-ext.company_name",
+ "object": "parent-file"
+ },
+ "confidentiality": {
+ "key": "file.extensions.x-ocsf-file-ext.confidentiality",
+ "object": "parent-file"
+ },
+ "confidentiality_id": {
+ "key": "file.extensions.x-ocsf-file-ext.confidentiality_id",
+ "object": "parent-file"
+ },
+ "created_time": {
+ "key": "file.ctime",
+ "object": "parent-file"
+ },
+ "creator": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "parent-creator-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "parent-creator-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "parent-creator-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "parent-creator-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "parent-creator-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "parent-creator-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "parent-creator-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "parent-creator-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": 
"parent-creator-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "parent-creator-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "parent-creator-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "parent-creator-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "parent-creator-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "parent-creator-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "parent-creator-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "parent-creator-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "parent-creator-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "parent-creator-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "parent-creator-user-account"
+ }
+ },
+ "desc": {
+ "key": "file.extensions.x-ocsf-file-ext.description",
+ "object": "parent-file"
+ },
+ "fingerprints": {
+ "algorithm": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm",
+ "object": "parent-file"
+ },
+ "algorithm_id": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm_id",
+ "object": "parent-file"
+ },
+ "value": {
+ "key": "file.extensions.x-ocsf-file-ext.algorithm_value",
+ "object": "parent-file"
+ }
+ },
+ "is_system": {
+ "key": "process.extensions.x-ocsf-process-ext.is_system",
+ "object": "parent-process"
+ },
+ "mime_type": {
+ "key": "process.mime_type",
+ "object": "parent-process"
+ },
+ "modified_time": {
+ "key": "process.extensions.x-ocsf-process-ext.modified_time",
+ "object": "parent-process"
+ },
+ "modifier": {
+ "account_type": {
+ "key": 
"user-account.account_type",
+ "object": "parent-modifier-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "parent-modifier-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "parent-modifier-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "parent-modifier-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "parent-modifier-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "parent-modifier-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "parent-modifier-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "parent-modifier-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "parent-modifier-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "parent-modifier-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "parent-modifier-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "parent-modifier-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ "object": "parent-modifier-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "parent-modifier-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "parent-modifier-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "parent-modifier-user-account"
+ },
+ "type_id": {
+ "key": 
"user-account.extensions.x-accessor-ext.type_id",
+ "object": "parent-modifier-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "parent-modifier-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "parent-modifier-user-account"
+ }
+ },
+ "name": [
+ {
+ "key": "file.name",
+ "object": "parent-file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "parent-process",
+ "references": "parent-file"
+ }
+ ],
+ "owner": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": "parent-owner-user-account"
+ },
+ "account_type_id": {
+ "key": "user-account.extensions.x-accessor-ext.account_type_id",
+ "object": "parent-owner-user-account"
+ },
+ "account_uid": {
+ "key": "user-account.extensions.x-accessor-ext.account_uid",
+ "object": "parent-owner-user-account"
+ },
+ "credential_uid": {
+ "key": "user-account.extensions.x-accessor-ext.credential_uid",
+ "object": "parent-owner-user-account"
+ },
+ "domain": {
+ "key": "user-account.extensions.x-accessor-ext.domain",
+ "object": "parent-owner-user-account"
+ },
+ "email_addr": {
+ "key": "email-addr.value",
+ "object": "parent-owner-email-addr"
+ },
+ "groups": {
+ "desc": {
+ "key": "user-account.extensions.x-accessor-ext.group_desc",
+ "object": "parent-owner-user-account"
+ },
+ "name": {
+ "key": "user-account.extensions.x-accessor-ext.group_name",
+ "object": "parent-owner-user-account"
+ },
+ "privileges": {
+ "key": "user-account.extensions.x-accessor-ext.group_privileges",
+ "object": "parent-owner-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.group_type",
+ "object": "parent-owner-user-account"
+ },
+ "uid": {
+ "key": "user-account.extensions.x-accessor-ext.group_uid",
+ "object": "parent-owner-user-account"
+ }
+ },
+ "name": {
+ "key": "user-account.display_name",
+ "object": "parent-owner-user-account"
+ },
+ "org_uid": {
+ "key": "user-account.extensions.x-accessor-ext.org_uid",
+ 
"object": "parent-owner-user-account"
+ },
+ "session_uid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uid",
+ "object": "parent-owner-user-account"
+ },
+ "session_uuid": {
+ "key": "user-account.extensions.x-accessor-ext.session_uuid",
+ "object": "parent-owner-user-account"
+ },
+ "type": {
+ "key": "user-account.extensions.x-accessor-ext.type",
+ "object": "parent-owner-user-account"
+ },
+ "type_id": {
+ "key": "user-account.extensions.x-accessor-ext.type_id",
+ "object": "parent-owner-user-account"
+ },
+ "uid": {
+ "key": "user-account.user_id",
+ "object": "parent-owner-user-account"
+ },
+ "uuid": {
+ "key": "user-account.extensions.x-accessor-ext.uuid",
+ "object": "parent-owner-user-account"
+ }
+ },
+ "parent_folder": [
+ {
+ "key": "directory.path",
+ "object": "parent-directory"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "parent-file",
+ "references": "parent-directory"
+ }
+ ],
+ "path": {
+ "key": "file.extensions.x-ocsf-file-ext.path",
+ "object": "parent-file"
+ },
+ "product": {
+ "feature": {
+ "name": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_name",
+ "object": "file-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_uid",
+ "object": "file-software"
+ },
+ "version": {
+ "key": "software.extensions.x-ocsf-product-ext.feature_version",
+ "object": "file-software"
+ }
+ },
+ "lang": {
+ "key": "software.languages",
+ "object": "file-software"
+ },
+ "name": {
+ "key": "software.name",
+ "object": "file-software"
+ },
+ "path": {
+ "key": "software.extensions.x-ocsf-product-ext.installed_path",
+ "object": "file-software"
+ },
+ "uid": {
+ "key": "software.extensions.x-ocsf-product-ext.product_uid",
+ "object": "file-software"
+ },
+ "vendor_name": {
+ "key": "software.vendor",
+ "object": "file-software"
+ },
+ "version": {
+ "key": "software.version",
+ "object": "file-software"
+ }
+ },
+ "security_descriptor": {
+ "key": 
"file.extensions.x-ocsf-file-ext.security_descriptor",
+ "object": "parent-file"
+ },
+ "signature": {
+ "key": "file.extensions.x-ocsf-file-ext.signature",
+ "object": "parent-file"
+ },
+ "size": {
+ "key": "file.size",
+ "object": "parent-file"
+ },
+ "type": {
+ "key": "file.extensions.x-ocsf-file-ext.type",
+ "object": "parent-file"
+ },
+ "type_id": {
+ "key": "file.extensions.x-ocsf-file-ext.type_id",
+ "object": "parent-file"
+ },
+ "uid": {
+ "key": "file.extensions.x-ocsf-file-ext.uid",
+ "object": "parent-file"
+ },
+ "version": {
+ "key": "file.extensions.x-ocsf-file-ext.version",
+ "object": "parent-file"
+ },
+ "xattributes": {
+ "key": "process.extensions.x-ocsf-process-ext.xattributes",
+ "object": "parent-process"
+ }
+ },
+ "integrity": {
+ "key": "process.extensions.x-ocsf-process-ext.integrity",
+ "object": "parent-process"
+ },
+ "integrity_id": {
+ "key": "process.extensions.x-ocsf-process-ext.integrity_id",
+ "object": "parent-process"
+ },
+ "lineage": {
+ "key": "process.extensions.x-ocsf-process-ext.lineage",
+ "object": "parent-process"
+ },
+ "loaded_modules": {
+ "key": "process.extensions.x-ocsf-process-ext.loaded_modules",
+ "object": "parent-process"
+ },
+ "name": {
+ "key": "process.extensions.x-ocsf-process-ext.name",
+ "object": "parent-process"
+ },
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "parent-process"
+ },
+ {
+ "key": "process.child_refs",
+ "object": "parent-process",
+ "references": ["process"]
+ }
+ ],
+ "sandbox": {
+ "key": "process.extensions.x-ocsf-process-ext.loaded_modules",
+ "object": "parent-process"
+ },
+ "terminated_time": {
+ "key": "process.extensions.x-ocsf-process-ext.terminated_time",
+ "object": "parent-process"
+ },
+ "tid": {
+ "key": "process.extensions.x-ocsf-process-ext.tid",
+ "object": "parent-process"
+ },
+ "uid": {
+ "key": "process.x_unique_id",
+ "object": "parent-process"
+ },
+ "user": {
+ "account_type": {
+ "key": "user-account.account_type",
+ "object": 
"parent-process-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "parent-process-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "parent-process-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-process-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-process-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-process-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-process-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-process-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-process-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-process-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-process-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-process-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-process-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-process-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-process-user-account" + }, + 
"uid": [ + { + "key": "user-account.user_id", + "object": "parent-process-user-account" + }, + { + "key": "user-account.creator_user_ref", + "object": "parent-process", + "references": "process-user-account" + } + ], + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "parent-process-user-account" + } + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "parent-process" + } + }, + "pid": [ + { + "key": "process.pid", + "object": "process" + }, + { + "key": "process.parent_ref", + "object": "process", + "references": ["parent-process"] + } + ], + "sandbox": { + "key": "process.extensions.x-ocsf-process-ext.loaded_modules", + "object": "process" + }, + "terminated_time": { + "key": "process.extensions.x-ocsf-process-ext.terminated_time", + "object": "process" + }, + "tid": { + "key": "process.x_unique_id", + "object": "process" + }, + "uid": { + "key": "process.extensions.x-ocsf-process-ext.uid", + "object": "process" + }, + "user": { + "account_type": { + "key": "user-account.account_type", + "object": "process-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "process-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "process-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "process-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "process-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "process-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "process-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "process-user-account" + }, + "privileges": { + "key": 
"user-account.extensions.x-accessor-ext.group_privileges", + "object": "process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "process-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "process-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "process-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "process-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "process-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "process-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "process-user-account" + }, + "uid": [ + { + "key": "user-account.user_id", + "object": "process-user-account" + }, + { + "key": "user-account.creator_user_ref", + "object": "process", + "references": "process-user-account" + } + ], + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "process-user-account" + } + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "process" + } + }, + "profiles": { + "key": "x-ocsf-cloud.profiles", + "object": "ocsf_cloud_api" + }, + "raw_data": { + "key": "x-ocsf-cloud.raw_data", + "object": "ocsf_cloud_api" + }, + "ref_event_code": { + "key": "x-ocsf-cloud.ref_event_code", + "object": "ocsf_cloud_api" + }, + "ref_event_name": { + "key": "x-ocsf-cloud.ref_event_name", + "object": "ocsf_cloud_api" + }, + "ref_event_uid": { + "key": "x-ocsf-cloud.ref_event_uid", + "object": "ocsf_cloud_api" + }, + "ref_time": { + "key": "x-ocsf-cloud.ref_time", + "object": "ocsf_cloud_api" + }, + "resources": { + 
"account_uid": [ + { + "key": "x-ocsf-resources.account_uid", + "object": "resources" + }, + { + "key": "x-ocsf-resources.cloud_api_ref", + "object": "resources", + "references": "ocsf_cloud_api" + } + ], + "cloud_partition": { + "key": "x-ocsf-resources.cloud_partition", + "object": "resources" + }, + "criticality": { + "key": "x-ocsf-resources.criticality", + "object": "resources" + }, + "details": { + "key": "x-ocsf-resources.details", + "object": "resources" + }, + "group_name": { + "key": "x-ocsf-resources.group_name", + "object": "resources" + }, + "labels": { + "key": "x-ocsf-resources.labels", + "object": "resources" + }, + "name": { + "key": "x-ocsf-resources.name", + "object": "resources" + }, + "owner": { + "key": "x-ocsf-resources.owner", + "object": "resources" + }, + "region": { + "key": "x-ocsf-resources.region", + "object": "resources" + }, + "type": { + "key": "x-ocsf-resources.type", + "object": "resources" + }, + "uid": { + "key": "x-ocsf-resources.uid", + "object": "resources" + } + }, + "severity": { + "key": "x-ocsf-cloud.severity", + "object": "ocsf_cloud_api" + }, + "severity_id": { + "key": "x-ibm-finding.severity", + "object": "ibm_finding", + "transformer": "ToInteger" + }, + "src_endpoint": { + "port": { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + }, + "svc_name": { + "key": "x-oca-asset.extensions.x-src-endpoint.svc_name", + "object": "asset" + }, + "ip": [ + { + "key": "ipv4-addr.value", + "object": "src_ip", + "transformer": "CheckIPv4" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip", + "transformer": "CheckIPv6" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "ibm_finding", + "references": "src_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ], + "group": true + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + 
"references": "nt" + } + ], + "intermediate_ips": [ + { + "key": "ipv4-addr.value", + "object": "src_ipv4", + "unwrap": true, + "transformer": "FilterIPv4List" + }, + { + "key": "ipv6-addr.value", + "object": "src_ipv6", + "unwrap": true, + "transformer": "FilterIPv6List" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "asset", + "references": [ + "src_ipv4", + "src_ipv6" + ], + "unwrap": true + } + ], + "interface_uid": { + "key": "x-oca-asset.extensions.x-src-endpoint.interface_uid", + "object": "asset" + }, + "vpc_uid": { + "key": "x-oca-asset.extensions.x-src-endpoint.vpc_uid", + "object": "asset" + }, + "instance_uid": { + "key": "x-oca-asset.extensions.x-src-endpoint.instance_uid", + "object": "asset" + }, + "subnet_uid": { + "key": "x-oca-asset.extensions.x-src-endpoint.subnet_uid", + "object": "asset" + }, + "name": { + "key": "x-oca-asset.name", + "object": "asset" + } + }, + "dst_endpoint": { + "port": { + "key": "network-traffic.dst_port", + "object": "nt", + "transformer": "ToInteger" + }, + "svc_name": { + "key": "x-oca-asset.extensions.x-dst-endpoint.svc_name", + "object": "asset" + }, + "ip": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip", + "transformer": "CheckIPv4" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip", + "transformer": "CheckIPv6" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "ibm_finding", + "references": "dst_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "dst_ip" + ], + "group": true + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + } + ], + "intermediate_ips": [ + { + "key": "ipv4-addr.value", + "object": "dst_ipv4", + "unwrap": true, + "transformer": "FilterIPv4List" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ipv6", + "unwrap": true, + "transformer": "FilterIPv6List" + }, + { + "key": "x-oca-asset.ip_refs", + "object": 
"asset", + "references": [ + "dst_ipv4", + "dst_ipv6" + ], + "unwrap": true + } + ], + "interface_uid": { + "key": "x-oca-asset.extensions.x-dst-endpoint.interface_uid", + "object": "asset" + }, + "vpc_uid": { + "key": "x-oca-asset.extensions.x-dst-endpoint.vpc_uid", + "object": "asset" + }, + "instance_uid": { + "key": "x-oca-asset.extensions.x-dst-endpoint.instance_uid", + "object": "asset" + }, + "subnet_uid": { + "key": "x-oca-asset.extensions.x-dst-endpoint.subnet_uid", + "object": "asset" + }, + "name": { + "key": "x-oca-asset.name", + "object": "asset" + } + }, + "connection_info": { + "protocol_num": { + "key": "network-traffic.protocol", + "object": "nt", + "transformer": "ProtocolNumToName" + }, + "protocol_name": { + "key": "network-traffic.protocol", + "object": "nt" + }, + "tcp_flags": { + "key": "network-traffic.extensions.x-network-ext.tcp_flags", + "object": "nt" + }, + "protocol_ver": { + "key": "network-traffic.extensions.x-network-ext.protocol_ver", + "object": "nt" + }, + "direction": { + "key": "network-traffic.extensions.x-network-ext.direction", + "object": "nt" + }, + "boundary_id": { + "key": "network-traffic.extensions.x-network-ext.boundary_id", + "object": "nt" + }, + "boundary": { + "key": "network-traffic.extensions.x-network-ext.boundary", + "object": "nt" + }, + "direction_id": { + "key": "network-traffic.extensions.x-network-ext.direction_id", + "object": "nt" + } + }, + "traffic": { + "packets_in": { + "key": "network-traffic.dst_packets", + "object": "nt" + }, + "packets_out": { + "key": "network-traffic.src_packets", + "object": "nt" + }, + "packets": { + "key": "network-traffic.extensions.x-network-ext.packets", + "object": "nt" + }, + "bytes_in": { + "key": "network-traffic.dst_byte_count", + "object": "nt" + }, + "bytes_out": { + "key": "network-traffic.src_byte_count", + "object": "nt" + }, + "bytes": { + "key": "network-traffic.extensions.x-network-ext.bytes", + "object": "nt" + } + }, + "start_time": [ + { + "key": 
"x-ibm-finding.start", + "object": "ibm_finding", + "transformer": "EpochToTimestamp" + }, + { + "key": "first_observed", + "cybox": false, + "transformer": "EpochToTimestamp" + } + ], + "status": { + "key": "x-ocsf-cloud.status", + "object": "ocsf_cloud_api" + }, + "status_code": { + "key": "x-ocsf-cloud.status_code", + "object": "ocsf_cloud_api" + }, + "status_detail": { + "key": "x-ocsf-cloud.status_detail", + "object": "ocsf_cloud_api" + }, + "status_id": { + "key": "x-ocsf-cloud.status_id", + "object": "ocsf_cloud_api", + "transformer": "ToInteger" + }, + "time": { + "key": "x-oca-event.created", + "object": "x_oca_event" + }, + "timezone_offset": { + "key": "x-oca-event.timezone", + "object": "x_oca_event", + "transformer": "ToInteger" + }, + "type_name": { + "key": "x-ocsf-cloud.type_name", + "object": "ocsf_cloud_api" + }, + "type_uid": { + "key": "x-ocsf-cloud.type_uid", + "object": "ocsf_cloud_api", + "transformer": "ToInteger" + }, + "vulnerabilities": { + "cve": { + "created_time": { + "key": "x-ocsf-vulnerabilities.created_time", + "object": "vulnerabilities" + }, + "cvss": { + "base_score": { + "key": "x-ocsf-vulnerabilities.base_score", + "object": "vulnerabilities" + }, + "depth": { + "key": "x-ocsf-vulnerabilities.depth", + "object": "vulnerabilities" + }, + "metrics": { + "name": { + "key": "x-ocsf-vulnerabilities.name", + "object": "vulnerabilities" + }, + "value": { + "key": "x-ocsf-vulnerabilities.value", + "object": "vulnerabilities" + } + }, + "overall_score": { + "key": "x-ocsf-vulnerabilities.overall_score", + "object": "vulnerabilities" + }, + "severity": { + "key": "x-ocsf-vulnerabilities.severity", + "object": "vulnerabilities" + }, + "vector_string": { + "key": "x-ocsf-vulnerabilities.vector_string", + "object": "vulnerabilities" + }, + "version": { + "key": "x-ocsf-vulnerabilities.version", + "object": "vulnerabilities" + } + }, + "cwe_uid": { + "key": "x-ocsf-vulnerabilities.cwe_uid", + "object": "vulnerabilities" + }, + "cwe_url": { 
+ "key": "x-ocsf-vulnerabilities.cwe_url", + "object": "vulnerabilities" + }, + "modified_time": { + "key": "x-ocsf-vulnerabilities.modified_time", + "object": "vulnerabilities" + }, + "product": { + "feature": { + "name": { + "key": "software.extensions.x-ocsf-product-ext.feature_name", + "object": "vulnerabilities-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.feature_uid", + "object": "vulnerabilities-software" + }, + "version": { + "key": "software.extensions.x-ocsf-product-ext.feature_version", + "object": "vulnerabilities-software" + } + }, + "lang": { + "key": "software.languages", + "object": "vulnerabilities-software" + }, + "name": { + "key": "software.name", + "object": "vulnerabilities-software" + }, + "path": { + "key": "software.extensions.x-ocsf-product-ext.installed_path", + "object": "vulnerabilities-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.product_uid", + "object": "vulnerabilities-software" + }, + "vendor_name": { + "key": "software.vendor", + "object": "vulnerabilities-software" + }, + "version": { + "key": "software.version", + "object": "vulnerabilities-software" + } + }, + "type": { + "key": "x-ocsf-vulnerabilities.type", + "object": "vulnerabilities" + }, + "uid": { + "key": "x-ocsf-vulnerabilities.uid", + "object": "vulnerabilities" + } + }, + "desc": { + "key": "x-ocsf-vulnerabilities.desc", + "object": "vulnerabilities" + }, + "kb_articles": { + "key": "x-ocsf-vulnerabilities.kb_articles", + "object": "vulnerabilities" + }, + "packages": { + "architecture": { + "key": "x-ocsf-vulnerabilities.packages_architecture", + "object": "vulnerabilities" + }, + "epoch": { + "key": "x-ocsf-vulnerabilities.packages_epoch", + "object": "vulnerabilities" + }, + "license": { + "key": "x-ocsf-vulnerabilities.packages_license", + "object": "vulnerabilities" + }, + "name": { + "key": "x-ocsf-vulnerabilities.packages_name", + "object": "vulnerabilities" + }, + "release": { + "key": 
"x-ocsf-vulnerabilities.packages_release", + "object": "vulnerabilities" + }, + "version": { + "key": "x-ocsf-vulnerabilities.packages_version", + "object": "vulnerabilities" + } + }, + "references": { + "key": "x-ocsf-vulnerabilities.references", + "object": "vulnerabilities" + }, + "related_vulnerabilities": { + "key": "x-ocsf-vulnerabilities.related_vulnerabilities", + "object": "vulnerabilities" + }, + "severity": { + "key": "x-ocsf-vulnerabilities.severity", + "object": "vulnerabilities" + }, + "title": { + "key": "x-ocsf-vulnerabilities.title", + "object": "vulnerabilities" + }, + "vendor_name": { + "key": "x-ocsf-vulnerabilities.vendor_name", + "object": "vulnerabilities" + } + } + }, + "vpcflow": { + "sourceaddress": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "ibm_finding", + "references": "src_ip" + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "src_ip", + "ds_key": "interfaceid", + "cybox": false + }, + { + "key": "ipv6-addr.x_aws_interface_id", + "object": "src_ip", + "ds_key": "interfaceid", + "cybox": false + } + ], + "destinationaddress": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "ibm_finding", + "references": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + } + ], + "sourceport": [ + { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + } + ], + "destinationport": [ + { + "key": "network-traffic.dst_port", + "object": "nt", + "transformer": "ToInteger" + } + ], + "protocol": [ + { + "key": "network-traffic.protocols", + "object": "nt", + "transformer": "ToLowercaseArray" + } + ], + "starttime": [ + { + "key": 
"network-traffic.start", + "object": "nt", + "transformer": "EpochSecondsToTimestamp" + }, + { + "key": "x-ibm-finding.start", + "object": "ibm_finding", + "transformer": "EpochSecondsToTimestamp" + }, + { + "key": "first_observed", + "cybox": false, + "transformer": "EpochSecondsToTimestamp" + } + ], + "endtime": [ + { + "key": "network-traffic.end", + "object": "nt", + "transformer": "EpochSecondsToTimestamp" + }, + { + "key": "x-ibm-finding.end", + "object": "ibm_finding", + "transformer": "EpochSecondsToTimestamp" + }, + { + "key": "last_observed", + "cybox": false, + "transformer": "EpochToTimestamp" + } + ], + "account": [ + { + "key": "x-aws-details.account_id", + "object": "accountid" + } + ], + "action": { + "key": "x-ibm-finding.finding_type", + "object": "ibm_finding" + }, + "name": { + "key": "x-ibm-finding.name", + "object": "ibm_finding" + } + }, + "guardduty": { + "resource_instancedetails_networkinterfaces_0_privateipaddress": [ + { + "key": "ipv4-addr.value", + "object": "nc_private_ip1" + }, + { + "key": "network-traffic.src_ref", + "object": "nc_nt", + "references": "nc_private_ip1" + }, + { + "key": "domain-name.resolves_to_refs", + "object": "private_dns_name", + "references": [ + "nc_private_ip1" + ] + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "ibm_finding", + "references": "nc_private_ip1" + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "nc_private_ip1", + "ds_key": "resource_instancedetails_networkinterfaces_0_networkinterfaceid", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_ip_type", + "object": "nc_private_ip1", + "value": "private", + "cybox": false + } + ], + "resource_instancedetails_networkinterfaces_0_ipv6addresses_0": [ + { + "key": "ipv6-addr.value", + "object": "nc_ipv6_ip" + }, + { + "key": "ipv6-addr.x_aws_interface_id", + "object": "nc_ipv6_ip", + "ds_key": "resource_instancedetails_networkinterfaces_0_networkinterfaceid", + "cybox": false + } + ], + 
"resource_instancedetails_networkinterfaces_0_publicip": [ + { + "key": "ipv4-addr.value", + "object": "nc_public_ip" + }, + { + "key": "domain-name.resolves_to_refs", + "object": "nc_public_name", + "references": [ + "nc_public_ip" + ] + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "nc_public_ip", + "ds_key": "resource_instancedetails_networkinterfaces_0_networkinterfaceid", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_ip_type", + "object": "nc_public_ip", + "value": "public", + "cybox": false + } + ], + "resource_instancedetails_networkinterfaces_0_privatednsname": [ + { + "key": "domain-name.value", + "object": "private_dns_name" + } + ], + "resource_instancedetails_networkinterfaces_0_publicdnsname": [ + { + "key": "domain-name.value", + "object": "nc_public_name" + } + ], + "resource_instancedetails_networkinterfaces_1_privateipaddress": [ + { + "key": "ipv4-addr.value", + "object": "nc_private_ip2" + }, + { + "key": "domain-name.resolves_to_refs", + "object": "nc_private_name2", + "references": [ + "nc_private_ip2" + ] + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "nc_private_ip2", + "ds_key": "resource_instancedetails_networkinterfaces_1_networkinterfaceid", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_ip_type", + "object": "nc_private_ip2", + "value": "private", + "cybox": false + } + ], + "resource_instancedetails_networkinterfaces_1_privatednsname": [ + { + "key": "domain-name.value", + "object": "nc_private_name2" + } + ], + "service_action_networkconnectionaction_remoteipdetails_ipaddressv4": [ + { + "key": "ipv4-addr.value", + "object": "nc_remote_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nc_nt", + "references": "nc_remote_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "ibm_finding", + "references": "nc_remote_ip" + }, + { + "key": "x-ibm-finding.dst_geolocation", + "object": "ibm_finding", + "ds_key": 
"service_action_networkconnectionaction_remoteipdetails_country_countryname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_city_name", + "object": "nc_remote_ip", + "ds_key": "service_action_networkconnectionaction_remoteipdetails_city_cityname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_country_name", + "object": "nc_remote_ip", + "ds_key": "service_action_networkconnectionaction_remoteipdetails_country_countryname", + "cybox": false + } + ], + "service_action_networkconnectionaction_localportdetails_port": [ + { + "key": "network-traffic.src_port", + "object": "nc_nt", + "transformer": "ToInteger" + } + ], + "service_action_networkconnectionaction_remoteportdetails_port": [ + { + "key": "network-traffic.dst_port", + "object": "nc_nt", + "transformer": "ToInteger" + } + ], + "service_action_networkconnectionaction_protocol": [ + { + "key": "network-traffic.protocols", + "object": "nc_nt", + "transformer": "ToLowercaseArray" + } + ], + "resource_instancedetails_networkinterfaces_0_subnetid": { + "key": "x-aws-vpc.subnet_id", + "object": "vpc" + }, + "resource_instancedetails_networkinterfaces_0_vpcid": { + "key": "x-aws-vpc.vpc_id", + "object": "vpc" + }, + "resource_instancedetails_networkinterfaces_0_securitygroups_0_groupid": { + "key": "x-aws-vpc.security_group_id", + "object": "vpc" + }, + "resource_instancedetails_networkinterfaces_0_securitygroups_0_groupname": { + "key": "x-aws-vpc.security_group_name", + "object": "vpc" + }, + "resource_instancedetails_imageid": { + "key": "x-aws-instance.image_id", + "object": "instance" + }, + "resource_instancedetails_instanceid": { + "key": "x-aws-instance.instance_id", + "object": "instance" + }, + "resource_instancedetails_availabilityzone": { + "key": "x-aws-instance.availability_zone", + "object": "instance" + }, + "portprobe_resource_instancedetails_networkinterfaces_0_privateipaddress": [ + { + "key": "ipv4-addr.value", + "object": "pp_private_ip1" + }, + { + "key": 
"domain-name.resolves_to_refs", + "object": "private_dns_name", + "references": [ + "pp_private_ip1" + ] + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "ibm_finding", + "references": "pp_private_ip1" + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "pp_private_ip1", + "ds_key": "resource_instancedetails_networkinterfaces_0_networkinterfaceid", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_ip_type", + "object": "pp_private_ip1", + "value": "private", + "cybox": false + } + ], + "service_action_portprobeaction_portprobedetails_0_remoteipdetails_ipaddressv4": [ + { + "key": "ipv4-addr.value", + "object": "pp_remote_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "ibm_finding", + "references": "pp_remote_ip" + }, + { + "key": "x-ibm-finding.dst_geolocation", + "object": "ibm_finding", + "ds_key": "service_action_portprobeaction_portprobedetails_0_remoteipdetails_country_countryname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_city_name", + "object": "pp_remote_ip", + "ds_key": "service_action_portprobeaction_portprobedetails_0_remoteipdetails_city_cityname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_country_name", + "object": "pp_remote_ip", + "ds_key": "service_action_portprobeaction_portprobedetails_0_remoteipdetails_country_countryname", + "cybox": false + } + ], + "service_action_portprobeaction_portprobedetails_0_localportdetails_port": [ + { + "key": "x-ibm-finding.probe_port", + "object": "ibm_finding" + } + ], + "service_action_awsapicallaction_remoteipdetails_ipaddressv4": [ + { + "key": "ipv4-addr.value", + "object": "api_remote_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "ibm_finding", + "references": "api_remote_ip" + }, + { + "key": "x-ibm-finding.dst_geolocation", + "object": "ibm_finding", + "ds_key": "service_action_awsapicallaction_remoteipdetails_country_countryname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_city_name", + "object": 
"api_remote_ip", + "ds_key": "service_action_awsapicallaction_remoteipdetails_city_cityname", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_remote_country_name", + "object": "api_remote_ip", + "ds_key": "service_action_awsapicallaction_remoteipdetails_country_countryname", + "cybox": false + } + ], + "resource_accesskeydetails_principalid": { + "key": "user-account.user_id", + "object": "api_user" + }, + "resource_accesskeydetails_username": { + "key": "user-account.account_login", + "object": "api_user" + }, + "resource_accesskeydetails_accesskeyid": { + "key": "x-aws-api.access_key_id", + "object": "api_details" + }, + "service_action_awsapicallaction_api": { + "key": "x-aws-api.api", + "object": "api_details" + }, + "service_action_awsapicallaction_servicename": { + "key": "x-aws-api.service_name", + "object": "api_details" + }, + "dnsrequest_resource_instancedetails_networkinterfaces_0_privateipaddress": [ + { + "key": "ipv4-addr.value", + "object": "dns_private_ip1" + }, + { + "key": "domain-name.resolves_to_refs", + "object": "private_dns_name", + "references": [ + "dns_private_ip1" + ] + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "ibm_finding", + "references": "dns_private_ip1" + }, + { + "key": "ipv4-addr.x_aws_interface_id", + "object": "dns_private_ip1", + "ds_key": "resource_instancedetails_networkinterfaces_0_networkinterfaceid", + "cybox": false + }, + { + "key": "ipv4-addr.x_aws_ip_type", + "object": "dns_private_ip1", + "value": "private", + "cybox": false + } + ], + "service_action_dnsrequestaction_domain": [ + { + "key": "domain-name.value", + "object": "dns_domain_name" + } + ], + "accountid": { + "key": "x-aws-details.account_id", + "object": "aws_details" + }, + "region": { + "key": "x-aws-details.region", + "object": "aws_details" + }, + "severity": { + "key": "x-ibm-finding.severity", + "object": "ibm_finding" + }, + "title": { + "key": "x-ibm-finding.name", + "object": "ibm_finding" + }, + "type": { + "key": 
"x-ibm-finding.finding_type", + "object": "ibm_finding" + }, + "description": { + "key": "x-ibm-finding.description", + "object": "ibm_finding" + }, + "resource_instancedetails_platform": [ + { + "key": "software.name", + "object": "software" + }, + { + "key": "x-ibm-finding.src_os_ref", + "object": "ibm_finding", + "references": "software" + } + ], + "service_eventfirstseen": [ + { + "key": "first_observed", + "cybox": false + }, + { + "key": "x-ibm-finding.start", + "object": "ibm_finding" + } + ], + "service_eventlastseen": [ + { + "key": "last_observed", + "cybox": false + }, + { + "key": "x-ibm-finding.end", + "object": "ibm_finding" + } + ] + } +} \ No newline at end of file diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/vpcflow_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/vpcflow_from_stix_map.json new file mode 100644 index 000000000..30312852f --- /dev/null +++ b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/vpcflow_from_stix_map.json @@ -0,0 +1,39 @@ +{ + "ipv4-addr": { + "fields": { + "value": ["sourceaddress", "destinationaddress"], + "x_aws_interface_id": ["interfaceId"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["sourceaddress", "destinationaddress"], + "x_aws_interface_id": ["interfaceid"] + } + }, + "network-traffic": { + "fields": { + "src_port": ["sourceport"], + "dst_port": ["destinationport"], + "src_ref.value": ["sourceaddress"], + "dst_ref.value": ["destinationaddress"], + "protocols[*]": ["protocol"], + "start": ["starttime"], + "end": ["endtime"] + } + }, + "x-aws-details": { + "fields": { + "account_id": ["account"] + } + }, + "x-ibm-finding": { + "fields": { + "finding_type": ["action"], + "src_ip_ref.value": ["sourceaddress"], + "dst_ip_ref.value": ["destinationaddress"], + "start": ["starttime"], + "end": ["endtime"] + } + } +} \ No newline at end of file 
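Review bot: In the new vpcflow_from_stix_map.json the ipv4-addr `x_aws_interface_id` entry names the column `interfaceId`, while the ipv6-addr entry two lines below and the to-STIX side of this same commit (`"ds_key": "interfaceid"`) use `interfaceid`. From-STIX field names feed the generated Athena WHERE clause, so a mixed-case column name is at best an inconsistency and, if any part of the query path compares identifiers case-sensitively, would make a pattern on `ipv4-addr:x_aws_interface_id` silently match nothing. Change the line to `"x_aws_interface_id": ["interfaceid"]` so both address types agree with the result mapping. Whether Athena folds the identifier case for this table is not visible here and should be confirmed with a query test.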
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
index d52e047a3..3755ea9de 100644
--- a/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
@@ -26,6 +26,10 @@
 "object": "x_oca_event",
 "transformer": "ToInteger"
 },
+ "activity_name": {
+ "key": "x-oca-event.action",
+ "object": "x_oca_event"
+ },
 "api": {
 "operation": {
 "key": "x-ocsf-cloud.operation",
@@ -90,6 +94,45 @@
 "object": "ocsf_cloud_api"
 }
 },
+ "attacks": {
+ "tactics": {
+ "name": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_name",
+ "object": "ttp-tagging"
+ },
+ "uid": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_id",
+ "object": "ttp-tagging"
+ }
+ },
+ "technique": {
+ "name": [
+ {
+ "key": "x-ibm-ttp-tagging.name",
+ "object": "ttp-tagging"
+ },
+ {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
+ "object": "ttp-tagging"
+ },
+ {
+ "key": "x-ibm-finding.ttp_tagging_refs",
+ "object": "ibm_finding",
+ "references": [
+ "ttp-tagging"
+ ]
+ }
+ ],
+ "uid": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_id",
+ "object": "ttp-tagging"
+ }
+ },
+ "version": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.versoin",
+ "object": "ttp-tagging"
+ }
+ },
 "category_name": {
 "key": "x-oca-event.category",
 "object": "x_oca_event"
@@ -147,6 +190,24 @@
 "object": "ocsf_cloud_api"
 }
 },
+ "compliance": {
+ "requirements": {
+ "key": "x-ocsf-compliance.requirements",
+ "object": "compliance"
+ },
+ "status": {
+ "key": "x-ocsf-compliance.status",
+ "object": "compliance"
+ },
+ "status_detail": {
+ "key": "x-ocsf-compliance.status_detail",
+ "object": "compliance"
+ }
+ },
+ "confidence": {
+ "key": "x-oca-event.confidence",
+ "object": "x-oca-event"
+ },
 "count": [
 {
 "key": "number_observed",
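Review bot: The `version` entry added under `attacks` writes to `x-ibm-ttp-tagging.extensions.mitre-attack-ext.versoin`, which reads as a transposition of `version`; any consumer or schema check keyed on `mitre-attack-ext.version` will miss the value, and the misspelled property will be emitted on every tagged event. Change the line to `"key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.version",`. The `technique.name` array also adds a `ttp_tagging_refs` reference onto `ibm_finding`; whether that object exists on every event path that carries `attacks` is not visible from this hunk and is worth a unit test with a non-finding record.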
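Review bot: The new `confidence` entry is attached to object `x-oca-event`, whereas every other x-oca-event property in this file (`activity_name`, `category_name`, `duration` in the neighbouring hunks) uses `x_oca_event`. The to-STIX mapper groups properties by this object name, so `confidence` would presumably be emitted on a second, separate x-oca-event object instead of the event the other fields populate. Change it to `"object": "x_oca_event"` to keep one event object per record.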
@@ -159,6 +220,10 @@
 "object": "ibm_finding"
 }
 ],
+ "data": {
+ "key": "x-oca-event.extensions.x-ocsf-data.data",
+ "object": "x-oca-event"
+ },
 "duration": {
 "key": "x-oca-event.duration",
 "object": "x_oca_event",
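Review bot: The new `data` entry uses `"object": "x-oca-event"` while the `duration` context line directly below it (and the rest of the file's x-oca-event fields) use `x_oca_event`, so the value would presumably be split into its own x-oca-event object rather than merged with the event. Change it to `"object": "x_oca_event"`. Separately, this maps the source record's raw `data` payload verbatim into `x-oca-event.extensions.x-ocsf-data.data`; if that blob can carry the unredacted original event, confirm that exposing it to every downstream STIX consumer is intended before merging.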
@@ -198,6 +263,80 @@
 "object": "enrichments"
 }
 },
+ "finding": {
+ "created_time": {
+ "key": "x-ibm-finding.start",
+ "object": "ibm_finding"
+ },
+ "desc": {
+ "key": "x-ibm-finding.description",
+ "object": "ibm_finding"
+ },
+ "first_seen_time": {
+ "key": "x-ibm-finding.time_observed",
+ "object": "ibm_finding"
+ },
+ "last_seen_time": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.last_seen_time",
+ "object": "ibm_finding"
+ },
+ "modified_time": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.modified_time",
+ "object": "ibm_finding"
+ },
+ "product_uid": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.product_uid",
+ "object": "ibm_finding"
+ },
+ "related_events": {
+ "product_uid": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.product_uid",
+ "object": "ibm_finding"
+ },
+ "type": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.type",
+ "object": "ibm_finding"
+ },
+ "type_uid": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.type_uid",
+ "object": "ibm_finding"
+ },
+ "uid": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.uid",
+ "object": "ibm_finding"
+ }
+ },
+ "remediation": {
+ "desc": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.remediation_desc",
+ "object": "ibm_finding"
+ },
+ "kb_articles": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.remediation_kb_articles",
+ "object": "ibm_finding"
+ }
+ },
+ "src_url": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.src_url",
+ "object": "ibm_finding"
+ },
+ "supporting_data": {
+ "key": "x-ibm-finding.extensions.x-ocsf-findings.upporting_data",
+ "object": "ibm_finding"
+ },
+ "title": {
+ "key": "x-ibm-finding.name",
+ "object": "ibm_finding"
+ },
+ "types": {
+ "key": "x-ibm-finding.types",
+ "object": "ibm_finding"
+ },
+ "uid": {
+ "key": "x-ibm-finding.alert_id",
+ "object": "ibm_finding"
+ }
+ },
 "http_request": {
 "args": {
 "key": "x-ocsf-http-request.value",
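Review bot: The `supporting_data` entry writes to `x-ibm-finding.extensions.x-ocsf-findings.upporting_data`, which has lost its leading `s`; change the line to `"key": "x-ibm-finding.extensions.x-ocsf-findings.supporting_data",`. In the same hunk `finding.product_uid` and `finding.related_events.product_uid` both target `x-ocsf-findings.product_uid` on the same `ibm_finding` object, so when a record carries both, whichever the mapper processes last silently overwrites the other; giving the related-events one its own key such as `related_events_product_uid` would preserve both. Mapping `created_time` to `x-ibm-finding.start` and `first_seen_time` to `time_observed` is a design choice that cannot be judged from this hunk alone but may be worth a second look against the OCSF finding definitions.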
@@ -420,6 +559,134 @@ } } }, + "malware": { + "classification_ids": { + "key": "x-ocsf-malware.classification_ids", + "object": "malware" + }, + "classifications": { + "key": "x-ocsf-malware.classifications", + "object": "malware" + }, + "cves": { + "created_time": { + "key": "x-ocsf-malware.created_time", + "object": "malware" + }, + "cvss": { + "base_score": { + "key": "x-ocsf-malware.base_score", + "object": "malware" + }, + "depth": { + "key": "x-ocsf-malware.depth", + "object": "malware" + }, + "metrics": { + "name": { + "key": "x-ocsf-malware.name", + "object": "malware" + }, + "value": { + "key": "x-ocsf-malware.value", + "object": "malware" + } + }, + "overall_score": { + "key": "x-ocsf-malware.overall_score", + "object": "malware" + }, + "severity": { + "key": "x-ocsf-malware.severity", + "object": "malware" + }, + "vector_string": { + "key": "x-ocsf-malware.vector_string", + "object": "malware" + }, + "version": { + "key": "x-ocsf-malware.version", + "object": "malware" + } + }, + "cwe_uid": { + "key": "x-ocsf-malware.cwe_uid", + "object": "malware" + }, + "cwe_url": { + "key": "x-ocsf-malware.cwe_url", + "object": "malware" + }, + "modified_time": { + "key": "x-ocsf-malware.modified_time", + "object": "malware" + }, + "product": { + "feature": { + "name": { + "key": "software.extensions.x-ocsf-product-ext.feature_name", + "object": "malware-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.feature_uid", + "object": "malware-software" + }, + "version": { + "key": "software.extensions.x-ocsf-product-ext.feature_version", + "object": "malware-software" + } + }, + "lang": { + "key": "software.languages", + "object": "malware-software" + }, + "name": { + "key": "software.name", + "object": "malware-software" + }, + "path": { + "key": "software.extensions.x-ocsf-product-ext.installed_path", + "object": "malware-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.product_uid", + "object": "malware-software" + }, + 
"vendor_name": { + "key": "software.vendor", + "object": "malware-software" + }, + "version": { + "key": "software.version", + "object": "malware-software" + } + }, + "type": { + "key": "x-ocsf-malware.type", + "object": "malware" + }, + "uid": { + "key": "x-ocsf-malware.uid", + "object": "malware" + } + }, + "name": { + "key": "x-ocsf-malware.name", + "object": "malware" + }, + "path": { + "key": "x-ocsf-malware.path", + "object": "malware" + }, + "provider": { + "key": "x-ocsf-malware.provider", + "object": "malware" + }, + "uid": { + "key": "x-ocsf-malware.uid", + "object": "malware" + } + }, "message": { "key": "x-ocsf-cloud.message", "object": "ocsf_cloud_api" 
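Review bot: Several nested CVE attributes share a target key with a top-level malware attribute inside the same `malware` object: `cves.uid` and the outer `uid` both map to `x-ocsf-malware.uid`, and `cves.cvss.metrics.name` and the outer `name` both map to `x-ocsf-malware.name` (the `cves.created_time`, `cves.modified_time`, `cvss.severity` and `cvss.version` entries likewise drop their CVE context). When a record carries both, the later-processed value overwrites the earlier one, and the CVE identifier is the value a consumer is most likely to want intact. Suggest prefixing the nested keys, e.g. `"key": "x-ocsf-malware.cve_uid"` and `"key": "x-ocsf-malware.cvss_metric_name"`, so each attribute survives translation.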
@@ -448,41 +715,41 @@
 "product": {
 "feature": {
 "name": {
- "key": "software.extension.product.feature_name",
- "object": "software"
+ "key": "software.extensions.x-ocsf-product-ext.feature_name",
+ "object": "metadata-software"
 },
 "uid": {
- "key": "software.extension.product.feature_uid",
- "object": "software"
+ "key": "software.extensions.x-ocsf-product-ext.feature_uid",
+ "object": "metadata-software"
 },
 "version": {
- "key": "software.extension.product.feature_version",
- "object": "software"
+ "key": "software.extensions.x-ocsf-product-ext.feature_version",
+ "object": "metadata-software"
 }
 },
 "lang": {
 "key": "software.languages",
- "object": "software"
+ "object": "metadata-software"
 },
 "name": {
 "key": "software.name",
- "object": "software"
+ "object": "metadata-software"
 },
 "path": {
- "key": "software.extension.product.path",
- "object": "software"
+ "key": "software.extensions.x-ocsf-product-ext.installed_path",
+ "object": "metadata-software"
 },
 "uid": {
- "key": "software.extension.product.uid",
- "object": "software"
+ "key": "software.extensions.x-ocsf-product-ext.product_uid",
+ "object": "metadata-software"
 },
 "vendor_name": {
 "key": "software.vendor",
- "object": "software"
+ "object": "metadata-software"
 },
 "version": {
 "key": "software.version",
- "object": "software"
+ "object": "metadata-software"
 }
 },
 "sequence": {
@@ -500,139 +767,1396 @@ } }, "observables": { - "name": { - "key": "x-ibm-finding.name", - "object": "ibm_finding" - }, - "type": { - "key": "x-ibm-finding.finding_type", - "object": "ibm_finding" - }, - "type_id": { - "key": "x-ibm-finding.alert_id", - "object": "ibm_finding", - "transformer": "ToInteger" - }, - "value": { - "key": "x-ibm-finding.description", - "object": "ibm_finding" - } - }, - "profiles": { - "key": "x-ocsf-cloud.profiles", - "object": "ocsf_cloud_api" - }, - "raw_data": { - "key": "x-ocsf-cloud.raw_data", - "object": "ocsf_cloud_api" - }, - "ref_event_code": { - "key": "x-ocsf-cloud.ref_event_code", - "object": "ocsf_cloud_api" - }, - "ref_event_name": { - "key": "x-ocsf-cloud.ref_event_name", - "object": "ocsf_cloud_api" - }, - "ref_event_uid": { - "key": "x-ocsf-cloud.ref_event_uid", - "object": "ocsf_cloud_api" - }, - "ref_time": { - "key": "x-ocsf-cloud.ref_time", - "object": "ocsf_cloud_api" - }, - "resources": { - "account_uid": [ + "name": [ { - "key": "x-ocsf-resources.account_uid", - "object": "resources" + "key": "x-ibm-observables.name", + "object": "observables" }, { - "key": "x-ocsf-resources.cloud_api_ref", - "object": "resources", - "references": "ocsf_cloud_api" + "key": "x-ibm-finding.ioc_refs", + "object": "ibm_finding", + "references": [ + "observables" + ] } ], - "cloud_partition": { - "key": "x-ocsf-resources.cloud_partition", - "object": "resources" - }, - "criticality": { - "key": "x-ocsf-resources.criticality", - "object": "resources" - }, - "details": { - "key": "x-ocsf-resources.details", - "object": "resources" - }, - "group_name": { - "key": "x-ocsf-resources.group_name", - "object": "resources" - }, - "labels": { - "key": "x-ocsf-resources.labels", - "object": "resources" - }, - "name": { - "key": "x-ocsf-resources.name", - "object": "resources" - }, - "owner": { - "key": "x-ocsf-resources.owner", - "object": "resources" - }, - "region": { - "key": "x-ocsf-resources.region", - "object": "resources" - }, "type": { 
- "key": "x-ocsf-resources.type", - "object": "resources" + "key": "x-ibm-observables.finding_type", + "object": "observables" }, - "uid": { - "key": "x-ocsf-resources.uid", - "object": "resources" - } - }, - "severity": { - "key": "x-ocsf-cloud.severity", - "object": "ocsf_cloud_api" - }, - "severity_id": { - "key": "x-ibm-finding.severity", - "object": "ibm_finding", - "transformer": "ToInteger" - }, - "src_endpoint": { - "port": { - "key": "network-traffic.src_port", - "object": "nt", + "type_id": { + "key": "x-ibm-observables.alert_id", + "object": "observables", "transformer": "ToInteger" }, - "svc_name": { - "key": "x-oca-asset.extensions.x-src-endpoint.svc_name", - "object": "asset" - }, - "ip": [ - { - "key": "ipv4-addr.value", - "object": "src_ip", - "transformer": "CheckIPv4" + "value": { + "key": "x-ibm-observables.description", + "object": "observables" + } + }, + "process": { + "cmd_line": { + "key": "process.command_line", + "object": "process" + }, + "created_time": { + "key": "process.created", + "object": "process" + }, + "file": { + "accessed_time": { + "key": "file.accessed", + "object": "file" }, - { - "key": "ipv6-addr.value", - "object": "src_ip", - "transformer": "CheckIPv6" + "accessor": { + "account_type": { + "key": "user-account.account_type", + "object": "accessor-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "accessor-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "accessor-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "accessor-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "accessor-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + 
"object": "accessor-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "accessor-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "accessor-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "accessor-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "accessor-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "accessor-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "accessor-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "accessor-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "accessor-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "accessor-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "accessor-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "accessor-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "accessor-user-account" + } }, - { + "attributes": { + "key": "file.extensions.x-ocsf-file-ext.attributes", + "object": "file" + }, + "company_name": { + "key": "file.extensions.x-ocsf-file-ext.company_name", + "object": "file" + }, + "confidentiality": { + "key": "file.extensions.x-ocsf-file-ext.confidentiality", + "object": "file" + }, + "confidentiality_id": { + "key": "file.extensions.x-ocsf-file-ext.confidentiality_id", + "object": "file" + }, + "created_time": { + "key": "file.created", + "object": "file" + }, + "creator": { + "account_type": { + "key": "user-account.account_type", + "object": "creator-user-account" + }, + 
"account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "creator-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "creator-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "creator-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "creator-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "creator-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "creator-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "creator-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "creator-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "creator-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "creator-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "creator-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "creator-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "creator-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "creator-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "creator-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "creator-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "creator-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + 
"object": "creator-user-account" + } + }, + "desc": { + "key": "file.extensions.x-ocsf-file-ext.description", + "object": "file" + }, + "fingerprints": { + "algorithm": { + "key": "file.extensions.x-ocsf-file-ext.algorithm", + "object": "file" + }, + "algorithm_id": { + "key": "file.extensions.x-ocsf-file-ext.algorithm_id", + "object": "file" + }, + "value": { + "key": "file.extensions.x-ocsf-file-ext.algorithm_value", + "object": "file" + } + }, + "is_system": { + "key": "process.extensions.x-ocsf-process-ext.is_system", + "object": "process" + }, + "mime_type": { + "key": "process.mime_type", + "object": "process" + }, + "modified_time": { + "key": "process.extensions.x-ocsf-process-ext.modified_time", + "object": "process" + }, + "modifier": { + "account_type": { + "key": "user-account.account_type", + "object": "modifier-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "modifier-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "modifier-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "modifier-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "modifier-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "modifier-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "modifier-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "modifier-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "modifier-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "modifier-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + 
"object": "modifier-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "modifier-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "modifier-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "modifier-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "modifier-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "modifier-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "modifier-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "modifier-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "modifier-user-account" + } + }, + "name": [ + { + "key": "file.name", + "object": "file" + }, + { + "key": "process.binary_ref", + "object": "process", + "references": "file" + } + ], + "owner": { + "account_type": { + "key": "user-account.account_type", + "object": "owner-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "owner-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "owner-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "owner-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "owner-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "owner-user-account" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "owner-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "owner-user-account" + }, + 
"privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "owner-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "owner-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "owner-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "owner-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "owner-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "owner-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "owner-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "owner-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "owner-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "owner-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "owner-user-account" + } + }, + "parent_folder": [ + { + "key": "directory.path", + "object": "directory" + }, + { + "key": "file.parent_directory_ref", + "object": "file", + "references": "directory" + } + ], + "path": { + "key": "file.extensions.x-ocsf-file-ext.path", + "object": "file" + }, + "product": { + "feature": { + "name": { + "key": "software.extensions.x-ocsf-product-ext.feature_name", + "object": "file1-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.feature_uid", + "object": "file1-software" + }, + "version": { + "key": "software.extensions.x-ocsf-product-ext.feature_version", + "object": "file1-software" + } + }, + "lang": { + "key": "software.languages", + "object": "file1-software" + }, + "name": { + "key": "software.name", + "object": "file1-software" + }, + "path": { + 
"key": "software.extensions.x-ocsf-product-ext.installed_path", + "object": "file1-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.product_uid", + "object": "file1-software" + }, + "vendor_name": { + "key": "software.vendor", + "object": "file1-software" + }, + "version": { + "key": "software.version", + "object": "file1-software" + } + }, + "security_descriptor": { + "key": "file.extensions.x-ocsf-file-ext.security_descriptor", + "object": "file" + }, + "signature": { + "key": "file.extensions.x-ocsf-file-ext.signature", + "object": "file" + }, + "size": { + "key": "file.size", + "object": "file" + }, + "type": { + "key": "file.extensions.x-ocsf-file-ext.type", + "object": "file" + }, + "type_id": { + "key": "file.extensions.x-ocsf-file-ext.type_id", + "object": "file" + }, + "uid": { + "key": "file.extensions.x-ocsf-file-ext.uid", + "object": "file" + }, + "version": { + "key": "file.extensions.x-ocsf-file-ext.version", + "object": "file" + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "process" + } + }, + "integrity": { + "key": "process.extensions.x-ocsf-process-ext.integrity", + "object": "process" + }, + "integrity_id": { + "key": "process.extensions.x-ocsf-process-ext.integrity_id", + "object": "process" + }, + "lineage": { + "key": "process.extensions.x-ocsf-process-ext.lineage", + "object": "process" + }, + "loaded_modules": { + "key": "process.extensions.x-ocsf-process-ext.loaded_modules", + "object": "process" + }, + "name": { + "key": "process.name", + "object": "process" + }, + "parent-process": { + "cmd_line": { + "key": "process.command_line", + "object": "parent-process" + }, + "created_time": { + "key": "process.created", + "object": "parent-process" + }, + "file": { + "accessed_time": { + "key": "file.accessed", + "object": "parent-file" + }, + "accessor": { + "account_type": { + "key": "user-account.account_type", + "object": "parent-accessor-user-account" + }, + 
"account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "parent-accessor-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "parent-accessor-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-accessor-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-accessor-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-accessor-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-accessor-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-accessor-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-accessor-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-accessor-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-accessor-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-accessor-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-accessor-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-accessor-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-accessor-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-accessor-user-account" + }, + "uid": { + "key": 
"user-account.user_id", + "object": "parent-accessor-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "parent-accessor-user-account" + } + }, + "attributes": { + "key": "file.extensions.x-ocsf-file-ext.attributes", + "object": "parent-file" + }, + "company_name": { + "key": "file.extensions.x-ocsf-file-ext.company_name", + "object": "parent-file" + }, + "confidentiality": { + "key": "file.extensions.x-ocsf-file-ext.confidentiality", + "object": "parent-file" + }, + "confidentiality_id": { + "key": "file.extensions.x-ocsf-file-ext.confidentiality_id", + "object": "parent-file" + }, + "created_time": { + "key": "file.created", + "object": "parent-file" + }, + "creator": { + "account_type": { + "key": "user-account.account_type", + "object": "parent-creator-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "parent-creator-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "parent-creator-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-creator-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-creator-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-creator-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-creator-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-creator-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-creator-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-creator-user-account" + }, + "uid": { + "key": 
"user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-creator-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-creator-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-creator-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-creator-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-creator-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-creator-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-creator-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "parent-creator-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "parent-creator-user-account" + } + }, + "desc": { + "key": "file.extensions.x-ocsf-file-ext.description", + "object": "parent-file" + }, + "fingerprints": { + "algorithm": { + "key": "file.extensions.x-ocsf-file-ext.algorithm", + "object": "parent-file" + }, + "algorithm_id": { + "key": "file.extensions.x-ocsf-file-ext.algorithm_id", + "object": "parent-file" + }, + "value": { + "key": "file.extensions.x-ocsf-file-ext.algorithm_value", + "object": "parent-file" + } + }, + "is_system": { + "key": "process.extensions.x-ocsf-process-ext.is_system", + "object": "parent-process" + }, + "mime_type": { + "key": "process.mime_type", + "object": "parent-process" + }, + "modified_time": { + "key": "process.extensions.x-ocsf-process-ext.modified_time", + "object": "parent-process" + }, + "modifier": { + "account_type": { + "key": "user-account.account_type", + "object": "parent-modifier-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": 
"parent-modifier-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "parent-modifier-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-modifier-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-modifier-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-modifier-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-modifier-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-modifier-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-modifier-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-modifier-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-modifier-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-modifier-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-modifier-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-modifier-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-modifier-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-modifier-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-modifier-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "parent-modifier-user-account" + }, + "uuid": { + "key": 
"user-account.extensions.x-accessor-ext.uuid", + "object": "parent-modifier-user-account" + } + }, + "name": [ + { + "key": "file.name", + "object": "parent-file" + }, + { + "key": "process.binary_ref", + "object": "parent-process", + "references": "parent-file" + } + ], + "owner": { + "account_type": { + "key": "user-account.account_type", + "object": "parent-owner-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "parent-owner-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "parent-owner-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-owner-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-owner-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-owner-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-owner-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-owner-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-owner-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-owner-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-owner-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-owner-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-owner-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-owner-user-account" + }, + "session_uuid": { + "key": 
"user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-owner-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-owner-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-owner-user-account" + }, + "uid": { + "key": "user-account.user_id", + "object": "parent-owner-user-account" + }, + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "parent-owner-user-account" + } + }, + "parent_folder": [ + { + "key": "directory.path", + "object": "parent-directory" + }, + { + "key": "file.parent_directory_ref", + "object": "parent-file", + "references": "parent-directory" + } + ], + "path": { + "key": "file.extensions.x-ocsf-file-ext.path", + "object": "parent-file" + }, + "product": { + "feature": { + "name": { + "key": "software.extensions.x-ocsf-product-ext.feature_name", + "object": "file-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.feature_uid", + "object": "file-software" + }, + "version": { + "key": "software.extensions.x-ocsf-product-ext.feature_version", + "object": "file-software" + } + }, + "lang": { + "key": "software.languages", + "object": "file-software" + }, + "name": { + "key": "software.name", + "object": "file-software" + }, + "path": { + "key": "software.extensions.x-ocsf-product-ext.installed_path", + "object": "file-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.product_uid", + "object": "file-software" + }, + "vendor_name": { + "key": "software.vendor", + "object": "file-software" + }, + "version": { + "key": "software.version", + "object": "file-software" + } + }, + "security_descriptor": { + "key": "file.extensions.x-ocsf-file-ext.security_descriptor", + "object": "parent-file" + }, + "signature": { + "key": "file.extensions.x-ocsf-file-ext.signature", + "object": "parent-file" + }, + "size": { + "key": "file.size", + "object": 
"parent-file" + }, + "type": { + "key": "file.extensions.x-ocsf-file-ext.type", + "object": "parent-file" + }, + "type_id": { + "key": "file.extensions.x-ocsf-file-ext.type_id", + "object": "parent-file" + }, + "uid": { + "key": "file.extensions.x-ocsf-file-ext.uid", + "object": "parent-file" + }, + "version": { + "key": "file.extensions.x-ocsf-file-ext.version", + "object": "parent-file" + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "parent-process" + } + }, + "integrity": { + "key": "process.extensions.x-ocsf-process-ext.integrity", + "object": "parent-process" + }, + "integrity_id": { + "key": "process.extensions.x-ocsf-process-ext.integrity_id", + "object": "parent-process" + }, + "lineage": { + "key": "process.extensions.x-ocsf-process-ext.lineage", + "object": "parent-process" + }, + "loaded_modules": { + "key": "process.extensions.x-ocsf-process-ext.loaded_modules", + "object": "parent-process" + }, + "name": { + "key": "process.name", + "object": "parent-process" + }, + "pid": [ + { + "key": "process.pid", + "object": "parent-process" + }, + { + "key": "process.child_refs", + "object": "parent-process", + "references": [ + "process" + ] + } + ], + "sandbox": { + "key": "process.extensions.x-ocsf-process-ext.loaded_modules", + "object": "parent-process" + }, + "terminated_time": { + "key": "process.extensions.x-ocsf-process-ext.terminated_time", + "object": "parent-process" + }, + "tid": { + "key": "process.extensions.x-ocsf-process-ext.tid", + "object": "parent-process" + }, + "uid": { + "key": "process.x_unique_id", + "object": "parent-process" + }, + "user": { + "account_type": { + "key": "user-account.account_type", + "object": "parent-process-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "parent-process-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": 
"parent-process-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "parent-process-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "parent-process-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "parent-process-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "parent-process-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "parent-process-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "parent-process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "parent-process-user-account" + }, + "uid": { + "key": "user-account.extensions.x-accessor-ext.group_uid", + "object": "parent-process-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "parent-process-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "parent-process-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "parent-process-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "parent-process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "parent-process-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "parent-process-user-account" + }, + "uid": [ + { + "key": "user-account.user_id", + "object": "parent-process-user-account" + }, + { + "key": "user-account.creator_user_ref", + "object": "parent-process", + "references": "process-user-account" + } + ], + "uuid": { + "key": 
"user-account.extensions.x-accessor-ext.uuid", + "object": "parent-process-user-account" + } + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "parent-process" + } + }, + "pid": [ + { + "key": "process.pid", + "object": "process" + }, + { + "key": "process.parent_ref", + "object": "process", + "references": [ + "parent-process" + ] + } + ], + "sandbox": { + "key": "process.extensions.x-ocsf-process-ext.loaded_modules", + "object": "process" + }, + "terminated_time": { + "key": "process.extensions.x-ocsf-process-ext.terminated_time", + "object": "process" + }, + "tid": { + "key": "process.extensions.x-ocsf-process-ext.tid", + "object": "process" + }, + "uid": { + "key": "process.x_unique_id", + "object": "process" + }, + "user": { + "account_type": { + "key": "user-account.account_type", + "object": "process-user-account" + }, + "account_type_id": { + "key": "user-account.extensions.x-accessor-ext.account_type_id", + "object": "process-user-account" + }, + "account_uid": { + "key": "user-account.extensions.x-accessor-ext.account_uid", + "object": "process-user-account" + }, + "credential_uid": { + "key": "user-account.extensions.x-accessor-ext.credential_uid", + "object": "process-user-account" + }, + "domain": { + "key": "user-account.extensions.x-accessor-ext.domain", + "object": "process-user-account" + }, + "email_addr": { + "key": "email-addr.value", + "object": "process-email-addr" + }, + "groups": { + "desc": { + "key": "user-account.extensions.x-accessor-ext.group_desc", + "object": "process-user-account" + }, + "name": { + "key": "user-account.extensions.x-accessor-ext.group_name", + "object": "process-user-account" + }, + "privileges": { + "key": "user-account.extensions.x-accessor-ext.group_privileges", + "object": "process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.group_type", + "object": "process-user-account" + }, + "uid": { + "key": 
"user-account.extensions.x-accessor-ext.group_uid", + "object": "process-user-account" + } + }, + "name": { + "key": "user-account.display_name", + "object": "process-user-account" + }, + "org_uid": { + "key": "user-account.extensions.x-accessor-ext.org_uid", + "object": "process-user-account" + }, + "session_uid": { + "key": "user-account.extensions.x-accessor-ext.session_uid", + "object": "process-user-account" + }, + "session_uuid": { + "key": "user-account.extensions.x-accessor-ext.session_uuid", + "object": "process-user-account" + }, + "type": { + "key": "user-account.extensions.x-accessor-ext.type", + "object": "process-user-account" + }, + "type_id": { + "key": "user-account.extensions.x-accessor-ext.type_id", + "object": "process-user-account" + }, + "uid": [ + { + "key": "user-account.user_id", + "object": "process-user-account" + }, + { + "key": "user-account.creator_user_ref", + "object": "process", + "references": "process-user-account" + } + ], + "uuid": { + "key": "user-account.extensions.x-accessor-ext.uuid", + "object": "process-user-account" + } + }, + "xattributes": { + "key": "process.extensions.x-ocsf-process-ext.xattributes", + "object": "process" + } + }, + "profiles": { + "key": "x-ocsf-cloud.profiles", + "object": "ocsf_cloud_api" + }, + "raw_data": { + "key": "x-ocsf-cloud.raw_data", + "object": "ocsf_cloud_api" + }, + "ref_event_code": { + "key": "x-ocsf-cloud.ref_event_code", + "object": "ocsf_cloud_api" + }, + "ref_event_name": { + "key": "x-ocsf-cloud.ref_event_name", + "object": "ocsf_cloud_api" + }, + "ref_event_uid": { + "key": "x-ocsf-cloud.ref_event_uid", + "object": "ocsf_cloud_api" + }, + "ref_time": { + "key": "x-ocsf-cloud.ref_time", + "object": "ocsf_cloud_api" + }, + "resources": { + "account_uid": [ + { + "key": "x-ocsf-resources.account_uid", + "object": "resources" + }, + { + "key": "x-ocsf-resources.cloud_api_ref", + "object": "resources", + "references": "ocsf_cloud_api" + } + ], + "cloud_partition": { + "key": 
"x-ocsf-resources.cloud_partition", + "object": "resources" + }, + "criticality": { + "key": "x-ocsf-resources.criticality", + "object": "resources" + }, + "details": { + "key": "x-ocsf-resources.details", + "object": "resources" + }, + "group_name": { + "key": "x-ocsf-resources.group_name", + "object": "resources" + }, + "labels": { + "key": "x-ocsf-resources.labels", + "object": "resources" + }, + "name": { + "key": "x-ocsf-resources.name", + "object": "resources" + }, + "owner": { + "key": "x-ocsf-resources.owner", + "object": "resources" + }, + "region": { + "key": "x-ocsf-resources.region", + "object": "resources" + }, + "type": { + "key": "x-ocsf-resources.type", + "object": "resources" + }, + "uid": { + "key": "x-ocsf-resources.uid", + "object": "resources" + } + }, + "severity": { + "key": "x-ocsf-cloud.severity", + "object": "ocsf_cloud_api" + }, + "severity_id": { + "key": "x-ibm-finding.severity", + "object": "ibm_finding", + "transformer": "ToInteger" + }, + "src_endpoint": { + "port": { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + }, + "svc_name": { + "key": "x-oca-asset.extensions.x-src-endpoint.svc_name", + "object": "asset" + }, + "ip": [ + { + "key": "ipv4-addr.value", + "object": "src_ip", + "transformer": "CheckIPv4" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip", + "transformer": "CheckIPv6" + }, + { "key": "network-traffic.src_ref", "object": "nt", "references": "src_ip" }, { "key": "x-ibm-finding.src_ip_ref", - "object": "finding", + "object": "ibm_finding", "references": "src_ip" }, { @@ -721,7 +2245,7 @@ }, { "key": "x-ibm-finding.dst_ip_ref", - "object": "finding", + "object": "ibm_finding", "references": "dst_ip" }, { 
@@ -843,18 +2367,11 @@
 "object": "nt"
 }
 },
- "start_time": [
- {
- "key": "x-ibm-finding.start",
- "object": "ibm_finding",
- "transformer": "EpochToTimestamp"
- },
- {
- "key": "first_observed",
- "cybox": false,
- "transformer": "EpochToTimestamp"
- }
- ],
+ "start_time": {
+ "key": "first_observed",
+ "cybox": false,
+ "transformer": "EpochToTimestamp"
+ },
 "status": {
 "key": "x-ocsf-cloud.status",
 "object": "ocsf_cloud_api"
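Review bot: Dropping the `x-ibm-finding.start` entry from `start_time` means the OCSF to-STIX output no longer carries a finding start time, while the stix-to-query test in this same patch now resolves `x-ibm-finding:start` to `finding.created_time`; unless `finding.created_time` is mapped to `x-ibm-finding.start` somewhere else in this file (not visible here), a round trip through the finding's start will search a field that no translated result ever populates. If `created_time` is the intended source, keep a `{ "key": "x-ibm-finding.start", "object": "ibm_finding", "transformer": "EpochToTimestamp" }` entry under it; if the removal is deliberate, a sentence in the commit message saying that `start` now derives from `created_time` would save the next reader the search.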
@@ -889,6 +2406,164 @@ "key": "x-ocsf-cloud.type_uid", "object": "ocsf_cloud_api", "transformer": "ToInteger" + }, + "vulnerabilities": { + "cve": { + "created_time": { + "key": "x-ocsf-vulnerabilities.created_time", + "object": "vulnerabilities" + }, + "cvss": { + "base_score": { + "key": "x-ocsf-vulnerabilities.base_score", + "object": "vulnerabilities" + }, + "depth": { + "key": "x-ocsf-vulnerabilities.depth", + "object": "vulnerabilities" + }, + "metrics": { + "name": { + "key": "x-ocsf-vulnerabilities.name", + "object": "vulnerabilities" + }, + "value": { + "key": "x-ocsf-vulnerabilities.value", + "object": "vulnerabilities" + } + }, + "overall_score": { + "key": "x-ocsf-vulnerabilities.overall_score", + "object": "vulnerabilities" + }, + "severity": { + "key": "x-ocsf-vulnerabilities.severity", + "object": "vulnerabilities" + }, + "vector_string": { + "key": "x-ocsf-vulnerabilities.vector_string", + "object": "vulnerabilities" + }, + "version": { + "key": "x-ocsf-vulnerabilities.version", + "object": "vulnerabilities" + } + }, + "cwe_uid": { + "key": "x-ocsf-vulnerabilities.cwe_uid", + "object": "vulnerabilities" + }, + "cwe_url": { + "key": "x-ocsf-vulnerabilities.cwe_url", + "object": "vulnerabilities" + }, + "modified_time": { + "key": "x-ocsf-vulnerabilities.modified_time", + "object": "vulnerabilities" + }, + "product": { + "feature": { + "name": { + "key": "software.extensions.x-ocsf-product-ext.feature_name", + "object": "vulnerabilities-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.feature_uid", + "object": "vulnerabilities-software" + }, + "version": { + "key": "software.extensions.x-ocsf-product-ext.feature_version", + "object": "vulnerabilities-software" + } + }, + "lang": { + "key": "software.languages", + "object": "vulnerabilities-software" + }, + "name": { + "key": "software.name", + "object": "vulnerabilities-software" + }, + "path": { + "key": "software.extensions.x-ocsf-product-ext.installed_path", + "object": 
"vulnerabilities-software" + }, + "uid": { + "key": "software.extensions.x-ocsf-product-ext.product_uid", + "object": "vulnerabilities-software" + }, + "vendor_name": { + "key": "software.vendor", + "object": "vulnerabilities-software" + }, + "version": { + "key": "software.version", + "object": "vulnerabilities-software" + } + }, + "type": { + "key": "x-ocsf-vulnerabilities.type", + "object": "vulnerabilities" + }, + "uid": { + "key": "x-ocsf-vulnerabilities.uid", + "object": "vulnerabilities" + } + }, + "desc": { + "key": "x-ocsf-vulnerabilities.desc", + "object": "vulnerabilities" + }, + "kb_articles": { + "key": "x-ocsf-vulnerabilities.kb_articles", + "object": "vulnerabilities" + }, + "packages": { + "architecture": { + "key": "x-ocsf-vulnerabilities.packages_architecture", + "object": "vulnerabilities" + }, + "epoch": { + "key": "x-ocsf-vulnerabilities.packages_epoch", + "object": "vulnerabilities" + }, + "license": { + "key": "x-ocsf-vulnerabilities.packages_license", + "object": "vulnerabilities" + }, + "name": { + "key": "x-ocsf-vulnerabilities.packages_name", + "object": "vulnerabilities" + }, + "release": { + "key": "x-ocsf-vulnerabilities.packages_release", + "object": "vulnerabilities" + }, + "version": { + "key": "x-ocsf-vulnerabilities.packages_version", + "object": "vulnerabilities" + } + }, + "references": { + "key": "x-ocsf-vulnerabilities.references", + "object": "vulnerabilities" + }, + "related_vulnerabilities": { + "key": "x-ocsf-vulnerabilities.related_vulnerabilities", + "object": "vulnerabilities" + }, + "severity": { + "key": "x-ocsf-vulnerabilities.severity", + "object": "vulnerabilities" + }, + "title": { + "key": "x-ocsf-vulnerabilities.title", + "object": "vulnerabilities" + }, + "vendor_name": { + "key": "x-ocsf-vulnerabilities.vendor_name", + "object": "vulnerabilities" + } } }, "vpcflow": { 
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py index 57a86c25f..dfdb19853 100644 --- a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py +++ b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py @@ -492,6 +492,6 @@ def test_ocsf_translation_prop(self): x_ibm_finding = TestAwsResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding') assert x_ibm_finding is not None, 'x-ibm-finding object type not found' - assert x_ibm_finding.keys() == {'type', 'time_observed', 'severity'} + assert x_ibm_finding.keys() == {'type', 'time_observed','src_ip_ref', 'severity'} assert x_ibm_finding['time_observed'] == '2020-10-07T08:08:37.000Z' assert x_ibm_finding['severity'] == 0 diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py index d43702db2..0cd15a874 100644 --- a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py +++ b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py @@ -248,7 +248,7 @@ def test_ibm_finding_start_exp(self): "vpcflow": "(CAST(starttime AS varchar) = '1600769351' AND start BETWEEN 1588322590 AND 1604054590)" }, { - "ocsf": "(CAST(start_time AS varchar) = '1600769351' AND time BETWEEN 1588322590000 AND 1604054590000)" + "ocsf": "(CAST(finding.created_time AS varchar) = '1600769351' AND time BETWEEN 1588322590000 AND 1604054590000)" } ] self._test_query_assertions(query, queries) From 88a2af6ab55f5e1804a80e4cbc13f2f4e5bbcc97 Mon Sep 17 00:00:00 2001 
From: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com>
Date: Tue, 10 Jan 2023 20:07:00 +0000
Subject: [PATCH 20/30] Updated code to handle maximum query length limitation in darktrace. (#1259)
* Updated code to handle maximum query length limitation in darktrace.
---
 stix_shifter_modules/darktrace/README.md | 1 +
 .../darktrace/requirements.txt | 1 +
 .../stix_translation/query_constructor.py | 252 +++++++++-
 .../test_darktrace_stix_to_query.py | 439 ++++++++++++++++++
 4 files changed, 690 insertions(+), 3 deletions(-)
 create mode 100644 stix_shifter_modules/darktrace/requirements.txt
diff --git a/stix_shifter_modules/darktrace/README.md b/stix_shifter_modules/darktrace/README.md
index 34d025a6a..06ff87fe7 100644
--- a/stix_shifter_modules/darktrace/README.md
+++ b/stix_shifter_modules/darktrace/README.md
@@ -865,3 +865,4 @@ ping
 ### Observations
 - Darktrace does not support >= and <=, so the same is achieved by < and > operators by increasing and decreasing the corresponding values.
 - Query will return those records in the specified timeframe which satisfy the applied search filters. If there are no records in the given timeframe, search filter won't be applied and "Invalid parameter" error will be returned.
+- It is observed that Darktrace API returns 'timed out' error if translated query string length is more than MAX_QUERY_LENGTH. To avoid this error, query is split at 'OR' conditions and multiple requests are made to darktrace to get the result. However, the part of query joined by 'AND' operator won't be split and 'timed out' error is returned if the length of that part is beyond MAX_QUERY_LENGTH.
\ No newline at end of file
diff --git a/stix_shifter_modules/darktrace/requirements.txt b/stix_shifter_modules/darktrace/requirements.txt
new file mode 100644
index 000000000..367c5e196
--- /dev/null
+++ b/stix_shifter_modules/darktrace/requirements.txt
@@ -0,0 +1 @@
+pyparsing==3.0.9
diff --git a/stix_shifter_modules/darktrace/stix_translation/query_constructor.py b/stix_shifter_modules/darktrace/stix_translation/query_constructor.py index 589492d0b..f74e2d72c 100644 --- a/stix_shifter_modules/darktrace/stix_translation/query_constructor.py +++ b/stix_shifter_modules/darktrace/stix_translation/query_constructor.py @@ -1,6 +1,7 @@ import json import re from os import path +from pyparsing import nestedExpr, White from datetime import datetime, timedelta from stix_shifter_utils.utils import logger from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, \ @@ -12,6 +13,8 @@ STOP_TIME = datetime.utcnow() CONFIG_MAP_PATH = "json/config_map.json" DEFAULT_LIMIT = 10000 +MAX_QUERY_LENGTH = 2400 +TIMESTAMP_LENGTH = 80 class FileNotFoundException(Exception): @@ -338,10 +341,22 @@ def parse_expression(self, pattern: Pattern): if self.options['result_limit'] > DEFAULT_LIMIT: self.options['result_limit'] = DEFAULT_LIMIT - query = {"search": darktrace_query, "fields": [], - "timeframe": "custom", "time": {"from": start, "to": stop}, "size": self.options['result_limit']} + darktrace_queries = [] - self.qualified_queries.append(query) + # Query length exceed the max query limit will split the query + if len(darktrace_query) > MAX_QUERY_LENGTH: + obj = QuerySeparator() + darktrace_queries = obj.split_query(darktrace_query) + + # change single query into list + if darktrace_query and not darktrace_queries: + darktrace_queries = [darktrace_query] + + for darktrace_query in darktrace_queries: + query = {"search": darktrace_query, "fields": [], + "timeframe": "custom", "time": {"from": start, "to": stop}, "size": self.options['result_limit']} + + self.qualified_queries.append(query) def translate_pattern(pattern: Pattern, data_model_mapping, options): 
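Review bot: Every sub-query produced by `split_query` is emitted with the full `self.options['result_limit']`, so a pattern that is split into k parts can now return up to k × result_limit records, and because the parts are OR-alternatives of one pattern the same record may come back from more than one request; whether the transmission side dedupes and re-applies the cap is not visible in this hunk, so that should be confirmed or the limit divided across the parts. A smaller point: `for darktrace_query in darktrace_queries:` rebinds the very name that was tested two lines above, which reads like a bug at first glance; `for sub_query in darktrace_queries:` avoids that. The `obj = QuerySeparator()` temporary adds nothing and can become `darktrace_queries = QuerySeparator().split_query(darktrace_query)`. `parse_expression` starts above this hunk.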
@@ -355,3 +370,234 @@ def translate_pattern(pattern: Pattern, data_model_mapping, options): translated_query_strings = QueryStringPatternTranslator(pattern, data_model_mapping, options) queries = translated_query_strings.qualified_queries return queries + + +class QuerySeparator: + """ + split the translated query based on query length + """ + + def split_query(self, query): + """ + split the query based on query length limit. + Between two statements if OR is present it will split if AND is present it wont split. + param query: str + return queries: list + """ + try: + queries = [] + # Based on brackets converting the translated query into nested list + parsed_query = nestedExpr(opener="(", closer=")", ignoreExpr=White('')).parseString(query).asList() + parsed_query = parsed_query[0] + + # Check valid parsing + if len(parsed_query) != 3: + return [query] + + # process the each statement its need to split as separate query or not + statement_1 = self.split_sub_query(parsed_query[0]) + statement_2 = self.split_sub_query(parsed_query[2]) + operator = parsed_query[1] + + if str(statement_1).count('Unable to split') or str(statement_2).count('Unable to split'): + return [query] + + # statement is greater than query length limit and it was split. + if isinstance(statement_1, list) or isinstance(statement_2, list): + + # Try to combine the split query + statement_1 = self.combine_list_query(statement_1) + statement_2 = self.combine_list_query(statement_2) + + # AND operator is processed if only its contains timestamp then will attach the timestamp in each query + queries = self.attach_timestamp(statement_1, statement_2, operator) + + if str(queries).count('Unable to split'): + return [query] + + # statements are lesser than query length limit and it wont split. 
+ elif statement_1 and statement_2: + combined_statement = statement_1 + ' ' + operator + ' ' + statement_2 + if len(combined_statement) > MAX_QUERY_LENGTH: + if operator == 'AND': + queries.append(query) + else: + queries.append(statement_1) + queries.append(statement_2) + else: + queries.append(combined_statement) + else: + queries.append(query) + + return queries + except Exception as e: + logger.info("Unable to split the query. Error occurred {}".format(str(e))) + return [query] + + def split_sub_query(self, parsed_query): + """ + Iterate the query from list and based on operator separate the query or combine the query. + param query: str + return queries: list or str + """ + + # iterate other than IN operator + if len(parsed_query) == 3: + statement_1 = parsed_query[0] + statement_2 = parsed_query[2] + operator = parsed_query[1] + queries = [] + query_list = [statement_1, statement_2] + for index, statement in enumerate(query_list, start=0): + if any(isinstance(i, list) for i in statement): + statement = self.split_sub_query(statement) + elif isinstance(statement, list): + statement = ' '.join(map(str, statement)) + if statement and len(statement) > MAX_QUERY_LENGTH: + statement = self.split_query_and_or_operator(statement) + + if index == 0: + statement_1 = statement + else: + statement_2 = statement + + if isinstance(statement_1, list) or isinstance(statement_2, list): + queries = self.attach_timestamp(statement_1, statement_2, operator) + return queries + + combined_query = '(' + statement_1 + ') ' + operator + ' (' + statement_2 + ')' + + if len(combined_query) > MAX_QUERY_LENGTH: + queries.append(statement_1) + queries.append(statement_2) + return queries + return combined_query + elif any(isinstance(i, list) for i in parsed_query): + # iterate for IN operator + return self.handle_translated_in_operator(parsed_query) + elif isinstance(parsed_query, list): + combined_query = '(' + ' '.join(map(str, parsed_query)) + ')' + if len(combined_query) > 
MAX_QUERY_LENGTH: + combined_query = self.split_query_and_or_operator(combined_query) + return combined_query + else: + return '(' + parsed_query + ')' + + @staticmethod + def split_query_and_or_operator(parsed_query, query_len=MAX_QUERY_LENGTH): + """ Split the query based on AND/OR operator. + param query: str, MAX_QUERY_LENGTH: int + return queries: list or str """ + start = 0 + index = 0 + result = [] + combined_query = '' + + while index < len(parsed_query): + if 'OR' in parsed_query[index:len(parsed_query)]: + index = parsed_query[index:len(parsed_query)].index('OR') + index = start + index + 2 + elif 'AND' in parsed_query[index:len(parsed_query)]: + index = parsed_query[index:len(parsed_query)].index('AND') + index = start + index + 3 + else: + index = len(parsed_query) + if len(combined_query + parsed_query[start: index]) > query_len: + if combined_query: + result.append('(' + combined_query.rstrip('OR').rstrip('AND') + ')') + if parsed_query[start: index]: + result.append('(' + parsed_query[start: index].lstrip('(').rstrip(')') + ')') + else: + combined_query += parsed_query[start: index] + combined_query = combined_query.lstrip('(').rstrip(')') + result.append('(' + combined_query + ')') + break + if len(combined_query + parsed_query[start: index]) > query_len and combined_query: + query = combined_query.rstrip('OR').rstrip('AND') + query = query.lstrip('(').rstrip(')').rstrip("'").rstrip(",") + if query: + result.append('(' + query + ')') + combined_query = '' + combined_query += parsed_query[start: index] + start = index + return result + + @staticmethod + def combine_list_query(query_list): + """ Combine the query from list. 
+ param query: list, return queries: list """ + + query = '' + queries = [] + + # exit the process for invalid arguments + if isinstance(query_list, str) or len(query_list) == 1: + return query_list + + for index, each_query in enumerate(query_list, start=0): + if not query: + query = each_query + continue + + combined_query = query + ' OR ' + each_query + if len(combined_query) > MAX_QUERY_LENGTH: + queries.append(query) + query = each_query + if len(query_list) - 1 == index: + queries.append(query) + continue + + query = combined_query + + if len(query_list) - 1 == index: + queries.append(query) + continue + + return queries + + @staticmethod + def attach_timestamp(statement_1, statement_2, operator): + """Attach the timestamp in query""" + queries = [] + + if operator == 'AND': + if statement_2.count('@fields.epochdate') == 2 \ + and len(statement_2) < TIMESTAMP_LENGTH: + if not (statement_2.count('(') and statement_2.count(')')): + statement_2 = '(' + statement_2 + ')' + queries = ['(' + row + ') AND ' + statement_2 for row in statement_1] + else: + return 'Unable to split' + + if operator == 'OR': + queries += statement_1 if isinstance(statement_1, list) else [statement_1] + queries += statement_2 if isinstance(statement_2, list) else [statement_2] + + return queries + + def handle_translated_in_operator(self, parsed_query): + """ Process the translated query having IN operator in STIX pattern. 
+ Params Query: List, return Query: List """ + query = '' + queries = [] + for row in parsed_query: + if isinstance(row, str): + query += row + ' ' + elif isinstance(row, list): + + combined_query = '(' + ' '.join(map(str, row)) + ')' + + if combined_query.count('NOT') and any(isinstance(i, list) for i in row): + combined_query = self.split_sub_query(row) + + query = query.lstrip('OR').lstrip('AND') + + if isinstance(combined_query, list): + queries += [query + value for value in combined_query] + elif isinstance(combined_query, str) and len(combined_query) > MAX_QUERY_LENGTH: + separated = self.split_query_and_or_operator(combined_query, MAX_QUERY_LENGTH - len(query)) + queries += [query + value for value in separated] + else: + queries += [query + combined_query] + query = '' + return queries diff --git a/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py b/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py index 1bcf2a75f..ba23eed01 100644 --- a/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py +++ b/stix_shifter_modules/darktrace/test/stix_translation/test_darktrace_stix_to_query.py 
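Review bot: `split_query_and_or_operator` finds the next cut point with `'OR' in parsed_query[index:]` and `.index('OR')`, a substring test, so an operator is also "found" inside a search value — a literal such as `REPORT.pdf` or an upper-cased host name containing `AND` gets cut in the middle once the accumulated chunk crosses `query_len`, yielding two sub-queries with a broken quoted value. Matching the operator as a whitespace-delimited token fixes this (`re` is already imported at the top of this file); the replacement lookup is below and keeps the existing OR-before-AND preference. A related concern is `nestedExpr(opener="(", closer=")", ignoreExpr=White(''))` in `split_query`, which replaces pyparsing's default `quotedString` skip, so parentheses and whitespace inside a quoted value are treated as structure: tokens are re-joined with a single space and a value containing balanced parentheses can be stringified as a Python list by `' '.join(map(str, row))`; unless the override is needed for something not visible here, the default `ignoreExpr` keeps quoted values opaque. Finally, the fallback `logger.info("Unable to split the query...")` records a silent downgrade to an oversized query that the README says will time out; `logger.warning` is the level an operator would expect for that.
```python
_OR_TOKEN = re.compile(r'\sOR\s')
_AND_TOKEN = re.compile(r'\sAND\s')

# … inside split_query_and_or_operator, replacing the 'OR' in / 'AND' in lookup …
match = _OR_TOKEN.search(parsed_query, index) or _AND_TOKEN.search(parsed_query, index)
# end() - 1 lands just after the operator word, matching the original index arithmetic
index = match.end() - 1 if match else len(parsed_query)
# … unchanged: chunk accumulation and result assembly …
```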
@@ -667,3 +667,442 @@ def test_qualifier_without_milliseconds(self): "size": 10000 }] self._test_query_assertions(actual_query, expected_query) + + def test_large_query(self): + stix_pattern = "[file:hashes.'SHA-256' NOT IN (" \ + "'b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec'," \ + "'519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1'," \ + "'48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668'," \ + "'16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2'," \ + "'a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab'," \ + "'35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad'," \ + "'1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3'," \ + "'70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b'," \ + "'90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff'," \ + "'b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b'," \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb'," \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7'," \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6'," \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105'," \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa'," \ + "'93d7e24385c204fd2afcab10087273d9526d935045c6139c6f709d46bbae6d3b'," \ + "'91954c768c896dc028ae54c11a85def47bb7b83dbfccd3a731d38f141ca9243f'," \ + "'36f517b8125abdd3b03c22d0ea2b6cd9ef9e9e70bc4193a3889156f472d42873'," \ + "'3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719'," \ + "'3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719'," \ + "'b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec'," \ + "'519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1'," \ + "'48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668'," \ + 
"'16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2'," \ + "'a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab'," \ + "'35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad'," \ + "'1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3'," \ + "'70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b'," \ + "'90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff'," \ + "'b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b'," \ + "'35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad'," \ + "'1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3'," \ + "'70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b'," \ + "'90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff'," \ + "'b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b'," \ + "'519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1'," \ + "'48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668'," \ + "'16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2'," \ + "'a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab'," \ + "'35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad'," \ + "'1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3')] START " \ + "t'2022-11-22T21:41:58.000Z' STOP t'2022-11-22T22:41:58.000Z' " + actual_query = translation.translate('darktrace', 'query', '{}', stix_pattern) + actual_query['queries'] = _remove_timestamp_from_query(actual_query['queries']) + expected_query = [ + { + "search": "(@fields.sha256_file_hash:* AND NOT @fields.sha256_file_hash: (" + "\"b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + 
"\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " + "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "\"93d7e24385c204fd2afcab10087273d9526d935045c6139c6f709d46bbae6d3b\" OR " + "\"91954c768c896dc028ae54c11a85def47bb7b83dbfccd3a731d38f141ca9243f\" OR " + "\"36f517b8125abdd3b03c22d0ea2b6cd9ef9e9e70bc4193a3889156f472d42873\" OR " + "\"3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719\" OR " + "\"3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719\" OR " + "\"b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + "\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " + "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " 
+ "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " + "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" )) AND (" + "@fields.epochdate :>1669153318.0 AND @fields.epochdate :<1669156918.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-11-22T21:41:58.000000Z", + "to": "2022-11-22T22:41:58.000000Z" + }, + "size": 10000 + }, + { + "search": "(@fields.sha256_file_hash:* AND NOT @fields.sha256_file_hash: ( " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + "\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\")) AND (" + "@fields.epochdate :>1669153318.0 AND @fields.epochdate :<1669156918.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-11-22T21:41:58.000000Z", + "to": "2022-11-22T22:41:58.000000Z" + }, + "size": 10000 + }, + { + "search": "(@fields.sha256:* AND NOT @fields.sha256: (" + "\"b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + "\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + 
"\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " + "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "\"93d7e24385c204fd2afcab10087273d9526d935045c6139c6f709d46bbae6d3b\" OR " + "\"91954c768c896dc028ae54c11a85def47bb7b83dbfccd3a731d38f141ca9243f\" OR " + "\"36f517b8125abdd3b03c22d0ea2b6cd9ef9e9e70bc4193a3889156f472d42873\" OR " + "\"3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719\" OR " + "\"3c1a4c5fa844b69e410e80200829e51c44bc469b0071008ef899e41218a60719\" OR " + "\"b6c7f878b44c0a074d53e8fec9b65c7dd70844bb67524ff541f17d3d754889ec\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + "\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " + "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\" OR " 
+ "\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" )) AND (" + "@fields.epochdate :>1669153318.0 AND @fields.epochdate :<1669156918.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-11-22T21:41:58.000000Z", + "to": "2022-11-22T22:41:58.000000Z" + }, + "size": 10000 + }, + { + "search": "(@fields.sha256:* AND NOT @fields.sha256: ( " + "\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "\"519af7038bf8685fbfb228267b5be4c5926970c46af9dcd7d9de456143c816b1\" OR " + "\"48b48ac4edc40b006f9016ddce39dfbe2f1036338373b6f322795ba06455c668\" OR " + "\"16c48e52a529ce58bd2e8205c9196d64500b6a4304d8e70040ddb4b1b020bcd2\" OR " + "\"a4cb8126909f81262142bc478e15e43b5a3253cd3ad9d084e979f7b50d39f6ab\" OR " + "\"35e243527f5464134e99684437dffa3d88ba54462eacd9179bd11cd8032657ad\" OR " + "\"1fe7cce7969a0fcee49b03769520c5d61348a08fbf4bcd5a2611bf4afa32eca3\")) AND (" + "@fields.epochdate :>1669153318.0 AND @fields.epochdate :<1669156918.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-11-22T21:41:58.000000Z", + "to": "2022-11-22T22:41:58.000000Z" + }, + "size": 10000 + } + ] + + expected_query = _remove_timestamp_from_query(expected_query) + self._test_query_assertions(actual_query, expected_query) + + def test_split_query_contains_only_or(self): + stix_pattern = "[(network-traffic:dst_port=3389 OR network-traffic:dst_port=2001 OR " \ + "network-traffic:dst_port=3001 OR network-traffic:dst_port=3388 OR " \ + "network-traffic:dst_port=2004 OR network-traffic:dst_port=3004 OR " \ + "network-traffic:dst_port=3388 OR network-traffic:dst_port=2005 OR " \ + "network-traffic:dst_port=3009 OR network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2001 OR network-traffic:dst_port=3002 OR " \ + "network-traffic:dst_port=3389 OR network-traffic:dst_port=2003 OR " \ + "network-traffic:dst_port=3006 OR 
network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2000 OR network-traffic:dst_port=3004 OR " \ + "network-traffic:dst_port=3381 OR network-traffic:dst_port=2008 OR " \ + "network-traffic:dst_port=3000 OR network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2000) OR (file:hashes.'SHA-256' = " \ + "'70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b' OR file:hashes.'SHA-256' = " \ + "'90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff' OR file:hashes.'SHA-256' = " \ + "'b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b' OR file:hashes.'SHA-256' = " \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR file:hashes.'SHA-256' = " \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR file:hashes.'SHA-256' = " \ + 
"'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7')] START " \ + "t'2022-10-01T21:41:58.000Z' STOP t'2022-12-19T22:41:58.000Z' " + actual_query = translation.translate('darktrace', 'query', '{}', stix_pattern) + actual_query['queries'] = _remove_timestamp_from_query(actual_query['queries']) + expected_query = [ + { + "search": "(@fields.sha256_file_hash" + ":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") AND (" + "@fields.epochdate :>1664660518.0 AND @fields.epochdate :<1671489718.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-10-01T21:41:58.000000Z", + "to": "2022-12-19T22:41:58.000000Z" + }, + "size": 10000 + }, + { + "search": "((@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\") OR ((" + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" 
OR " + "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\") OR ((" + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") OR ((" + "@fields.sha256_file_hash" + ":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\") OR ((" + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\") OR ((" + "@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\") OR ((" + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\") OR ((" + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") OR ((" + "@fields.sha256_file_hash" + ":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\") OR ((" + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\") OR ((" + "@fields.sha256_file_hash" + ":\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "@fields.sha256:\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\") OR ((" + "@fields.sha256_file_hash" + 
":\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "@fields.sha256:\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\") OR (" + "@fields.sha256_file_hash" + ":\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "@fields.sha256:\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b" + "\"))))))))))))) AND (@fields.epochdate :>1664660518.0 AND @fields.epochdate " + ":<1671489718.0)", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-10-01T21:41:58.000000Z", + "to": "2022-12-19T22:41:58.000000Z" + }, + "size": 10000 + }, + { + "search": "((@fields.dest_port:2000 OR @fields.dst_p:2000) OR ((@fields.dest_port:3389 OR " + "@fields.dst_p:3389) OR ((@fields.dest_port:3000 OR @fields.dst_p:3000) OR ((" + "@fields.dest_port:2008 OR @fields.dst_p:2008) OR ((@fields.dest_port:3381 OR " + "@fields.dst_p:3381) OR ((@fields.dest_port:3004 OR @fields.dst_p:3004) OR ((" + "@fields.dest_port:2000 OR @fields.dst_p:2000) OR ((@fields.dest_port:3389 OR " + "@fields.dst_p:3389) OR ((@fields.dest_port:3006 OR @fields.dst_p:3006) OR ((" + "@fields.dest_port:2003 OR @fields.dst_p:2003) OR ((@fields.dest_port:3389 OR " + "@fields.dst_p:3389) OR ((@fields.dest_port:3002 OR @fields.dst_p:3002) OR ((" + "@fields.dest_port:2001 OR @fields.dst_p:2001) OR ((@fields.dest_port:3389 OR " + "@fields.dst_p:3389) OR ((@fields.dest_port:3009 OR @fields.dst_p:3009) OR ((" + "@fields.dest_port:2005 OR @fields.dst_p:2005) OR ((@fields.dest_port:3388 OR " + "@fields.dst_p:3388) OR ((@fields.dest_port:3004 OR @fields.dst_p:3004) OR ((" + "@fields.dest_port:2004 OR @fields.dst_p:2004) OR ((@fields.dest_port:3388 OR " + "@fields.dst_p:3388) OR ((@fields.dest_port:3001 OR @fields.dst_p:3001) OR ((" + "@fields.dest_port:2001 OR @fields.dst_p:2001) OR (@fields.dest_port:3389 OR " + "@fields.dst_p:3389))))))))))))))))))))))) AND (@fields.epochdate :>1664660518.0 AND " + "@fields.epochdate :<1671489718.0)", + 
"fields": [], + "timeframe": "custom", + "time": { + "from": "2022-10-01T21:41:58.000000Z", + "to": "2022-12-19T22:41:58.000000Z" + }, + "size": 10000 + } + ] + + expected_query = _remove_timestamp_from_query(expected_query) + self._test_query_assertions(actual_query, expected_query) + + def test_split_query_contains_and(self): + stix_pattern = "[(network-traffic:dst_port=3389 OR network-traffic:dst_port=2001 OR " \ + "network-traffic:dst_port=3001 OR network-traffic:dst_port=3388 OR " \ + "network-traffic:dst_port=2004 OR network-traffic:dst_port=3004 OR " \ + "network-traffic:dst_port=3388 OR network-traffic:dst_port=2005 OR " \ + "network-traffic:dst_port=3009 OR network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2001 OR network-traffic:dst_port=3002 OR " \ + "network-traffic:dst_port=3389 OR network-traffic:dst_port=2003 OR " \ + "network-traffic:dst_port=3006 OR network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2000 OR network-traffic:dst_port=3004 OR " \ + "network-traffic:dst_port=3381 OR network-traffic:dst_port=2008 OR " \ + "network-traffic:dst_port=3000 OR network-traffic:dst_port=3389 OR " \ + "network-traffic:dst_port=2000) AND (file:hashes.'SHA-256' = " \ + "'70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b' OR file:hashes.'SHA-256' = " \ + "'90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff' OR file:hashes.'SHA-256' = " \ + "'b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b' OR file:hashes.'SHA-256' = " \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR 
file:hashes.'SHA-256' = " \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR file:hashes.'SHA-256' = " \ + "'237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6' OR file:hashes.'SHA-256' = " \ + "'b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105' OR file:hashes.'SHA-256' = " \ + "'9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa' OR file:hashes.'SHA-256' = " \ + "'70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb' OR file:hashes.'SHA-256' = " \ + "'bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7')] START " \ + "t'2022-10-01T21:41:58.000Z' STOP t'2022-12-19T22:41:58.000Z' " + actual_query = translation.translate('darktrace', 'query', '{}', stix_pattern) + actual_query['queries'] = _remove_timestamp_from_query(actual_query['queries']) + expected_query = [ + { + "search": "((((@fields.sha256_file_hash" + ":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\") OR ((" + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\") OR ((" + "@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\") OR ((" + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " 
+ "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\") OR ((" + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") OR ((" + "@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\") OR ((" + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\") OR ((" + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") OR ((" + "@fields.sha256_file_hash" + ":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\") OR ((" + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\") OR ((" + "@fields.sha256_file_hash" + ":\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\" OR " + "@fields.sha256:\"9cd41ee1fa8156e1ff393ee969da8f14d6c5768d951bea57ac3be444df3416fa\") OR ((" + "@fields.sha256_file_hash" + ":\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\" OR " + "@fields.sha256:\"b81edcbf1a0b56d0f401dcfe4a6ae4d293663b42f120e60579353b6aa86bb105\") OR ((" + "@fields.sha256_file_hash" + ":\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\" OR " + "@fields.sha256:\"237364314fcd23e9fe153a7233564d337b3f8f4357ce10fed75e21d8546a33b6\") OR ((" + "@fields.sha256_file_hash" + 
":\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\" OR " + "@fields.sha256:\"bf09447beddf7dacb84c8d44ce2e9cd6fd89237059ce82cb4bea70439ee1acd7\") OR ((" + "@fields.sha256_file_hash" + ":\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\" OR " + "@fields.sha256:\"70370930eb70c6e6c3c13879251ebff88060a1d129cd2d30c0cf940896b27bcb\") OR ((" + "@fields.sha256_file_hash" + ":\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\" OR " + "@fields.sha256:\"b950de924595b49bc861cae1ddd2b05f0e2f5ba1bae6c10b2a0ff27a30557e5b\") OR ((" + "@fields.sha256_file_hash" + ":\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\" OR " + "@fields.sha256:\"90470fb5d16be01e8d2bc54488cebfc9ac0ea704c20068b17c1e7199c161efff\") OR (" + "@fields.sha256_file_hash" + ":\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b\" OR " + "@fields.sha256:\"70ae98e4f3aa5f4518d62a1b4eb631728bd7a167d8f3ca42f0dba0ae8e41786b" + "\")))))))))))))))))) AND ((@fields.dest_port:2000 OR @fields.dst_p:2000) OR ((" + "@fields.dest_port:3389 OR @fields.dst_p:3389) OR ((@fields.dest_port:3000 OR " + "@fields.dst_p:3000) OR ((@fields.dest_port:2008 OR @fields.dst_p:2008) OR ((" + "@fields.dest_port:3381 OR @fields.dst_p:3381) OR ((@fields.dest_port:3004 OR " + "@fields.dst_p:3004) OR ((@fields.dest_port:2000 OR @fields.dst_p:2000) OR ((" + "@fields.dest_port:3389 OR @fields.dst_p:3389) OR ((@fields.dest_port:3006 OR " + "@fields.dst_p:3006) OR ((@fields.dest_port:2003 OR @fields.dst_p:2003) OR ((" + "@fields.dest_port:3389 OR @fields.dst_p:3389) OR ((@fields.dest_port:3002 OR " + "@fields.dst_p:3002) OR ((@fields.dest_port:2001 OR @fields.dst_p:2001) OR ((" + "@fields.dest_port:3389 OR @fields.dst_p:3389) OR ((@fields.dest_port:3009 OR " + "@fields.dst_p:3009) OR ((@fields.dest_port:2005 OR @fields.dst_p:2005) OR ((" + "@fields.dest_port:3388 OR @fields.dst_p:3388) OR ((@fields.dest_port:3004 OR " + "@fields.dst_p:3004) OR ((@fields.dest_port:2004 
OR @fields.dst_p:2004) OR ((" + "@fields.dest_port:3388 OR @fields.dst_p:3388) OR ((@fields.dest_port:3001 OR " + "@fields.dst_p:3001) OR ((@fields.dest_port:2001 OR @fields.dst_p:2001) OR (" + "@fields.dest_port:3389 OR @fields.dst_p:3389)))))))))))))))))))))))) AND (" + "@fields.epochdate :>1664660518.0 AND @fields.epochdate :<1671489718.0))", + "fields": [], + "timeframe": "custom", + "time": { + "from": "2022-10-01T21:41:58.000000Z", + "to": "2022-12-19T22:41:58.000000Z" + }, + "size": 10000 + } + ] + + expected_query = _remove_timestamp_from_query(expected_query) + self._test_query_assertions(actual_query, expected_query) From 98650c33689727817ff34d50729a4d8383f5b463 Mon Sep 17 00:00:00 2001 
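Review bot: The expected output in test_large_query locks in an over-inclusive translation of NOT IN: the single exclusion list is split into two separate search strings, `NOT @fields.sha256_file_hash: (h1 … h33)` and `NOT @fields.sha256_file_hash: (h34 … h41)`, each presumably executed on its own with the results merged. A record whose hash sits in the first slice is dropped by the first query but returned by the second, so the merged result contains exactly the events the pattern was written to exclude; `x NOT IN (A ∪ B)` is `x NOT IN A AND x NOT IN B`, not a union of two independent queries. The test should instead expect the negated list to stay inside one search string (AND-joining the slices, e.g. `(NOT @fields.sha256_file_hash:(A)) AND (NOT @fields.sha256_file_hash:(B))`), or expect a translation error when the list cannot fit under the length limit, rather than pinning the current split; the split itself is produced by the `split_sub_query` path in the darktrace query_constructor hunk earlier in this patch, whose start is outside this view. A smaller point: the fixture repeats several hashes (for example `3c1a4c5f…` twice in a row), which makes the long expected strings harder to audit without adding any coverage.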
From: Md Azam Date: Thu, 12 Jan 2023 11:22:50 -0400 Subject: [PATCH 21/30] Add log analytics API support to azure sentinel connector (#1214) --- requirements-dev.txt | 2 +- .../azure_log_analytics/README.md | 59 +++ .../azure_log_analytics/__init__.py | 0 .../configuration/config.json | 49 +++ .../configuration/lang_en.json | 44 +++ .../azure_log_analytics/entry_point.py | 19 + .../azure_log_analytics/requirements.txt | 3 + .../stix_translation/__init__.py | 0 .../json/SecurityAlert_from_stix_map.json | 83 ++++ .../json/SecurityEvent_from_stix_map.json | 168 ++++++++ .../json/SecurityIncident_from_stix_map.json | 79 ++++ .../stix_translation/json/operators.json | 9 + .../stix_2_1/SecurityAlert_from_stix_map.json | 83 ++++ .../stix_2_1/SecurityEvent_from_stix_map.json | 171 ++++++++ .../SecurityIncident_from_stix_map.json | 79 ++++ .../json/stix_2_1/to_stix_map.json | 368 ++++++++++++++++++ .../stix_translation/json/to_stix_map.json | 362 +++++++++++++++++ .../stix_translation/query_constructor.py | 353 +++++++++++++++++ .../stix_translation/query_translator.py | 27 ++ .../stix_translation/results_translator.py | 4 + .../stix_transmission/__init__.py | 0 .../stix_transmission/api_client.py | 60 +++ .../stix_transmission/connector.py | 88 +++++ .../stix_transmission/error_mapper.py | 68 ++++ ...ure_sentinel_log_analytics_json_to_stix.py | 345 ++++++++++++++++ ...re_sentinel_log_analytics_stix_to_query.py | 183 +++++++++ .../test_azure_sentinel_log_analytics.py | 221 +++++++++++ 27 files changed, 2926 insertions(+), 1 deletion(-) create mode 100644 stix_shifter_modules/azure_log_analytics/README.md create mode 100644 stix_shifter_modules/azure_log_analytics/__init__.py create mode 100644 stix_shifter_modules/azure_log_analytics/configuration/config.json create mode 100644 stix_shifter_modules/azure_log_analytics/configuration/lang_en.json create mode 100644 stix_shifter_modules/azure_log_analytics/entry_point.py create mode 100644 
stix_shifter_modules/azure_log_analytics/requirements.txt create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/__init__.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityAlert_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityEvent_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityIncident_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/operators.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityAlert_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityEvent_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityIncident_from_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/to_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/json/to_stix_map.json create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/query_constructor.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/query_translator.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_translation/results_translator.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_transmission/__init__.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_transmission/connector.py create mode 100644 stix_shifter_modules/azure_log_analytics/stix_transmission/error_mapper.py create mode 100644 stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_json_to_stix.py create mode 100644 
stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_stix_to_query.py create mode 100644 stix_shifter_modules/azure_log_analytics/tests/stix_transmission/test_azure_sentinel_log_analytics.py
diff --git a/requirements-dev.txt b/requirements-dev.txt
index dc982c34e..affd8fcd3 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -14,6 +14,6 @@ pyflakes==1.6.0
 pylint==2.15.5
 pytest==7.2.0
 pytest-cov==4.0.0
-six==1.11.0
+six==1.12.0
 wrapt==1.14.1
 requests_mock==1.7.0
diff --git a/stix_shifter_modules/azure_log_analytics/README.md b/stix_shifter_modules/azure_log_analytics/README.md new file mode 100644
index 000000000..de7d61a14
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/README.md
@@ -0,0 +1,59 @@ +# Azure Log Analytics Connector + +## Data Source +Microsoft Azure Log Analytics is a tool to run queries on data collected by different Azure services. A Log Analytics workspace needs to be created to collect logs from Azure services. The connector can run Kusto Query Language (KQL) queries to search logs in the workspace. + +## API and Logs + +Currently, [Log Analytics REST API](https://learn.microsoft.com/en-us/rest/api/loganalytics/) has been used to search three types of Azure Sentinel logs: + +1. Security Alert +2. Security Events +3. Security Incidents + +Therefore, three dialects has been set in the from_stix mapping file. More data tables will be supported in future. + +Azure SDK for Python is used in order to make API calls to Log Analytics API. Mainly two libraries are used: + +1. [Azure Identity library](https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python) + - It mainly enables the Azure SDK clients to authenticate with AAD +2. [Azure Monitor Query client library](https://learn.microsoft.com/en-us/python/api/overview/azure/monitor-query-readme?view=azure-python) + - It provides functions to run quries on the logs availabe in Azure Sentinel + - [Kusto Query Language (KQL)](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/) has been used as a query language to run search using this client. + +### Format for calling stix-shifter from the command line + +python main.py `` `` `` `` + +### Example I - Converting from STIX patterns to KQL (STIX attributes) +STIX to KQL field mapping is defined in `_from_stix_map.json`
+ +This example input pattern: + +`translate azure_log_analytics query ‘{}’ "[process:name = 'svchost.exe'] START t'2019-01-01T08:43:10Z' STOP t'2019-12-31T08:43:10Z'"` + +Returns the following translated query: + +``` +{ + "queries": [ + "SecurityEvent | where (IpAddress == '1.1.1.1') and (TimeGenerated between (datetime(2019-01-01T08:43:10Z) .. datetime(2019-12-31T08:43:10Z)))" + ] +} +``` + +### Example II - Converting from STIX patterns to KQL Custom STIX attributes) + +This example input pattern: + +`translate azure_log_analytics query ‘{}’ "[x-ibm-finding:name = 'Microsoft-Windows-Security-Auditing'] START t'2019-01-01T08:43:10Z' STOP t'2019-12-31T08:43:10Z'"` + +Returns the following translated queries: +``` +{ + "queries": [ + "SecurityEvent | where (EventSourceName == 'Microsoft-Windows-Security-Auditing') and (TimeGenerated between (datetime(2019-01-01T08:43:10Z) .. datetime(2019-12-31T08:43:10Z)))", + "SecurityIncident | where (IncidentName == 'Microsoft-Windows-Security-Auditing') and (TimeGenerated between (datetime(2019-01-01T08:43:10Z) .. datetime(2019-12-31T08:43:10Z)))", + "SecurityAlert | where (AlertName == 'Microsoft-Windows-Security-Auditing') and (TimeGenerated between (datetime(2019-01-01T08:43:10Z) .. datetime(2019-12-31T08:43:10Z)))" + ] +}``` \ No newline at end of file diff --git a/stix_shifter_modules/azure_log_analytics/__init__.py b/stix_shifter_modules/azure_log_analytics/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/stix_shifter_modules/azure_log_analytics/configuration/config.json b/stix_shifter_modules/azure_log_analytics/configuration/config.json new file mode 100644 index 000000000..087083bcc --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/configuration/config.json 
@@ -0,0 +1,49 @@
+{
+ "connection": {
+ "type": {
+ "displayName": "Azure Log Analytics",
+ "group": "azure"
+ },
+ "host": {
+ "type": "text",
+ "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_:/\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9_:/\\-]*[A-Za-z0-9])$",
+ "default": "api.loganalytics.io"
+ },
+ "port": {
+ "type": "number",
+ "default": 443,
+ "min": 1,
+ "max": 65535
+ },
+ "help": {
+ "type": "link",
+ "default": "data-sources-sentinel.html"
+ },
+ "sni": {
+ "type": "text",
+ "optional": true
+ },
+ "workspaceId": {
+ "type": "text",
+ "optional": true
+ },
+ "selfSignedCert": {
+ "type": "password",
+ "optional": true
+ }
+ },
+ "configuration": {
+ "auth": {
+ "type": "fields",
+ "tenant": {
+ "type": "password"
+ },
+ "clientId": {
+ "type": "password"
+ },
+ "clientSecret": {
+ "type": "password"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/azure_log_analytics/configuration/lang_en.json b/stix_shifter_modules/azure_log_analytics/configuration/lang_en.json
new file mode 100644
index 000000000..d3cae8b73
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/configuration/lang_en.json
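Review bot: `workspaceId` is declared `"optional": true` although a Log Analytics query has to be scoped to a workspace, so a missing value is presumably only detected at transmission time (connector.py is not in this view); if the connector requires it, drop the `optional` flag so the connection form validates it up front. `tenant` and `clientId` are typed `password` alongside `clientSecret`; they are identifiers rather than secrets, so masking them is harmless but looks accidental and deserves a line in the README if it is deliberate.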
@@ -0,0 +1,44 @@
+{
+ "connection": {
+ "host": {
+ "label": "Management IP address or Hostname",
+ "description": "Specify the IP address or hostname of the data source"
+ },
+ "port": {
+ "label": "Host Port",
+ "description": "Set the port number that is associated with the Host name or IP"
+ },
+ "help": {
+ "label": "Need additional help?",
+ "description": "More details on the data source setting can be found in the specified link"
+ },
+ "selfSignedCert": {
+ "label": "Microsoft Azure Sentinel Certificate",
+ "description": "Use SSL certificate for Microsoft Azure Sentinel."
+ },
+ "sni": {
+ "label": "Server Name Indicator",
+ "description": "The Server Name Indicator (SNI) enables a separate hostname to be provided for SSL authentication."
+ },
+ "workpaceId": {
+ "label": "Log Analytics Workspace ID",
+ "description": "ID of the Azure Log Analytics workspace"
+ }
+ },
+ "configuration": {
+ "auth": {
+ "tenant": {
+ "label": "Tenant ID",
+ "description": "Tenant ID of Azure Active directory Application with access to the Log Analytics Workspace"
+ },
+ "clientId": {
+ "label": "Client Id",
+ "description": "Client ID of Azure Active directory Application with access to the Log Analytics Workspace"
+ },
+ "clientSecret": {
+ "label": "Client Secret",
+ "description": "Client Secret of Azure Active directory Application with access to the Log Analytics Workspace"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/azure_log_analytics/entry_point.py b/stix_shifter_modules/azure_log_analytics/entry_point.py
new file mode 100644
index 000000000..1ae8225d9
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/entry_point.py
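Review bot: The key `workpaceId` does not match the `workspaceId` field declared in configuration/config.json in this same commit, so the label `Log Analytics Workspace ID` and its description will never be attached to that field; rename the key to `"workspaceId": {`. In the three auth descriptions `Azure Active directory` should read `Azure Active Directory`.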
@@ -0,0 +1,19 @@
+import os
+import importlib
+from .stix_translation.query_translator import QueryTranslator
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+from stix_shifter_utils.modules.base.stix_transmission.base_connector import BaseConnector
+from stix_shifter_utils.stix_translation.src.json_to_stix.json_to_stix import JSONToStix
+
+
+class EntryPoint(BaseEntryPoint):
+
+ def __init__(self, connection={}, configuration={}, options={}):
+ super().__init__(connection, configuration, options)
+ self.set_async(False)
+
+ if connection:
+ self.setup_transmission_basic(connection, configuration)
+
+ self.setup_translation_simple(dialect_default='SecurityAlert')
+
diff --git a/stix_shifter_modules/azure_log_analytics/requirements.txt b/stix_shifter_modules/azure_log_analytics/requirements.txt
new file mode 100644
index 000000000..509719db4
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/requirements.txt
@@ -0,0 +1,3 @@
+azure-identity==1.12.0
+azure-monitor-query==1.0.2
+pandas==1.5.2
\ No newline at end of file
diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/__init__.py b/stix_shifter_modules/azure_log_analytics/stix_translation/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityAlert_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityAlert_from_stix_map.json
new file mode 100644
index 000000000..2267777c1
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityAlert_from_stix_map.json
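Review bot: `os`, `importlib`, `BaseConnector` and `JSONToStix` are imported in entry_point.py but never used, and `QueryTranslator` is imported without being referenced in the visible body either; drop the unused imports so a linter run on the new module starts clean. The constructor also takes mutable dict defaults (`connection={}, configuration={}, options={}`), which are shared across calls; if the signature must stay aligned with the base class this is presumably tolerated, but otherwise `connection=None` followed by `connection = connection or {}` is the safer spelling. A one-line class docstring naming the default dialect (`SecurityAlert`) and why transmission is only set up when `connection` is truthy would help the next reader.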
@@ -0,0 +1,83 @@ +{ + "x-ibm-finding": { + "fields": { + "start": [ + "StartTime", + "TimeGenerated" + ], + "end": [ + "EndTime", + "ProcessingEndTime" + ], + "name": [ + "AlertName" + ], + "time_observed": [ + "TimeGenerated", + "EventTime" + ] + } + }, + "x-oca-event": { + "fields": { + "created": [ + "TimeGenerated" + ], + "provider": [ + "ProviderName" + ], + "domain_ref": [ + "DomainName" + ] + } + }, + "x-azure-security-alert": { + "fields": { + "tenant_id": [ + "TenantId" + ], + "subscription_id": [ + "WorkspaceSubscriptionId" + ], + "resourceId": [ + "_ResourceId" + ], + "alert_severity": [ + "AlertSeverity" + ], + "description": [ + "Description" + ], + "product_name": [ + "ProductName" + ], + "vendor_name": [ + "VendorName" + ], + "system_alertid": [ + "SystemAlertId" + ], + "status": [ + "Status" + ], + "extented_properties": [ + "ExtentedProperties" + ], + "confidence_level": [ + "ConfidenceLevel" + ], + "entities": [ + "Entities" + ], + "display_name": [ + "DisplayName" + ], + "workspace_resource_group": [ + "WorkspaceResourceGroup" + ], + "compromised_entity": [ + "CompromisedEntity" + ] + } + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityEvent_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityEvent_from_stix_map.json new file mode 100644 index 000000000..2eb1a944c --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityEvent_from_stix_map.json 
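Review bot: `extented_properties` maps to the column `ExtentedProperties`, but the SecurityAlert table's column is spelled `ExtendedProperties`, so a pattern on that attribute translates to a KQL query that fails on an unknown column. The same misspelling is repeated in stix_2_1/SecurityAlert_from_stix_map.json and in both to_stix_map.json files (`ExtentedProperties` → `extented_properties`); correct the column name in all four, and consider renaming the STIX attribute to `extended_properties` now while nothing depends on it.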
@@ -0,0 +1,168 @@ +{ + "ipv4-addr": { + "fields": { + "value": [ + "IpAddress" + ] + } + }, + "domain-name": { + "fields": { + "value": [ + "TargetDomainName" + ] + } + }, + "user-account": { + "fields": { + "account_login": [ + "TargetUserName" + ] + } + }, + "directory": { + "fields": { + "path": [ + "HomeDirectory", + "HomePath" + ] + } + }, + "file": { + "fields": { + "path": [ + "FilePath" + ], + "hashes.'SHA-256'": ["FileHash"], + "hashes.MD5": ["FileHash"], + "hashes.'SHA-1'": ["FileHash"] + } + }, + "process": { + "fields": { + "name": [ + "ProcessName", + "LogonProcessName" + ], + "parent_ref.name": [ + "ParentProcessName" + ], + "command_line": [ + "CommandLine" + ], + "pid": [ + "ProcessId" + ] + } + }, + "url": { + "fields": { + "value": [ + "QuarantineHelpURL" + ] + } + }, + "x-ibm-finding": { + "fields": { + "start": [ + "TimeGenerated" + ], + "end": [ + "PreviousTime" + ], + "name": [ + "EventSourceName" + ], + "time_observed": [ + "TimeGenerated" + ], + "src_ip_ref": [ + "IpAddress" + ], + "dst_ip_ref": [ + "ClientIPAddress" + ] + } + }, + "x-oca-event": { + "fields": { + "created": [ + "TimeGenerated" + ], + "code": [ + "EventID" + ], + "provider": [ + "Account" + ], + "url_ref": [ + "QuarantineHelpURL" + ], + "process_ref": [ + "ProcessName" + ], + "file_ref.hash": [ + "FileHash" + ], + "file_ref.path": [ + "FilePath" + ], + "file_ref.service": [ + "ServiceFileName" + ], + "parent_process_ref": [ + "ParentProcessName" + ], + "ip_refs.ip": [ + "IpAddress" + ], + "ip_refs.clientIp": [ + "ClientIPAddress" + ] + } + }, + "x-azure-security-event": { + "fields": { + "title": [ + "Title" + ], + "text": [ + "Description", + "DeviceDescription" + ], + "device_name": [ + "DeviceId" + ], + "source": [ + "SourceSystem" + ], + "alert_type": [ + "AlertName" + ], + "activity": [ + "Activity" + ], + "computer": [ + "Computer" + ], + "event_data": [ + "EventData" + ], + "service_name": [ + "ServiceName" + ], + "task": [ + "Task" + ], + "user_parameter": [ + 
"UserParameter" + ], + "member_name": [ + "MemberName" + ], + "requester": [ + "Requester" + ] + } + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityIncident_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityIncident_from_stix_map.json new file mode 100644 index 000000000..e843b2d73 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/SecurityIncident_from_stix_map.json @@ -0,0 +1,79 @@ +{ + "url": { + "fields": { + "value": [ + "IncidentUrl" + ] + } + }, + "x-ibm-finding": { + "fields": { + "start": [ + "FirstActivityTime", + "FirstModifiedTime", + "TimeGenerated" + ], + "end": [ + "ClosedTime", + "LastActivityTime", + "LastModifiedTime" + ], + "name": [ + "IncidentName" + ], + "time_observed": [ + "TimeGenerated" + ] + } + }, + "x-oca-event": { + "fields": { + "created": [ + "CreatedTime" + ], + "provider": [ + "ProviderName" + ], + "url_ref": [ + "IncidentUrl" + ], + "domain_ref": [ + "DomainName" + ] + } + }, + "x-azure-security-incident": { + "fields": { + "incident_name": [ + "IncidentName" + ], + "severity": [ + "Severity" + ], + "owner": [ + "Owner" + ], + "additional_data": [ + "AdditionalData" + ], + "alertids": [ + "AlertIds" + ], + "comments": [ + "Comments" + ], + "description": [ + "Description" + ], + "labels": [ + "Labels" + ], + "modified_by": [ + "ModifiedBy" + ], + "classification": [ + "Classification" + ] + } + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/operators.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/operators.json new file mode 100644 index 000000000..421432d83 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/operators.json 
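Review bot: `hashes.'SHA-256'`, `hashes.MD5` and `hashes.'SHA-1'` all map to the single `FileHash` column, so a pattern on any of the three produces the same KQL and the requested algorithm is silently dropped; if the table does not record the hash type, say so in the README and keep a single mapping rather than three identical ones. `process:pid` is mapped to `ProcessId`; as far as I recall SecurityEvent stores that column as a hex string such as `0x1a4`, which is worth confirming because an integer comparison would then never match.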
@@ -0,0 +1,9 @@
+{
+ "ComparisonExpressionOperators.And": "and",
+ "ComparisonExpressionOperators.Or": "or",
+ "ComparisonComparators.Equal": "==",
+ "ComparisonComparators.NotEqual": "!=",
+ "ComparisonComparators.In": "in",
+ "ComparisonComparators.Matches": "contains",
+ "ComparisonComparators.Like": "startswith, endswith"
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityAlert_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityAlert_from_stix_map.json
new file mode 100644
index 000000000..071f087df
--- /dev/null
+++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityAlert_from_stix_map.json
@@ -0,0 +1,83 @@
+{
+ "x-ibm-finding": {
+ "fields": {
+ "start": [
+ "StartTime",
+ "TimeGenerated"
+ ],
+ "end": [
+ "EndTime",
+ "ProcessingEndTime"
+ ],
+ "name": [
+ "AlertName"
+ ],
+ "time_observed": [
+ "TimeGenerated",
+ "EventTime"
+ ]
+ }
+ },
+ "x-oca-event": {
+ "fields": {
+ "created": [
+ "TimeGenerated"
+ ],
+ "provider": [
+ "ProviderName"
+ ],
+ "domain_ref": [
+ "DomainName"
+ ]
+ }
+ },
+ "x-msazure-sentinel-alert": {
+ "fields": {
+ "tenant_id": [
+ "TenantId"
+ ],
+ "subscription_id": [
+ "WorkspaceSubscriptionId"
+ ],
+ "resourceId": [
+ "_ResourceId"
+ ],
+ "alert_severity": [
+ "AlertSeverity"
+ ],
+ "description": [
+ "Description"
+ ],
+ "product_name": [
+ "ProductName"
+ ],
+ "vendor_name": [
+ "VendorName"
+ ],
+ "system_alertid": [
+ "SystemAlertId"
+ ],
+ "status": [
+ "Status"
+ ],
+ "extented_properties": [
+ "ExtentedProperties"
+ ],
+ "confidence_level": [
+ "ConfidenceLevel"
+ ],
+ "entities": [
+ "Entities"
+ ],
+ "display_name": [
+ "DisplayName"
+ ],
+ "workspace_resource_group": [
+ "WorkspaceResourceGroup"
+ ],
+ "compromised_entity": [
+ "CompromisedEntity"
+ ]
+ }
+ }
+}
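Review bot: `ComparisonComparators.Matches` is mapped to `contains`, which turns a STIX regex MATCHES into a case-insensitive substring test in KQL, so a detection pattern written as a regex will over-match; KQL's `matches regex` keeps the intended semantics (`"ComparisonComparators.Matches": "matches regex"`). `ComparisonComparators.Like` maps to the string `"startswith, endswith"`, which is not a single KQL operator, so presumably query_constructor.py special-cases it — a mapped value that is not emitted verbatim should be documented in the README. The table has no entries for the GreaterThan/LessThan(OrEqual) comparators although `negated_comparator_lookup` in query_constructor.py refers to them, so either add the KQL forms or make the constructor reject them with SearchFeatureNotSupportedError explicitly.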
diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityEvent_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityEvent_from_stix_map.json new file mode 100644 index 000000000..d513e6fb9 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityEvent_from_stix_map.json 
@@ -0,0 +1,171 @@ +{ + "ipv4-addr": { + "fields": { + "value": [ + "IpAddress" + ] + } + }, + "domain-name": { + "fields": { + "value": [ + "TargetDomainName" + ] + } + }, + "user-account": { + "fields": { + "account_login": [ + "TargetUserName" + ] + } + }, + "directory": { + "fields": { + "path": [ + "HomeDirectory", + "HomePath" + ] + } + }, + "file": { + "fields": { + "path": [ + "FilePath" + ], + "hashes": [ + "FileHash" + ] + } + }, + "process": { + "fields": { + "name": [ + "ProcessName", + "LogonProcessName" + ], + "parent_ref.name": [ + "ParentProcessName" + ], + "command_line": [ + "CommandLine" + ], + "pid": [ + "ProcessId" + ] + } + }, + "url": { + "fields": { + "value": [ + "QuarantineHelpURL" + ] + } + }, + "x-ibm-finding": { + "fields": { + "start": [ + "TimeGenerated" + ], + "end": [ + "PreviousTime" + ], + "code": [ + "EventID" + ], + "name": [ + "EventSourceName" + ], + "time_observed": [ + "TimeGenerated" + ], + "src_ip_ref": [ + "IpAddress" + ], + "dst_ip_ref": [ + "ClientIPAddress" + ] + } + }, + "x-oca-event": { + "fields": { + "created": [ + "TimeGenerated" + ], + "code": [ + "EventID" + ], + "provider": [ + "Account" + ], + "url_ref": [ + "QuarantineHelpURL" + ], + "process_ref": [ + "ProcessName" + ], + "file_ref.hash": [ + "FileHash" + ], + "file_ref.path": [ + "FilePath" + ], + "file_ref.service": [ + "ServiceFileName" + ], + "parent_process_ref": [ + "ParentProcessName" + ], + "ip_refs.ip": [ + "IpAddress" + ], + "ip_refs.clientIp": [ + "ClientIPAddress" + ] + } + }, + "x-msazure-sentinel-event": { + "fields": { + "title": [ + "Title" + ], + "text": [ + "Description", + "DeviceDescription" + ], + "device_name": [ + "DeviceId" + ], + "source": [ + "SourceSystem" + ], + "alert_type": [ + "AlertName" + ], + "activity": [ + "Activity" + ], + "computer": [ + "Computer" + ], + "event_data": [ + "EventData" + ], + "service_name": [ + "ServiceName" + ], + "task": [ + "Task" + ], + "user_parameter": [ + "UserParameter" + ], + "member_name": [ + 
"MemberName" + ], + "requester": [ + "Requester" + ] + } + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityIncident_from_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityIncident_from_stix_map.json new file mode 100644 index 000000000..2f0d76e09 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/SecurityIncident_from_stix_map.json @@ -0,0 +1,79 @@ +{ + "url": { + "fields": { + "value": [ + "IncidentUrl" + ] + } + }, + "x-ibm-finding": { + "fields": { + "start": [ + "FirstActivityTime", + "FirstModifiedTime", + "TimeGenerated" + ], + "end": [ + "ClosedTime", + "LastActivityTime", + "LastModifiedTime" + ], + "name": [ + "IncidentName" + ], + "time_observed": [ + "TimeGenerated" + ] + } + }, + "x-oca-event": { + "fields": { + "created": [ + "CreatedTime" + ], + "provider": [ + "ProviderName" + ], + "url_ref": [ + "IncidentUrl" + ], + "domain_ref": [ + "DomainName" + ] + } + }, + "x-msazure-sentinel-incident": { + "fields": { + "incident_name": [ + "IncidentName" + ], + "severity": [ + "Severity" + ], + "owner": [ + "Owner" + ], + "additional_data": [ + "AdditionalData" + ], + "alertids": [ + "AlertIds" + ], + "comments": [ + "Comments" + ], + "description": [ + "Description" + ], + "labels": [ + "Labels" + ], + "modified_by": [ + "ModifiedBy" + ], + "classification": [ + "Classification" + ] + } + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/to_stix_map.json new file mode 100644 index 000000000..bef4dd249 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/stix_2_1/to_stix_map.json 
@@ -0,0 +1,368 @@ +{ + "EventSourceName": { + "key": "x-ibm-finding.name", + "object": "finding" + }, + "AlertName": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-azure-security-event.alert_type", + "object": "msevent" + } + ], + "IncidentName": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-azure-security-incident.incident_name", + "object": "incident" + } + ], + "TimeGenerated": [ + { + "key": "x-ibm-finding.start", + "object": "finding" + }, + { + "key": "x-oca-event.created", + "object": "event" + }, + { + "key": "x-ibm-finding.time_observed", + "object": "finding" + } + ], + "EventTime": { + "key": "x-ibm-finding.time_observed", + "object": "finding" + }, + "PreviousTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "ProviderName": { + "key": "x-oca-event.provider", + "object": "event" + }, + "EventID": [ + { + "key": "x-ibm-finding.code", + "object": "finding" + }, + { + "key": "x-oca-event.code", + "object": "event" + } + ], + "IpAddress": [ + { + "key": "x-ibm-finding.src_ip_ref", + "object": "finding" + }, + { + "key": "ipv4-addr.value", + "object": "ipv4-addr" + }, + { + "key": "x-oca-event.ip_refs", + "object": "event" + } + ], + "ClientIPAddress": [ + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "finding" + }, + { + "key": "x-oca-event.ip_refs.clientIp", + "object": "event" + } + ], + "StartTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "EndTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "ProcessingEndTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "FirstActivityTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "FirstModifiedTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "ClosedTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "LastActivityTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "LastModifiedTime": { + "key": 
"x-ibm-finding.end", + "object": "finding" + }, + "CreatedTime": { + "key": "x-oca-event.created", + "object": "event" + }, + "Account": { + "key": "x-oca-event.provider", + "object": "event" + }, + "QuarantineHelpURL": [ + { + "key": "x-oca-event.url_ref", + "object": "event" + }, + { + "key": "url.name", + "object": "url" + } + ], + "IncidentUrl": [ + { + "key": "x-oca-event.url_ref", + "object": "event" + }, + { + "key": "url.name", + "object": "url" + } + ], + "ProcessName": [ + { + "key": "process.name", + "object": "process" + }, + { + "key": "x-oca-event.process_ref", + "object": "event" + } + ], + "CommandLine": { + "key": "process.command_line", + "object": "process" + }, + "ProcessId": { + "key": "process.pid", + "object": "process" + }, + "ParentProcessName": [ + { + "key": "process.parent_ref", + "object": "process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "event" + } + ], + "FilePath": [ + { + "key": "file.path", + "object": "file" + }, + { + "key": "x-oca-event.file_ref.path", + "object": "file" + } + ], + "FileHash": [ + { + "key": "file.hashes", + "object": "event" + }, + { + "key": "x-oca-event.file_ref.path", + "object": "event" + } + ], + "ServiceFileName": { + "key": "x-oca-event.file_ref.service", + "object": "event" + }, + "HomeDirectory": { + "key": "directory.path", + "object": "directory" + }, + "HomePath": { + "key": "directory.path", + "object": "directory" + }, + "TargetDomainName": { + "key": "domain-name.value", + "object": "domain-name" + }, + "TargetUserName": { + "key": "user-account.account_login", + "object": "user-account" + }, + "TenantId": { + "key": "x-azure-security-alert.tenant_id", + "object": "alert" + }, + "WorkspaceSubscriptionId": { + "key": "x-azure-security-alert.subscription_id", + "object": "alert" + }, + "_ResourceId": { + "key": "x-azure-security-alert.resourceId", + "object": "alert" + }, + "AlertSeverity": { + "key": "x-azure-security-alert.alert_severity", + "object": "alert" + }, + 
"Description": [ + { + "key": "x-azure-security-alert.description", + "object": "alert" + }, + { + "key": "x-azure-security-event.description", + "object": "msevent" + } + ], + "ProductName": { + "key": "x-azure-security-alert.product_name", + "object": "alert" + }, + "VendorName": { + "key": "x-azure-security-alert.vendor_name", + "object": "alert" + }, + "SystemAlertId": { + "key": "x-azure-security-alert.cloudAppStates.system_alertid", + "object": "alert" + }, + "Status": { + "key": "x-azure-security-alert.status", + "object": "alert" + }, + "ExtentedProperties": { + "key": "x-azure-security-alert.extented_properties", + "object": "alert" + }, + "ConfidenceLevel": { + "key": "x-azure-security-alert.confidence_level", + "object": "alert" + }, + "Entities": { + "key": "x-azure-security-alert.entities", + "object": "alert" + }, + "DisplayName": { + "key": "x-azure-security-alert.display_name", + "object": "alert" + }, + "WorkspaceResourceGroup": { + "key": "x-azure-security-alert.workspace_resource_group", + "object": "alert" + }, + "CompromisedEntity": { + "key": "x-azure-security-alert.compromised_entity", + "object": "alert" + }, + "eventId": { + "key": "x-azure-security-event.event_id", + "object": "msevent" + }, + "Title": { + "key": "x-azure-security-event.title", + "object": "msevent" + }, + "DeviceDescription": { + "key": "x-azure-security-event.text", + "object": "msevent" + }, + "DeviceId": { + "key": "x-azure-security-event.device_name", + "object": "msevent" + }, + "SourceSystem": { + "key": "x-azure-security-event.source", + "object": "msevent" + }, + "Activity": { + "key": "x-azure-security-event.activity", + "object": "msevent" + }, + "Computer": { + "key": "x-azure-security-event.computer", + "object": "msevent" + }, + "EventData": { + "key": "x-azure-security-event.event_data", + "object": "msevent" + }, + "LogonProcessName": { + "key": "process.name", + "object": "process" + }, + "ServiceName": { + "key": "x-azure-security-event.service_name", + 
"object": "msevent" + }, + "Task": { + "key": "x-azure-security-event.task", + "object": "msevent" + }, + "UserParameter": { + "key": "x-azure-security-event.user_parameter", + "object": "msevent" + }, + "MemberName": { + "key": "x-azure-security-event.member_name", + "object": "msevent" + }, + "Requester": { + "key": "x-azure-security-event.requester", + "object": "msevent" + }, + "Severity": { + "key": "x-azure-security-incident.severity", + "object": "incident" + }, + "Owner": { + "key": "x-azure-security-incident.owner", + "object": "incident" + }, + "AdditionalData": { + "key": "x-azure-security-incident.additional_data", + "object": "incident" + }, + "AlertIds": { + "key": "x-azure-security-incident.alertids", + "object": "incident" + }, + "Comments": { + "key": "x-azure-security-incident.comments", + "object": "incident" + }, + "Description__incident": { + "key": "x-azure-security-incident.description", + "object": "incident" + }, + "Labels": { + "key": "x-azure-security-incident.labels", + "object": "incident" + }, + "ModifiedBy": { + "key": "x-azure-security-incident.modified_by", + "object": "incident" + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_log_analytics/stix_translation/json/to_stix_map.json new file mode 100644 index 000000000..b60ce846a --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/json/to_stix_map.json 
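Review bot: The custom objects emitted by this stix_2_1 to_stix map are `x-azure-security-alert`, `x-azure-security-event` and `x-azure-security-incident`, while the stix_2_1 from_stix maps in the same commit define `x-msazure-sentinel-alert`, `-event` and `-incident`, so results translated here cannot be queried back through those maps; one of the two namings has to change. `QuarantineHelpURL` and `IncidentUrl` are emitted as `url.name`, but the STIX URL object (and the from_stix maps) use `url.value`. `FileHash` is mapped to `file.hashes` on object `event` instead of the `file` object that `FilePath` uses, and `_ref` keys such as `x-ibm-finding.src_ip_ref`, `process.parent_ref` and `x-oca-event.file_ref.path` carry no `references` entry, so if the translator resolves references the way other modules do they will land as literal strings. The `url.name`, `FileHash` and `_ref` points apply equally to stix_translation/json/to_stix_map.json.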
@@ -0,0 +1,362 @@ +{ + "EventSourceName": { + "key": "x-ibm-finding.name", + "object": "finding" + }, + "AlertName": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-azure-security-event.alert_type", + "object": "msevent" + } + ], + "IncidentName": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-azure-security-incident.incident_name", + "object": "incident" + } + ], + "TimeGenerated": [ + { + "key": "x-ibm-finding.start", + "object": "finding" + }, + { + "key": "x-oca-event.created", + "object": "event" + }, + { + "key": "x-ibm-finding.time_observed", + "object": "finding" + } + ], + "EventTime": { + "key": "x-ibm-finding.time_observed", + "object": "finding" + }, + "PreviousTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "ProviderName": { + "key": "x-oca-event.provider", + "object": "event" + }, + "EventID": { + "key": "x-oca-event.code", + "object": "event" + }, + "IpAddress": [ + { + "key": "x-ibm-finding.src_ip_ref", + "object": "finding" + }, + { + "key": "ipv4-addr.value", + "object": "ipv4-addr" + }, + { + "key": "x-oca-event.ip_refs", + "object": "event" + } + ], + "ClientIPAddress": [ + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "finding" + }, + { + "key": "x-oca-event.ip_refs.clientIp", + "object": "event" + } + ], + "StartTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "EndTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "ProcessingEndTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "FirstActivityTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "FirstModifiedTime": { + "key": "x-ibm-finding.start", + "object": "finding" + }, + "ClosedTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "LastActivityTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "LastModifiedTime": { + "key": "x-ibm-finding.end", + "object": "finding" + }, + "CreatedTime": { + 
"key": "x-oca-event.created", + "object": "event" + }, + "Account": { + "key": "x-oca-event.provider", + "object": "event" + }, + "QuarantineHelpURL": [ + { + "key": "x-oca-event.url_ref", + "object": "event" + }, + { + "key": "url.name", + "object": "url" + } + ], + "IncidentUrl": [ + { + "key": "x-oca-event.url_ref", + "object": "event" + }, + { + "key": "url.name", + "object": "url" + } + ], + "ProcessName": [ + { + "key": "process.name", + "object": "process" + }, + { + "key": "x-oca-event.process_ref", + "object": "event" + } + ], + "CommandLine": { + "key": "process.command_line", + "object": "process" + }, + "ProcessId": { + "key": "process.pid", + "object": "process" + }, + "ParentProcessName": [ + { + "key": "process.parent_ref", + "object": "process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "event" + } + ], + "FilePath": [ + { + "key": "file.path", + "object": "file" + }, + { + "key": "x-oca-event.file_ref.path", + "object": "file" + } + ], + "FileHash": [ + { + "key": "file.hashes", + "object": "event" + }, + { + "key": "x-oca-event.file_ref.path", + "object": "event" + } + ], + "ServiceFileName": { + "key": "x-oca-event.file_ref.service", + "object": "event" + }, + "HomeDirectory": { + "key": "directory.path", + "object": "directory" + }, + "HomePath": { + "key": "directory.path", + "object": "directory" + }, + "TargetDomainName": { + "key": "domain-name.value", + "object": "domain-name" + }, + "TargetUserName": { + "key": "user-account.account_login", + "object": "user-account" + }, + "TenantId": { + "key": "x-azure-security-alert.tenant_id", + "object": "alert" + }, + "WorkspaceSubscriptionId": { + "key": "x-azure-security-alert.subscription_id", + "object": "alert" + }, + "_ResourceId": { + "key": "x-azure-security-alert.resourceId", + "object": "alert" + }, + "AlertSeverity": { + "key": "x-azure-security-alert.alert_severity", + "object": "alert" + }, + "Description": [ + { + "key": "x-azure-security-alert.description", + 
"object": "alert" + }, + { + "key": "x-azure-security-event.description", + "object": "msevent" + } + ], + "ProductName": { + "key": "x-azure-security-alert.product_name", + "object": "alert" + }, + "VendorName": { + "key": "x-azure-security-alert.vendor_name", + "object": "alert" + }, + "SystemAlertId": { + "key": "x-azure-security-alert.cloudAppStates.system_alertid", + "object": "alert" + }, + "Status": { + "key": "x-azure-security-alert.status", + "object": "alert" + }, + "ExtentedProperties": { + "key": "x-azure-security-alert.extented_properties", + "object": "alert" + }, + "ConfidenceLevel": { + "key": "x-azure-security-alert.confidence_level", + "object": "alert" + }, + "Entities": { + "key": "x-azure-security-alert.entities", + "object": "alert" + }, + "DisplayName": { + "key": "x-azure-security-alert.display_name", + "object": "alert" + }, + "WorkspaceResourceGroup": { + "key": "x-azure-security-alert.workspace_resource_group", + "object": "alert" + }, + "CompromisedEntity": { + "key": "x-azure-security-alert.compromised_entity", + "object": "alert" + }, + "eventId": { + "key": "x-azure-security-event.event_id", + "object": "msevent" + }, + "Title": { + "key": "x-azure-security-event.title", + "object": "msevent" + }, + "DeviceDescription": { + "key": "x-azure-security-event.text", + "object": "msevent" + }, + "DeviceId": { + "key": "x-oca-asset.device_id", + "object": "asset" + }, + "SourceSystem": { + "key": "x-azure-security-event.source", + "object": "msevent" + }, + "Activity": { + "key": "x-azure-security-event.activity", + "object": "msevent" + }, + "Computer": { + "key": "x-azure-security-event.computer", + "object": "msevent" + }, + "EventData": { + "key": "x-azure-security-event.event_data", + "object": "msevent" + }, + "LogonProcessName": { + "key": "process.name", + "object": "process" + }, + "ServiceName": { + "key": "x-azure-security-event.service_name", + "object": "msevent" + }, + "Task": { + "key": "x-azure-security-event.task", + 
"object": "msevent" + }, + "UserParameter": { + "key": "x-azure-security-event.user_parameter", + "object": "msevent" + }, + "MemberName": { + "key": "x-azure-security-event.member_name", + "object": "msevent" + }, + "Requester": { + "key": "x-azure-security-event.requester", + "object": "msevent" + }, + "Severity": { + "key": "x-azure-security-incident.severity", + "object": "incident" + }, + "Owner": { + "key": "x-azure-security-incident.owner", + "object": "incident" + }, + "AdditionalData": { + "key": "x-azure-security-incident.additional_data", + "object": "incident" + }, + "AlertIds": { + "key": "x-azure-security-incident.alertids", + "object": "incident" + }, + "Comments": { + "key": "x-azure-security-incident.comments", + "object": "incident" + }, + "Description__incident": { + "key": "x-azure-security-incident.description", + "object": "incident" + }, + "Labels": { + "key": "x-azure-security-incident.labels", + "object": "incident" + }, + "ModifiedBy": { + "key": "x-azure-security-incident.modified_by", + "object": "incident" + } +} diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/query_constructor.py b/stix_shifter_modules/azure_log_analytics/stix_translation/query_constructor.py new file mode 100644 index 000000000..1c2c3eebd --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/query_constructor.py 
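Review bot: `DeviceId` is mapped to `x-oca-asset.device_id` on object `asset` here, but SecurityEvent_from_stix_map.json in this commit maps `x-azure-security-event:device_name` to `DeviceId` and the stix_2_1 to_stix map emits `x-azure-security-event.device_name`, so the same column round-trips to different objects depending on which map is used; pick one and align all three. `Description__incident` is not a column name a query result will carry unless the connector renames `Description` per table, and a JSON map cannot carry a comment, so if that is the intent it needs a sentence in the README.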
@@ -0,0 +1,353 @@ +from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, \ + ComparisonExpression, ComparisonExpressionOperators, ComparisonComparators, Pattern, CombinedComparisonExpression, \ + CombinedObservationExpression +from stix_shifter_utils.stix_translation.src.patterns.errors import SearchFeatureNotSupportedError +from datetime import datetime, timedelta +import re + +START_STOP_PATTERN = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z)" + + +class QueryStringPatternTranslator: + COUNTER = 0 + + # comparator lookup for implementing negation operator + negated_comparator_lookup = { + ComparisonComparators.GreaterThan: "le", + ComparisonComparators.GreaterThanOrEqual: "lt", + ComparisonComparators.LessThan: "ge", + ComparisonComparators.LessThanOrEqual: "gt", + ComparisonComparators.Equal: "ne", + ComparisonComparators.NotEqual: "eq", + ComparisonComparators.In: "ne" + } + + def __init__(self, pattern: Pattern, data_model_mapper, time_range): + self.dmm = data_model_mapper + self.comparator_lookup = self.dmm.map_comparator() + self._time_range = time_range + self.pattern = pattern + + # List of queries for each observation + self.final_query_list = [] + # Translated query string without any qualifiers + self.translated = self.parse_expression(pattern) + + @staticmethod + def _format_set(value) -> list: + """ + Formatting list of values in the event of IN operation + :param value: str + :return: list + """ + value_list = value.values + format_list = [] + for item in value_list: + format_list.append('\'{}\''.format(item)) + return format_list + + @staticmethod + def _format_match(value) -> str: + """ + Formatting value in the event of MATCHES operation + encapsulating the value inside regex keyword + :param value: str + :return: str + """ + return '\'{}\''.format(value) + + @staticmethod + def _format_equality(value) -> str: + """ + Formatting value in the event of equality operation + :param value: str + 
:return: str + """ + return '\'{}\''.format(value) + + @staticmethod + def _format_like(value) -> str: + """ + Formatting value in the event of LIKE operation + :param value: str + :return: str + """ + return '\'{}\''.format(value) + + @staticmethod + def _escape_value(value) -> str: + """ + Formats and replaces backslashes and single quoted parenthesis + :param value: str + :return: str + """ + if isinstance(value, str): + return '{}'.format(value.replace('\\', '\\\\').replace('\"', '\\"').replace('(', '\\(').replace(')', '\\)')) + else: + return value + + @staticmethod + def _format_value_without_quotes(value): + """ + Formats and replaces values with escape character into value without quotes + :param value: str + :return: str + """ + values = [] + if isinstance(value, list): + for each in value: + values.append('{}'.format(each.replace('\'', ''))) + value = values + else: + value = value.replace('\'', '') + return value + + @staticmethod + def _format_value_to_lower_case(value): + """ + Formats and replaces values with escape character into value without quotes + :param value: str + :return: str + """ + values = [] + if isinstance(value, list): + for each in value: + values.append('{}'.format(each).lower()) + value = values + else: + value = value.lower() + return value + + @staticmethod + def _parse_mapped_fields(self, expression, value, comparator, stix_field, mapped_fields_array, counter): + """ + Mapping the stix object property with their corresponding property in sentinel odata query + from_stix_map.json will be used for mapping + :param expression: expression object, ANTLR parsed expression object + :param value: str + :param comparator: str + :param mapped_fields_array: list, Mapping available in from_stix_map.json + :return: str, whose part of the odata query for each value + """ + comparison_string = "" + values = value + mapped_fields_count = len(mapped_fields_array) + + def format_comparision_string(comparison_string, mapped_field, lambda_func): + # 
check for mapped_field that has '.' character -> example [fileStates.name,processes.name] + if '.' in mapped_field: + collection_attribute_array = mapped_field.split('.') + collection_name = collection_attribute_array[0] + attribute_nested_level = '/'.join(collection_attribute_array[1:]) + + attribute_expression = '({fn}/'.format(fn=lambda_func) + attribute_nested_level + ')' + # ip address in data source is like "sourceAddress": "IP: 92.63.194.101 [2]\r" + # to get ip address from data source using contains keyword ODATA query + if comparator == 'contains': + comparison_string += " and {collection_name}/any({fn}:{comparator}({attribute_expression}, " \ + "{value})))".format(collection_name=collection_name, fn=lambda_func, + attribute_expression=attribute_expression, + comparator=comparator, value=value) + else: + comparison_string += " and {collection_name}/any({fn}:{attribute_expression} {comparator} " \ + "{value}))".format(collection_name=collection_name, fn=lambda_func, + attribute_expression=attribute_expression, + comparator=comparator, + value=value) + else: + # check for mapped field that does not have '.' character -> example [azureTenantId,title] + if comparator == 'contains': + comparison_string += "{comparator}{mapped_field}, {value}".format( + mapped_field=mapped_field, comparator=comparator, value=value) + else: + comparison_string += "{mapped_field} {comparator} {value}".format( + mapped_field=mapped_field, comparator=comparator, value=value) + return comparison_string + + # loop for custom logic to form IN operator related query + for mapped_field in mapped_fields_array: + lambda_func = 'query' + str(counter) + + # for In operator, loop the format comparision string for each values in the list. 
+ if expression.comparator == ComparisonComparators.In: + if isinstance(values, list): + values_count = len(values) + for value in values: + comparison_string = format_comparision_string(comparison_string, mapped_field, lambda_func) + if values_count > 1: + if expression.negated: + comparison_string += " and " + else: + comparison_string += " or " + values_count -= 1 + # to form queries other than IN operator + else: + comparison_string = format_comparision_string(comparison_string, mapped_field, lambda_func) + + if mapped_fields_count > 1: + if expression.negated: + comparison_string += " and " + else: + comparison_string += " or " + mapped_fields_count -= 1 + return comparison_string + + def _lookup_comparison_operator(self, expression_operator): + if str(expression_operator) not in self.comparator_lookup: + raise NotImplementedError( + "Comparison operator {} unsupported for Azure Sentinel adapter".format(expression_operator.name)) + return self.comparator_lookup[str(expression_operator)] + + @staticmethod + def _parse_time_range(qualifier, time_range): + """ + :param qualifier: str, input time range i.e START t'2019-04-10T08:43:10.003Z' STOP t'2019-04-20T10:43:10.003Z' + :param time_range: int, value available from main.py in options variable + :return: str, format_string bound with time range provided + """ + try: + compile_timestamp_regex = re.compile(START_STOP_PATTERN) + mapped_field = "TimeGenerated" + if qualifier and compile_timestamp_regex.search(qualifier): + time_range_iterator = compile_timestamp_regex.finditer(qualifier) + time_range_list = [each.group() for each in time_range_iterator] + else: + stop_time = datetime.utcnow() + start_time = stop_time - timedelta(hours=24) + converted_starttime = start_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z' + converted_stoptime = stop_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z' + time_range_list = [converted_starttime, converted_stoptime] + + value = ('{mapped_field} between (datetime({start_time}) .. 
datetime({stop_time}))' + ).format(mapped_field=mapped_field, start_time=time_range_list[0], + stop_time=time_range_list[1]) + format_string = '{value}'.format(value=value) + return format_string + except (KeyError, IndexError, TypeError) as e: + raise e + + def _parse_expression(self, expression, qualifier=None) -> str: + """ + Complete formation of native query from ANTLR expression object + :param expression: expression object, ANTLR parsed expression object + :param qualifier: str | None + :return: None or native query as the method call is recursive + """ + if isinstance(expression, ComparisonExpression): # Base Case + # Resolve STIX Object Path to a field in the target Data Model + stix_object, stix_field = expression.object_path.split(':') + # Multiple data source fields may map to the same STIX Object + mapped_fields_array = self.dmm.map_field(stix_object, stix_field) + # Resolve the comparison symbol to use in the query string (usually just ':') + comparator = self._lookup_comparison_operator(expression.comparator) + + # Some values are formatted differently based on how they're being compared + if expression.comparator == ComparisonComparators.Matches: # needs forward slashes + value = self._format_match(expression.value) + # should be (x, y, z, ...) + elif expression.comparator == ComparisonComparators.In: + value = self._format_set(expression.value) + elif expression.comparator == ComparisonComparators.Equal \ + or expression.comparator == ComparisonComparators.NotEqual \ + or expression.comparator == ComparisonComparators.GreaterThan \ + or expression.comparator == ComparisonComparators.LessThan \ + or expression.comparator == ComparisonComparators.GreaterThanOrEqual \ + or expression.comparator == ComparisonComparators.LessThanOrEqual: + # Should be in single-quotes + value = self._format_equality(expression.value) + # '%' -> '*' wildcard, '_' -> '?' 
single wildcard + elif expression.comparator == ComparisonComparators.Like: + value = self._format_like(expression.value) + else: + value = self._escape_value(expression.value) + + if expression.negated: + if expression.comparator in [ComparisonComparators.Like, ComparisonComparators.Matches]: + raise SearchFeatureNotSupportedError("'NOT' Operator is not supported for LIKE and MATCHES") + elif stix_object in ['ipv4-addr', 'ipv6-addr'] or stix_field in ['src_ref.value', 'dst_ref.value']: + raise SearchFeatureNotSupportedError("'NOT' Operator is not supported for IPV4 or IPV6 address") + comparator = self.negated_comparator_lookup.get(expression.comparator) + + # to remove single quotes in specific field value + if stix_field in ['pid', 'parent_ref.pid', 'account_last_login']: + if expression.comparator in [ComparisonComparators.Like, ComparisonComparators.Matches]: + raise SearchFeatureNotSupportedError('"{operator}" operator is not supported for ' + '"{stix_field}" attribute' + .format(operator=expression.comparator.name.upper(), + stix_field=stix_field)) + value = self._format_value_without_quotes(value) + + # COUNTER is used to form sequential lambda function names for OData4 queries per comparison observation + ''' eg. processes/any(query1:contains(tolower(query1/path), 'c:\\windows\\system32')) and + processes/any(query2:contains(tolower(query2/name), 'exe')) ''' + self.COUNTER += 1 + + comparison_string = self._parse_mapped_fields(self, expression, value, comparator, stix_field, + mapped_fields_array, self.COUNTER) + + if len(mapped_fields_array) > 1: + # More than one data source field maps to the STIX attribute, so group comparisons together. 
+ grouped_comparison_string = "(" + comparison_string + ")" + comparison_string = grouped_comparison_string + + return "{}".format(comparison_string) + + elif isinstance(expression, CombinedComparisonExpression): + operator = self._lookup_comparison_operator(expression.operator) + expression_01 = self._parse_expression(expression.expr1) + expression_02 = self._parse_expression(expression.expr2) + if not expression_01 or not expression_02: + return '' + if isinstance(expression.expr1, CombinedComparisonExpression): + expression_01 = "({})".format(expression_01) + if isinstance(expression.expr2, CombinedComparisonExpression): + expression_02 = "({})".format(expression_02) + query_string = "{} {} {}".format(expression_01, operator, expression_02) + return "{}".format(query_string) + elif isinstance(expression, ObservationExpression): + parse_string = self._parse_expression(expression.comparison_expression) + time_string = self._parse_time_range(qualifier, self._time_range) + sentinel_query = "({}) and ({})".format(parse_string, time_string) + self.final_query_list.append(sentinel_query) + elif hasattr(expression, 'qualifier') and hasattr(expression, 'observation_expression'): + if isinstance(expression.observation_expression, CombinedObservationExpression): + self._parse_expression(expression.observation_expression.expr1, expression.qualifier) + self._parse_expression(expression.observation_expression.expr2, expression.qualifier) + else: + parse_string = self._parse_expression(expression.observation_expression.comparison_expression, + expression.qualifier) + time_string = self._parse_time_range(expression.qualifier, self._time_range) + sentinel_query = "({}) and ({})".format(parse_string, time_string) + self.final_query_list.append(sentinel_query) + elif isinstance(expression, CombinedObservationExpression): + self._parse_expression(expression.expr1, qualifier) + self._parse_expression(expression.expr2, qualifier) + elif isinstance(expression, Pattern): + return 
"{expr}".format(expr=self._parse_expression(expression.expression)) + else: + raise RuntimeError("Unknown Recursion Case for expression={}, type(expression)={}".format( + expression, type(expression))) + + def parse_expression(self, pattern: Pattern): + """ + parse_expression --> Native query + :param pattern: expression object, ANTLR parsed expression object + :return:str, Odata filter query(native query) + """ + return self._parse_expression(pattern) + + +def translate_pattern(pattern: Pattern, data_model_mapping, options): + """ + Conversion of expression object to translated query + :param pattern: expression object, ANTLR parsed expression object + :param data_model_mapping: DataMapper object, mapping object obtained by parsing from_stix_map.json + :param options: dict, contains 2 keys result_limit defaults to 10000, time_range defaults to 5 + :return: str, translated query + """ + dialect_name = data_model_mapping.dialect + # Query result limit and time range can be passed into the QueryStringPatternTranslator if supported by the DS + time_range = options['time_range'] + query = QueryStringPatternTranslator(pattern, data_model_mapping, time_range) + translated_query = dialect_name + ' |' + " where " + ','.join(query.final_query_list) + return translated_query diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/query_translator.py b/stix_shifter_modules/azure_log_analytics/stix_translation/query_translator.py new file mode 100644 index 000000000..d0af475cf --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/query_translator.py 
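Review bot: `_format_equality`, `_format_like`, `_format_match` and `_format_set` wrap the STIX value in single quotes without escaping anything, and `_escape_value` (the only helper that escapes) is reached solely through the final `else` branch of `_parse_expression`, so a pattern value containing `'` closes the KQL string literal and the rest of the value is emitted as query text. The pattern is caller-supplied, so all four quoting helpers should go through one function that escapes `\` and `'` (KQL string literals accept `\\` and `\'`), as sketched below; `_escape_value`'s escaping of parentheses should stay away from `Matches` values, where they are regex syntax. Separately, the no-qualifier branch of `_parse_time_range` hard-codes `timedelta(hours=24)` and never reads its `time_range` argument, which the `translate_pattern` docstring presents as a configurable option — `timedelta(minutes=time_range)` if the option is in minutes (confirm the unit). The `except (KeyError, IndexError, TypeError) as e: raise e` in the same method only re-raises and can be dropped.
```python
@staticmethod
def _quote(value) -> str:
    """Return value as a KQL single-quoted literal with backslash and quote escaped."""
    return "'{}'".format(str(value).replace('\\', '\\\\').replace("'", "\\'"))

@staticmethod
def _format_set(value) -> list:
    """Quote every member of an IN list."""
    return [QueryStringPatternTranslator._quote(item) for item in value.values]

@staticmethod
def _format_equality(value) -> str:
    """Quote a value for =, !=, <, <=, >, >= comparisons."""
    return QueryStringPatternTranslator._quote(value)

# … unchanged: _format_like and _format_match delegate to _quote the same way …
```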
@@ -0,0 +1,27 @@ +import logging + +from stix_shifter_utils.modules.base.stix_translation.base_query_translator import BaseQueryTranslator +from . import query_constructor + +LOGGER = logging.getLogger(__name__) + + +class QueryTranslator(BaseQueryTranslator): + + def transform_antlr(self, data, antlr_parsing_object): + """ + Transforms STIX pattern into a different query format. Based on a mapping file + :param antlr_parsing_object: Antlr parsing objects for the STIX pattern + :type antlr_parsing_object: object + :param mapping: The mapping file path to use as instructions on how to transform + the given STIX query into another format. This should default to something if one isn't passed in + :type mapping: str (filepath) + :return: transformed query string + :rtype: str + """ + + LOGGER.info("Converting STIX2 Pattern to data source query") + + query_string = query_constructor.translate_pattern( + antlr_parsing_object, self, self.options) + return query_string diff --git a/stix_shifter_modules/azure_log_analytics/stix_translation/results_translator.py b/stix_shifter_modules/azure_log_analytics/stix_translation/results_translator.py new file mode 100644 index 000000000..366ba2971 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_translation/results_translator.py @@ -0,0 +1,4 @@ +from stix_shifter_utils.stix_translation.src.json_to_stix.json_to_stix import JSONToStix + +class ResultsTranslator(JSONToStix): + pass \ No newline at end of file diff --git a/stix_shifter_modules/azure_log_analytics/stix_transmission/__init__.py b/stix_shifter_modules/azure_log_analytics/stix_transmission/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py b/stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py new file mode 100644 index 000000000..81a132260 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_transmission/api_client.py 
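Review bot: `transform_antlr`'s docstring documents a `mapping` parameter that the signature does not have and says nothing about `data`, so the contract it states does not match the method. Replace the two `:param mapping:` lines with `:param data: str, the original STIX pattern (not read here; translation works from antlr_parsing_object)` — hedged wording, since the body never touches `data` — and keep the `antlr_parsing_object` and `:return:` entries. A one-line comment on the call, e.g. `# self doubles as the data-model mapper; options must carry 'time_range', which translate_pattern reads without a default`, would also help the next reader, since the translator indexes `options['time_range']` directly.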
@@ -0,0 +1,60 @@ +from stix_shifter_utils.stix_transmission.utils.RestApiClient import RestApiClient +from azure.monitor.query import LogsQueryClient +from azure.identity import ClientSecretCredential +from azure.core.exceptions import HttpResponseError +import logging + + +class APIClient: + """API Client to handle all calls.""" + + def __init__(self, connection, configuration): + """Initialization. + :param connection: dict, connection dict + :param configuration: dict,config dict""" + headers = dict() + self.workspace_id = connection.get('workspaceId') + self.host = connection.get('host') + self.timeout = connection['options'].get('timeout') + self.endpoint = 'v1/workspaces/{workspace_id}/query'.format(workspace_id=self.workspace_id) + logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") + logger.setLevel(logging.WARNING) + + self.credential = ClientSecretCredential(tenant_id=configuration["auth"]["tenant"], + client_id=configuration["auth"]["clientId"], + client_secret=configuration["auth"]["clientSecret"]) + + self.access_token = self.credential.get_token("https://{host}/.default".format(host=self.host)) + + headers['Authorization'] = "Bearer " + self.access_token.token + + self.client = RestApiClient(self.host, + connection.get('port', None), + headers, + cert_verify=connection.get('selfSignedCert', True), + sni=connection.get('sni', None) + ) + + def ping_box(self): + """Ping the endpoint.""" + return self.client.call_api(self.endpoint, 'GET', timeout=self.timeout) + + def run_search(self, query_expression, start, stop, length): + """get the response from azure_sentinel endpoints + :param query_expression: str, search_id + :param length: int,length value + :return: response, json object""" + try: + client = LogsQueryClient(self.credential) + response = client.query_workspace( + workspace_id=self.workspace_id, + query=query_expression, + timespan=(start, stop) + ) + return {'success': True, "response": response} + except 
HttpResponseError as er: + return {'success': False, "error": er.error} + except Exception as e: + return {'success': False, "error": e} + + \ No newline at end of file diff --git a/stix_shifter_modules/azure_log_analytics/stix_transmission/connector.py b/stix_shifter_modules/azure_log_analytics/stix_transmission/connector.py new file mode 100644 index 000000000..a57f55ce3 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_transmission/connector.py 
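Review bot: `run_search`'s docstring describes `query_expression` as `search_id` and documents a `length` parameter that the body never uses, while `start` and `stop` — the only values besides the query that reach `query_workspace` — are undocumented. The docstring should say it runs a KQL query against `self.workspace_id` over the `(start, stop)` timespan, that `length` is accepted but unused because the row limit is applied inside the query text, and that the return is a dict with `success` plus either `response` (a `LogsQueryResult`) or `error`. Note also that `LogsQueryClient(self.credential)` is built without an endpoint while the ping and the token scope are derived from `self.host`; if `host` is meant to be configurable (sovereign clouds), the query client presumably needs the same endpoint passed in — confirm against the SDK version in use.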
@@ -0,0 +1,88 @@ +import json +from stix_shifter_utils.modules.base.stix_transmission.base_sync_connector import BaseSyncConnector +from .api_client import APIClient +from stix_shifter_utils.utils.error_response import ErrorResponder +import pandas as pd +from stix_shifter_utils.utils import logger +from azure.monitor.query import LogsQueryStatus +from azure.core.exceptions import ODataV4Format +from datetime import datetime, timedelta +import re + + +class Connector(BaseSyncConnector): + + def __init__(self, connection, configuration): + """Initialization. + :param connection: dict, connection dict + :param configuration: dict,config dict""" + self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] + self.api_client = APIClient(connection, configuration) + + def ping_connection(self): + """Ping the endpoint.""" + return_obj = dict() + response = self.api_client.ping_box() + response_code = response.code + try: + response_dict = json.loads(response.read()) + except: + response_dict = json.loads(response.bytes) + + if 200 <= response_code < 300: + return_obj['success'] = True + elif response_code == 404: + error_dict = {"error": response_dict['error']['message'], "code": response_dict['error']['code']} + ErrorResponder.fill_error(return_obj, error_dict, ['error', 'message'], connector=self.connector) + else: + ErrorResponder.fill_error(return_obj, response_dict, ['error', 'message'], connector=self.connector) + + return return_obj + + def delete_query_connection(self, search_id): + """"delete_query_connection response + :param search_id: str, search_id""" + return {"success": True, "search_id": search_id} + + def create_results_connection(self, query, offset, length): + """"built the response object + :param query: str, search_id + :param offset: int,offset value + :param length: int,length value""" + length = int(length) + offset = int(offset) + total_record = length + offset + return_obj = dict() + query = """{query} | limit 
{len}""".format(query=query, len=length) + matches = re.findall(r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+?Z)', query) + if matches: + stop_time = datetime.strptime(matches[1].replace('Z', ""), "%Y-%m-%dT%H:%M:%S.%f") + start_time = datetime.strptime(matches[0].replace('Z', ""), "%Y-%m-%dT%H:%M:%S.%f") + else: + stop_time = datetime.utcnow() + start_time = stop_time - timedelta(hours=24) + + response = self.api_client.run_search(query, start_time, stop_time, + total_record) + + if response["success"]: + if response["response"].status == LogsQueryStatus.PARTIAL: + error = response["response"].partial_error + data = response["response"].partial_data + self.logger.warn(error.message) + elif response["response"].status == LogsQueryStatus.SUCCESS: + data = response["response"].tables + + for table in data: + df = pd.DataFrame(data=table.rows, columns=table.columns) + return_obj = {"success": True, "data": df.astype(str).to_dict(orient='records')} + return_obj['data'] = return_obj['data'][offset:total_record] + + else: + if isinstance(response["error"], ODataV4Format): + response_dict = {"error": response["error"], "code": response["error"].code} + else: + response_dict = {"error": response["error"]} + ErrorResponder.fill_error(return_obj, response_dict, ['error', 'message'], connector=self.connector) + return return_obj diff --git a/stix_shifter_modules/azure_log_analytics/stix_transmission/error_mapper.py b/stix_shifter_modules/azure_log_analytics/stix_transmission/error_mapper.py new file mode 100644 index 000000000..6985c907e --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/stix_transmission/error_mapper.py 
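Review bot: In `create_results_connection` the KQL is built with `| limit {len}` from `length` while the result is then sliced `[offset:total_record]`, so any `offset > 0` returns fewer than `length` rows and an offset at or beyond `length` returns nothing; the limit should use the already-computed total, `query = """{query} | limit {len}""".format(query=query, len=total_record)`. The timestamp regex on the next line requires fractional seconds (`\.\d+?Z`) although the translator's `START_STOP_PATTERN` accepts timestamps without them, so a `START t'…:00Z'` qualifier silently falls back to the last-24h timespan here while the query text still carries its own `between` filter, and the two windows may not overlap — a `(\.\d+)?` group keeps them in step, and `matches[1]` should be guarded since a single match raises `IndexError`. `data` is bound only for `PARTIAL` and `SUCCESS`, so a `FAILURE` status raises `UnboundLocalError` at `for table in data`, and because `return_obj` is rebuilt on every iteration only the last table survives.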
@@ -0,0 +1,68 @@ +""""Azure Sentinal connector specified error handling""" +from stix_shifter_utils.utils.error_mapper_base import ErrorMapperBase +from stix_shifter_utils.utils.error_response import ErrorCode +from stix_shifter_utils.utils import logger + +ERROR_MAPPING = { + "json_parse_exception": ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, + "HTTPSConnectionError": ErrorCode.TRANSMISSION_CONNECT, + "invalid_instance": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "invalid_request": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + "invalid_client": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + "unauthorized_client": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + # Azure specific exception + "BadRequest": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "SyntaxError": ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, + "InvalidAuthenticationToken": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + "accessDenied": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + "activityLimitReached": ErrorCode.TRANSMISSION_SEARCH_DOES_NOT_EXISTS, + "generalException": ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, + "invalidRange": ErrorCode.TRANSMISSION_RESPONSE_EMPTY_RESULT, + "invalidRequest": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "itemNotFound": ErrorCode.TRANSMISSION_RESPONSE_EMPTY_RESULT, + "malwareDetected": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "nameAlreadyExists": ErrorCode.TRANSMISSION_QUERY_LOGICAL_ERROR, + "notAllowed": ErrorCode.TRANSMISSION_CONNECT, + "notSupported": ErrorCode.TRANSMISSION_CONNECT, + "resourceModified": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "resyncRequired": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "serviceNotAvailable": ErrorCode.TRANSMISSION_CONNECT, + "quotaLimitReached": ErrorCode.TRANSMISSION_SEARCH_DOES_NOT_EXISTS, + "unauthenticated": ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + "ResourceNotFound": ErrorCode.TRANSMISSION_INVALID_PARAMETER, + # Azure SDK error + "BadArgumentError": ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, + "WorkspaceNotFoundError": 
ErrorCode.TRANSMISSION_INVALID_PARAMETER, + "PathNotFoundError": ErrorCode.TRANSMISSION_INVALID_PARAMETER +} + + +class ErrorMapper: + """"ErrorMapper class""" + logger = logger.set_logger(__name__) + DEFAULT_ERROR = ErrorCode.TRANSMISSION_MODULE_DEFAULT_ERROR + + @staticmethod + def set_error_code(json_data, return_obj): + """ms_atp transmit specified error + :param json_data: dict, error response of api_call + :param return_obj: dict, returns error and error code""" + error_type = '' + + if isinstance(json_data, tuple): + error_type = 'HTTPSConnectionError' + else: + try: + error_type = json_data['code'] + except Exception: + error_type = json_data['error'] + + error_code = ErrorMapper.DEFAULT_ERROR + + if error_type in ERROR_MAPPING: + error_code = ERROR_MAPPING[error_type] + + if error_code == ErrorMapper.DEFAULT_ERROR: + ErrorMapper.logger.debug("failed to map: " + str(json_data)) + + ErrorMapperBase.set_error_code(return_obj, error_code) diff --git a/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_json_to_stix.py b/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_json_to_stix.py new file mode 100644 index 000000000..e187ceade --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_json_to_stix.py 
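Review bot: The module docstring reads `Azure Sentinal connector specified error handling` and `set_error_code`'s reads `ms_atp transmit specified error`, neither of which names this `azure_log_analytics` module; the module line should become `"""Azure Log Analytics connector-specific error handling."""` and the method docstring should say it maps the `code` (or, failing that, the `error`) of an API error response to a stix-shifter `ErrorCode` and writes it into `return_obj`, falling back to `TRANSMISSION_MODULE_DEFAULT_ERROR`. The table itself looks carried over from a Graph-style connector: `activityLimitReached` and `quotaLimitReached` map to `TRANSMISSION_SEARCH_DOES_NOT_EXISTS`, which would report a throttled request as a missing search — confirm these codes can surface from the Log Analytics SDK at all and, if so, map them to a connect/availability code. The `isinstance(json_data, tuple)` branch is undocumented; a one-line comment on what produces a tuple here would help.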
@@ -0,0 +1,345 @@ +import unittest +from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator +from stix_shifter_modules.azure_log_analytics.entry_point import EntryPoint +from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers + +MODULE = "azure_sentinel" +options = {"api": "Log Analytics"} +entry_point = EntryPoint(options=options) +map_data = entry_point.get_results_translator().map_data +data_source = { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "azure_sentinel", + "identity_class": "events" +} + +DATA1 = { + 'TenantId': 'e00daaf8-d6a4-4410-b50b-f5ef61c9cb45', + 'WorkspaceSubscriptionId': 'dc26ff57-0597-4cc8-8092-aa5b929f8f39', 'category': 'SuspiciousSVCHOSTRareGroup', + 'TimeGenerated': '2022-05-24T11:22:29.003Z', + 'ProductName': 'Azure Sentinel', "EventID": "4625", + 'EventTime': '2022-05-24T14:27:36.370Z', 'AlertName': 'AlertLog', + 'AlertSeverity': 'Medium', 'Status': 'New', 'ProviderName': 'ASI Scheduled Alerts'} + +DATA2 = { + "TenantId": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45", + "TimeGenerated": "2022-05-25 12:04:38.070000+00:00", + "SourceSystem": "OpsManager", + "Account": "", + "AccountType": "", + "Computer": "GslabCP4S", + "EventSourceName": "Microsoft-Windows-Security-Auditing", + "Channel": "Security", + "Task": "1", + "Level": "0", + "EventID": "5379", + "Activity": "5379", + "PartitionKey": "", + "LogonProcessName": "Advapi ", + "ProcessId": "0x2c0", + "IpAddress": "80.66.76.145", + "TargetUserName": "GS-2530" +} + +DATA3 = { + "TenantId": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45", + "TimeGenerated": "2022-05-07 12:27:10.171000+00:00", + "IncidentName": "919158c6-4c3f-4273-a730-a37f75622350", + "Title": "AlertLog", + "Description": "", + "Severity": "Medium", + "Status": "New", + "Classification": "", + "ClassificationComment": "", + "ClassificationReason": "", + "Owner": 
"{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null}", + "ProviderName": "Azure Sentinel", + "ProviderIncidentId": "1186", + "FirstActivityTime": "2022-05-07 11:46:36.502000+00:00", + "LastActivityTime": "2022-05-07 11:46:36.502000+00:00", + "FirstModifiedTime": "None", + "LastModifiedTime": "2022-05-07 12:27:10.171000+00:00", + "CreatedTime": "2022-05-07 12:27:10.171000+00:00", + "ClosedTime": "None", + "IncidentNumber": "1186", + "IncidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dc26ff57-0597-4cc8-8092-aa5b929f8f39/resourceGroups/newresource/providers/Microsoft.OperationalInsights/workspaces/loganaly/providers/Microsoft.SecurityInsights/Incidents/919158c6-4c3f-4273-a730-a37f75622350", + "RelatedAnalyticRuleIds": "[\"9c4be437-b74c-440c-aa09-764367744a23\"]", + "AlertIds": "[\"17bbb3bd-00fb-73f0-573b-f2039bd3b5c5\"]", + "BookmarkIds": "[]", + "Comments": "[]", + "Labels": "[]", + "ModifiedBy": "Incident created from alert", + "SourceSystem": "Azure", + "Type": "SecurityIncident" +} + + +class TestAzureSentinelResultsToStix(unittest.TestCase): + """ + class to perform unit test case for azure_sentinel translate results + """ + + @staticmethod + def get_first(itr, constraint): + """ + return the obj in the itr if constraint is true + """ + return next( + (obj for obj in itr if constraint(obj)), + None + ) + + @staticmethod + def get_first_of_type(itr, typ): + """ + to check whether the object belongs to respective stix object + """ + return TestAzureSentinelResultsToStix.get_first(itr, lambda o: isinstance(o, dict) and o.get('type') == typ) + + @staticmethod + def test_common_prop(): + """ + to test the common stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA1], get_module_transformers(MODULE), options) + assert result_bundle['type'] == 'bundle' + result_bundle_objects = result_bundle['objects'] + + 
result_bundle_identity = result_bundle_objects[0] + assert result_bundle_identity['type'] == data_source['type'] + assert result_bundle_identity['id'] == data_source['id'] + assert result_bundle_identity['name'] == data_source['name'] + assert result_bundle_identity['identity_class'] == data_source['identity_class'] + + observed_data = result_bundle_objects[1] + assert observed_data['id'] is not None + assert observed_data['type'] == "observed-data" + assert observed_data['created_by_ref'] == result_bundle_identity['id'] + + assert observed_data['modified'] is not None + assert observed_data['created'] is not None + assert observed_data['first_observed'] is not None + assert observed_data['last_observed'] is not None + assert observed_data['number_observed'] is not None + + @staticmethod + def test_x_oca_x_ibm_property(): + """ + to test the oca-ibm stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA1], get_module_transformers(MODULE), options) + assert result_bundle['type'] == 'bundle' + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + # x_ibm_finding = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding') + x_oca_event = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') + # assert x_ibm_finding['name'] == 'AlertLog' + assert x_oca_event['provider'] == 'ASI Scheduled Alerts' + assert x_oca_event['code'] == '4625' + + @staticmethod + def test_x_alert_property(): + """ + to test the alert stix object properties + """ + data = { + "TenantId": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45", + "TimeGenerated": "2022-05-04 16:47:08.560000+00:00", + "DisplayName": "AlertLog", + "AlertName": "AlertLog", + "AlertSeverity": "Medium", + 'EventTime': '2022-05-24T14:27:36.370Z', + "Description": "", + "ProviderName": "ASI Scheduled Alerts", 
+ "VendorName": "Microsoft", + "VendorOriginalId": "f1303f5e-daae-407e-ab87-e1d8ec3651da", + "SystemAlertId": "50396c5f-2cb6-9d2f-e601-9f430bf17869", + "ResourceId": "", + "SourceComputerId": "", + "AlertType": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45_9c4be437-b74c-440c-aa09-764367744a23", + "ConfidenceLevel": "", + "ConfidenceScore": "None", + "IsIncident": "False", + "StartTime": "2022-05-04 16:08:32.180000+00:00", + "EndTime": "2022-05-04 16:08:32.180000+00:00", + "ProcessingEndTime": "2022-05-04 16:47:08.560000+00:00", + "RemediationSteps": "", + "Entities": "", + "SourceSystem": "Detection", + "WorkspaceSubscriptionId": "dc26ff57-0597-4cc8-8092-aa5b929f8f39", + "WorkspaceResourceGroup": "newresource", + "ExtendedLinks": "", + "ProductName": "Azure Sentinel", + "ProductComponentName": "Scheduled Alerts", + "AlertLink": "", + "Status": "New", + "CompromisedEntity": "", + "Tactics": "ResourceDevelopment", + "Techniques": "", + "Type": "SecurityAlert" + } + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [data], get_module_transformers(MODULE), options) + assert result_bundle['type'] == 'bundle' + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + + assert 'objects' in observed_data + objects = observed_data['objects'] + + x_msazure_sentinel_alert = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), + 'x-azure-security-alert') + + assert x_msazure_sentinel_alert is not None, 'Custom object type not found' + assert x_msazure_sentinel_alert['status'] == 'New' + + @staticmethod + def test_x_incident_property(): + """ + to test incident stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA3], get_module_transformers(MODULE), options) + assert result_bundle['type'] == 'bundle' + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + + assert 'objects' in observed_data + objects 
= observed_data['objects'] + x_msazure_sentinel_incident = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), + 'x-azure-security-incident') + assert x_msazure_sentinel_incident is not None, 'Custom object type not found' + assert x_msazure_sentinel_incident['incident_name'] == '919158c6-4c3f-4273-a730-a37f75622350' + assert x_msazure_sentinel_incident['severity'] == 'Medium' + + @staticmethod + def test_x_event_property(): + """ + to test event stix object properties + """ + + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA2], get_module_transformers(MODULE), options) + assert result_bundle['type'] == 'bundle' + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + x_msazure_sentinel_event = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), + 'x-azure-security-event') + assert x_msazure_sentinel_event is not None, 'Custom object type not found' + assert x_msazure_sentinel_event['computer'] == 'GslabCP4S' + assert x_msazure_sentinel_event['source'] == 'OpsManager' + + @staticmethod + def test_process_json_to_stix(): + """ + to test process stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA2], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + result_bundle_identity = result_bundle_objects[0] + assert result_bundle_identity['type'] == data_source['type'] + + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + process_obj = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'process') + + assert process_obj is not None, 'process object type not found' + assert process_obj['name'] == 'Advapi ' + assert process_obj['pid'] == '0x2c0' + + @staticmethod + def test_ipv4_addr_json_to_stix(): + """ + 
to test ipv4 stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA2], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + result_bundle_identity = result_bundle_objects[0] + assert result_bundle_identity['type'] == data_source['type'] + + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + ip_obj = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'ipv4-addr') + + assert ip_obj is not None, 'ip object type not found' + assert ip_obj['value'] == '80.66.76.145' + + @staticmethod + def test_url_json_to_stix(): + """ + to test url stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA3], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + result_bundle_identity = result_bundle_objects[0] + assert result_bundle_identity['type'] == data_source['type'] + + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + url_obj = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'url') + + assert url_obj is not None, 'url object type not found' + assert url_obj['name'] == 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dc26ff57-0597-4cc8-8092-aa5b929f8f39/resourceGroups/newresource/providers/Microsoft.OperationalInsights/workspaces/loganaly/providers/Microsoft.SecurityInsights/Incidents/919158c6-4c3f-4273-a730-a37f75622350' + + @staticmethod + def test_user_account_json_to_stix(): + """ + to test url stix object properties + """ + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [DATA2], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + result_bundle_identity = result_bundle_objects[0] + 
assert result_bundle_identity['type'] == data_source['type'] + + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + + user_obj = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'user-account') + + assert user_obj is not None, 'user object type not found' + assert user_obj['account_login'] == 'GS-2530' + + @staticmethod + def test_unmapped_attribute_with_mapped_attribute(): + message = "\"GET /blog HTTP/1.1\" 200 2571" + data = {"message": message, "unmapped": "nothing to see here"} + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [data], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + assert objects == {} + curr_obj = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'message') + assert (curr_obj is None), 'url object type not found' + + @staticmethod + def test_unmapped_attribute_alone(): + data = {"unmapped": "nothing to see here"} + result_bundle = json_to_stix_translator.convert_to_stix( + data_source, map_data, [data], get_module_transformers(MODULE), options) + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + assert 'objects' in observed_data + objects = observed_data['objects'] + assert objects == {} diff --git a/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_stix_to_query.py b/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_stix_to_query.py new file mode 100644 index 000000000..6726cfc9c --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/tests/stix_translation/test_azure_sentinel_log_analytics_stix_to_query.py 
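Review bot: `MODULE = "azure_sentinel"` at the top of the file, and `data_source['name']`, still name the older connector, while the entry point and the file path belong to azure_log_analytics; `get_module_transformers(MODULE)` is therefore resolved against azure_sentinel, so if this module ships its own transformers these tests never load them. Set `MODULE = "azure_log_analytics"` as the sibling stix_to_query test in this commit does. The commented-out `x_ibm_finding` lines in test_x_oca_x_ibm_property should be restored or deleted rather than left as dead code, and the docstring of test_user_account_json_to_stix and the failure message `'url object type not found'` in test_unmapped_attribute_with_mapped_attribute were copied from the url test and should describe what they actually check.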
@@ -0,0 +1,183 @@ +import unittest +import re +import json +from stix_shifter.stix_translation import stix_translation +from stix_shifter_utils.utils.error_response import ErrorCode + +MODULE = "azure_log_analytics" +translation = stix_translation.StixTranslation() + + +def _remove_timestamp_from_query(queries): + pattern = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z' + if isinstance(queries, list): + return [re.sub(pattern, "", query) for query in queries] + elif isinstance(queries, str): + return re.sub(pattern, "", queries) + + +class TestStixtoQuery(unittest.TestCase, object): + def _test_query_assertions(self, query, queries): + """ + to assert the each query in the list against expected result + """ + self.assertIsInstance(query, dict) + self.assertIsInstance(query['queries'], list) + for index, each_query in enumerate(query.get('queries'), start=0): + self.assertEqual(each_query, queries[index]) + + def test_file_params_query(self): + stix_pattern = "[file:path = '/etc/path']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where (FilePath == '/etc/path') and (TimeGenerated between " + "(datetime(2022-07-12T13:25:17.925Z) .. datetime(2022-07-13T13:25:17.925Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_process_params_query(self): + stix_pattern = "[process:name = 'Advapi ']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where ((ProcessName == 'Advapi ' or LogonProcessName == 'Advapi ')) and " + "(TimeGenerated between (datetime(2022-07-12T14:08:35.514Z) .. 
datetime(2022-07-13T14:08:35.514Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_x_finding_params_query(self): + stix_pattern = "[x-ibm-finding:name = 'Microsoft-Windows-Security-Auditing']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = [ + "SecurityEvent | where (EventSourceName == 'Microsoft-Windows-Security-Auditing') and " + "(TimeGenerated between (datetime(2022-07-12T14:09:21.480Z) .. datetime(2022-07-13T14:09:21.480Z)))", + "SecurityIncident | where (IncidentName == 'Microsoft-Windows-Security-Auditing') and " + "(TimeGenerated between (datetime(2022-07-12T14:09:21.481Z) .. datetime(2022-07-13T14:09:21.481Z)))", + "SecurityAlert | where (AlertName == 'Microsoft-Windows-Security-Auditing') and " + "(TimeGenerated between (datetime(2022-07-12T14:09:21.479Z) .. datetime(2022-07-13T14:09:21.479Z)))" + ] + queries = _remove_timestamp_from_query(queries) + self.assertSetEqual(set(query['queries']), set(queries)) + + def test_x_oca_params_query(self): + stix_pattern = "[x-oca-event:code = '4625']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = ["SecurityEvent | where (EventID == '4625') and " + "(TimeGenerated between (datetime(2022-07-12T14:14:24.165Z) .. 
datetime(2022-07-13T14:14:24.165Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_url_params_query(self): + stix_pattern = "[url:value = 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dc26ff57-0597-4cc8-8092-aa5b929f8f39/resourceGroups/newresource/providers/Microsoft.OperationalInsights/workspaces/loganaly/providers/Microsoft.SecurityInsights/Incidents/919158c6-4c3f-4273-a730-a37f75622350']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = [ + "SecurityEvent | where (QuarantineHelpURL == 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dc26ff57-0597-4cc8-8092-aa5b929f8f39/resourceGroups/newresource/providers/Microsoft.OperationalInsights/workspaces/loganaly/providers/Microsoft.SecurityInsights/Incidents/919158c6-4c3f-4273-a730-a37f75622350') and (TimeGenerated between (datetime(2022-07-12T14:15:10.877Z) .. datetime(2022-07-13T14:15:10.877Z)))", + "SecurityIncident | where (IncidentUrl == 'https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dc26ff57-0597-4cc8-8092-aa5b929f8f39/resourceGroups/newresource/providers/Microsoft.OperationalInsights/workspaces/loganaly/providers/Microsoft.SecurityInsights/Incidents/919158c6-4c3f-4273-a730-a37f75622350') and (TimeGenerated between (datetime(2022-07-12T14:15:10.878Z) .. 
datetime(2022-07-13T14:15:10.878Z)))" + ] + + queries = _remove_timestamp_from_query(queries) + self.assertSetEqual(set(query['queries']), set(queries)) + + def test_domain_params_query(self): + stix_pattern = "[domain-name:value = 'GSLAB']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where (TargetDomainName == 'GSLAB') and " + "(TimeGenerated between (datetime(2022-07-12T14:16:12.975Z) .. datetime(2022-07-13T14:16:12.975Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_no_eq__query(self): + stix_pattern = "[ipv4-addr:value != '80.66.76.145']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where (IpAddress != '80.66.76.145') and " + "(TimeGenerated between (datetime(2022-07-12T14:16:50.268Z) .. datetime(2022-07-13T14:16:50.268Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_invalid_stix_pattern(self): + stix_pattern = "[not_a_valid_pattern]" + result = translation.translate(MODULE, 'query', '{}', stix_pattern, {'validate_pattern': 'true'}) + assert False == result['success'] + assert ErrorCode.TRANSLATION_STIX_VALIDATION.value == result['code'] + assert stix_pattern[1:-1] in result['error'] + + def test_query_from_multiple_comparison_expressions_joined_by_AND(self): + stix_pattern = "[x-azure-security-alert:status = 'New' AND x-azure-security-alert:alert_severity= 'Medium']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + # Expect the STIX AND to convert to an AQL AND. 
+ queries = ["SecurityAlert | where (AlertSeverity == 'Medium' and Status == 'New') and " + "(TimeGenerated between (datetime(2022-07-12T14:17:34.629Z) .. datetime(2022-07-13T14:17:34.629Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_query_from_multiple_comparison_expressions_joined_by_OR(self): + stix_pattern = "[x-azure-security-alert:status = 'New' OR x-azure-security-alert:alert_severity= 'Medium']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + # Expect the STIX AND to convert to an AQL AND. + queries = ["SecurityAlert | where (AlertSeverity == 'Medium' or Status == 'New') and " + "(TimeGenerated between (datetime(2022-07-12T14:18:24.375Z) .. datetime(2022-07-13T14:18:24.375Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_start_stop_qualifiers(self): + stix_pattern = "[ipv4-addr:value = '80.66.76.145'] START t'2022-05-20T12:24:01.009Z' STOP t'2022-05-28T12:54:01.009Z'" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + + queries = ["SecurityEvent | where (IpAddress == '80.66.76.145') and " + "(TimeGenerated between (datetime(2022-05-20T12:24:01.009Z) .. datetime(2022-05-28T12:54:01.009Z)))"] + + self._test_query_assertions(query, queries) + + def test_computer_query(self): + stix_pattern = "[x-azure-security-event:computer = 'GslabAzure']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where (Computer == 'GslabAzure') and " + "(TimeGenerated between (datetime(2022-07-12T14:21:28.147Z) .. 
datetime(2022-07-13T14:21:28.147Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_incident_name_query(self): + stix_pattern = "[x-azure-security-incident:incident_name = 'e1b1ea91-cd8d-4304-8689-bcb357e251f7']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityIncident | where (IncidentName == 'e1b1ea91-cd8d-4304-8689-bcb357e251f7') and " + "(TimeGenerated between (datetime(2022-07-12T14:22:11.616Z) .. datetime(2022-07-13T14:22:11.616Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_user_account_query(self): + stix_pattern = "[user-account:account_login = 'GS-2530']" + query = translation.translate(MODULE, 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + queries = ["SecurityEvent | where (TargetUserName == 'GS-2530') and " + "(TimeGenerated between (datetime(2022-07-12T14:22:45.070Z) .. datetime(2022-07-13T14:22:45.070Z)))"] + + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) diff --git a/stix_shifter_modules/azure_log_analytics/tests/stix_transmission/test_azure_sentinel_log_analytics.py b/stix_shifter_modules/azure_log_analytics/tests/stix_transmission/test_azure_sentinel_log_analytics.py new file mode 100644 index 000000000..0095a4e87 --- /dev/null +++ b/stix_shifter_modules/azure_log_analytics/tests/stix_transmission/test_azure_sentinel_log_analytics.py 
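Review bot: The pattern in `_remove_timestamp_from_query`, `r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z'`, has an unescaped `.` before the milliseconds, so any character is accepted there and a malformed timestamp such as `12:34:56X123Z` would be stripped and pass; write `\.\d{3}Z` so the stripper only removes well-formed timestamps. The comment `# Expect the STIX AND to convert to an AQL AND.` is repeated verbatim in test_query_from_multiple_comparison_expressions_joined_by_OR, and AQL is QRadar's language rather than the KQL these expected strings are; use `# Expect the STIX OR to convert to a KQL or.` there and the AND/and wording in the AND test. `assert False == result['success']` in test_invalid_stix_pattern reads better as `assert result['success'] is False`, and `test_no_eq__query` has a doubled underscore.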
@@ -0,0 +1,221 @@ +from stix_shifter_modules.azure_log_analytics.entry_point import EntryPoint +import unittest +from unittest.mock import patch +from stix_shifter.stix_transmission import stix_transmission +from azure.core.exceptions import ODataV4Format + + +class AzureSentinelMockResponse: + def __init__(self, response_code, obj): + self.code = response_code + self.object = obj + + def read(self): + return self.object + + +class MockToken: + token = "access_token123" + + +class ClientSecretMockResponse: + + @staticmethod + def get_token(scope): + return MockToken + + +@patch('stix_shifter_modules.azure_log_analytics.stix_transmission.api_client.ClientSecretCredential') +@patch('stix_shifter_modules.azure_log_analytics.stix_transmission.api_client.APIClient.__init__') +class TestAzureSentinalConnection(unittest.TestCase, object): + def connection(self): + return { + "host": "host", + "port": 443, + "workspaceId": "abc12345" + } + + def config(self): + return { + "auth": { + "tenant": "abc12345", + "clientId": "abc12345", + "clientSecret": "abc12345" + } + } + + def test_is_async(self, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + entry_point = EntryPoint(self.connection(), self.config()) + check_async = entry_point.is_async() + + assert check_async is False + + @patch('stix_shifter_modules.azure_log_analytics.stix_transmission.api_client.APIClient.ping_box') + def test_ping_endpoint(self, mock_ping_response, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + mocked_return_value = '["mock", "placeholder"]' + + mock_ping_response.return_value = AzureSentinelMockResponse(200, mocked_return_value) + transmission = stix_transmission.StixTransmission('azure_log_analytics', self.connection(), self.config()) + ping_response = transmission.ping() + + assert ping_response is not None + 
assert ping_response['success'] + + @patch('stix_shifter_modules.azure_log_analytics.stix_transmission.api_client.APIClient.ping_box') + def test_ping_endpoint_exception(self, mock_ping_response, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + mocked_return_value = """ + { + "error": { + "message": "The workspace could not be found", + "code": "WorkspaceNotFoundError", + "correlationId": "a1bc1a2c-f975-180b-1243-111e17a11e1c" + } + } + """ + + mock_ping_response.return_value = AzureSentinelMockResponse(404, mocked_return_value) + + transmission = stix_transmission.StixTransmission('azure_log_analytics', self.connection(), self.config()) + ping_response = transmission.ping() + assert ping_response['success'] is False + assert ping_response[ + 'error'] == "azure_log_analytics connector error => The workspace could not be found" + assert ping_response['code'] == "invalid_parameter" + + def test_query_connection(self, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + + query = "SecurityEvent | where IpAddress == '80.66.76.145'" + transmission = stix_transmission.StixTransmission('azure_log_analytics', self.connection(), self.config()) + query_response = transmission.query(query) + + assert query_response is not None + assert query_response['success'] is True + assert 'search_id' in query_response + assert query_response['search_id'] == query + + def test_status_query(self, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + + search_id = "SecurityEvent | where IpAddress == '80.66.76.145'" + + entry_point = EntryPoint(self.connection(), self.config()) + status_response = entry_point.create_status_connection(search_id) + assert status_response is not None + assert 'success' in status_response + assert 
status_response['success'] is True + + @patch( + 'stix_shifter_modules.azure_log_analytics.stix_transmission.connector.Connector.create_results_connection') + def test_results_all_response(self, mock_results_response, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + mocked_return_value = { + "success": True, + "data": [ + { + "TenantId": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45", + "TimeGenerated": "2022-07-03 09:12:07.122000+00:00", + "DisplayName": "AlertLog", + "AlertName": "AlertLog", + "AlertSeverity": "Medium", + "Description": "", + "ProviderName": "ASI Scheduled Alerts", + "VendorName": "Microsoft", + "VendorOriginalId": "d38cf0b5-84bf-486d-8de3-26cc0a561be7", + "SystemAlertId": "6dfa10b7-7523-ecb0-646d-28ccf9c06772", + "ResourceId": "", + "SourceComputerId": "", + "AlertType": "e00daaf8-d6a4-4410-b50b-f5ef61c9cb45_9c4be437-b74c-440c-aa09-764367744a23", + "ConfidenceLevel": "", + "ConfidenceScore": "None", + "IsIncident": "False", + "StartTime": "2022-07-03 08:33:37.792000+00:00", + "EndTime": "2022-07-03 08:33:37.792000+00:00", + "ProcessingEndTime": "2022-07-03 09:12:06.758000+00:00", + "RemediationSteps": "", + "ExtendedProperties": "{\"Query Period\":\"00:05:00\",\"Trigger Operator\":\"GreaterThan\",\"Trigger Threshold\":\"0\",\"Correlation Id\":\"e00daaf8-d6a4-4410-b50b-f5ef61c9cb45_9c4be437-b74c-440c-aa09-764367744a23_637924344629201027\",\"Search Query Results Overall Count\":\"1\",\"Data Sources\":\"[\\\"loganaly\\\"]\",\"Query\":\"// might contain sensitive data\\nlet alertedEvent = datatable(compressedRec: string)\\n['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']\\n| extend raw = todynamic(zlib_decompress_from_base64_string(compressedRec)) | evaluate bag_unpack(raw) | project-away compressedRec;\\nalertedEvent\",\"OriginalQuery\":\"union AzureActivity\\n\",\"Query Start Time UTC\":\"2022-07-03 08:31:02Z\",\"Query End Time UTC\":\"2022-07-03 
08:36:02Z\",\"Analytic Rule Ids\":\"[\\\"9c4be437-b74c-440c-aa09-764367744a23\\\"]\",\"Event Grouping\":\"AlertPerEvent\",\"Analytic Rule Name\":\"AlertLog\",\"ProcessedBySentinel\":\"True\",\"Alert generation status\":\"Full alert created\"}", + "Entities": "", + "SourceSystem": "Detection", + "WorkspaceSubscriptionId": "dc26ff57-0597-4cc8-8092-aa5b929f8f39", + "WorkspaceResourceGroup": "newresource", + "ExtendedLinks": "", + "ProductName": "Azure Sentinel", + "ProductComponentName": "Scheduled Alerts", + "AlertLink": "", + "Status": "New", + "CompromisedEntity": "", + "Tactics": "ResourceDevelopment", + "Techniques": "", + "Type": "SecurityAlert" + } + ] + } + mock_results_response.return_value = mocked_return_value + offset = 0 + length = 1 + search_id = "SecurityAlert | where AlertName == 'AlertLog' | limit {len}".format(len=length) + entry_point = EntryPoint(self.connection(), self.config()) + results_response = entry_point.create_results_connection(search_id, offset, length) + + assert results_response is not None + assert results_response['success'] + assert 'data' in results_response + assert results_response['data'] is not None + + @patch( + 'stix_shifter_modules.azure_log_analytics.stix_transmission.connector.Connector.create_results_connection') + def test_results_all_response_empty(self, mock_results_response, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + mocked_return_value = { + "success": True, + "data": [] + } + mock_results_response.return_value = mocked_return_value + offset = 0 + length = 1 + search_id = "SecurityAlert | where AlertName == 'AlertLog' | limit {len}".format(len=length) + entry_point = EntryPoint(self.connection(), self.config()) + results_response = entry_point.create_results_connection(search_id, offset, length) + + assert 'success' in results_response + assert results_response['success'] is True + assert 'data' in results_response + 
assert len(results_response['data']) == 0 + + @patch('stix_shifter_modules.azure_log_analytics.stix_transmission.api_client.APIClient.run_search') + def test_results_response_exception(self, mock_results_response, mock_api_client, mock_generate_token): + mock_api_client.return_value = None + mock_generate_token.return_value = ClientSecretMockResponse + mocked_return_value = { + "code": "SyntaxError", + "message": "A recognition error occurred in the query.", + "innererror": { + "code": "SYN0002", + "message": "Query could not be parsed at \": \" on line [1,170]", + "line": 1, + "pos": 170, + "token": ":" + } + } + + + mock_results_response.return_value = {"success": False, "error": ODataV4Format(mocked_return_value)} + + query = "'SecurityEvent | where InvalidField == 'test'" + offset = 0 + length = 1 + transmission = stix_transmission.StixTransmission('azure_log_analytics', self.connection(), self.config()) + results_response = transmission.results(query, offset, length) + + assert results_response['success'] is False + assert results_response['code'] == "invalid_query" From 4e8fe1b26a3a9e553ffeac61e5c0134dbe488be3 Mon Sep 17 00:00:00 2001 
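Review bot: test_results_all_response and test_results_all_response_empty patch `Connector.create_results_connection` and then call `entry_point.create_results_connection`, so each test asserts on the return value of its own mock and never executes the connector's result handling (offset/length slicing, error mapping, response shaping). Patch `APIClient.run_search` instead, as test_results_response_exception already does, and return the mocked rows from there so the real code path is exercised. The fixture's ExtendedProperties blob also carries tenant and subscription GUIDs and a query annotated `// might contain sensitive data`; trim it to the fields the assertions use.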
From: Md Azam
Date: Mon, 16 Jan 2023 16:16:11 -0400
Subject: [PATCH 22/30] Instructions for the usage of custom mappings (#1274)
---
 README.md | 4 +
 adapter-guide/custom_mappings.md | 94 +++++++++++++++++++
 adapter-guide/develop-configuration-json.md | 4 +-
 .../alertflex/configuration/lang_en.json | 6 +-
 .../arcsight/configuration/lang_en.json | 14 +--
 .../async_template/configuration/lang_en.json | 6 +-
 .../azure_sentinel/configuration/lang_en.json | 6 +-
 .../bigfix/configuration/lang_en.json | 6 +-
 .../carbonblack/configuration/lang_en.json | 6 +-
 .../cbcloud/configuration/lang_en.json | 8 +-
 .../crowdstrike/configuration/lang_en.json | 6 +-
 .../cybereason/configuration/lang_en.json | 4 +-
 .../darktrace/configuration/lang_en.json | 2 +-
 .../datadog/configuration/lang_en.json | 2 +-
 .../demo_template/configuration/lang_en.json | 6 +-
 .../elastic_ecs/configuration/lang_en.json | 6 +-
 .../error_test/configuration/lang_en.json | 2 +-
 .../gcp_chronicle/configuration/lang_en.json | 2 +-
 .../guardium/configuration/lang_en.json | 6 +-
 .../configuration/lang_en.json | 4 +-
 .../infoblox/configuration/lang_en.json | 6 +-
 stix_shifter_modules/lang_en.json | 2 +-
 .../msatp/configuration/lang_en.json | 6 +-
 .../mysql/configuration/lang_en.json | 4 +-
 .../paloalto/configuration/lang_en.json | 2 +-
 .../proofpoint/configuration/lang_en.json | 6 +-
 .../proxy/configuration/lang_en.json | 6 +-
 .../qradar/configuration/lang_en.json | 6 +-
 .../configuration/lang_en.json | 2 +-
 .../reaqta/configuration/lang_en.json | 6 +-
 .../reversinglabs/configuration/lang_en.json | 4 +-
 .../rhacs/configuration/lang_en.json | 4 +-
 .../secretserver/configuration/lang_en.json | 4 +-
 .../configuration/lang_en.json | 2 +-
 .../sentinelone/configuration/lang_en.json | 4 +-
 .../splunk/configuration/lang_en.json | 6 +-
 .../stix_bundle/configuration/lang_en.json | 2 +-
 .../configuration/lang_en.json | 6 +-
 .../configuration/lang_en.json | 6 +-
 39 files changed, 188 insertions(+), 90 deletions(-)
 create mode 100644 adapter-guide/custom_mappings.md
diff --git a/README.md b/README.md
index 5621b3f04..0836bc80e 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,11 @@ response = translation.translate('', 'query', '{}', '
 print(response)
 ```
+### Use of custom mappings
+If a connector has been installed using pip, the process for editing the STIX mappings is different than if you have pulled-down the project. When working locally, you can edit the mapping files directly. See the [mapping files for the MySQL connector](stix_shifter_modules/mysql/stix_translation/json) as an example. Editing the mapping files won't work if the connector has been installed with pip; the setup script of the stix-shifter package includes the mapppings inside `config.json`. This allows stix-shifter to injest custom mappings as part of the connector's configuration.
+
+Refer to [Use of custom mappings](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/custom_mappings.md) for more details on how to edit the mappings in the configuration.
 ## Contributing
diff --git a/adapter-guide/custom_mappings.md b/adapter-guide/custom_mappings.md
new file mode 100644
index 000000000..9590819f9
--- /dev/null
+++ b/adapter-guide/custom_mappings.md
@@ -0,0 +1,94 @@
+# Use of custom mappings
+
+Follow the below steps, if a user or threat hunter wants to use custom mapping after installing stix-shifter libraries:
+
+
+1. Go to the standard python library installation location. The installation path usually looks like this ***lib/pythonX.Y/site-packages*** or go to https://docs.python.org/3/install/ for more details on the python library installation based on your system.
+
+2. Go to the ***stix_shifter_modules*** folder and find the connector name that is installed.
+
+3. Inside the connector folder, go to the ***config.json*** file found under the ***stix_shifter_modules/\/configuration/*** directory.
+
+4. There is a `mapping` object nested inside the `options` JSON object. This includes all the mappings from the `from_stix` and `to_stix` mapping files. Here's an example of the `config.json` file:
+
+```
+{
+ "connection": {
+ "type": {
+ "displayName": "MySQL",
+ "group": "mysql",
+ "type": "connectorType"
+ },
+ "options": {
+ "mapping": {
+ "type": "json",
+ "optional": true,
+ "previous": "connection.mapping",
+ "default": {
+ "from_stix_map": {
+ "ipv4-addr": {
+ "fields": {
+ "value": [
+ "source_ipaddr",
+ "dest_ipaddr"
+ ]
+ }
+ },
+ "file": {
+ "fields": {
+ "name": [
+ "filename"
+ ]
+ }
+ }
+ },
+ "operators": {
+ "ComparisonExpressionOperators.And": "AND",
+ "ComparisonExpressionOperators.Or": "OR"
+ },
+ "to_stix_map": {
+ "source_ipaddr": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_ip"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "nt",
+ "references": "src_ip"
+ }
+ ],
+ "dest_ipaddr": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_ip"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "nt",
+ "references": "dst_ip"
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
+ "configuration": {
+ "auth": {
+ "type": "fields",
+ "username": {
+ "type": "password"
+ },
+ "password": {
+ "type": "password"
+ }
+ }
+ }
+}
+```
+
+
+5. You can change, update or use the existing custom mappings fields and save the file.
+
+6. The stix-shifter CLI commands should automatically pick up your custom mappings in the next command execution.
\ No newline at end of file
diff --git a/adapter-guide/develop-configuration-json.md b/adapter-guide/develop-configuration-json.md
index ff4854726..fd13e2eab 100644
--- a/adapter-guide/develop-configuration-json.md
+++ b/adapter-guide/develop-configuration-json.md
@@ -126,11 +126,11 @@ Below example json is the language translation file of the above QRadar config j
 "host": {
 "label": "Management IP address or Hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the host name or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/alertflex/configuration/lang_en.json b/stix_shifter_modules/alertflex/configuration/lang_en.json
index 22cd7a5f3..23ab6d075 100644
--- a/stix_shifter_modules/alertflex/configuration/lang_en.json
+++ b/stix_shifter_modules/alertflex/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the Alertflex controller"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Help",
diff --git a/stix_shifter_modules/arcsight/configuration/lang_en.json b/stix_shifter_modules/arcsight/configuration/lang_en.json
index e575884d3..45e361997 100644
--- a/stix_shifter_modules/arcsight/configuration/lang_en.json
+++ b/stix_shifter_modules/arcsight/configuration/lang_en.json
@@ -1,20 +1,20 @@
 {
 "connection": {
 "host": {
- "label": "ArcSight Logger IP address or Hostname",
- "description": "Use IP address or Hostname of the ArcSight logger"
+ "label": "Management IP address or hostname",
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
 "description": "More details on the datasource setting can be found in the specified link"
 },
 "selfSignedCert": {
- "label": "ArcSight logger Connection Certificate",
- "description": "Use self-signed SSL certificate and CA content(root and intermediate) of datasource"
+ "label": "Connection Certificate",
+ "description": "Use self-signed SSL certificate and CA content (root and intermediate) of datasource"
 },
 "sni": {
 "label": "Server Name Indicator",
@@ -24,11 +24,11 @@
 "configuration": {
 "auth": {
 "login": {
- "label": "ArcSight Logger Username",
+ "label": "Username",
 "description": "ArcSight Logger user's login name with access to the search API"
 },
 "password": {
- "label": "ArcSight Logger Password",
+ "label": "Password",
 "description": "ArcSight Logger user's password with access to the search API"
 }
 }
diff --git a/stix_shifter_modules/async_template/configuration/lang_en.json b/stix_shifter_modules/async_template/configuration/lang_en.json
index fa014b803..0dbef54a7 100644
--- a/stix_shifter_modules/async_template/configuration/lang_en.json
+++ b/stix_shifter_modules/async_template/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/azure_sentinel/configuration/lang_en.json b/stix_shifter_modules/azure_sentinel/configuration/lang_en.json
index 423dc77e2..596934035 100644
--- a/stix_shifter_modules/azure_sentinel/configuration/lang_en.json
+++ b/stix_shifter_modules/azure_sentinel/configuration/lang_en.json
@@ -1,12 +1,12 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "label": "Management IP address or hostname",
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/bigfix/configuration/lang_en.json b/stix_shifter_modules/bigfix/configuration/lang_en.json
index cb6834943..9b403d2eb 100644
--- a/stix_shifter_modules/bigfix/configuration/lang_en.json
+++ b/stix_shifter_modules/bigfix/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/carbonblack/configuration/lang_en.json b/stix_shifter_modules/carbonblack/configuration/lang_en.json
index faee6a471..8f46a767a 100644
--- a/stix_shifter_modules/carbonblack/configuration/lang_en.json
+++ b/stix_shifter_modules/carbonblack/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/cbcloud/configuration/lang_en.json b/stix_shifter_modules/cbcloud/configuration/lang_en.json
index fd6a23d39..963d827d5 100644
--- a/stix_shifter_modules/cbcloud/configuration/lang_en.json
+++ b/stix_shifter_modules/cbcloud/configuration/lang_en.json
@@ -1,17 +1,17 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the Carbon Black Cloud instance so that IBM Cloud Pak for Security can communicate with it."
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP."
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
- "description": "More details on the data source setting can be found in the specified link."
+ "description": "More details on the data source setting can be found in the specified link"
 }
 },
 "configuration": {
diff --git a/stix_shifter_modules/crowdstrike/configuration/lang_en.json b/stix_shifter_modules/crowdstrike/configuration/lang_en.json
index f74c35c87..05390e792 100644
--- a/stix_shifter_modules/crowdstrike/configuration/lang_en.json
+++ b/stix_shifter_modules/crowdstrike/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/cybereason/configuration/lang_en.json b/stix_shifter_modules/cybereason/configuration/lang_en.json
index d66326680..55b81d5a1 100644
--- a/stix_shifter_modules/cybereason/configuration/lang_en.json
+++ b/stix_shifter_modules/cybereason/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
 "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/darktrace/configuration/lang_en.json b/stix_shifter_modules/darktrace/configuration/lang_en.json
index cb95009dc..361c2bf5d 100644
--- a/stix_shifter_modules/darktrace/configuration/lang_en.json
+++ b/stix_shifter_modules/darktrace/configuration/lang_en.json
@@ -1,7 +1,7 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
 "help": {
diff --git a/stix_shifter_modules/datadog/configuration/lang_en.json b/stix_shifter_modules/datadog/configuration/lang_en.json
index a90fd0079..dbd1354a2 100644
--- a/stix_shifter_modules/datadog/configuration/lang_en.json
+++ b/stix_shifter_modules/datadog/configuration/lang_en.json
@@ -3,7 +3,7 @@
 "site_url": {
 "label": "Site URL",
 "placeholder": "https://app.datadoghq.com",
- "description": "Specify the Site URL of the Datadog so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the Site URL of the datasource"
 },
 "selfSignedCert": {
 "label": "Datadog Certificate",
diff --git a/stix_shifter_modules/demo_template/configuration/lang_en.json b/stix_shifter_modules/demo_template/configuration/lang_en.json
index f461827eb..0dbef54a7 100644
--- a/stix_shifter_modules/demo_template/configuration/lang_en.json
+++ b/stix_shifter_modules/demo_template/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that the Application can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/elastic_ecs/configuration/lang_en.json b/stix_shifter_modules/elastic_ecs/configuration/lang_en.json
index de01bde64..6187075f1 100644
--- a/stix_shifter_modules/elastic_ecs/configuration/lang_en.json
+++ b/stix_shifter_modules/elastic_ecs/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/error_test/configuration/lang_en.json b/stix_shifter_modules/error_test/configuration/lang_en.json
index 810b394b4..eb0affe9d 100644
--- a/stix_shifter_modules/error_test/configuration/lang_en.json
+++ b/stix_shifter_modules/error_test/configuration/lang_en.json
@@ -3,7 +3,7 @@
 "url": {
 "label": "Full URL of a stix-bundle file",
 "placeholder": "https://url.to.stix_bundle.json.file",
- "description": "Specify the URL of the STIX Bundle JSON file so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the URL of the STIX Bundle JSON file"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json b/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json
index 71f2b9c67..253c6d882 100644
--- a/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json
+++ b/stix_shifter_modules/gcp_chronicle/configuration/lang_en.json
@@ -1,7 +1,7 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
 "help": {
diff --git a/stix_shifter_modules/guardium/configuration/lang_en.json b/stix_shifter_modules/guardium/configuration/lang_en.json
index 34d9bda83..2d7c30fdd 100644
--- a/stix_shifter_modules/guardium/configuration/lang_en.json
+++ b/stix_shifter_modules/guardium/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/ibm_security_verify/configuration/lang_en.json b/stix_shifter_modules/ibm_security_verify/configuration/lang_en.json
index 9d1df265a..21be74222 100644
--- a/stix_shifter_modules/ibm_security_verify/configuration/lang_en.json
+++ b/stix_shifter_modules/ibm_security_verify/configuration/lang_en.json
@@ -1,9 +1,9 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.1",
- "description": "Specify the IBM Security verify IP address or Hostname."
+ "description": "Specify the data source IP address or hostname."
 },
 "port": {
 "label": "Host Port",
diff --git a/stix_shifter_modules/infoblox/configuration/lang_en.json b/stix_shifter_modules/infoblox/configuration/lang_en.json
index 4b4442f92..970d71710 100644
--- a/stix_shifter_modules/infoblox/configuration/lang_en.json
+++ b/stix_shifter_modules/infoblox/configuration/lang_en.json
@@ -1,12 +1,12 @@
 {
 "connection": {
 "host": {
- "label": "Infoblox IP address or Hostname",
- "description": "Specify the Infoblox IP address or Hostname."
+ "label": "Infoblox IP address or hostname",
+ "description": "Specify the Infoblox IP address or hostname."
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/lang_en.json b/stix_shifter_modules/lang_en.json
index ea17b1823..6e9af95b4 100644
--- a/stix_shifter_modules/lang_en.json
+++ b/stix_shifter_modules/lang_en.json
@@ -51,7 +51,7 @@
 },
 "concurrent": {
 "label": "Concurrent Search Limit",
- "description": "The number of simultaneous connections that can be made between IBM Cloud Pak™ for Security and the data source. Valid input range is {{min}} to {{max}}."
+ "description": "The number of simultaneous connections that can be made to the data source. Valid input range is {{min}} to {{max}}."
 }
 }
 },
diff --git a/stix_shifter_modules/msatp/configuration/lang_en.json b/stix_shifter_modules/msatp/configuration/lang_en.json
index a2d764a17..2dc33106d 100644
--- a/stix_shifter_modules/msatp/configuration/lang_en.json
+++ b/stix_shifter_modules/msatp/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/mysql/configuration/lang_en.json b/stix_shifter_modules/mysql/configuration/lang_en.json
index 3569a0a7c..7f11af1f4 100644
--- a/stix_shifter_modules/mysql/configuration/lang_en.json
+++ b/stix_shifter_modules/mysql/configuration/lang_en.json
@@ -1,9 +1,9 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
diff --git a/stix_shifter_modules/paloalto/configuration/lang_en.json b/stix_shifter_modules/paloalto/configuration/lang_en.json
index a47affc0b..867f16ccc 100644
--- a/stix_shifter_modules/paloalto/configuration/lang_en.json
+++ b/stix_shifter_modules/paloalto/configuration/lang_en.json
@@ -1,7 +1,7 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
 "quota_threshold": {
diff --git a/stix_shifter_modules/proofpoint/configuration/lang_en.json b/stix_shifter_modules/proofpoint/configuration/lang_en.json
index 51e5541d5..7f4d13416 100755
--- a/stix_shifter_modules/proofpoint/configuration/lang_en.json
+++ b/stix_shifter_modules/proofpoint/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/proxy/configuration/lang_en.json b/stix_shifter_modules/proxy/configuration/lang_en.json
index 45eac7feb..2c7788250 100644
--- a/stix_shifter_modules/proxy/configuration/lang_en.json
+++ b/stix_shifter_modules/proxy/configuration/lang_en.json
@@ -6,13 +6,13 @@
 },
 "options": {
 "proxy_host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the proxy so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the proxy"
 },
 "proxy_port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the proxy Host name or IP"
+ "description": "Set the port number that is associated with the proxy hostname or IP address"
 },
 "destination": {
 "label": "Destinations",
diff --git a/stix_shifter_modules/qradar/configuration/lang_en.json b/stix_shifter_modules/qradar/configuration/lang_en.json
index 3ca98623c..411829f06 100644
--- a/stix_shifter_modules/qradar/configuration/lang_en.json
+++ b/stix_shifter_modules/qradar/configuration/lang_en.json
@@ -1,14 +1,14 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the QRadar management IP address or Hostname."
+ "description": "Management IP address or hostname"
 },
 "port": {
 "label": "Host Port",
 "placeholder": "443",
- "description": "Specify the associated port number of the data source."
+ "description": "Specify the associated port number of the data source"
 },
 "help": {
 "label": "Need additional help?"
diff --git a/stix_shifter_modules/qradar_perf_test/configuration/lang_en.json b/stix_shifter_modules/qradar_perf_test/configuration/lang_en.json
index 0d57f90cd..7f2473e19 100644
--- a/stix_shifter_modules/qradar_perf_test/configuration/lang_en.json
+++ b/stix_shifter_modules/qradar_perf_test/configuration/lang_en.json
@@ -3,7 +3,7 @@
 "url": {
 "label": "Full URL of a raw response file",
 "placeholder": "https://url.to.raw_events.json.file",
- "description": "Specify the URL of the raw response JSON file so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the URL of the raw response JSON file"
 },
 "help": {
 "label": "Need additional help?"
diff --git a/stix_shifter_modules/reaqta/configuration/lang_en.json b/stix_shifter_modules/reaqta/configuration/lang_en.json
index 4693b379b..fd5f304a4 100644
--- a/stix_shifter_modules/reaqta/configuration/lang_en.json
+++ b/stix_shifter_modules/reaqta/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/reversinglabs/configuration/lang_en.json b/stix_shifter_modules/reversinglabs/configuration/lang_en.json
index c104c9963..dad30c8d1 100644
--- a/stix_shifter_modules/reversinglabs/configuration/lang_en.json
+++ b/stix_shifter_modules/reversinglabs/configuration/lang_en.json
@@ -1,13 +1,13 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "https://mundy.threatqtie.com",
 "description": "Specify the OCP Cluster hostname or the XForce API host URL"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?"
diff --git a/stix_shifter_modules/rhacs/configuration/lang_en.json b/stix_shifter_modules/rhacs/configuration/lang_en.json
index 32cd234e1..fcf38dfa4 100644
--- a/stix_shifter_modules/rhacs/configuration/lang_en.json
+++ b/stix_shifter_modules/rhacs/configuration/lang_en.json
@@ -1,12 +1,12 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/secretserver/configuration/lang_en.json b/stix_shifter_modules/secretserver/configuration/lang_en.json
index aefa53aea..4e6c205d1 100644
--- a/stix_shifter_modules/secretserver/configuration/lang_en.json
+++ b/stix_shifter_modules/secretserver/configuration/lang_en.json
@@ -1,9 +1,9 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "placeholder": "192.168.1.10",
- "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
diff --git a/stix_shifter_modules/security_advisor/configuration/lang_en.json b/stix_shifter_modules/security_advisor/configuration/lang_en.json
index a1de879da..dcb0aa385 100644
--- a/stix_shifter_modules/security_advisor/configuration/lang_en.json
+++ b/stix_shifter_modules/security_advisor/configuration/lang_en.json
@@ -2,7 +2,7 @@
 "connection": {
 "host": {
 "label": "Host URL",
- "description": "Specify theHost URL of the data source so that IBM Cloud Pak for Security can communicate with it"
+ "description": "Specify the host URL of the data source"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/sentinelone/configuration/lang_en.json b/stix_shifter_modules/sentinelone/configuration/lang_en.json
index b00ad7f3c..cf550fcca 100644
--- a/stix_shifter_modules/sentinelone/configuration/lang_en.json
+++ b/stix_shifter_modules/sentinelone/configuration/lang_en.json
@@ -1,12 +1,12 @@
 {
 "connection": {
 "host": {
- "label": "Management IP address or Hostname",
+ "label": "Management IP address or hostname",
 "description": "Specify the IP address or hostname of the data source"
 },
 "port": {
 "label": "Host Port",
- "description": "Set the port number that is associated with the Host name or IP"
+ "description": "Set the port number that is associated with the hostname or IP address"
 },
 "help": {
 "label": "Need additional help?",
diff --git a/stix_shifter_modules/splunk/configuration/lang_en.json b/stix_shifter_modules/splunk/configuration/lang_en.json
index da6b1359c..e1bd494b4 100644
--- a/stix_shifter_modules/splunk/configuration/lang_en.json
+++ b/stix_shifter_modules/splunk/configuration/lang_en.json
@@ -1,13 +1,13 @@ { "connection": { "host": { - "label": "Host IP address or Hostname", + "label": "Host IP address or hostname", "placeholder": "192.168.1.10", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "port": { "label": "Host Port", - "description": "Set the port number that is associated with the Host name or IP" + "description": "Set the port number that is associated with the hostname or IP address" }, "help": { "label": "Need additional help?", diff --git a/stix_shifter_modules/stix_bundle/configuration/lang_en.json b/stix_shifter_modules/stix_bundle/configuration/lang_en.json index 810b394b4..eb0affe9d 100644 --- a/stix_shifter_modules/stix_bundle/configuration/lang_en.json +++ b/stix_shifter_modules/stix_bundle/configuration/lang_en.json @@ -3,7 +3,7 @@ "url": { "label": "Full URL of a stix-bundle file", "placeholder": "https://url.to.stix_bundle.json.file", - "description": "Specify the URL of the STIX Bundle JSON file so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the URL of the STIX Bundle JSON file" }, "help": { "label": "Need additional help?", diff --git a/stix_shifter_modules/synchronous_template/configuration/lang_en.json b/stix_shifter_modules/synchronous_template/configuration/lang_en.json index 957ffe21b..2ddbba388 100644 --- a/stix_shifter_modules/synchronous_template/configuration/lang_en.json +++ b/stix_shifter_modules/synchronous_template/configuration/lang_en.json 
@@ -1,13 +1,13 @@ { "connection": { "host": { - "label": "Management IP address or Hostname", + "label": "Management IP address or hostname", "placeholder": "192.168.1.10", - "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" + "description": "Specify the IP address or hostname of the data source" }, "port": { "label": "Host Port", - "description": "Set the port number that is associated with the Host name or IP" + "description": "Set the port number that is associated with the hostname or IP address" }, "help": { "label": "Need additional help?", diff --git a/stix_shifter_modules/trendmicro_vision_one/configuration/lang_en.json b/stix_shifter_modules/trendmicro_vision_one/configuration/lang_en.json index 0e91fb212..1c441491b 100644 --- a/stix_shifter_modules/trendmicro_vision_one/configuration/lang_en.json +++ b/stix_shifter_modules/trendmicro_vision_one/configuration/lang_en.json @@ -1,12 +1,12 @@ { "connection": { "host": { - "label": "Trend Micro Vision One IP address or Hostname", - "description": "Specify the Trend Micro Vision One IP address or Hostname." + "label": "Trend Micro Vision One IP address or hostname", + "description": "Specify the Trend Micro Vision One IP address or hostname." }, "port": { "label": "Host Port", - "description": "Set the port number that is associated with the Host name or IP" + "description": "Set the port number that is associated with the hostname or IP address" }, "help": { "label": "Need additional help?", From c01dd22022868d048399ca7689e498faa63132a0 Mon Sep 17 00:00:00 2001 
From: Danny Elliott Date: Tue, 24 Jan 2023 10:11:13 -0400 Subject: [PATCH 23/30] Add default time range to STIX Bundle connector (#1288) --- requirements-dev.txt | 1 + .../stix_translation/query_translator.py | 14 +++++++- .../test/test_stix_bundle_default_time.py | 36 +++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 stix_shifter_modules/stix_bundle/test/test_stix_bundle_default_time.py diff --git a/requirements-dev.txt b/requirements-dev.txt index affd8fcd3..405f63ee4 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -17,3 +17,4 @@ pytest-cov==4.0.0 six==1.12.0 wrapt==1.14.1 requests_mock==1.7.0 +freezegun==1.2.2 diff --git a/stix_shifter_modules/stix_bundle/stix_translation/query_translator.py b/stix_shifter_modules/stix_bundle/stix_translation/query_translator.py index 1a9830762..9219d836b 100644 --- a/stix_shifter_modules/stix_bundle/stix_translation/query_translator.py +++ b/stix_shifter_modules/stix_bundle/stix_translation/query_translator.py 
@@ -1,11 +1,23 @@ from stix_shifter_utils.modules.base.stix_translation.empty_query_translator import EmptyQueryTranslator import re +from datetime import datetime, timedelta -START_STOP_PATTERN = "\s?START\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z'\sSTOP\s?t'\d{4}(-\d{2}){2}T(\d{2}:){2}\d{2}.\d{1,3}Z'\s?" +START_STOP_PATTERN = r"\s?START\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d{1,3})?Z'\sSTOP\s?t'\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d{1,3})?Z'\s?" class QueryTranslator(EmptyQueryTranslator): def transform_query(self, data): + + time_range = self.options['time_range'] # Passed from global config + # Data is a STIX pattern. + if not re.search(START_STOP_PATTERN, data): + # add START STOP qualifier for last x minutes if none present + now = datetime.now() + timerange_delta = timedelta(minutes=time_range) + some_minutes_ago = now - timerange_delta + start_time = some_minutes_ago.strftime("START t'%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z'" + stop_time = now.strftime("STOP t'%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z'" + data = data + " " + start_time + " " + stop_time return {'queries': [data]} diff --git a/stix_shifter_modules/stix_bundle/test/test_stix_bundle_default_time.py b/stix_shifter_modules/stix_bundle/test/test_stix_bundle_default_time.py new file mode 100644 index 000000000..e12974495 --- /dev/null +++ b/stix_shifter_modules/stix_bundle/test/test_stix_bundle_default_time.py 
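Review bot: `datetime.now()` returns host-local time, but the generated START/STOP qualifiers are written with a `Z` suffix, so on any host not running in UTC the default window is shifted by the host's UTC offset; `now = datetime.utcnow()` (or `datetime.now(timezone.utc)`) makes the literal match its suffix. The accompanying test file freezes time with freezegun, whose default offset is zero, so the tests do not catch this. `self.options['time_range']` raises `KeyError` rather than falling back when the option is missing; if the global config guarantees the key, a comment saying so would help, otherwise `self.options.get('time_range', DEFAULT_TIME_RANGE_MINUTES)` with a module-level default (placeholder name) is safer. transform_query and its class are fully inside the hunk.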
@@ -0,0 +1,36 @@ +import unittest +from stix_shifter.stix_translation import stix_translation +from freezegun import freeze_time + + +translation = stix_translation.StixTranslation() + +def _test_query_assertions(query, expected_query): + assert query['queries'] == [expected_query] + +def _translate_query(stix_pattern, options={}): + return translation.translate('stix_bundle', 'query', '{}', stix_pattern, options) + +class TestQueryTranslator(unittest.TestCase, object): + + @freeze_time("2023-01-18 01:30:00") + def test_pattern_without_timestamps_with_default_range(self): + stix_pattern = "[ipv4-addr:value = '192.168.122.83']" + query = _translate_query(stix_pattern) + expected_query = "[ipv4-addr:value = '192.168.122.83'] START t'2023-01-18T01:25:00.000Z' STOP t'2023-01-18T01:30:00.000Z'" + _test_query_assertions(query, expected_query) + + @freeze_time("2022-02-18 02:40:50") + def test_pattern_without_timestamps_with_custom_range(self): + stix_pattern = "[ipv4-addr:value = '192.168.122.83']" + options = {"time_range": 15} + query = _translate_query(stix_pattern, options) + expected_query = "[ipv4-addr:value = '192.168.122.83'] START t'2022-02-18T02:25:50.000Z' STOP t'2022-02-18T02:40:50.000Z'" + _test_query_assertions(query, expected_query) + + def test_pattern_with_timestamps(self): + stix_pattern = "[ipv4-addr:value = '192.168.122.83'] START t'2019-03-28T12:24:01.009Z' STOP t'2019-03-28T12:54:01.009Z'" + query = _translate_query(stix_pattern) + expected_query = "[ipv4-addr:value = '192.168.122.83'] START t'2019-03-28T12:24:01.009Z' STOP t'2019-03-28T12:54:01.009Z'" + _test_query_assertions(query, expected_query) + From ddb6370e24969b6e1c73e66a1b80fb19d64954a8 Mon Sep 17 00:00:00 2001 
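Review bot: `_translate_query(stix_pattern, options={})` uses a mutable default argument; it happens to be harmless here because the dict is only passed through, but the idiom is `def _translate_query(stix_pattern, options=None):` with `options = options or {}` in the body. `class TestQueryTranslator(unittest.TestCase, object)` does not need the explicit `object` base. Both `freeze_time` decorators use the default zero offset, so the suite never runs with a non-UTC clock; one case using `tz_offset` would pin the intended UTC meaning of the `Z` suffix in the generated qualifiers.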
From: Deepshikha Sinha <45089286+Deepshikha8514@users.noreply.github.com> Date: Tue, 24 Jan 2023 19:49:59 +0530 Subject: [PATCH 24/30] Mapping updates for Guardium STIX 2.1 (#1102) --- .../json/stix_2_1/qsearch_from_stix_map.json | 39 +++ .../json/stix_2_1/report_from_stix_map.json | 47 ++++ .../json/stix_2_1/to_stix_map.json | 256 ++++++++++++++++++ .../stix_translation/json/to_stix_map.json | 2 +- 4 files changed, 343 insertions(+), 1 deletion(-) create mode 100644 stix_shifter_modules/guardium/stix_translation/json/stix_2_1/qsearch_from_stix_map.json create mode 100644 stix_shifter_modules/guardium/stix_translation/json/stix_2_1/report_from_stix_map.json create mode 100644 stix_shifter_modules/guardium/stix_translation/json/stix_2_1/to_stix_map.json diff --git a/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/qsearch_from_stix_map.json b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/qsearch_from_stix_map.json new file mode 100644 index 000000000..7eb9dda5f --- /dev/null +++ b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/qsearch_from_stix_map.json @@ -0,0 +1,39 @@ +{ + "x-ibm-finding": { + "fields": { + "finding_type": ["datacategory"], + "start": ["startTime"], + "end": ["endTime"], + "database_name": ["Database"], + "dst_device": ["Database"] + } + }, + "ipv4-addr": { + "fields": { + "value": ["ClientIP", "Server"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["ClientIP", "Server"] + } + }, + "network-traffic": { + "fields": { + "dst_ref.value": ["Server"], + "src_ref.value":["ClientIP"] + } + }, + "user-account": { + "fields": { + "user_id": ["DB User"], + "display_name": ["OS User"] + } + }, + "x-guardium": { + "fields": { + "severity": ["Severity"] + } + } + } + diff --git a/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/report_from_stix_map.json b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/report_from_stix_map.json new file mode 100644 index 000000000..110cba976 --- /dev/null 
+++ b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/report_from_stix_map.json @@ -0,0 +1,47 @@ +{ +"x-ibm-finding": { + "fields": { + "finding_type": ["datacategory"], + "start": ["QUERY_FROM_DATE"], + "end": ["QUERY_TO_DATE"], + "database_name": ["Database"], + "dst_device": ["Database"] + } + }, + "ipv4-addr": { + "fields": { + "value": ["ServerIP"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["ServerIP"] + } + }, + "network-traffic": { + "fields": { + "dst_ref.value": ["ServerIP"] + } + }, + "user-account": { + "fields": { + "user_id": ["DBUser"], + "display_name": ["OSUser"] + } + }, + "artifact": { + "fields": { + "payload_bin": ["Payload-dialect1"] + } + }, + "domain-name": { + "fields": { + "value": ["DomainName-dialect1"] + } + }, + "x-guardium": { + "fields": { + "severity":["Severity"] + } + } +} diff --git a/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/to_stix_map.json new file mode 100644 index 000000000..7db6fd030 --- /dev/null +++ b/stix_shifter_modules/guardium/stix_translation/json/stix_2_1/to_stix_map.json 
@@ -0,0 +1,256 @@ +{ + "DB User": [ + { + "key": "user-account.user_id", + "object":"account" + }, + { + "key": "x-ibm-finding.src_database_user_ref", + "object": "finding", + "references": "account" + } + ] + , + "db_user": [ + { + "key": "user-account.user_id", + "object":"account" + }, + { + "key": "x-ibm-finding.src_database_user_ref", + "object": "finding", + "references": "account" + } + ] + , + "OSUser": [ + { + "key": "user-account.display_name", + "object":"account" + }, + { + "key": "x-ibm-finding.src_os_user_ref", + "object": "account", + "references": "user_id" + } + ], + "LogSourceId": { + "key": "x-guardium.log_source_id" + }, + "Magnitude": { + "key": "x-guardium.magnitude" + }, + "SourceIpV4": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + } + ], + "client_ip": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "finding", + "references": "src_ip" + } + ], + "server": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "finding", + "references": "dst_ip" + } + ], + "Server IP": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "finding", + "references": "dst_ip" + } + ], + "db_type":[ + { + "key":"software.name", + "object":"software" + }, + { + "key":"x-ibm-finding.dst_application_ref", + "object":"finding", + "references":"software" + } + ], + "Server Type":[ + { + "key":"software.name", + "object":"software" + }, + { + "key":"x-ibm-finding.dst_application_ref", + "object":"finding", + "references":"software" + } + ], + "source_program":[ + { + "key":"software.name", + "object":"source_software" + 
}, + { + "key":"x-ibm-finding.src_application_ref", + "object":"finding", + "references":"source_software" + } + ], + "EventCount": { + "key": "number_observed", + "cybox": false, + "transformer": "ToInteger" + }, + "timestamp": [ + { + "key": "first_observed", + "transformer": "GuardiumToTimestamp", + "cybox": false + }, + { + "key": "last_observed", + "transformer": "GuardiumToTimestamp", + "cybox": false + } + ], + "Create Date": [ + { + "key": "first_observed", + "transformer": "GuardiumToTimestamp", + "cybox": false + } + ], + "Timestamp": [ + { + "key": "last_observed", + "transformer": "GuardiumToTimestamp", + "cybox": false + } + ], + "Last updated": [ + { + "key": "last_observed", + "transformer": "GuardiumToTimestamp", + "cybox": false + } + ], + "Url": { + "key": "url.value" + }, + "FileName": { + "key": "file.name" + }, + "Payload": { + "key": "artifact.payload_bin" + }, + "DestinationPort": { + "key": "network-traffic.dst_port", + "object": "nt", + "transformer": "ToInteger" + }, + "SourcePort": { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + }, + "NetworkProtocol": { + "key": "network-traffic.protocols", + "object": "nt", + "transformer": "ToLowercaseArray" + }, + "DomainName": { + "key": "domain-name.value" + }, + "Process": { + "Path": [ + { + "object": "proc", + "key": "process.command_line" + } + ], + "Pid": [ + { + "object": "proc", + "key": "process.pid" + } + ] + }, + "violation":{ + "key":"x-ibm-finding.name", + "object":"finding" + }, + "Threat Category":{ + "key":"x-ibm-finding.name", + "object":"finding" + }, + "details":{ + "key":"x-ibm-finding.details", + "object":"finding" + }, + "database":{ + "key":"x-ibm-finding.dst_device", + "object":"finding" + }, + "Database":{ + "key":"x-ibm-finding.dst_device", + "object":"finding" + }, + "severity":[ + { + "key":"x-guardium.severity", + "transformer": "GuardiumMapSeverity"}, + { + "key":"x-ibm-finding.finding_type", + "object":"finding", + "transformer": 
"GuardiumQS"} + ], + "Severity":[ + { + "key":"x-guardium.severity"}, + { + "key":"x-ibm-finding.finding_type", + "object":"finding", + "transformer": "GuardiumRep"} + ], + "guardium_appliance":{ + "key":"x-ibm-finding.source", + "object":"finding" + }, + "Originating Unit":{ + "key":"x-ibm-finding.source", + "object":"finding" + } +} diff --git a/stix_shifter_modules/guardium/stix_translation/json/to_stix_map.json b/stix_shifter_modules/guardium/stix_translation/json/to_stix_map.json index 244646565..1c8648478 100644 --- a/stix_shifter_modules/guardium/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/guardium/stix_translation/json/to_stix_map.json @@ -204,7 +204,7 @@ "Pid": [ { "object": "proc", - "key": "process.id" + "key": "process.pid" } ] }, From ede4a291a0d8079a0af94adc01cadc7aaa7aed53 Mon Sep 17 00:00:00 2001 From: thangaraj-ramesh <92723742+thangaraj-ramesh@users.noreply.github.com> Date: Tue, 24 Jan 2023 14:37:02 +0000 Subject: [PATCH 25/30] Handle unknown auth exception in Sentinelone connector --- .../stix_transmission/api_client.py | 12 ++++--- .../stix_transmission/delete_connector.py | 4 ++- .../stix_transmission/ping_connector.py | 13 ++++--- .../stix_transmission/query_connector.py | 28 +++++++++++---- .../stix_transmission/results_connector.py | 34 +++++++++++++++---- .../stix_transmission/status_connector.py | 27 ++++++++++++--- .../test_sentinelone_stix_to_query.py | 2 +- .../stix_transmission/test_sentinelone.py | 34 +++++++++++++++++++ 8 files changed, 125 insertions(+), 29 deletions(-) diff --git a/stix_shifter_modules/sentinelone/stix_transmission/api_client.py b/stix_shifter_modules/sentinelone/stix_transmission/api_client.py index 2b69f95f1..aa9a6e1ef 100644 --- a/stix_shifter_modules/sentinelone/stix_transmission/api_client.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/api_client.py 
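Review bot: In to_stix_map.json the second `OSUser` entry reads `"object": "account", "references": "user_id"`, which breaks the pattern every other reference entry follows (`"object": "finding", "references": "<object name>"`), and `user_id` is not an object name defined anywhere in this map; presumably it should be `"key": "x-ibm-finding.src_os_user_ref", "object": "finding", "references": "account"`. The map also carries near-duplicate keys differing only in case or spacing (`DB User`/`db_user`, `server`/`Server IP`, `database`/`Database`, `severity`/`Severity`, `Timestamp`/`timestamp`); if each pair serves a different Guardium result format, a short note in the module's README saying which is which would spare the next maintainer from guessing. The stray comma placement after the `DB User` and `db_user` arrays (`] ,` on its own line) is valid JSON but inconsistent with the rest of the file.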
@@ -27,7 +27,8 @@ def ping_datasource(self): ping or check the system status """ endpoint = self.PING_STATUS - return self.client.call_api(endpoint, 'GET', headers=self.client.headers, timeout=self.timeout) + return self.client.call_api(endpoint, 'GET', headers=self.client.headers, + timeout=self.timeout) def create_search(self, query_expression): """ @@ -39,7 +40,8 @@ def create_search(self, query_expression): endpoint = self.QUERY_ENDPOINT data = query_expression data = data.encode('utf-8') - return self.client.call_api(endpoint, 'POST', headers=self.client.headers, data=data, timeout=self.timeout) + return self.client.call_api(endpoint, 'POST', headers=self.client.headers, data=data, + timeout=self.timeout) def get_search_status(self, search_id): """ @@ -51,7 +53,8 @@ def get_search_status(self, search_id): endpoint = self.QUERY_STATUS + "?queryId=" + search_id params = {} params['output'] = 'json' - return self.client.call_api(endpoint, 'GET', headers=self.client.headers, urldata=params, timeout=self.timeout) + return self.client.call_api(endpoint, 'GET', headers=self.client.headers, urldata=params, + timeout=self.timeout) def get_search_results(self, search_id, offset, length, nextcursor=None): """ @@ -69,7 +72,8 @@ def get_search_results(self, search_id, offset, length, nextcursor=None): params = {} params['output'] = 'json' - return self.client.call_api(endpoint, 'GET', headers=self.client.headers, urldata=params, timeout=self.timeout) + return self.client.call_api(endpoint, 'GET', headers=self.client.headers, urldata=params, + timeout=self.timeout) def delete_search(self, search_id): """ diff --git a/stix_shifter_modules/sentinelone/stix_transmission/delete_connector.py b/stix_shifter_modules/sentinelone/stix_transmission/delete_connector.py index f292bbd88..8281674af 100644 --- a/stix_shifter_modules/sentinelone/stix_transmission/delete_connector.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/delete_connector.py 
@@ -9,6 +9,7 @@ class DeleteConnector(BaseDeleteConnector): def __init__(self, api_client): self.api_client = api_client self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] def delete_query_connection(self, search_id): """ @@ -31,5 +32,6 @@ def delete_query_connection(self, search_id): response_dict['type'] = "unknown" response_dict['message'] = ex self.logger.error('error when delete request: %s', str(ex)) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) return return_obj diff --git a/stix_shifter_modules/sentinelone/stix_transmission/ping_connector.py b/stix_shifter_modules/sentinelone/stix_transmission/ping_connector.py index 8ca3a57c1..03226b808 100644 --- a/stix_shifter_modules/sentinelone/stix_transmission/ping_connector.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/ping_connector.py @@ -12,6 +12,7 @@ class PingConnector(BasePingConnector): def __init__(self, api_client): self.api_client = api_client self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] def ping_connection(self): """ @@ -26,7 +27,8 @@ def ping_connection(self): except ConnectionError: response_dict['type'] = "ConnectionError" response_dict['message'] = "Invalid Host" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except Exception as ex: if 'Max retries exceeded' in str(ex): # sleep added due to limitation of 1 call a second for each user token 
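Review bot: `self.connector = __name__.split('.')[1]` is repeated in each of the five connector constructors in this commit (delete, ping, and the query, results and status connectors further down this page) and assumes the module is always imported as `stix_shifter_modules.sentinelone.…`; under any other import root index 1 would be a different segment. Computing it once at package level, e.g. `CONNECTOR_NAME = __name__.split('.')[1]` beside the imports of a shared module and importing that, gives a single place to maintain. The constructors are otherwise unchanged and their enclosing classes continue outside these hunks.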
@@ -36,15 +38,18 @@ def ping_connection(self): except ConnectionError: response_dict['type'] = "ConnectionError" response_dict['message'] = "Invalid Host" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except Exception as err: self.logger.error('error when ping: %s', str(err)) response_dict['message'] = str(err) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) return return_obj else: self.logger.error('error when ping: %s', str(ex)) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) return return_obj def call_ping_datasource(self, return_obj, response_dict): diff --git a/stix_shifter_modules/sentinelone/stix_transmission/query_connector.py b/stix_shifter_modules/sentinelone/stix_transmission/query_connector.py index bb53c4acd..305fc086f 100644 --- a/stix_shifter_modules/sentinelone/stix_transmission/query_connector.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/query_connector.py @@ -11,11 +11,15 @@ class BadRequestQueryError(Exception): class LimitOutOfRangeError(Exception): pass +class AuthenticationError(Exception): + pass + class QueryConnector(BaseQueryConnector): """ Query connector base class """ def __init__(self, api_client): self.api_client = api_client self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] def create_query_connection(self, query): """ 
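Review bot: `class AuthenticationError(Exception): pass` is declared here and again, as separate classes, in results_connector.py and status_connector.py later on this page, so the three types are not interchangeable and cannot be caught by one shared handler or asserted on by one test. Defining it once in a package-level exceptions module and importing it in each connector keeps them consistent. The pre-existing `LimitOutOfRangeError` and `QueryIdNotFoundError` duplicates visible in the same files have the same shape, though they are not part of this change.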
@@ -43,7 +47,7 @@ def create_query_connection(self, query): return_obj['success'] = False response_code = response_dict.get("errors")[0].get("code") if response_code == 4010010: - return_obj['error'] = "Authentication failed" + raise AuthenticationError elif response_code == 400: return_obj['success'] = False response_code = response_dict.get("errors")[0].get("code") 
@@ -53,24 +57,34 @@ def create_query_connection(self, query): if response_code == 4000010: raise LimitOutOfRangeError else: - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) + except AuthenticationError: + response_dict['type'] = "AuthenticationError" + response_dict['message'] = "Invalid apitoken" + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except ConnectionError: response_dict['type'] = "ConnectionError" response_dict['message'] = "Invalid Host" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except LimitOutOfRangeError: response_dict['type'] = "LimitOutOfRangeError" response_dict['message'] = "Limit must be greater than or equal to 1 " \ "and less than or equal to 100000" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except BadRequestQueryError: response_dict['type'] = "BadRequestQueryError" response_dict['message'] = response_dict.get("errors")[0].get("detail") - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except Exception as ex: response_dict['type'] = "unknown" response_dict['message'] = ex self.logger.error('error when creating search: %s', str(ex)) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) - return return_obj \ No newline at end of file + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) + return return_obj 
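Review bot: The new `except AuthenticationError` handler depends on `ErrorResponder.fill_error` mapping the type string `"AuthenticationError"` to the authentication error code, and nothing on this page verifies that: the assertions added to test_sentinelone.py only check `query_response['code'] is not None`, so a silent fallback to a generic code would still pass. Pin the expected `ErrorCode` member's value in test_search_authentication_error (and in the results/status auth tests), or, if the mapping is keyed on the message text rather than the type, say so in a comment next to `response_dict['message'] = "Invalid apitoken"`. The matching handlers in results_connector.py and status_connector.py further down this page have the same gap.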
diff --git a/stix_shifter_modules/sentinelone/stix_transmission/results_connector.py b/stix_shifter_modules/sentinelone/stix_transmission/results_connector.py index fedfc41ce..d09a881d2 100644 --- a/stix_shifter_modules/sentinelone/stix_transmission/results_connector.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/results_connector.py @@ -12,11 +12,15 @@ class LimitOutOfRangeError(Exception): class QueryIdNotFoundError(Exception): pass +class AuthenticationError(Exception): + pass + class ResultsConnector(BaseResultsConnector): """ResultsConnector class""" def __init__(self, api_client): self.api_client = api_client self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] def create_results_connection(self, search_id, offset, length): """ @@ -57,8 +61,14 @@ def create_results_connection(self, search_id, offset, length): response_code = response_dict.get("errors")[0].get("code") if response_code == 4040010: raise QueryIdNotFoundError + elif response_code == 401: + return_obj['success'] = False + response_code = response_dict.get("errors")[0].get("code") + if response_code == 4010010: + raise AuthenticationError else: - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) if response_dict.get("pagination"): pagination_dict = response_dict.get("pagination") 
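Review bot: In the new `elif response_code == 401:` branch, a 401 whose `errors[0].code` is anything other than 4010010 sets `return_obj['success'] = False` and then falls through without raising or calling `ErrorResponder.fill_error`, so the caller receives a failed response with no error populated; an `else: raise AuthenticationError` (or a fill_error call) inside that branch covers every 401. The same shape is added to create_status_connection in status_connector.py further down this page. With indentation lost in this view I cannot tell whether the `elif` chains to the outer HTTP-status test or to `if response_code == 4040010:`; if it is the latter, `response_code` has already been replaced by the fine-grained code and the 401 branch is unreachable, so please confirm the nesting. create_results_connection starts and continues outside this hunk.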
@@ -94,24 +104,34 @@ def create_results_connection(self, search_id, offset, length): if response_code == 4000010: raise LimitOutOfRangeError else: - ErrorResponder.fill_error(return_obj, response_dict, ['message']) - + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) + + except AuthenticationError: + response_dict['type'] = "AuthenticationError" + response_dict['message'] = "Invalid apitoken" + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except ConnectionError: response_dict['type'] = "ConnectionError" response_dict['message'] = "Invalid Host" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except LimitOutOfRangeError: response_dict['type'] = "LimitOutOfRangeError" response_dict['message'] = "Limit must be greater than or equals to 1 " \ "and less than equals to 1000" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except QueryIdNotFoundError: response_dict['type'] = "QueryIdNotFoundError" response_dict['message'] = "Could not find query id: " + search_id - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except Exception as ex: self.logger.error('error in query result: %s', str(ex)) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) return return_obj @staticmethod diff --git a/stix_shifter_modules/sentinelone/stix_transmission/status_connector.py b/stix_shifter_modules/sentinelone/stix_transmission/status_connector.py index 8a1330537..d4c2d7e1e 100644 
--- a/stix_shifter_modules/sentinelone/stix_transmission/status_connector.py +++ b/stix_shifter_modules/sentinelone/stix_transmission/status_connector.py @@ -13,6 +13,9 @@ class InvalidResponseException(Exception): class QueryIdNotFoundError(Exception): pass +class AuthenticationError(Exception): + pass + class StatusConnector(BaseStatusConnector): """ check query status class @@ -20,6 +23,7 @@ class StatusConnector(BaseStatusConnector): def __init__(self, api_client): self.api_client = api_client self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] def create_status_connection(self, search_id): """ 
@@ -51,23 +55,35 @@ def create_status_connection(self, search_id): response_code = response_dict.get("errors")[0].get("code") if response_code == 4040010: raise QueryIdNotFoundError + elif response_code == 401: + return_obj['success'] = False + response_code = response_dict.get("errors")[0].get("code") + if response_code == 4010010: + raise AuthenticationError else: return_obj['success'] = False - #ErrorResponder.fill_error(return_obj, response, ['message']) raise InvalidResponseException + except AuthenticationError: + response_dict['type'] = "AuthenticationError" + response_dict['message'] = "Invalid apitoken" + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except InvalidResponseException: response_dict['type'] = 'InvalidResponseException' response_dict['message'] = 'InvalidResponse' - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except QueryIdNotFoundError: response_dict['type'] = "QueryIdNotFoundError" response_dict['message'] = "Could not find query id: " + search_id - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except ConnectionError: response_dict['type'] = "ConnectionError" response_dict['message'] = "Invalid Host" - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) except Exception as ex: if 'Max retries exceeded' in str(ex): #sleep added due to limitation of 1 call a second for each user token 
@@ -79,5 +95,6 @@ def create_status_connection(self, search_id): response_dict['type'] = "unknown" response_dict['message'] = ex self.logger.error('error when checking status: %s', str(ex)) - ErrorResponder.fill_error(return_obj, response_dict, ['message']) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], + connector=self.connector) return return_obj diff --git a/stix_shifter_modules/sentinelone/tests/stix_translation/test_sentinelone_stix_to_query.py b/stix_shifter_modules/sentinelone/tests/stix_translation/test_sentinelone_stix_to_query.py index f06d6c070..836671f86 100644 --- a/stix_shifter_modules/sentinelone/tests/stix_translation/test_sentinelone_stix_to_query.py +++ b/stix_shifter_modules/sentinelone/tests/stix_translation/test_sentinelone_stix_to_query.py @@ -441,7 +441,7 @@ def test_unmapped_attribute_handling_with_and(self): def test_invalid_stix_pattern(self): """test to check invalid stix pattern""" stix_pattern = "[not_a_valid_pattern]" - result = translation.translate('cybereason', 'query', '{}', stix_pattern, {'validate_pattern': 'true'}) + result = translation.translate('sentinelone', 'query', '{}', stix_pattern, {'validate_pattern': 'true'}) assert result['success'] is False assert ErrorCode.TRANSLATION_STIX_VALIDATION.value == result['code'] assert stix_pattern[1:-1] in result['error'] diff --git a/stix_shifter_modules/sentinelone/tests/stix_transmission/test_sentinelone.py b/stix_shifter_modules/sentinelone/tests/stix_transmission/test_sentinelone.py index 2770cf2bf..ec2d31709 100644 --- a/stix_shifter_modules/sentinelone/tests/stix_transmission/test_sentinelone.py +++ b/stix_shifter_modules/sentinelone/tests/stix_transmission/test_sentinelone.py 
@@ -104,6 +104,8 @@ def test_ping_endpoint_parseerror(self, mock_ping_source, mock_api_client): assert ping_response is not None assert ping_response['success'] is False assert ping_response['error'] is not None + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -157,6 +159,8 @@ def test_search_query_error(self, mock_create_search, mock_api_client): assert query_response is not None assert query_response['success'] is False assert query_response['error'] is not None + assert query_response['connector'] is not None + assert query_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -184,6 +188,8 @@ def test_search_query_limiterror(self, mock_create_search, mock_api_client): assert query_response is not None assert query_response['success'] is False assert query_response['error'] is not None + assert query_response['connector'] is not None + assert query_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -210,6 +216,8 @@ def test_search_authentication_error(self, mock_create_search, mock_api_client): assert query_response is not None assert query_response['success'] is False assert query_response['error'] is not None + assert query_response['connector'] is not None + assert query_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') 
@@ -572,6 +580,8 @@ def test_process_result_error(self, mock_results_response, mock_api_client): assert results_response is not None assert results_response['success'] is False assert results_response['error'] is not None + assert results_response['connector'] is not None + assert results_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -596,6 +606,8 @@ def test_result_query_id_notfound_error(self, mock_results_response, mock_api_cl assert results_response is not None assert results_response['success'] is False assert results_response['error'] is not None + assert results_response['connector'] is not None + assert results_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -621,6 +633,8 @@ def test_process_result_auth_error(self, mock_results_response, mock_api_client) assert results_response is not None assert results_response['success'] is False assert results_response['error'] is not None + assert results_response['connector'] is not None + assert results_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -976,6 +990,8 @@ def test_multiobject_query_parseerror(self, mock_create_search, mock_api_client) assert query_response is not None assert query_response['success'] is False assert query_response['error'] is not None + assert query_response['connector'] is not None + assert query_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') 
@@ -1305,6 +1321,8 @@ def test_multiobject_result_parseerror(self, mock_results_response, mock_api_cli assert results_response is not None assert results_response['success'] is False assert results_response['error'] is not None + assert results_response['connector'] is not None + assert results_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -1371,6 +1389,8 @@ def test_search_status_notfound_error(self, mock_status_response, mock_api_clien assert ping_response is not None assert ping_response['success'] is False assert ping_response['error'] is not None + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -1393,6 +1413,8 @@ def test_search_status_error(self, mock_status_response, mock_api_client): assert ping_response is not None assert ping_response['success'] is False assert ping_response['error'] is not None + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -1415,6 +1437,8 @@ def test_search_status_auth_error(self, mock_status_response, mock_api_client): assert ping_response is not None assert ping_response['success'] is False assert ping_response['error'] is not None + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') 
@@ -1474,6 +1498,8 @@ def test_ping_maxretried_error(self, mock_ping_source, mock_api_client): assert ping_response is not None assert ping_response['success'] is False assert ping_response['error'] is not None + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_modules.sentinelone.stix_transmission.api_client' '.APIClient.__init__') @@ -1506,6 +1532,8 @@ def test_invalid_host_ping(self, mock_ping): assert ping_response is not None assert ping_response['success'] is False assert "Invalid Host" in ping_response['error'] + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_utils.stix_transmission.utils.RestApiClient.RestApiClient.call_api') def test_invalid_host_status(self, mock_ping): @@ -1517,6 +1545,8 @@ def test_invalid_host_status(self, mock_ping): assert ping_response is not None assert ping_response['success'] is False assert "Invalid Host" in ping_response['error'] + assert ping_response['connector'] is not None + assert ping_response['code'] is not None @patch('stix_shifter_utils.stix_transmission.utils.RestApiClient.RestApiClient.call_api') def test_invalid_host_query(self, mock_create_search): @@ -1538,6 +1568,8 @@ def test_invalid_host_query(self, mock_create_search): assert query_response is not None assert query_response['success'] is False assert "Invalid Host" in query_response['error'] + assert query_response['connector'] is not None + assert query_response['code'] is not None @patch('stix_shifter_utils.stix_transmission.utils.RestApiClient.RestApiClient.call_api') def test_invalid_host_result(self, mock_result): @@ -1557,3 +1589,5 @@ def test_invalid_host_result(self, mock_result): assert results_response is not None assert results_response['success'] is False assert "Invalid Host" in results_response['error'] + assert results_response['connector'] is not None + assert results_response['code'] is not None 
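Review bot: The added assertions only establish that `connector` and `code` are present, so a regression that reports the wrong connector name or falls through to a generic error code would still pass; the same applies to every assertion pair added across this file. For `test_invalid_host_result` the response is produced by the sentinelone connector, so pin the value with `assert results_response['connector'] == 'sentinelone'`, and compare `code` against the specific member of the `ErrorCode` enum used elsewhere in the test suite that the invalid-host path is expected to map to, rather than `is not None`. `test_invalid_host_result` begins before this hunk.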
From 11e7d57c22fe495ce9ddbfe753517aede274c2e3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Jan 2023 10:42:00 -0400 Subject: [PATCH 26/30] Bump boto3 from 1.26.41 to 1.26.55 in /stix_shifter (#1293) --- stix_shifter/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stix_shifter/requirements.txt b/stix_shifter/requirements.txt index 6ca228037..02bd17a10 100644 --- a/stix_shifter/requirements.txt +++ b/stix_shifter/requirements.txt @@ -1,6 +1,6 @@ adal==1.2.7 antlr4-python3-runtime==4.8 -boto3==1.26.41 +boto3==1.26.55 flask==2.2.2 pyOpenSSL==23.0.0 flatten_json==0.1.13 From a9e5b43db5e70a766f1814c95001c68f8b82073e Mon Sep 17 00:00:00 2001 From: Danny Elliott Date: Tue, 24 Jan 2023 14:20:18 -0400 Subject: [PATCH 27/30] Table of mapping updates and 4.6.0 changelog (#1294) --- CHANGELOG.md | 44 ++++ OVERVIEW.md | 4 +- .../connectors/aws_athena_supported_stix.md | 248 ++++++++++++++++-- .../azure_log_analytics_supported_stix.md | 209 +++++++++++++++ .../azure_sentinel_supported_stix.md | 4 +- .../connectors/elastic_ecs_supported_stix.md | 26 +- .../connectors/guardium_supported_stix.md | 4 +- .../connectors/splunk_supported_stix.md | 18 +- adapter-guide/supported-mappings.md | 3 +- .../scripts/supported_property_exporter.py | 8 +- 10 files changed, 519 insertions(+), 49 deletions(-) create mode 100644 adapter-guide/connectors/azure_log_analytics_supported_stix.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 68c68455d..02f9e818a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,50 @@ We have started this changelogs from version 4.0.0. So, changes on previously re ### Dependency update: *List the dependecy upgrade or downgrade.* +-------------------------------------- + +## 4.6.0 (2023-01-24) + +### Breaking changes: + +### Deprecations: + +### Changes: + +* Instructions for the usage of custom mappings [#1274](https://github.com/opencybersecurityalliance/stix-shifter/pull/1274) +* Add log analytics API support to azure sentinel connector [#1214](https://github.com/opencybersecurityalliance/stix-shifter/pull/1214) +* Update OCSF schema in Athena mappings [#1245](https://github.com/opencybersecurityalliance/stix-shifter/pull/1245) +* splunk: allow multiple, comma-separated index names in the index option [#1271](https://github.com/opencybersecurityalliance/stix-shifter/pull/1271) +* Rename azure sentinel to Microsoft Graph Security Connector [#1212](https://github.com/opencybersecurityalliance/stix-shifter/pull/1212) +* elastic_ecs: add beats dialect [#1208](https://github.com/opencybersecurityalliance/stix-shifter/pull/1208) +* update script to create sql database [#1228](https://github.com/opencybersecurityalliance/stix-shifter/pull/1228) +* Test for START STOP timestamp format [#1218](https://github.com/opencybersecurityalliance/stix-shifter/pull/1218) +* Updated RHACS connector to support self signed certificate authentication [#1174](https://github.com/opencybersecurityalliance/stix-shifter/pull/1174) + +### Fixes: + +* Mapping updates for Guardium STIX 2.1 [#1102](https://github.com/opencybersecurityalliance/stix-shifter/pull/1102) +* Add default time range to STIX Bundle connector [#1288](https://github.com/opencybersecurityalliance/stix-shifter/pull/1288) +* Updated code to handle maximum query length limitation in darktrace. 
[#1259](https://github.com/opencybersecurityalliance/stix-shifter/pull/1259) +* Use raw strings for regex [#1276](https://github.com/opencybersecurityalliance/stix-shifter/pull/1276) +* Updated changes for the issue #1270 [#1272](https://github.com/opencybersecurityalliance/stix-shifter/pull/1272) +* change all two lettered property names [#1251](https://github.com/opencybersecurityalliance/stix-shifter/pull/1251) +* mapping fixes for splunk [#1239](https://github.com/opencybersecurityalliance/stix-shifter/pull/1239) +* splunk: use like, cidrmatch SPL functions for LIKE, ISSUBSET operators [#1244](https://github.com/opencybersecurityalliance/stix-shifter/pull/1244) +* Fix supported property exporter to handle from-STIX fields not wrapped in a list [#1236](https://github.com/opencybersecurityalliance/stix-shifter/pull/1236) +* fix domain_ioc mapping (removal of network_traffic ref) [#1226](https://github.com/opencybersecurityalliance/stix-shifter/pull/1226) +* Updated cybereason code to fix the issue #1215 [#1224](https://github.com/opencybersecurityalliance/stix-shifter/pull/1224) +* Darktrace timeout exception handled [#1210](https://github.com/opencybersecurityalliance/stix-shifter/pull/1210) +* Aws athena ocsf fixes [#1182](https://github.com/opencybersecurityalliance/stix-shifter/pull/1182) +* elastic_ecs: more fixes for LIKE and MATCHES [#1195](https://github.com/opencybersecurityalliance/stix-shifter/pull/1195) + +### Dependency update: + +* Bump boto3 from 1.26.41 to 1.26.55 in /stix_shifter [#1293](https://github.com/opencybersecurityalliance/stix-shifter/pull/1293) +* Bump json-fix from 0.5.0 to 0.5.1 in /stix_shifter [#1196](https://github.com/opencybersecurityalliance/stix-shifter/pull/1196) +* Bump pyopenssl from 22.1.0 to 23.0.0 in /stix_shifter [#1264](https://github.com/opencybersecurityalliance/stix-shifter/pull/1264) +* Bump boto3 from 1.26.10 to 1.26.41 in /stix_shifter [#1263](https://github.com/opencybersecurityalliance/stix-shifter/pull/1263) + 
------------------------------------- ## 4.5.2 (2022-11-21) diff --git a/OVERVIEW.md b/OVERVIEW.md index d2970c56f..8048aa928 100644 --- a/OVERVIEW.md +++ b/OVERVIEW.md @@ -137,7 +137,7 @@ List updated: October 29, 2021 | [IBM Cloud Security Advisor](adapter-guide/connectors/security_advisor_supported_stix.md) | security_advisor | Default | IBM Cloud | Yes | Yes | Released | | [Splunk Enterprise Security](adapter-guide/connectors/splunk_supported_stix.md) | splunk | Splunk CIM | IBM Security | Yes | Yes | Released | | [Microsoft Defender for Endpoint](adapter-guide/connectors/msatp_supported_stix.md) | msatp | Default | IBM Security | Yes | Yes | Released | -| [Microsoft Azure Sentinel](adapter-guide/connectors/azure_sentinel_supported_stix.md) | azure_sentinel | Default | IBM Security | Yes | Yes | Released | +| [Microsoft Graph Security](adapter-guide/connectors/azure_sentinel_supported_stix.md) | azure_sentinel | Default | IBM Security | Yes | Yes | Released | | [IBM Guardium Data Protection](adapter-guide/connectors/guardium_supported_stix.md) | guardium | Default | IBM Security | Yes | Yes | Released | | [AWS CloudWatch Logs](adapter-guide/connectors/aws_cloud_watch_logs_supported_stix.md) | aws_cloud_watch_logs | Default | IBM Security | Yes | Yes | Released | | [Amazon Athena](adapter-guide/connectors/aws_athena_supported_stix.md) | aws_athena | SQL | IBM Security | Yes | Yes | Released | 
@@ -160,6 +160,8 @@ List updated: October 29, 2021 | [IBM Security Verify](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/ibm_security_verify_supported_stix.md) | ibm_security_verify | Default | IBM Security | Yes | Yes | Released | | [Red Hat Advanced Cluster Security for Kubernetes (StackRox)](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/rhacs_supported_stix.md) | rhacs | Default | IBM Security | Yes | Yes | Released | | [GCP Chronicle](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/gcp_chronicle_supported_stix.md) | gcp_chronicle | Default | IBM Security | Yes | Yes | Released | +| [Azure Log Analytics](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/connectors/azure_log_analytics_supported_stix.md) | azure_log_analytics | Default | IBM Security | Yes | Yes | Released | + ## How to use diff --git a/adapter-guide/connectors/aws_athena_supported_stix.md b/adapter-guide/connectors/aws_athena_supported_stix.md index 5f220c155..353cd55c5 100644 --- a/adapter-guide/connectors/aws_athena_supported_stix.md +++ b/adapter-guide/connectors/aws_athena_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/09/22 +##### Updated on 01/24/23 ## Amazon Athena ### Supported STIX Operators | STIX Operator | Data Source Operator | 
@@ -58,6 +58,33 @@ | STIX Object and Property | Mapped Data Source Fields | |--|--| | **email-addr**:value | identity.user.email_addr | +| **file**:accessed | file.accessed_time | +| **file**:created | file.created_time | +| **file**:extensions.'x-ocsf-file-ext'.algorithm | file.fingerprints.algorithm | +| **file**:extensions.'x-ocsf-file-ext'.algorithm_id | file.fingerprints.algorithm_id | +| **file**:extensions.'x-ocsf-file-ext'.algorithm_value | file.fingerprints.value | +| **file**:extensions.'x-ocsf-file-ext'.attributes | file.attributes | +| **file**:extensions.'x-ocsf-file-ext'.company_name | file.company_name | +| **file**:extensions.'x-ocsf-file-ext'.confidentiality | file.confidentiality | +| **file**:extensions.'x-ocsf-file-ext'.confidentiality_id | file.confidentiality_id | +| **file**:extensions.'x-ocsf-file-ext'.description | file.desc | +| **file**:extensions.'x-ocsf-file-ext'.feature_name | file.product.feature.name | +| **file**:extensions.'x-ocsf-file-ext'.feature_uid | file.product.feature.uid | +| **file**:extensions.'x-ocsf-file-ext'.feature_version | file.product.feature.version | +| **file**:extensions.'x-ocsf-file-ext'.installed_path | file.product.path | +| **file**:extensions.'x-ocsf-file-ext'.product_lang | file.product.lang | +| **file**:extensions.'x-ocsf-file-ext'.product_name | file.product.name | +| **file**:extensions.'x-ocsf-file-ext'.product_uid | file.product.uid | +| **file**:extensions.'x-ocsf-file-ext'.product_vendor | file.product.vendor_name | +| **file**:extensions.'x-ocsf-file-ext'.product_version | file.product.version | +| **file**:extensions.'x-ocsf-file-ext'.security_descriptor | file.security_descriptor | +| **file**:extensions.'x-ocsf-file-ext'.signature | file.signature | +| **file**:extensions.'x-ocsf-file-ext'.type | file.type | +| **file**:extensions.'x-ocsf-file-ext'.type_id | file.type_id | +| **file**:extensions.'x-ocsf-file-ext'.uid | file.uid | +| **file**:extensions.'x-ocsf-file-ext'.version | file.version 
| +| **file**:name | file.name | +| **file**:size | file.size | | **ipv4-addr**:value | dst_endpoint.ip, src_endpoint.ip | | **ipv6-addr**:value | dst_endpoint.ip, src_endpoint.ip | | **network-traffic**:dst_byte_count | traffic.bytes_in | 
@@ -72,12 +99,27 @@ | **network-traffic**:extensions.'x-network-ext'.packets | traffic.packets | | **network-traffic**:extensions.'x-network-ext'.protocol_ver | connection_info.protocol_ver | | **network-traffic**:extensions.'x-network-ext'.tcp_flags | connection_info.tcp_flags | -| **network-traffic**:protocol | connection_info.protocol_name | | **network-traffic**:protocols[*] | connection_info.protocol_num | | **network-traffic**:src_byte_count | traffic.bytes_out | | **network-traffic**:src_packets | traffic.packets_out | | **network-traffic**:src_port | src_endpoint.port | | **network-traffic**:src_ref.value | src_endpoint.ip | +| **process**:binary_ref.name | file.name | +| **process**:command_line | process.cmd_line | +| **process**:created | process.created_time | +| **process**:extensions.'x-ocsf-process-ext'.integrity | process.integrity | +| **process**:extensions.'x-ocsf-process-ext'.integrity_id | process.integrity_id | +| **process**:extensions.'x-ocsf-process-ext'.is_system | process.is_system | +| **process**:extensions.'x-ocsf-process-ext'.lineage | process.lineage | +| **process**:extensions.'x-ocsf-process-ext'.loaded_modules | process.sandbox | +| **process**:extensions.'x-ocsf-process-ext'.terminated_time | terminated_time | +| **process**:extensions.'x-ocsf-process-ext'.tid | process.tid | +| **process**:x_unique_id | process.uid | +| **process**:extensions.'x-ocsf-process-ext'.xattributes | process.xattributes | +| **process**:mime_type | mime_type | +| **process**:extensions.'x-ocsf-process-ext'.modified_time | process.modified_time | +| **process**:name | process.name | +| **process**:pid | process.pid | | **software**:extension.product.feature_name | metadata.product.feature.name | | **software**:extension.product.feature_uid | metadata.product.feature.uid | | **software**:extension.product.feature_version | metadata.product.feature.version | 
@@ -106,17 +148,18 @@ | **user-account**:extensions.'aws-account-ext'.uid | identity.user.uid | | **user-account**:extensions.'aws-account-ext'.uuid | identity.user.uuid | | **user-account**:user_id | identity.user.account_uid | -| **x-ibm-finding**:alert_id | observables.type_id | +| **x-ibm-finding**:alert_id | observables.type_id, finding.uid | | **x-ibm-finding**:description | observables.value | | **x-ibm-finding**:dst_ip_ref.value | dst_endpoint.ip | | **x-ibm-finding**:end | end_time | | **x-ibm-finding**:event_count | count | | **x-ibm-finding**:finding_type | observables.type | -| **x-ibm-finding**:name | observables.name | +| **x-ibm-finding**:name | observables.name, finding.title | +| **x-ibm-finding**:types | finding.types | | **x-ibm-finding**:severity | severity_id | | **x-ibm-finding**:src_ip_ref.value | src_endpoint.ip | -| **x-ibm-finding**:start | start_time | -| **x-ibm-finding**:time_observed | _time | +| **x-ibm-finding**:start | finding.created_time | +| **x-ibm-finding**:time_observed | finding.first_seen_time | | **x-oca-asset**:extensions.'x-dst-endpoint'.instance_uid | dst_endpoint.instance_uid | | **x-oca-asset**:extensions.'x-dst-endpoint'.interface_uid | dst_endpoint.interface_uid | | **x-oca-asset**:extensions.'x-dst-endpoint'.subnet_uid | dst_endpoint.subnet_uid | 
@@ -127,11 +170,11 @@ | **x-oca-asset**:extensions.'x-src-endpoint'.subnet_uid | src_endpoint.subnet_uid | | **x-oca-asset**:extensions.'x-src-endpoint'.svc_name | src_endpoint.svc_name | | **x-oca-asset**:extensions.'x-src-endpoint'.vpc_uid | src_endpoint.vpc_uid | -| **x-oca-asset**:ip_refs[*].value | dst_endpoint.ip, src_endpoint.ip | | **x-oca-asset**:name | dst_endpoint.name, src_endpoint.name | -| **x-oca-event**:action | activity | +| **x-oca-event**:action | activity, activity_name | | **x-oca-event**:category | category_name | | **x-oca-event**:code | activity_id, category_uid | +| **x-oca-event**:confidence | confidence | | **x-oca-event**:created | time | | **x-oca-event**:duration | duration | | **x-oca-event**:extensions.'x-cloud-api'.class_uid | class_uid | @@ -174,6 +217,14 @@ | **x-ocsf-cloud**:type_name | type_name | | **x-ocsf-cloud**:type_uid | type_uid | | **x-ocsf-cloud**:zone | cloud.zone | +| **x-ibm-ttp-tagging**:name | attack.technique.name | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.tactic_name | attack.tactics.name | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.tactic_id | attack.tactics.uid | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.technique_id | attack.technique.uid | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.version | attack.version | +| **x-ocsf-compliance**:requirements | compliance.requirements | +| **x-ocsf-compliance**:status | compliance.status | +| **x-ocsf-compliance**:status_detail | compliance.status_detail | | **x-ocsf-enrichments**:data | enrichments.data | | **x-ocsf-enrichments**:name | enrichments.name | | **x-ocsf-enrichments**:provider | enrichments.provider | 
@@ -209,6 +260,26 @@ | **x-ocsf-identity**:session.issuer | identity.session.issuer | | **x-ocsf-identity**:session.mfa | identity.session.mfa | | **x-ocsf-identity**:session.uid | identity.session.uid | +| **x-ocsf-malware**:base_score | malware.cves.cvss.base_score | +| **x-ocsf-malware**:classification_ids | malware.classification_ids | +| **x-ocsf-malware**:classifications | malware.classifications | +| **x-ocsf-malware**:created_time | malware.cves.created_time | +| **x-ocsf-malware**:cwe_uid | malware.cves.cwe_uid | +| **x-ocsf-malware**:cwe_url | malware.cves.cwe_url | +| **x-ocsf-malware**:depth | malware.cves.cvss.depth | +| **x-ocsf-malware**:lang | malware.cves.product.lang | +| **x-ocsf-malware**:modified_time | malware.cves.modified_time | +| **x-ocsf-malware**:name | malware.name | +| **x-ocsf-malware**:overall_score | malware.cves.cvss.overall_score | +| **x-ocsf-malware**:path | malware.path | +| **x-ocsf-malware**:provider | malware.provider | +| **x-ocsf-malware**:severity | malware.cves.cvss.severity | +| **x-ocsf-malware**:type | malware.cves.type | +| **x-ocsf-malware**:uid | malware.uid | +| **x-ocsf-malware**:value | malware.cves.product.value | +| **x-ocsf-malware**:vector_string | malware.cves.cvss.vector_string | +| **x-ocsf-malware**:vendor_name | malware.cves.product.vendor_name | +| **x-ocsf-malware**:version | malware.cves.cvss.version | | **x-ocsf-metadata**:correlation_uid | metadata.correlation_uid | | **x-ocsf-metadata**:labels | metadata.labels | | **x-ocsf-metadata**:logged_time | metadata.logged_time | @@ -253,6 +324,8 @@ ### Supported STIX Objects and Properties for Query Results | STIX Object | STIX Property | Data Source Field | |--|--|--| +| directory | path | parent_folder | +|
| | | | domain-name | resolves_to_refs | resource_instancedetails_networkinterfaces_0_privateipaddress | | domain-name | resolves_to_refs | resource_instancedetails_networkinterfaces_0_publicip | | domain-name | value | resource_instancedetails_networkinterfaces_0_privatednsname | @@ -265,6 +338,27 @@ |
| | | | email-addr | value | email_addr | |
| | | +| file | accessed | accessed_time | +| file | extensions.x-ocsf-file-ext.attributes | attributes | +| file | extensions.x-ocsf-file-ext.company_name | company_name | +| file | extensions.x-ocsf-file-ext.confidentiality | confidentiality | +| file | extensions.x-ocsf-file-ext.confidentiality_id | confidentiality_id | +| file | created | created_time | +| file | extensions.x-ocsf-file-ext.description | desc | +| file | extensions.x-ocsf-file-ext.algorithm | algorithm | +| file | extensions.x-ocsf-file-ext.algorithm_id | algorithm_id | +| file | extensions.x-ocsf-file-ext.algorithm_value | value | +| file | name | name | +| file | parent_directory_ref | parent_folder | +| file | extensions.x-ocsf-file-ext.path | path | +| file | extensions.x-ocsf-file-ext.security_descriptor | security_descriptor | +| file | extensions.x-ocsf-file-ext.signature | signature | +| file | size | size | +| file | extensions.x-ocsf-file-ext.type | type | +| file | extensions.x-ocsf-file-ext.type_id | type_id | +| file | extensions.x-ocsf-file-ext.uid | uid | +| file | extensions.x-ocsf-file-ext.version | version | +|
| | | | ipv4-addr | value | ip | | ipv4-addr | value | intermediate_ips | | ipv4-addr | value | sourceaddress | @@ -334,13 +428,33 @@ | network-traffic | dst_port | service_action_networkconnectionaction_remoteportdetails_port | | network-traffic | protocols | service_action_networkconnectionaction_protocol | |
| | | -| software | extension.product.feature_name | name | -| software | extension.product.feature_uid | uid | -| software | extension.product.feature_version | version | +| process | command_line | cmd_line | +| process | created | created_time | +| process | extensions.x-ocsf-process-ext.is_system | is_system | +| process | mime_type | mime_type | +| process | extensions.x-ocsf-process-ext.modified_time | modified_time | +| process | binary_ref | name | +| process | extensions.x-ocsf-process-ext.xattributes | xattributes | +| process | extensions.x-ocsf-process-ext.integrity | integrity | +| process | extensions.x-ocsf-process-ext.integrity_id | integrity_id | +| process | extensions.x-ocsf-process-ext.lineage | lineage | +| process | extensions.x-ocsf-process-ext.loaded_modules | loaded_modules | +| process | name | name | +| process | pid | pid | +| process | child_refs | pid | +| process | extensions.x-ocsf-process-ext.loaded_modules | sandbox | +| process | extensions.x-ocsf-process-ext.terminated_time | terminated_time | +| process | extensions.x-ocsf-process-ext.tid | tid | +| process | x_unique_id | uid | +| process | parent_ref | pid | +|
| | | +| software | extensions.x-ocsf-product-ext.feature_name | name | +| software | extensions.x-ocsf-product-ext.feature_uid | uid | +| software | extensions.x-ocsf-product-ext.feature_version | version | | software | languages | lang | | software | name | name | -| software | extension.product.path | path | -| software | extension.product.uid | uid | +| software | extensions.x-ocsf-product-ext.installed_path | path | +| software | extensions.x-ocsf-product-ext.product_uid | uid | | software | vendor | vendor_name | | software | version | version | | software | name | resource_instancedetails_platform | 
@@ -365,6 +479,23 @@ | user-account | extensions.aws-account-ext.type_id | type_id | | user-account | extensions.aws-account-ext.uid | uid | | user-account | extensions.aws-account-ext.uuid | uuid | +| user-account | extensions.x-accessor-ext.account_type_id | account_type_id | +| user-account | extensions.x-accessor-ext.account_uid | account_uid | +| user-account | extensions.x-accessor-ext.credential_uid | credential_uid | +| user-account | extensions.x-accessor-ext.domain | domain | +| user-account | extensions.x-accessor-ext.group_desc | desc | +| user-account | extensions.x-accessor-ext.group_name | name | +| user-account | extensions.x-accessor-ext.group_privileges | privileges | +| user-account | extensions.x-accessor-ext.group_type | type | +| user-account | extensions.x-accessor-ext.group_uid | uid | +| user-account | extensions.x-accessor-ext.org_uid | org_uid | +| user-account | extensions.x-accessor-ext.session_uid | session_uid | +| user-account | extensions.x-accessor-ext.session_uuid | session_uuid | +| user-account | extensions.x-accessor-ext.type | type | +| user-account | extensions.x-accessor-ext.type_id | type_id | +| user-account | user_id | uid | +| user-account | extensions.x-accessor-ext.uuid | uuid | +| user-account | creator_user_ref | uid | | user-account | user_id | resource_accesskeydetails_principalid | | user-account | account_login | resource_accesskeydetails_username | |
| | | @@ -386,21 +517,35 @@ | x-aws-vpc | security_group_name | resource_instancedetails_networkinterfaces_0_securitygroups_0_groupname | |
| | | | x-ibm-finding | time_observed | _time | +| x-ibm-finding | ttp_tagging_refs | name | | x-ibm-finding | event_count | count | | x-ibm-finding | end | end_time | -| x-ibm-finding | name | name | -| x-ibm-finding | finding_type | type | -| x-ibm-finding | alert_id | type_id | -| x-ibm-finding | description | value | +| x-ibm-finding | start | created_time | +| x-ibm-finding | description | desc | +| x-ibm-finding | time_observed | first_seen_time | +| x-ibm-finding | extensions.x-ocsf-findings.last_seen_time | last_seen_time | +| x-ibm-finding | extensions.x-ocsf-findings.modified_time | modified_time | +| x-ibm-finding | extensions.x-ocsf-findings.product_uid | product_uid | +| x-ibm-finding | extensions.x-ocsf-findings.type | type | +| x-ibm-finding | extensions.x-ocsf-findings.type_uid | type_uid | +| x-ibm-finding | extensions.x-ocsf-findings.uid | uid | +| x-ibm-finding | extensions.x-ocsf-findings.remediation_desc | desc | +| x-ibm-finding | extensions.x-ocsf-findings.remediation_kb_articles | kb_articles | +| x-ibm-finding | extensions.x-ocsf-findings.src_url | src_url | +| x-ibm-finding | extensions.x-ocsf-findings.upporting_data | supporting_data | +| x-ibm-finding | name | title | +| x-ibm-finding | types | types | +| x-ibm-finding | alert_id | uid | +| x-ibm-finding | ioc_refs | name | | x-ibm-finding | severity | severity_id | | x-ibm-finding | src_ip_ref | ip | | x-ibm-finding | dst_ip_ref | ip | -| x-ibm-finding | start | start_time | | x-ibm-finding | src_ip_ref | sourceaddress | | x-ibm-finding | dst_ip_ref | destinationaddress | | x-ibm-finding | start | starttime | | x-ibm-finding | end | endtime | | x-ibm-finding | finding_type | action | +| x-ibm-finding | name | name | | x-ibm-finding | src_ip_ref | resource_instancedetails_networkinterfaces_0_privateipaddress | | x-ibm-finding | dst_ip_ref | service_action_networkconnectionaction_remoteipdetails_ipaddressv4 | | x-ibm-finding | dst_geolocation | 
service_action_networkconnectionaction_remoteipdetails_ipaddressv4 | @@ -412,12 +557,24 @@ | x-ibm-finding | dst_geolocation | service_action_awsapicallaction_remoteipdetails_ipaddressv4 | | x-ibm-finding | src_ip_ref | dnsrequest_resource_instancedetails_networkinterfaces_0_privateipaddress | | x-ibm-finding | severity | severity | -| x-ibm-finding | name | title | +| x-ibm-finding | finding_type | type | | x-ibm-finding | description | description | | x-ibm-finding | src_os_ref | resource_instancedetails_platform | | x-ibm-finding | start | service_eventfirstseen | | x-ibm-finding | end | service_eventlastseen | |
| | | +| x-ibm-observables | name | name | +| x-ibm-observables | finding_type | type | +| x-ibm-observables | alert_id | type_id | +| x-ibm-observables | description | value | +|
| | | +| x-ibm-ttp-tagging | extensions.mitre-attack-ext.tactic_name | name | +| x-ibm-ttp-tagging | extensions.mitre-attack-ext.tactic_id | uid | +| x-ibm-ttp-tagging | name | name | +| x-ibm-ttp-tagging | extensions.mitre-attack-ext.technique_name | name | +| x-ibm-ttp-tagging | extensions.mitre-attack-ext.technique_id | uid | +| x-ibm-ttp-tagging | extensions.mitre-attack-ext.versoin | version | +|
| | | | x-oca-asset | extensions.x-src-endpoint.svc_name | svc_name | | x-oca-asset | ip_refs | ip | | x-oca-asset | ip_refs | intermediate_ips | @@ -434,10 +591,13 @@ |
| | | | x-oca-event | action | activity | | x-oca-event | code | activity_id | +| x-oca-event | action | activity_name | | x-oca-event | category | category_name | | x-oca-event | code | category_uid | | x-oca-event | module | class_name | | x-oca-event | extensions.x-cloud-api.class_uid | class_uid | +| x-oca-event | confidence | confidence | +| x-oca-event | extensions.x-ocsf-data.data | data | | x-oca-event | duration | duration | | x-oca-event | network_ref | ip | | x-oca-event | created | time | @@ -480,6 +640,10 @@ | x-ocsf-cloud | type_name | type_name | | x-ocsf-cloud | type_uid | type_uid | |
| | | +| x-ocsf-compliance | requirements | requirements | +| x-ocsf-compliance | status | status | +| x-ocsf-compliance | status_detail | status_detail | +|
| | | | x-ocsf-enrichments | data | data | | x-ocsf-enrichments | name | name | | x-ocsf-enrichments | provider | provider | @@ -518,6 +682,25 @@ | x-ocsf-identity | session.mfa | mfa | | x-ocsf-identity | session.uid | uid | |
| | | +| x-ocsf-malware | classification_ids | classification_ids | +| x-ocsf-malware | classifications | classifications | +| x-ocsf-malware | created_time | created_time | +| x-ocsf-malware | base_score | base_score | +| x-ocsf-malware | depth | depth | +| x-ocsf-malware | name | name | +| x-ocsf-malware | value | value | +| x-ocsf-malware | overall_score | overall_score | +| x-ocsf-malware | severity | severity | +| x-ocsf-malware | vector_string | vector_string | +| x-ocsf-malware | version | version | +| x-ocsf-malware | cwe_uid | cwe_uid | +| x-ocsf-malware | cwe_url | cwe_url | +| x-ocsf-malware | modified_time | modified_time | +| x-ocsf-malware | type | type | +| x-ocsf-malware | uid | uid | +| x-ocsf-malware | path | path | +| x-ocsf-malware | provider | provider | +|
| | | | x-ocsf-metadata | correlation_uid | correlation_uid | | x-ocsf-metadata | labels | labels | | x-ocsf-metadata | logged_time | logged_time | @@ -540,3 +723,30 @@ | x-ocsf-resources | type | type | | x-ocsf-resources | uid | uid | |
| | | +| x-ocsf-vulnerabilities | created_time | created_time | +| x-ocsf-vulnerabilities | base_score | base_score | +| x-ocsf-vulnerabilities | depth | depth | +| x-ocsf-vulnerabilities | name | name | +| x-ocsf-vulnerabilities | value | value | +| x-ocsf-vulnerabilities | overall_score | overall_score | +| x-ocsf-vulnerabilities | severity | severity | +| x-ocsf-vulnerabilities | vector_string | vector_string | +| x-ocsf-vulnerabilities | version | version | +| x-ocsf-vulnerabilities | cwe_uid | cwe_uid | +| x-ocsf-vulnerabilities | cwe_url | cwe_url | +| x-ocsf-vulnerabilities | modified_time | modified_time | +| x-ocsf-vulnerabilities | type | type | +| x-ocsf-vulnerabilities | uid | uid | +| x-ocsf-vulnerabilities | desc | desc | +| x-ocsf-vulnerabilities | kb_articles | kb_articles | +| x-ocsf-vulnerabilities | packages_architecture | architecture | +| x-ocsf-vulnerabilities | packages_epoch | epoch | +| x-ocsf-vulnerabilities | packages_license | license | +| x-ocsf-vulnerabilities | packages_name | name | +| x-ocsf-vulnerabilities | packages_release | release | +| x-ocsf-vulnerabilities | packages_version | version | +| x-ocsf-vulnerabilities | references | references | +| x-ocsf-vulnerabilities | related_vulnerabilities | related_vulnerabilities | +| x-ocsf-vulnerabilities | title | title | +| x-ocsf-vulnerabilities | vendor_name | vendor_name | +|
| | | diff --git a/adapter-guide/connectors/azure_log_analytics_supported_stix.md b/adapter-guide/connectors/azure_log_analytics_supported_stix.md new file mode 100644 index 000000000..1eb8bd1cf --- /dev/null +++ b/adapter-guide/connectors/azure_log_analytics_supported_stix.md @@ -0,0 +1,209 @@ +##### Updated on 01/24/23 +## Azure Log Analytics +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | and | +| OR | or | +| = | == | +| != | != | +| IN | in | +| MATCHES | contains | +| LIKE | startswith, endswith | +|
| | +### Searchable STIX objects and properties for Securityalert +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **x-ibm-finding**:start | StartTime, TimeGenerated | +| **x-ibm-finding**:end | EndTime, ProcessingEndTime | +| **x-ibm-finding**:name | AlertName | +| **x-ibm-finding**:time_observed | TimeGenerated, EventTime | +| **x-oca-event**:created | TimeGenerated | +| **x-oca-event**:provider | ProviderName | +| **x-oca-event**:domain_ref | DomainName | +| **x-azure-security-alert**:tenant_id | TenantId | +| **x-azure-security-alert**:subscription_id | WorkspaceSubscriptionId | +| **x-azure-security-alert**:resourceId | _ResourceId | +| **x-azure-security-alert**:alert_severity | AlertSeverity | +| **x-azure-security-alert**:description | Description | +| **x-azure-security-alert**:product_name | ProductName | +| **x-azure-security-alert**:vendor_name | VendorName | +| **x-azure-security-alert**:system_alertid | SystemAlertId | +| **x-azure-security-alert**:status | Status | +| **x-azure-security-alert**:extented_properties | ExtentedProperties | +| **x-azure-security-alert**:confidence_level | ConfidenceLevel | +| **x-azure-security-alert**:entities | Entities | +| **x-azure-security-alert**:display_name | DisplayName | +| **x-azure-security-alert**:workspace_resource_group | WorkspaceResourceGroup | +| **x-azure-security-alert**:compromised_entity | CompromisedEntity | +|
| | +### Searchable STIX objects and properties for Securityevent +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **ipv4-addr**:value | IpAddress | +| **domain-name**:value | TargetDomainName | +| **user-account**:account_login | TargetUserName | +| **directory**:path | HomeDirectory, HomePath | +| **file**:path | FilePath | +| **file**:hashes.'SHA-256' | FileHash | +| **file**:hashes.MD5 | FileHash | +| **file**:hashes.'SHA-1' | FileHash | +| **process**:name | ProcessName, LogonProcessName | +| **process**:parent_ref.name | ParentProcessName | +| **process**:command_line | CommandLine | +| **process**:pid | ProcessId | +| **url**:value | QuarantineHelpURL | +| **x-ibm-finding**:start | TimeGenerated | +| **x-ibm-finding**:end | PreviousTime | +| **x-ibm-finding**:name | EventSourceName | +| **x-ibm-finding**:time_observed | TimeGenerated | +| **x-ibm-finding**:src_ip_ref | IpAddress | +| **x-ibm-finding**:dst_ip_ref | ClientIPAddress | +| **x-oca-event**:created | TimeGenerated | +| **x-oca-event**:code | EventID | +| **x-oca-event**:provider | Account | +| **x-oca-event**:url_ref | QuarantineHelpURL | +| **x-oca-event**:process_ref | ProcessName | +| **x-oca-event**:file_ref.hash | FileHash | +| **x-oca-event**:file_ref.path | FilePath | +| **x-oca-event**:file_ref.service | ServiceFileName | +| **x-oca-event**:parent_process_ref | ParentProcessName | +| **x-oca-event**:ip_refs.ip | IpAddress | +| **x-oca-event**:ip_refs.clientIp | ClientIPAddress | +| **x-azure-security-event**:title | Title | +| **x-azure-security-event**:text | Description, DeviceDescription | +| **x-azure-security-event**:device_name | DeviceId | +| **x-azure-security-event**:source | SourceSystem | +| **x-azure-security-event**:alert_type | AlertName | +| **x-azure-security-event**:activity | Activity | +| **x-azure-security-event**:computer | Computer | +| **x-azure-security-event**:event_data | EventData | +| **x-azure-security-event**:service_name | ServiceName | +| 
**x-azure-security-event**:task | Task | +| **x-azure-security-event**:user_parameter | UserParameter | +| **x-azure-security-event**:member_name | MemberName | +| **x-azure-security-event**:requester | Requester | +|
| | +### Searchable STIX objects and properties for Securityincident +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **url**:value | IncidentUrl | +| **x-ibm-finding**:start | FirstActivityTime, FirstModifiedTime, TimeGenerated | +| **x-ibm-finding**:end | ClosedTime, LastActivityTime, LastModifiedTime | +| **x-ibm-finding**:name | IncidentName | +| **x-ibm-finding**:time_observed | TimeGenerated | +| **x-oca-event**:created | CreatedTime | +| **x-oca-event**:provider | ProviderName | +| **x-oca-event**:url_ref | IncidentUrl | +| **x-oca-event**:domain_ref | DomainName | +| **x-azure-security-incident**:incident_name | IncidentName | +| **x-azure-security-incident**:severity | Severity | +| **x-azure-security-incident**:owner | Owner | +| **x-azure-security-incident**:additional_data | AdditionalData | +| **x-azure-security-incident**:alertids | AlertIds | +| **x-azure-security-incident**:comments | Comments | +| **x-azure-security-incident**:description | Description | +| **x-azure-security-incident**:labels | Labels | +| **x-azure-security-incident**:modified_by | ModifiedBy | +| **x-azure-security-incident**:classification | Classification | +|
| | +### Supported STIX Objects and Properties for Query Results +| STIX Object | STIX Property | Data Source Field | +|--|--|--| +| directory | path | HomeDirectory | +| directory | path | HomePath | +|
| | | +| domain-name | value | TargetDomainName | +|
| | | +| file | path | FilePath | +| file | hashes | FileHash | +|
| | | +| ipv4-addr | value | IpAddress | +|
| | | +| process | name | ProcessName | +| process | command_line | CommandLine | +| process | pid | ProcessId | +| process | parent_ref | ParentProcessName | +| process | name | LogonProcessName | +|
| | | +| url | name | QuarantineHelpURL | +| url | name | IncidentUrl | +|
| | | +| user-account | account_login | TargetUserName | +|
| | | +| x-azure-security-alert | tenant_id | TenantId | +| x-azure-security-alert | subscription_id | WorkspaceSubscriptionId | +| x-azure-security-alert | resourceId | _ResourceId | +| x-azure-security-alert | alert_severity | AlertSeverity | +| x-azure-security-alert | description | Description | +| x-azure-security-alert | product_name | ProductName | +| x-azure-security-alert | vendor_name | VendorName | +| x-azure-security-alert | cloudAppStates.system_alertid | SystemAlertId | +| x-azure-security-alert | status | Status | +| x-azure-security-alert | extented_properties | ExtentedProperties | +| x-azure-security-alert | confidence_level | ConfidenceLevel | +| x-azure-security-alert | entities | Entities | +| x-azure-security-alert | display_name | DisplayName | +| x-azure-security-alert | workspace_resource_group | WorkspaceResourceGroup | +| x-azure-security-alert | compromised_entity | CompromisedEntity | +|
| | | +| x-azure-security-event | alert_type | AlertName | +| x-azure-security-event | description | Description | +| x-azure-security-event | event_id | eventId | +| x-azure-security-event | title | Title | +| x-azure-security-event | text | DeviceDescription | +| x-azure-security-event | source | SourceSystem | +| x-azure-security-event | activity | Activity | +| x-azure-security-event | computer | Computer | +| x-azure-security-event | event_data | EventData | +| x-azure-security-event | service_name | ServiceName | +| x-azure-security-event | task | Task | +| x-azure-security-event | user_parameter | UserParameter | +| x-azure-security-event | member_name | MemberName | +| x-azure-security-event | requester | Requester | +|
| | | +| x-azure-security-incident | incident_name | IncidentName | +| x-azure-security-incident | severity | Severity | +| x-azure-security-incident | owner | Owner | +| x-azure-security-incident | additional_data | AdditionalData | +| x-azure-security-incident | alertids | AlertIds | +| x-azure-security-incident | comments | Comments | +| x-azure-security-incident | description | Description__incident | +| x-azure-security-incident | labels | Labels | +| x-azure-security-incident | modified_by | ModifiedBy | +|
| | | +| x-ibm-finding | name | EventSourceName | +| x-ibm-finding | name | AlertName | +| x-ibm-finding | name | IncidentName | +| x-ibm-finding | start | TimeGenerated | +| x-ibm-finding | time_observed | TimeGenerated | +| x-ibm-finding | time_observed | EventTime | +| x-ibm-finding | start | PreviousTime | +| x-ibm-finding | src_ip_ref | IpAddress | +| x-ibm-finding | dst_ip_ref | ClientIPAddress | +| x-ibm-finding | start | StartTime | +| x-ibm-finding | end | EndTime | +| x-ibm-finding | end | ProcessingEndTime | +| x-ibm-finding | start | FirstActivityTime | +| x-ibm-finding | start | FirstModifiedTime | +| x-ibm-finding | end | ClosedTime | +| x-ibm-finding | end | LastActivityTime | +| x-ibm-finding | end | LastModifiedTime | +|
| | | +| x-oca-asset | device_id | DeviceId | +|
| | | +| x-oca-event | created | TimeGenerated | +| x-oca-event | provider | ProviderName | +| x-oca-event | code | EventID | +| x-oca-event | ip_refs | IpAddress | +| x-oca-event | ip_refs.clientIp | ClientIPAddress | +| x-oca-event | created | CreatedTime | +| x-oca-event | provider | Account | +| x-oca-event | url_ref | QuarantineHelpURL | +| x-oca-event | url_ref | IncidentUrl | +| x-oca-event | process_ref | ProcessName | +| x-oca-event | parent_process_ref | ParentProcessName | +| x-oca-event | file_ref.path | FilePath | +| x-oca-event | file_ref.path | FileHash | +| x-oca-event | file_ref.service | ServiceFileName | +|
| | | diff --git a/adapter-guide/connectors/azure_sentinel_supported_stix.md b/adapter-guide/connectors/azure_sentinel_supported_stix.md index aa7fd3075..7ca5c3f37 100644 --- a/adapter-guide/connectors/azure_sentinel_supported_stix.md +++ b/adapter-guide/connectors/azure_sentinel_supported_stix.md @@ -1,5 +1,5 @@ -##### Updated on 11/04/22 -## Microsoft Azure Sentinel +##### Updated on 01/24/23 +## Microsoft Graph Security ### Supported STIX Operators | STIX Operator | Data Source Operator | |--|--| diff --git a/adapter-guide/connectors/elastic_ecs_supported_stix.md b/adapter-guide/connectors/elastic_ecs_supported_stix.md index 6725f0950..5c61254a4 100644 --- a/adapter-guide/connectors/elastic_ecs_supported_stix.md +++ b/adapter-guide/connectors/elastic_ecs_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/04/22 +##### Updated on 01/24/23 ## Elasticsearch ECS ### Supported STIX Operators | STIX Operator | Data Source Operator | @@ -506,7 +506,7 @@ | x-ecs-cloud | provider | provider | | x-ecs-cloud | region | region | |
| | | -| x-ecs-container | id | id | +| x-ecs-container | container_id | id | | x-ecs-container | image_name | name | | x-ecs-container | image_tag | tag | | x-ecs-container | labels | labels | @@ -543,7 +543,7 @@ | x-ecs-dll | hashes.SHA-512 | sha512 | |
| | | | x-ecs-error | code | code | -| x-ecs-error | id | id | +| x-ecs-error | error_id | id | | x-ecs-error | message | message | | x-ecs-error | stack_trace | stack_trace | | x-ecs-error | type | type | @@ -574,7 +574,7 @@ | x-ecs-file | uid | uid | |
| | | | x-ecs-group | domain | domain | -| x-ecs-group | id | id | +| x-ecs-group | group_id | id | | x-ecs-group | name | name | |
| | | | x-ecs-http | request_body_bytes | bytes | @@ -643,7 +643,7 @@ | x-ecs-observer | geo_region_iso_code | region_iso_code | | x-ecs-observer | geo_region_name | region_name | |
| | | -| x-ecs-organization | id | id | +| x-ecs-organization | organization_id | id | | x-ecs-organization | name | name | |
| | | | x-ecs-process | code_signature_exists | exists | @@ -688,7 +688,7 @@ | x-ecs-rule | author | author | | x-ecs-rule | category | category | | x-ecs-rule | description | description | -| x-ecs-rule | id | id | +| x-ecs-rule | rule_id | id | | x-ecs-rule | license | license | | x-ecs-rule | name | name | | x-ecs-rule | reference | reference | @@ -711,7 +711,7 @@ | x-ecs-server | geo_region_iso_code | region_iso_code | | x-ecs-server | geo_region_name | region_name | |
| | | -| x-ecs-service | id | id | +| x-ecs-service | service_id | id | | x-ecs-service | name | name | | x-ecs-service | state | state | | x-ecs-service | type | type | @@ -757,14 +757,14 @@ | x-ecs-tls | version | version | | x-ecs-tls | version_protocol | version_protocol | |
| | | -| x-ecs-trace | id | id | +| x-ecs-trace | trace_id | id | |
| | | -| x-ecs-transaction | id | id | +| x-ecs-transaction | transaction_id | id | |
| | | | x-ecs-user | domain | domain | | x-ecs-user | full_name | full_name | | x-ecs-user | hash | hash | -| x-ecs-user | id | id | +| x-ecs-user | user_id | id | | x-ecs-user | group_domain | domain | | x-ecs-user | group_id | id | | x-ecs-user | group_name | name | @@ -778,7 +778,7 @@ | x-ecs-vulnerability | classification | classification | | x-ecs-vulnerability | description | description | | x-ecs-vulnerability | enumeration | enumeration | -| x-ecs-vulnerability | id | id | +| x-ecs-vulnerability | vulnerability_id | id | | x-ecs-vulnerability | reference | reference | | x-ecs-vulnerability | report_id | report_id | | x-ecs-vulnerability | severity | severity | @@ -791,7 +791,7 @@ | x-oca-asset | architecture | architecture | | x-oca-asset | domain | domain | | x-oca-asset | hostname | hostname | -| x-oca-asset | id | id | +| x-oca-asset | host_id | id | | x-oca-asset | ip_refs | ip | | x-oca-asset | mac_refs | mac | | x-oca-asset | name | name | @@ -823,7 +823,7 @@ | x-oca-event | network_ref | protocol | | x-oca-event | original_ref | original | | x-oca-event | action | action | -| x-oca-event | id | id | +| x-oca-event | event_id | id | | x-oca-event | category | category | | x-oca-event | code | code | | x-oca-event | created | created | diff --git a/adapter-guide/connectors/guardium_supported_stix.md b/adapter-guide/connectors/guardium_supported_stix.md index f576d56a6..4e94c4803 100644 --- a/adapter-guide/connectors/guardium_supported_stix.md +++ b/adapter-guide/connectors/guardium_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 11/04/22 +##### Updated on 01/24/23 ## IBM Guardium Data Protection ### Supported STIX Operators | STIX Operator | Data Source Operator | @@ -77,7 +77,7 @@ | network-traffic | protocols | NetworkProtocol | |
| | | | process | command_line | Path | -| process | id | Pid | +| process | pid | Pid | |
| | | | software | name | db_type | | software | name | Server Type | diff --git a/adapter-guide/connectors/splunk_supported_stix.md b/adapter-guide/connectors/splunk_supported_stix.md index 729569bdb..48f596407 100644 --- a/adapter-guide/connectors/splunk_supported_stix.md +++ b/adapter-guide/connectors/splunk_supported_stix.md @@ -1,4 +1,4 @@ -##### Updated on 12/13/22 +##### Updated on 01/24/23 ## Splunk Enterprise Security ### Supported STIX Operators | STIX Operator | Data Source Operator | @@ -14,7 +14,7 @@ | MATCHES | encoders.matches | | AND | {expr1} OR {expr2} | | OR | {expr1} OR {expr2} | -| ISSUBSET | = | +| ISSUBSET | encoders.subset | | FOLLOWEDBY | latest=[search {expr2} | append [makeresults 1 | eval _time=0] | head 1 | return $_time] | where {expr1} | |
| | ### Searchable STIX objects and properties @@ -43,7 +43,7 @@ | **x-oca-event**:user_ref.user_id | user | | **x-oca-event**:url_ref.value | url | | **x-oca-asset**:hostname | host | -| **directory**:path | file_path | +| **directory**:path | file_path, process_path, parent_process_path | | **directory**:created | file_create_time | | **directory**:modified | file_modify_time | | **domain-name**:value | host, url | @@ -71,21 +71,23 @@ | **ipv4-addr**:value | src_ip, dest_ip | | **ipv6-addr**:value | src_ipv6, dest_ipv6 | | **mac-addr**:value | src_mac, dest_mac | -| **network-traffic**:src_ref.value | src | +| **network-traffic**:src_ref.value | src_ip | | **network-traffic**:src_port | src_port | -| **network-traffic**:dst_ref.value | dest | +| **network-traffic**:dst_ref.value | dest_ip | | **network-traffic**:dst_port | dest_port | | **network-traffic**:protocols[*] | protocol | | **network-traffic**:start | earliest | | **network-traffic**:end | latest | -| **process**:name | process_name | -| **process**:command_line | process | -| **process**:pid | pid | +| **process**:name | process_name, parent_process_name | +| **process**:command_line | process, parent_process | +| **process**:pid | process_id, parent_process_id | | **process**:creator_user_ref.account_login | user | +| **process**:creator_user_ref.user_login | user | | **process**:binary_ref.parent_directory_ref.path | process_path | | **process**:binary_ref.name | process_exec | | **url**:value | url | | **user-account**:user_id | user | +| **user-account**:account_login | user | | **windows-registry-key**:key | object | | **windows-registry-key**:values[*] | result | | **windows-registry-key**:creator_user_ref.account_login | user | diff --git a/adapter-guide/supported-mappings.md b/adapter-guide/supported-mappings.md index 23654bc13..f1df9440d 100644 --- a/adapter-guide/supported-mappings.md +++ b/adapter-guide/supported-mappings.md 
@@ -19,7 +19,7 @@ Stix-shifter currently offers connector support for the following cybersecurity - [Microsoft Defender for Endpoint](connectors/msatp_supported_stix.md) - [IBM Guardium Data Protection](connectors/guardium_supported_stix.md) - [Amazon CloudWatch Logs](connectors/aws_cloud_watch_logs_supported_stix.md) -- [Microsoft Azure Sentinel](connectors/azure_sentinel_supported_stix.md) +- [Microsoft Graph Security](connectors/azure_sentinel_supported_stix.md) - [Alertflex](connectors/alertflex_supported_stix.md) - [Micro Focus ArcSight](connectors/arcsight_supported_stix.md) - [Amazon Athena](connectors/aws_athena_supported_stix.md) @@ -38,3 +38,4 @@ Stix-shifter currently offers connector support for the following cybersecurity - [Red Hat Advanced Cluster Security for Kubernetes (StackRox)](connectors/rhacs_supported_stix.md) - [IBM Security Verify](connectors/ibm_security_verify_supported_stix.md) - [GCP Chronicle](connectors/gcp_chronicle_supported_stix.md) +- [Azure Log Analytics](connectors/azure_log_analytics_supported_stix.md) diff --git a/stix_shifter/scripts/supported_property_exporter.py b/stix_shifter/scripts/supported_property_exporter.py index 99414debf..d080c8fb7 100644 --- a/stix_shifter/scripts/supported_property_exporter.py +++ b/stix_shifter/scripts/supported_property_exporter.py @@ -20,7 +20,7 @@ # "security_advisor": "IBM Cloud Security Advisor", "guardium": "IBM Guardium Data Protection", "aws_cloud_watch_logs": "Amazon CloudWatch Logs", - "azure_sentinel": "Microsoft Azure Sentinel", + "azure_sentinel": "Microsoft Graph Security", "alertflex": "Alertflex", "arcsight": "Micro Focus ArcSight", "aws_athena": "Amazon Athena", @@ -39,7 +39,8 @@ "darktrace": "Darktrace", "rhacs": "Red Hat Advanced Cluster Security for Kubernetes (StackRox)", "ibm_security_verify": "IBM Security Verify", - "gcp_chronicle": "GCP Chronicle" + "gcp_chronicle": "GCP Chronicle", + "azure_log_analytics": "Azure Log Analytics" } DIALECTS = { 
@@ -51,7 +52,8 @@ "infoblox": ["dnsEventData", "dossierData", "tideDbData"], "paloalto": ["xdr_data"], "secretserver": ["event"], - "trendmicro_vision_one": ["endpointActivityData", "messageActivityData"] + "trendmicro_vision_one": ["endpointActivityData", "messageActivityData"], + "azure_log_analytics": ["SecurityAlert", "SecurityEvent", "SecurityIncident"] } DEFAULT_DIALECT = "default" From c2a356179021f3032a85c179d08bf7b32e8c7dfd Mon Sep 17 00:00:00 2001 From: Paul Coccoli Date: Wed, 1 Feb 2023 08:43:13 -0500 Subject: [PATCH 28/30] elastic_ecs: fix STIX 2.1 results translation (#1306) --- .../stix_translation/results_translator.py | 9 +------ .../test_elastic_ecs_json_to_stix.py | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/stix_shifter_modules/elastic_ecs/stix_translation/results_translator.py b/stix_shifter_modules/elastic_ecs/stix_translation/results_translator.py index 6293b74d7..9b9be9bde 100644 --- a/stix_shifter_modules/elastic_ecs/stix_translation/results_translator.py +++ b/stix_shifter_modules/elastic_ecs/stix_translation/results_translator.py @@ -25,16 +25,9 @@ def translate_results(self, data_source, data): event = result['event'] if event.get('original'): result['event']['mime_type_event'] = 'text/plain' - + data = json.dumps(results, indent=4) results = super().translate_results(data_source, data) - json_data = json.loads(data) - - if len(results['objects']) - 1 == len(json_data): - for i in range(1, len(results['objects'])): - results['objects'][i]['number_observed'] = 1 - else: - raise RuntimeError("Incorrect number of result objects after translation. Found: {}, expected: {}.".format(len(results['objects']) - 1, len(json_data))) return results diff --git a/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_json_to_stix.py b/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_json_to_stix.py index fa770081a..0a3a6d4bc 100644 
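Review bot: `data = json.dumps(results, indent=4)` pretty-prints a payload that `super().translate_results` re-parses immediately, so the indentation is pure overhead on large result sets; `data = json.dumps(results)` is enough. Rebinding the `data` parameter also hides the original input from that point on, which is fine here but deserves a one-line comment such as `# re-serialise after the mime_type_event fix-up so the base translator sees the patched events`. The hunk drops the post-translation object-count check and the explicit `number_observed = 1` loop without a replacement in this file; if the base translator is now expected to set `number_observed`, a short comment saying so would stop the next reader from re-adding the loop. `translate_results` begins outside the hunk.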
--- a/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_json_to_stix.py +++ b/stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_json_to_stix.py @@ -201,6 +201,32 @@ def test_common_prop(self): assert (observed_data['id'] is not None) assert (observed_data['type'] == "observed-data") assert (observed_data['created_by_ref'] == result_bundle_identity['id']) + assert (observed_data['created'] is not None) + assert (observed_data['modified'] is not None) + assert (observed_data['number_observed'] == 1) + + def test_stix_2_1(self): + test_source = json.dumps(data_source) + test_data = json.dumps([data]) + test_options = { + "stix_2.1": True + } + + translation = stix_translation.StixTranslation() + result_bundle = translation.translate('elastic_ecs', 'results', test_source, test_data, test_options) + print(result_bundle) + result_bundle_objects = result_bundle['objects'] + observed_data = result_bundle_objects[1] + + assert (observed_data['id'] is not None) + assert (observed_data['type'] == "observed-data") + assert (observed_data['created_by_ref'] == data_source['id']) + assert (observed_data['created'] is not None) + assert (observed_data['modified'] is not None) + assert (observed_data['number_observed'] == 1) + assert('object_refs' in observed_data) + assert('objects' not in observed_data) + #TODO: check other objects def test_custom_mapping(self): data_source_string = json.dumps(data_source) From adebe95e56a3a08df5c23dbeb419f2e4a6bddc23 Mon Sep 17 00:00:00 2001 From: Paul Coccoli Date: Wed, 1 Feb 2023 09:32:28 -0500 Subject: [PATCH 29/30] elastic_ecs: remove unneeded ValueToList transformer from event.category mapping (#1305) --- .../elastic_ecs/stix_translation/json/to_stix_map.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
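Review bot: `print(result_bundle)` in the new `test_stix_2_1` dumps the whole bundle to stdout on every run and should be removed before merge. The trailing `#TODO: check other objects` leaves the STIX 2.1 assertions covering only the observed-data SDO: `object_refs` is asserted to exist, but none of the referenced objects is checked, so a mapping regression in the cyber-observable objects would still pass. The enclosing test class starts outside the hunk.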
diff --git a/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json b/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json index 72faf0d5b..c502ec5ca 100644 --- a/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json @@ -637,8 +637,7 @@ }, "category": { "key": "x-oca-event.category", - "object": "event", - "transformer": "ValueToList" + "object": "event" }, "code": { "key": "x-oca-event.code", From 3bf0aa5d67835e22518deceea3bf4f2ab606e3a8 Mon Sep 17 00:00:00 2001 From: Jingqiu Du Date: Wed, 1 Feb 2023 11:02:58 -0400 Subject: [PATCH 30/30] Fix Reqata SITX 2.1 mappings for image_ref (#1291) --- .../json/stix_2_1/from_stix_map.json | 4 ++-- .../json/stix_2_1/to_stix_map.json | 20 +++++++++---------- .../test_reaqta_json_to_stix.py | 6 +++--- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json index 2a58ed0dd..6eb5a57c4 100644 --- a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json +++ b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json @@ -40,7 +40,7 @@ }, "process": { "fields": { - "binary_ref.name": ["filename"], + "image_ref.name": ["filename"], "creator_user_ref.user_id": [], "extensions.'windows-process-ext'.owner_sid": ["user.sid"], "extensions.'x-reaqta-process'.logon_id": ["service.login.id"], @@ -271,4 +271,4 @@ "serial_number": ["__etwCertSerialNumber"] } } -} \ No newline at end of file +} diff --git a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json index 4911ed314..def60f39d 100644 --- a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json 
+++ b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json @@ -127,7 +127,7 @@ "object": "file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "process", "references": "file" }, @@ -288,7 +288,7 @@ "object": "accessorProcess_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "accessorProcess_process", "references": "accessorProcess_file" }, @@ -456,7 +456,7 @@ "object": "allocatorProc_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "allocatorProc_process", "references": "allocatorProc_file" }, @@ -658,7 +658,7 @@ "object": "childProcess_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "childProcess_process", "references": "childProcess_file" }, @@ -919,7 +919,7 @@ "object": "engineProcess_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "engineProcess_process", "references": "engineProcess_file" }, @@ -1024,7 +1024,7 @@ "object": "etw_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "process_etw", "references": "etw_file" }, @@ -1143,7 +1143,7 @@ "object": "etw_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "process_etw", "references": "etw_file" }, @@ -1219,7 +1219,7 @@ "object": "etw_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "process_etw", "references": "etw_file" }, @@ -1726,7 +1726,7 @@ "object": "serviceProcess_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "serviceProcess_process", "references": "serviceProcess_file" }, @@ -1914,7 +1914,7 @@ "object": "targetProcess_file" }, { - "key": "process.binary_ref", + "key": "process.image_ref", "object": "targetProcess_process", "references": "targetProcess_file" }, 
diff --git a/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py index 12d62a039..0d03ad1b6 100644 --- a/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py +++ b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py @@ -432,13 +432,13 @@ def test_stix_21_prop(self): proc_obj = TestReaqtaResultsToStix.get_first_cybox_of_type_stix_2_1(result_bundle_objects, 'process') assert(proc_obj is not None), 'process object type not found' - assert(proc_obj.keys() == {'type', 'extensions', 'id', 'spec_version', 'binary_ref', 'creator_user_ref', 'pid', 'created', 'parent_ref', 'command_line', 'x_unique_id'}) + assert(proc_obj.keys() == {'type', 'extensions', 'id', 'spec_version', 'image_ref', 'creator_user_ref', 'pid', 'created', 'parent_ref', 'command_line', 'x_unique_id'}) user_ref = proc_obj['creator_user_ref'] assert(user_ref.object_id in observed_data['object_refs']), f"creator_user_ref with key {proc_obj['creator_user_ref']} not found" - binary_ref = proc_obj['binary_ref'] - assert(binary_ref.object_id in observed_data['object_refs']), f"binary_ref with key {proc_obj['binary_ref']} not found" + image_ref = proc_obj['image_ref'] + assert(image_ref.object_id in observed_data['object_refs']), f"image_ref with key {proc_obj['image_ref']} not found" parent_ref = proc_obj['parent_ref'] assert(parent_ref.object_id in observed_data['object_refs']), f"parent_ref with key {proc_obj['parent_ref']} not found"