opencybersecurityalliance · mdazam1942 · Oct 12, 2023 · Sep 18, 2023 · Sep 29, 2023 · Sep 29, 2023
diff --git a/stix_shifter_modules/cisco_secure_email/README.md b/stix_shifter_modules/cisco_secure_email/README.md
diff --git a/stix_shifter_modules/cisco_secure_email/__init__.py b/stix_shifter_modules/cisco_secure_email/__init__.py
diff --git a/stix_shifter_modules/cisco_secure_email/cisco_secure_email_supported_stix.md b/stix_shifter_modules/cisco_secure_email/cisco_secure_email_supported_stix.md
@@ -0,0 +1,162 @@
+##### Updated on 14/09/23
+## Cisco Secure Email
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+<br>
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Cisco Secure Email Operator |
+|--|--|
+| AND (Comparision) | & |
+| = | = |
+| IN | = |
+| LIKE | = |
+| OR (Observation) | OR |
+| AND (Observation) | OR |
+| <br> | |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **email-addr**:value | envelopeRecipientfilterValue, envelopeSenderfilterValue |
+| **email-message**:from_ref | envelopeSenderfilterValue |
+| **email-message**:sender_ref | envelopeSenderfilterValue |
+| **email-message**:to_refs | envelopeRecipientfilterValue |
+| **email-message**:subject | subjectfilterValue |
+| **email-message**:x_message_id_header | messageIdHeader |
+| **email-message**:x_cisco_mid | ciscoMid |
+| **email-message**:x_sender_ip_ref | senderIp |
+| **file**:name | attachmentNameValue |
+| **file**:hashes.'SHA-256' | fileSha256 |
+| **ipv4-addr**:value | senderIp |
+| **ipv6-addr**:value | senderIp |
+| **domain-name**:value | domainNameValue |
+| **x-oca-host**:hostname | ciscoHost |
+| **x-cisco-email-msgevent**:advanced_malware_protection_mailflow_direction | advancedMalwareProtectionMailflowDirection |
+| **x-cisco-email-msgevent**:advanced_malware_protection | advancedMalwareProtection |
+| **x-cisco-email-msgevent**:app_forwarding | appForwarding |
+| **x-cisco-email-msgevent**:content_filters_name | contentFiltersName |
+| **x-cisco-email-msgevent**:content_filters_direction | contentFiltersDirection |
+| **x-cisco-email-msgevent**:content_filters_action | contentFiltersAction |
+| **x-cisco-email-msgevent**:dane_failure | daneFailure |
+| **x-cisco-email-msgevent**:message_status | deliveryStatus |
+| **x-cisco-email-msgevent**:message_delivered | message_delivered |
+| **x-cisco-email-msgevent**:dlp_violations_names | dlpViolationsNames |
+| **x-cisco-email-msgevent**:dlpViolationsSeverities | dlpViolationsSeverities |
+| **x-cisco-email-msgevent**:dlp_action | dlpAction |
+| **x-cisco-email-msgevent**:dmarc_from | dmarcFrom |
+| **x-cisco-email-msgevent**:dmarc_action | dmarcAction |
+| **x-cisco-email-msgevent**:etf_sources | etfSources |
+| **x-cisco-email-msgevent**:etf_iocs | etfIocs |
+| **x-cisco-email-msgevent**:forged_email_detection | forgedEmailDetection |
+| **x-cisco-email-msgevent**:geo_location | geoLocation |
+| **x-cisco-email-msgevent**:graymail | graymail |
+| **x-cisco-email-msgevent**:hard_bounced | hardBounced |
+| **x-cisco-email-msgevent**:ip_reputation | ipReputation |
+| **x-cisco-email-msgevent**:macro_mailflow_direction | macroMailflowDirection |
+| **x-cisco-email-msgevent**:macro_file_types_detected | macroFileTypesDetected |
+| **x-cisco-email-msgevent**:message_filters | messageFilters |
+| **x-cisco-email-msgevent**:message_direction | messageDirection |
+| **x-cisco-email-msgevent**:contained_malicious_urls | containedMaliciousUrls |
+| **x-cisco-email-msgevent**:contained_neutral_urls | containedNeutralUrls |
+| **x-cisco-email-msgevent**:outbreak_filters_url_rewritten_byof | outbreakFiltersUrlRewrittenByOf |
+| **x-cisco-email-msgevent**:outbreak_filtersVofThreatCategory | outbreakFiltersVofThreatCategory |
+| **x-cisco-email-msgevent**:in_outbreak_quarantine | inOutbreakQuarantine |
+| **x-cisco-email-msgevent**:quarantined_to | quarantinedTo |
+| **x-cisco-email-msgevent**:reply_to | replyToValue |
+| **x-cisco-email-msgevent**:s_mime | smime |
+| **x-cisco-email-msgevent**:domain_categories | domainCategories |
+| **x-cisco-email-msgevent**:sdr_categories | sdrCategories |
+| **x-cisco-email-msgevent**:sdr_threat_levels | sdrThreatLevels |
+| **x-cisco-email-msgevent**:soft_bounced | softBounced |
+| **x-cisco-email-msgevent**:spam_positive | spamPositive |
+| **x-cisco-email-msgevent**:quarantined_as_spam | quarantinedAsSpam |
+| **x-cisco-email-msgevent**:quarantine_status | quarantineStatus |
+| **x-cisco-email-msgevent**:threat_name | threatName |
+| **x-cisco-email-msgevent**:suspect_spam | suspectSpam |
+| **x-cisco-email-msgevent**:url_categories | urlCategories |
+| **x-cisco-email-msgevent**:url_reputation | urlReputation |
+| **x-cisco-email-msgevent**:safeprint_ext | safeprintExt |
+| **x-cisco-email-msgevent**:virus_positive | virusPositive |
+| **x-cisco-email-msgevent**:web_interaction_tracking_urls | webInteractionTrackingUrls |
+| **x-cisco-email-msgevent**:web_interaction_tracking_mailflow_direction | webInteractionTrackingMailflowDirection |
+| **x-cisco-email-msgevent**:mail_policy | mailPolicyName |
+| **x-cisco-email-msgevent**:mail_policy_direction | mailPolicyDirection |
+| <br> | |
+### Supported STIX Objects and Properties for Query Results
+| STIX Object | STIX Property | Data Source Field |
+|--|--|--|
+| email-addr | value | envelopeRecipientfilterValue |
+| email-addr | value | envelopeSenderfilterValue |
+| <br> | | |
+| email-message | from_ref | envelopeSenderfilterValue |
+| email-message | sender_ref | envelopeSenderfilterValue |
+| email-message | to_refs | envelopeRecipientfilterValue |
+| email-message | subject | subjectfilterValue |
+| email-message | x_message_id_header | messageIdHeader |
+| email-message | x_cisco_mid | ciscoMid |
+| email-message | x_sender_ip_ref | senderIp |
+| <br> | | |
+| file | name | attachmentNameValue |
+| file | hashes.'SHA-256' | fileSha256 |
+| <br> | | |
+| ipv4-addr | value | senderIp |
+| <br> | | |
+| ipv6-addr | value | senderIp |
+| <br> | | |
+| domain-name | value | domainNameValue |
+| <br> | | |
+| x-oca-host | hostname | ciscoHost |
+| <br> | | |
+| x-cisco-email-msgevent | advanced_malware_protection_mailflow_direction | advancedMalwareProtectionMailflowDirection |
+| x-cisco-email-msgevent | advanced_malware_protection | advancedMalwareProtection |
+| x-cisco-email-msgevent | app_forwarding | appForwarding |
+| x-cisco-email-msgevent | content_filters_name | contentFiltersName |
+| x-cisco-email-msgevent | content_filters_direction | contentFiltersDirection |
+| x-cisco-email-msgevent | content_filters_action | contentFiltersAction |
+| x-cisco-email-msgevent | dane_failure | daneFailure |
+| x-cisco-email-msgevent | message_status | deliveryStatus |
+| x-cisco-email-msgevent | message_delivered | message_delivered |
+| x-cisco-email-msgevent | dlp_violations_names | dlpViolationsNames |
+| x-cisco-email-msgevent | dlpViolationsSeverities | dlpViolationsSeverities |
+| x-cisco-email-msgevent | dlp_action | dlpAction |
+| x-cisco-email-msgevent | dmarc_from | dmarcFrom |
+| x-cisco-email-msgevent | dmarc_action | dmarcAction |
+| x-cisco-email-msgevent | etf_sources | etfSources |
+| x-cisco-email-msgevent | etf_iocs | etfIocs |
+| x-cisco-email-msgevent | forged_email_detection | forgedEmailDetection |
+| x-cisco-email-msgevent | geo_location | geoLocation |
+| x-cisco-email-msgevent | graymail | graymail |
+| x-cisco-email-msgevent | hard_bounced | hardBounced |
+| x-cisco-email-msgevent | ip_reputation | ipReputation |
+| x-cisco-email-msgevent | macro_mailflow_direction | macroMailflowDirection |
+| x-cisco-email-msgevent | macro_file_types_detected | macroFileTypesDetected |
+| x-cisco-email-msgevent | message_filters | messageFilters |
+| x-cisco-email-msgevent | message_direction | messageDirection |
+| x-cisco-email-msgevent | contained_malicious_urls | containedMaliciousUrls |
+| x-cisco-email-msgevent | contained_neutral_urls | containedNeutralUrls |
+| x-cisco-email-msgevent | outbreak_filters_url_rewritten_byof | outbreakFiltersUrlRewrittenByOf |
+| x-cisco-email-msgevent | outbreak_filtersVofThreatCategory | outbreakFiltersVofThreatCategory |
+| x-cisco-email-msgevent | in_outbreak_quarantine | inOutbreakQuarantine |
+| x-cisco-email-msgevent | quarantined_to | quarantinedTo |
+| x-cisco-email-msgevent | reply_to | replyToValue |
+| x-cisco-email-msgevent | s_mime | smime |
+| x-cisco-email-msgevent | domain_categories | domainCategories |
+| x-cisco-email-msgevent | sdr_categories | sdrCategories |
+| x-cisco-email-msgevent | sdr_threat_levels | sdrThreatLevels |
+| x-cisco-email-msgevent | soft_bounced | softBounced |
+| x-cisco-email-msgevent | spam_positive | spamPositive |
+| x-cisco-email-msgevent | quarantined_as_spam | quarantinedAsSpam |
+| x-cisco-email-msgevent | quarantine_status | quarantineStatus |
+| x-cisco-email-msgevent | threat_name | threatName |
+| x-cisco-email-msgevent | suspect_spam | suspectSpam |
+| x-cisco-email-msgevent | url_categories | urlCategories |
+| x-cisco-email-msgevent | url_reputation | urlReputation |
+| x-cisco-email-msgevent | safeprint_ext | safeprintExt |
+| x-cisco-email-msgevent | virus_positive | virusPositive |
+| x-cisco-email-msgevent | web_interaction_tracking_urls | webInteractionTrackingUrls |
+| x-cisco-email-msgevent | web_interaction_tracking_mailflow_direction | webInteractionTrackingMailflowDirection |
+| x-cisco-email-msgevent | mail_policy | mailPolicyName |
+| x-cisco-email-msgevent | mail_policy_direction | mailPolicyDirection |
+| <br> | | |
diff --git a/stix_shifter_modules/cisco_secure_email/configuration/config.json b/stix_shifter_modules/cisco_secure_email/configuration/config.json
@@ -0,0 +1,46 @@
+{
+    "connection": {
+        "type": {
+            "displayName": "Cisco Secure Email",
+            "group": "cisco"
+        },
+        "host": {
+            "type": "text",
+            "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$"
+        },
+        "port": {
+            "type": "number",
+            "default": 443,
+            "min": 1,
+            "max": 65535
+        },
+        "help": {
+            "type": "link",
+            "default": "data-sources.html"
+        },
+        "selfSignedCert": {
+            "type": "password",
+            "optional": true
+        },
+        "options": {
+            "result_limit": {
+                "default": 800,
+                "min": 1,
+                "max": 800,
+                "type": "number",
+                "previous": "connection.resultSizeLimit"
+            }
+        }
+    },
+    "configuration": {
+        "auth": {
+            "type" : "fields",
+            "username": {
+                "type": "text"
+            },
+            "password": {
+                "type": "password"
+            }
+        }
+    }
+}
diff --git a/stix_shifter_modules/cisco_secure_email/configuration/lang_en.json b/stix_shifter_modules/cisco_secure_email/configuration/lang_en.json
@@ -0,0 +1,38 @@
+{
+    "connection": {
+        "host": {
+            "label": "Management IP address or hostname",
+            "description": "Specify the IP address or hostname of the data source"
+        },
+        "port": {
+            "label": "Host port",
+            "description": "Set the port number that is associated with the hostname or IP address"
+        },
+        "help": {
+            "label": "Need additional help?",
+            "description": "More details on the data source setting can be found in the specified link"
+        },
+        "selfSignedCert": {
+            "label": "Cisco Secure Email HTTPS connection certificate",
+            "description": "Use self-signed Security Sockets Layer (SSL) or CA certificate for HTTPS services"
+        },
+         "options": {
+             "result_limit": {
+                 "label": "Result size limit",
+                 "description": "The maximum number of entries or objects that are returned by search query.  Valid input range is {{min}} to {{max}}."
+             }
+         }
+    },
+    "configuration": {
+        "auth": {
+            "username": {
+                "label": "Username",
+                "description": "Username with access to the tracking API"
+            },
+            "password": {
+                "label": "Password",
+                "description": "Password of the user with access to the tracking API"
+            }
+        }
+    }
+}
diff --git a/stix_shifter_modules/cisco_secure_email/entry_point.py b/stix_shifter_modules/cisco_secure_email/entry_point.py
@@ -0,0 +1,11 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(False)
+        if connection:
+            self.setup_transmission_basic(connection, configuration)
+        self.setup_translation_simple(dialect_default='default')
diff --git a/stix_shifter_modules/cisco_secure_email/stix_translation/__init__.py b/stix_shifter_modules/cisco_secure_email/stix_translation/__init__.py