Resolved an issue where the severity mapping in from_stix used text instead of an integer. #1722

merged 5 commits into from
Aug 15, 2024
5 changes: 2 additions & 3 deletions deployment/ibm_cloud_pak_for_security/Dockerfile
@@ -1,12 +1,11 @@
FROM registry.access.redhat.com/ubi8/ubi-minimal
FROM registry.access.redhat.com/ubi9/ubi-minimal
ARG APP
ARG VERSION

USER root

RUN microdnf update -y && rm -fr /var/cache/yum && \
microdnf update -y gnutls systemd kernel-headers && \
microdnf install --nodocs python3 python3-devel unzip openssl && \
microdnf install -y --nodocs python3 unzip openssl python3-pip && \
rm -fr /var/cache/yum && microdnf update -y && rm -rf /var/cache/yum && \
microdnf clean all

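Review bot: The new base image line `FROM registry.access.redhat.com/ubi9/ubi-minimal` is unpinned, so every build floats to whatever the registry currently serves as `latest` and the resulting image cannot be reproduced or audited against a known base; pin at least a minor tag and preferably a digest, e.g. `FROM registry.access.redhat.com/ubi9/ubi-minimal:<minor-tag>@sha256:<digest>` taken from the registry at pin time. The RUN chain also runs `microdnf update -y` both before and after the install step while the targeted `gnutls systemd kernel-headers` update appears to have been dropped; a single `microdnf update -y` placed after `microdnf install` is enough to refresh both the base and the newly installed packages, and `microdnf clean all` already covers what the two `rm -fr /var/cache/yum` calls do. The hunk still leaves the image running as `USER root`; if a non-root `USER` is set further down the file (outside this hunk) that is fine, otherwise one should be added before the entrypoint.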
8 changes: 7 additions & 1 deletion stix_shifter_modules/tanium/configuration/config.json
Expand Up @@ -14,14 +14,20 @@
"min": 1,
"max": 65535
},
"help": {
"type": "link",
"default": "data-sources.html"
},
"options": {
"unmapped_fallback": {
"default": true
"type": "boolean",
"default": false
}
}
},
"configuration": {
"auth": {
"type": "fields",
"accessToken": {
"type": "password"
}
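Review bot: Changing `unmapped_fallback` from `"default": true` to `"default": false` silently changes what the translator emits for every existing deployment — Tanium fields without a mapping (the test changes in this PR expect `intel_intra_ids` to land in an `x-Tanium` object) will presumably now be dropped rather than surfaced — and neither the PR title nor the description mentions it. Either keep the default `true`, or call the behavior change out in the PR description/changelog and confirm the test fixtures set the option explicitly so the tests do not depend on a non-default value. The added `help` entry `"default": "data-sources.html"` is a bare relative path; confirm the UI resolves it against the documentation base so it does not 404 from the connector configuration screen.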
4 changes: 4 additions & 0 deletions stix_shifter_modules/tanium/configuration/lang_en.json
Expand Up @@ -7,6 +7,10 @@
"port": {
"label": "Host port",
"description": "Set the port number that is associated with the hostname or IP address"
},
"help": {
"label": "Need additional help?",
"description": "More details on the data source setting can be found in the specified link"
}
},
"configuration": {
Expand Up @@ -287,10 +287,6 @@
"key": "x-ibm-finding.x_finding_source_name",
"object": "alert"
},
"intel_intra_ids": {
"key": "x-ibm-finding.x_finding_intel_intra_ids",
"object": "alert"
},
"artifact_activity": {
"acting_artifact": {
"process": {
Expand Down Expand Up @@ -783,7 +779,7 @@
},
"alertedAt": [
{
"key": "x-ibm-finding.x_alertedAt",
"key": "x-ibm-finding.x_alerted_at",
"object": "alert"
}
],
Expand Down Expand Up @@ -940,35 +936,35 @@
"object": "alert"
},
"unresolvedAlertCount": {
"key": "x-tanium-inteldocument.unresolvedAlertCount",
"key": "x-tanium-inteldocument.unresolved_alert_count",
"object": "intel-document"
},
"customHash": {
"key": "x-tanium-inteldocument.customHash",
"key": "x-tanium-inteldocument.custom_hash",
"object": "intel-document"
},
"throttledFindingCount": {
"key": "x-tanium-inteldocument.throttledFindingCount",
"key": "x-tanium-inteldocument.throttled_finding_count",
"object": "intel-document"
},
"allowAutoDisable": {
"key": "x-tanium-inteldocument.allowAutoDisable",
"key": "x-tanium-inteldocument.allow_auto_disable",
"object": "intel-document"
},
"disabled": {
"key": "x-tanium-inteldocument.disabled",
"object": "intel-document"
},
"disabledEndpointCount": {
"key": "x-tanium-inteldocument.disabledEndpointCount",
"key": "x-tanium-inteldocument.disabled_endpoint_count",
"object": "intel-document"
},
"firstDeploymentTimestamp": {
"key": "x-tanium-inteldocument.firstDeploymentTimestamp",
"key": "x-tanium-inteldocument.first_deployment_timestamp",
"object": "intel-document"
},
"lastDeploymentTimestamp": {
"key": "x-tanium-inteldocument.lastDeploymentTimestamp",
"key": "x-tanium-inteldocument.last_deployment_timestamp",
"object": "intel-document"
},
"status": {
65 changes: 8 additions & 57 deletions stix_shifter_modules/tanium/stix_translation/json/to_stix_map.json
Expand Up @@ -218,13 +218,6 @@
"object": "processFile",
"references": "processFileDirectory"
},
{
"key": "directory.contains_refs",
"object": "processFileDirectory",
"references": [
"processFile"
]
},
{
"key": "process.binary_ref",
"object": "process",
Expand All @@ -241,11 +234,6 @@
"key": "process.parent_ref",
"object": "process",
"references": "parent-process"
},
{
"key": "process.child_ref",
"object": "parent-process",
"references": "process"
}
],
"start_time": {
Expand Down Expand Up @@ -292,10 +280,6 @@
"key": "x-ibm-finding.x_finding_source_name",
"object": "alert"
},
"intel_intra_ids": {
"key": "x-ibm-finding.x_finding_intel_intra_ids",
"object": "alert"
},
"artifact_activity": {
"acting_artifact": {
"process": {
Expand Down Expand Up @@ -366,13 +350,6 @@
"object": "processFileDirectory",
"transformer": "ProcessCWDPathTransformer"
},
{
"key": "directory.contains_refs",
"object": "processFileDirectory",
"references": [
"processFile"
]
},
{
"key": "file.parent_directory_ref",
"object": "processFile",
Expand Down Expand Up @@ -429,11 +406,6 @@
"key": "x-oca-event.parent_process_ref",
"object": "event",
"references": "process"
},
{
"key": "process.child_ref",
"object": "parent-process",
"references": "process"
}
],
"arguments": {
Expand Down Expand Up @@ -486,13 +458,6 @@
"object": "parent-processFileDirectory",
"transformer": "ProcessCWDPathTransformer"
},
{
"key": "directory.contains_refs",
"object": "parent-processFileDirectory",
"references": [
"parent-processFile"
]
},
{
"key": "file.parent_directory_ref",
"object": "parent-processFile",
Expand Down Expand Up @@ -595,13 +560,6 @@
"object": "file-directory-action",
"transformer": "ProcessCWDPathTransformer"
},
{
"key": "directory.contains_refs",
"object": "file-directory-action",
"references": [
"file-action"
]
},
{
"key": "file.parent_directory_ref",
"object": "file-action",
Expand Down Expand Up @@ -663,13 +621,6 @@
"object": "file-directory-action",
"transformer": "ProcessCWDPathTransformer"
},
{
"key": "directory.contains_refs",
"object": "file-directory-action",
"references": [
"file-action"
]
},
{
"key": "file.parent_directory_ref",
"object": "file-action",
Expand Down Expand Up @@ -788,7 +739,7 @@
},
"alertedAt": [
{
"key": "x-ibm-finding.x_alertedAt",
"key": "x-ibm-finding.x_alerted_at",
"object": "alert"
}
],
Expand Down Expand Up @@ -945,35 +896,35 @@
"object": "alert"
},
"unresolvedAlertCount": {
"key": "x-tanium-inteldocument.unresolvedAlertCount",
"key": "x-tanium-inteldocument.unresolved_alert_count",
"object": "intel-document"
},
"customHash": {
"key": "x-tanium-inteldocument.customHash",
"key": "x-tanium-inteldocument.custom_hash",
"object": "intel-document"
},
"throttledFindingCount": {
"key": "x-tanium-inteldocument.throttledFindingCount",
"key": "x-tanium-inteldocument.throttled_finding_count",
"object": "intel-document"
},
"allowAutoDisable": {
"key": "x-tanium-inteldocument.allowAutoDisable",
"key": "x-tanium-inteldocument.allow_auto_disable",
"object": "intel-document"
},
"disabled": {
"key": "x-tanium-inteldocument.disabled",
"object": "intel-document"
},
"disabledEndpointCount": {
"key": "x-tanium-inteldocument.disabledEndpointCount",
"key": "x-tanium-inteldocument.disabled_endpoint_count",
"object": "intel-document"
},
"firstDeploymentTimestamp": {
"key": "x-tanium-inteldocument.firstDeploymentTimestamp",
"key": "x-tanium-inteldocument.first_deployment_timestamp",
"object": "intel-document"
},
"lastDeploymentTimestamp": {
"key": "x-tanium-inteldocument.lastDeploymentTimestamp",
"key": "x-tanium-inteldocument.last_deployment_timestamp",
"object": "intel-document"
},
"status": {
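Review bot: Renaming the custom properties (`x_alertedAt` → `x_alerted_at`, `x-tanium-inteldocument.unresolvedAlertCount` → `unresolved_alert_count`, and the rest of that group) brings them in line with the STIX 2.1 rule that custom property names match `^[a-z0-9_]{3,250}$`, but it is a breaking change for anything downstream keyed on the old names (saved searches, correlation rules, dashboards) and the PR description does not mention it; add a changelog entry listing the old→new names. The removed `process.child_ref` was never a valid STIX process property (the spec defines `parent_ref` and the plural `child_refs`), so dropping it is correct; dropping `directory.contains_refs` is acceptable because the `file.parent_directory_ref` entries kept in the same hunks still link file to directory in one direction. The removed `x_finding_intel_intra_ids` mapping leaves `intel_intra_ids` reachable only through the unmapped-fallback object, so the mapping change and the fallback option should be documented together.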
@@ -1,4 +1,5 @@
import regex
from stix_shifter_modules.tanium.stix_translation.transformers import ConvertTextSeverityToNumberValue
from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, ComparisonExpression, \
Pattern,\
CombinedComparisonExpression, CombinedObservationExpression
Expand Down Expand Up @@ -27,14 +28,27 @@ def _format_start_stop_qualifier(self, expression, qualifier) -> str:
stop = qualifier_split[3]
qualified_query = f"{expression}&alertedAtFrom={start}&alertedAtUntil={stop}"
return qualified_query

@staticmethod
def _format_severity(self, value):
if(value < 40):
return "info"
elif(value >= 40 and value < 80):
return "low"
elif(value >= 80):
return "high"

@staticmethod
def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
{}
if(mapped_fields_array[0] == "severity"):
value = QueryStringPatternTranslator._format_severity(self, value)
parsed_fields = f"{mapped_fields_array[0]}{comparator}{value}"

if(comparator == "IN"):
parsed_fields = ""
for current_value in value.values:
if(mapped_fields_array[0] == "severity"):
value = QueryStringPatternTranslator._format_severity(self, value)
parsed_fields += f"{mapped_fields_array[0]}={current_value}&"
parsed_fields = parsed_fields[:-1]
return parsed_fields
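Review bot: The `IN` branch of `_parse_mapped_fields` never applies the severity conversion: inside the loop it calls `QueryStringPatternTranslator._format_severity(self, value)` on the whole set object instead of `current_value` and assigns the result back to `value`, and the `if(mapped_fields_array[0] == "severity")` above the `IN` check runs first, so a pattern such as `[x-ibm-finding:severity IN (10, 50)]` reaches `value < 40` with a set object and raises `TypeError`. `_format_severity` is declared `@staticmethod` yet takes `self`, the stray `{}` on the first line of `_parse_mapped_fields` is a no-op expression, and the `value >= 40 and` in the middle branch is redundant once the `< 40` case has returned. Two points to confirm because the pattern parser's value type is not visible in the hunk: coerce with `int(value)` before comparing, since a STIX literal may arrive as `str` and `'50' < 40` raises; and the mapping collapses an ordered numeric range into three labels, so only equality and `IN` are meaningful — `severity>50` would be emitted as `severity>low`, which Tanium is unlikely to accept, so other comparators should be rejected explicitly. Values taken from the pattern are also interpolated unescaped into the URL query string, so a value containing `&` or `=` injects extra parameters; percent-encode them with `quote` (add `from urllib.parse import quote` to the imports at the top of the file; widen `safe` if Tanium expects raw wildcards).
```python
    @staticmethod
    def _format_severity(value):
        # Tanium filters alerts by a severity label; the STIX side carries a numeric score.
        score = int(value)
        if score < 40:
            return "info"
        if score < 80:
            return "low"
        return "high"

    @staticmethod
    def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
        field = mapped_fields_array[0]
        is_severity = field == "severity"
        if comparator == "IN":
            parts = []
            for current_value in value.values:
                if is_severity:
                    current_value = QueryStringPatternTranslator._format_severity(current_value)
                parts.append(f"{field}={quote(str(current_value), safe='')}")
            return "&".join(parts)
        if is_severity:
            value = QueryStringPatternTranslator._format_severity(value)
        return f"{field}{comparator}{quote(str(value), safe='')}"
```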
11 changes: 4 additions & 7 deletions stix_shifter_modules/tanium/stix_transmission/connector.py
Expand Up @@ -44,20 +44,17 @@ async def create_results_connection(self, query, offset, length):
self.current_offset = offset

#This can be any value up to 500.
max_per_query_length = 500

if(length < max_per_query_length):
per_query_length = length
per_query_length = min(500, length)

try:
results = await self.get_results(per_query_length, query, self.current_offset)
results = await self.get_results(per_query_length, query, self.current_offset)

#Are we done?
while(len(self.final_results) < length and len(results) > 0):
results = await self.get_results(per_query_length, query, self.current_offset)

self.return_obj["data"] = self.final_results
self.return_obj['success'] = True

except Exception as err:
self.logger.error(f'error when connecting to the Tanium datasource {self.return_obj["error"]}:')
return self.return_obj
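Review bot: The pagination loop `while(len(self.final_results) < length and len(results) > 0)` terminates only if `get_results` advances `self.current_offset` on every call, which is not visible here; if a page comes back without the offset moving, the loop re-fetches the same page forever — guard it with `prev = self.current_offset` before the call and `if self.current_offset == prev: break` after it. `per_query_length = min(500, length)` also lets `length <= 0` through as a zero-sized page request; an early `if length <= 0:` return with `self.return_obj["data"] = []` is clearer than relying on the API to reject it. The handler the new calls fall into, `except Exception as err`, logs `self.return_obj["error"]` — which nothing on the visible path sets, so the log line itself can raise `KeyError` and the real `err` is lost; log `err` and set `self.return_obj['success'] = False` with its message unless the code after the hunk already does. `create_results_connection` continues past the end of the hunk.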
Expand Up @@ -144,6 +144,9 @@ def _test_against_sample_data(self, result_bundle_object, type_name):
self.x_tanium_inteldocument(result_bundle_object)
elif(type_name == 'x-compiled-terms'):
self.x_compiled_terms(result_bundle_object)
elif(type_name == 'x-Tanium'):
#Unmapped fields aren't necessarily an error (In this case they map be duplicates)
self.x_tanium(result_bundle_object)
else:
raise
except:
Expand Down Expand Up @@ -181,7 +184,7 @@ def _test_against_sample_data_stix21(self, result_bundle_object, type_name):
self.x_compiled_terms(result_bundle_object)
elif(type_name == 'x-Tanium'):
#Unmapped fields aren't necessarily an error (In this case they map be duplicates)
return
self.x_tanium(result_bundle_object)
else:
raise
except:
Expand Down Expand Up @@ -232,7 +235,7 @@ def alert_asserts(self, result_bundle_object):
assert result_bundle_object["x_config_id"] == 2
assert result_bundle_object["x_path"] == 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
assert result_bundle_object["x_received_at"] == '2023-10-16T12:29:34.609Z'
assert result_bundle_object["x_alertedAt"] == "2023-10-16T12:26:51.000Z"
assert result_bundle_object["x_alerted_at"] == "2023-10-16T12:26:51.000Z"
assert result_bundle_object["x_acked_at"] == "2023-10-16T12:38:03.961Z"
assert result_bundle_object["x_first_eid_resolution_attempt"] == "2023-10-16T12:29:37.091Z"
assert result_bundle_object["x_intel_doc_ref"] is not None
Expand All @@ -249,7 +252,6 @@ def alert_asserts(self, result_bundle_object):
assert result_bundle_object["x_match_recorder_id"] == "3994044258139188996"

assert result_bundle_object["x_finding_source_name"] == "recorder"
assert result_bundle_object["x_finding_intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
assert result_bundle_object["x_finding_process_ref"] is not None
assert result_bundle_object["x_finding_id"] == "1245935966959239109"
assert result_bundle_object["x_finding_domain"] == "threatresponse"
Expand Down Expand Up @@ -308,7 +310,6 @@ def file_asserts21(self, result_bundle_object):

def directory_asserts(self, result_bundle_object):
assert result_bundle_object["path"] == 'C:/Program Files (x86)/Microsoft/Edge/Application'
assert result_bundle_object["contains_refs"] is not None


def certificate_asserts(self, result_bundle_object):
Expand Down Expand Up @@ -360,13 +361,13 @@ def x_tanium_inteldocument(self, result_bundle_object):
assert result_bundle_object["syntax_version"] == 6
assert result_bundle_object["is_schema_valid"] == True
assert result_bundle_object["source_id"] == 2
assert result_bundle_object["unresolvedAlertCount"] == 8
assert result_bundle_object["throttledFindingCount"] == 0
assert result_bundle_object["allowAutoDisable"] == True
assert result_bundle_object["unresolved_alert_count"] == 8
assert result_bundle_object["throttled_finding_count"] == 0
assert result_bundle_object["allow_auto_disable"] == True
assert result_bundle_object["disabled"] == False
assert result_bundle_object["disabledEndpointCount"] == 0
assert result_bundle_object["firstDeploymentTimestamp"] == "2023-10-13T19:28:05.584Z"
assert result_bundle_object["lastDeploymentTimestamp"] == "2023-11-28T18:50:31.920Z"
assert result_bundle_object["disabled_endpoint_count"] == 0
assert result_bundle_object["first_deployment_timestamp"] == "2023-10-13T19:28:05.584Z"
assert result_bundle_object["last_deployment_timestamp"] == "2023-11-28T18:50:31.920Z"
assert result_bundle_object["status"] == "HIGH_FIDELITY"

def x_compiled_terms(self, result_bundle_object):
Expand All @@ -375,3 +376,7 @@ def x_compiled_terms(self, result_bundle_object):
assert result_bundle_object["value"] == "eicar"
assert result_bundle_object["object"] == "file"
assert result_bundle_object["property"] == "path"

#Unmapped fields
def x_tanium(self, result_bundle_object):
assert result_bundle_object["intel_intra_ids"] == [{'id_v2': '901388892329936882'}]
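Review bot: The new `x_tanium` helper asserts `intel_intra_ids` only through the unmapped-fallback `x-Tanium` object, while the same PR changes the `unmapped_fallback` default to `false` in config.json, so this assertion presumably passes only when the test fixture enables the option explicitly — confirm the fixture config, otherwise the test documents a non-default behaviour. The duplicated comment `#Unmapped fields aren't necessarily an error (In this case they map be duplicates)` has a typo (`map` → `may`) in both the 2.0 and 2.1 branches. The `else: raise` in both dispatchers has no active exception to re-raise and so produces a bare `RuntimeError` that the following `except:` swallows; `raise AssertionError(f"unexpected object type {type_name}")` would name the offending type when the dispatch misses. `_test_against_sample_data` and `_test_against_sample_data_stix21` both start and end outside the hunks.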