From c455ab2c7d1fb613d69971c05fce58eddd83b743 Mon Sep 17 00:00:00 2001
From: Md Azam
Date: Wed, 22 Nov 2023 12:17:54 -0400
Subject: [PATCH] Remove future timestamp qualifier conditions (#1619)
---
 .../stix_translation/query_constructor.py | 4 ---
 .../test_aws_guardduty_stix_to_query.py | 27 +++++++++++++++----
 .../stix_translation/query_constructor.py | 4 ---
 .../test_okta_stix_to_query.py | 11 ++++----
 4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py b/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
index e472c794a..56e6a1edc 100644
--- a/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
@@ -372,13 +372,9 @@ def _check_time_range_values(time_range_list):
 checks for valid start and stop time
 :param time_range_list: list
 """
- utc_timestamp = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
- converted_utc_timestamp = QueryStringPatternTranslator._format_datetime(utc_timestamp)
 converted_timestamp = []
 for timestamp in time_range_list:
 converted_time = QueryStringPatternTranslator._format_datetime(timestamp)
- if converted_time > converted_utc_timestamp:
- raise StartStopQualifierValueException('Start/Stop time should not be in the future UTC timestamp')
 converted_timestamp.append(converted_time)
 if converted_timestamp[0] >= converted_timestamp[1]:
 raise StartStopQualifierValueException('Start time should be lesser than Stop time')
diff --git a/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
index 4fb644afc..aa0bf80b1 100644
--- a/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
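Review bot: With the future-time guard gone, the docstring of `_check_time_range_values` ("checks for valid start and stop time") no longer says what is enforced; the only rule left is the ordering check `converted_timestamp[0] >= converted_timestamp[1]`. I would reword it to `Check that the start time is strictly earlier than the stop time; timestamps in the future are accepted.` The identical okta hunk in `stix_shifter_modules/okta/stix_translation/query_constructor.py` needs the same wording. `STOP_TIME` is no longer referenced in this function, so if nothing else in either module reads it (not visible here), the constant and any import kept only for it can be dropped. The function begins above the hunk.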
+++ b/stix_shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
@@ -654,13 +654,30 @@ def test_multiple_observation_with_single_qualifier_with_precedence_bracket(self
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)
- def test_invalid_qualifier_with_future_timestamp(self):
+ def test_timestamp_qualifier(self):
 stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \
 "STOP t'2024-02-07T11:00:00.003Z'"
- result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
- assert result['success'] is False
- assert "translation_error" == result['code']
- assert 'Start/Stop time should not be in the future UTC timestamp' in result['error']
+ queries = {
+ "queries": [
+ {
+ "FindingCriteria": {
+ "Criterion": {
+ "service.action.networkConnectionAction.localPortDetails.port": {
+ "GreaterThanOrEqual": 32794
+ },
+ "updatedAt": {
+ "GreaterThanOrEqual": 1674126000000,
+ "LessThanOrEqual": 1707303600003
+ }
+ }
+ }
+ }
+ ]
+ }
+ query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+ query = _remove_timestamp_from_query(query)
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
 def test_stop_time_lesser_than_start_time(self):
 stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \
diff --git a/stix_shifter_modules/okta/stix_translation/query_constructor.py b/stix_shifter_modules/okta/stix_translation/query_constructor.py
index 1d2df7b5d..21d733f8e 100644
--- a/stix_shifter_modules/okta/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/okta/stix_translation/query_constructor.py
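Review bot: `test_timestamp_qualifier` depends on the literal `STOP t'2024-02-07T11:00:00.003Z'` being in the future, so once that date has passed the test only covers an ordinary past window and a reintroduced future-time rejection would go unnoticed. Building the stop value at run time, e.g. `stop = (datetime.now(timezone.utc) + timedelta(days=1)).strftime('%Y-%m-%dT%H:%M:%S.000Z')`, keeps the case alive. The expected `LessThanOrEqual` bound would then have to be derived from the same value, unless `_remove_timestamp_from_query` (defined outside the hunk) already strips it. The okta `test_timestamp_qualifier` hunk in `test_okta_stix_to_query.py` uses the same fixed date. A short comment such as `# STOP is deliberately in the future: future qualifiers must translate, not raise` would also record why the test exists.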
@@ -230,13 +230,9 @@ def _check_time_range_values(time_range_list):
 checks for valid start and stop time
 :param time_range_list: list
 """
- utc_timestamp = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
- converted_utc_timestamp = QueryStringPatternTranslator._format_datetime(utc_timestamp)
 converted_timestamp = []
 for timestamp in time_range_list:
 converted_time = QueryStringPatternTranslator._format_datetime(timestamp)
- if converted_time > converted_utc_timestamp:
- raise StartStopQualifierValueException('Start/Stop time should not be in the future UTC timestamp')
 converted_timestamp.append(converted_time)
 if converted_timestamp[0] >= converted_timestamp[1]:
 raise StartStopQualifierValueException('Start time should be lesser than Stop time')
diff --git a/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py b/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py
index cf3864a21..6e9755b77 100644
--- a/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py
+++ b/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py
@@ -317,13 +317,14 @@ def test_wildcard_characters_like_operator(self):
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)
- def test_invalid_qualifier_with_future_timestamp(self):
+ def test_timestamp_qualifier(self):
 stix_pattern = "[domain-name:value LIKE 'amazonaws.com'] " \
 "START t'2023-01-19T11:00:00.000Z' STOP t'2024-02-07T11:00:00.003Z'"
- result = translation.translate('okta', 'query', '{}', stix_pattern)
- assert result['success'] is False
- assert "translation_error" == result['code']
- assert 'Start/Stop time should not be in the future UTC timestamp' in result['error']
+ query = translation.translate('okta', 'query', '{}', stix_pattern)
+ query['queries'] = _remove_timestamp_from_query(query['queries'])
+ queries = ["filter=securityContext.domain co \"amazonaws.com\" &since=2023-01-19T11:00:00.000Z&until=2024-02-07T11:00:00.003Z"]
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
 def test_invalid_operator_for_integer_type_field(self):
 stix_pattern = "[autonomous-system:number LIKE '50']"