Merge pull request #1656 from thangaraj-ramesh/nozomi_v1

Nozomi UDI connector
opencybersecurityalliance · May 6, 2024 · 31a9b9c · 31a9b9c
2 parents 8fd0095 + 7548f7c
commit 31a9b9c
Show file tree

Hide file tree

Showing 24 changed files with 5,140 additions and 0 deletions.
diff --git a/data/cybox/nozomi_vantage/nozomi_vantage_alerts_22022024.json b/data/cybox/nozomi_vantage/nozomi_vantage_alerts_22022024.json
diff --git a/stix_shifter_modules/nozomi_vantage/README.md b/stix_shifter_modules/nozomi_vantage/README.md
diff --git a/stix_shifter_modules/nozomi_vantage/__init__.py b/stix_shifter_modules/nozomi_vantage/__init__.py
diff --git a/stix_shifter_modules/nozomi_vantage/configuration/config.json b/stix_shifter_modules/nozomi_vantage/configuration/config.json
@@ -0,0 +1,47 @@
+{
+  "connection": {
+    "type": {
+      "displayName": "Nozomi Vantage",
+      "group": "nozomi"
+    },
+    "host": {
+      "type": "text",
+      "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_:/\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9_:/\\-]*[A-Za-z0-9])$"
+    },
+    "port": {
+      "type": "number",
+      "default": 443,
+      "min": 1,
+      "max": 65535
+    },
+    "help": {
+      "type": "link",
+      "default": "data-sources.html"
+    },
+    "selfSignedCert": {
+      "type": "password",
+      "optional": true
+    },
+    "options": {
+      "type": "fields",
+      "api_page_size": {
+        "default": 1000,
+        "min": 100,
+        "max": 10000,
+        "hidden": true,
+        "type": "number"
+      }
+    }
+  },
+  "configuration": {
+    "auth": {
+      "type": "fields",
+      "key_name": {
+        "type": "text"
+      },
+      "key_token": {
+        "type": "password"
+      }
+    }
+  }
+}
diff --git a/stix_shifter_modules/nozomi_vantage/configuration/lang_en.json b/stix_shifter_modules/nozomi_vantage/configuration/lang_en.json
@@ -0,0 +1,38 @@
+{
+  "connection": {
+    "host": {
+      "label": "Management IP address or hostname",
+      "description": "Specify the IP address or hostname of the data source"
+    },
+    "port": {
+      "label": "Host port",
+      "description": "Set the port number that is associated with the hostname or IP address"
+    },
+    "help": {
+      "label": "Need additional help?",
+      "description": "More details on the data source setting can be found in the specified link"
+    },
+    "selfSignedCert": {
+        "label": "PEM Formatted SSL certificate(s)",
+        "description": "Provide a self-signed or CA-signed certificate to securely communicate with the data source."
+    },
+    "options": {
+      "api_page_size": {
+        "label": "API Page Size",
+        "description": "Number of records per API call. Data source recommended value should be kept below or equal to 1000 per API call. Valid input range is {{min}} to {{max}}."
+      }
+    }
+  },
+  "configuration": {
+    "auth": {
+      "key_name": {
+        "label": "Key Name",
+        "description": "The name of the API key. Nozomi Vantage generates this name when you create the API key."
+      },
+      "key_token": {
+        "label": "Key Token",
+        "description": "A user generated access token used to authenticate with the API"
+      }
+    }
+  }
+}
diff --git a/stix_shifter_modules/nozomi_vantage/entry_point.py b/stix_shifter_modules/nozomi_vantage/entry_point.py
@@ -0,0 +1,11 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(False)
+        if connection:
+            self.setup_transmission_basic(connection, configuration)
+        self.setup_translation_simple(dialect_default='default')
diff --git a/stix_shifter_modules/nozomi_vantage/nozomi_vantage_supported_stix.md b/stix_shifter_modules/nozomi_vantage/nozomi_vantage_supported_stix.md
@@ -0,0 +1,177 @@
+##### Updated on 01/22/24
+## Nozomi Vantage
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+<br>
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparison) | \| |
+| OR (Comparison) | OR |
+| = | == |
+| != | != |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| IN | in? |
+| LIKE | include? |
+| ISSUBSET | in_subnet? |
+| OR (Observation) | OR |
+| AND (Observation) | OR |
+| <br> | |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **ipv4-addr**:value | ip_src, ip_dst |
+| **ipv6-addr**:value | ip_src, ip_dst |
+| **network-traffic**:src_ref.value | ip_src |
+| **network-traffic**:dst_ref.value | ip_dst |
+| **network-traffic**:dst_port | port_dst |
+| **network-traffic**:src_port | port_src |
+| **network-traffic**:protocols[*] | protocol, transport_protocol |
+| **mac-addr**:value | mac_src, mac_dst |
+| **file**:name | properties/details_yara_file/value, properties/process/image_path |
+| **file**:hashes.'SHA-256' | properties/details_hash_SHA256/value, properties/process/image_hash_sha256 |
+| **file**:hashes.'SHA-1' | properties/details_hash_SHA1/value |
+| **file**:hashes.MD5 | properties/details_hash_MD5/value |
+| **file**:size | properties/details_file_size/value |
+| **file**:parent_directory_ref.path | properties/process/image_path |
+| **process**:pid | properties/process/pid |
+| **process**:command_line | properties/process/command_line |
+| **process**:creator_user_ref.user_id | properties/process/user |
+| **process**:binary_ref.name | properties/process/image_path |
+| **process**:binary_ref.parent_directory_ref.path | properties/process/image_path |
+| **process**:parent_ref.command_line | properties/process/ancestry |
+| **process**:parent_ref.binary_ref.name | properties/process/ancestry |
+| **process**:parent_ref.binary_ref.parent_directory_ref.path | properties/process/ancestry |
+| **user-account**:user_id | properties/process/user |
+| **directory**:path | properties/process/image_path |
+| **x-ibm-finding**:alert_id | id |
+| **x-ibm-finding**:finding_type | threat_name |
+| **x-ibm-finding**:name | type_name |
+| **x-ibm-finding**:description | description |
+| **x-ibm-finding**:time_observed | time |
+| **x-ibm-finding**:start | created_time |
+| **x-ibm-finding**:end | closed_time |
+| **x-ibm-finding**:severity | risk |
+| **x-ibm-finding**:src_ip_ref | ip_src |
+| **x-ibm-finding**:dst_ip_ref | ip_dst |
+| **x-ibm-finding**:rule_names[*] | trigger_type |
+| **x-ibm-finding**:x_alert_type_id | type_id |
+| **x-ibm-finding**:x_is_cybersecurity_alert | is_security |
+| **x-ibm-finding**:x_is_incident_alert | is_incident |
+| **x-ibm-finding**:x_sensor_host | appliance_host |
+| **x-ibm-finding**:x_sensor_interface | capture_device |
+| **x-ibm-finding**:x_threat_name | threat_name |
+| **x-ibm-finding**:x_rule_id | trigger_id |
+| **x-ibm-finding**:x_is_acknowledged | ack |
+| **x-ibm-finding**:x_alert_status | status |
+| **x-ibm-finding**:x_user_note | note |
+| **x-ibm-finding**:x_cause | properties/cause |
+| **x-ibm-finding**:x_solution | properties/solution |
+| **x-ibm-finding**:x_message | properties/message |
+| **x-ibm-finding**:x_cve_references | properties/cve_references |
+| **x-ibm-finding**:x_network_learnable | properties/network_learnable |
+| **x-ibm-ttp-tagging**:name | properties |
+| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.technique_id | properties, mitre_attack_techniques |
+| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.technique_name | properties |
+| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.tactic_name | properties, mitre_attack_tactics |
+| **x-nozomi-info**:zone | zone_dst, zone_src |
+| **x-nozomi-info**:roles | dst_roles, src_roles |
+| **x-nozomi-info**:label | label_src, label_dst |
+| **x-nozomi-info**:is_public | properties/is_dst_public, properties/is_src_public |
+| **x-nozomi-info**:is_node_learned | properties/is_dst_node_learned, properties/is_src_node_learned |
+| **x-nozomi-info**:is_reputation_bad | properties/is_dst_reputation_bad, properties/is_src_reputation_bad |
+| <br> | |
+### Supported STIX Objects and Properties for Query Results
+| STIX Object | STIX Property | Data Source Field |
+|--|--|--|
+| ipv4-addr | value | ip_src |
+| ipv4-addr | value | ip_dst |
+| <br> | | |
+| ipv6-addr | value | ip_src |
+| ipv6-addr | value | ip_dst |
+| <br> | | |
+| network-traffic | src_ref.value | ip_src |
+| network-traffic | dst_ref.value | ip_dst |
+| network-traffic | dst_port | port_dst |
+| network-traffic | src_port | port_src |
+| network-traffic | protocols[*] | protocol |
+| network-traffic | protocols[*] | transport_protocol |
+| <br> | | |
+| mac-addr | value | mac_src |
+| mac-addr | value | mac_dst |
+| <br> | | |
+| file | name | properties/details_yara_file/value |
+| file | name | properties/process/image_path |
+| file | hashes.'SHA-256' | properties/details_hash_SHA256/value |
+| file | hashes.'SHA-256' | properties/process/image_hash_sha256 |
+| file | hashes.'SHA-1' | properties/details_hash_SHA1/value |
+| file | hashes.MD5 | properties/details_hash_MD5/value |
+| file | size | properties/details_file_size/value |
+| file | parent_directory_ref.path | properties/process/image_path |
+| <br> | | |
+| process | pid | properties/process/pid |
+| process | command_line | properties/process/command_line |
+| process | creator_user_ref.user_id | properties/process/user |
+| process | binary_ref.name | properties/process/image_path |
+| process | binary_ref.parent_directory_ref.path | properties/process/image_path |
+| process | parent_ref.command_line | properties/process/ancestry |
+| process | parent_ref.binary_ref.name | properties/process/ancestry |
+| process | parent_ref.binary_ref.parent_directory_ref.path | properties/process/ancestry |
+| <br> | | |
+| user-account | user_id | properties/process/user |
+| <br> | | |
+| directory | path | properties/process/image_path |
+| <br> | | |
+| x-ibm-finding | alert_id | id |
+| x-ibm-finding | finding_type | threat_name |
+| x-ibm-finding | name | type_name |
+| x-ibm-finding | description | description |
+| x-ibm-finding | time_observed | time |
+| x-ibm-finding | start | created_time |
+| x-ibm-finding | end | closed_time |
+| x-ibm-finding | severity | risk |
+| x-ibm-finding | src_ip_ref | ip_src |
+| x-ibm-finding | dst_ip_ref | ip_dst |
+| x-ibm-finding | rule_names[*] | trigger_type |
+| x-ibm-finding | x_alert_type_id | type_id |
+| x-ibm-finding | x_is_cybersecurity_alert | is_security |
+| x-ibm-finding | x_is_incident_alert | is_incident |
+| x-ibm-finding | x_sensor_host | appliance_host |
+| x-ibm-finding | x_sensor_interface | capture_device |
+| x-ibm-finding | x_threat_name | threat_name |
+| x-ibm-finding | x_rule_id | trigger_id |
+| x-ibm-finding | x_is_acknowledged | ack |
+| x-ibm-finding | x_alert_status | status |
+| x-ibm-finding | x_user_note | note |
+| x-ibm-finding | x_cause | properties/cause |
+| x-ibm-finding | x_solution | properties/solution |
+| x-ibm-finding | x_message | properties/message |
+| x-ibm-finding | x_cve_references | properties/cve_references |
+| x-ibm-finding | x_network_learnable | properties/network_learnable |
+| <br> | | |
+| x-ibm-ttp-tagging | name | properties |
+| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.technique_id | properties |
+| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.technique_id | mitre_attack_techniques |
+| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.technique_name | properties |
+| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.tactic_name | properties |
+| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.tactic_name | mitre_attack_tactics |
+| <br> | | |
+| x-nozomi-info | zone | zone_dst |
+| x-nozomi-info | zone | zone_src |
+| x-nozomi-info | roles | dst_roles |
+| x-nozomi-info | roles | src_roles |
+| x-nozomi-info | label | label_src |
+| x-nozomi-info | label | label_dst |
+| x-nozomi-info | is_public | properties/is_dst_public |
+| x-nozomi-info | is_public | properties/is_src_public |
+| x-nozomi-info | is_node_learned | properties/is_dst_node_learned |
+| x-nozomi-info | is_node_learned | properties/is_src_node_learned |
+| x-nozomi-info | is_reputation_bad | properties/is_dst_reputation_bad |
+| x-nozomi-info | is_reputation_bad | properties/is_src_reputation_bad |
+| <br> | | |
diff --git a/stix_shifter_modules/nozomi_vantage/stix_translation/__init__.py b/stix_shifter_modules/nozomi_vantage/stix_translation/__init__.py
diff --git a/stix_shifter_modules/nozomi_vantage/stix_translation/json/config_map.json b/stix_shifter_modules/nozomi_vantage/stix_translation/json/config_map.json
@@ -0,0 +1,31 @@
+{
+  "int_supported_fields": [
+    "risk"
+  ],
+  "epoch_supported_fields": [
+    "time",
+    "created_time",
+    "closed_time"
+  ],
+  "enum_supported_fields": [
+    "threat_name"
+  ],
+  "enum_supported_values": {
+    "threat_name": [
+      "threat",
+      "alert"
+    ]
+  },
+  "bytes_supported_fields": [
+    "properties/details_file_size/value"
+  ],
+  "subset_supported_fields": [
+    "ip_dst"
+  ],
+  "properties_supported_fields": [
+    "properties",
+    "properties/process/ancestry",
+    "properties/process/image_path",
+    "properties/cve_references"
+  ]
+}