From a8ac495c1d53cc7dbbf339b76fa0a183a4009969 Mon Sep 17 00:00:00 2001 From: DerekRushton Date: Wed, 14 Aug 2024 11:55:10 -0300 Subject: [PATCH 1/2] Resolved some issues with the Tanium image. Signed-off-by: DerekRushton --- .../ibm_cloud_pak_for_security/Dockerfile | 5 +- .../tanium/configuration/config.json | 8 ++- .../tanium/configuration/lang_en.json | 4 ++ .../stix_translation/json/to_stix_map.json | 65 +++---------------- .../tanium/stix_transmission/connector.py | 11 ++-- 5 files changed, 25 insertions(+), 68 deletions(-) diff --git a/deployment/ibm_cloud_pak_for_security/Dockerfile b/deployment/ibm_cloud_pak_for_security/Dockerfile index 388bde9d5..a394cd647 100644 --- a/deployment/ibm_cloud_pak_for_security/Dockerfile +++ b/deployment/ibm_cloud_pak_for_security/Dockerfile @@ -1,12 +1,11 @@ -FROM registry.access.redhat.com/ubi8/ubi-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal ARG APP ARG VERSION USER root RUN microdnf update -y && rm -fr /var/cache/yum && \ - microdnf update -y gnutls systemd kernel-headers && \ - microdnf install --nodocs python3 python3-devel unzip openssl && \ + microdnf install -y --nodocs python3 unzip openssl python3-pip && \ rm -fr /var/cache/yum && microdnf update -y && rm -rf /var/cache/yum && \ microdnf clean all diff --git a/stix_shifter_modules/tanium/configuration/config.json b/stix_shifter_modules/tanium/configuration/config.json index d59e9ed47..4fed88441 100644 --- a/stix_shifter_modules/tanium/configuration/config.json +++ b/stix_shifter_modules/tanium/configuration/config.json @@ -14,14 +14,20 @@ "min": 1, "max": 65535 }, + "help": { + "type": "link", + "default": "data-sources.html" + }, "options": { "unmapped_fallback": { - "default": true + "type": "boolean", + "default": false } } }, "configuration": { "auth": { + "type": "fields", "accessToken": { "type": "password" } 
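Review bot: The new `FROM registry.access.redhat.com/ubi9/ubi-minimal` line carries neither a tag nor a digest, so every build resolves whatever the registry currently serves as latest and the resulting image cannot be reproduced or audited against a known base; pin it, e.g. `FROM registry.access.redhat.com/ubi9/ubi-minimal:<TAG>@sha256:<DIGEST>` (placeholders — substitute the digest you validated). The `rm -fr /var/cache/yum` cleanups are carried over from the ubi8 recipe; on ubi9 microdnf appears to keep its metadata under the dnf cache path, so those removals are likely no-ops and the trailing `microdnf clean all` is what actually drops the cache — verify and remove the redundant commands. Adding `python3-pip` leaves a package installer in the runtime image; if pip is only needed to install the application at build time, a multi-stage build keeps it out of the final layer.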
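Review bot: Changing the `unmapped_fallback` default from `true` to `false` is a behavioural change for every deployment that never set the option explicitly, yet the commit message only says "resolved some issues"; if the option controls whether source fields without a mapping are still emitted (the `x-Tanium` handling added to the tests later in this series suggests it does), say so in the description and in the option's lang_en.json text so operators understand why fields disappear after upgrading. Adding `"type": "boolean"` alongside the new default is the right fix for the untyped option, but the flip itself deserves a changelog line.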
diff --git a/stix_shifter_modules/tanium/configuration/lang_en.json b/stix_shifter_modules/tanium/configuration/lang_en.json index 8b508c01f..261f4cc7a 100644 --- a/stix_shifter_modules/tanium/configuration/lang_en.json +++ b/stix_shifter_modules/tanium/configuration/lang_en.json @@ -7,6 +7,10 @@ "port": { "label": "Host port", "description": "Set the port number that is associated with the hostname or IP address" + }, + "help": { + "label": "Need additional help?", + "description": "More details on the data source setting can be found in the specified link" } }, "configuration": { diff --git a/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json index 34e66e958..daf853d93 100644 --- a/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json @@ -218,13 +218,6 @@ "object": "processFile", "references": "processFileDirectory" }, - { - "key": "directory.contains_refs", - "object": "processFileDirectory", - "references": [ - "processFile" - ] - }, { "key": "process.binary_ref", "object": "process", @@ -241,11 +234,6 @@ "key": "process.parent_ref", "object": "process", "references": "parent-process" - }, - { - "key": "process.child_ref", - "object": "parent-process", - "references": "process" } ], "start_time": { @@ -292,10 +280,6 @@ "key": "x-ibm-finding.x_finding_source_name", "object": "alert" }, - "intel_intra_ids": { - "key": "x-ibm-finding.x_finding_intel_intra_ids", - "object": "alert" - }, "artifact_activity": { "acting_artifact": { "process": { @@ -366,13 +350,6 @@ "object": "processFileDirectory", "transformer": "ProcessCWDPathTransformer" }, - { - "key": "directory.contains_refs", - "object": "processFileDirectory", - "references": [ - "processFile" - ] - }, { "key": "file.parent_directory_ref", "object": "processFile", 
@@ -429,11 +406,6 @@ "key": "x-oca-event.parent_process_ref", "object": "event", "references": "process" - }, - { - "key": "process.child_ref", - "object": "parent-process", - "references": "process" } ], "arguments": { @@ -486,13 +458,6 @@ "object": "parent-processFileDirectory", "transformer": "ProcessCWDPathTransformer" }, - { - "key": "directory.contains_refs", - "object": "parent-processFileDirectory", - "references": [ - "parent-processFile" - ] - }, { "key": "file.parent_directory_ref", "object": "parent-processFile", @@ -595,13 +560,6 @@ "object": "file-directory-action", "transformer": "ProcessCWDPathTransformer" }, - { - "key": "directory.contains_refs", - "object": "file-directory-action", - "references": [ - "file-action" - ] - }, { "key": "file.parent_directory_ref", "object": "file-action", @@ -663,13 +621,6 @@ "object": "file-directory-action", "transformer": "ProcessCWDPathTransformer" }, - { - "key": "directory.contains_refs", - "object": "file-directory-action", - "references": [ - "file-action" - ] - }, { "key": "file.parent_directory_ref", "object": "file-action", @@ -788,7 +739,7 @@ }, "alertedAt": [ { - "key": "x-ibm-finding.x_alertedAt", + "key": "x-ibm-finding.x_alerted_at", "object": "alert" } ], @@ -945,19 +896,19 @@ "object": "alert" }, "unresolvedAlertCount": { - "key": "x-tanium-inteldocument.unresolvedAlertCount", + "key": "x-tanium-inteldocument.unresolved_alert_count", "object": "intel-document" }, "customHash": { - "key": "x-tanium-inteldocument.customHash", + "key": "x-tanium-inteldocument.custom_hash", "object": "intel-document" }, "throttledFindingCount": { - "key": "x-tanium-inteldocument.throttledFindingCount", + "key": "x-tanium-inteldocument.throttled_finding_count", "object": "intel-document" }, "allowAutoDisable": { - "key": "x-tanium-inteldocument.allowAutoDisable", + "key": "x-tanium-inteldocument.allow_auto_disable", "object": "intel-document" }, "disabled": { 
@@ -965,15 +916,15 @@ "object": "intel-document" }, "disabledEndpointCount": { - "key": "x-tanium-inteldocument.disabledEndpointCount", + "key": "x-tanium-inteldocument.disabled_endpoint_count", "object": "intel-document" }, "firstDeploymentTimestamp": { - "key": "x-tanium-inteldocument.firstDeploymentTimestamp", + "key": "x-tanium-inteldocument.first_deployment_timestamp", "object": "intel-document" }, "lastDeploymentTimestamp": { - "key": "x-tanium-inteldocument.lastDeploymentTimestamp", + "key": "x-tanium-inteldocument.last_deployment_timestamp", "object": "intel-document" }, "status": { diff --git a/stix_shifter_modules/tanium/stix_transmission/connector.py b/stix_shifter_modules/tanium/stix_transmission/connector.py index bc3919113..4173e45b5 100644 --- a/stix_shifter_modules/tanium/stix_transmission/connector.py +++ b/stix_shifter_modules/tanium/stix_transmission/connector.py @@ -44,20 +44,17 @@ async def create_results_connection(self, query, offset, length): self.current_offset = offset #This can be any value up to 500. - max_per_query_length = 500 - - if(length < max_per_query_length): - per_query_length = length + per_query_length = min(500, length) try: - results = await self.get_results(per_query_length, query, self.current_offset) + results = await self.get_results(per_query_length, query, self.current_offset) + #Are we done? while(len(self.final_results) < length and len(results) > 0): results = await self.get_results(per_query_length, query, self.current_offset) - + self.return_obj["data"] = self.final_results self.return_obj['success'] = True - except Exception as err: self.logger.error(f'error when connecting to the Tanium datasource {self.return_obj["error"]}:') return self.return_obj From 7f2a65985e826657ae1a9cdaffe785d3551cad1e Mon Sep 17 00:00:00 2001 From: DerekRushton Date: Wed, 14 Aug 2024 16:56:23 -0300 Subject: [PATCH 2/2] Tanium test fixed and stix2.1 
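Review bot: The `except Exception as err:` handler at the end of the connector.py hunk never logs `err`; it interpolates `self.return_obj["error"]`, which nothing in the hunk sets, so on a transport or authentication failure the handler itself can raise KeyError and the real cause is lost, and `self.return_obj['success']` is never set to False on that path. Suggest `self.logger.exception('error when connecting to the Tanium datasource')` (assuming `self.logger` is a standard logging.Logger), followed by `self.return_obj['success'] = False` and `self.return_obj['error'] = str(err)` before the return. The paging loop stops only when `len(results) == 0` or enough rows have accumulated, and relies on `get_results` advancing `self.current_offset` and appending to `self.final_results` outside this hunk — confirm that, and consider trimming `self.final_results` to `length`, since the last batch can overshoot the requested count. `create_results_connection` continues past the end of the hunk.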
Signed-off-by: DerekRushton --- .../json/stix_2_1/to_stix_map.json | 20 ++++++--------- .../test_from_json_to_stix.py | 25 +++++++++++-------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json index c62db6b84..1c8cc3d30 100644 --- a/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json +++ b/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json @@ -287,10 +287,6 @@ "key": "x-ibm-finding.x_finding_source_name", "object": "alert" }, - "intel_intra_ids": { - "key": "x-ibm-finding.x_finding_intel_intra_ids", - "object": "alert" - }, "artifact_activity": { "acting_artifact": { "process": { @@ -783,7 +779,7 @@ }, "alertedAt": [ { - "key": "x-ibm-finding.x_alertedAt", + "key": "x-ibm-finding.x_alerted_at", "object": "alert" } ], @@ -940,19 +936,19 @@ "object": "alert" }, "unresolvedAlertCount": { - "key": "x-tanium-inteldocument.unresolvedAlertCount", + "key": "x-tanium-inteldocument.unresolved_alert_count", "object": "intel-document" }, "customHash": { - "key": "x-tanium-inteldocument.customHash", + "key": "x-tanium-inteldocument.custom_hash", "object": "intel-document" }, "throttledFindingCount": { - "key": "x-tanium-inteldocument.throttledFindingCount", + "key": "x-tanium-inteldocument.throttled_finding_count", "object": "intel-document" }, "allowAutoDisable": { - "key": "x-tanium-inteldocument.allowAutoDisable", + "key": "x-tanium-inteldocument.allow_auto_disable", "object": "intel-document" }, "disabled": { 
@@ -960,15 +956,15 @@ "object": "intel-document" }, "disabledEndpointCount": { - "key": "x-tanium-inteldocument.disabledEndpointCount", + "key": "x-tanium-inteldocument.disabled_endpoint_count", "object": "intel-document" }, "firstDeploymentTimestamp": { - "key": "x-tanium-inteldocument.firstDeploymentTimestamp", + "key": "x-tanium-inteldocument.first_deployment_timestamp", "object": "intel-document" }, "lastDeploymentTimestamp": { - "key": "x-tanium-inteldocument.lastDeploymentTimestamp", + "key": "x-tanium-inteldocument.last_deployment_timestamp", "object": "intel-document" }, "status": { diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py index 7761fdbbd..c00d107a4 100644 --- a/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py +++ b/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py @@ -144,6 +144,9 @@ def _test_against_sample_data(self, result_bundle_object, type_name): self.x_tanium_inteldocument(result_bundle_object) elif(type_name == 'x-compiled-terms'): self.x_compiled_terms(result_bundle_object) + elif(type_name == 'x-Tanium'): + #Unmapped fields aren't necessarily an error (In this case they map be duplicates) + self.x_tanium(result_bundle_object) else: raise except: @@ -181,7 +184,7 @@ def _test_against_sample_data_stix21(self, result_bundle_object, type_name): self.x_compiled_terms(result_bundle_object) elif(type_name == 'x-Tanium'): #Unmapped fields aren't necessarily an error (In this case they map be duplicates) - return + self.x_tanium(result_bundle_object) else: raise except: 
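Review bot: The comment added in the first test hunk, `#Unmapped fields aren't necessarily an error (In this case they map be duplicates)`, has a typo (`map be` → `may be`), and the identical sentence appears as context in the stix21 variant in the second hunk; fix both to `# Unmapped fields aren't necessarily an error (in this case they may be duplicates)`. Both `_test_against_sample_data` and `_test_against_sample_data_stix21` start before their hunks.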
@@ -232,7 +235,7 @@ def alert_asserts(self, result_bundle_object): assert result_bundle_object["x_config_id"] == 2 assert result_bundle_object["x_path"] == 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' assert result_bundle_object["x_received_at"] == '2023-10-16T12:29:34.609Z' - assert result_bundle_object["x_alertedAt"] == "2023-10-16T12:26:51.000Z" + assert result_bundle_object["x_alerted_at"] == "2023-10-16T12:26:51.000Z" assert result_bundle_object["x_acked_at"] == "2023-10-16T12:38:03.961Z" assert result_bundle_object["x_first_eid_resolution_attempt"] == "2023-10-16T12:29:37.091Z" assert result_bundle_object["x_intel_doc_ref"] is not None @@ -249,7 +252,6 @@ def alert_asserts(self, result_bundle_object): assert result_bundle_object["x_match_recorder_id"] == "3994044258139188996" assert result_bundle_object["x_finding_source_name"] == "recorder" - assert result_bundle_object["x_finding_intel_intra_ids"] == [{'id_v2': '901388892329936882'}] assert result_bundle_object["x_finding_process_ref"] is not None assert result_bundle_object["x_finding_id"] == "1245935966959239109" assert result_bundle_object["x_finding_domain"] == "threatresponse" @@ -308,7 +310,6 @@ def file_asserts21(self, result_bundle_object): def directory_asserts(self, result_bundle_object): assert result_bundle_object["path"] == 'C:/Program Files (x86)/Microsoft/Edge/Application' - assert result_bundle_object["contains_refs"] is not None def certificate_asserts(self, result_bundle_object): 
@@ -360,13 +361,13 @@ def x_tanium_inteldocument(self, result_bundle_object):
 assert result_bundle_object["syntax_version"] == 6
 assert result_bundle_object["is_schema_valid"] == True
 assert result_bundle_object["source_id"] == 2
- assert result_bundle_object["unresolvedAlertCount"] == 8
- assert result_bundle_object["throttledFindingCount"] == 0
- assert result_bundle_object["allowAutoDisable"] == True
+ assert result_bundle_object["unresolved_alert_count"] == 8
+ assert result_bundle_object["throttled_finding_count"] == 0
+ assert result_bundle_object["allow_auto_disable"] == True
 assert result_bundle_object["disabled"] == False
- assert result_bundle_object["disabledEndpointCount"] == 0
- assert result_bundle_object["firstDeploymentTimestamp"] == "2023-10-13T19:28:05.584Z"
- assert result_bundle_object["lastDeploymentTimestamp"] == "2023-11-28T18:50:31.920Z"
+ assert result_bundle_object["disabled_endpoint_count"] == 0
+ assert result_bundle_object["first_deployment_timestamp"] == "2023-10-13T19:28:05.584Z"
+ assert result_bundle_object["last_deployment_timestamp"] == "2023-11-28T18:50:31.920Z"
 assert result_bundle_object["status"] == "HIGH_FIDELITY"
 
 def x_compiled_terms(self, result_bundle_object):
@@ -375,3 +376,7 @@ def x_compiled_terms(self, result_bundle_object):
 assert result_bundle_object["value"] == "eicar"
 assert result_bundle_object["object"] == "file"
 assert result_bundle_object["property"] == "path"
+
+ #Unmapped fields
+ def x_tanium(self, result_bundle_object):
+ assert result_bundle_object["intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
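Review bot: The new `x_tanium` helper asserts that `intel_intra_ids` is still surfaced on the `x-Tanium` object even though its mapping entry was removed earlier in this series, which presumably only holds when the unmapped-field fallback is enabled for the test translation — and PATCH 1 flipped the `unmapped_fallback` config default to false; the bare `#Unmapped fields` comment does not record that dependency. Replace it with a docstring such as `"""Fields intentionally left unmapped; they appear on x-Tanium only when the unmapped fallback is enabled."""` (confirm against how the test configures the options), and use `# ` spacing for any comment kept, matching PEP 8.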