From 1f0712dbbbe52678a1a047d4db868e11063d37a4 Mon Sep 17 00:00:00 2001 
From: Arthur Muradyan Date: Thu, 28 Apr 2022 14:24:04 -0300 Subject: [PATCH] Reaqta connector (#879) Co-authored-by: Md Azam --- stix_shifter_modules/reaqta/README.md | 227 ++ stix_shifter_modules/reaqta/__init__.py | 0 .../reaqta/configuration/config.json | 32 + .../reaqta/configuration/lang_en.json | 29 + stix_shifter_modules/reaqta/entry_point.py | 13 + .../reaqta/stix_translation/__init__.py | 0 .../json/event_names_map.json | 93 + .../stix_translation/json/from_stix_map.json | 275 +++ .../json/network_protocol_map.json | 5 + .../stix_translation/json/operators.json | 13 + .../json/stix_2_1/from_stix_map.json | 274 +++ .../json/stix_2_1/to_stix_map.json | 2033 +++++++++++++++++ .../stix_translation/json/to_stix_map.json | 1995 ++++++++++++++++ .../stix_translation/query_constructor.py | 203 ++ .../stix_translation/query_translator.py | 26 + .../stix_translation/results_translator.py | 56 + .../reaqta/stix_transmission/__init__.py | 0 .../reaqta/stix_transmission/api_client.py | 93 + .../reaqta/stix_transmission/connector.py | 98 + .../stix_translation/json/event_result.json | 325 +++ .../test_reaqta_json_to_stix.py | 465 ++++ .../test_stix_to_hunt_query.py | 289 +++ .../test_hunt_transmission.py | 103 + .../src/patterns/pattern_objects.py | 16 +- stix_shifter_utils/utils/helpers.py | 12 +- 25 files changed, 6673 insertions(+), 2 deletions(-) create mode 100644 stix_shifter_modules/reaqta/README.md create mode 100644 stix_shifter_modules/reaqta/__init__.py create mode 100644 stix_shifter_modules/reaqta/configuration/config.json create mode 100644 stix_shifter_modules/reaqta/configuration/lang_en.json create mode 100644 stix_shifter_modules/reaqta/entry_point.py create mode 100644 stix_shifter_modules/reaqta/stix_translation/__init__.py create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/event_names_map.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/from_stix_map.json create mode 100644 
stix_shifter_modules/reaqta/stix_translation/json/network_protocol_map.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/operators.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json create mode 100644 stix_shifter_modules/reaqta/stix_translation/query_constructor.py create mode 100644 stix_shifter_modules/reaqta/stix_translation/query_translator.py create mode 100644 stix_shifter_modules/reaqta/stix_translation/results_translator.py create mode 100644 stix_shifter_modules/reaqta/stix_transmission/__init__.py create mode 100644 stix_shifter_modules/reaqta/stix_transmission/api_client.py create mode 100644 stix_shifter_modules/reaqta/stix_transmission/connector.py create mode 100644 stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json create mode 100644 stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py create mode 100644 stix_shifter_modules/reaqta/test/stix_translation/test_stix_to_hunt_query.py create mode 100644 stix_shifter_modules/reaqta/test/stix_transmission/test_hunt_transmission.py diff --git a/stix_shifter_modules/reaqta/README.md b/stix_shifter_modules/reaqta/README.md new file mode 100644 index 000000000..7a3fa39d1 --- /dev/null +++ b/stix_shifter_modules/reaqta/README.md 
@@ -0,0 +1,227 @@ +# ReaQta Connector + +Reaqta is an AI-powered, automated endpoint security platform. ReaQta Connector can be used to search security events and alerts generated in ReaQta platform. + +## API and Query Language + +Connector uses Reaqta Hunt API. Endpoint Path: `/1/events/hunt` + +For search, the connector uses HunQ: The ReaQta-Hive Hunt Query Language. The query is similar to the WHERE clause of a SQL query. + + +### Format for making STIX translation calls via the CLI + +`python main.py ` + +Note the identity object is only used when converting from HunQ response JSON to STIX, but due to positional arguments, an empty hash will need to be passed in when converting from STIX patterns to HunQ query. + + +## Converting from STIX patterns to HunQ queries + +This example input pattern: + +`python main.py translate reaqta query {} "[ipv4-addr:value = '192.168.1.2' OR network-traffic:src_port = 443] START t'2022-04-06T00:00:00.000Z' STOP t'2022-04-06T00:05:00.000Z'"` + +Returns the following HunQ query: + +`(eventdata.localPort = "443" OR (login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) AND happenedAfter = "2022-04-06T00:00:00.000Z" AND happenedBefore = "2022-04-06T00:05:00.000Z"` + + +## Sending Query to Hunt API + +This is a synchronous connector. Therefore, the connector can only uses results transmission call to send query to the API. 
Example results call: + +``` +python main.py transmit reaqta '{"host":""}' '{ "auth": { "app_id": "", "secret_key": "" } }' results '(eventdata.localPort = "443" OR (login.ip = "192.168.1.2" OR $ip = "192.168.138.128")) AND happenedAfter = "2022-04-06T00:00:00.000Z" AND happenedBefore = "2022-04-06T00:05:00.000Z"' 0 1 +``` + +### Transmit Results Output + +``` + { + "eventId": "847102109500309505", + "endpointId": "842028663686823936", + "payload": { + "localId": "847101972854081537", + "process": { + "id": "842028663686823936:2222:1648564483636", + "parentId": "842028663686823936:1111:1648485432579", + "endpointId": "842028663686823936", + "program": { + "path": "c:\\users\\reaqta\\downloads\\test.exe", + "filename": "abcd.exe", + "md5": "d05807b758e56634abfdb7cd62798765", + "sha1": "adb328949df38cece2fc7ad818788d12ej311a9a90", + "sha256": "a4693a722a69bb5b58e02bd1b28369a123459047bd37bda4836b97a6a6c65432", + "size": 73802, + "arch": "x32", + "fsName": "test.exe" + }, + "user": "DESKTOP-TEST\\ReaQta-test", + "pid": 2222, + "startTime": "2022-03-29T14:34:43.636Z", + "ppid": 1111, + "pstartTime": "2022-03-28T16:37:12.579Z", + "userSID": "S-1-1-11-00000000-1111111-222222222-9999", + "privilegeLevel": "MEDIUM", + "noGui": false, + "logonId": "0xxx1s1" + }, + "incidents": [], + "triggeredIncidents": [], + "data": { + "addressFamily": 0, + "protocol": 0, + "localAddr": "192.168.1.2", + "localPort": 443, + "remoteAddr": "192.168.2.3", + "remotePort": 8443, + "outbound": true + }, + "eventType": 8 + }, + "happenedAt": "2022-03-29T14:40:48.722Z", + "receivedAt": "2022-03-29T14:41:21.301Z" + } +``` + +## ReaQta response results to STIX objects + +### Translate command +``` +python main.py translate reaqta results '{"type":"identity","id":"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff","name":"reaqta","identity_class":"events", "created": "2022-04-07T20:35:41.042Z", "modified": "2022-04-07T20:35:41.042Z"}' '[]' +``` +### STIX 2.0 Output + +``` +{ + "type": "bundle", + "id": 
"bundle--4cec3200-a574-43fb-8720-ddf81d93929b", + "objects": [ + { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "reaqta", + "identity_class": "events", + "created": "2022-04-07T20:35:41.042Z", + "modified": "2022-04-07T20:35:41.042Z" + }, + { + "id": "observed-data--400d3905-a4fd-46f3-888d-804283a973b6", + "type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2022-04-19T20:21:52.930Z", + "modified": "2022-04-19T20:21:52.930Z", + "objects": { + "0": { + "type": "x-oca-event", + "code": 847102109500309505, + "file_ref": "4", + "user_ref": "5", + "process_ref": "2", + "parent_process_ref": "6", + "network_ref": "8", + "created": "2022-03-29T14:41:21.301Z" + }, + "1": { + "type": "x-reaqta-event", + "endpoint_id": "842028663686823936", + "local_id": "847101972854081537" + }, + "2": { + "type": "process", + "extensions": { + "x-reaqta-process": { + "process_id": "842028663686823936:2222:1648564483636", + "parent_process_id": "842028663686823936:1111:1648485432579", + "process_endpoint_id": "842028663686823936", + "privilege_level": "MEDIUM", + "no_gui": false, + "logon_id": "0xxx1s1" + }, + "windows-process-ext": { + "owner_sid": "S-1-1-11-00000000-1111111-222222222-9999" + } + }, + "binary_ref": "4", + "creator_user_ref": "5", + "pid": 2222, + "created": "2022-03-29T14:34:43.636Z", + "parent_ref": "6" + }, + "3": { + "type": "directory", + "path": "c:\\users\\reaqta\\downloads" + }, + "4": { + "type": "file", + "parent_directory_ref": "3", + "name": "abcd.exe", + "hashes": { + "MD5": "d05807b758e56634abfdb7cd62798765", + "SHA-1": "adb328949df38cece2fc7ad818788d12ej311a9a90", + "SHA-256": "a4693a722a69bb5b58e02bd1b28369a123459047bd37bda4836b97a6a6c65432" + }, + "size": 73802, + "extensions": { + "x-reaqta-program": { + "arch": "x32", + "fsname": "test.exe" + } + } + }, + "5": { + "type": "user-account", + "user_id": "DESKTOP-TEST\\ReaQta-test" + }, + "6": { + "type": 
"process", + "pid": 1111 + }, + "7": { + "type": "x-ibm-finding", + "extensions": { + "x-reaqta-alert": { + "incidents": [], + "triggered_incidents": [] + } + }, + "src_ip_ref": "9", + "dst_ip_ref": "11", + "finding_type": "8", + "name": "Network Connection Established" + }, + "8": { + "type": "network-traffic", + "extensions": { + "x-reaqta-network": { + "address_family": "IPv4", + "outbound": true + } + }, + "src_port": 443, + "dst_port": 8443, + "src_ref": "9", + "dst_ref": "11" + }, + "9": { + "type": "ipv4-addr", + "value": "192.168.1.2" + }, + "11": { + "type": "ipv4-addr", + "value": "192.168.2.3" + } + }, + "first_observed": "2022-03-29T14:40:48.722Z", + "last_observed": "2022-03-29T14:40:48.722Z", + "number_observed": 1 + } + ], + "spec_version": "2.0" +} +``` + +## Limitations + +- Only 500 events can be retrieved in a single API call. \ No newline at end of file diff --git a/stix_shifter_modules/reaqta/__init__.py b/stix_shifter_modules/reaqta/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/stix_shifter_modules/reaqta/configuration/config.json b/stix_shifter_modules/reaqta/configuration/config.json new file mode 100644 index 000000000..401e01848 --- /dev/null +++ b/stix_shifter_modules/reaqta/configuration/config.json @@ -0,0 +1,32 @@ +{ + "connection": { + "type": { + "displayName": "ReaQta" + }, + "host": { + "type": "text", + "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$" + }, + "port": { + "type": "number", + "default": 443, + "min": 1, + "max": 65535 + }, + "help": { + "type": "link", + "default": "data-sources.html" + } + }, + "configuration": { + "auth": { + "type" : "fields", + "app_id": { + "type": "password" + }, + "secret_key": { + "type": "password" + } + } + } +} \ No newline at end of file 
diff --git a/stix_shifter_modules/reaqta/configuration/lang_en.json b/stix_shifter_modules/reaqta/configuration/lang_en.json
new file mode 100644
index 000000000..1b03c3951
--- /dev/null
+++ b/stix_shifter_modules/reaqta/configuration/lang_en.json
@@ -0,0 +1,29 @@
+{
+ "connection": {
+ "host": {
+ "label": "Management IP address or Hostname",
+ "placeholder": "192.168.1.10",
+ "description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+ },
+ "port": {
+ "label": "Host Port",
+ "description": "Set the port number that is associated with the Host name or IP"
+ },
+ "help": {
+ "label": "Need additional help?",
+ "description": "More details on the data source setting can be found in the specified link"
+ }
+ },
+ "configuration": {
+ "auth": {
+ "app_id": {
+ "label": "Reaqta App ID",
+ "description": "Reaqta App ID with access to the Hunt API"
+ },
+ "secret_key": {
+ "label": "Secret Key",
+ "description": "Reaqta App Secret Key with access to the Hunt API"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/entry_point.py b/stix_shifter_modules/reaqta/entry_point.py
new file mode 100644
index 000000000..62f887a6c
--- /dev/null
+++ b/stix_shifter_modules/reaqta/entry_point.py
@@ -0,0 +1,13 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+ def __init__(self, connection={}, configuration={}, options={}):
+ super().__init__(connection, configuration, options)
+ self.set_async(False)
+
+ if connection:
+ self.setup_transmission_basic(connection, configuration)
+
+ self.add_dialect('default', default=True)
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_translation/__init__.py b/stix_shifter_modules/reaqta/stix_translation/__init__.py
new file mode 100644
index 000000000..e69de29bb
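Review bot: `EntryPoint.__init__` in entry_point.py declares mutable default arguments (`connection={}, configuration={}, options={}`); the three dicts are created once at definition time and shared by every caller that omits them. Nothing in this hunk mutates them, so it is a style point rather than a live bug, but the idiomatic form is `def __init__(self, connection=None, configuration=None, options=None):` followed by `super().__init__(connection or {}, configuration or {}, options or {})` and `self.setup_transmission_basic(connection, configuration or {})`, keeping the `if connection:` guard, which already treats None and an empty dict alike. BaseEntryPoint's own signature is outside this diff, so whether it accepts the None form should be confirmed before changing it. The file also ends without a trailing newline.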
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/event_names_map.json b/stix_shifter_modules/reaqta/stix_translation/json/event_names_map.json new file mode 100644 index 000000000..bd3030813 --- /dev/null +++ b/stix_shifter_modules/reaqta/stix_translation/json/event_names_map.json 
@@ -0,0 +1,93 @@ +{ + "1": "Heartbeat", + "2": "Process Created", + "3": "Process Terminated", + "4": "Cross-process Operation", + "5": "File Created", + "6": "File Renamed", + "7": "File Deleted", + "8": "Network Connection Established", + "9": "Registry Persistence", + "10": "Registry Value Set", + "11": "Registry Entry Deleted", + "12": "File Written", + "13": "Executable Dropped", + "14": "Executable Duplicated", + "15": "Keylog", + "16": "Screenshot", + "17": "Privilege Escalation", + "18": "Filesystem Persistence", + "19": "Free with Process", + "20": "Process Impersonation", + "21": "File Read", + "22": "Forged Digital Signature", + "23": "Correlated Alert", + "24": "Harvested Credentials", + "25": "Whitelist Triggered", + "26": "Dll Hijacking", + "27": "Suspicious Script", + "28": "Policy Hit", + "30": "Alert Terminated", + "31": "Behavioral Anomaly", + "32": "Token Stealing", + "33": "Protection Policy", + "34": "Ransomware", + "35": "RAT Behavior", + "36": "WMI Activity", + "37": "ETW WinINet", + "38": "ETW DNS", + "39": "Account Logged On", + "40": "Account Logged On Failed", + "41": "Account Credentials Validation Attempted", + "42": "Account Credentials Logon Attempted", + "43": "Android Microphone On", + "44": "Android Microphone Off", + "45": "Android Camera On", + "46": "Android Camera Off", + "47": "Android Package Installed", + "48": "Android Package Uninstalled", + "49": "DeStra", + "50": "Remediation Process Killed", + "51": "Remediation Endpoint Isolated", + "52": "Remediation File Deleted", + "53": "Kerberos Auth Ticket Requested", + "54": "Kerberos Service Ticket Requested", + "55": "Kerberos Pre Auth Failed", + "56": "Login Special Priv Assigned", + "57": "Module Loaded", + "58": "WMI Process Created", + "59": "DeStra No Process", + "60": "Custom Event", + "61": "Custom Event No Process", + "62": "Macro Enabled Document", + "63": "In Memory Executable", + "64": "Process Killed", + "65": "Mitre ATT&CK ™", + "66": "WMI Event Filter", + "67": 
"WMI Event Consumer", + "68": "WMI Filter To Consumer", + "69": "Registry Key Created", + "70": "COM Object Hijacked", + "71": "User Account Created", + "72": "User Account Deleted", + "73": "Remediation Registry Value Deleted", + "74": "Powershell Script Block Logged", + "75": "ETW Security Audit", + "76": "Anti-Malware Detection", + "77": "Anti-Malware Detection Extended", + "78": "Remediation Anti-Malware", + "79": "Remediation Quarantine", + "80": "Remediation Quarantine", + "81": "Scheduled Task Created", + "82": "Scheduled Task Deleted", + "83": "Scheduled Task Updated", + "84": "Scheduled Task Executed", + "85": "Service Created", + "86": "Service Deleted", + "87": "Service Started", + "88": "Service Stopped", + "89": "Anti-Malware Scan Interface", + "90": "Mitre ATT&CK ™ No Process", + "91": "Correlated Alert No Process", + "93": "Windows Installed Apps" +} \ No newline at end of file diff --git a/stix_shifter_modules/reaqta/stix_translation/json/from_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/from_stix_map.json new file mode 100644 index 000000000..1da3ae26f --- /dev/null +++ b/stix_shifter_modules/reaqta/stix_translation/json/from_stix_map.json 
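Review bot: Codes `"79"` and `"80"` both map to `"Remediation Quarantine"`, so once only the name reaches the STIX output (the README sample shows it surfacing as `x-ibm-finding.name`) the two event types are indistinguishable to an analyst. If the vendor's event-type list really defines two distinct quarantine events, give them distinct names; if one of the two codes is unused, drop it so the table does not suggest a difference that is not there. Codes 29 and 92 are also absent from the table; since JSON carries no comments, a sentence in the README saying the gaps are intentional (if they are) would stop the next maintainer from treating them as omissions.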
@@ -0,0 +1,275 @@ +{ + "directory": { + "fields": { + "path": ["path", "accessor.path", "consumer.workingDirectory", "__etwHomePath"] + } + }, + "file": { + "fields": { + "extensions.'x-reaqta-data'.arch": ["eventdata.arch"], + "extensions.'x-reaqta-data'.file_type": ["eventdata.filetype"], + "extensions.'x-reaqta-data'.fsname": ["filename"], + "extensions.'x-reaqta-program'.arch": ["service.arch"], + "extensions.'x-reaqta-program'.fsname": ["filename"], + "hashes.'MD5'": ["md5"], + "hashes.'SHA-1'": ["sha1"], + "hashes.'SHA-256'": ["sha256"], + "name": ["filename", "consumer.script.filename"], + "parent_directory_ref.path": ["path"], + "size": ["eventdata.size.gte", "eventdata.size.lte"] + } + }, + "ipv4-addr": { + "fields": { + "value": ["login.ip", "ip"] + } + }, + "ipv6-addr": { + "fields": { + "value": ["ip"] + } + }, + "network-traffic": { + "fields": { + "dst_port": ["eventdata.remotePort"], + "dst_ref.value": ["ip"], + "extensions.'x-reaqta-network'.outbound": ["isOutbound"], + "src_port": ["eventdata.localPort"], + "src_ref.value": ["ip"] + } + }, + "process": { + "fields": { + "binary_ref.name": ["filename"], + "creator_user_ref.user_id": [], + "extensions.'windows-process-ext'.owner_sid": ["user.sid"], + "extensions.'x-reaqta-process'.logon_id": ["service.login.id"], + "extensions.'x-reaqta-process'.no_gui": ["service.hasGui"], + "extensions.'x-reaqta-process'.privilege_level": ["service.privilege"], + "name": ["login.processName", "__etwCallerProcessName", "__etwProcessName", "__etwLogonProcessName"], + "parent_ref.binary_ref.name": ["service.ppid"], + "pid": ["wmi.clientPid", "__etwProcessId", "__etwCallerProcessId", "engine.ppid", "host.pid", "accessor.pid", "eventdata.targetProcessId", "pid", "service.pid", "service.ppid", "wmiHost.pid", "engine.pid", "allocator.ppid", "ppid", "allocator.pid", "accessor.ppid"] + } + }, + "url": { + "fields": { + "value": ["eventdata.url"] + } + }, + "user-account": { + "fields": { + "user_id": ["login.src.username", 
"__etwNewTargetUserName", "__etwTargetOutboundUserName", "wmi.user", "accessor.user", "engine.user", "service.user", "__etwOldTargetUserName", "allocator.user", "login.dst.username", "user"] + } + }, + "windows-process-ext": { + "fields": { + "owner_sid": ["engine.user.sid", "accessor.user.sid", "login.src.sid", "service.user.sid", "allocator.user.sid", "user.sid"] + } + }, + "x-ibm-finding": { + "fields": { + "category": ["eventType"], + "dst_ip_ref.value": ["ip"], + "extensions.'x-reaqta-avdetection'.av_scan_reason": ["antimalware.scanReason"], + "extensions.'x-reaqta-avdetection'.av_threat_info_array": ["antimalware.threatInfo"], + "finding_type": ["antimalware.threatType"], + "name": ["antimalware.objectStatus"], + "src_ip_ref.value": ["ip"] + } + }, + "x-oca-asset": { + "fields": { + "extensions.'x-reaqta-consumer'.command_line_template_tokens": ["consumer.cmdline"], + "extensions.'x-reaqta-consumer'.consumer_name": ["wmi.consumerName"], + "extensions.'x-reaqta-consumer'.consumer_type": ["wmi.consumerType"], + "extensions.'x-reaqta-consumer'.event_namespace": ["wmi.eventNamespace"], + "extensions.'x-reaqta-consumer'.executablePath": ["consumer.execPath"], + "extensions.'x-reaqta-consumer'.runInteractively": ["consumer.runInteractively"], + "extensions.'x-reaqta-consumer'.scriptingEngine": ["consumer.script.engine"], + "extensions.'x-reaqta-consumer'.showWindowCommand": ["consumer.showWindowCmd"], + "extensions.'x-wmi-event'.client_machine_fqn": ["wmi.clientMachineFqn"], + "host_id": ["__etwWorkstation"], + "hostname": ["wmi.clientMachine", "wmi.machineName", "__etwWorkstationName"], + "ip_refs[*].value": ["ip"] + } + }, + "x-oca-event": { + "fields": { + "agent": ["antimalware.appName"], + "code": ["eventId", "eventdata.etwEventId"], + "extensions.'x-reaqta-amsi'.content_name": ["antimalware.contentName"], + "extensions.'x-reaqta-amsi'.scan_result": ["antimalware.scanResult"], + "extensions.'x-reaqta-etw'.etw_event_record_id": ["eventdata.etwEventVersion"], + 
"extensions.'x-reaqta-etw'.etw_failure_reason": ["__etwFailureReason"], + "extensions.'x-reaqta-etw'.etw_home_directory": ["__etwHomeDirectory"], + "file_ref.name": ["path"], + "host_ref.x-oca-asset.hostname": ["wmi.clientMachine"], + "ip_refs[*].value": ["login.ip"], + "network_ref.dst_ref.value": ["ip"], + "network_ref.src_ref.value": ["ip"], + "parent_process_ref.pid": ["service.ppid"], + "process_ref.pid": ["wmi.clientPid"], + "user_ref.user_id": [] + } + }, + "x-reaqta-amsi": { + "fields": { + "content_name": ["antimalware.contentName"], + "scan_result": ["antimalware.scanResult"] + } + }, + "x-reaqta-avdetection": { + "fields": { + "av_scan_reason": ["antimalware.scanReason"], + "av_threat_info_array": ["antimalware.threatInfo"] + } + }, + "x-reaqta-cert": { + "fields": { + "expired": ["allocator.expired", "service.expired", "eventdata.cert.expired", "expired", "engine.expired", "accessor.expired"], + "signer": ["engine.signer", "allocator.signer", "service.signer", "signer", "accessor.signer", "eventdata.cert.signer"], + "trusted": ["eventdata.cert.trusted", "service.trusted", "allocator.trusted", "engine.trusted", "accessor.trusted", "trusted"] + } + }, + "x-reaqta-consumer": { + "fields": { + "command_line_template_tokens": ["consumer.cmdline"], + "consumer_name": ["wmi.consumerName"], + "consumer_type": ["wmi.consumerType"], + "event_namespace": ["wmi.eventNamespace"], + "executablePath": ["consumer.execPath"], + "runInteractively": ["consumer.runInteractively"], + "scriptingEngine": ["consumer.script.engine"], + "showWindowCommand": ["consumer.showWindowCmd"] + } + }, + "x-reaqta-data": { + "fields": { + "arch": ["eventdata.arch"], + "file_type": ["eventdata.filetype"], + "fsname": ["filename"] + } + }, + "x-reaqta-etw": { + "fields": { + "etwRestrictedAdminMode": ["__etwRestrictedAdminMode"], + "etwSamAccountName": ["__etwSamAccountName"], + "etwScriptPath": ["__etwScriptPath"], + "etwServiceName": ["__etwServiceName"], + "etwServiceSid": 
["__etwServiceSid"], + "etwSidHistory": ["__etwSidHistory"], + "etwSidList": ["__etwSidList"], + "etwStatus": ["__etwStatus"], + "etwSubStatus": ["__etwSubStatus", "login.src.domain"], + "etwSubjectLogonId": ["login.subjectLogonId"], + "etwTargetDomainName": ["login.dst.domain"], + "etwTargetInfo": ["__etwTargetInfo"], + "etwTargetLinkedLogonId": ["__etwTargetLinkedLogonId"], + "etwTargetLogonGuid": ["__etwTargetLogonGuid"], + "etwTargetLogonId": ["login.targetLogonId"], + "etwTargetOutboundDomainName": ["__etwTargetServerName", "__etwTargetOutboundDomainName"], + "etwTargetSid": ["__etwTargetSid"], + "etwTargetUserSid": ["login.dst.sid"], + "etwTask": ["eventdata.etwTask"], + "etwTicketEncryptionType": ["__etwTicketEncryptionType"], + "etwTicketOptions": ["__etwTicketOptions"], + "etwTransmittedServices": ["__etwTransmittedServices"], + "etwUserAccountControl": ["__etwUserAccountControl"], + "etwUserParameters": ["__etwUserParameters"], + "etwUserPrincipalName": ["__etwUserPrincipalName"], + "etwUserWorkstations": ["__etwUserWorkstations"], + "etwVirtualAccount": ["__etwVirtualAccount"], + "etw_allowed_to_delegateto": ["__etwAllowedToDelegateTo"], + "etw_authentication_packagename": ["login.authenticationPackage"], + "etw_cert_thumbprint": ["__etwCertThumbprint"], + "etw_display_name": ["__etwDisplayName"], + "etw_dummy": ["__etwDummy"], + "etw_elevated_token": ["__etwElevatedToken"], + "etw_event_record_id": ["eventdata.etwEventVersion", "__etwEventRecordId"], + "etw_failure_reason": ["__etwFailureReason"], + "etw_home_directory": ["__etwHomeDirectory"], + "etw_impersonation_level": ["__etwImpersonationLevel"], + "etw_ip_port": ["login.port"], + "etw_key_length": ["__etwKeyLength"], + "etw_lm_package_name": ["login.packageName"], + "etw_logon_guid": ["__etwLogonGuid"], + "etw_logon_hours": ["__etwLogonHours"], + "etw_logon_type": ["login.type"], + "etw_member_name": ["__etwMemberName"], + "etw_member_sid": ["__etwMemberSid"], + "etw_new_uac_value": 
["__etwNewUacValue"], + "etw_old_uac_value": ["__etwOldUacValue"], + "etw_package_name": ["__etwPackageName"], + "etw_password_last_set": ["__etwPasswordLastSet"], + "etw_pre_auth_type": ["__etwPreAuthType"], + "etw_primary_groupId": ["__etwPrimaryGroupId"], + "etw_privilege_list": ["__etwPrivilegeList"], + "etw_profile_path": ["__etwProfilePath"] + } + }, + "x-reaqta-event": { + "fields": { + "action_name": ["task.actionName"], + "custom_name": ["customName"], + "custom_type": ["customType"], + "data": ["reg.data"], + "display_name": ["service.displayName"], + "endpoint_id": ["endpointId"], + "filter_name": ["wmi.filterName"], + "is_local": ["wmi.isLocal"], + "name": ["reg.name"], + "namespace_name": ["wmi.namespaceName"], + "operation": ["wmi.operation"], + "operation_type": ["wmi.operationType"], + "pe_type": ["eventdata.peType"], + "query": ["wmi.query"], + "queryLanguage": ["wmi.queryLanguage"], + "queryName": ["eventdata.dns"], + "region_size": ["eventdata.regionSize.gte", "eventdata.regionSize.lte"], + "relevance": ["eventdata.relevance.lte", "eventdata.relevance.gte", "eventdata.relevance"], + "return_code": ["eventdata.returnCode"], + "root_object": ["path"], + "service_name": ["service.name"], + "service_type": ["service.type"], + "start_type": ["service.startType"], + "tactics": ["mitre.tactic"], + "tags": ["eventdata.tag"], + "task_name": ["task.name"], + "technique": ["mitre.technique"], + "version": ["eventdata.version"] + } + }, + "x-reaqta-network": { + "fields": { + "outbound": ["isOutbound"] + } + }, + "x-reaqta-process": { + "fields": { + "logon_id": ["accessor.login.id", "engine.login.id", "allocator.login.id", "service.login.id", "login.id"], + "no_gui": ["hasGui", "service.hasGui", "engine.hasGui", "allocator.hasGui", "accessor.hasGui"], + "privilege_level": ["privilege", "allocator.privilege", "service.privilege", "accessor.privilege", "engine.privilege"] + } + }, + "x-reaqta-program": { + "fields": { + "arch": ["accessor.arch", 
"allocator.arch", "service.arch", "engine.arch", "arch"],
+ "fsname": ["filename"]
+ }
+ },
+ "x-wmi-event": {
+ "fields": {
+ "client_machine_fqn": ["wmi.clientMachineFqn"]
+ }
+ },
+ "x509-certificate": {
+ "fields": {
+ "extensions.'x-reaqta-cert'.expired": ["service.expired"],
+ "extensions.'x-reaqta-cert'.signer": ["signer"],
+ "extensions.'x-reaqta-cert'.trusted": ["trusted"],
+ "extensions.'x-reaqta-etw'.etw_cert_thumbprint": ["__etwCertThumbprint"],
+ "issuer": ["accessor.issuer", "eventdata.cert.issuer", "allocator.issuer", "__etwCertIssuerName", "issuer", "engine.issuer", "service.issuer"],
+ "serial_number": ["__etwCertSerialNumber"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/network_protocol_map.json b/stix_shifter_modules/reaqta/stix_translation/json/network_protocol_map.json
new file mode 100644
index 000000000..88b539f09
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/json/network_protocol_map.json
@@ -0,0 +1,5 @@
+{
+ "0": "tcp",
+ "1": "udp",
+ "2": "icmp"
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/operators.json b/stix_shifter_modules/reaqta/stix_translation/json/operators.json
new file mode 100644
index 000000000..02205c05c
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/json/operators.json
@@ -0,0 +1,13 @@
+{
+ "ComparisonExpressionOperators.And": "AND",
+ "ComparisonExpressionOperators.Or": "OR",
+ "ComparisonComparators.GreaterThanOrEqual": ".gte",
+ "ComparisonComparators.LessThanOrEqual": ".lte",
+ "ComparisonComparators.Equal": "=",
+ "ComparisonComparators.NotEqual": "!=",
+ "ComparisonComparators.Like": "=",
+ "ComparisonComparators.In": "=",
+ "ComparisonComparators.Matches": "=",
+ "ObservationOperators.Or": "OR",
+ "ObservationOperators.And": "AND"
+}
\ No newline at end of file
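Review bot: In from_stix_map.json, `process` → `creator_user_ref.user_id` and `x-oca-event` → `user_ref.user_id` map to empty lists, so a STIX comparison on either property has no HunQ field to translate to; unless query_constructor.py (not in this chunk) rejects an empty mapping explicitly, the comparison would drop out of the generated query and the hunt returns broader results than the analyst asked for. Either populate them with the user fields already used under `user-account.user_id` (`user`, `login.src.username`, `login.dst.username`) or remove the keys so the unsupported-property path is taken. Separately, `x-ibm-finding` here maps `category` to `eventType` and `finding_type` to `antimalware.threatType` only, while the stix_2_1 copy that starts below has no `category` and lists `eventType` under `finding_type`; the two maps should agree on which STIX property carries the event type, since a pattern written for one spec version otherwise translates differently under the other.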
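Review bot: `ComparisonComparators.Like`, `ComparisonComparators.In` and `ComparisonComparators.Matches` all translate to `=`, the same token as `Equal`, so a STIX `LIKE '%name%'` or `MATCHES` comparison would be emitted as an exact equality against the literal pattern unless query_constructor.py (outside this chunk) rewrites the value or expands the list. If HunQ has no wildcard or regex operator, the constructor should raise an unsupported-operator error for these comparators instead of emitting a silently narrower query, because a hunt that matches nothing is easy to mistake for a clean result. If it does rewrite them, a README line stating which comparators are supported and how each is translated would save the next maintainer the same investigation.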
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json new file mode 100644 index 000000000..2a58ed0dd --- /dev/null +++ b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/from_stix_map.json 
@@ -0,0 +1,274 @@
+{
+ "directory": {
+ "fields": {
+ "path": ["__etwHomePath", "accessor.path", "path", "consumer.workingDirectory"]
+ }
+ },
+ "file": {
+ "fields": {
+ "extensions.'x-reaqta-data'.arch": ["eventdata.arch"],
+ "extensions.'x-reaqta-data'.file_type": ["eventdata.filetype"],
+ "extensions.'x-reaqta-data'.fsname": ["filename"],
+ "extensions.'x-reaqta-program'.arch": ["service.arch"],
+ "extensions.'x-reaqta-program'.fsname": ["filename"],
+ "hashes.'MD5'": ["md5"],
+ "hashes.'SHA-1'": ["sha1"],
+ "hashes.'SHA-256'": ["sha256"],
+ "name": ["consumer.script.filename", "filename"],
+ "parent_directory_ref.path": ["path"],
+ "size": ["eventdata.size.lte", "eventdata.size.gte"]
+ }
+ },
+ "ipv4-addr": {
+ "fields": {
+ "value": ["login.ip", "ip"]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": ["ip"]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "dst_port": ["eventdata.remotePort"],
+ "dst_ref.value": ["ip"],
+ "extensions.'x-reaqta-network'.outbound": ["isOutbound"],
+ "src_port": ["eventdata.localPort"],
+ "src_ref.value": ["ip"]
+ }
+ },
+ "process": {
+ "fields": {
+ "binary_ref.name": ["filename"],
+ "creator_user_ref.user_id": [],
+ "extensions.'windows-process-ext'.owner_sid": ["user.sid"],
+ "extensions.'x-reaqta-process'.logon_id": ["service.login.id"],
+ "extensions.'x-reaqta-process'.no_gui": ["service.hasGui"],
+ "extensions.'x-reaqta-process'.privilege_level": ["service.privilege"],
+ "name": ["__etwCallerProcessName", "login.processName", "__etwLogonProcessName", "__etwProcessName"],
+ "parent_ref.binary_ref.name": ["service.ppid"],
+ "pid": ["engine.ppid", "service.pid", "ppid", "service.ppid", "pid", "eventdata.targetProcessId", "wmiHost.pid", "__etwProcessId", "wmi.clientPid", "engine.pid", "host.pid", "allocator.pid", "accessor.pid", "allocator.ppid", "accessor.ppid", "__etwCallerProcessId"]
+ }
+ },
+ "url": {
+ "fields": {
+ "value": ["eventdata.url"]
+ }
+ },
+ "user-account": {
+ "fields": {
+ "user_id": ["allocator.user", "service.user", "engine.user", "__etwTargetOutboundUserName", "user", "__etwOldTargetUserName", "__etwNewTargetUserName", "accessor.user", "wmi.user", "login.src.username", "login.dst.username"]
+ }
+ },
+ "windows-process-ext": {
+ "fields": {
+ "owner_sid": ["engine.user.sid", "login.src.sid", "accessor.user.sid", "user.sid", "allocator.user.sid", "service.user.sid"]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "dst_ip_ref.value": ["ip"],
+ "extensions.'x-reaqta-avdetection'.av_scan_reason": ["antimalware.scanReason"],
+ "extensions.'x-reaqta-avdetection'.av_threat_info_array": ["antimalware.threatInfo"],
+ "finding_type": ["antimalware.threatType", "eventType"],
+ "name": ["antimalware.objectStatus"],
+ "src_ip_ref.value": ["ip"]
+ }
+ },
+ "x-oca-asset": {
+ "fields": {
+ "extensions.'x-reaqta-consumer'.command_line_template_tokens": ["consumer.cmdline"],
+ "extensions.'x-reaqta-consumer'.consumer_name": ["wmi.consumerName"],
+ "extensions.'x-reaqta-consumer'.consumer_type": ["wmi.consumerType"],
+ "extensions.'x-reaqta-consumer'.event_namespace": ["wmi.eventNamespace"],
+ "extensions.'x-reaqta-consumer'.executablePath": ["consumer.execPath"],
+ "extensions.'x-reaqta-consumer'.runInteractively": ["consumer.runInteractively"],
+ "extensions.'x-reaqta-consumer'.scriptingEngine": ["consumer.script.engine"],
+ "extensions.'x-reaqta-consumer'.showWindowCommand": ["consumer.showWindowCmd"],
+ "extensions.'x-wmi-event'.client_machine_fqn": ["wmi.clientMachineFqn"],
+ "host_id": ["__etwWorkstation"],
+ "hostname": ["wmi.machineName", "__etwWorkstationName", "wmi.clientMachine"],
+ "ip_refs[*].value": ["ip"]
+ }
+ },
+ "x-oca-event": {
+ "fields": {
+ "agent": ["antimalware.appName"],
+ "code": ["eventdata.etwEventId", "eventId"],
+ "extensions.'x-reaqta-amsi'.content_name": ["antimalware.contentName"],
+ "extensions.'x-reaqta-amsi'.scan_result": ["antimalware.scanResult"],
+ "extensions.'x-reaqta-etw'.etw_event_record_id": ["eventdata.etwEventVersion"],
+ "extensions.'x-reaqta-etw'.etw_failure_reason": ["__etwFailureReason"],
+ "extensions.'x-reaqta-etw'.etw_home_directory": ["__etwHomeDirectory"],
+ "file_ref.name": ["path"],
+ "host_ref.x-oca-asset.hostname": ["wmi.clientMachine"],
+ "ip_refs[*].value": ["login.ip"],
+ "network_ref.dst_ref.value": ["ip"],
+ "network_ref.src_ref.value": ["ip"],
+ "parent_process_ref.pid": ["service.ppid"],
+ "process_ref.pid": ["wmi.clientPid"],
+ "user_ref.user_id": []
+ }
+ },
+ "x-reaqta-amsi": {
+ "fields": {
+ "content_name": ["antimalware.contentName"],
+ "scan_result": ["antimalware.scanResult"]
+ }
+ },
+ "x-reaqta-avdetection": {
+ "fields": {
+ "av_scan_reason": ["antimalware.scanReason"],
+ "av_threat_info_array": ["antimalware.threatInfo"]
+ }
+ },
+ "x-reaqta-cert": {
+ "fields": {
+ "expired": ["eventdata.cert.expired", "engine.expired", "service.expired", "allocator.expired", "expired", "accessor.expired"],
+ "signer": ["eventdata.cert.signer", "engine.signer", "accessor.signer", "service.signer", "signer", "allocator.signer"],
+ "trusted": ["allocator.trusted", "accessor.trusted", "eventdata.cert.trusted", "trusted", "service.trusted", "engine.trusted"]
+ }
+ },
+ "x-reaqta-consumer": {
+ "fields": {
+ "command_line_template_tokens": ["consumer.cmdline"],
+ "consumer_name": ["wmi.consumerName"],
+ "consumer_type": ["wmi.consumerType"],
+ "event_namespace": ["wmi.eventNamespace"],
+ "executablePath": ["consumer.execPath"],
+ "runInteractively": ["consumer.runInteractively"],
+ "scriptingEngine": ["consumer.script.engine"],
+ "showWindowCommand": ["consumer.showWindowCmd"]
+ }
+ },
+ "x-reaqta-data": {
+ "fields": {
+ "arch": ["eventdata.arch"],
+ "file_type": ["eventdata.filetype"],
+ "fsname": ["filename"]
+ }
+ },
+ "x-reaqta-etw": {
+ "fields": {
+ "etwRestrictedAdminMode": ["__etwRestrictedAdminMode"],
+ "etwSamAccountName": ["__etwSamAccountName"],
+ "etwScriptPath": ["__etwScriptPath"],
+ "etwServiceName": ["__etwServiceName"],
+ "etwServiceSid": ["__etwServiceSid"],
+ "etwSidHistory": ["__etwSidHistory"],
+ "etwSidList": ["__etwSidList"],
+ "etwStatus": ["__etwStatus"],
+ "etwSubStatus": ["login.src.domain", "__etwSubStatus"],
+ "etwSubjectLogonId": ["login.subjectLogonId"],
+ "etwTargetDomainName": ["login.dst.domain"],
+ "etwTargetInfo": ["__etwTargetInfo"],
+ "etwTargetLinkedLogonId": ["__etwTargetLinkedLogonId"],
+ "etwTargetLogonGuid": ["__etwTargetLogonGuid"],
+ "etwTargetLogonId": ["login.targetLogonId"],
+ "etwTargetOutboundDomainName": ["__etwTargetOutboundDomainName", "__etwTargetServerName"],
+ "etwTargetSid": ["__etwTargetSid"],
+ "etwTargetUserSid": ["login.dst.sid"],
+ "etwTask": ["eventdata.etwTask"],
+ "etwTicketEncryptionType": ["__etwTicketEncryptionType"],
+ "etwTicketOptions": ["__etwTicketOptions"],
+ "etwTransmittedServices": ["__etwTransmittedServices"],
+ "etwUserAccountControl": ["__etwUserAccountControl"],
+ "etwUserParameters": ["__etwUserParameters"],
+ "etwUserPrincipalName": ["__etwUserPrincipalName"],
+ "etwUserWorkstations": ["__etwUserWorkstations"],
+ "etwVirtualAccount": ["__etwVirtualAccount"],
+ "etw_allowed_to_delegateto": ["__etwAllowedToDelegateTo"],
+ "etw_authentication_packagename": ["login.authenticationPackage"],
+ "etw_cert_thumbprint": ["__etwCertThumbprint"],
+ "etw_display_name": ["__etwDisplayName"],
+ "etw_dummy": ["__etwDummy"],
+ "etw_elevated_token": ["__etwElevatedToken"],
+ "etw_event_record_id": ["__etwEventRecordId", "eventdata.etwEventVersion"],
+ "etw_failure_reason": ["__etwFailureReason"],
+ "etw_home_directory": ["__etwHomeDirectory"],
+ "etw_impersonation_level": ["__etwImpersonationLevel"],
+ "etw_ip_port": ["login.port"],
+ "etw_key_length": ["__etwKeyLength"],
+ "etw_lm_package_name": ["login.packageName"],
+ "etw_logon_guid": ["__etwLogonGuid"],
+ "etw_logon_hours": ["__etwLogonHours"],
+ "etw_logon_type": ["login.type"],
+ "etw_member_name": ["__etwMemberName"],
+ "etw_member_sid": ["__etwMemberSid"],
+ "etw_new_uac_value": ["__etwNewUacValue"],
+ "etw_old_uac_value": ["__etwOldUacValue"],
+ "etw_package_name": ["__etwPackageName"],
+ "etw_password_last_set": ["__etwPasswordLastSet"],
+ "etw_pre_auth_type": ["__etwPreAuthType"],
+ "etw_primary_groupId": ["__etwPrimaryGroupId"],
+ "etw_privilege_list": ["__etwPrivilegeList"],
+ "etw_profile_path": ["__etwProfilePath"]
+ }
+ },
+ "x-reaqta-event": {
+ "fields": {
+ "action_name": ["task.actionName"],
+ "custom_name": ["customName"],
+ "custom_type": ["customType"],
+ "data": ["reg.data"],
+ "display_name": ["service.displayName"],
+ "endpoint_id": ["endpointId"],
+ "filter_name": ["wmi.filterName"],
+ "is_local": ["wmi.isLocal"],
+ "name": ["reg.name"],
+ "namespace_name": ["wmi.namespaceName"],
+ "operation": ["wmi.operation"],
+ "operation_type": ["wmi.operationType"],
+ "pe_type": ["eventdata.peType"],
+ "query": ["wmi.query"],
+ "queryLanguage": ["wmi.queryLanguage"],
+ "queryName": ["eventdata.dns"],
+ "region_size": ["eventdata.regionSize.lte", "eventdata.regionSize.gte"],
+ "relevance": ["eventdata.relevance", "eventdata.relevance.lte", "eventdata.relevance.gte"],
+ "return_code": ["eventdata.returnCode"],
+ "root_object": ["path"],
+ "service_name": ["service.name"],
+ "service_type": ["service.type"],
+ "start_type": ["service.startType"],
+ "tactics": ["mitre.tactic"],
+ "tags": ["eventdata.tag"],
+ "task_name": ["task.name"],
+ "technique": ["mitre.technique"],
+ "version": ["eventdata.version"]
+ }
+ },
+ "x-reaqta-network": {
+ "fields": {
+ "outbound": ["isOutbound"]
+ }
+ },
+ "x-reaqta-process": {
+ "fields": {
+ "logon_id": ["allocator.login.id", "accessor.login.id", "login.id", "engine.login.id", "service.login.id"],
+ "no_gui": ["allocator.hasGui", "hasGui", "service.hasGui", "engine.hasGui", "accessor.hasGui"],
+ "privilege_level": ["service.privilege", "engine.privilege", "allocator.privilege", "privilege", "accessor.privilege"]
+ }
+ },
+ "x-reaqta-program": {
+ "fields": {
+ "arch": ["engine.arch", "arch", "service.arch", "allocator.arch", "accessor.arch"],
+ "fsname": ["filename"]
+ }
+ },
+ "x-wmi-event": {
+ "fields": {
+ "client_machine_fqn": ["wmi.clientMachineFqn"]
+ }
+ },
+ "x509-certificate": {
+ "fields": {
+ "extensions.'x-reaqta-cert'.expired": ["service.expired"],
+ "extensions.'x-reaqta-cert'.signer": ["signer"],
+ "extensions.'x-reaqta-cert'.trusted": ["trusted"],
+ "extensions.'x-reaqta-etw'.etw_cert_thumbprint": ["__etwCertThumbprint"],
+ "issuer": ["issuer", "engine.issuer", "allocator.issuer", "accessor.issuer", "__etwCertIssuerName", "service.issuer", "eventdata.cert.issuer"],
+ "serial_number": ["__etwCertSerialNumber"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json
new file mode 100644
index 000000000..2264a519f
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/json/stix_2_1/to_stix_map.json
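Review bot: In the `process` object of stix_2_1/from_stix_map.json, `"parent_ref.binary_ref.name": ["service.ppid"]` maps a parent binary *name* onto a parent *pid* field, so a pattern on the parent's executable name is emitted as a file-name comparison against a process id and can never match. The same object's `pid` list also folds the parent-pid fields (`engine.ppid`, `ppid`, `service.ppid`, `allocator.ppid`, `accessor.ppid`) into `process:pid`, so a hunt for `[process:pid = 4]` returns every event whose parent is pid 4 as well — an over-match that the analyst cannot see from the STIX pattern; those entries belong under a `"parent_ref.pid": ["engine.ppid", "ppid", "service.ppid", "allocator.ppid", "accessor.ppid"]` key and `parent_ref.binary_ref.name` needs a real parent-filename field or should be removed. Two further entries look like copy-paste slips worth checking against the ReaQta schema: `"etwSubStatus": ["login.src.domain", "__etwSubStatus"]` pairs a logon-failure sub-status with a source domain, and `x-oca-event` maps `etw_event_record_id` to `eventdata.etwEventVersion` while `x-reaqta-etw` maps it to `__etwEventRecordId`. The empty lists for `creator_user_ref.user_id` and `user_ref.user_id` are only safe if query_constructor.py (not in this hunk) raises on an unmapped field rather than dropping the constraint and broadening the hunt.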
@@ -0,0 +1,2033 @@ +{ + "endpointId": { + "key": "x-reaqta-event.endpoint_id", + "object": "x-reaqta" + }, + "eventId": { + "key": "x-oca-event.code", + "object": "event", + "transformer": "ToInteger" + }, + "happenedAt": [ + { + "cybox": false, + "key": "first_observed" + }, + { + "cybox": false, + "key": "last_observed" + } + ], + "receivedAt": { + "key": "x-oca-event.created", + "object": "event" + }, + "payload": { + "eventName": { + "key": "x-oca-event.action", + "object": "event" + }, + "eventType": { + "key": "x-ibm-finding.category", + "object": "event", + "transformer": "ToString" + }, + "incidents": { + "key": "x-ibm-finding.extensions.x-reaqta-alert-ext.incidents", + "object": "x-ibm-finding" + }, + "triggeredIncidents": { + "key": "x-ibm-finding.extensions.x-reaqta-alert-ext.triggered_incidents", + "object": "x-ibm-finding" + }, + "localId": { + "key": "x-reaqta-event.local_id", + "object": "x-reaqta" + }, + "process": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", + "object": "process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "process" + }, + "pid": [ + { + "key": "process.pid", + "object": "process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "event", + "references": "process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "process", + "references": "parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "event", + "references": "parent_process" + } + ], + 
"privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "file" + }, + { + "key": "process.binary_ref", + "object": "process", + "references": "file" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "file" + }, + "path": [ + { + "key": "directory.path", + "object": "dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + }, + { + "key": "file.parent_directory_ref", + "object": "file", + "references": "dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "file" + }, + "size": { + "key": "file.size", + "object": "file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "process" + }, + "startTime": { + "key": "process.created", + "object": "process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "process", + "references": "useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "event", + "references": "useraccount" + } + ], + "userSID": { + "key": 
"process.extensions.windows-process-ext.owner_sid", + "object": "process" + } + }, + "data": { + "accessorProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", + "object": "accessorProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "accessorProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "accessorProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "accessorProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "accessorProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "accessorProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "accessorProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "accessorProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "accessorProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": 
"x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "accessorProcess_file" + }, + { + "key": "process.binary_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "accessorProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "accessorProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "accessorProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "accessorProcess_file", + "references": "accessorProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "accessorProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "accessorProcess_file" + }, + "size": { + "key": "file.size", + "object": "accessorProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "accessorProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "accessorProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "accessorProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "accessorProcess_process" + } + }, + "actionName": { + "key": "x-reaqta-event.action_name", + "object": "x-reaqta" + }, + "addressFamily": { + "key": 
"network-traffic.extensions.x-reaqta-network.address_family", + "object": "nt" + }, + "allocatorProc": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", + "object": "allocatorProc_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "allocatorProc_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "allocatorProc_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "allocatorProc_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "allocatorProc_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "allocatorProc_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "allocatorProc_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "allocatorProc_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "allocatorProc_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + 
"filename": [ + { + "key": "file.name", + "object": "allocatorProc_file" + }, + { + "key": "process.binary_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "allocatorProc_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "allocatorProc_file" + }, + "path": [ + { + "key": "directory.path", + "object": "allocatorProc_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_file" + }, + { + "key": "file.parent_directory_ref", + "object": "allocatorProc_file", + "references": "allocatorProc_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "allocatorProc_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "allocatorProc_file" + }, + "size": { + "key": "file.size", + "object": "allocatorProc_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "allocatorProc_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "allocatorProc_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "allocatorProc_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "allocatorProc_process" + } + }, + "appName": { + "key": "x-oca-event.agent", + "object": "antimalware_event" + }, + "arch": { + "key": "file.extensions.x-reaqta-data.arch", + "object": "file_data" + }, + "avObjectStatus": { + "key": "x-ibm-finding.name", + "object": "finding_data" + }, + 
"avScanReason": { + "key": "x-ibm-finding.extensions.x-reaqta-avdetection.av_scan_reason", + "object": "finding_data" + }, + "avThreatInfoArray": { + "key": "x-ibm-finding.extensions.x-reaqta-avdetection.av_threat_info_array", + "object": "finding_data" + }, + "avThreatType": { + "key": "x-ibm-finding.finding_type", + "object": "finding_data" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "childProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", + "object": "childProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "childProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "childProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "childProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "childProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "childProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "childProcess_event", + "references": "childProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "childProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "childProcess_process", + "references": "childProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "childProcess_event", + "references": "childProcess_parent_process" + } + ], + 
"privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "childProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "childProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "childProcess_file" + }, + { + "key": "process.binary_ref", + "object": "childProcess_process", + "references": "childProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "childProcess_event", + "references": "childProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "childProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "childProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "childProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "childProcess_event", + "references": "childProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "childProcess_file", + "references": "childProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "childProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "childProcess_file" + }, + "size": { + "key": "file.size", + "object": "childProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "childProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "childProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": 
"childProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "childProcess_process", + "references": "childProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "childProcess_event", + "references": "childProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "childProcess_process" + } + }, + "clientMachine": [ + { + "key": "x-oca-asset.hostname", + "object": "asset_data" + }, + { + "key": "x-oca-event.host_ref", + "object": "event_data", + "references": "asset_data" + } + ], + "clientMachineFqn": { + "key": "x-oca-asset.extensions.x-wmi-event.client_machine_fqn", + "object": "asset_data" + }, + "clientPid": [ + { + "key": "process.pid", + "object": "process_data", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "event_data", + "references": "process_data" + } + ], + "cmdLine": { + "key": "process.command_line", + "object": "process" + }, + "cmdLineArgs": { + "key": "process.extensions.x-reaqta-process-ext.command_line_args", + "object": "process" + }, + "consumerData": { + "commandLineTemplateTokens": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.command_line_template_tokens", + "object": "consumerData" + }, + "executablePath": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.executablePath", + "object": "consumerData" + }, + "runInteractively": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.runInteractively", + "object": "consumerData" + }, + "scriptFileName": { + "key": "file.name", + "object": "file_consumerData" + }, + "scriptingEngine": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.scriptingEngine", + "object": "consumerData" + }, + "showWindowCommand": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.showWindowCommand", + "object": "consumerData" + }, + "workingDirectory": [ + { + "key": "directory.path", + "object": "dir_consumerData", + "transformer": "ToDirectoryPath" + }, + { + 
"key": "file.parent_directory_ref", + "object": "file_consumerData", + "references": "dir_consumerData" + } + ] + }, + "consumerName": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.consumer_name", + "object": "consumerData" + }, + "consumerType": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.consumer_type", + "object": "consumerData" + }, + "contentName": { + "key": "x-oca-event.extensions.x-reaqta-amsi.content_name", + "object": "antimalware_event" + }, + "customName": { + "key": "x-reaqta-event.custom_name", + "object": "x-reaqta" + }, + "customType": { + "key": "x-reaqta-event.custom_type", + "object": "x-reaqta" + }, + "data": { + "key": "x-reaqta-event.data", + "object": "x-reaqta" + }, + "displayName": { + "key": "x-reaqta-event.display_name", + "object": "x-reaqta" + }, + "engineProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", + "object": "engineProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "engineProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "engineProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "engineProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "engineProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "engineProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "engineProcess_event", + "references": "engineProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "engineProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "engineProcess_process", + "references": "engineProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "engineProcess_event", + "references": 
"engineProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "engineProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "engineProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "engineProcess_file" + }, + { + "key": "process.binary_ref", + "object": "engineProcess_process", + "references": "engineProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "engineProcess_event", + "references": "engineProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "engineProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "engineProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "engineProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "engineProcess_event", + "references": "engineProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "engineProcess_file", + "references": "engineProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "engineProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "engineProcess_file" + }, + "size": { + "key": "file.size", + "object": "engineProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "engineProcess_process", + "transformer": "EpochToTimestamp" + }, + "startTime": { + "key": "x-oca-event.start", + "object": 
"engineProcess_event", + "transformer": "EpochToTimestamp" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "engineProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "engineProcess_process", + "references": "engineProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "engineProcess_event", + "references": "engineProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "engineProcess_process" + } + }, + "etwAllowedToDelegateTo": { + "key": "x-reaqta-etw.etw_allowed_to_delegateto", + "object": "x-etw" + }, + "etwAuthenticationPackageName": { + "key": "x-reaqta-etw.etw_authentication_packagename", + "object": "x-etw" + }, + "etwCallerProcessId": [ + { + "key": "process.pid", + "object": "process_etw", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "etw_event", + "references": "process_etw" + } + ], + "etwCallerProcessName": [ + { + "key": "file.name", + "object": "etw_file" + }, + { + "key": "process.binary_ref", + "object": "process_etw", + "references": "etw_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "etw_event", + "references": "etw_file" + } + ], + "etwCertIssuerName": { + "key": "x509-certificate.issuer", + "object": "etw_cert" + }, + "etwCertSerialNumber": { + "key": "x509-certificate.serial_number", + "object": "etw_cert" + }, + "etwCertThumbprint": { + "key": "x509-certificate.extensions.x-reaqta-etw.etw_cert_thumbprint", + "object": "etw_cert" + }, + "etwDisplayName": { + "key": "x-reaqta-etw.etw_display_name", + "object": "x-etw" + }, + "etwDummy": { + "key": "x-reaqta-etw.etw_dummy", + "object": "x-etw" + }, + "etwElevatedToken": { + "key": "x-reaqta-etw.etw_elevated_token", + "object": "x-etw" + }, + "etwEventId": { + "key": "x-oca-event.code", + "object": "etw_event", + "transformer": "ToInteger" + }, + "etwEventRecordId": { + "key": 
"x-oca-event.extensions.x-reaqta-etw.etw_event_record_id",
+ "object": "etw_event"
+ },
+ "etwEventVersion": {
+ "key": "x-oca-event.extensions.x-reaqta-etw.etw_event_record_id",
+ "object": "etw_event"
+ },
+ "etwFailureReason": {
+ "key": "x-oca-event.extensions.x-reaqta-etw.etw_failure_reason",
+ "object": "etw_event"
+ },
+ "etwHomeDirectory": {
+ "key": "x-oca-event.extensions.x-reaqta-etw.etw_home_directory",
+ "object": "etw_event"
+ },
+ "etwHomePath": [
+ {
+ "key": "directory.path",
+ "object": "etw_dir",
+ "transformer": "ToDirectoryPath"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "etw_event",
+ "references": "serviceProcess_file"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "etw_file",
+ "references": "etw_event"
+ }
+ ],
+ "etwImpersonationLevel": {
+ "key": "x-reaqta-etw.etw_impersonation_level",
+ "object": "x-etw"
+ },
+ "etwIpAddress": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "etw_ip"
+ },
+ {
+ "key": "x-oca-event.ip_refs",
+ "object": "etw_event",
+ "references": ["etw_ip"]
+ },
+ {
+ "key": "x-oca-asset.ip_refs",
+ "object": "etw_asset",
+ "references": ["etw_ip"],
+ "group": true
+ }
+ ],
+ "etwIpPort": {
+ "key": "x-reaqta-etw.etw_ip_port",
+ "object": "x-etw"
+ },
+ "etwKeyLength": {
+ "key": "x-reaqta-etw.etw_key_length",
+ "object": "x-etw"
+ },
+ "etwLmPackageName": {
+ "key": "x-reaqta-etw.etw_lm_package_name",
+ "object": "x-etw"
+ },
+ "etwLogonGuid": {
+ "key": "x-reaqta-etw.etw_logon_guid",
+ "object": "x-etw"
+ },
+ "etwLogonHours": {
+ "key": "x-reaqta-etw.etw_logon_hours",
+ "object": "x-etw"
+ },
+ "etwLogonProcessName": [
+ {
+ "key": "file.name",
+ "object": "etw_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "process_etw",
+ "references": "etw_file"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "etw_event",
+ "references": "etw_file"
+ }
+ ],
+ "etwLogonType": {
+ "key": "x-reaqta-etw.etw_logon_type",
+ "object": "x-etw"
+ },
+ "etwMemberName": {
+ "key": 
"x-reaqta-etw.etw_member_name", + "object": "x-etw" + }, + "etwMemberSid": { + "key": "x-reaqta-etw.etw_member_sid", + "object": "x-etw" + }, + "etwNewTargetUserName": { + "key": "user-account.user_id", + "object": "etwNewTargetUserName" + }, + "etwNewUacValue": { + "key": "x-reaqta-etw.etw_new_uac_value", + "object": "x-etw" + }, + "etwOldTargetUserName": { + "key": "user-account.user_id", + "object": "etwOldTargetUserName" + }, + "etwOldUacValue": { + "key": "x-reaqta-etw.etw_old_uac_value", + "object": "x-etw" + }, + "etwPackageName": { + "key": "x-reaqta-etw.etw_package_name", + "object": "x-etw" + }, + "etwPasswordLastSet": { + "key": "x-reaqta-etw.etw_password_last_set", + "object": "x-etw" + }, + "etwPreAuthType": { + "key": "x-reaqta-etw.etw_pre_auth_type", + "object": "x-etw" + }, + "etwPrimaryGroupId": { + "key": "x-reaqta-etw.etw_primary_groupId", + "object": "x-etw" + }, + "etwPrivilegeList": { + "key": "x-reaqta-etw.etw_privilege_list", + "object": "x-etw" + }, + "etwProcessId": [ + { + "key": "process.pid", + "object": "process_etw", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "etw_event", + "references": "process_etw" + } + ], + "etwProcessName": [ + { + "key": "file.name", + "object": "etw_file" + }, + { + "key": "process.binary_ref", + "object": "process_etw", + "references": "etw_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "etw_event", + "references": "etw_file" + } + ], + "etwProfilePath": { + "key": "x-reaqta-etw.etw_profile_path", + "object": "x-etw" + }, + "etwRestrictedAdminMode": { + "key": "x-reaqta-etw.etwRestrictedAdminMode", + "object": "x-etw" + }, + "etwSamAccountName": { + "key": "x-reaqta-etw.etwSamAccountName", + "object": "x-etw" + }, + "etwScriptPath": { + "key": "x-reaqta-etw.etwScriptPath", + "object": "x-etw" + }, + "etwServiceName": { + "key": "x-reaqta-etw.etwServiceName", + "object": "x-etw" + }, + "etwServiceSid": { + "key": "x-reaqta-etw.etwServiceSid", + "object": 
"x-etw" + }, + "etwSidHistory": { + "key": "x-reaqta-etw.etwSidHistory", + "object": "x-etw" + }, + "etwSidList": { + "key": "x-reaqta-etw.etwSidList", + "object": "x-etw" + }, + "etwStatus": { + "key": "x-reaqta-etw.etwStatus", + "object": "x-etw" + }, + "etwSubStatus": { + "key": "x-reaqta-etw.etwSubStatus", + "object": "x-etw" + }, + "etwSubjectDomainName": { + "key": "x-reaqta-etw.etwSubStatus", + "object": "x-etw" + }, + "etwSubjectLogonId": { + "key": "x-reaqta-etw.etwSubjectLogonId", + "object": "x-etw" + }, + "etwSubjectUserName": [ + { + "key": "user-account.user_id", + "object": "etw_user" + }, + { + "key": "process.creator_user_ref", + "object": "process_etw", + "references": "etw_user" + }, + { + "key": "x-oca-event.user_ref", + "object": "etw_event", + "references": "etw_user" + } + ], + "etwSubjectUserSid": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "process_etw" + }, + "etwTargetDomainName": { + "key": "x-reaqta-etw.etwTargetDomainName", + "object": "x-etw" + }, + "etwTargetInfo": { + "key": "x-reaqta-etw.etwTargetInfo", + "object": "x-etw" + }, + "etwTargetLinkedLogonId": { + "key": "x-reaqta-etw.etwTargetLinkedLogonId", + "object": "x-etw" + }, + "etwTargetLogonGuid": { + "key": "x-reaqta-etw.etwTargetLogonGuid", + "object": "x-etw" + }, + "etwTargetLogonId": { + "key": "x-reaqta-etw.etwTargetLogonId", + "object": "x-etw" + }, + "etwTargetOutboundDomainName": { + "key": "x-reaqta-etw.etwTargetOutboundDomainName", + "object": "x-etw" + }, + "etwTargetOutboundUserName": { + "key": "user-account.user_id", + "object": "etwTargetOutboundUserName" + }, + "etwTargetServerName": { + "key": "x-reaqta-etw.etwTargetOutboundDomainName", + "object": "x-etw" + }, + "etwTargetSid": { + "key": "x-reaqta-etw.etwTargetSid", + "object": "x-etw" + }, + "etwTargetUserName": { + "key": "user-account.user_id", + "object": "etwTargetUserName" + }, + "etwTargetUserSid": { + "key": "x-reaqta-etw.etwTargetUserSid", + "object": "x-etw" + }, + 
"etwTask": { + "key": "x-reaqta-etw.etwTask", + "object": "x-etw" + }, + "etwTicketEncryptionType": { + "key": "x-reaqta-etw.etwTicketEncryptionType", + "object": "x-etw" + }, + "etwTicketOptions": { + "key": "x-reaqta-etw.etwTicketOptions", + "object": "x-etw" + }, + "etwTransmittedServices": { + "key": "x-reaqta-etw.etwTransmittedServices", + "object": "x-etw" + }, + "etwUserAccountControl": { + "key": "x-reaqta-etw.etwUserAccountControl", + "object": "x-etw" + }, + "etwUserParameters": { + "key": "x-reaqta-etw.etwUserParameters", + "object": "x-etw" + }, + "etwUserPrincipalName": { + "key": "x-reaqta-etw.etwUserPrincipalName", + "object": "x-etw" + }, + "etwUserWorkstations": { + "key": "x-reaqta-etw.etwUserWorkstations", + "object": "x-etw" + }, + "etwVirtualAccount": { + "key": "x-reaqta-etw.etwVirtualAccount", + "object": "x-etw" + }, + "etwWorkstation": { + "key": "x-oca-asset.host_id", + "object": "etw_asset" + }, + "etwWorkstationName": { + "key": "x-oca-asset.hostname", + "object": "etw_asset" + }, + "eventNamespace": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.event_namespace", + "object": "consumerData" + }, + "file": [ + { + "key": "file.name", + "object": "file_data" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + } + ], + "fileType": { + "key": "file.extensions.x-reaqta-data.file_type", + "object": "file_data" + }, + "filename": [ + { + "key": "file.name", + "object": "file_data" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + } + ], + "creationTime": { + "key": "file.created", + "object": "file_data" + }, + "filterName": { + "key": "x-reaqta-event.filter_name", + "object": "x-reaqta" + }, + "fsName": { + "key": "file.extensions.x-reaqta-data.fsname", + "object": "file_data" + }, + "hostPid": [ + { + "key": "process.pid", + "object": "process_data", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": 
"event_data", + "references": "process_data" + } + ], + "isLocal": { + "key": "x-reaqta-event.is_local", + "object": "x-reaqta" + }, + "localAddrV4": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "x-ibm-finding", + "references": "src_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + }, + { + "group": true, + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ] + } + ], + "localAddrV6": [ + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "x-ibm-finding", + "references": "src_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + }, + { + "group": true, + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ] + } + ], + "localPort": { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + }, + "machineName": { + "key": "x-oca-asset.hostname", + "object": "consumerData" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "file_data" + }, + "name": { + "key": "x-reaqta-event.name", + "object": "x-reaqta" + }, + "namespaceName": { + "key": "x-reaqta-event.namespace_name", + "object": "x-reaqta" + }, + "operation": { + "key": "x-reaqta-event.operation", + "object": "x-reaqta" + }, + "operationType": { + "key": "x-reaqta-event.operation_type", + "object": "x-reaqta" + }, + "outbound": { + "key": "network-traffic.extensions.x-reaqta-network.outbound", + "object": "nt" + }, + "path": [ + { + "key": "directory.path", + "object": "dir_data", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + }, + { + "key": 
"file.parent_directory_ref", + "object": "file_data", + "references": "dir_data" + } + ], + "peType": { + "key": "x-reaqta-event.pe_type", + "object": "x-reaqta" + }, + "protocol": { + "key": "network-traffic.protocols", + "object": "nt", + "transformer": "ToLowercaseArray" + }, + "query": { + "key": "x-reaqta-event.query", + "object": "x-reaqta" + }, + "queryLanguage": { + "key": "x-reaqta-event.queryLanguage", + "object": "x-reaqta" + }, + "queryName": { + "key": "x-reaqta-event.queryName", + "object": "x-reaqta" + }, + "regionSize": { + "key": "x-reaqta-event.region_size", + "object": "x-reaqta" + }, + "relevance": { + "key": "x-reaqta-event.relevance", + "object": "x-reaqta" + }, + "remoteAddrV4": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "x-ibm-finding", + "references": "dst_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + } + ], + "remoteAddrV6": [ + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "x-ibm-finding", + "references": "dst_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + } + ], + "remotePort": { + "key": "network-traffic.dst_port", + "object": "nt", + "transformer": "ToInteger" + }, + "returnCode": { + "key": "x-reaqta-event.return_code", + "object": "x-reaqta" + }, + "rootObject": { + "key": "x-reaqta-event.root_object", + "object": "x-reaqta" + }, + "scanResult": { + "key": "x-oca-event.extensions.x-reaqta-amsi.scan_result", + "object": "antimalware_event" + }, + "serviceName": { + "key": "x-reaqta-event.service_name", + "object": "x-reaqta" + }, + "serviceProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id", 
+ "object": "serviceProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process-ext.process_id", + "object": "serviceProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process-ext.logon_id", + "object": "serviceProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process-ext.no_gui", + "object": "serviceProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process-ext.parent_process_id", + "object": "serviceProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "serviceProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "serviceProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "serviceProcess_process", + "references": "serviceProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process-ext.privilege_level", + "object": "serviceProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program-ext.arch", + "object": "serviceProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert-ext.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "serviceProcess_file" + }, + { + "key": "process.binary_ref", + "object": "serviceProcess_process", + "references": 
"serviceProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program-ext.fsname", + "object": "serviceProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "serviceProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "serviceProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "serviceProcess_file", + "references": "serviceProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "serviceProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "serviceProcess_file" + }, + "size": { + "key": "file.size", + "object": "serviceProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "serviceProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "serviceProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "serviceProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "serviceProcess_process", + "references": "serviceProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "serviceProcess_process" + } + }, + "serviceType": { + "key": "x-reaqta-event.service_type", + "object": "x-reaqta" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "file_data" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "file_data" + }, + "size": { + "key": "file.size", + "object": "file_data" + }, + "startType": { + "key": "x-reaqta-event.start_type", + "object": "x-reaqta" + }, + "tactics": { + "key": 
"x-reaqta-event.tactics",
+ "object": "x-reaqta"
+ },
+ "tags": {
+ "key": "x-reaqta-event.tags",
+ "object": "x-reaqta"
+ },
+ "targetProcess": {
+ "endpointId": {
+ "key": "process.extensions.x-reaqta-process-ext.process_endpoint_id",
+ "object": "targetProcess_process"
+ },
+ "id": {
+ "key": "process.extensions.x-reaqta-process-ext.process_id",
+ "object": "targetProcess_process"
+ },
+ "logonId": {
+ "key": "process.extensions.x-reaqta-process-ext.logon_id",
+ "object": "targetProcess_process"
+ },
+ "noGui": {
+ "key": "process.extensions.x-reaqta-process-ext.no_gui",
+ "object": "targetProcess_process"
+ },
+ "parentId": {
+ "key": "process.extensions.x-reaqta-process-ext.parent_process_id",
+ "object": "targetProcess_process"
+ },
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "targetProcess_process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "x-oca-event.process_ref",
+ "object": "targetProcess_event",
+ "references": "targetProcess_process"
+ }
+ ],
+ "ppid": [
+ {
+ "key": "process.pid",
+ "object": "targetProcess_parent_process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "process.parent_ref",
+ "object": "targetProcess_process",
+ "references": "targetProcess_parent_process"
+ },
+ {
+ "key": "x-oca-event.parent_process_ref",
+ "object": "targetProcess_event",
+ "references": "targetProcess_parent_process"
+ }
+ ],
+ "privilegeLevel": {
+ "key": "process.extensions.x-reaqta-process-ext.privilege_level",
+ "object": "targetProcess_process"
+ },
+ "program": {
+ "arch": {
+ "key": "file.extensions.x-reaqta-program-ext.arch",
+ "object": "targetProcess_file"
+ },
+ "certInfo": {
+ "expired": {
+ "key": "x509-certificate.extensions.x-reaqta-cert-ext.expired",
+ "object": "certInfo"
+ },
+ "issuer": {
+ "key": "x509-certificate.issuer",
+ "object": "certInfo"
+ },
+ "signer": {
+ "key": "x509-certificate.extensions.x-reaqta-cert-ext.signer",
+ "object": "certInfo"
+ },
+ "trusted": {
+ "key": 
"x509-certificate.extensions.x-reaqta-cert-ext.trusted",
+ "object": "certInfo"
+ }
+ },
+ "filename": [
+ {
+ "key": "file.name",
+ "object": "targetProcess_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "targetProcess_process",
+ "references": "targetProcess_file"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "targetProcess_event",
+ "references": "targetProcess_file"
+ }
+ ],
+ "fsName": {
+ "key": "file.extensions.x-reaqta-program-ext.fsname",
+ "object": "targetProcess_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "targetProcess_file"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "targetProcess_dir",
+ "transformer": "ToDirectoryPath"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "targetProcess_event",
+ "references": "targetProcess_file"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "targetProcess_file",
+ "references": "targetProcess_dir"
+ }
+ ],
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "targetProcess_file"
+ },
+ "sha256": {
+ "key": "file.hashes.SHA-256",
+ "object": "targetProcess_file"
+ },
+ "size": {
+ "key": "file.size",
+ "object": "targetProcess_file"
+ }
+ },
+ "pstartTime": {
+ "key": "process.created",
+ "object": "targetProcess_parent_process"
+ },
+ "startTime": {
+ "key": "process.created",
+ "object": "targetProcess_process"
+ },
+ "user": [
+ {
+ "key": "user-account.user_id",
+ "object": "targetProcess_useraccount"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "targetProcess_process",
+ "references": "targetProcess_useraccount"
+ },
+ {
+ "key": "x-oca-event.user_ref",
+ "object": "targetProcess_event",
+ "references": "targetProcess_useraccount"
+ }
+ ],
+ "userSID": {
+ "key": "process.extensions.windows-process-ext.owner_sid",
+ "object": "targetProcess_process"
+ }
+ },
+ "targetProcessId": [
+ {
+ "key": "process.pid",
+ "object": "targetProcess_process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "x-oca-event.process_ref",
+ "object": 
"targetProcess_event",
+ "references": "targetProcess_process"
+ }
+ ],
+ "taskName": {
+ "key": "x-reaqta-event.task_name",
+ "object": "x-reaqta"
+ },
+ "technique": {
+ "key": "x-reaqta-event.technique",
+ "object": "x-reaqta"
+ },
+ "url": {
+ "key": "url.value",
+ "object": "url"
+ },
+ "user": {
+ "key": "user-account.user_id",
+ "object": "user"
+ },
+ "version": {
+ "key": "x-reaqta-event.version",
+ "object": "x-reaqta"
+ },
+ "wmiHostPid": {
+ "key": "process.pid",
+ "object": "wmi_process",
+ "transformer": "ToInteger"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json b/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json
new file mode 100644
index 000000000..70b88d4f0
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/json/to_stix_map.json
@@ -0,0 +1,1995 @@
+{
+ "endpointId": {
+ "key": "x-reaqta-event.endpoint_id",
+ "object": "x-reaqta"
+ },
+ "eventId": {
+ "key": "x-oca-event.code",
+ "object": "event",
+ "transformer": "ToInteger"
+ },
+ "happenedAt": [
+ {
+ "cybox": false,
+ "key": "first_observed"
+ },
+ {
+ "cybox": false,
+ "key": "last_observed"
+ }
+ ],
+ "receivedAt": {
+ "key": "x-oca-event.created",
+ "object": "event"
+ },
+ "payload": {
+ "eventName": {
+ "key": "x-oca-event.action",
+ "object": "event"
+ },
+ "eventType": {
+ "key": "x-ibm-finding.category",
+ "object": "event"
+ },
+ "incidents": {
+ "key": "x-ibm-finding.extensions.x-reaqta-alert.incidents",
+ "object": "x-ibm-finding"
+ },
+ "triggeredIncidents": {
+ "key": "x-ibm-finding.extensions.x-reaqta-alert.triggered_incidents",
+ "object": "x-ibm-finding"
+ },
+ "localId": {
+ "key": "x-reaqta-event.local_id",
+ "object": "x-reaqta"
+ },
+ "process": {
+ "endpointId": {
+ "key": "process.extensions.x-reaqta-process.process_endpoint_id",
+ "object": "process"
+ },
+ "id": {
+ "key": "process.extensions.x-reaqta-process.process_id",
+ "object": "process"
+ },
+ "logonId": {
+ "key": "process.extensions.x-reaqta-process.logon_id",
+ "object": "process"
+ },
+ "noGui": {
+ "key": "process.extensions.x-reaqta-process.no_gui",
+ "object": "process"
+ },
+ "parentId": {
+ "key": "process.extensions.x-reaqta-process.parent_process_id",
+ "object": "process"
+ },
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "x-oca-event.process_ref",
+ "object": "event",
+ "references": "process"
+ }
+ ],
+ "ppid": [
+ {
+ "key": "process.pid",
+ "object": "parent_process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "process.parent_ref",
+ "object": "process",
+ "references": "parent_process"
+ },
+ {
+ "key": "x-oca-event.parent_process_ref",
+ "object": "event",
+ "references": "parent_process"
+ }
+ ],
+ "privilegeLevel": {
+ "key": 
"process.extensions.x-reaqta-process.privilege_level", + "object": "process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "file" + }, + { + "key": "process.binary_ref", + "object": "process", + "references": "file" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "file" + }, + "path": [ + { + "key": "directory.path", + "object": "dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + }, + { + "key": "file.parent_directory_ref", + "object": "file", + "references": "dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "file" + }, + "size": { + "key": "file.size", + "object": "file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "process" + }, + "startTime": { + "key": "process.created", + "object": "process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "process", + "references": "useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "event", + "references": "useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "process" + } + }, + 
"data": { + "accessorProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + "object": "accessorProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "accessorProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "accessorProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "accessorProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "accessorProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "accessorProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "accessorProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "accessorProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "accessorProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "accessorProcess_file" + }, + { + 
"key": "process.binary_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "accessorProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "accessorProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "accessorProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "accessorProcess_file", + "references": "accessorProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "accessorProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "accessorProcess_file" + }, + "size": { + "key": "file.size", + "object": "accessorProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "accessorProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "accessorProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "accessorProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "accessorProcess_process", + "references": "accessorProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "accessorProcess_event", + "references": "accessorProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "accessorProcess_process" + } + }, + "actionName": { + "key": "x-reaqta-event.action_name", + "object": "x-reaqta" + }, + "addressFamily": { + "key": "network-traffic.extensions.x-reaqta-network.address_family", + "object": "nt" + }, + "allocatorProc": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + 
"object": "allocatorProc_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "allocatorProc_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "allocatorProc_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "allocatorProc_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "allocatorProc_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "allocatorProc_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "allocatorProc_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "allocatorProc_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "allocatorProc_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "allocatorProc_file" + }, + { + "key": "process.binary_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_file" + }, + { + "key": "x-oca-event.file_ref", + 
"object": "allocatorProc_event", + "references": "allocatorProc_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "allocatorProc_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "allocatorProc_file" + }, + "path": [ + { + "key": "directory.path", + "object": "allocatorProc_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_file" + }, + { + "key": "file.parent_directory_ref", + "object": "allocatorProc_file", + "references": "allocatorProc_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "allocatorProc_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "allocatorProc_file" + }, + "size": { + "key": "file.size", + "object": "allocatorProc_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "allocatorProc_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "allocatorProc_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "allocatorProc_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "allocatorProc_process", + "references": "allocatorProc_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "allocatorProc_event", + "references": "allocatorProc_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "allocatorProc_process" + } + }, + "appName": { + "key": "x-oca-event.agent", + "object": "antimalware_event" + }, + "arch": { + "key": "file.extensions.x-reaqta-data.arch", + "object": "file_data" + }, + "avObjectStatus": { + "key": "x-ibm-finding.name", + "object": "finding_data" + }, + "avScanReason": { + "key": "x-ibm-finding.extensions.x-reaqta-avdetection.av_scan_reason", + "object": "finding_data" + }, + "avThreatInfoArray": { + "key": "x-ibm-finding.extensions.x-reaqta-avdetection.av_threat_info_array", + "object": 
"finding_data" + }, + "avThreatType": { + "key": "x-ibm-finding.finding_type", + "object": "finding_data" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "childProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + "object": "childProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "childProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "childProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "childProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "childProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "childProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "childProcess_event", + "references": "childProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "childProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "childProcess_process", + "references": "childProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "childProcess_event", + "references": "childProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "childProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "childProcess_file" + }, + "certInfo": { + "expired": { + 
"key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "childProcess_file" + }, + { + "key": "process.binary_ref", + "object": "childProcess_process", + "references": "childProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "childProcess_event", + "references": "childProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "childProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "childProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "childProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "childProcess_event", + "references": "childProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "childProcess_file", + "references": "childProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "childProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "childProcess_file" + }, + "size": { + "key": "file.size", + "object": "childProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "childProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "childProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "childProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "childProcess_process", + "references": "childProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "childProcess_event", + "references": "childProcess_useraccount" + } + ], + "userSID": { + "key": 
"process.extensions.windows-process-ext.owner_sid", + "object": "childProcess_process" + } + }, + "clientMachine": [ + { + "key": "x-oca-asset.hostname", + "object": "asset_data" + }, + { + "key": "x-oca-event.host_ref", + "object": "event_data", + "references": "asset_data" + } + ], + "clientMachineFqn": { + "key": "x-oca-asset.extensions.x-wmi-event.client_machine_fqn", + "object": "asset_data" + }, + "clientPid": [ + { + "key": "process.pid", + "object": "process_data", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "event_data", + "references": "process_data" + } + ], + "cmdLine": { + "key": "process.command_line", + "object": "process" + }, + "cmdLineArgs": { + "key": "process.extensions.x-reaqta-process.command_line_args", + "object": "process" + }, + "consumerData": { + "commandLineTemplateTokens": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.command_line_template_tokens", + "object": "consumerData" + }, + "executablePath": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.executablePath", + "object": "consumerData" + }, + "runInteractively": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.runInteractively", + "object": "consumerData" + }, + "scriptFileName": { + "key": "file.name", + "object": "file_consumerData" + }, + "scriptingEngine": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.scriptingEngine", + "object": "consumerData" + }, + "showWindowCommand": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.showWindowCommand", + "object": "consumerData" + }, + "workingDirectory": [ + { + "key": "directory.path", + "object": "dir_consumerData", + "transformer": "ToDirectoryPath" + }, + { + "key": "file.parent_directory_ref", + "object": "file_consumerData", + "references": "dir_consumerData" + } + ] + }, + "consumerName": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.consumer_name", + "object": "consumerData" + }, + "consumerType": { + "key": 
"x-oca-asset.extensions.x-reaqta-consumer.consumer_type", + "object": "consumerData" + }, + "contentName": { + "key": "x-oca-event.extensions.x-reaqta-amsi.content_name", + "object": "antimalware_event" + }, + "customName": { + "key": "x-reaqta-event.custom_name", + "object": "x-reaqta" + }, + "customType": { + "key": "x-reaqta-event.custom_type", + "object": "x-reaqta" + }, + "data": { + "key": "x-reaqta-event.data", + "object": "x-reaqta" + }, + "displayName": { + "key": "x-reaqta-event.display_name", + "object": "x-reaqta" + }, + "engineProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + "object": "engineProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "engineProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "engineProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "engineProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "engineProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "engineProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "engineProcess_event", + "references": "engineProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "engineProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "engineProcess_process", + "references": "engineProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "engineProcess_event", + "references": "engineProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "engineProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "engineProcess_file" + }, + 
"certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "engineProcess_file" + }, + { + "key": "process.binary_ref", + "object": "engineProcess_process", + "references": "engineProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "engineProcess_event", + "references": "engineProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "engineProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "engineProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "engineProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "engineProcess_event", + "references": "engineProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "engineProcess_file", + "references": "engineProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "engineProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "engineProcess_file" + }, + "size": { + "key": "file.size", + "object": "engineProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "engineProcess_process", + "transformer": "EpochToTimestamp" + }, + "startTime": { + "key": "x-oca-event.start", + "object": "engineProcess_event", + "transformer": "EpochToTimestamp" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "engineProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "engineProcess_process", + "references": "engineProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + 
"object": "engineProcess_event", + "references": "engineProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "engineProcess_process" + } + }, + "etwAllowedToDelegateTo": { + "key": "x-reaqta-etw.etw_allowed_to_delegateto", + "object": "x-etw" + }, + "etwAuthenticationPackageName": { + "key": "x-reaqta-etw.etw_authentication_packagename", + "object": "x-etw" + }, + "etwCallerProcessId": [ + { + "key": "process.pid", + "object": "process_etw", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "etw_event", + "references": "process_etw" + } + ], + "etwCallerProcessName": { + "key": "process.name", + "object": "process_etw" + }, + "etwCertIssuerName": { + "key": "x509-certificate.issuer", + "object": "etw_cert" + }, + "etwCertSerialNumber": { + "key": "x509-certificate.serial_number", + "object": "etw_cert" + }, + "etwCertThumbprint": { + "key": "x509-certificate.extensions.x-reaqta-etw.etw_cert_thumbprint", + "object": "etw_cert" + }, + "etwDisplayName": { + "key": "x-reaqta-etw.etw_display_name", + "object": "x-etw" + }, + "etwDummy": { + "key": "x-reaqta-etw.etw_dummy", + "object": "x-etw" + }, + "etwElevatedToken": { + "key": "x-reaqta-etw.etw_elevated_token", + "object": "x-etw" + }, + "etwEventId": { + "key": "x-oca-event.code", + "object": "etw_event", + "transformer": "ToInteger" + }, + "etwEventRecordId": { + "key": "x-oca-event.extensions.x-reaqta-etw.etw_event_record_id", + "object": "etw_event" + }, + "etwEventVersion": { + "key": "x-oca-event.extensions.x-reaqta-etw.etw_event_record_id", + "object": "etw_event" + }, + "etwFailureReason": { + "key": "x-oca-event.extensions.x-reaqta-etw.etw_failure_reason", + "object": "etw_event" + }, + "etwHomeDirectory": { + "key": "x-oca-event.extensions.x-reaqta-etw.etw_home_directory", + "object": "etw_event" + }, + "etwHomePath": [ + { + "key": "directory.path", + "object": "etw_dir", + "transformer": "ToDirectoryPath" 
+ }, + { + "key": "x-oca-event.file_ref", + "object": "etw_event", + "references": "serviceProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "etw_file", + "references": "etw_event" + } + ], + "etwImpersonationLevel": { + "key": "x-reaqta-etw.etw_impersonation_level", + "object": "x-etw" + }, + "etwIpAddress": [ + { + "key": "ipv4-addr.value", + "object": "etw_ip" + }, + { + "key": "x-oca-event.ip_refs", + "object": "etw_event", + "references": ["etw_ip"] + }, + { + "key": "x-oca-asset.ip_refs", + "object": "etw_asset", + "references": ["etw_ip"], + "group": true + } + ], + "etwIpPort": { + "key": "x-reaqta-etw.etw_ip_port", + "object": "x-etw" + }, + "etwKeyLength": { + "key": "x-reaqta-etw.etw_key_length", + "object": "x-etw" + }, + "etwLmPackageName": { + "key": "x-reaqta-etw.etw_lm_package_name", + "object": "x-etw" + }, + "etwLogonGuid": { + "key": "x-reaqta-etw.etw_logon_guid", + "object": "x-etw" + }, + "etwLogonHours": { + "key": "x-reaqta-etw.etw_logon_hours", + "object": "x-etw" + }, + "etwLogonProcessName": { + "key": "process.name", + "object": "process_etw" + }, + "etwLogonType": { + "key": "x-reaqta-etw.etw_logon_type", + "object": "x-etw" + }, + "etwMemberName": { + "key": "x-reaqta-etw.etw_member_name", + "object": "x-etw" + }, + "etwMemberSid": { + "key": "x-reaqta-etw.etw_member_sid", + "object": "x-etw" + }, + "etwNewTargetUserName": { + "key": "user-account.user_id", + "object": "etwNewTargetUserName" + }, + "etwNewUacValue": { + "key": "x-reaqta-etw.etw_new_uac_value", + "object": "x-etw" + }, + "etwOldTargetUserName": { + "key": "user-account.user_id", + "object": "etwOldTargetUserName" + }, + "etwOldUacValue": { + "key": "x-reaqta-etw.etw_old_uac_value", + "object": "x-etw" + }, + "etwPackageName": { + "key": "x-reaqta-etw.etw_package_name", + "object": "x-etw" + }, + "etwPasswordLastSet": { + "key": "x-reaqta-etw.etw_password_last_set", + "object": "x-etw" + }, + "etwPreAuthType": { + "key": 
"x-reaqta-etw.etw_pre_auth_type", + "object": "x-etw" + }, + "etwPrimaryGroupId": { + "key": "x-reaqta-etw.etw_primary_groupId", + "object": "x-etw" + }, + "etwPrivilegeList": { + "key": "x-reaqta-etw.etw_privilege_list", + "object": "x-etw" + }, + "etwProcessId": [ + { + "key": "process.pid", + "object": "process_etw" + }, + { + "key": "x-oca-event.process_ref", + "object": "etw_event", + "references": "process_etw" + } + ], + "etwProcessName": { + "key": "process.name", + "object": "process_etw" + }, + "etwProfilePath": { + "key": "x-reaqta-etw.etw_profile_path", + "object": "x-etw" + }, + "etwRestrictedAdminMode": { + "key": "x-reaqta-etw.etwRestrictedAdminMode", + "object": "x-etw" + }, + "etwSamAccountName": { + "key": "x-reaqta-etw.etwSamAccountName", + "object": "x-etw" + }, + "etwScriptPath": { + "key": "x-reaqta-etw.etwScriptPath", + "object": "x-etw" + }, + "etwServiceName": { + "key": "x-reaqta-etw.etwServiceName", + "object": "x-etw" + }, + "etwServiceSid": { + "key": "x-reaqta-etw.etwServiceSid", + "object": "x-etw" + }, + "etwSidHistory": { + "key": "x-reaqta-etw.etwSidHistory", + "object": "x-etw" + }, + "etwSidList": { + "key": "x-reaqta-etw.etwSidList", + "object": "x-etw" + }, + "etwStatus": { + "key": "x-reaqta-etw.etwStatus", + "object": "x-etw" + }, + "etwSubStatus": { + "key": "x-reaqta-etw.etwSubStatus", + "object": "x-etw" + }, + "etwSubjectDomainName": { + "key": "x-reaqta-etw.etwSubStatus", + "object": "x-etw" + }, + "etwSubjectLogonId": { + "key": "x-reaqta-etw.etwSubjectLogonId", + "object": "x-etw" + }, + "etwSubjectUserName": [ + { + "key": "user-account.user_id", + "object": "etw_user" + }, + { + "key": "process.creator_user_ref", + "object": "process_etw", + "references": "etw_user" + }, + { + "key": "x-oca-event.user_ref", + "object": "etw_event", + "references": "etw_user" + } + ], + "etwSubjectUserSid": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "process_etw" + }, + "etwTargetDomainName": { + "key": 
"x-reaqta-etw.etwTargetDomainName", + "object": "x-etw" + }, + "etwTargetInfo": { + "key": "x-reaqta-etw.etwTargetInfo", + "object": "x-etw" + }, + "etwTargetLinkedLogonId": { + "key": "x-reaqta-etw.etwTargetLinkedLogonId", + "object": "x-etw" + }, + "etwTargetLogonGuid": { + "key": "x-reaqta-etw.etwTargetLogonGuid", + "object": "x-etw" + }, + "etwTargetLogonId": { + "key": "x-reaqta-etw.etwTargetLogonId", + "object": "x-etw" + }, + "etwTargetOutboundDomainName": { + "key": "x-reaqta-etw.etwTargetOutboundDomainName", + "object": "x-etw" + }, + "etwTargetOutboundUserName": { + "key": "user-account.user_id", + "object": "etwTargetOutboundUserName" + }, + "etwTargetServerName": { + "key": "x-reaqta-etw.etwTargetOutboundDomainName", + "object": "x-etw" + }, + "etwTargetSid": { + "key": "x-reaqta-etw.etwTargetSid", + "object": "x-etw" + }, + "etwTargetUserName": { + "key": "user-account.user_id", + "object": "etwTargetUserName" + }, + "etwTargetUserSid": { + "key": "x-reaqta-etw.etwTargetUserSid", + "object": "x-etw" + }, + "etwTask": { + "key": "x-reaqta-etw.etwTask", + "object": "x-etw" + }, + "etwTicketEncryptionType": { + "key": "x-reaqta-etw.etwTicketEncryptionType", + "object": "x-etw" + }, + "etwTicketOptions": { + "key": "x-reaqta-etw.etwTicketOptions", + "object": "x-etw" + }, + "etwTransmittedServices": { + "key": "x-reaqta-etw.etwTransmittedServices", + "object": "x-etw" + }, + "etwUserAccountControl": { + "key": "x-reaqta-etw.etwUserAccountControl", + "object": "x-etw" + }, + "etwUserParameters": { + "key": "x-reaqta-etw.etwUserParameters", + "object": "x-etw" + }, + "etwUserPrincipalName": { + "key": "x-reaqta-etw.etwUserPrincipalName", + "object": "x-etw" + }, + "etwUserWorkstations": { + "key": "x-reaqta-etw.etwUserWorkstations", + "object": "x-etw" + }, + "etwVirtualAccount": { + "key": "x-reaqta-etw.etwVirtualAccount", + "object": "x-etw" + }, + "etwWorkstation": { + "key": "x-oca-asset.host_id", + "object": "etw_asset" + }, + "etwWorkstationName": { + 
"key": "x-oca-asset.hostname", + "object": "etw_asset" + }, + "eventNamespace": { + "key": "x-oca-asset.extensions.x-reaqta-consumer.event_namespace", + "object": "consumerData" + }, + "file": [ + { + "key": "file.name", + "object": "file_data" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + } + ], + "fileType": { + "key": "file.extensions.x-reaqta-data.file_type", + "object": "file_data" + }, + "filename": [ + { + "key": "file.name", + "object": "file_data" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + } + ], + "creationTime": { + "key": "file.created", + "object": "file_data" + }, + "filterName": { + "key": "x-reaqta-event.filter_name", + "object": "x-reaqta" + }, + "fsName": { + "key": "file.extensions.x-reaqta-data.fsname", + "object": "file_data" + }, + "hostPid": [ + { + "key": "process.pid", + "object": "process_data", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "event_data", + "references": "process_data" + } + ], + "isLocal": { + "key": "x-reaqta-event.is_local", + "object": "x-reaqta" + }, + "localAddrV4": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "x-ibm-finding", + "references": "src_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + }, + { + "group": true, + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ] + } + ], + "localAddrV6": [ + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "nt", + "references": "src_ip" + }, + { + "key": "x-ibm-finding.src_ip_ref", + "object": "x-ibm-finding", + "references": "src_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + }, + { + "group": true, 
+ "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ] + } + ], + "localPort": { + "key": "network-traffic.src_port", + "object": "nt", + "transformer": "ToInteger" + }, + "machineName": { + "key": "x-oca-asset.hostname", + "object": "consumerData" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "file_data" + }, + "name": { + "key": "x-reaqta-event.name", + "object": "x-reaqta" + }, + "namespaceName": { + "key": "x-reaqta-event.namespace_name", + "object": "x-reaqta" + }, + "operation": { + "key": "x-reaqta-event.operation", + "object": "x-reaqta" + }, + "operationType": { + "key": "x-reaqta-event.operation_type", + "object": "x-reaqta" + }, + "outbound": { + "key": "network-traffic.extensions.x-reaqta-network.outbound", + "object": "nt" + }, + "path": [ + { + "key": "directory.path", + "object": "dir_data", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "event_data", + "references": "file_data" + }, + { + "key": "file.parent_directory_ref", + "object": "file_data", + "references": "dir_data" + } + ], + "peType": { + "key": "x-reaqta-event.pe_type", + "object": "x-reaqta" + }, + "protocol": { + "key": "network-traffic.protocols", + "object": "nt", + "transformer": "ToLowercaseArray" + }, + "query": { + "key": "x-reaqta-event.query", + "object": "x-reaqta" + }, + "queryLanguage": { + "key": "x-reaqta-event.queryLanguage", + "object": "x-reaqta" + }, + "queryName": { + "key": "x-reaqta-event.queryName", + "object": "x-reaqta" + }, + "regionSize": { + "key": "x-reaqta-event.region_size", + "object": "x-reaqta" + }, + "relevance": { + "key": "x-reaqta-event.relevance", + "object": "x-reaqta" + }, + "remoteAddrV4": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "x-ibm-finding", + "references": "dst_ip" + }, + { + "key": 
"x-oca-event.network_ref", + "object": "event", + "references": "nt" + } + ], + "remoteAddrV6": [ + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "nt", + "references": "dst_ip" + }, + { + "key": "x-ibm-finding.dst_ip_ref", + "object": "x-ibm-finding", + "references": "dst_ip" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "nt" + } + ], + "remotePort": { + "key": "network-traffic.dst_port", + "object": "nt", + "transformer": "ToInteger" + }, + "returnCode": { + "key": "x-reaqta-event.return_code", + "object": "x-reaqta" + }, + "rootObject": { + "key": "x-reaqta-event.root_object", + "object": "x-reaqta" + }, + "scanResult": { + "key": "x-oca-event.extensions.x-reaqta-amsi.scan_result", + "object": "antimalware_event" + }, + "serviceName": { + "key": "x-reaqta-event.service_name", + "object": "x-reaqta" + }, + "serviceProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + "object": "serviceProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "serviceProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "serviceProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "serviceProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "serviceProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "serviceProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_process" + } + ], + "ppid": [ + { + "key": "process.pid", + "object": "serviceProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "serviceProcess_process", + "references": 
"serviceProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "serviceProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "serviceProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "serviceProcess_file" + }, + { + "key": "process.binary_ref", + "object": "serviceProcess_process", + "references": "serviceProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "serviceProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "serviceProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "serviceProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "serviceProcess_file", + "references": "serviceProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "serviceProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "serviceProcess_file" + }, + "size": { + "key": "file.size", + "object": "serviceProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": 
"serviceProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "serviceProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "serviceProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "serviceProcess_process", + "references": "serviceProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "serviceProcess_event", + "references": "serviceProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "serviceProcess_process" + } + }, + "serviceType": { + "key": "x-reaqta-event.service_type", + "object": "x-reaqta" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "file_data" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": "file_data" + }, + "size": { + "key": "file.size", + "object": "file_data" + }, + "startType": { + "key": "x-reaqta-event.start_type", + "object": "x-reaqta" + }, + "tactics": { + "key": "x-reaqta-event.tactics", + "object": "x-reaqta" + }, + "tags": { + "key": "x-reaqta-event.tags", + "object": "x-reaqta" + }, + "targetProcess": { + "endpointId": { + "key": "process.extensions.x-reaqta-process.process_endpoint_id", + "object": "targetProcess_process" + }, + "id": { + "key": "process.extensions.x-reaqta-process.process_id", + "object": "targetProcess_process" + }, + "logonId": { + "key": "process.extensions.x-reaqta-process.logon_id", + "object": "targetProcess_process" + }, + "noGui": { + "key": "process.extensions.x-reaqta-process.no_gui", + "object": "targetProcess_process" + }, + "parentId": { + "key": "process.extensions.x-reaqta-process.parent_process_id", + "object": "targetProcess_process" + }, + "pid": [ + { + "key": "process.pid", + "object": "targetProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "targetProcess_event", + "references": "targetProcess_process" + } + ], + "ppid": [ + { + "key": 
"process.pid", + "object": "targetProcess_parent_process", + "transformer": "ToInteger" + }, + { + "key": "process.parent_ref", + "object": "targetProcess_process", + "references": "targetProcess_parent_process" + }, + { + "key": "x-oca-event.parent_process_ref", + "object": "targetProcess_event", + "references": "targetProcess_parent_process" + } + ], + "privilegeLevel": { + "key": "process.extensions.x-reaqta-process.privilege_level", + "object": "targetProcess_process" + }, + "program": { + "arch": { + "key": "file.extensions.x-reaqta-program.arch", + "object": "targetProcess_file" + }, + "certInfo": { + "expired": { + "key": "x509-certificate.extensions.x-reaqta-cert.expired", + "object": "certInfo" + }, + "issuer": { + "key": "x509-certificate.issuer", + "object": "certInfo" + }, + "signer": { + "key": "x509-certificate.extensions.x-reaqta-cert.signer", + "object": "certInfo" + }, + "trusted": { + "key": "x509-certificate.extensions.x-reaqta-cert.trusted", + "object": "certInfo" + } + }, + "filename": [ + { + "key": "file.name", + "object": "targetProcess_file" + }, + { + "key": "process.binary_ref", + "object": "targetProcess_process", + "references": "targetProcess_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "targetProcess_event", + "references": "targetProcess_file" + } + ], + "fsName": { + "key": "file.extensions.x-reaqta-program.fsname", + "object": "targetProcess_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "targetProcess_file" + }, + "path": [ + { + "key": "directory.path", + "object": "targetProcess_dir", + "transformer": "ToDirectoryPath" + }, + { + "key": "x-oca-event.file_ref", + "object": "targetProcess_event", + "references": "targetProcess_file" + }, + { + "key": "file.parent_directory_ref", + "object": "targetProcess_file", + "references": "targetProcess_dir" + } + ], + "sha1": { + "key": "file.hashes.SHA-1", + "object": "targetProcess_file" + }, + "sha256": { + "key": "file.hashes.SHA-256", + "object": 
"targetProcess_file" + }, + "size": { + "key": "file.size", + "object": "targetProcess_file" + } + }, + "pstartTime": { + "key": "process.created", + "object": "targetProcess_parent_process" + }, + "startTime": { + "key": "process.created", + "object": "targetProcess_process" + }, + "user": [ + { + "key": "user-account.user_id", + "object": "targetProcess_useraccount" + }, + { + "key": "process.creator_user_ref", + "object": "targetProcess_process", + "references": "targetProcess_useraccount" + }, + { + "key": "x-oca-event.user_ref", + "object": "targetProcess_event", + "references": "targetProcess_useraccount" + } + ], + "userSID": { + "key": "process.extensions.windows-process-ext.owner_sid", + "object": "targetProcess_process" + } + }, + "targetProcessId": [ + { + "key": "process.pid", + "object": "targetProcess_process", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "targetProcess_event", + "references": "targetProcess_process" + } + ], + "taskName": { + "key": "x-reaqta-event.task_name", + "object": "x-reaqta" + }, + "technique": { + "key": "x-reaqta-event.technique", + "object": "x-reaqta" + }, + "url": { + "key": "url.value", + "object": "url" + }, + "user": { + "key": "user-account.user_id", + "object": "user" + }, + "version": { + "key": "x-reaqta-event.version", + "object": "x-reaqta" + }, + "wmiHostPid": { + "key": "process.pid", + "object": "wmi_process", + "transformer": "ToInteger" + } + } + } +} \ No newline at end of file diff --git a/stix_shifter_modules/reaqta/stix_translation/query_constructor.py b/stix_shifter_modules/reaqta/stix_translation/query_constructor.py new file mode 100644 index 000000000..b31863b59 --- /dev/null +++ b/stix_shifter_modules/reaqta/stix_translation/query_constructor.py 
@@ -0,0 +1,203 @@
+import datetime
+from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, \
+ ComparisonExpression, ComparisonComparators, Pattern, \
+ CombinedComparisonExpression, CombinedObservationExpression, StartStopQualifier
+from stix_shifter_utils.stix_translation.src.json_to_stix import observable
+import logging
+import re
+
+UNIVERSAL_FIELDS = ["filename", "ip", "md5", "path", "sha1", "sha256"]
+GREATER_LESS_FIELDS = ["eventdata.regionSize", "eventdata.relevance", "eventdata.size"]
+
+logger = logging.getLogger(__name__)
+
+
+class QueryStringPatternTranslator:
+
+ def __init__(self, pattern: Pattern, data_model_mapper, options:dict):
+ self.dmm = data_model_mapper
+ self.comparator_lookup = self.dmm.map_comparator()
+ self.pattern = pattern
+ self.options = options
+ self.is_combined_expression = False
+ self.translated = self.parse_expression(pattern)
+
+ @staticmethod
+ def _format_set(values) -> str:
+ gen = values.element_iterator()
+ return "({})".format(" OR ".join([QueryStringPatternTranslator._escape_value(value) for value in gen]))
+
+ @staticmethod
+ def _format_equality(value) -> str:
+ return '"{}"'.format(value)
+
+ @staticmethod
+ def _escape_value(value) -> str:
+ if isinstance(value, str):
+ return '{}'.format(value.replace('\\', '\\\\').replace('\"', '\\"').replace('(', '\\(').replace(')', '\\)'))
+ else:
+ return value
+
+ @staticmethod
+ def _negate_comparison(comparison_string):
+ """
+ :param comparison_string: str
+ :return: str
+ """
+ if ' OR ' in comparison_string:
+ con_string = re.sub(r'\(', '(NOT ', comparison_string, 1)
+ comparison_string = con_string.replace(' OR ', ' OR NOT ')
+ else:
+ comparison_string = "NOT " + comparison_string
+ return comparison_string
+
+ @staticmethod
+ def _format_universal_field(field) -> str:
+ if field in UNIVERSAL_FIELDS:
+ return '${}'.format(field)
+ return field
+
+ @staticmethod
+ def _check_value_type(value):
+ value = str(value)
+ for key, pattern in observable.REGEX.items():
+ if key != 'date' and bool(re.search(pattern, value)):
+ return key
+ return None
+
+ @staticmethod
+ def _lookup_comparison_operator(self, expression_operator):
+ if str(expression_operator) not in self.comparator_lookup:
+ raise NotImplementedError("Comparison operator {} unsupported for connector".format(expression_operator.name))
+ return self.comparator_lookup[str(expression_operator)]
+
+ def _format_qualifier(self, qualifier, time_range) -> str:
+ str_qualifier_pattern = 'AND happenedAfter = "{start_iso}" AND happenedBefore = "{stop_iso}"'
+ if qualifier and isinstance(qualifier, StartStopQualifier):
+ start_iso = qualifier.start.replace("t'","").replace("'", "")
+ stop_iso = qualifier.stop.replace("t'","").replace("'", "")
+ formated_qualifier = str_qualifier_pattern.format(start_iso=start_iso, stop_iso=stop_iso)
+ else:
+ stop_time = datetime.datetime.utcnow()
+ start_time = stop_time - datetime.timedelta(minutes=time_range)
+ converted_starttime = start_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ converted_stoptime = stop_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ formated_qualifier = str_qualifier_pattern.format(start_iso=converted_starttime, stop_iso=converted_stoptime)
+
+ return formated_qualifier
+
+ def _parse_mapped_fields(self, value, comparator, mapped_fields_array) -> str:
+ """Convert a list of mapped fields into a query string."""
+ comparison_strings = []
+ str_ = None
+
+ if isinstance(value, str):
+ value = [value]
+
+ for val in value:
+ for mapped_field in mapped_fields_array:
+ mapped_field = self._format_universal_field(mapped_field)
+ comparison_strings.append(f'{mapped_field} {comparator} {val}')
+
+ # Only wrap in () if there's more than one comparison string
+ if len(comparison_strings) == 1:
+ str_ = comparison_strings[0]
+ elif len(comparison_strings) > 1:
+ str_ = f"{' OR '.join(comparison_strings)}"
+ else:
+ raise RuntimeError((f'Failed to convert {mapped_fields_array} mapped fields into query string'))
+
+ return str_
+
+ def _parse_expression(self, expression, qualifier=None) -> str:
+ if isinstance(expression, ComparisonExpression): # Base Case
+ # Resolve STIX Object Path to a field in the target Data Model
+ stix_object, stix_field = expression.object_path.split(':')
+ # Multiple data source fields may map to the same STIX Object
+ mapped_fields_array = self.dmm.map_field(stix_object, stix_field)
+ # Resolve the comparison symbol to use in the query string (usually just ':')
+ comparator = self._lookup_comparison_operator(self, expression.comparator)
+
+ # Some values are formatted differently based on how they're being compared
+ if expression.comparator == ComparisonComparators.In:
+ value = self._format_set(expression.value)
+ value = list(map(self._format_equality, expression.value.element_iterator()))
+ elif expression.comparator == ComparisonComparators.Matches:
+ value = self._format_equality(expression.value)
+ elif expression.comparator == ComparisonComparators.Like:
+ value = self._format_equality(expression.value)
+ elif expression.comparator == ComparisonComparators.Equal or expression.comparator == ComparisonComparators.NotEqual:
+ # Should be in single-quotes
+ value = self._format_equality(expression.value)
+ else:
+ value = self._escape_value(expression.value)
+
+ comparison_string = self._parse_mapped_fields(
+ value=value,
+ comparator=comparator,
+ mapped_fields_array=mapped_fields_array
+ )
+
+ mapped_fields_array_len = len(mapped_fields_array)
+
+ if(mapped_fields_array_len > 1):
+ # More than one data source field maps to the STIX attribute, so group comparisons together.
+ comparison_string = "({})".format(comparison_string)
+
+ if expression.negated:
+ comparison_string = self._negate_comparison(comparison_string)
+
+ return "{}".format(comparison_string)
+
+ elif isinstance(expression, CombinedComparisonExpression):
+ operator = self._lookup_comparison_operator(self, expression.operator)
+ expression_01 = self._parse_expression(expression.expr1)
+ expression_02 = self._parse_expression(expression.expr2)
+ if not expression_01 or not expression_02:
+ return ''
+
+ expression_string = "{} {} {}".format(expression_01, operator, expression_02)
+
+ return "{}".format(expression_string)
+ elif isinstance(expression, ObservationExpression):
+ formated_qualifier = self._format_qualifier(qualifier, self.options['time_range'])
+ expression_string = self._parse_expression(expression.comparison_expression)
+ expression_string = "({}) {}".format(expression_string, formated_qualifier)
+
+ return expression_string
+ elif hasattr(expression, 'qualifier') and hasattr(expression, 'observation_expression'):
+ formated_qualifier = self._format_qualifier(expression, self.options['time_range'])
+
+ if isinstance(expression.observation_expression, CombinedObservationExpression):
+ expression_string = self._parse_expression(expression.observation_expression, expression)
+ return "{}".format(expression_string)
+ else:
+ expression_string = self._parse_expression(expression.observation_expression.comparison_expression, expression)
+ return "({}) {}".format(expression_string, formated_qualifier)
+
+ elif isinstance(expression, CombinedObservationExpression):
+ operator = self._lookup_comparison_operator(self, expression.operator)
+ expression_01 = self._parse_expression(expression.expr1, qualifier)
+ expression_02 = self._parse_expression(expression.expr2, qualifier)
+ if expression_01 and expression_02:
+ return "{} {} {}".format(expression_01, operator, expression_02)
+ elif expression_01:
+ return "{}".format(expression_01)
+ elif expression_02:
+ return "{}".format(expression_02)
+ else:
+ return ''
+ elif isinstance(expression, Pattern):
+ return "{expr}".format(expr=self._parse_expression(expression.expression))
+ else:
+ raise RuntimeError("Unknown Recursion Case for expression={}, type(expression)={}".format(
+ expression, type(expression)))
+
+ def parse_expression(self, pattern: Pattern):
+ return self._parse_expression(pattern)
+
+
+def translate_pattern(pattern: Pattern, data_model_mapping, options):
+ query_translator = QueryStringPatternTranslator(pattern, data_model_mapping, options)
+ query = query_translator.translated
+ return query
diff --git a/stix_shifter_modules/reaqta/stix_translation/query_translator.py b/stix_shifter_modules/reaqta/stix_translation/query_translator.py
new file mode 100644
index 000000000..ae00e2f04
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/query_translator.py
@@ -0,0 +1,26 @@
+import logging
+
+from stix_shifter_utils.modules.base.stix_translation.base_query_translator import BaseQueryTranslator
+from . import query_constructor
+
+logger = logging.getLogger(__name__)
+
+
+class QueryTranslator(BaseQueryTranslator):
+
+ def transform_antlr(self, data, antlr_parsing_object):
+ """
+ Transforms STIX pattern into a different query format. Based on a mapping file
+ :param antlr_parsing_object: Antlr parsing objects for the STIX pattern
+ :type antlr_parsing_object: object
+ :param mapping: The mapping file path to use as instructions on how to transform the given STIX query into another format. This should default to something if one isn't passed in
+ :type mapping: str (filepath)
+ :return: transformed query string
+ :rtype: str
+ """
+
+ # logger.info("Converting STIX2 Pattern to data source query")
+
+ query_string = query_constructor.translate_pattern(
+ antlr_parsing_object, self, self.options)
+ return query_string
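Review bot: `_format_equality` wraps the value in double quotes without escaping it, and in `_parse_expression` the Equal/NotEqual/Like/Matches branches call it directly, so a STIX value containing `"` or a backslash terminates the quoted literal and the rest of the value is read as hunt-query syntax rather than as data; `_escape_value` is only applied in the fallback branch. Route those branches through the escaper first, e.g. `value = self._format_equality(self._escape_value(expression.value))`, and confirm against the hunt grammar whether the `(`/`)` escaping in `_escape_value` is also wanted inside a quoted literal. In the `In` branch the first assignment `value = self._format_set(expression.value)` is dead, since the next line overwrites it. `_negate_comparison` turns `(a OR b)` into `(NOT a OR NOT b)`, which is the negation of `a AND b`; a negated comparison spread over several mapped fields should become `(NOT a AND NOT b)`. `_lookup_comparison_operator` is marked `@staticmethod` yet takes and is passed `self` explicitly; dropping the decorator and calling it as `self._lookup_comparison_operator(expression.comparator)` reads as intended.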
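Review bot: The `transform_antlr` docstring documents a `mapping` parameter that the method does not take and omits the `data` parameter it does take, so the contract it states does not match the signature. Replace the two `mapping` lines with `:param data: the STIX pattern string being translated` and `:type data: str` (the role of `data` is inferred from the base class, since it is unused here, so confirm before documenting it). The commented-out `logger.info` call is dead code; either log at debug level or drop it together with the otherwise unused `logger`.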
diff --git a/stix_shifter_modules/reaqta/stix_translation/results_translator.py b/stix_shifter_modules/reaqta/stix_translation/results_translator.py
new file mode 100644
index 000000000..ca9052ce4
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_translation/results_translator.py
@@ -0,0 +1,56 @@
+import os
+import json
+from stix_shifter_utils.stix_translation.src.json_to_stix.json_to_stix import JSONToStix
+
+class ResultsTranslator(JSONToStix):
+
+ def __init__(self, options, dialect, base_file_path=None, callback=None):
+ super().__init__(options, dialect, base_file_path, callback)
+
+ event_names_path = os.path.abspath(os.path.join(base_file_path, "json", "event_names_map.json"))
+ network_protocol_path = os.path.abspath(os.path.join(base_file_path, "json", "network_protocol_map.json"))
+ self.event_names = self.read_json(event_names_path, options)
+ self.network_protocol = self.read_json(network_protocol_path, options)
+
+ def translate_results(self, data_source, data):
+ results = json.loads(data)
+ for result in results:
+ payload = result['payload']
+ if payload.get('eventType'):
+ event_name = self.event_names[str(payload.get('eventType'))]
+ result['payload']['eventName'] = event_name
+
+ result_data = payload.get('data')
+
+ if 'protocol' in result_data:
+ protocol = self.network_protocol[str(payload['data'].get('protocol'))]
+ result['payload']['data']['protocol'] = protocol
+
+
+ if 'addressFamily' in payload['data']:
+ address_family = payload['data'].get('addressFamily')
+
+ if address_family == 0:
+ payload['data']['addressFamily'] = 'IPv4'
+
+ local_addr = result['payload']['data']['localAddr']
+ result['payload']['data']['localAddrV4'] = local_addr
+ del result['payload']['data']['localAddr']
+
+ remote_addr = result['payload']['data']['remoteAddr']
+ result['payload']['data']['remoteAddrV4'] = remote_addr
+ del result['payload']['data']['remoteAddr']
+ elif address_family == 1:
+ result['payload']['data']['addressFamily'] = 'IPv6'
+
+ local_addr = result['payload']['data']['localAddr']
+
+ result['payload']['data']['localAddrV6'] = local_addr
+ del result['payload']['data']['localAddr']
+
+ remote_addr = result['payload']['data']['remoteAddr']
+ result['payload']['data']['remoteAddrV6'] = remote_addr
+ del result['payload']['data']['remoteAddr']
+
+ data = json.dumps(results)
+ return super().translate_results(data_source, data)
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_transmission/__init__.py b/stix_shifter_modules/reaqta/stix_transmission/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/reaqta/stix_transmission/api_client.py b/stix_shifter_modules/reaqta/stix_transmission/api_client.py
new file mode 100644
index 000000000..c89ae09f9
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_transmission/api_client.py
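Review bot: In `translate_results`, `self.event_names[str(payload.get('eventType'))]` and `self.network_protocol[str(...)]` are plain subscripts, so a single event whose `eventType` or `protocol` is absent from the JSON maps raises KeyError and aborts translation of the whole batch rather than just that record. Use a lookup with a fallback, e.g. `event_name = self.event_names.get(str(payload['eventType']), str(payload['eventType']))`, and the same for the protocol. `result_data = payload.get('data')` followed by `'protocol' in result_data` raises TypeError for a payload without a `data` key; `payload.get('data') or {}` avoids that. The address-family branches index `['localAddr']` and `['remoteAddr']` directly, so a record carrying `addressFamily` but only one of the two addresses is also fatal — `.pop('localAddr', None)` reads and removes the key in one safe step. `__init__` defaults `base_file_path` to None but passes it straight into `os.path.join`, which raises TypeError on that default.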
@@ -0,0 +1,93 @@
+from stix_shifter_utils.stix_transmission.utils.RestApiClient import RestApiClient
+import requests
+from datetime import datetime, timedelta
+import json
+
+class APIClient():
+ AUTH_ENDPOINT = "rqt-api/1/authenticate"
+ EVENT_ENDPOINT = "rqt-api/1/events/hunt"
+
+ def __init__(self, connection, configuration):
+ self.headers = dict()
+ self.headers['Accept'] = 'application/json'
+ url_modifier_function = None
+ auth = configuration.get('auth')
+ self.host = connection.get('host')
+ self.client = RestApiClient(connection.get('host'),
+ None,
+ self.headers,
+ url_modifier_function=url_modifier_function,
+ cert_verify=connection.get('selfSignedCert', True),
+ sni=connection.get('sni', None)
+ )
+ self.timeout = connection['options'].get('timeout')
+ self.app_id = auth['app_id']
+ self.secret_key = auth['secret_key']
+ self.token = None
+ self.token_expiresat = None
+
+ def ping_data_source(self):
+ # Pings the data source
+ return self.get_token()
+
+ def get_search_results(self, search_id, length):
+ # Return the search results. Results must be in JSON format before being translated into STIX
+ params = dict()
+ params['count'] = length
+ token_response = self.get_token()
+ response_code = token_response['code']
+ if response_code == 200:
+ self.headers['Authorization'] = 'Bearer {}'.format(token_response['token'])
+ else:
+ raise Exception(token_response)
+
+ body_data = {'query': search_id}
+
+ return self.client.call_api(self.EVENT_ENDPOINT, 'POST', urldata=params, headers=self.headers, data=body_data)
+
+ def page_search(self, search_id, next_page_url, length):
+ params = dict()
+ params['count'] = length
+ if not self.token_expired():
+ token_response = self.get_token()
+ response_code = token_response['code']
+ if response_code == 200:
+ self.headers['Authorization'] = 'Bearer {}'.format(token_response['token'])
+
+ body_data = {'query': search_id}
+ page = next_page_url.split('?', maxsplit=1)[1]
+ next_page_endpoint = self.EVENT_ENDPOINT + '?' + page
+
+ return self.client.call_api(next_page_endpoint, 'POST', headers=self.headers, data=body_data)
+
+ def get_token(self):
+ auth_data = dict()
+ response_dict= dict()
+ auth_data['id'] = self.app_id
+ auth_data['secret'] = self.secret_key
+
+ try:
+ response = self.client.call_api(self.AUTH_ENDPOINT, 'POST', headers=self.headers, data=auth_data)
+
+ response_dict['code'] = response.code
+ response_text = json.loads(response.read())
+ if response.code == 200:
+ response_dict['token'] = response_text['token']
+ self.token_expiresat = response_text['expiresAt']
+ else:
+ response_dict['message'] = 'Authentication Error: Token Generation Failed. ' + response_text['message']
+ except Exception as ex:
+ if ex.__class__.__name__ == 'ConnectionError':
+ raise ConnectionError('Token Generation Failed: ' + str(ex))
+ else:
+ raise ex
+
+ return response_dict
+
+ def token_expired(self) -> bool:
+ """Check if the token is expired.
+ :return: True if token is expired, False if not expired
+ :rtype: bool
+ """
+ expires_at = datetime.fromtimestamp(self.token_expiresat)
+ return expires_at >= datetime.now()
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/stix_transmission/connector.py b/stix_shifter_modules/reaqta/stix_transmission/connector.py
new file mode 100644
index 000000000..663d6ce59
--- /dev/null
+++ b/stix_shifter_modules/reaqta/stix_transmission/connector.py
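Review bot: `token_expired` returns `expires_at >= datetime.now()`, which is True while the token is still valid — the opposite of its name and of the `:return:` line in its docstring. `page_search` compensates with `if not self.token_expired():`, so the two inversions cancel today, but the next caller that trusts the docstring will skip the refresh exactly when it is needed; fix both sides: `return expires_at <= datetime.now()` and `if self.token_expired():`. `self.token_expiresat` stays None until `get_token` has succeeded, so `datetime.fromtimestamp(None)` raises TypeError if `page_search` is ever reached first, and whether `expiresAt` is seconds or milliseconds since the epoch is not established here — `fromtimestamp` assumes seconds, so confirm against the API. In `get_token`, the non-200 branch indexes `response_text['message']`, which raises KeyError instead of returning the intended error dict when the body lacks that key. The `requests` and `timedelta` imports and the `params` dict in `page_search` are unused.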
@@ -0,0 +1,98 @@
+import json
+from stix_shifter_utils.modules.base.stix_transmission.base_sync_connector import BaseSyncConnector
+from .api_client import APIClient
+from stix_shifter_utils.utils.error_response import ErrorResponder
+from stix_shifter_utils.utils import logger
+
+
+class Connector(BaseSyncConnector):
+ # LOOKS LIKE MAX COUNT is 500. response doesn't show why it fails
+ MAX_LIMIT = 500
+
+ def __init__(self, connection, configuration):
+ self.api_client = APIClient(connection, configuration)
+ self.logger = logger.set_logger(__name__)
+ self.connector = __name__.split('.')[1]
+
+ def ping_connection(self):
+ return_obj = dict()
+ response_dict = dict()
+ try:
+ response = self.api_client.ping_data_source()
+ response_code = response['code']
+
+ if response_code == 200:
+ return_obj['success'] = True
+ elif response_code == 401:
+ response_dict['type'] = 'AuthenticationError'
+ response_dict['message'] = 'Invalid App Secret key provided. {}'.format(response['message'])
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ else:
+ response_dict['type'] = 'AuthenticationError'
+ response_dict['message'] = 'Invalid App ID provided. {}'.format(response['message'])
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ return return_obj
+ except ConnectionError as ex:
+ self.logger.error('error when pinging datasource {}:'.format(ex))
+ response_dict['type'] = 'ConnectionError'
+ response_dict['message'] = 'Invalid hostname provided. {}'.format(ex)
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+ except Exception as ex:
+ self.logger.error('error when pinging datasource {}:'.format(ex))
+ response_dict['type'] = 'AuthenticationError'
+ response_dict['message'] = 'Authentication Failure. API Response: {}'.format(ex)
+ ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector)
+
+ return return_obj
+
+ def create_results_connection(self, search_id, offset, length):
+ return_obj = dict()
+ length = int(length)
+ offset = int(offset)
+ total_records = offset + length
+
+ try:
+ if total_records <= self.MAX_LIMIT:
+ # Grab the response, extract the response code, and convert it to readable json
+ response = self.api_client.get_search_results(search_id, length)
+ elif total_records > self.MAX_LIMIT:
+ response = self.api_client.get_search_results(search_id, self.MAX_LIMIT)
+
+ response_code = response.code
+ response_text = response.read()
+ try:
+ response_dict = json.loads(response_text)
+ except ValueError as ex:
+ self.logger.debug(response_text)
+ error = Exception(f'Can not parse response from reaqta. The response is not a valid json: {response_text} : {ex}')
+
+ if response_code == 200:
+ return_obj['success'] = True
+ return_obj['data'] = response_dict['result']
+ while len(return_obj['data']) < total_records:
+ remainings = total_records - len(return_obj['data'])
+ try:
+ next_page_url = response_dict['nextPage']
+ if next_page_url:
+ response = self.api_client.page_search(search_id, next_page_url, remainings)
+ response_code = response.code
+ response_dict = json.loads(response.read())
+ if response_code == 200:
+ return_obj['data'].extend(response_dict['result'])
+ else:
+ break
+ except Exception as ex:
+ raise ex
+ return_obj['data'] = return_obj['data'][offset:total_records]
+ elif response_code == 422:
+ error_string = 'query_syntax_error: ' + response_dict['message']
+ ErrorResponder.fill_error(return_obj, error_string, ['message'], connector=self.connector)
+ else:
+ error_string = 'query_syntax_error: ' + response_dict['message']
+ ErrorResponder.fill_error(return_obj, error_string, ['message'], connector=self.connector)
+
+ except Exception as err:
+ self.logger.error('error when getting search results: {}'.format(str(err)))
+ ErrorResponder.fill_error(return_obj, err, ['message'], connector=self.connector)
+
+ return return_obj
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json b/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json
new file mode 100644
index 000000000..0bf02f7cd
--- /dev/null
+++ b/stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json
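Review bot: In `create_results_connection`, the `except ValueError` branch builds `error = Exception(...)` but never raises it, so execution continues into `if response_code == 200` with `response_dict` unbound; the resulting NameError is swallowed by the outer `except Exception` and the caller sees a NameError text instead of the intended "not a valid json" message — change it to `raise Exception(f'Can not parse response from reaqta. The response is not a valid json: {response_text} : {ex}') from ex`. The pagination `while` loop appears to have no exit when `nextPage` is falsy (indentation is lost in this view, but the visible `else: break` seems to belong to the `response_code` check), so if the last page reports a null `nextPage` while fewer than `total_records` rows exist — an API behaviour not established here — the loop never terminates; add `else: break` on the `if next_page_url:` branch, or stop when a page returns an empty `result`. The inner `except Exception as ex: raise ex` is a no-op and can be dropped. Both the 422 branch and the generic `else` label every failure `query_syntax_error`, which misreports 401/403/5xx responses; the `else` branch should use a neutral prefix such as `'search_error ({}): '.format(response_code)`.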
@@ -0,0 +1,325 @@ +{ + "eventId": "846769082492518401", + "endpointId": "841111111118681116", + "payload": { + "localId": "844930920409466881", + "process": { + "id": "841111111118681116:692:1648046461800", + "parentId": "841111111118681116:556:1648046461638", + "endpointId": "841111111118681116", + "program": { + "path": "c:\\windows\\system32\\services.exe", + "filename": "services.exe", + "md5": "c00000000000000111111111197b2d5d", + "sha1": "c000000000000001111111111850c26c9cd0d89d", + "sha256": "c000000000000001111111111c00000000000000111111111110ff61f20015ad", + "certInfo": { + "signer": "Microsoft Windows", + "issuer": "Microsoft Windows Production PCA 2011", + "trusted": true, + "expired": false + }, + "size": 714856, + "arch": "x64", + "fsName": "services.exe" + }, + "user": "EXAMPLE USER", + "pid": 692, + "startTime": "2022-03-23T14:41:01.800Z", + "ppid": 556, + "pstartTime": "2022-03-23T14:41:01.638Z", + "userSID": "S-1-1-1", + "privilegeLevel": "SYSTEM", + "noGui": false, + "logonId": "0x141111" + }, + "incidents": [], + "triggeredIncidents": [], + "data": { + "cmdLine": "java -cp /app/resources:/app/classes:/app/libs/* com.ibm.security.apps.controller.operator.KubernetesAppOperator ", + "cmdLineArgs": [], + "terminationTime": 1648047229530, + "file": "c:\\windows\\assembly\\nativeimages_v4.0.00000_64\\system.core\\c0000000000000011111111111676373\\system.core.ni.dll.aux", + "disposition": "File Overwrite If", + "newFile": "c:\\users\\Example User\\appdata\\roaming\\microsoft\\word\\zrothschild_cv3093900000000000086502\\zrothschild_cv((unsaved-30000000000000608)).asd", + "sha256": "c000000000000001111111111c000000000000001111111111175b9fd9ddd3f9", + "addressFamily": 0, + "protocol": 0, + "localAddr": "127.0.0.10", + "localPort": 49818, + "remoteAddr": "127.0.0.50", + "remotePort": 443, + "outbound": true, + "rootObject": "\\registry\\machine\\system\\services\\ExampleSvc", + "type": 1, + "name": "dharma.exe", + "data": "c:\\users\\Example 
User\\appdata\\roaming\\dharma.exe", + "version": 1, + "md5": "c00000000000000111111111169cbb4a", + "sha1": "c0000000000000011111111111a03cda0b19b2bb", + "fsName": "vcruntime140.dll", + "size": 80896, + "description": "microsoft\u00ae c runtime library", + "certInfo": { + "signer": "Microsoft Corporation", + "issuer": "Microsoft Code Signing PCA 2010", + "trusted": true, + "expired": false + }, + "arch": "x32", + "creationTime": 1612525240404, + "accessTime": 1643105806911, + "lastWriteTime": 1641371136474, + "fileType": 2, + "filename": "vcruntime140.dll", + "matched": [ + { + "policyId": "0000011111112", + "versionId": "0000011111113", + "matcherId": "0000011111114" + } + ], + "path": "C:\\Windows\\System32\\svchost.exe -k wsappx -p", + "behaviourType": 1, + "files": [ + { + "file": "c:\\$recycle.bin\\s-1-5-21-100000000-100000000-1000000000-1001\\atnconfig.py" + }, + { + "file": "c:\\$recycle.bin\\s-1-5-21-100000000-100000000-1000000000-1001\\atnconfigset.py" + }, + { + "file": "c:\\$recycle.bin\\s-1-5-21-100000000-100000000-1000000000-1001\\atndeserializationoptions.py" + } + ], + "etwEventId": 200, + "hostPid": 656, + "namespaceName": "\\\\.\\ROOT\\EXAMPLE", + "operation": "start iwbemservices::execquery - root\\cimv2 : select id from win32_serverfeature", + "clientPid": 9392, + "isLocal": true, + "clientMachine": "TEST-REMOTE-ENDPO", + "clientMachineFqn": "TEST-REMOTE-ENDPOINT", + "user": "NT AUTHORITY\\SYSTEM", + "requestHeaders": "CONNECT self.events.data.microsoft.com:443 HTTP/1.0\r\nHost: self.events.data.microsoft.com:443\r\nContent-Length: 0\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\n\r\n", + "responseHeaders": "\r\n\r\n", + "url": "http://self.events.data.microsoft.com:443/", + "queryName": "settings-win.data.microsoft.com", + "queryOptions": 1073766400, + "queryResults": "type: 5 atm-settingsfe-prod-geo.trafficmanager.net;type: 5 settings-prod-www-2.test.cloudapp.example.com;10.0.0.208;", + "queryType": 1, + "status": 0, + 
"etwEventRecordId": 141452, + "etwEventVersion": 0, + "etwTimeCreated": "2022-02-12T00:34:07.0789319Z", + "etwSubjectUserSid": "S-1-5-21-100000000-100000000-1000000000-1001", + "etwSubjectUserName": "reaqta", + "etwSubjectDomainName": "TEST-REMOTE-ENDPO", + "etwSubjectLogonId": "0x16f223", + "etwTargetUserSid": "S-1-5-21-100000000-100000000-1000000000-1001", + "etwTargetUserName": "reaqta", + "etwTargetDomainName": "TEST-REMOTE-ENDPO", + "etwTargetLogonId": "0x0000008", + "etwLogonType": "7", + "etwLogonProcessName": "User32 ", + "etwAuthenticationPackageName": "Negotiate", + "etwWorkstationName": "DESKTOP-EXAMPLE2", + "etwLogonGuid": "{00000000-0000-0000-0000-000000000000}", + "etwTransmittedServices": "-", + "etwLmPackageName": "-", + "etwKeyLength": "0", + "etwProcessId": "0x2a4", + "etwProcessName": "C:\\Windows\\System32\\winlogon.exe", + "etwIpAddress": "-", + "etwIpPort": "-", + "etwImpersonationLevel": "%%1833", + "etwRestrictedAdminMode": "-", + "etwTargetOutboundUserName": "-", + "etwTargetOutboundDomainName": "-", + "etwVirtualAccount": "%%1843", + "etwTargetLinkedLogonId": "0x0", + "etwElevatedToken": "%%1842", + "etwEventDescription": "Vault credentials were read.", + "etwTask": 13824, + "etwStatus": "0xc000006d", + "etwFailureReason": "%%2313", + "etwSubStatus": "0xc000006a", + "etwTargetLogonGuid": "{00000000-0000-0000-0000-000000000000}", + "etwTargetServerName": "localhost", + "etwTargetInfo": "localhost", + "cause": { + "remediationRequestId": "82450000000000001", + "incidentLocalId": "82450000000000002", + "serverRequestId": "82450000000000007", + "sourceEventLocalId": "82450000000000003", + "remediationActionIndex": 4, + "type": 0 + }, + "pid": 2736, + "startTime": 1643105807393, + "errorCode": 2, + "error": "Name not found", + "customType": "Keeper-info", + "customName": "Performance monitor", + "customDescription": "Performances: CPU mean: 1.31469% MEM mean: 343853738", + "relevance": 10, + "tags": [], + "customData": { + "MEM_MAX": 
"343875584", + "CPU_MEAN": "1.314689", + "CPU_MIN": "0.000000", + "CPU_MAX": "15.361343", + "MEM_MEAN": "343853738", + "EVT_COUNT": "0", + "MEM_MIN": "343834624", + "path": "C:\\Windows\\system32\\svchost.exe -k wsappx -p", + "rootObject": "\\registry\\machine\\system\\controlset001\\services\\AppXSvc", + "serviceName": "AppXSvc", + "servicePid": "1768", + "actionName": "OneSettings Refresh Cache Task Handler", + "enginePid": "9460", + "taskName": "\\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache", + "cmdLine": "\"c:\\program files\\microsoft office\\root\\office16\\winword.exe\" /n \"c:\\users\\example\\desktop\\example.doc\" /o \"\"", + "file": "c:\\windows\\temp\\w5751\\wyserver.wys", + "remoteAddr": "127.0.0.50", + "remotePort": "443" + }, + "allocatorProc": { + "program": { + "path": "c:\\users\\Example User\\appdata\\local\\temp\\tryme.exe", + "filename": "tryme.exe", + "md5": "c0000000000000011111111117d3f9d2", + "sha1": "c000000000000001111111111847a924627210cc", + "sha256": "c000000000000001111111111c0000000000000011111111110151f0e1c374dd", + "size": 84992, + "arch": "x32", + "fsName": "tryme.exe" + }, + "user": "DESKTOP-EXAMPLE2\\Example User", + "pid": 2736, + "startTime": 1643105807393, + "ppid": 7252, + "pstartTime": 1643105805509, + "userSID": "S-1-5-21-100000000-100000000-1000000000-1001", + "privilegeLevel": "MEDIUM", + "noGui": false, + "logonId": "0x100009" + }, + "baseAddress": 272695296, + "regionSize": 221184, + "allocationType": 12288, + "memProtection": 64, + "peType": 2, + "targetProcessId": 9520, + "returnCode": 0, + "targetProcess": { + "program": { + "path": "c:\\program files (x86)\\remotepc\\remotepcservice.exe", + "filename": "remotepcservice.exe", + "md5": "c000000000000001111111111ef8db40", + "sha1": "c000000000000001111111111bfa770d04c861b8", + "sha256": "c000000000000001111111111c000000000000001111111111e4ddd60dbc1957", + "certInfo": { + "signer": "Pro Softnet Corporation", + "issuer": "thawte SHA256 Code Signing CA", + 
"trusted": true, + "expired": false + }, + "size": 1462448, + "arch": "x32", + "fsName": "remotepcservice.exe" + }, + "user": "NT AUTHORITY\\SYSTEM", + "pid": 9520, + "startTime": 1644724461684, + "ppid": 656, + "pstartTime": 1643790802003, + "userSID": "S-1-5-18", + "privilegeLevel": "SYSTEM", + "noGui": false, + "logonId": "0x3e7" + }, + "technique": "T1043", + "tactics": [ + 10 + ], + "hijackingType": 2, + "scriptBlockText": "# Localized\t12/07/2019 05:47 AM (GMT)\t303:6.40.20520\r\nadminTSHistorySize=Disk space\r\n###PSLOC\r\n'@\r\n", + "scriptBlockSize": 3498, + "scriptBlockId": "10000000-99fe-491b-b123-1000000000", + "scriptBlockEntropy": 4.0000000001111, + "taskName": "\\MicrosoftEdgeUpdateTaskMachineUA1d7bcbe442e52e3", + "etwActivityId": "{D0000000-0C5B-4DA9-B7B3-60000000D}", + "actionName": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "engineProcess": { + "program": { + "path": "c:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe", + "filename": "msedgeupdate.dll", + "md5": "c00000000000000111111111173ac03a", + "sha1": "c00000000000000111111111150bbc242325d0c4", + "sha256": "c000000000000001111111111c00000000000000111111111181196d5ed93db5", + "certInfo": { + "signer": "Microsoft Corporation", + "issuer": "Microsoft Code Signing PCA 2011", + "trusted": true, + "expired": true + }, + "size": 224160, + "arch": "x32", + "fsName": "microsoftedgeupdate.exe" + }, + "user": "NT AUTHORITY\\SYSTEM", + "pid": 8392, + "startTime": 1645555504839, + "ppid": 1144, + "pstartTime": 1643790805202, + "userSID": "S-1-5-18", + "privilegeLevel": "SYSTEM", + "noGui": false, + "logonId": "0x001" + }, + "enginePid": 8392, + "serviceName": "ExampleSvc", + "startType": 3, + "serviceType": 0, + "servicePid": 7260, + "serviceProcess": { + "program": { + "path": "c:\\windows\\system32\\svchost.exe", + "filename": "svchost.exe", + "md5": "c000000000000001111111111bc16316", + "sha1": "c0000000000000011111111116fd425ba8d42d82", + 
"sha256": "c000000000000001111111111c000000000000001111111111c958c13b6558c7", + "certInfo": { + "signer": "Microsoft Windows", + "issuer": "Microsoft Windows Production PCA 2011", + "trusted": true, + "expired": false + }, + "size": 57360, + "arch": "x64", + "fsName": "svchost.exe" + }, + "user": "NT AUTHORITY\\SYSTEM", + "pid": 7260, + "startTime": 1645558995554, + "ppid": 656, + "pstartTime": 1643790802003, + "userSID": "S-1-1-18", + "privilegeLevel": "SYSTEM", + "noGui": false, + "logonId": "0x3e7" + }, + "scanResult": 1, + "appName": "PowerShell_C:\\Windows\\System32\\sdiagnhost.exe_10.0.19041.1", + "contentSize": 5186, + "originalSize": 5186, + "contentName": "C:\\Windows\\TEMP\\SDIAG_0dc8f1b1-00000-00000-a272-00000000001\\TS_DiagnosticHistory.ps1", + "content": "# Copyright \u00a9 2008, Microsoft Corporation. All rights reserved.\r\n\r\ntrap {break} @{'UnwantedSpace'=(Format-DiskSpaceMB $totalSize)}\r\n" + }, + "eventType": 88, + "relevance": 83 + }, + "happenedAt": "2022-03-23T14:53:49.483Z", + "receivedAt": "2022-03-28T16:38:01.475Z" +} \ No newline at end of file diff --git a/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py new file mode 100644 index 000000000..b6bc28535 --- /dev/null +++ b/stix_shifter_modules/reaqta/test/stix_translation/test_reaqta_json_to_stix.py 
@@ -0,0 +1,465 @@
+import json
+import unittest
+from stix_shifter_modules.reaqta.entry_point import EntryPoint
+
+
+def find(element, dd, default=None):
+ try:
+ keys = element.split('.')
+ rv = dd
+ for key in keys:
+ rv = rv[key]
+ return rv
+ except Exception:
+ return default
+
+ENTRY_POINT = EntryPoint()
+
+RESULT_FILE = open('stix_shifter_modules/reaqta/test/stix_translation/json/event_result.json', 'r').read()
+DATA = json.loads(RESULT_FILE)
+
+DATA_RECEIVED_AR_TIMESTAMP = find('receivedAt', DATA)
+DATA_HAPPENED_AT_TIMESTAMP = find('happenedAt', DATA)
+DATA_EVENT_ID = int(find('eventId', DATA))
+DATA_EVENT_TYPE = find('payload.eventType', DATA)
+DATA_LOCAL_ID = find('payload.localId', DATA)
+DATA_PROCESS_ID = find('payload.process.id', DATA)
+DATA_PROCESS_PARENT_ID = find('payload.process.parentId', DATA)
+DATA_PROCESS_ID_ENDPOINT_ID = find('payload.process.endpointId', DATA)
+DATA_PROCESS_IMAGE_FILE = find('payload.process.program.filename', DATA)
+DATA_PROCESS_IMAGE_FILE_MD5 = find('payload.process.program.md5', DATA)
+DATA_PROCESS_IMAGE_FILE_SHA1 = find('payload.process.program.sha1', DATA)
+DATA_PROCESS_IMAGE_FILE_SHA256 = find('payload.process.program.sha256', DATA)
+DATA_PROCESS_IMAGE_FILE_SIZE = find('payload.process.program.size', DATA)
+DATA_PROCESS_IMAGE_ARCH = find('payload.process.program.arch', DATA)
+DATA_PROCESS_IMAGE_DIR = find('payload.process.program.path', DATA).replace('\\' + DATA_PROCESS_IMAGE_FILE, '')
+DATA_PROCESS_SIGNER = find('payload.process.program.certInfo.signer', DATA)
+DATA_PROCESS_ISSUER = find('payload.process.program.certInfo.issuer', DATA)
+DATA_PROCESS_TRUSTED = find('payload.process.program.certInfo.trusted', DATA)
+DATA_PROCESS_EXPIRED = find('payload.process.program.certInfo.expired', DATA)
+DATA_PROCESS_COMMAND_LINE = find('payload.data.cmdLine', DATA)
+DATA_PROCESS_PRIVILEGE_LEVEL = find('payload.process.privilegeLevel', DATA)
+DATA_PROCESS_NO_GUI = find('payload.process.noGui', DATA)
+DATA_PROCESS_LOGON_ID = find('payload.process.logonId', DATA)
+DATA_PROCESS_USER_SID = find('payload.process.userSID', DATA)
+DATA_PROCESS_USER = find('payload.process.user', DATA)
+DATA_PROCESS_PPID = find('payload.process.ppid', DATA)
+DATA_LOCAL_PORT = find('payload.data.localPort', DATA)
+DATA_REMOTE_PORT = find('payload.data.remotePort', DATA)
+DATA_LOCAL_IP = find('payload.data.localAddr', DATA)
+DATA_REMOTE_IP = find('payload.data.remoteAddr', DATA)
+DATA_SERVICE_NAME = find('payload.data.serviceName', DATA)
+DATA_ROOT_OBJECT = find('payload.data.rootObject', DATA)
+DATA_START_TYPE = find('payload.data.startType', DATA)
+DATA_SERVICE_TYPE = find('payload.data.serviceType', DATA)
+DATA_TECHNIQUE = find('payload.data.technique', DATA)
+DATA_TACTICS = find('payload.data.tactics', DATA)
+DATA_TAGS = find('payload.data.tags', DATA)
+DATA_RELEVANCE = find('payload.data.relevance', DATA)
+DATA_VERSION = find('payload.data.version', DATA)
+
+STIX_2_1_OBJECT_REFS = [
+ "directory--9d6f3ae4-4fb1-5eaf-a295-7ae1189befeb",
+ "file--697ce471-a30e-5867-83ab-69d38fc4c07c",
+ "user-account--80bb9f7c-1010-5f6f-bc9c-d862451be62c",
+ "file--6463fa96-e6e4-50d6-b636-792bc7fe096e",
+ "network-traffic--1447b4e4-99c4-552d-b140-07fa908504af",
+ "directory--c616d2f7-3b0a-5ccb-843c-e4592f5d5c50",
+ "user-account--a50c0708-1b89-55c6-92e9-6d93a80d2708",
+ "url--91ba42cf-130a-58f8-8a18-7613abffd412",
+ "user-account--c0152e8f-c3db-55c6-8881-7e8d8373e8a0",
+ "file--0af4f45b-8970-5c87-819f-814b93e472ca",
+ "user-account--4fe2a8d1-b519-5701-b521-1145606b1903",
+ "directory--5c0ad0f9-38c5-56c0-a059-85994be2032a",
+ "file--ffc24f98-eb84-500d-a5d5-52376ce5ffa9",
+ "user-account--da9a51b3-80fa-5e94-adb9-a78bf00d9a56",
+ "directory--0c5773ea-0ddb-5b4d-bef7-2c29818f0170",
+ "file--ce0f32cf-1b48-59f9-8139-11e01d198bfc",
+ "directory--2f2498e1-8be8-53fa-93cd-6e54220b452a",
+ "file--1b887397-3edf-5eba-961c-83f62a816661",
+ "file--19a3ab44-7c99-570a-918a-61d3bb96ecad",
+ "ipv4-addr--a47ff5c6-efeb-5caa-b606-62198d19839d",
+ "ipv4-addr--adac2d17-0bea-5ec1-8d7a-653cba4476e4"
+]
+
+DATA_SOURCE = {
+ "type": "identity",
+ "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
+ "name": "Reaqta",
+ "identity_class": "events"
+}
+
+class TestReaqtaResultsToStix(unittest.TestCase):
+ """
+ class to perform unit test case for reaqta translate results
+ """
+ @staticmethod
+ def get_first(itr, constraint):
+ return next(
+ (obj for obj in itr if constraint(obj)),
+ None
+ )
+
+ @staticmethod
+ def get_first_of_type(itr, typ):
+ return TestReaqtaResultsToStix.get_first(itr, lambda o: type(o) == dict and o.get('type') == typ)
+
+ @staticmethod
+ def get_first_cybox_of_type_stix_2_1(itr, type):
+ for obj in itr:
+ if obj["type"] == type:
+ return obj
+
+ @staticmethod
+ def get_observed_data_objects():
+ result_bundle = ENTRY_POINT.translate_results(json.dumps(DATA_SOURCE), json.dumps([DATA]))
+ result_bundle_objects = result_bundle['objects']
+ observed_data = result_bundle_objects[1]
+
+ return observed_data['objects']
+
+ def test_common_prop(self):
+ result_bundle = ENTRY_POINT.translate_results(json.dumps(DATA_SOURCE), json.dumps([DATA]))
+
+ assert(result_bundle['type'] == 'bundle')
+ result_bundle_objects = result_bundle['objects']
+
+ result_bundle_identity = result_bundle_objects[0]
+ assert(result_bundle_identity['type'] == DATA_SOURCE['type'])
+ assert(result_bundle_identity['id'] == DATA_SOURCE['id'])
+ assert(result_bundle_identity['name'] == DATA_SOURCE['name'])
+ assert(result_bundle_identity['identity_class'] == DATA_SOURCE['identity_class'])
+
+ observed_data = result_bundle_objects[1]
+
+ assert(observed_data['id'] is not None)
+ assert(observed_data['type'] == "observed-data")
+ assert(observed_data['created_by_ref'] == result_bundle_identity['id'])
+
+ assert(observed_data['number_observed'] == 1)
+ assert(observed_data['created'] is not None)
+ assert(observed_data['modified'] is not None)
+ assert(observed_data['first_observed'] == DATA_HAPPENED_AT_TIMESTAMP)
+ assert(observed_data['last_observed'] == DATA_HAPPENED_AT_TIMESTAMP)
+
+ def test_cybox_observables_process(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ proc_obj = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'process')
+
+ assert(proc_obj is not None), 'process object type not found'
+ assert(proc_obj.keys() == {'type', 'extensions', 'binary_ref', 'creator_user_ref', 'pid', 'created', 'parent_ref', 'command_line'})
+
+ user_ref = proc_obj['creator_user_ref']
+ assert(user_ref in objects), f"creator_user_ref with key {proc_obj['creator_user_ref']} not found"
+
+ binary_ref = proc_obj['binary_ref']
+ assert(binary_ref in objects), f"binary_ref with key {proc_obj['binary_ref']} not found"
+
+ binary = objects[binary_ref]
+ assert(binary.keys() == {'type', 'parent_directory_ref', 'name', 'hashes', 'size', 'extensions'})
+ assert(binary['name'] == DATA_PROCESS_IMAGE_FILE)
+ assert(binary['parent_directory_ref'] in objects), f"binary.parent_directory_ref with key {binary_ref['parent_directory_ref']} not found"
+ assert(objects[binary['parent_directory_ref']]['path'] == DATA_PROCESS_IMAGE_DIR)
+
+ parent_ref = proc_obj['parent_ref']
+ assert(parent_ref in objects), f"parent_ref with key {proc_obj['parent_ref']} not found"
+ assert(proc_obj['command_line'] == DATA_PROCESS_COMMAND_LINE)
+
+ extensions = find('extensions.x-reaqta-process', proc_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'process_id', 'parent_process_id', 'process_endpoint_id', 'privilege_level', 'no_gui', 'logon_id', 'command_line_args'})
+ assert(extensions['process_id'] == DATA_PROCESS_ID)
+ assert(extensions['parent_process_id'] == DATA_PROCESS_PARENT_ID)
+ assert(extensions['process_endpoint_id'] == DATA_PROCESS_ID_ENDPOINT_ID)
+ assert(extensions['privilege_level'] == DATA_PROCESS_PRIVILEGE_LEVEL)
+ assert(extensions['no_gui'] == DATA_PROCESS_NO_GUI)
+ assert(extensions['logon_id'] == DATA_PROCESS_LOGON_ID)
+ assert(extensions['command_line_args'] == [])
+
+ extensions = find('extensions.windows-process-ext', proc_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'owner_sid'})
+ assert(extensions['owner_sid'] == DATA_PROCESS_USER_SID)
+
+ def test_cybox_observables_file(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ file_obj = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'file')
+
+ assert(file_obj is not None), 'file object type not found'
+ assert(file_obj.keys() == {'type', 'parent_directory_ref', 'name', 'hashes', 'size', 'extensions'})
+ assert(file_obj['type'] == 'file')
+ assert(file_obj['name'] == DATA_PROCESS_IMAGE_FILE)
+ assert(file_obj['size'] == DATA_PROCESS_IMAGE_FILE_SIZE)
+
+ parent_obj = objects[file_obj['parent_directory_ref']]
+ assert(parent_obj is not None), "file parent ref not found"
+ assert(parent_obj.keys() == {'type', 'path'})
+ assert(parent_obj['type'] == "directory")
+ assert(parent_obj['path'] == DATA_PROCESS_IMAGE_DIR)
+
+ hashes = file_obj['hashes']
+ assert(hashes.keys() == {'MD5', 'SHA-1', 'SHA-256'})
+ assert(hashes['MD5'] == DATA_PROCESS_IMAGE_FILE_MD5)
+ assert(hashes['SHA-1'] == DATA_PROCESS_IMAGE_FILE_SHA1)
+ assert(hashes['SHA-256'] == DATA_PROCESS_IMAGE_FILE_SHA256)
+
+ extensions = find('extensions.x-reaqta-program', file_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'arch', 'fsname'})
+ assert(extensions['arch'] == DATA_PROCESS_IMAGE_ARCH)
+ assert(extensions['fsname'] == DATA_PROCESS_IMAGE_FILE)
+
+ def test_cybox_observables_network_traffic(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ network_obj = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+
+ assert(network_obj is not None), 'network-traffic object type not found'
+ assert(network_obj.keys() == {'type', 'extensions', 'protocols', 'src_port', 'dst_port', 'src_ref', 'dst_ref'})
+ assert(network_obj['type'] == 'network-traffic')
+ assert(network_obj['src_port'] == DATA_LOCAL_PORT)
+ assert(network_obj['dst_port'] == DATA_REMOTE_PORT)
+
+ ip_ref = network_obj['src_ref']
+ assert(ip_ref in objects), f"src_ref with key {network_obj['src_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_LOCAL_IP)
+
+ ip_ref = network_obj['dst_ref']
+ assert(ip_ref in objects), f"dst_ref with key {network_obj['dst_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_REMOTE_IP)
+
+ extensions = find('extensions.x-reaqta-network', network_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'address_family', 'outbound'})
+ assert(extensions['address_family'] == 'IPv4')
+ assert(extensions['outbound'] == True)
+
+ def test_x_oca_event(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-oca-event')
+
+ assert(event['type']) == "x-oca-event"
+ assert(event['code']) == DATA_EVENT_ID
+ assert(event['created'] == DATA_RECEIVED_AR_TIMESTAMP)
+ assert(event['category'] == DATA_EVENT_TYPE)
+ assert(event['action'] == "Service Stopped")
+
+ file_ref = event['file_ref']
+ assert(file_ref in objects), f"file_ref with key {event['file_ref']} not found"
+ file_obj = objects[file_ref]
+ assert(file_obj.keys() == {'type', 'parent_directory_ref', 'name', 'hashes', 'size', 'extensions'})
+ assert(file_obj['type'] == 'file')
+ assert(file_obj['name'] == DATA_PROCESS_IMAGE_FILE)
+ parent_obj = objects[file_obj['parent_directory_ref']]
+ assert(parent_obj is not None), "file parent ref not found"
+ assert(parent_obj.keys() == {'type', 'path'})
+ assert(parent_obj['type'] == "directory")
+ assert(parent_obj['path'] == DATA_PROCESS_IMAGE_DIR)
+
+ user_ref = event['user_ref']
+ assert(user_ref in objects), f"user_ref with key {event['user_ref']} not found"
+ user_obj = objects[user_ref]
+ assert(user_obj.keys() == {'type', 'user_id'})
+ assert(user_obj['type'] == 'user-account')
+ assert(user_obj['user_id'] == DATA_PROCESS_USER)
+
+ process_ref = event['process_ref']
+ assert(process_ref in objects), f"process_ref with key {event['process_ref']} not found"
+ process_obj = objects[process_ref]
+ assert(process_obj.keys() == {'type', 'extensions', 'binary_ref', 'creator_user_ref', 'pid', 'created', 'parent_ref', 'command_line'})
+ assert(process_obj['type'] == 'process')
+ assert(process_obj['command_line'] == DATA_PROCESS_COMMAND_LINE)
+ binary_obj = objects[process_obj['binary_ref']]
+ assert(binary_obj is not None), "process binary ref not found"
+ assert(binary_obj.keys() == {'type', 'parent_directory_ref', 'name', 'hashes', 'size', 'extensions'})
+ assert(binary_obj['type'] == "file")
+ assert(binary_obj['name'] == DATA_PROCESS_IMAGE_FILE)
+ binary_parent_dir_obj = objects[binary_obj['parent_directory_ref']]
+ assert(binary_parent_dir_obj is not None), "process binary parent directory ref not found"
+ assert(binary_parent_dir_obj['type'] == "directory")
+ assert(binary_parent_dir_obj['path'] == DATA_PROCESS_IMAGE_DIR)
+
+ parent_process_ref = event['parent_process_ref']
+ assert(parent_process_ref in objects), f"parent_process_ref with key {event['parent_process_ref']} not found"
+ parent_process_obj = objects[parent_process_ref]
+ assert(parent_process_obj.keys() == {'type', 'pid'})
+ assert(parent_process_obj['type'] == 'process')
+ assert(parent_process_obj['pid'] == DATA_PROCESS_PPID)
+
+ network_ref = event['network_ref']
+ assert(network_ref in objects), f"network_ref with key {event['network_ref']} not found"
+ network_obj = objects[network_ref]
+ assert(network_obj.keys() == {'type', 'extensions', 'protocols', 'src_port', 'dst_port', 'src_ref', 'dst_ref'})
+ assert(network_obj['type'] == 'network-traffic')
+ assert(network_obj['src_port'] == DATA_LOCAL_PORT)
+ assert(network_obj['dst_port'] == DATA_REMOTE_PORT)
+
+ ip_ref = network_obj['src_ref']
+ assert(ip_ref in objects), f"src_ref with key {network_obj['src_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_LOCAL_IP)
+
+ ip_ref = network_obj['dst_ref']
+ assert(ip_ref in objects), f"dst_ref with key {network_obj['dst_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_REMOTE_IP)
+
+
+ def test_x_ibm_finding(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
+
+ assert(event is not None), "x-ibm-finding not found"
+ assert(event.keys() == {'type', 'extensions', 'src_ip_ref', 'dst_ip_ref'})
+ assert(event['type'] == "x-ibm-finding")
+
+ ip_ref = event['src_ip_ref']
+ assert(ip_ref in objects), f"src_ip_ref with key {event['src_ip_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_LOCAL_IP)
+
+ ip_ref = event['dst_ip_ref']
+ assert(ip_ref in objects), f"dst_ip_ref with key {event['dst_ip_ref']} not found"
+ ip_obj = objects[ip_ref]
+ assert(ip_obj.keys() == {'type', 'value'})
+ assert(ip_obj['type'] == 'ipv4-addr')
+ assert(ip_obj['value'] == DATA_REMOTE_IP)
+
+ extensions = find('extensions.x-reaqta-alert', event)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'incidents', 'triggered_incidents'})
+ assert(extensions['incidents'] == [])
+ assert(extensions['triggered_incidents'] == [])
+
+ def test_x_reaqta_event(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x-reaqta-event')
+
+ assert(event is not None), "x-reaqta-event not found"
+ assert(event.keys() == {'type', 'endpoint_id', 'local_id', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 'custom_name', 'relevance', 'tags', 'region_size', 'pe_type', 'return_code', 'technique', 'tactics', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'})
+ assert(event['type'] == "x-reaqta-event")
+ assert(event['endpoint_id'] == DATA_PROCESS_ID_ENDPOINT_ID)
+ assert(event['local_id'] == DATA_LOCAL_ID)
+ assert(event['technique'] == DATA_TECHNIQUE)
+ assert(event['tactics'] == DATA_TACTICS)
+ assert(event['tags'] == DATA_TAGS)
+ assert(event['relevance'] == DATA_RELEVANCE)
+ assert(event['version'] == DATA_VERSION)
+ assert(event['service_name'] == DATA_SERVICE_NAME)
+ assert(event['root_object'] == DATA_ROOT_OBJECT)
+ assert(event['start_type'] == DATA_START_TYPE)
+ assert(event['service_type'] == DATA_SERVICE_TYPE)
+
+
+ def test_x509_certificate(self):
+ objects = TestReaqtaResultsToStix.get_observed_data_objects()
+ event = TestReaqtaResultsToStix.get_first_of_type(objects.values(), 'x509-certificate')
+
+ assert(event is not None), "x509-certificate not found"
+ assert(event.keys() == {'type', 'extensions', 'issuer'})
+ assert(event['type'] == "x509-certificate")
+ assert(event['issuer'] == DATA_PROCESS_ISSUER)
+
+ extensions = find('extensions.x-reaqta-cert', event)
+ assert(extensions is not None), "x-reaqta-cert extensions not found"
+ assert(extensions.keys() == {'signer', 'trusted', 'expired'})
+ assert(extensions['signer'] == DATA_PROCESS_SIGNER)
+ assert(extensions['trusted'] == DATA_PROCESS_TRUSTED)
+ assert(extensions['expired'] == DATA_PROCESS_EXPIRED)
+
+
+ def test_stix_21_prop(self):
+ result_bundle = EntryPoint(options={"stix_2.1": True}).translate_results(json.dumps(DATA_SOURCE), json.dumps([DATA]))
+
+ assert(result_bundle['type'] == 'bundle')
+ result_bundle_objects = result_bundle['objects']
+
+ result_bundle_identity = result_bundle_objects[0]
+ assert(result_bundle_identity['type'] == DATA_SOURCE['type'])
+ assert(result_bundle_identity['id'] == DATA_SOURCE['id'])
+ assert(result_bundle_identity['name'] == DATA_SOURCE['name'])
+ assert(result_bundle_identity['identity_class'] == DATA_SOURCE['identity_class'])
+
+ observed_data = result_bundle_objects[1]
+ assert(observed_data['id'] is not None)
+ assert(observed_data['type'] == "observed-data")
+ assert(observed_data['created_by_ref'] == result_bundle_identity['id'])
+ assert(observed_data['number_observed'] == 1)
+ assert(observed_data['created'] is not None)
+ assert(observed_data['modified'] is not None)
+ assert(observed_data['first_observed'] == DATA_HAPPENED_AT_TIMESTAMP)
+ assert(observed_data['last_observed'] == DATA_HAPPENED_AT_TIMESTAMP)
+
+ # Count object types
+ assert(sum(obj['type'] == 'directory' for obj in result_bundle_objects) == 5)
+ assert(sum(obj['type'] == 'file' for obj in result_bundle_objects) == 7)
+ assert(sum(obj['type'] == 'ipv4-addr' for obj in result_bundle_objects) == 2)
+ assert(sum(obj['type'] == 'network-traffic' for obj in result_bundle_objects) == 1)
+ assert(sum(obj['type'] == 'process' for obj in result_bundle_objects) == 12)
+ assert(sum(obj['type'] == 'url' for obj in result_bundle_objects) == 1)
+ assert(sum(obj['type'] == 'user-account' for obj in result_bundle_objects) == 5)
+ assert(sum(obj['type'] == 'x-ibm-finding' for obj in result_bundle_objects) == 1)
+ assert(sum(obj['type'] == 'x-oca-asset' for obj in result_bundle_objects) == 2)
+ assert(sum(obj['type'] == 'x-oca-event' for obj in result_bundle_objects) == 4)
+ assert(sum(obj['type'] == 'x-reaqta-etw' for obj in result_bundle_objects) == 1)
+ assert(sum(obj['type'] == 'x-reaqta-event' for obj in result_bundle_objects) == 1)
+
+ # Insure fixed deterministic IDs are present
+ assert(set(STIX_2_1_OBJECT_REFS).issubset(observed_data['object_refs']))
+
+ event = TestReaqtaResultsToStix.get_first_cybox_of_type_stix_2_1(result_bundle_objects, 'x-reaqta-event')
+ assert(event is not None), "x-reaqta-event not found"
+ assert(event.keys() == {'type', 'endpoint_id', 'id', 'spec_version', 'local_id', 'root_object', 'name', 'data', 'version', 'namespace_name', 'operation', 'is_local', 'queryName', 'custom_type', 'custom_name', 'relevance', 'tags', 'region_size', 'pe_type', 'return_code', 'technique', 'tactics', 'task_name', 'action_name', 'service_name', 'start_type', 'service_type'})
+ assert(event['type'] == "x-reaqta-event")
+ assert(event['endpoint_id'] == DATA_PROCESS_ID_ENDPOINT_ID)
+ assert(event['local_id'] == DATA_LOCAL_ID)
+ assert(event['technique'] == DATA_TECHNIQUE)
+ assert(event['tactics'] == DATA_TACTICS)
+ assert(event['tags'] == DATA_TAGS)
+ assert(event['relevance'] == DATA_RELEVANCE)
+ assert(event['version'] == DATA_VERSION)
+ assert(event['service_name'] == DATA_SERVICE_NAME)
+ assert(event['root_object'] == DATA_ROOT_OBJECT)
+ assert(event['start_type'] == DATA_START_TYPE)
+ assert(event['service_type'] == DATA_SERVICE_TYPE)
+
+ proc_obj = TestReaqtaResultsToStix.get_first_cybox_of_type_stix_2_1(result_bundle_objects, 'process')
+ assert(proc_obj is not None), 'process object type not found'
+ assert(proc_obj.keys() == {'type', 'extensions', 'id', 'spec_version', 'binary_ref', 'creator_user_ref', 'pid', 'created', 'parent_ref', 'command_line'})
+
+ user_ref = proc_obj['creator_user_ref']
+ assert(user_ref.object_id in observed_data['object_refs']), f"creator_user_ref with key {proc_obj['creator_user_ref']} not found"
+
+ binary_ref = proc_obj['binary_ref']
+ assert(binary_ref.object_id in observed_data['object_refs']), f"binary_ref with key {proc_obj['binary_ref']} not found"
+
+ parent_ref = proc_obj['parent_ref']
+ assert(parent_ref.object_id in observed_data['object_refs']), f"parent_ref with key {proc_obj['parent_ref']} not found"
+ assert(proc_obj['command_line'] == DATA_PROCESS_COMMAND_LINE)
+
+ extensions = find('extensions.x-reaqta-process-ext', proc_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'process_id', 'parent_process_id', 'process_endpoint_id', 'privilege_level', 'no_gui', 'logon_id', 'command_line_args'})
+ assert(extensions['process_id'] == DATA_PROCESS_ID)
+ assert(extensions['parent_process_id'] == DATA_PROCESS_PARENT_ID)
+ assert(extensions['process_endpoint_id'] == DATA_PROCESS_ID_ENDPOINT_ID)
+ assert(extensions['privilege_level'] == DATA_PROCESS_PRIVILEGE_LEVEL)
+ assert(extensions['no_gui'] == DATA_PROCESS_NO_GUI)
+ assert(extensions['logon_id'] == DATA_PROCESS_LOGON_ID)
+ assert(extensions['command_line_args'] == [])
+
+ extensions = find('extensions.windows-process-ext', proc_obj)
+ assert(extensions is not None), "file extensions not found"
+ assert(extensions.keys() == {'owner_sid'})
+ assert(extensions['owner_sid'] == DATA_PROCESS_USER_SID)
\ No newline at end of file
diff --git a/stix_shifter_modules/reaqta/test/stix_translation/test_stix_to_hunt_query.py b/stix_shifter_modules/reaqta/test/stix_translation/test_stix_to_hunt_query.py
new file mode 100644
index 000000000..be31ee3ab
--- /dev/null
+++ b/stix_shifter_modules/reaqta/test/stix_translation/test_stix_to_hunt_query.py
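Review bot: In test_x_oca_event the first two checks are no-ops: `assert(event['type']) == "x-oca-event"` and `assert(event['code']) == DATA_EVENT_ID` only assert that the value is truthy, because the closing parenthesis ends the assert and the `==` comparison is evaluated and discarded, so a wrong event type or code would still pass; they should read `assert(event['type'] == "x-oca-event")` and `assert(event['code'] == DATA_EVENT_ID)`. That method also indexes `event` without the `assert(event is not None)` guard the sibling tests use, so a missing object surfaces as a TypeError rather than the intended message. Separately, the module-level `RESULT_FILE = open(...).read()` never closes its handle and resolves the fixture path against the current working directory; `with open(path, encoding='utf-8') as fh: DATA = json.load(fh)` with `path` built from `os.path.dirname(__file__)` would make the suite run from any directory. In test_cybox_observables_process the failure message `{binary_ref['parent_directory_ref']}` indexes a string key and would itself raise on failure — it should reference `binary['parent_directory_ref']`.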
@@ -0,0 +1,289 @@ +from stix_shifter.stix_translation import stix_translation +import re +import unittest +from stix2patterns.validator import run_validator as pattern_validator + +translation = stix_translation.StixTranslation() + +TEST_START_DATE1 = "2022-04-06T00:00:00.000Z" +TEST_STOP_DATE1 = "2022-04-06T00:05:00.000Z" +TEST_START_STOP_STIX_VALUE1 = "START t'{}' STOP t'{}'".format(TEST_START_DATE1, TEST_STOP_DATE1) +TEST_START_STOP_TRANSLATED1 = 'AND happenedAfter = "{}" AND happenedBefore = "{}"'.format(TEST_START_DATE1, TEST_STOP_DATE1) + +TEST_START_DATE2 = "2022-04-07T00:00:00.000Z" +TEST_STOP_DATE2 = "2022-04-07T00:05:00.000Z" +TEST_START_STOP_STIX_VALUE2 = "START t'{}' STOP t'{}'".format(TEST_START_DATE2, TEST_STOP_DATE2) +TEST_START_STOP_TRANSLATED2 = 'AND happenedAfter = "{}" AND happenedBefore = "{}"'.format(TEST_START_DATE2, TEST_STOP_DATE2) + +TEST_DATE_PATTERN = r"(\"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}(\.\d+)?Z\")" + + +class TestQueryTranslator(unittest.TestCase): + + def assertPattern(self, stix_pattern): + errors = pattern_validator(stix_pattern, stix_version='2.1') + + # print('\nPattern:', stix_pattern) + # print('Errors', errors) + + assert len(errors) == 0 + + + def assertQuery(self, query, test_string, stix_pattern): + self.assertPattern(stix_pattern) + + # print('\nTranslated:', query[0]) + # print('Expected :', test_string[0]) + + self.assertEqual(query, test_string) + + #################################### + ## Operators and qualifier checks ## + #################################### + + def test_timeinterval(self): + stix_pattern = "[ipv4-addr:value = '172.16.60.184'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['((login.ip = "172.16.60.184" OR $ip = "172.16.60.184")) {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_no_timeinterval(self): + ''' + The missing qualifier 
for thw observation expressio should be added using default time interval + ''' + stix_pattern = "[ipv4-addr:value = '192.168.1.2']" + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'][0] + + assert '((login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) AND happenedAfter = "' in query + + found = re.findall(TEST_DATE_PATTERN, query) + assert len(found) == 2 + + def test_one_observation_expression_with_timeinterval(self): + stix_pattern = "[ipv4-addr:value = '192.168.1.2' OR url:value = 'www.example.com'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(eventdata.url = "www.example.com" OR (login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) {}'.format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_two_observation_expressions_with_two_timeintervals(self): + stix_pattern = "[ipv4-addr:value = '192.168.1.2'] {} OR [url:value = 'www.example.com'] {}".format(TEST_START_STOP_STIX_VALUE1, TEST_START_STOP_STIX_VALUE2) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['((login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) {} OR (eventdata.url = "www.example.com") {}'.format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED2)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_two_observation_expressions_with_one_timeinterval(self): + ''' + Only one qualifier is present for 2 observation expressions. 
+ The missing qualifier should be added using default time interval + ''' + stix_pattern = "[ipv4-addr:value = '192.168.1.2'] OR [url:value = 'www.example.com'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(($ip = "192.168.1.2") {}) OR ((eventdata.url = "www.example.com") {})'.format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED1)] + self.assertNotEqual(query, test_string) + + assert '((login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) AND happenedAfter = "' in query[0] + assert 'OR (eventdata.url = "www.example.com") AND happenedAfter = "' in query[0] + + found = re.findall(TEST_DATE_PATTERN, query[0]) + assert len(found) == 4 + + + def test_combined_observation_expressions_with_timeintervals(self): + stix_pattern = "([ipv4-addr:value = '192.168.1.2'] {} OR [url:value = 'www.example.com']) {}".format(TEST_START_STOP_STIX_VALUE1, TEST_START_STOP_STIX_VALUE2) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['((login.ip = "192.168.1.2" OR $ip = "192.168.1.2")) {} OR (eventdata.url = "www.example.com") {}'.format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED2)] + + self.assertQuery(query, test_string, stix_pattern) + + + def test_not_operator(self): + stix_pattern = "[ipv4-addr:value NOT = '172.31.60.104' OR network-traffic:src_ref.value != '172.31.60.104']" \ + "START t'2022-03-24T20:21:35.519Z' STOP t'2022-03-24T20:21:35.619Z'" + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($ip != "172.31.60.104" OR (NOT login.ip = "172.31.60.104" OR NOT $ip = "172.31.60.104"))' \ + ' AND happenedAfter = "2022-03-24T20:21:35.519Z" AND happenedBefore = "2022-03-24T20:21:35.619Z"'] + + self.assertQuery(query, test_string, stix_pattern) + + + def test_in_operator(self): + stix_pattern = 
"[network-traffic:src_port IN (443, 446)] {} OR [ipv4-addr:value IN ('127.0.0.1', '127.0.0.2')] {}".format(TEST_START_STOP_STIX_VALUE1, TEST_START_STOP_STIX_VALUE2) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(eventdata.localPort = "443" OR eventdata.localPort = "446") {} OR ((login.ip = "127.0.0.1" OR $ip = "127.0.0.1" OR login.ip = "127.0.0.2" OR $ip = "127.0.0.2")) {}'.format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED2)] + + self.assertQuery(query, test_string, stix_pattern) + + + def test_match_operator(self): + stix_pattern = "[file:name MATCHES 'serv'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(($filename = "serv" OR consumer.script.filename = "serv")) {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + + def test_like_operator(self): + stix_pattern = "[file:name LIKE 'svc'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(($filename = "svc" OR consumer.script.filename = "svc")) {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_combined(self): + stix_pattern = "([network-traffic:src_ref.value = '127.0.0.1' AND file:hashes.'MD5' != '23db6982caef9e9152f1a5b2589e6ca3' OR file:hashes.'SHA-256' = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'] " \ + "AND [ipv4-addr:value = '10.0.0.1' OR ipv4-addr:value = '12.0.0.1' OR ipv4-addr:value = '12.0.0.2'] " \ + "AND [url:value = 'http://aaa.bbb' OR url:value = 'http://ccc.ddd']) {}".format(TEST_START_STOP_STIX_VALUE1) + + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($sha256 = 
"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" OR $md5 != "23db6982caef9e9152f1a5b2589e6ca3" AND $ip = "127.0.0.1") {} ' \ + 'AND ((login.ip = "12.0.0.2" OR $ip = "12.0.0.2") OR (login.ip = "12.0.0.1" OR $ip = "12.0.0.1") OR (login.ip = "10.0.0.1" OR $ip = "10.0.0.1")) {} ' \ + 'AND (eventdata.url = "http://ccc.ddd" OR eventdata.url = "http://aaa.bbb") {}' + .format(TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED1, TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + ######################## + ## stix objects check ## + ######################## + + def test_ipv4_addr(self): + stix_pattern = "[ipv4-addr:value = '192.168.122.83' OR ipv4-addr:value = '192.168.122.84'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['((login.ip = "192.168.122.84" OR $ip = "192.168.122.84") OR (login.ip = "192.168.122.83" OR $ip = "192.168.122.83")) {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_ipv6_addr(self): + stix_pattern = "[ipv6-addr:value = '2001:db8:3333:4444:5555:6666:7777:8888'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($ip = "2001:db8:3333:4444:5555:6666:7777:8888") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_url(self): + stix_pattern = "[url:value = 'https://example.com/example/path'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(eventdata.url = "https://example.com/example/path") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_file_name(self): + stix_pattern = "[file:name = 
'winword.exe'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(($filename = "winword.exe" OR consumer.script.filename = "winword.exe")) {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_file_sha1(self): + stix_pattern = "[file:hashes.'SHA-1' = 'D56C753E0F8CE84BA3D3AB284628CF6594FDAA74'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($sha1 = "D56C753E0F8CE84BA3D3AB284628CF6594FDAA74") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_file_sha256(self): + stix_pattern = "[file:hashes.'SHA-256' = '47D1D8273710FD6F6A5995FAC1A0983FE0E8828C288E35E80450DDC5C4412DEF'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($sha256 = "47D1D8273710FD6F6A5995FAC1A0983FE0E8828C288E35E80450DDC5C4412DEF") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_file_md5(self): + stix_pattern = "[file:hashes.'MD5' = '7d351ff6fea9e9dc100b7deb0e03fd35'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($md5 = "7d351ff6fea9e9dc100b7deb0e03fd35") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_directory_file_path(self): + stix_pattern = "[file:parent_directory_ref.path = 'c:\\\program files\\\microsoft office\\\\root\\\office16\\\winword.exe' OR directory:path = 'c:\\\program files\\\microsoft office\\\\root\\\office16\\\winword.exe'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = 
translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + path = "c:\\program files\\microsoft office\\root\\office16\\winword.exe" + + test_string = ['(($path = "{}" OR accessor.path = "{}" OR consumer.workingDirectory = "{}" OR __etwHomePath = "{}") OR $path = "{}") {}'.format(path, path, path, path, path, TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_network_traffic_src_port(self): + stix_pattern = "[network-traffic:src_port = 443] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(eventdata.localPort = "443") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_network_traffic_ip_port(self): + stix_pattern = "[network-traffic:src_ref.value = '169.62.55.114' AND network-traffic:src_port = 3389 AND network-traffic:dst_ref.value = '143.244.41.203' AND network-traffic:dst_port = 60008] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['(eventdata.remotePort = "60008" AND $ip = "143.244.41.203" AND eventdata.localPort = "3389" AND $ip = "169.62.55.114") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + ############################### + ## custom stix objects check ## + ############################### + + + def test_x_ibm_finding(self): + stix_pattern = "[x-ibm-finding:dst_ip_ref.value = '169.62.55.114' AND x-ibm-finding:finding_type = '8' AND x-ibm-finding:src_ip_ref.value = '143.244.41.203'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($ip = "143.244.41.203" AND antimalware.threatType = "8" AND $ip = "169.62.55.114") 
{}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + def test_oca_asset(self): + stix_pattern = "[x-oca-asset:ip_refs[*].value = '143.244.41.203'] {}".format(TEST_START_STOP_STIX_VALUE1) + queries = translation.translate('reaqta', 'query', '{}', stix_pattern) + query = queries['queries'] + + test_string = ['($ip = "143.244.41.203") {}'.format(TEST_START_STOP_TRANSLATED1)] + + self.assertQuery(query, test_string, stix_pattern) + + + diff --git a/stix_shifter_modules/reaqta/test/stix_transmission/test_hunt_transmission.py b/stix_shifter_modules/reaqta/test/stix_transmission/test_hunt_transmission.py new file mode 100644 index 000000000..ff2a195bd --- /dev/null +++ b/stix_shifter_modules/reaqta/test/stix_transmission/test_hunt_transmission.py 
@@ -0,0 +1,103 @@
+from stix_shifter_modules.reaqta.entry_point import EntryPoint
+from stix_shifter.stix_transmission import stix_transmission
+from stix_shifter_utils.utils.error_response import ErrorCode
+
+
+import json
+import unittest
+from unittest.mock import patch
+
+class ReaqtaMockResponse:
+ def __init__(self, response_code, object):
+ self.code = response_code
+ self.object = object
+
+ def read(self):
+ return bytearray(self.object, 'utf-8')
+
+@patch('stix_shifter_modules.reaqta.stix_transmission.api_client.APIClient.__init__', autospec=True)
+class TestReaqtaConnection(unittest.TestCase, object):
+ configuration = {
+ "auth": {
+ "app_id": "bla",
+ "secret_key": "bla"
+ }
+ }
+
+ connection = {
+ 'host': 'api.reaqta.com'
+ }
+
+ def test_is_async(self, mock_api_client):
+ mock_api_client.return_value = None
+ entry_point = EntryPoint(self.connection, self.configuration)
+ check_async = entry_point.is_async()
+ assert check_async is False
+
+ @patch('stix_shifter_modules.reaqta.stix_transmission.api_client.APIClient.ping_data_source')
+ def test_ping(self, mock_generate_token, mock_api_client):
+ mock_api_client.return_value = None
+ mocked_return_value = {"code": 200, "token": "abcdef"}
+ mock_generate_token.return_value = mocked_return_value
+ entry_point = EntryPoint(self.connection, self.configuration)
+ ping_result = entry_point.ping_connection()
+ assert ping_result["success"] is True
+
+ @patch('stix_shifter_modules.reaqta.stix_transmission.api_client.APIClient.ping_data_source')
+ def test_ping_failure(self, mock_generate_token, mock_api_client):
+ mock_api_client.return_value = None
+ mocked_return_value = {"code": 401, "message": 'Authentication Error: Token Generation Failed. Authentication failed'}
+ mock_generate_token.return_value = mocked_return_value
+ entry_point = EntryPoint(self.connection, self.configuration)
+ ping_response = entry_point.ping_connection()
+
+ assert ping_response["success"] is False
+ assert ping_response['error'] == 'reaqta connector error => Invalid App Secret key provided. Authentication Error: Token Generation Failed. Authentication failed'
+ assert ping_response['code'] == ErrorCode.TRANSMISSION_AUTH_CREDENTIALS.value
+
+ @patch('stix_shifter_modules.reaqta.stix_transmission.api_client.APIClient.get_search_results')
+ def test_results_reponse(self, mock_query, mock_api_client):
+ mock_api_client.return_value = None
+ payload = {"result": [{"eventId": "847828325903630337", "endpointId": "822862264951373824"},{"eventId": "84782832",
+ "endpointId": "822862264951373824"}],"status_code": "200"}
+ mock_query.side_effect = [ReaqtaMockResponse(200, json.dumps(payload))]
+ transmission = stix_transmission.StixTransmission('reaqta', self.connection, self.configuration)
+ results_response = transmission.results('$ip="172.16.60.184"', 0, 2)
+ assert results_response["success"] is True
+ assert results_response["data"] == payload["result"]
+
+ @patch('stix_shifter_modules.reaqta.stix_transmission.api_client.APIClient.get_search_results')
+ def test_results_failure(self, mock_query, mock_api_client):
+ mock_api_client.return_value = None
+ payload = {"message":"$ip1 is not a valid field.", "code": 422}
+ mock_query.side_effect = [ReaqtaMockResponse(422, json.dumps(payload))]
+ transmission = stix_transmission.StixTransmission('reaqta', self.connection, self.configuration)
+ results_response = transmission.results('$ip1="172.16.60.184" and hasAlert=t', 0, 2)
+ assert results_response["success"] is False
+ assert results_response['code'] == 'invalid_query'
+ assert results_response["error"] == 'reaqta connector error => query_syntax_error: $ip1 is not a valid field.'
+
+ @patch('stix_shifter_utils.stix_transmission.utils.RestApiClient.RestApiClient.call_api')
+ def test_query(self, mock_query, mock_api_client):
+ mock_api_client.return_value = None
+ query = '$ip="172.16.60.184"'
+ mock_query.side_effect = [ReaqtaMockResponse(200, query)]
+ transmission = stix_transmission.StixTransmission("reaqta", self.connection, self.configuration)
+ query_response = transmission.query(query)
+ self.assertTrue(query_response["success"])
+ self.assertEqual(query_response["search_id"], query)
+
+ def test_status(self, mock_api_client):
+ mock_api_client.return_value = None
+ transmission = stix_transmission.StixTransmission("reaqta", self.connection, self.configuration)
+ status_response = transmission.status("search_id")
+ # print(status_response)
+ self.assertTrue(status_response["success"])
+ self.assertEqual(status_response["status"], "COMPLETED")
+ self.assertEqual(status_response["progress"], 100)
+
+ def test_delete(self, mock_api_client):
+ mock_api_client.return_value = None
+ transmission = stix_transmission.StixTransmission("reaqta", self.connection, self.configuration)
+ delete_response = transmission.delete("search_id")
+ self.assertTrue(delete_response["success"])
\ No newline at end of file
diff --git a/stix_shifter_utils/stix_translation/src/patterns/pattern_objects.py b/stix_shifter_utils/stix_translation/src/patterns/pattern_objects.py
index 7d5f20851..75ca4800b 100644
--- a/stix_shifter_utils/stix_translation/src/patterns/pattern_objects.py
+++ b/stix_shifter_utils/stix_translation/src/patterns/pattern_objects.py
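Review bot: `ReaqtaMockResponse.__init__` names its second parameter `object`, shadowing the builtin for the whole body; `def __init__(self, response_code, body): ... self.object = body` keeps `read()` unchanged and avoids the shadowing. In `test_ping` and `test_ping_failure` the patched target is `APIClient.ping_data_source` but the mock argument is called `mock_generate_token`, so a reader has to cross-check the decorator to see what is being faked — `mock_ping` would match. `test_status` carries a commented-out `# print(status_response)` that should go, and `test_results_reponse` is misspelled (`test_results_response`). `class TestReaqtaConnection(unittest.TestCase, object)` lists `object` redundantly; `unittest.TestCase` already derives from it.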
@@ -191,7 +191,21 @@ def __init__(self, qualifier, observation_expression: BaseObservationExpression,
 raise RuntimeError("Invalid STIX timestamp {}".format(stop))
 def __repr__(self) -> str:
- return "{observation_expression} StartStopQualifier({qualifier}, start={start}, stop={stop})".format(observation_expression=self.observation_expression, qualifier=self.qualifier, start=self.start, stop=self.stop)
+ return "StartStopQualifier({qualifier}, start={start}, stop={stop}, observation_expression={observation_expression})".format(qualifier=self.qualifier, start=self.start, stop=self.stop, observation_expression=self.observation_expression)
+
+ @property
+ def start_iso(self):
+ if self.start:
+ return self.start.replace("t'","").replace("'", "")
+ else:
+ return self.start
+
+ @property
+ def stop_iso(self):
+ if self.stop:
+ return self.stop.replace("t'","").replace("'", "")
+ else:
+ return self.stop
 class Pattern:
 def __init__(self, expression: BaseObservationExpression, qualifier=None) -> None:
diff --git a/stix_shifter_utils/utils/helpers.py b/stix_shifter_utils/utils/helpers.py
index 4171fb0b9..8aefbf5a5 100644
--- a/stix_shifter_utils/utils/helpers.py
+++ b/stix_shifter_utils/utils/helpers.py
@@ -83,4 +83,14 @@ def dict_merge(dct, merge_dct, add_keys=True):
 except Exception as e:
 pass
- return dct
\ No newline at end of file
+ return dct
+
+def find(element, dd, default=None):
+ try:
+ keys = element.split('.')
+ rv = dd
+ for key in keys:
+ rv = rv[key]
+ return rv
+ except Exception:
+ return default
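Review bot: `start_iso` and `stop_iso` repeat the same two-step string surgery, and nothing says what input form it assumes; `replace("t'", "")` strips every `t'` substring rather than the leading `t'` of a STIX timestamp literal, so the only reason it is safe is the timestamp validation in `__init__` that raises `RuntimeError("Invalid STIX timestamp ...")` above the hunk. Folding both into one documented helper makes that assumption explicit and keeps the two properties from drifting apart; the `else: return self.start` branch (which passes `None`/empty through unchanged) is preserved. The enclosing class starts outside the hunk.
```python
    @staticmethod
    def _unquote_timestamp(value):
        # value is the STIX literal t'<ISO-8601>' accepted by __init__'s timestamp check;
        # drop the t'...' wrapper and pass None/empty through untouched.
        return value.replace("t'", "").replace("'", "") if value else value

    @property
    def start_iso(self):
        return self._unquote_timestamp(self.start)

    @property
    def stop_iso(self):
        return self._unquote_timestamp(self.stop)
```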
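Review bot: `find` in helpers.py catches bare `Exception`, which turns programming errors into the default value as well — an `element` that is not a string fails on `.split` with `AttributeError` and silently returns `default`. The lookup itself can only fail with a missing key, a level that is not subscriptable or keyed by the wrong type, or a bad list index, so `except (KeyError, IndexError, TypeError):` covers the intended cases without hiding the rest. The function also has no docstring; something like `"""Return the value at dotted path `element` in nested mapping `dd`, or `default` if any step is missing."""` states the contract callers rely on. PEP 8 also wants two blank lines between `dict_merge` and the new top-level `def find`.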