diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
index 302d27bce..a07b85e3b 100644
--- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
+++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
@@ -1,7 +1,12 @@ { "ipv4-addr": { "fields": { - "value": ["networkConnections.sourceAddress", "networkConnections.destinationAddress"] + "value": [ + "networkConnections.sourceAddress", + "networkConnections.destinationAddress", + "networkConnections.natSourceAddress", + "networkConnections.natDestinationAddress" + ] } }, "ipv6-addr": {
@@ -11,8 +16,8 @@ }, "network-traffic": { "fields": { - "src_port": ["networkConnections.sourcePort"], - "dst_port": ["networkConnections.destinationPort"], + "src_port": ["networkConnections.sourcePort", "networkConnections.natSourcePort"], + "dst_port": ["networkConnections.destinationPort", "networkConnections.natDestinationPort"], "protocols[*]": ["networkConnections.protocol"], "src_ref.value": ["networkConnections.sourceAddress"], "dst_ref.value": ["networkConnections.destinationAddress"]
@@ -56,7 +61,7 @@ }, "user-account": { "fields": { - "user_id": ["userStates.accountName", "processes.accountName"], + "user_id": ["userStates.accountName", "processes.accountName", "userStates.aadUserId"], "account_login": ["userStates.logonId"], "account_type": ["userStates.userAccountType"], "account_last_login": ["userStates.logonDateTime"]
@@ -64,7 +69,7 @@ }, "software": { "fields": { - "name": ["vendorInformation.provider", "networkConnections.applicationName"], + "name": ["vendorInformation.provider"], "vendor": ["vendorInformation.vendor"], "version": ["vendorInformation.providerVersion"] } 
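Review bot: In the `network-traffic` hunk, `src_ref.value` and `dst_ref.value` still resolve only to `networkConnections.sourceAddress`/`destinationAddress`, while `src_port`/`dst_port` in the same hunk and `ipv4-addr:value` in the first hunk now also search the NAT fields. A pattern on `network-traffic:src_ref.value` therefore misses a connection whose only matching address is `natSourceAddress`, even though the same IP is found through `ipv4-addr:value`. If the asymmetry is unintended, extend both lists: `"src_ref.value": ["networkConnections.sourceAddress", "networkConnections.natSourceAddress"],` and `"dst_ref.value": ["networkConnections.destinationAddress", "networkConnections.natDestinationAddress"]`.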
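Review bot: The `user-account` and `software` hunks move the query side out of step with `to_stix_map.json` in the same commit. `user_id` now searches `userStates.aadUserId`, but the result side maps `aadUserId` to `x-ibm-finding.src_application_user_ref.user_id` rather than `user-account.user_id`; and `networkConnections.applicationName` is removed from `software:name` here while `to_stix_map.json` (hunk `@@ -220,7`) still emits it as `software.name`. Either direction can be argued, but a pattern written from the STIX objects a result returns will then not find the record it came from; either align the two maps or state the intended asymmetry in the PR description.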
@@ -92,18 +97,19 @@ "fields": { "activityGroupName": ["activityGroupName"], "assignedTo": ["assignedTo"], - "category": ["category"], - "closedDateTime": ["closedDateTime"], - "cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"], - "cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"], - "cloudAppStates.riskScore": ["cloudAppStates.riskScore"], "comments": ["comments"], "confidence": ["confidence"], - "createdDateTime": ["createdDateTime"], - "description": ["description"], "detectionIds": ["detectionIds"], - "eventDateTime": ["eventDateTime"], "feedback": ["feedback"], + "id": ["id"], + "incidentIds": ["incidentIds"], + "recommendedActions": ["recommendedActions"], + "sourceMaterials": ["sourceMaterials"], + "status": ["status"], + "tags": ["tags"], + "cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"], + "cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"], + "cloudAppStates.riskScore": ["cloudAppStates.riskScore"], "hostStates.isAzureAadJoined": ["hostStates.isAzureAadJoined"], "hostStates.isAzureAadRegistered": ["hostStates.isAzureAadRegistered"], "hostStates.isHybridAzureDomainJoined": ["hostStates.isHybridAzureDomainJoined"], 
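Review bot: `eventDateTime` is removed from the `x-msazure-sentinel-alert` field list here and, as far as this diff shows, is not re-mapped in the new `x-ibm-finding`/`x-oca-event` blocks later in the file, which use `createdDateTime`, `closedDateTime` and `lastModifiedDateTime`. The alert's own event time would then have no STIX property and could only be constrained through the implicit `eventDateTime ge/le` window the tests show. If that is intended it deserves a sentence in the PR description; otherwise keep `"eventDateTime": ["eventDateTime"],` here or map it in `x-oca-event`. The other removals in this hunk are re-homed below, so only this one looks like a gap.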
@@ -111,36 +117,23 @@ "hostStates.publicIpAddress": ["hostStates.publicIpAddress"], "hostStates.privateIpAddress": ["hostStates.privateIpAddress"], "hostStates.riskScore": ["hostStates.riskScore"], - "id": ["id"], - "incidentIds": ["incidentIds"], - "lastModifiedDateTime": ["lastModifiedDateTime"], "malwareStates.category": ["malwareStates.category"], "malwareStates.family": ["malwareStates.family"], "malwareStates.name": ["malwareStates.family"], "malwareStates.severity": ["malwareStates.family"], "malwareStates.wasRunning": ["malwareStates.family"], - "networkConnections.destinationLocation": ["networkConnections.destinationLocation"], + "networkConnections.applicationName": ["networkConnections.applicationName"], "networkConnections.direction": ["networkConnections.direction"], "networkConnections.domainRegisteredDateTime": ["networkConnections.domainRegisteredDateTime"], "networkConnections.localDnsName": ["networkConnections.localDnsName"], - "networkConnections.natDestinationAddress": ["networkConnections.natDestinationAddress"], "networkConnections.natDestinationPort": ["networkConnections.natDestinationPort"], - "networkConnections.natSourceAddress": ["networkConnections.natSourceAddress"], "networkConnections.natSourcePort": ["networkConnections.natSourcePort"], "networkConnections.riskScore": ["networkConnections.riskScore"], - "networkConnections.sourceLocation": ["networkConnections.sourceLocation"], "networkConnections.status": ["networkConnections.status"], - "networkConnections.urlParameters": ["networkConnections.urlParameters"], "processes.integrityLevel": ["processes.integrityLevel"], "processes.isElevated": ["processes.isElevated"], - "recommendedActions": ["recommendedActions"], "securityResources.resource": ["securityResources.resource"], "securityResources.resourceType": ["securityResources.resourceType"], - "severity": ["severity"], - "sourceMaterials": ["sourceMaterials"], - "status": ["status"], - "tags": ["tags"], - "title": ["title"], 
"triggers.name": ["triggers.name"], "triggers.type": ["triggers.type"], "triggers.value": ["triggers.value"],
@@ -154,10 +147,40 @@ "userStates.riskScore": ["userStates.riskScore"], "userStates.userAccountType": ["userStates.userAccountType"], "userStates.userPrincipalName": ["userStates.userPrincipalName"], - "vendorInformation.subProvider": ["vendorInformation.subProvider"], "vulnerabilityStates.cve": ["vulnerabilityStates.cve"], "vulnerabilityStates.severity": ["vulnerabilityStates.severity"], "vulnerabilityStates.wasRunning": ["vulnerabilityStates.wasRunning"] } + }, + + "x-ibm-finding": { + "fields": { + "name": ["title"], + "description": ["description"], + "severity": ["severity"], + "start": ["createdDateTime"], + "end": ["closedDateTime"], + "finding_type": ["category"], + "src_ip_ref.value": ["networkConnections.natSourceAddress"], + "dst_ip_ref.value": ["networkConnections.natDestinationAddress"], + "src_os_ref.name": ["hostStates.os"], + "dst_application_ref.name": ["cloudAppStates.destinationServiceName"], + "src_geolocation": ["networkConnections.sourceLocation"], + "dst_geolocation": ["networkConnections.destinationLocation"], + "src_application_user_ref.user_id":["userStates.aadUserId"], + "src_application_user_ref.type":["userStates.logonType"], + "time_observed": ["lastModifiedDateTime"] + } + }, + "x-oca-event": { + "fields": { + "action": ["title"], + "code": ["id"], + "category": ["category"], + "created": ["createdDateTime"], + "provider": ["vendorInformation.subProvider"], + "domain_ref.value": ["networkConnections.urlParameters"], + "url_ref.value": ["networkConnections.urlParameters"] + } } }
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
index 968b11fbb..89f83d5d9 100644
--- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json 
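Review bot: In the new `x-ibm-finding` block, `src_ip_ref.value` and `dst_ip_ref.value` resolve only to the NAT addresses, so a finding-level IP search ignores `networkConnections.sourceAddress`/`destinationAddress`, the fields the `ipv4-addr` and `network-traffic` blocks earlier in this file search; add them to both lists unless finding IPs are deliberately NAT-only. `finding_type` is queried from `category`, but the result side (`to_stix_map.json`, hunk `@@ -31,18`) returns `category` as `x-oca-event.category`, so the same field is searched on one object and delivered on another. Two style nits: `"src_application_user_ref.user_id":["userStates.aadUserId"],` and the `type` line under it lack the space after the colon used on every other line, and the blank line inserted before `"x-ibm-finding"` is the only one in the file.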
+++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
@@ -3,10 +3,6 @@ { "key": "first_observed", "cybox": false - }, - { - "key": "last_observed", - "cybox": false } ], "event_count": {
@@ -31,18 +27,26 @@ "object": "alert" }, "category": { - "key": "x-msazure-sentinel-alert.category", - "object": "alert" - }, - "closedDateTime": { - "key": "x-msazure-sentinel-alert.closedDateTime", - "object": "alert" + "key": "x-oca-event.category", + "object": "event" + } + , + "closedDateTime":{ + "key": "last_observed", + "cybox": false }, "cloudAppStates": { - "destinationServiceName": { - "key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceName", - "object": "alert" - }, + "destinationServiceName": [ + { + "key":"software.name", + "object":"software" + }, + { + "key":"x-ibm-finding.dst_application_ref", + "object":"finding", + "references":"software" + } + ], "destinationServiceIp": { "key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceIp", "object": "alert"
@@ -67,13 +71,17 @@ "cybox": false }, { - "key": "x-msazure-sentinel-alert.createddatetime", - "object": "alert" + "key": "x-ibm-finding.createddatetime", + "object": "finding" + }, + { + "key": "x-oca-event.created", + "object": "event" } ], "description": { - "key": "x-msazure-sentinel-alert.description", - "object": "alert" + "key": "x-ibm-finding.description", + "object": "finding" }, "detectionIds": { "key": "x-msazure-sentinel-alert.detectionids",
@@ -162,10 +170,16 @@ "key": "x-msazure-sentinel-alert.hostStates.isHybridAzureDomainJoined", "object": "alert" }, - "os": { - "key": "x-msazure-sentinel-alert.hostStates.os", - "object": "alert" - }, + "os": [ + { + "key": "x-ibm-finding.src_os_ref.name", + "object": "finding" + }, + { + "key": "software.name", + "object": "application" + } + ], "privateIpAddress": { "key": "ipv4-addr.value" }, 
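Review bot: `last_observed` is dropped from this array and, in the next hunk (`@@ -31,18`), re-sourced from `closedDateTime` alone. An alert that is still open has no `closedDateTime`, so its `observed-data` would be emitted without `last_observed`, a required STIX 2 property, whereas the old mapping took it from the same field as `first_observed`. The key this array belongs to starts above the hunk, so I cannot see which field that is; consider keeping the original entry and mapping `closedDateTime` additionally to `x-ibm-finding.end`, which `from_stix_map.json` in this commit already expects (`"end": ["closedDateTime"]`).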
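Review bot: Style in the `category`/`closedDateTime` edit of hunk `@@ -31,18`: the separating comma is left on a line of its own after `}`, and `"closedDateTime":{` drops the space after the colon that every other key in the file has; the `"key":"software.name"`, `"object":"software"` and `"references":"software"` lines in the `cloudAppStates` part have the same spacing. Also note `"object":"software"` here versus `"object": "application"` for the other `software.name` mappings in this file (`hostStates.os` in hunk `@@ -162,10`, `networkConnections.applicationName` in hunk `@@ -220,7`), so `destinationServiceName` builds its own software object while those two share one; if that split is intended it is worth a sentence in the PR description.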
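Review bot: In hunk `@@ -67,13`, `createdDateTime` is emitted as `x-ibm-finding.createddatetime`, a lowercase name that `x-ibm-finding` does not define, while `from_stix_map.json` in this commit maps the same field to `x-ibm-finding:start`; a pattern on `start` will never match what the results carry. Change the key to `"key": "x-ibm-finding.start",` and update the expectation in `test_azure_sentinel_json_to_stix.py` (hunk `@@ -150,12`), which currently pins `'createddatetime'`. The `x-oca-event.created` entry added alongside it is consistent with its `from_stix` counterpart.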
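Review bot: In hunk `@@ -162,10`, `x-ibm-finding.src_os_ref.name` with `"object": "finding"` writes a dotted property onto the finding rather than a reference to the `software` object created by the next entry; compare the `dst_application_ref` mapping in hunk `@@ -31,18`, which uses `"references":"software"`. The same shape recurs for `x-ibm-finding.src_ip_ref.value`/`dst_ip_ref.value` (hunk `@@ -263,16`), `x-oca-event.domain_ref.value`/`url_ref.value` (hunk `@@ -312,10`) and `x-ibm-finding.src_application_user_ref.user_id`/`.type` (hunks `@@ -514,8` and `@@ -548,8`); unless the translator resolves dotted `*_ref` keys into references, these presumably produce non-spec properties on the finding/event instead of linked `ipv4-addr`, `domain-name`, `url` and `user-account` objects. Separately, `hostStates.os` here and `networkConnections.applicationName` (hunk `@@ -220,7`) both write `software.name` to the object labelled `application`, so an alert carrying both fields would presumably have one value overwrite the other; giving the OS entry its own object label and pointing `src_os_ref` at it through `"references"` avoids both problems.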
@@ -178,8 +192,8 @@ } }, "id": { - "key": "x-msazure-sentinel-alert.providerid", - "object": "alert" + "key": "x-oca-event.code", + "object": "event" }, "incidentIds": { "key": "x-msazure-sentinel-alert.incidentIds",
@@ -192,8 +206,8 @@ "cybox": false }, { - "key": "x-msazure-sentinel-alert.lastmodifieddatetime", - "object": "alert" + "key": "x-ibm-finding.time_observed", + "object": "finding" } ], "malwareStates": {
@@ -220,7 +234,8 @@ }, "networkConnections": { "applicationName": { - "key": "software.name" + "key": "software.name", + "object": "application" }, "destinationAddress": [ {
@@ -234,7 +249,7 @@ } ], "destinationLocation": { - "key": "x-msazure-sentinel-alert.networkConnections.destinationLocation", + "key": "x-ibm-finding.dst_geolocation", "object": "alert" }, "destinationDomain": {
@@ -263,16 +278,16 @@ "object": "alert" }, "natDestinationAddress": { - "key": "x-msazure-sentinel-alert.networkConnections.natDestinationAddress", - "object": "alert" + "key": "x-ibm-finding.dst_ip_ref.value", + "object": "finding" }, "natDestinationPort": { "key": "x-msazure-sentinel-alert.networkConnections.natDestinationPort", "object": "alert" }, "natSourceAddress": { - "key": "x-msazure-sentinel-alert.networkConnections.natSourceAddress", - "object": "alert" + "key": "x-ibm-finding.src_ip_ref.value", + "object": "finding" }, "natSourcePort": { "key": "x-msazure-sentinel-alert.networkConnections.natSourcePort",
@@ -300,7 +315,7 @@ } ], "sourceLocation": { - "key": "x-msazure-sentinel-alert.networkConnections.sourceLocation", + "key": "x-ibm-finding.src_geolocation", "object": "alert" }, "sourcePort": { 
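Review bot: In hunk `@@ -234,7`, `destinationLocation` is re-keyed to `x-ibm-finding.dst_geolocation` but keeps `"object": "alert"`, the label every `x-msazure-sentinel-alert.*` entry uses, while the other `x-ibm-finding` keys in this file use `"object": "finding"`; `sourceLocation` in hunk `@@ -300,7` has the same mismatch. Depending on which entry creates the `alert` object first, the geolocation likely lands on the custom alert object rather than the finding, so `x-ibm-finding:dst_geolocation` queries and results would disagree. Change both to `"object": "finding"`.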
@@ -312,10 +327,16 @@ "key": "x-msazure-sentinel-alert.networkConnections.status", "object": "alert" }, - "urlParameters": { - "key": "x-msazure-sentinel-alert.networkConnections.urlParameters", - "object": "alert" - } + "urlParameters": [ + { + "key": "x-oca-event.domain_ref.value", + "object": "event" + }, + { + "key": "x-oca-event.url_ref.value", + "object": "event" + } + ] }, "processes": { "accountName": [
@@ -476,8 +497,8 @@ } }, "severity": { - "key": "x-msazure-sentinel-alert.severity", - "object": "alert" + "key": "x-ibm-finding.severity", + "object": "finding" }, "sourceMaterials": { "key": "x-msazure-sentinel-alert.sourcematerials",
@@ -494,10 +515,16 @@ "object": "alert", "transformer": "ToString" }, - "title": { - "key": "x-msazure-sentinel-alert.title", - "object": "alert" - }, + "title": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-oca-event.action", + "object": "event" + } + ], "triggers": { "name": { "key": "x-msazure-sentinel-alert.triggers.name",
@@ -514,8 +541,8 @@ }, "userStates": { "aadUserId": { - "key": "x-msazure-sentinel-alert.userStates.aaduserid", - "object": "alert" + "key": "x-ibm-finding.src_application_user_ref.user_id", + "object": "finding" }, "accountName": { "key": "user-account.user_id",
@@ -548,8 +575,8 @@ "object": "alert" }, "logonType": { - "key": "x-msazure-sentinel-alert.userStates.logonType", - "object": "alert" + "key": "x-ibm-finding.src_application_user_ref.type", + "object": "finding" }, "onPremisesSecurityIdentifier": { "key": "x-msazure-sentinel-alert.userStates.onpremisessecurityidentifier",
@@ -582,8 +609,8 @@ "object": "application" }, "subProvider": { - "key": "x-msazure-sentinel-alert.vendorinformation.subprovider", - "object": "alert" + "key": "x-oca-event.provider", + "object": "event" } }, "vulnerabilityStates": { 
diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
index 2b8761b4c..6d0d55f53 100644
--- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
+++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
@@ -143,6 +143,10 @@ def test_custom_property(): custom_object_1 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-msazure-sentinel') custom_object_2 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-msazure-sentinel-alert') + custom_object_3 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding') + custom_object_4 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') + + assert custom_object_1 is not None, 'Custom object type not found' assert custom_object_1.keys() == {'type', 'tenant_id', 'subscription_id'} 
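Review bot: `custom_object_3` and `custom_object_4` are introduced without the `is not None` guard that `custom_object_1`/`custom_object_2` get, so if either object is missing, the `.keys()` calls on them in the next hunk fail with an `AttributeError` on `None` instead of the intended message; add `assert custom_object_3 is not None, 'Custom object type not found'` and the same line for `custom_object_4` next to the existing guards. The two extra blank lines between the lookups and the first assertion are noise. `test_custom_property` starts above and continues below this hunk.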
@@ -150,12 +154,12 @@ def test_custom_property(): assert custom_object_1['subscription_id'] == '083de1fb-cd2d-4b7c-895a-2b5af1d091e8' assert custom_object_2 is not None, 'Custom object type not found' - assert custom_object_2.keys() == {'type', 'providerid', 'category', 'createddatetime', 'description', - 'lastmodifieddatetime', 'recommendedactions', 'severity', 'status', 'title'} - - assert custom_object_2['providerid'] == '2518268485253060642_52b1a353-2fd8-4c45-8f8a-94db98dca29d' - assert custom_object_2['title'] == 'Rare SVCHOST service group executed' + assert custom_object_2.keys() == {'type', 'recommendedactions', 'status'} + assert custom_object_3.keys() == {'type', 'createddatetime', 'description', 'time_observed', 'severity', 'name'} + assert custom_object_3['name'] == 'Rare SVCHOST service group executed' + assert custom_object_4.keys() == {'type', 'code', 'category', 'created', 'action'} + assert custom_object_4['category'] == 'SuspiciousSVCHOSTRareGroup' @staticmethod def test_file_process_json_to_stix(): """
@@ -208,7 +212,7 @@ def test_file_process_json_to_stix(): assert file_obj .keys() == {'type', 'name', 'parent_directory_ref'} assert file_obj['type'] == 'file' assert file_obj['name'] == 'services.exe' - assert file_obj['parent_directory_ref'] == '3' + assert file_obj['parent_directory_ref'] == '5' assert directory_obj['path'] == 'c:\\windows\\system32' @staticmethod
@@ -258,8 +262,8 @@ def test_network_json_to_stix(): assert network_obj['src_port'] == 9475 assert network_obj['dst_port'] == 22 assert network_obj['protocols'] == ['tcp'] - assert network_obj['src_ref'] == '5' - assert network_obj['dst_ref'] == '3' + assert network_obj['src_ref'] == '7' + assert network_obj['dst_ref'] == '5' @staticmethod def test_network_json_to_stix_negative(): 
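Review bot: The expected reference ids in hunk `@@ -208,7` (`'5'`) and hunk `@@ -258,8` (`'7'`, `'5'`) are positional object indexes that shift whenever a mapping is added, which is exactly why this commit has to renumber them. Resolving the reference and asserting on the target instead, e.g. that the object at `network_obj['src_ref']` has `type == 'ipv4-addr'` and the expected address, keeps these tests stable across future map changes. Both enclosing test functions start above their hunks.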
diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
index 7967cc552..d5564bfaa 100644
--- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
+++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
@@ -43,8 +43,9 @@ def test_process_comp_exp(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) eq 'svchost.exe') or processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and (eventDateTime ge " - "2019-12-24T09:22:44.667Z and eventDateTime le 2019-12-24T09:27:44.667Z)"] + queries = [ + "((processes/any(query1:tolower(query1/name) eq 'svchost.exe') or processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and (eventDateTime ge " + "2019-12-24T09:22:44.667Z and eventDateTime le 2019-12-24T09:27:44.667Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -54,9 +55,13 @@ def test_network_comp_exp(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) or " - "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')))) " - "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = [ + "((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) " + "or networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) " + "or networkConnections/any(query1:tolower(query1/natSourceAddress) eq '172.16.2.22') " + "or networkConnections/any(query1:tolower(query1/natDestinationAddress) eq '172.16.2.22'))) " + "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)" + ] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries)
@@ -80,8 +85,8 @@ def test_directory_path_exp(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((fileStates/any(query1:contains(tolower(query1/path), 'windows')) or " - "process/any(query1:tolower(query1/path) eq 'windows'))) and " - "(eventDateTime ge 2019-12-24T09:46:34.835Z and eventDateTime le 2019-12-24T09:51:34.835Z)"] + "process/any(query1:tolower(query1/path) eq 'windows'))) and " + "(eventDateTime ge 2019-12-24T09:46:34.835Z and eventDateTime le 2019-12-24T09:51:34.835Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
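Review bot: The expected query in hunk `@@ -54,9` pins two different comparators for the same STIX `=` on one value: `contains(tolower(query1/sourceAddress), '172.16.2.22')` for the existing address fields but `tolower(query1/natSourceAddress) eq '172.16.2.22'` for the NAT fields. The substring form also matches longer addresses such as `172.16.2.220`, so whether a result is over-matched depends on which field the address happens to sit in. That rule comes from the comparator configuration rather than this diff, but if the difference is deliberate a one-line comment above `queries` should say so, and if it is not, the NAT fields are the chance to make the address match exact on both sides. `test_network_comp_exp` starts above the hunk.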
@@ -92,8 +97,9 @@ def test_noteq_comp_exp(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) ne 'services.exe') or processes/any(query1:tolower(query1/parentProcessName) ne 'services.exe'))) " - "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = [ + "((processes/any(query1:tolower(query1/name) ne 'services.exe') or processes/any(query1:tolower(query1/parentProcessName) ne 'services.exe'))) " + "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries)
@@ -120,13 +126,13 @@ def test_matches_comp_exp(self): def test_custom_in_comp_exp(self): stix_pattern = "[x-msazure-sentinel:tenant_id NOT IN ('Sb73e5ba','b73e5ba8')" \ - "AND x-msazure-sentinel-alert:title LIKE 'Suspicious']" + "AND x-ibm-finding:name LIKE 'Suspicious']" query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["(contains(tolower(title), 'Suspicious') and tolower(azureTenantId) ne " - "'Sb73e5ba' and tolower(azureTenantId) ne 'b73e5ba8') and " - "(eventDateTime ge 2019-12-27T04:50:48.593Z and eventDateTime le 2019-12-27T04:55:48.593Z)"] + "'Sb73e5ba' and tolower(azureTenantId) ne 'b73e5ba8') and " + "(eventDateTime ge 2019-12-27T04:50:48.593Z and eventDateTime le 2019-12-27T04:55:48.593Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -136,10 +142,10 @@ def test_in_comp_exp(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or " - "processes/any(query1:tolower(query1/name) eq 'svchost.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and " - "(eventDateTime ge 2019-12-24T09:50:39.638Z and eventDateTime le 2019-12-24T09:55:39.638Z)"] + "processes/any(query1:tolower(query1/name) eq 'svchost.exe') or " + "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe') or " + "processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and " + "(eventDateTime ge 2019-12-24T09:50:39.638Z and eventDateTime le 2019-12-24T09:55:39.638Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -150,11 +156,11 @@ def test_comb_comparison_exp_1(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["(fileStates/any(query1:tolower(query1/name) eq 'notepad.exe') or " - "(processes/any(query2:tolower(query2/name) eq 'services.exe') or " - "processes/any(query2:tolower(query2/name) eq 'svchost.exe') or " - "processes/any(query2:tolower(query2/parentProcessName) eq 'services.exe') or " - "processes/any(query2:tolower(query2/parentProcessName) eq 'svchost.exe'))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + "(processes/any(query2:tolower(query2/name) eq 'services.exe') or " + "processes/any(query2:tolower(query2/name) eq 'svchost.exe') or " + "processes/any(query2:tolower(query2/parentProcessName) eq 'services.exe') or " + "processes/any(query2:tolower(query2/parentProcessName) eq 'svchost.exe'))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -165,10 +171,12 @@ def test_comb_comparison_exp_2(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) ne 'powershell.exe') and " - "processes/any(query1:tolower(query1/parentProcessName) ne 'powershell.exe')) or " - "networkConnections/any(query2:tolower(query2/sourcePort) eq '454')) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = ["((processes/any(query1:tolower(query1/name) ne 'powershell.exe') " + "and processes/any(query1:tolower(query1/parentProcessName) " + "ne 'powershell.exe')) " + "or (networkConnections/any(query2:tolower(query2/sourcePort) eq '454') " + "or networkConnections/any(query2:tolower(query2/natSourcePort) eq '454'))) " + "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -178,11 +186,19 @@ def test_comb_observation_obs(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and " - "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)", - "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and " - "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"] + queries = [ + "((processes/any(query1:tolower(query1/name) eq 'services.exe') " + "or processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) " + "and (eventDateTime ge 2021-11-20T02:39:16.342Z and eventDateTime le 2021-11-20T02:44:16.342Z)", + "((networkConnections/any(query2:tolower(query2/destinationPort) ge '100') " + "or networkConnections/any(query2:tolower(query2/natDestinationPort) ge '100'))) " + "and (eventDateTime ge 2021-11-20T02:39:16.343Z and eventDateTime le 2021-11-20T02:44:16.343Z)" + ] + # queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or " + # "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and " + # "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)", + # "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and " + # "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
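Review bot: The old `queries` literal is left behind as a five-line commented-out block under its replacement; version control already keeps it, so drop the `#` lines. The replacement also rewrites the hard-coded timestamps, which `_remove_timestamp_from_query` strips before comparison, so the only substantive change in this hunk is the added `natDestinationPort` clause, and a one-line comment naming that would make the intent clearer than the diff noise does. `test_comb_observation_obs` starts above the hunk.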
@@ -194,13 +210,14 @@ def test_comb_observation_obs_qualifier_one(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:query1/processId eq 110) or processes/any(query1:query1/processId eq 220) or " - "processes/any(query1:query1/parentProcessId eq 110) or processes/any(query1:query1/parentProcessId eq 220) or " - "registryKeyStates/any(query1:query1/processId eq 110) or registryKeyStates/any(query1:query1/processId eq 220))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)", - "(userStates/any(query2:query2/logonDateTime eq 2019-09-23T10:43:10.453Z) and " - "networkConnections/any(query3:contains(tolower(query3/sourceAddress), '52.94.233.129'))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = [ + "((processes/any(query1:query1/processId eq 110) or processes/any(query1:query1/processId eq 220) or " + "processes/any(query1:query1/parentProcessId eq 110) or processes/any(query1:query1/parentProcessId eq 220) or " + "registryKeyStates/any(query1:query1/processId eq 110) or registryKeyStates/any(query1:query1/processId eq 220))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)", + "(userStates/any(query2:query2/logonDateTime eq 2019-09-23T10:43:10.453Z) and " + "networkConnections/any(query3:contains(tolower(query3/sourceAddress), '52.94.233.129'))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -231,3 +248,29 @@ def test_comb_observation_obs_qualifier_two(self): queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) + + def test_x_ibm_finding(self): + stix_pattern = "[x-ibm-finding:name = 'photos'] AND [x-ibm-finding:finding_type = 'test type'] " \ + "AND [x-ibm-finding:description = 'test description'] AND " \ + "[x-ibm-finding:severity = 'test severity'] AND " \ + "[x-ibm-finding:src_geolocation = 'canada'] AND" \ + "[x-ibm-finding:dst_geolocation = 'us']" + query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + print(query['queries']) + + queries = ["(tolower(title) eq 'photos') and (eventDateTime ge 2021-10-08T00:18:50.449Z and eventDateTime le " + "2021-10-08T00:23:50.449Z)", + "(tolower(category) eq 'test type') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(tolower(description) eq 'test description') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(tolower(severity) eq 'test severity') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(networkConnections/any(query5:tolower(query5/sourceLocation) eq 'canada')) and (eventDateTime " + "ge 2021-10-08T00:18:50.449Z and eventDateTime le 2021-10-08T00:23:50.449Z)", + "(networkConnections/any(query6:tolower(query6/destinationLocation) eq 'us')) and (eventDateTime " + "ge 2021-10-08T00:18:50.449Z and eventDateTime le 2021-10-08T00:23:50.449Z)"] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries)
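Review bot: `test_x_ibm_finding` leaves a debugging `print(query['queries'])` in place; remove it. The pattern string `"[x-ibm-finding:src_geolocation = 'canada'] AND" \` is missing the trailing space before `"[x-ibm-finding:dst_geolocation = 'us']"`, so the joined pattern reads `AND[x-ibm-finding:...`; it evidently still parses, but every other join in the file keeps the space, so add it. The test exercises six of the new `x-ibm-finding` properties but none of the `*_ref` ones (`src_ip_ref.value`, `src_os_ref.name`, `src_application_user_ref.user_id`) that carry the NAT, OS and user mappings this commit adds; a case for at least `src_ip_ref.value` would cover them.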