Merge branch 'develop' into develop_Qradar_Filter_Zero_Values

adapter-guide/connectors/azure_sentinel_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 02/27/23
+##### Updated on 05/02/23
 ## Microsoft Graph Security
 ### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
@@ -45,7 +45,7 @@
 | **process**:pid | processes.processId, processes.parentProcessId, registryKeyStates.processId |
 | **process**:created | processes.createdDateTime |
 | **process**:parent_ref.pid | processes.parentProcessId |
-| **process**:binary_ref.path | processes.path |
+| **process**:binary_ref.parent_directory_ref.path | processes.path |
 | **domain-name**:value | hostStates.fqdn, hostStates.netBiosName, networkConnections.destinationDomain, userStates.domainName |
 | **user-account**:user_id | userStates.accountName, processes.accountName, userStates.aadUserId |
 | **user-account**:account_login | userStates.logonId |
@@ -54,11 +54,11 @@
 | **software**:name | vendorInformation.provider |
 | **software**:vendor | vendorInformation.vendor |
 | **software**:version | vendorInformation.providerVersion |
-| **url**:name | networkConnections.destinationUrl |
+| **url**:value | networkConnections.destinationUrl |
 | **windows-registry-key**:key | registryKeyStates.key |
-| **windows-registry-key**:extensions.windows-registry-value-type.valueData | registryKeyStates.valueData |
-| **windows-registry-key**:extensions.windows-registry-value-type.name | registryKeyStates.valueName |
-| **windows-registry-key**:extensions.windows-registry-value-type.valueType | registryKeyStates.valueType |
+| **windows-registry-key**:values[*].data | registryKeyStates.valueData |
+| **windows-registry-key**:values[*].name | registryKeyStates.valueName |
+| **windows-registry-key**:values[*].data_type | registryKeyStates.valueType |
 | **x-msazure-sentinel**:tenant_id | azureTenantId |
 | **x-msazure-sentinel**:subscription_id | azureSubscriptionId |
 | **x-msazure-sentinel-alert**:activityGroupName | activityGroupName |
@@ -148,10 +148,6 @@
 | domain-name | value | destinationDomain |
 | domain-name | value | domainName |
 | <br> | | |
-| extensions | windows-registry-value-type.valueData | registryKeyStates |
-| extensions | windows-registry-value-type.name | registryKeyStates |
-| extensions | windows-registry-value-type.valuetype | registryKeyStates |
-| <br> | | |
 | file | hashes.SHA-256 | sha256 |
 | file | hashes.SHA-1 | sha1 |
 | file | hashes.MD5 | md5 |
@@ -201,6 +197,9 @@
 | user-account | account_login | logonId |
 | <br> | | |
 | windows-registry-key | key | registryKeyStates |
+| windows-registry-key | values.data | registryKeyStates |
+| windows-registry-key | values.name | registryKeyStates |
+| windows-registry-key | values.data_type | registryKeyStates |
 | <br> | | |
 | x-ibm-finding | dst_application_ref | destinationServiceName |
 | x-ibm-finding | createddatetime | createdDateTime |

requirements-dev.txt

@@ -2,6 +2,7 @@
 astroid==2.12.12
 autopep8==1.3.4
 coverage==6.5.0
+debugpy-run
 flake8==3.5.0
 freezegun==1.2.2
 isort==4.3.4

stix_shifter_modules/alienvault_otx/.coveragerc

@@ -0,0 +1,2 @@
+[run]
+omit = tests/*

stix_shifter_modules/alienvault_otx/configuration/config.json

@@ -0,0 +1,117 @@
+{
+    "connection": {
+        "type": {
+            "id": "OTXQuery_Connector",
+            "displayName": "AlienVault OTX",
+            "description": "Query AlienVault OTX for IPs, domains, URLs, or file hashes"
+        },
+        "help": {
+            "default": "www.ibm.com",
+            "type": "link"
+        },
+        "options": {
+            "type": "fields",
+            "concurrent": {
+                "default": 4,
+                "min": 1,
+                "max": 100,
+                "type": "number",
+                "previous": "connection.maxConcurrentSearches"
+            },
+            "result_limit": {
+                "default": 10000,
+                "min": 1,
+                "max": 500000,
+                "type": "number",
+                "previous": "connection.resultSizeLimit",
+                "hidden": true
+            },
+            "time_range": {
+                "default": 5,
+                "min": 1,
+                "max": 10000,
+                "type": "number",
+                "previous": "connection.timerange",
+                "nullable": true,
+                "hidden": true
+            },
+            "timeout": {
+                "default": 30,
+                "min": 1,
+                "max": 60,
+                "type": "number",
+                "previous": "connection.timeoutLimit"
+            }
+        },
+        "namespace":{
+            "type": "text",
+            "default": "9d4bedaf-d351-4f50-930f-f8eb121e5bae",
+            "hidden": true
+        },
+        "host": {
+            "type": "text",
+            "default": "",
+            "hidden": true
+        },
+        "port": {
+            "default": 443,
+            "type": "number",
+            "min": 1,
+            "max": 65535,
+            "hidden": true
+        }
+    },
+    "configuration": {
+        "auth": {
+            "type": "fields",
+            "key": {
+                "type": "password"
+            }
+        },
+        "rateLimit": {
+            "type": "fields",
+            "rateLimit": {
+                "default": 10000,
+                "type": "number",
+                "hidden": true
+            },
+            "rateUnit": {
+                "type": "text",
+                "default": "Hour",
+                "hidden": true
+            }
+        },
+        "cacheDuration": {
+            "type": "fields",
+            "cacheDuration": {
+                "default": 10,
+                "type": "number",
+                "hidden": true
+            },
+            "unit": {
+                "default": "Minute",
+                "type": "text",
+                "hidden": true
+            }
+        },
+        "dataTypeList": {
+            "type": "fields",
+            "ip": {
+                "type": "checkbox",
+                "default": true
+            },
+            "domain": {
+                "type": "checkbox",
+                "default": true
+            },
+            "url": {
+                "type": "checkbox",
+                "default": true
+            },
+            "hash": {
+                "type": "checkbox",
+                "default": true
+            }
+        }
+    }
+}

stix_shifter_modules/alienvault_otx/configuration/lang_en.json

@@ -0,0 +1,73 @@
+{
+    "connection": {
+        "options": {
+            "concurrent": {
+                "label": "Concurrent Search Limit",
+                "description": "The number of simultaneous connections that can be made between the host and the data source.  Valid input range is {{min}} to {{max}}."
+            },
+            "search_timeout": {
+                "label": "Query Search Timeout Limit",
+                "description": "The limit on how long the query will run, in minutes, on the data source."
+            }
+        },
+        "host": {
+            "label": "Management IP address or Hostname",
+            "placeholder": "192.168.1.10",
+            "description": "Specify the OCP Cluster hostname or the XForce API host URL"
+        },
+        "port": {
+            "label": "Host Port",
+            "description": "Set the port number that is associated with the Host name or IP"
+        },
+        "namespace": {
+            "label": "The UUID Namespace to generate unique ",
+            "description": "Supply a UUID to generate deterministic UUIDs for the resulting STIX bundle"
+        }
+    },
+    "configuration": {
+        "auth": {
+            "key": {
+                "label": "key",
+                "description": "The APIKey for the Alienvault OTX"
+            }
+        },
+        "rateLimit": {
+            "rateLimit": {
+                "label": "Rate Limit",
+                "description": "The number of queries allowed by Alienvault OTX"
+            },
+            "rateUnit": {
+                "label": "Rate Unit",
+                "description": "The rate unit for rate limit in [seconds, minutes, days, months, years ...]"
+            }
+        },
+        "cacheDuration": {
+            "cacheDuration": {
+                "label": "Cache Duration",
+                "description": "How long should we cache the results of the STIX Bundle execution?"
+            },
+            "unit": {
+                "label": "Rate Unit",
+                "description": "The unit for cache in [seconds, minutes, days, months, years ...]"
+            }
+        },
+        "dataTypeList": {
+            "ip": {
+                "label": "IP Address",
+                "description": "Whether IP Address lookup queries are supported by Alienvault OTX based on the User's API Provisioning"
+            },
+            "domain": {
+                "label": "Domain",
+                "description": "Whether Domain queries are supported by Alienvault OTX based on the User's API Provisioning"
+            },
+            "url": {
+                "label": "URL",
+                "description": "Whether Domain queries are supported by Alienvault OTX based on the User's API Provisioning"
+            },
+            "hash": {
+                "label": "Hash",
+                "description": "Whether Hash queries are supported by Alienvault OTX based on the User's API Provisioning"
+            }
+        }
+    }
+}

stix_shifter_modules/alienvault_otx/entry_point.py

@@ -0,0 +1,42 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+from stix_shifter_utils.modules.base.stix_transmission.base_sync_connector import BaseSyncConnector
+from .stix_transmission.ping_connector import PingConnector
+from .stix_transmission.delete_connector import DeleteConnector
+from .stix_transmission.results_connector import ResultsConnector
+from .stix_transmission.api_client import APIClient
+from .stix_translation.query_translator import QueryTranslator
+from .stix_translation.results_translator import ResultsTranslator
+import os
+
+class EntryPoint(BaseEntryPoint):
+
+    # python main.py translate virus_total results '{}' "[ipv4-addr:value = '127.0.0.1']"
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(False)
+        if connection:
+            api_client = APIClient(connection, configuration)
+            base_sync_connector = BaseSyncConnector()
+            ping_connector = PingConnector(api_client)
+            query_connector = base_sync_connector
+            status_connector = base_sync_connector
+            results_connector = ResultsConnector(api_client)
+            delete_connector = DeleteConnector(api_client)
+
+            self.set_results_connector(results_connector)
+            self.set_status_connector(status_connector)
+            self.set_delete_connector(delete_connector)
+            self.set_query_connector(query_connector)
+            self.set_ping_connector(ping_connector)
+
+        # Use default translation setup with default dialect otherwise...
+        # self.setup_translation_simple(dialect_default='default')
+
+        basepath = os.path.dirname(__file__)
+        filepath = os.path.abspath(os.path.join(basepath, "stix_translation"))
+
+        dialect = 'default'
+        query_translator = QueryTranslator(options, dialect, filepath)
+        results_translator = ResultsTranslator(options, dialect, filepath)
+        self.add_dialect(dialect, query_translator=query_translator, results_translator=results_translator, default=True)

stix_shifter_modules/alienvault_otx/requirements.txt

@@ -0,0 +1 @@
+uuid==1.30

stix_shifter_modules/alienvault_otx/stix_translation/json/from_stix_map.json

@@ -0,0 +1,30 @@
+{
+  "url": {
+    "fields": {
+        "value": ["Url"]
+    }
+  },
+  "ipv4-addr": {
+    "fields": {
+      "value":["SourceIpV4", "DestinationIpV4"]
+    }
+  },
+  "ipv6-addr": {
+    "fields":{
+      "value":["SourceIpV6", "DestinationIpV6"]
+    }
+  },
+  "domain-name":{
+    "fields":{
+      "value":["Url"]
+    }
+  },
+  "file":{
+    "fields":{
+      "hashes.'SHA-256'": ["sha256hash"],
+      "hashes.MD5": ["md5hash"],
+      "hashes.'MD5'": ["md5hash"],
+      "hashes.'SHA-1'": ["sha1hash"]
+    }
+  }
+}

stix_shifter_modules/alienvault_otx/stix_translation/json/operators.json

@@ -0,0 +1,16 @@
+{
+  "ComparisonExpressionOperators.And": "AND",
+  "ComparisonExpressionOperators.Or": "OR",
+  "ComparisonComparators.GreaterThan": ">",
+  "ComparisonComparators.GreaterThanOrEqual": ">=",
+  "ComparisonComparators.LessThan": "<",
+  "ComparisonComparators.LessThanOrEqual": "<=",
+  "ComparisonComparators.Equal": "=",
+  "ComparisonComparators.NotEqual": "!=",
+  "ComparisonComparators.Like": "=",
+  "ComparisonComparators.In": "IN",
+  "ComparisonComparators.Matches": "CONTAINS",
+  "ComparisonComparators.IsSubSet": "insubnet",
+  "ObservationOperators.Or": "OR",
+  "ObservationOperators.And": "AND"
+}

stix_shifter_modules/alienvault_otx/stix_translation/json/to_stix_map.json

@@ -0,0 +1,3 @@
+{
+
+}