Merge branch 'develop' into develop

adapter-guide/connectors/elastic_ecs_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 06/01/22
+##### Updated on 07/21/22
 ## Elasticsearch ECS
 ### Supported STIX Operators
 | STIX Operator | Data Source Operator |
@@ -94,6 +94,7 @@
 | process | parent_ref | ppid |
 | process | command_line | command_line |
 | process | binary_ref | executable |
+| process | x_unique_id | entity_id |
 | process | parent_ref | name |
 | process | parent_ref | pid |
 | process | creator_user_ref | name |
@@ -287,11 +288,9 @@
 | x-ecs-process | pe_product | product |
 | x-ecs-process | args | args |
 | x-ecs-process | args_count | args_count |
-| x-ecs-process | entity_id | entity_id |
 | x-ecs-process | exit_code | exit_code |
 | x-ecs-process | parent_args | args |
 | x-ecs-process | parent_args_count | args_count |
-| x-ecs-process | parent_entity_id | entity_id |
 | x-ecs-process | parent_exit_code | exit_code |
 | x-ecs-process | parent_pgid | pgid |
 | x-ecs-process | parent_ppid | ppid |

adapter-guide/connectors/qradar_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 06/01/22
+##### Updated on 07/26/22
 ## IBM QRadar
 ### Supported STIX Operators
 | STIX Operator | Data Source Operator |
@@ -109,6 +109,7 @@
 | process | parent_ref | "Parent Process ID" |
 | process | binary_ref | TargetImage |
 | process | extensions.windows-service-ext.service_dll_refs | ServiceFileName |
+| process | x_unique_id | "Process Guid" |
 | <br> | | |
 | software | name | applicationname |
 | <br> | | |

adapter-guide/connectors/reaqta_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 06/01/22
+##### Updated on 07/27/22
 ## ReaQta
 ### Supported STIX Operators
 | STIX Operator | Data Source Operator |
@@ -54,10 +54,10 @@
 | network-traffic | dst_ref | remoteAddrV6 |
 | network-traffic | dst_port | remotePort |
 | <br> | | |
-| process | extensions.x-process-ext.process_uid | id |
+| process | x_unique_id | id |
 | process | extensions.x-reaqta-process.logon_id | logonId |
 | process | extensions.x-reaqta-process.no_gui | noGui |
-| process | extensions.x-process-ext.parent_process_uid | parentId |
+| process | x_unique_id | parentId |
 | process | pid | pid |
 | process | pid | ppid |
 | process | parent_ref | ppid |

adapter-guide/connectors/sentinelone_supported_stix.md

@@ -1,4 +1,4 @@
-##### Updated on 06/01/22
+##### Updated on 07/28/22
 ## SentinelOne
 ### Supported STIX Operators
 | STIX Operator | Data Source Operator |
@@ -98,8 +98,8 @@
 | process | extensions.x-sentinelone-process.story_line_id | tgtProcStorylineId |
 | process | extensions.x-sentinelone-process.integrity_level | srcProcIntegrityLevel |
 | process | extensions.x-sentinelone-process.integrity_level | tgtProcIntegrityLevel |
-| process | extensions.x-sentinelone-process.process_unique_id | srcProcUid |
-| process | extensions.x-sentinelone-process.process_unique_id | tgtProcUid |
+| process | x_unique_id | srcProcUid |
+| process | x_unique_id | tgtProcUid |
 | process | extensions.x-sentinelone-process.signed_status | srcProcSignedStatus |
 | process | extensions.x-sentinelone-process.signed_status | tgtProcSignedStatus |
 | process | extensions.x-sentinelone-process.publisher | srcProcPublisher |
@@ -122,7 +122,7 @@
 | process | extensions.x-sentinelone-process.active_content_hash | tgtProcActiveContentHash |
 | process | extensions.x-sentinelone-process.active_content_signed_status | srcProcActiveContentSignedStatus |
 | process | extensions.x-sentinelone-process.active_content_signed_status | tgtProcActiveContentSignedStatus |
-| process | extensions.x-sentinelone-process.process_unique_id | srcProcParentUid |
+| process | x_unique_id | srcProcParentUid |
 | <br> | | |
 | url | value | url |
 | <br> | | |

stix_shifter/scripts/stix_shifter.py

@@ -295,7 +295,7 @@ def is_async():
                     # Collect all results
                     results += result["data"]
                 else:
-                    raise RuntimeError("Fetching results failed; see log for details")
+                    raise RuntimeError("Fetching results failed; see log for details" + str(result))
             else:
                 log.error(str(search_result))
                 exit(0)

stix_shifter_modules/cbcloud/stix_translation/json/from_stix_map.json

@@ -32,7 +32,8 @@
       "parent_ref.name": ["parent_name"],
       "parent_ref.binary_ref.name": ["parent_name"],
       "parent_ref.binary_ref.hashes.MD5": ["parent_hash"],
-      "parent_ref.binary_ref.hashes.'SHA-256'": ["parent_hash"]
+      "parent_ref.binary_ref.hashes.'SHA-256'": ["parent_hash"],
+      "x_unique_id": ["process_guid", "parent_guid"]
     }
   },
   "software": {

stix_shifter_modules/cbcloud/stix_translation/json/stix_2_1/from_stix_map.json

@@ -31,7 +31,8 @@
       "parent_ref.name": ["parent_name"],
       "parent_ref.image_ref.name": ["parent_name"],
       "parent_ref.image_ref.hashes.MD5": ["parent_hash"],
-      "parent_ref.image_ref.hashes.'SHA-256'": ["parent_hash"]
+      "parent_ref.image_ref.hashes.'SHA-256'": ["parent_hash"],
+      "x_unique_id": ["process_guid", "parent_guid"]
     }
   },
   "software": {

stix_shifter_modules/elastic_ecs/stix_translation/json/from_stix_map.json

@@ -118,15 +118,15 @@
       "parent_ref.pid": ["process.ppid", "process.parent.ppid"],
       "parent_ref.name": ["process.parent.name"],
       "binary_ref.name": ["process.executable", "process.parent.executable"],
-      "x_ttp_tags": ["tags"]
+      "x_ttp_tags": ["tags"],
+      "x_unique_id": ["process.entity_id", "process.parent.entity_id"]
     }
   },
   "x-ecs-process": {
     "fields": {
       "args": ["process.args"],
       "args_count": ["process.args_count"],
       "executable": ["process.executable"],
-      "entity_id": ["process.entity_id"],
       "exit_code": ["process.exit_code"],
       "thread.id": ["process.thread.id"],
       "thread.name": ["process.thread.name"],
@@ -135,7 +135,6 @@
       "working_directory": ["process.working_directory"],
       "parent.args": ["process.parent.args"],
       "parent.args_count": ["process.parent.args_count"],
-      "parent.entity_id": ["process.parent.entity_id"],
       "parent.exit_code": ["process.parent.exit_code"],
       "parent.pgid": ["process.parent.pgid"],
       "parent.thread.id": ["process.parent.thread.id"],

stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/from_stix_map.json

@@ -117,15 +117,15 @@
       "parent_ref.pid": ["process.ppid", "process.parent.ppid"],
       "parent_ref.name": ["process.parent.name"],
       "image_ref.name": ["process.executable", "process.parent.executable"],
-      "x_ttp_tags": ["tags"]
+      "x_ttp_tags": ["tags"],
+      "x_unique_id": ["process.entity_id", "process.parent.entity_id"]
     }
   },
   "x-ecs-process": {
     "fields": {
       "args": ["process.args"],
       "args_count": ["process.args_count"],
       "executable": ["process.executable"],
-      "entity_id": ["process.entity_id"],
       "exit_code": ["process.exit_code"],
       "thread.thread_id": ["process.thread.id"],
       "thread.name": ["process.thread.name"],
@@ -134,7 +134,6 @@
       "working_directory": ["process.working_directory"],
       "parent.args": ["process.parent.args"],
       "parent.args_count": ["process.parent.args_count"],
-      "parent.entity_id": ["process.parent.entity_id"],
       "parent.exit_code": ["process.parent.exit_code"],
       "parent.pgid": ["process.parent.pgid"],
       "parent.thread.thread_id": ["process.parent.thread.id"],

stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json

@@ -855,8 +855,8 @@
       }
     ],
     "entity_id": {
-      "key": "x-ecs-process.entity_id",
-      "object": "x_process"
+      "key": "process.x_unique_id",
+      "object": "process"
     },
     "exit_code": {
       "key": "x-ecs-process.exit_code",
@@ -876,8 +876,8 @@
         "object": "process_parent"
       },
       "entity_id": {
-        "key": "x-ecs-process.parent_entity_id",
-        "object": "x_process"
+        "key": "process.x_unique_id",
+        "object": "process_parent"
       },
       "exit_code": {
         "key": "x-ecs-process.parent_exit_code",

stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json

@@ -867,8 +867,8 @@
       }
     ],
     "entity_id": {
-      "key": "x-ecs-process.entity_id",
-      "object": "x_process"
+      "key": "process.x_unique_id",
+      "object": "process"
     },
     "exit_code": {
       "key": "x-ecs-process.exit_code",
@@ -888,8 +888,8 @@
         "object": "process_parent"
       },
       "entity_id": {
-        "key": "x-ecs-process.parent_entity_id",
-        "object": "x_process"
+        "key": "process.x_unique_id",
+        "object": "process_parent"
       },
       "exit_code": {
         "key": "x-ecs-process.parent_exit_code",

stix_shifter_modules/elastic_ecs/tests/stix_translation/test_elastic_ecs_json_to_stix.py

@@ -329,7 +329,7 @@ def test_process_prop(self):
         proc_object = TestElasticEcsTransform.get_first_of_type(objects.values(), 'process')
         assert (proc_object is not None), 'process object type not found'
         assert (proc_object.keys() ==
-                {'type', 'pid', 'name', 'created', 'opened_connection_refs', 'creator_user_ref', 'binary_ref', 'parent_ref'})
+                {'type', 'pid', 'name', 'created', 'opened_connection_refs', 'creator_user_ref', 'binary_ref', 'parent_ref', 'x_unique_id'})
         assert (proc_object['type'] == 'process')
         assert (proc_object['pid'] == 609)
         assert (proc_object['created'] == '2019-04-10T11:33:57.571Z')

stix_shifter_modules/qradar/stix_translation/json/aql_events_fields.json

@@ -62,6 +62,7 @@
     "\"Process ID\" as ProcessId",
     "\"Parent Process ID\" as ParentProcessId",
     "hasoffense",
-    "\"Machine ID\" as MachineId"
+    "\"Machine ID\" as MachineId",
+    "\"Process Guid\" as ProcessGuid"
   ]
 }

stix_shifter_modules/qradar/stix_translation/json/events_from_stix_map.json

@@ -101,7 +101,8 @@
       "parent_ref.binary_ref.name": ["ParentImage"],
       "command_line": ["ProcessCommandLine", "ParentCommandLine"],
       "parent_ref.command_line": ["ParentCommandLine"],
-      "extensions.'windows-service-ext'.service_dll_refs[*].name": ["ServiceFileName"]
+      "extensions.'windows-service-ext'.service_dll_refs[*].name": ["ServiceFileName"],
+      "x_unique_id": ["ProcessGuid"]
     }
   },
   "x-oca-event": {

stix_shifter_modules/qradar/stix_translation/json/stix_2_1/events_from_stix_map.json

@@ -95,13 +95,14 @@
   "process": {
     "fields": {
       "pid": ["ProcessId"],
-      "name": ["ProcessName", "Image", "ParentImage"],
-      "image_ref.name": ["Image"],
-      "image_ref.parent_directory_ref.path": ["Image"],
+      "name": ["ProcessName", "Image", "ParentImage", "TargetImage"],
+      "image_ref.name": ["Image", "TargetImage"],
+      "image_ref.parent_directory_ref.path": ["Image", "TargetImage"],
       "parent_ref.image_ref.name": ["ParentImage"],
       "command_line": ["ProcessCommandLine", "ParentCommandLine"],
       "parent_ref.command_line": ["ParentCommandLine"],
-      "extensions.'windows-service-ext'.service_dll_refs[*].name": ["ServiceFileName"]
+      "extensions.'windows-service-ext'.service_dll_refs[*].name": ["ServiceFileName"],
+      "x_unique_id": ["ProcessGuid"]
     }
   },
   "x-oca-event": {
@@ -120,11 +121,11 @@
       "process_ref.name": ["ProcessName"],
       "process_ref.pid": ["ProcessId"],
       "parent_process_ref.command_line": ["ParentCommandLine"],
-      "parent_process_ref.image_ref.name": ["ParentImage"],
+      "parent_process_ref.image_ref.name": ["ParentImage", "TargetImage"],
       "domain_ref.value": ["domainname", "UrlHost"],
       "file_ref.name": ["filename"],
-      "host_ref.hostname": ["identityhostname"],
-      "host_ref.ip_refs[*].value": ["identityip"],
+      "host_ref.hostname": ["identityhostname", "MachineId"],
+      "host_ref.ip_refs[*].value": ["identityip", "sourceip"],
       "registry_ref.key": ["ObjectName", "RegistryKey"],
       "user_ref.user_id": ["username"],
       "url_ref.value": ["url"],
@@ -143,14 +144,5 @@
       "key": ["ObjectName", "RegistryKey"],
       "values[*].name": ["RegistryValueName"]
     }
-  },
-  "x-ibm-windows": {
-    "fields": {
-      "targetimage": ["TargetImage"],
-      "grantedaccess": ["GrantedAccess"],
-      "calltrace": ["CallTrace"],
-      "sourceimage": ["Image"],
-      "pipename": ["PipeName"]
-    }
   }
 }

stix_shifter_modules/qradar/stix_translation/json/stix_2_1/to_stix_map.json

@@ -491,8 +491,7 @@
       "key": "x-qradar.flow_source",
       "object": "x-qradar"
     }
-  ]
-  ,
+  ],
   "flowinterface": {
     "key": "x-qradar.flow_interface",
     "object": "x-qradar"
@@ -799,34 +798,28 @@
       "references": "winregistry"
     }
   ],
-  "TargetImage": {
-    "key": "x-ibm-windows.targetimage",
-    "object": "xwin"
-  },
-  "GrantedAccess": {
-    "key": "x-ibm-windows.granted_access",
-    "object": "xwin"
-  },
-  "CallTrace": {
-    "key": "x-ibm-windows.call_trace",
-    "object": "xwin"
-  },
-  "PipeName": {
-    "key": "x-ibm-windows.pipe_name",
-    "object": "xwin"
-  },
-  "StartModule": {
-    "key": "x-ibm-windows.start_module",
-    "object": "xwin"
-  },
-  "StartFunction": {
-    "key": "x-ibm-windows.start_function",
-    "object": "xwin"
-  },
-  "Signed": {
-    "key": "x-ibm-windows.signed",
-    "object": "xwin"
-  },
+  "TargetImage": [
+    {
+      "key": "file.name",
+      "object": "file_target_image",
+      "transformer": "ToFileName"
+    },
+    {
+      "key": "directory.path",
+      "object": "directory_target_image",
+      "transformer": "ToDirectoryPath"
+    },
+    {
+      "key": "process.binary_ref",
+      "object": "target_process",
+      "references": "file_target_image"
+    },
+    {
+      "key": "file.parent_directory_ref",
+      "object": "file_target_image",
+      "references": "directory_target_image"
+    }
+  ],
   "Message": [
     {
       "key": "artifact.payload_bin",
@@ -847,10 +840,6 @@
       "key": "artifact.mime_type",
       "object": "artifact"
   },
-  "IMPHash": {
-    "key": "x-ibm-windows.imphash",
-    "object": "xwin"
-  },
   "ServiceFileName": [
     {
       "key": "file.name",
@@ -877,5 +866,20 @@
   "hasoffense": {
     "key": "x-qradar.has_offense",
     "object": "x-qradar"
+  },
+  "MachineId": [
+    {
+      "key": "x-oca-asset.hostname",
+      "object": "host"
+    },
+    {
+      "key": "x-oca-event.host_ref",
+      "object": "event",
+      "references": "host"
+    }
+  ],
+  "ProcessGuid": {
+    "key": "process.x_unique_id",
+    "object": "process"
   }
 }

stix_shifter_modules/qradar/stix_translation/json/to_stix_map.json

@@ -888,5 +888,9 @@
       "object": "event",
       "references": "host"
     }
-  ]
+  ],
+  "ProcessGuid": {
+    "key": "process.x_unique_id",
+    "object": "process"
+  }
 }