diff --git a/deployment/ibm_cloud_pak_for_security/Dockerfile b/deployment/ibm_cloud_pak_for_security/Dockerfile
index 388bde9d5..a394cd647 100644
--- a/deployment/ibm_cloud_pak_for_security/Dockerfile
+++ b/deployment/ibm_cloud_pak_for_security/Dockerfile
@@ -1,12 +1,11 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal
+FROM registry.access.redhat.com/ubi9/ubi-minimal
 ARG APP
 ARG VERSION
 USER root
 RUN microdnf update -y && rm -fr /var/cache/yum && \
- microdnf update -y gnutls systemd kernel-headers && \
- microdnf install --nodocs python3 python3-devel unzip openssl && \
+ microdnf install -y --nodocs python3 unzip openssl python3-pip && \
 rm -fr /var/cache/yum && microdnf update -y && rm -rf /var/cache/yum && \
 microdnf clean all
diff --git a/stix_shifter_modules/tanium/configuration/config.json b/stix_shifter_modules/tanium/configuration/config.json
index d59e9ed47..4fed88441 100644
--- a/stix_shifter_modules/tanium/configuration/config.json
+++ b/stix_shifter_modules/tanium/configuration/config.json
@@ -14,14 +14,20 @@
 "min": 1,
 "max": 65535
 },
+ "help": {
+ "type": "link",
+ "default": "data-sources.html"
+ },
 "options": {
 "unmapped_fallback": {
- "default": true
+ "type": "boolean",
+ "default": false
 }
 }
 },
 "configuration": {
 "auth": {
+ "type": "fields",
 "accessToken": {
 "type": "password"
 }
diff --git a/stix_shifter_modules/tanium/configuration/lang_en.json b/stix_shifter_modules/tanium/configuration/lang_en.json
index 8b508c01f..261f4cc7a 100644
--- a/stix_shifter_modules/tanium/configuration/lang_en.json
+++ b/stix_shifter_modules/tanium/configuration/lang_en.json
@@ -7,6 +7,10 @@
 "port": {
 "label": "Host port",
 "description": "Set the port number that is associated with the hostname or IP address"
+ },
+ "help": {
+ "label": "Need additional help?",
+ "description": "More details on the data source setting can be found in the specified link"
 }
 },
 "configuration": {
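Review bot: The new base image `registry.access.redhat.com/ubi9/ubi-minimal` on the first `+` line carries neither a tag nor a digest, so every build floats to whatever the registry currently serves as `latest` and the image that was scanned is not necessarily the image that ships; pin it, e.g. `FROM registry.access.redhat.com/ubi9/ubi-minimal:<tag>@sha256:<digest>` (placeholders — take the values from the registry at upgrade time), and bump deliberately. The `RUN` chain still runs `microdnf update -y` twice and `rm -fr /var/cache/yum` three times; a single `microdnf update -y && microdnf install -y --nodocs python3 unzip openssl python3-pip && microdnf clean all` does the same work and is easier to audit. The stage is still `USER root` at the end of the hunk and the Dockerfile presumably continues past it, so confirm a non-root `USER` is set before the final `CMD`/`ENTRYPOINT`.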
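Review bot: Changing `unmapped_fallback` from `"default": true` to `"default": false` alters the output of every existing deployment that never set the option — if the flag does what its name suggests, fields with no mapping (such as `intel_intra_ids`, whose mapping this commit removes from both `to_stix_map.json` files) stop being passed through — and neither this hunk nor the `lang_en.json` text records that. Call the new default out in the release notes, and consider extending the `unmapped_fallback` description in `lang_en.json` so users learn of it from the form itself. The new `help` entry's `"default": "data-sources.html"` is a relative link that resolves against whichever page embeds the form; if other modules use an absolute URL for this field, match them.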
diff --git a/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json
index c62db6b84..1c8cc3d30 100644
--- a/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json
+++ b/stix_shifter_modules/tanium/stix_translation/json/stix_2_1/to_stix_map.json
@@ -287,10 +287,6 @@
 "key": "x-ibm-finding.x_finding_source_name",
 "object": "alert"
 },
- "intel_intra_ids": {
- "key": "x-ibm-finding.x_finding_intel_intra_ids",
- "object": "alert"
- },
 "artifact_activity": {
 "acting_artifact": {
 "process": {
@@ -783,7 +779,7 @@
 },
 "alertedAt": [
 {
- "key": "x-ibm-finding.x_alertedAt",
+ "key": "x-ibm-finding.x_alerted_at",
 "object": "alert"
 }
 ],
@@ -940,19 +936,19 @@
 "object": "alert"
 },
 "unresolvedAlertCount": {
- "key": "x-tanium-inteldocument.unresolvedAlertCount",
+ "key": "x-tanium-inteldocument.unresolved_alert_count",
 "object": "intel-document"
 },
 "customHash": {
- "key": "x-tanium-inteldocument.customHash",
+ "key": "x-tanium-inteldocument.custom_hash",
 "object": "intel-document"
 },
 "throttledFindingCount": {
- "key": "x-tanium-inteldocument.throttledFindingCount",
+ "key": "x-tanium-inteldocument.throttled_finding_count",
 "object": "intel-document"
 },
 "allowAutoDisable": {
- "key": "x-tanium-inteldocument.allowAutoDisable",
+ "key": "x-tanium-inteldocument.allow_auto_disable",
 "object": "intel-document"
 },
 "disabled": {
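Review bot: Dropping the `intel_intra_ids` mapping in the `@@ -287` hunk leaves that field to the unmapped-field fallback, and this same commit turns `unmapped_fallback` off by default in `config.json`, so default deployments presumably lose the value altogether; the new `x_tanium` test that asserts `intel_intra_ids` on an `x-Tanium` object can only pass if the test configuration keeps the fallback on, so confirm this trade-off is intended. The same removal is made in `to_stix_map.json` at `@@ -292`. The renames in the `@@ -783` and `@@ -940` hunks to lowercase snake_case bring the custom property names in line with the STIX 2.1 requirement that custom property names use only lowercase ASCII letters, digits and underscores, which is worth stating in the commit message since the renames are breaking for any consumer keyed on `x_alertedAt` or `unresolvedAlertCount`.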
@@ -960,15 +956,15 @@
 "object": "intel-document"
 },
 "disabledEndpointCount": {
- "key": "x-tanium-inteldocument.disabledEndpointCount",
+ "key": "x-tanium-inteldocument.disabled_endpoint_count",
 "object": "intel-document"
 },
 "firstDeploymentTimestamp": {
- "key": "x-tanium-inteldocument.firstDeploymentTimestamp",
+ "key": "x-tanium-inteldocument.first_deployment_timestamp",
 "object": "intel-document"
 },
 "lastDeploymentTimestamp": {
- "key": "x-tanium-inteldocument.lastDeploymentTimestamp",
+ "key": "x-tanium-inteldocument.last_deployment_timestamp",
 "object": "intel-document"
 },
 "status": {
diff --git a/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json b/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
index 34e66e958..daf853d93 100644
--- a/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
@@ -218,13 +218,6 @@
 "object": "processFile",
 "references": "processFileDirectory"
 },
- {
- "key": "directory.contains_refs",
- "object": "processFileDirectory",
- "references": [
- "processFile"
- ]
- },
 {
 "key": "process.binary_ref",
 "object": "process",
@@ -241,11 +234,6 @@
 "key": "process.parent_ref",
 "object": "process",
 "references": "parent-process"
- },
- {
- "key": "process.child_ref",
- "object": "parent-process",
- "references": "process"
 }
 ],
 "start_time": {
@@ -292,10 +280,6 @@
 "key": "x-ibm-finding.x_finding_source_name",
 "object": "alert"
 },
- "intel_intra_ids": {
- "key": "x-ibm-finding.x_finding_intel_intra_ids",
- "object": "alert"
- },
 "artifact_activity": {
 "acting_artifact": {
 "process": {
@@ -366,13 +350,6 @@
 "object": "processFileDirectory",
 "transformer": "ProcessCWDPathTransformer"
 },
- {
- "key": "directory.contains_refs",
- "object": "processFileDirectory",
- "references": [
- "processFile"
- ]
- },
 {
 "key": "file.parent_directory_ref",
 "object": "processFile",
@@ -429,11 +406,6 @@
 "key": "x-oca-event.parent_process_ref",
 "object": "event",
 "references": "process"
- },
- {
- "key": "process.child_ref",
- "object": "parent-process",
- "references": "process"
 }
 ],
 "arguments": {
@@ -486,13 +458,6 @@
 "object": "parent-processFileDirectory",
 "transformer": "ProcessCWDPathTransformer"
 },
- {
- "key": "directory.contains_refs",
- "object": "parent-processFileDirectory",
- "references": [
- "parent-processFile"
- ]
- },
 {
 "key": "file.parent_directory_ref",
 "object": "parent-processFile",
@@ -595,13 +560,6 @@
 "object": "file-directory-action",
 "transformer": "ProcessCWDPathTransformer"
 },
- {
- "key": "directory.contains_refs",
- "object": "file-directory-action",
- "references": [
- "file-action"
- ]
- },
 {
 "key": "file.parent_directory_ref",
 "object": "file-action",
@@ -663,13 +621,6 @@
 "object": "file-directory-action",
 "transformer": "ProcessCWDPathTransformer"
 },
- {
- "key": "directory.contains_refs",
- "object": "file-directory-action",
- "references": [
- "file-action"
- ]
- },
 {
 "key": "file.parent_directory_ref",
 "object": "file-action",
@@ -788,7 +739,7 @@
 },
 "alertedAt": [
 {
- "key": "x-ibm-finding.x_alertedAt",
+ "key": "x-ibm-finding.x_alerted_at",
 "object": "alert"
 }
 ],
@@ -945,19 +896,19 @@
 "object": "alert"
 },
 "unresolvedAlertCount": {
- "key": "x-tanium-inteldocument.unresolvedAlertCount",
+ "key": "x-tanium-inteldocument.unresolved_alert_count",
 "object": "intel-document"
 },
 "customHash": {
- "key": "x-tanium-inteldocument.customHash",
+ "key": "x-tanium-inteldocument.custom_hash",
 "object": "intel-document"
 },
 "throttledFindingCount": {
- "key": "x-tanium-inteldocument.throttledFindingCount",
+ "key": "x-tanium-inteldocument.throttled_finding_count",
 "object": "intel-document"
 },
 "allowAutoDisable": {
- "key": "x-tanium-inteldocument.allowAutoDisable",
+ "key": "x-tanium-inteldocument.allow_auto_disable",
 "object": "intel-document"
 },
 "disabled": {
@@ -965,15 +916,15 @@
 "object": "intel-document"
 },
 "disabledEndpointCount": {
- "key": "x-tanium-inteldocument.disabledEndpointCount",
+ "key": "x-tanium-inteldocument.disabled_endpoint_count",
 "object": "intel-document"
 },
 "firstDeploymentTimestamp": {
- "key": "x-tanium-inteldocument.firstDeploymentTimestamp",
+ "key": "x-tanium-inteldocument.first_deployment_timestamp",
 "object": "intel-document"
 },
 "lastDeploymentTimestamp": {
- "key": "x-tanium-inteldocument.lastDeploymentTimestamp",
+ "key": "x-tanium-inteldocument.last_deployment_timestamp",
 "object": "intel-document"
 },
 "status": {
diff --git a/stix_shifter_modules/tanium/stix_translation/query_constructor.py b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
index dcdf7878f..06ee2cc16 100644
--- a/stix_shifter_modules/tanium/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
@@ -1,4 +1,5 @@
 import regex
+from stix_shifter_modules.tanium.stix_translation.transformers import ConvertTextSeverityToNumberValue
 from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, ComparisonExpression, \
 Pattern,\
 CombinedComparisonExpression, CombinedObservationExpression
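Review bot: `ConvertTextSeverityToNumberValue`, imported on the added line, is not referenced by the other hunk in this file, which buckets severity through a new hand-written `_format_severity` instead; if nothing outside the visible hunks uses it, drop the import, or better, derive `_format_severity` from the same thresholds that transformer uses so the to-STIX and from-STIX directions of the severity mapping cannot drift apart. An import from the module's own `transformers` package also adds a circular-import risk for no benefit while it is unused.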
@@ -27,14 +28,27 @@ def _format_start_stop_qualifier(self, expression, qualifier) -> str:
 stop = qualifier_split[3]
 qualified_query = f"{expression}&alertedAtFrom={start}&alertedAtUntil={stop}"
 return qualified_query
+
+ @staticmethod
+ def _format_severity(self, value):
+ if(value < 40):
+ return "info"
+ elif(value >= 40 and value < 80):
+ return "low"
+ elif(value >= 80):
+ return "high"
 @staticmethod
 def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
- {}
+ if(mapped_fields_array[0] == "severity"):
+ value = QueryStringPatternTranslator._format_severity(self, value)
 parsed_fields = f"{mapped_fields_array[0]}{comparator}{value}"
+
 if(comparator == "IN"):
 parsed_fields = ""
 for current_value in value.values:
+ if(mapped_fields_array[0] == "severity"):
+ value = QueryStringPatternTranslator._format_severity(self, value)
 parsed_fields += f"{mapped_fields_array[0]}={current_value}&"
 parsed_fields = parsed_fields[:-1]
 return parsed_fields
diff --git a/stix_shifter_modules/tanium/stix_transmission/connector.py b/stix_shifter_modules/tanium/stix_transmission/connector.py
index bc3919113..4173e45b5 100644
--- a/stix_shifter_modules/tanium/stix_transmission/connector.py
+++ b/stix_shifter_modules/tanium/stix_transmission/connector.py
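Review bot: In `_parse_mapped_fields` the severity conversion runs before the comparator check, so for `comparator == "IN"` the whole set object is handed to `_format_severity`, where `value < 40` raises `TypeError`; inside the loop the conversion is then applied to `value` again instead of `current_value`, so even if it got there each member would be emitted unconverted. Convert per element in the `IN` branch and convert the scalar only in the other branch, as below. `_format_severity` is declared `@staticmethod` yet takes `self` and is invoked as `QueryStringPatternTranslator._format_severity(self, value)`, copying the pre-existing shape of `_parse_mapped_fields`, and its `elif` guards are redundant once the earlier branches have returned; the rewrite drops both. The enclosing `QueryStringPatternTranslator` class starts outside the hunk.
```python
    @staticmethod
    def _format_severity(value):
        # Map the numeric STIX severity onto the text buckets used in the query string.
        if value < 40:
            return "info"
        if value < 80:
            return "low"
        return "high"

    @staticmethod
    def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
        field = mapped_fields_array[0]
        if comparator == "IN":
            parts = []
            for current_value in value.values:
                if field == "severity":
                    # convert each member, not the set wrapper
                    current_value = QueryStringPatternTranslator._format_severity(current_value)
                parts.append(f"{field}={current_value}")
            return "&".join(parts)
        if field == "severity":
            value = QueryStringPatternTranslator._format_severity(value)
        return f"{field}{comparator}{value}"
```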
@@ -44,20 +44,17 @@ async def create_results_connection(self, query, offset, length):
 self.current_offset = offset
 #This can be any value up to 500.
- max_per_query_length = 500
-
- if(length < max_per_query_length):
- per_query_length = length
+ per_query_length = min(500, length)
 try:
- results = await self.get_results(per_query_length, query, self.current_offset)
+ results = await self.get_results(per_query_length, query, self.current_offset)
+
 #Are we done?
 while(len(self.final_results) < length and len(results) > 0):
 results = await self.get_results(per_query_length, query, self.current_offset)
-
+
 self.return_obj["data"] = self.final_results
 self.return_obj['success'] = True
-
 except Exception as err:
 self.logger.error(f'error when connecting to the Tanium datasource {self.return_obj["error"]}:')
 return self.return_obj
diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py
index 7761fdbbd..c00d107a4 100644
--- a/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py
+++ b/stix_shifter_modules/tanium/tests/stix_translation/test_from_json_to_stix.py
@@ -144,6 +144,9 @@ def _test_against_sample_data(self, result_bundle_object, type_name):
 self.x_tanium_inteldocument(result_bundle_object)
 elif(type_name == 'x-compiled-terms'):
 self.x_compiled_terms(result_bundle_object)
+ elif(type_name == 'x-Tanium'):
+ #Unmapped fields aren't necessarily an error (In this case they map be duplicates)
+ self.x_tanium(result_bundle_object)
 else:
 raise
 except:
@@ -181,7 +184,7 @@ def _test_against_sample_data_stix21(self, result_bundle_object, type_name):
 self.x_compiled_terms(result_bundle_object)
 elif(type_name == 'x-Tanium'):
 #Unmapped fields aren't necessarily an error (In this case they map be duplicates)
- return
+ self.x_tanium(result_bundle_object)
 else:
 raise
 except:
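Review bot: The `except` block that closes the hunk logs `self.return_obj["error"]` instead of `err`, so if `get_results` raises before anything has stored an `"error"` key the handler itself raises `KeyError` and the original exception is lost; log the caught exception, e.g. `self.logger.error(f'error when connecting to the Tanium datasource: {err}')`, and, unless it is initialised elsewhere, set `self.return_obj['success'] = False` before `return self.return_obj` so callers do not read a stale flag. The `while` loop keeps calling `get_results` while `len(self.final_results) < length`, which can collect up to `per_query_length - 1` records past `length` unless `get_results` trims; whether it does, and whether it advances `self.current_offset`, is outside the hunk, so a one-line comment on the loop stating that contract would help. The method body continues past the hunk.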
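Review bot: The comment added in the `@@ -144` hunk, `#Unmapped fields aren't necessarily an error (In this case they map be duplicates)`, has a typo (`map be` → `may be`) and is repeated verbatim as context in the `@@ -181` hunk; fix both, e.g. `# Unmapped fields aren't necessarily an error (in this case they may be duplicates)`. Routing `x-Tanium` objects to the new `x_tanium` method (defined in the `@@ -375` hunk) makes these tests depend on the unmapped-field fallback being enabled in the test fixture, while this commit sets the `config.json` default to `false`; a comment on `x_tanium` naming the option it relies on would spare the next reader that inference.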
@@ -232,7 +235,7 @@ def alert_asserts(self, result_bundle_object):
 assert result_bundle_object["x_config_id"] == 2
 assert result_bundle_object["x_path"] == 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
 assert result_bundle_object["x_received_at"] == '2023-10-16T12:29:34.609Z'
- assert result_bundle_object["x_alertedAt"] == "2023-10-16T12:26:51.000Z"
+ assert result_bundle_object["x_alerted_at"] == "2023-10-16T12:26:51.000Z"
 assert result_bundle_object["x_acked_at"] == "2023-10-16T12:38:03.961Z"
 assert result_bundle_object["x_first_eid_resolution_attempt"] == "2023-10-16T12:29:37.091Z"
 assert result_bundle_object["x_intel_doc_ref"] is not None
@@ -249,7 +252,6 @@ def alert_asserts(self, result_bundle_object):
 assert result_bundle_object["x_match_recorder_id"] == "3994044258139188996"
 assert result_bundle_object["x_finding_source_name"] == "recorder"
- assert result_bundle_object["x_finding_intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
 assert result_bundle_object["x_finding_process_ref"] is not None
 assert result_bundle_object["x_finding_id"] == "1245935966959239109"
 assert result_bundle_object["x_finding_domain"] == "threatresponse"
@@ -308,7 +310,6 @@ def file_asserts21(self, result_bundle_object):
 def directory_asserts(self, result_bundle_object):
 assert result_bundle_object["path"] == 'C:/Program Files (x86)/Microsoft/Edge/Application'
- assert result_bundle_object["contains_refs"] is not None
 def certificate_asserts(self, result_bundle_object):
@@ -360,13 +361,13 @@ def x_tanium_inteldocument(self, result_bundle_object):
 assert result_bundle_object["syntax_version"] == 6
 assert result_bundle_object["is_schema_valid"] == True
 assert result_bundle_object["source_id"] == 2
- assert result_bundle_object["unresolvedAlertCount"] == 8
- assert result_bundle_object["throttledFindingCount"] == 0
- assert result_bundle_object["allowAutoDisable"] == True
+ assert result_bundle_object["unresolved_alert_count"] == 8
+ assert result_bundle_object["throttled_finding_count"] == 0
+ assert result_bundle_object["allow_auto_disable"] == True
 assert result_bundle_object["disabled"] == False
- assert result_bundle_object["disabledEndpointCount"] == 0
- assert result_bundle_object["firstDeploymentTimestamp"] == "2023-10-13T19:28:05.584Z"
- assert result_bundle_object["lastDeploymentTimestamp"] == "2023-11-28T18:50:31.920Z"
+ assert result_bundle_object["disabled_endpoint_count"] == 0
+ assert result_bundle_object["first_deployment_timestamp"] == "2023-10-13T19:28:05.584Z"
+ assert result_bundle_object["last_deployment_timestamp"] == "2023-11-28T18:50:31.920Z"
 assert result_bundle_object["status"] == "HIGH_FIDELITY"
 def x_compiled_terms(self, result_bundle_object):
@@ -375,3 +376,7 @@ def x_compiled_terms(self, result_bundle_object):
 assert result_bundle_object["value"] == "eicar"
 assert result_bundle_object["object"] == "file"
 assert result_bundle_object["property"] == "path"
+
+ #Unmapped fields
+ def x_tanium(self, result_bundle_object):
+ assert result_bundle_object["intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
index f4fa02bf8..76f889540 100644
--- a/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
+++ b/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
@@ -95,7 +95,7 @@ def test_event_oca_query(self):
 " AND [x-oca-event:host_ref.ip_refs.value = '10.0.0.4']" \
 " AND [x-oca-event:host_ref.os_ref.name = 'windows']" \
 " AND [x-oca-event:file_ref.parent_directory_ref.path = 'Application']" \
- " AND [x-oca-event:severity = 'info']" \
+ " AND [x-oca-event:severity = 0]" \
 " AND [x-oca-event:x_ttp_tagging_refs.technique_id = 'T1204']" \
 " START t'2022-07-01T00:00:00.000Z'" \
 " STOP t'2024-07-27T00:05:00.000Z'"
@@ -118,7 +118,7 @@ def test_event_oca_query(self):
 def test_ibm_finding(self):
 stix_pattern = "([x-ibm-finding:dst_ip_ref.value = '10.0.0.4']" \
 " AND [x-ibm-finding:name = 'Outlook Spawned Process Creating DLL Files']" \
- " AND [x-ibm-finding:severity = 'info']" \
+ " AND [x-ibm-finding:severity = 0]" \
 " AND [x-ibm-finding:dst_os_ref.name = 'windows']" \
 " AND [x-ibm-finding:x_ttp_tagging_refs.technique_id = 'T1204']" \
 " AND [x-ibm-finding:x_guid = '00000000-0000-0000-114a-7429237cffc5']" \
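Review bot: Both hunks switch the pattern to `severity = 0`, which lands in the lowest bucket, so the `40` and `80` thresholds in `_format_severity` and the `IN` comparator path in `_parse_mapped_fields` stay unexercised; add patterns such as `[x-ibm-finding:severity = 40]`, `[x-ibm-finding:severity = 80]` and `[x-ibm-finding:severity IN (0, 50)]` with the expected `severity=low`, `severity=high` and `severity=info&severity=low` fragments. The expected query strings for these two tests lie outside the hunks; since `0` presumably still yields `severity=info`, they would not have needed to change, which is also why this edit alone does not prove the conversion ran. Both test methods continue past the hunks.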