Initial To Stix mapping - Event and Transformers
DerekRushton committed Dec 7, 2023
1 parent 9c01cd5 commit a47f9ee
Showing 6 changed files with 448 additions and 30 deletions.
Expand Up @@ -9,22 +9,21 @@
"transformer": "EpochToTimestamp"
}
],
"srcip":
[
{
"key": "ipv4-addr.value",
"object": "src_ip"
},
{
"key": "ipv6-addr.value",
"object": "src_ip"
},
{
"key": "network-traffic.src_ref",
"object": "nt",
"references": "src_ip"
}
],
"srcip": [
{
"key": "ipv4-addr.value",
"object": "src_ip"
},
{
"key": "ipv6-addr.value",
"object": "src_ip"
},
{
"key": "network-traffic.src_ref",
"object": "nt",
"references": "src_ip"
}
],
"dstip": [
{
"key": "ipv4-addr.value",
206 changes: 206 additions & 0 deletions stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
@@ -1,2 +1,208 @@
{
"computerIpAddress":
[{
"key": "ipv4-addr.value",
"object": "ip"
},
{
"key": "x-oca-event.ip_refs",
"object": "x-oca-event",
"references": ["ip"]
},
{
"key": "x-oca-asset.ip_refs",
"object": "asset",
"references": ["ip"]
}],
"computerName":
[{
"key": "x-oca-asset.hostname",
"object": "asset"
},
{
"key": "x-oca-event.host_ref",
"object": "x-oca-event",
"references": "asset"
}],
"state":
{
"key": "x-oca-event.outcome",
"object": "x-oca-event"
},
"severity":
{
"key": "x-oca-event.severity",
"object": "x-oca-event"
},
"details": [
{
"key": "process",
"object": "process_all",
"transformer":"ProcessTransformer"
},
{
"key": "process.pid",
"object": "process_some",
"transformer":"ProcessPidTransformer"
},
{
"key": "process.created",
"object": "process_some",
"transformer":"ProcessCreatedTransformer"
},
{
"key": "process.args",
"object": "process_some",
"transformer":"ProcessArgsTransformer"
},
{
"key": "process.name",
"object": "process_some",
"transformer":"ProcessNameTransformer"
},
{
"key": "process.cwd",
"object": "process_some",
"transformer":"ProcessCWDPathTransformer"
},
{
"key": "user-account.user_id",
"object": "user",
"transformer":"ProcessUserIdTransformer"
},
{
"key": "user-account.display_name",
"object": "user",
"transformer":"ProcessUserDisplayNameTransformer"
},
{
"key": "user-account.is_service_account",
"object": "user",
"transformer":"ProcessUserDaemonTransformer"
},
{
"key": "process.creator_user_ref",
"object": "process_some",
"references":"user"
},
{
"key": "binary_ref.hashes",
"object": "processFile",
"transformer":"ProcessFileHashesTransformer"
},
{
"key": "binary_ref.name",
"object": "processFile",
"transformer": "ProcessNameTransformer"
},
{
"key": "parent_directory_ref.path",
"object": "processFileDirectory",
"transformer": "ProcessCWDPathTransformer"
},
{
"key": "content_refs.issuer",
"object": "certificate",
"transformer": "ProcessFileCertificateIssuerTransformer"
},
{
"key": "content_refs.subject",
"object": "certificate",
"transformer": "ProcessFileCertificateSubjectTransformer"
},
{
"key": "binary_ref.parent_directory_ref",
"object": "processFile",
"references": "processFileDirectory"
},
{
"key": "binary_ref.content_refs",
"object": "processFile",
"references": "certificate"
},
{
"key": "process.binary_ref",
"object": "process_some",
"references": "processFile"
},
{
"key": "x-oca-asset.process_ref",
"object": "x-oca-event",
"references": "process_some"
},
{
"key": "x-oca-asset.file_ref",
"object": "x-oca-event",
"references": "processFile"
}
],
"matchType":
{
"key": "x-oca-event.category",
"object": "x-oca-event"
},
"suppressedAt":
{
"key": "x-oca-event.end",
"object": "x-oca-event"
},
"alertedAt":
{
"key": "x-oca-event.created",
"object": "x-oca-event"
},
"createdAt":
{
"key":"x-oca-event.start",
"object":"x-oca-event"
},
"intelDocs":
{
"id":
{
},
"type":
{
"key":"x-oca-event.provider",
"object":"x-oca-event"
},
"typeVersion":
{
},
"md5":
{
},
"name":
{
"key":"x-oca-event.action",
"object":"x-oca-event"
},
"description":
{
"key":"x-oca-event.description",
"object":"x-oca-event"
},
"size":
{
},
"compiled":
{
},
"isSchemaValid":
{
},
"sourceId":
{
},
"mitreAttack":
{
"techniques":
{

}
},
"status":
{
}
}
}
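Review bot: The two entries at the end of `details` put `x-oca-asset.process_ref` and `x-oca-asset.file_ref` on the `x-oca-event` object, while every other `x-oca-asset.*` key in this file goes to the `asset` object and `process_ref`/`file_ref` are properties of x-oca-event rather than x-oca-asset; they should read `"key": "x-oca-event.process_ref"` and `"key": "x-oca-event.file_ref"`. The keys `binary_ref.hashes`, `binary_ref.name`, `parent_directory_ref.path`, `content_refs.issuer` and `content_refs.subject` use a reference name as the first segment instead of a STIX object type (`file`, `directory`, `x509-certificate`); if the translator derives the object type from that segment, as the other entries suggest, these will not produce the intended objects, so this needs confirming against the new transformers or a comment in the module docs. The empty objects under `intelDocs` (`id`, `typeVersion`, `md5`, `size`, `compiled`, `isSchemaValid`, `sourceId`, `mitreAttack.techniques`, `status`) carry no `key`; if those fields are intentionally unmapped, dropping the entries is clearer and avoids relying on the translator tolerating a mapping without `key`.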
Expand Up @@ -45,7 +45,7 @@ def _format_match(value) -> str:

@staticmethod
def _format_equality(value) -> str:
return '\'{}\''.format(value)
return '{}'.format(value)

@staticmethod
def _format_like(value) -> str:
Expand Down Expand Up @@ -234,7 +234,6 @@ def translate_pattern(pattern: Pattern, data_model_mapping, options):
print(f'{key}: {options[key]}')

query = QueryStringPatternTranslator(pattern, data_model_mapping).translated
result_limit = f"&limit={options['result_limit']}"

# Add space around START STOP qualifiers
query = re.sub("START", "START ", query)
Expand All @@ -246,4 +245,4 @@ def translate_pattern(pattern: Pattern, data_model_mapping, options):
# A list is returned because some query languages require the STIX pattern to be split into multiple query strings.

logger.info("The Query is " + query)
return ["%s%s" % (query, result_limit)]
return ["%s" % (query)]
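Review bot: In the first hunk `_format_equality` now returns the value with no quoting, so any quote, space or operator character in a STIX pattern value reaches the generated query string verbatim; if the target filter syntax takes bare values, the function should either validate or escape the value for that syntax, or at least carry a comment such as `# equality filters take bare values; value must already be validated by the pattern parser` so the next reader does not restore the quotes. The enclosing class and the body of `translate_pattern` lie outside these hunks. In the last hunk `["%s" % (query)]` is just `[query]`; the parentheses do not make a tuple and the format call adds nothing. With `result_limit` removed in the middle hunk the `result_limit` option no longer affects the query, which is presumably intended, but then nothing in this function enforces a limit, so the caller or API side should be confirmed to apply one.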