From 8128dfb296c705b8845847007115adafeac17e2b Mon Sep 17 00:00:00 2001 From: "jingqiu.du" Date: Mon, 11 Oct 2021 23:56:56 -0300 Subject: [PATCH 1/8] Mapping azure_sentinel UDI connector --- .../stix_translation/json/from_stix_map.json | 65 +++++++---- .../stix_translation/json/to_stix_map.json | 106 +++++++++++------- 2 files changed, 108 insertions(+), 63 deletions(-) diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json index 302d27bce..5356e0942 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json 
@@ -92,18 +92,19 @@ "fields": { "activityGroupName": ["activityGroupName"], "assignedTo": ["assignedTo"], - "category": ["category"], - "closedDateTime": ["closedDateTime"], - "cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"], - "cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"], - "cloudAppStates.riskScore": ["cloudAppStates.riskScore"], "comments": ["comments"], "confidence": ["confidence"], - "createdDateTime": ["createdDateTime"], - "description": ["description"], "detectionIds": ["detectionIds"], - "eventDateTime": ["eventDateTime"], "feedback": ["feedback"], + "id": ["id"], + "incidentIds": ["incidentIds"], + "recommendedActions": ["recommendedActions"], + "sourceMaterials": ["sourceMaterials"], + "status": ["status"], + "tags": ["tags"], + "cloudAppStates.destinationServiceName": ["cloudAppStates.destinationServiceName"], + "cloudAppStates.destinationServiceIp": ["cloudAppStates.destinationServiceIp"], + "cloudAppStates.riskScore": ["cloudAppStates.riskScore"], "hostStates.isAzureAadJoined": ["hostStates.isAzureAadJoined"], "hostStates.isAzureAadRegistered": ["hostStates.isAzureAadRegistered"], "hostStates.isHybridAzureDomainJoined": ["hostStates.isHybridAzureDomainJoined"], 
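Review bot: Removing `category`, `closedDateTime`, `createdDateTime`, `description`, `eventDateTime`, `severity` and `title` from this field list (presumably the `x-msazure-sentinel-alert` object, whose header starts before the hunk) and from the hunk that ends on the next page line is a breaking change for any saved STIX pattern that filters on `x-msazure-sentinel-alert:title` or `:severity`; those attributes now only resolve through the new `x-ibm-finding`/`x-oca-event` blocks. `eventDateTime` in particular does not reappear in either new block as far as this page shows, so it seems to become unqueryable except via the time qualifier, unless it is mapped somewhere outside these hunks. Consider keeping the old entries alongside the new ones for a release, or calling the removal out in the PR description.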
@@ -111,36 +112,22 @@ "hostStates.publicIpAddress": ["hostStates.publicIpAddress"], "hostStates.privateIpAddress": ["hostStates.privateIpAddress"], "hostStates.riskScore": ["hostStates.riskScore"], - "id": ["id"], - "incidentIds": ["incidentIds"], - "lastModifiedDateTime": ["lastModifiedDateTime"], "malwareStates.category": ["malwareStates.category"], "malwareStates.family": ["malwareStates.family"], "malwareStates.name": ["malwareStates.family"], "malwareStates.severity": ["malwareStates.family"], "malwareStates.wasRunning": ["malwareStates.family"], - "networkConnections.destinationLocation": ["networkConnections.destinationLocation"], "networkConnections.direction": ["networkConnections.direction"], "networkConnections.domainRegisteredDateTime": ["networkConnections.domainRegisteredDateTime"], "networkConnections.localDnsName": ["networkConnections.localDnsName"], - "networkConnections.natDestinationAddress": ["networkConnections.natDestinationAddress"], "networkConnections.natDestinationPort": ["networkConnections.natDestinationPort"], - "networkConnections.natSourceAddress": ["networkConnections.natSourceAddress"], "networkConnections.natSourcePort": ["networkConnections.natSourcePort"], "networkConnections.riskScore": ["networkConnections.riskScore"], - "networkConnections.sourceLocation": ["networkConnections.sourceLocation"], "networkConnections.status": ["networkConnections.status"], - "networkConnections.urlParameters": ["networkConnections.urlParameters"], "processes.integrityLevel": ["processes.integrityLevel"], "processes.isElevated": ["processes.isElevated"], - "recommendedActions": ["recommendedActions"], "securityResources.resource": ["securityResources.resource"], "securityResources.resourceType": ["securityResources.resourceType"], - "severity": ["severity"], - "sourceMaterials": ["sourceMaterials"], - "status": ["status"], - "tags": ["tags"], - "title": ["title"], "triggers.name": ["triggers.name"], "triggers.type": ["triggers.type"], 
"triggers.value": ["triggers.value"], @@ -154,10 +141,42 @@ "userStates.riskScore": ["userStates.riskScore"], "userStates.userAccountType": ["userStates.userAccountType"], "userStates.userPrincipalName": ["userStates.userPrincipalName"], - "vendorInformation.subProvider": ["vendorInformation.subProvider"], "vulnerabilityStates.cve": ["vulnerabilityStates.cve"], "vulnerabilityStates.severity": ["vulnerabilityStates.severity"], "vulnerabilityStates.wasRunning": ["vulnerabilityStates.wasRunning"] } + }, + + "x-ibm-finding": { + "fields": { + "name": ["title"], + "description": ["description"], + "severity": ["severity"], + "start": ["createdDateTime"], + "end": ["closedDateTime"], + "finding_type": ["category"], + "src_ip_ref.value": ["networkConnections.natSourceAddress"], + "dst_ip_ref.value": ["networkConnections.natDestinationAddress"], + "src_os_ref.name": ["hostStates.os"], + "dst_application_ref.name": ["cloudAppStates.destinationServiceName"], + "src_geolocation": ["networkConnections.sourceLocation"], + "dst_geolocation": ["networkConnections.destinationLocation"], + "src_application_user_ref.user_id":["userStates.aadUserId"], + "src_application_user_ref.type":["userStates.logonType"], + "time_observed": ["lastModifiedDateTime"] + } + }, + + "x-oca-event": { + "fields": { + "action": ["title"], + "code": ["id"], + "outcome": ["category"], + "category": ["category"], + "created": ["createdDateTime"], + "provider": ["vendorInformation.subProvider"], + "domain_ref.value": ["networkConnections.urlParameters"], + "url_ref.value": ["networkConnections.urlParameters"] + } } } diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json index 968b11fbb..3ff88789d 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json 
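Review bot: The context lines `"malwareStates.name": ["malwareStates.family"]`, `"malwareStates.severity": ["malwareStates.family"]` and `"malwareStates.wasRunning": ["malwareStates.family"]` route three different STIX attributes to the same backend field, so a pattern on `malwareStates.severity` is actually evaluated against `family`; this looks like a copy-paste carry-over, and since the commit is already reshuffling this list it is worth correcting here: `"malwareStates.name": ["malwareStates.name"]`, `"malwareStates.severity": ["malwareStates.severity"]`, `"malwareStates.wasRunning": ["malwareStates.wasRunning"]`. This hunk begins on the previous page line and its enclosing object starts before it.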
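Review bot: In the new `x-ibm-finding` block, `"src_application_user_ref.type":["userStates.logonType"]` maps a logon type onto the `type` property of the referenced `user-account`, which in STIX is the object-type discriminator rather than a data field, so no meaningful pattern can target it; this entry should be dropped or pointed at a custom property. In the `x-oca-event` block, `domain_ref.value` and `url_ref.value` both resolve to `networkConnections.urlParameters`, so a `domain-name` query is run against URL-parameter text; the domain entry looks wrong and should go to a hostname-bearing field if one exists, or be removed. Style: the two `src_application_user_ref.*` lines omit the space after the colon used everywhere else in this file.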
@@ -30,18 +30,28 @@ "key": "x-msazure-sentinel-alert.assignedTo", "object": "alert" }, - "category": { - "key": "x-msazure-sentinel-alert.category", - "object": "alert" - }, + "category": [ + { + "key": "x-ibm-finding.finding_type", + "object": "finding" + }, + { + "key": "x-oca-event.outcome", + "object": "event" + }, + { + "key": "x-oca-event.category", + "object": "event" + } + ], "closedDateTime": { - "key": "x-msazure-sentinel-alert.closedDateTime", - "object": "alert" + "key": "x-ibm-finding.closedDateTime", + "object": "finding" }, "cloudAppStates": { "destinationServiceName": { - "key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceName", - "object": "alert" + "key": "x-ibm-finding.dst_application_ref.name", + "object": "finding" }, "destinationServiceIp": { "key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceIp", @@ -67,13 +77,17 @@ "cybox": false }, { - "key": "x-msazure-sentinel-alert.createddatetime", - "object": "alert" + "key": "x-ibm-finding.createddatetime", + "object": "finding" + }, + { + "key": "x-oca-eventg.created", + "object": "event" } ], "description": { - "key": "x-msazure-sentinel-alert.description", - "object": "alert" + "key": "x-ibm-finding.description", + "object": "finding" }, "detectionIds": { "key": "x-msazure-sentinel-alert.detectionids", @@ -163,8 +177,8 @@ "object": "alert" }, "os": { - "key": "x-msazure-sentinel-alert.hostStates.os", - "object": "alert" + "key": "x-ibm-finding.src_os_ref.name", + "object": "finding" }, "privateIpAddress": { "key": "ipv4-addr.value" @@ -178,8 +192,8 @@ } }, "id": { - "key": "x-msazure-sentinel-alert.providerid", - "object": "alert" + "key": "x-oca-event.code", + "object": "event" }, "incidentIds": { "key": "x-msazure-sentinel-alert.incidentIds", @@ -192,8 +206,8 @@ "cybox": false }, { - "key": "x-msazure-sentinel-alert.lastmodifieddatetime", - "object": "alert" + "key": "x-ibm-finding.time_observed", + "object": "finding" } ], "malwareStates": { 
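Review bot: `"key": "x-oca-eventg.created"` in the `createdDateTime` array has a typo in the object-type prefix; every other entry for this object uses `x-oca-event`, so it should read `"key": "x-oca-event.created"`. In the same file the result side now writes `x-ibm-finding.createddatetime` and `x-ibm-finding.closedDateTime`, while the query side (`from_stix_map.json`, earlier in this patch) exposes the same backend fields as `x-ibm-finding:start` and `x-ibm-finding:end`; the round trip does not line up and neither result-side name is a standard `x-ibm-finding` property, so `"key": "x-ibm-finding.start"` and `"key": "x-ibm-finding.end"` would be the consistent choice. A later commit in this series re-points `closedDateTime` to `last_observed` but leaves `createddatetime` as is.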
@@ -234,7 +248,7 @@
 }
 ],
 "destinationLocation": {
- "key": "x-msazure-sentinel-alert.networkConnections.destinationLocation",
+ "key": "x-ibm-finding.dst_geolocation",
 "object": "alert"
 },
 "destinationDomain": {
@@ -263,16 +277,16 @@
 "object": "alert"
 },
 "natDestinationAddress": {
- "key": "x-msazure-sentinel-alert.networkConnections.natDestinationAddress",
- "object": "alert"
+ "key": "x-ibm-finding.dst_ip_ref.value",
+ "object": "finding"
 },
 "natDestinationPort": {
 "key": "x-msazure-sentinel-alert.networkConnections.natDestinationPort",
 "object": "alert"
 },
 "natSourceAddress": {
- "key": "x-msazure-sentinel-alert.networkConnections.natSourceAddress",
- "object": "alert"
+ "key": "x-ibm-finding.src_ip_ref.value",
+ "object": "finding"
 },
 "natSourcePort": {
 "key": "x-msazure-sentinel-alert.networkConnections.natSourcePort",
@@ -300,7 +314,7 @@
 }
 ],
 "sourceLocation": {
- "key": "x-msazure-sentinel-alert.networkConnections.sourceLocation",
+ "key": "x-ibm-finding.src_geolocation",
 "object": "alert"
 },
 "sourcePort": {
@@ -312,10 +326,16 @@
 "key": "x-msazure-sentinel-alert.networkConnections.status",
 "object": "alert"
 },
- "urlParameters": {
- "key": "x-msazure-sentinel-alert.networkConnections.urlParameters",
- "object": "alert"
- }
+ "urlParameters": [
+ {
+ "key": "x-oca-event.domain_ref.value",
+ "object": "event"
+ },
+ {
+ "key": "x-oca-event.url_ref.value",
+ "object": "event"
+ }
+ ]
 },
 "processes": {
 "accountName": [
@@ -476,8 +496,8 @@
 }
 },
 "severity": {
- "key": "x-msazure-sentinel-alert.severity",
- "object": "alert"
+ "key": "x-ibm-finding.severity",
+ "object": "finding"
 },
 "sourceMaterials": {
 "key": "x-msazure-sentinel-alert.sourcematerials",
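Review bot: `destinationLocation` and `sourceLocation` receive `x-ibm-finding.*` keys but keep `"object": "alert"`, whereas every other re-pointed entry in this file switches to `"object": "finding"`; if objects are grouped by that label, as the rest of the mapping assumes, these two values end up in the `x-msazure-sentinel-alert` object under a foreign prefix (or are dropped, depending on how the translator resolves the conflict). Both should read `"object": "finding"`. Separately, `urlParameters` now writes `x-oca-event.domain_ref.value` and `x-oca-event.url_ref.value`; `domain_ref`/`url_ref` are reference properties, so placing `.value` beneath them yields nested objects rather than links to `domain-name`/`url` SCOs — the `"references"` construction this series introduces later for `cloudAppStates.destinationServiceName` is the right shape here as well.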
@@ -494,10 +514,16 @@ "object": "alert", "transformer": "ToString" }, - "title": { - "key": "x-msazure-sentinel-alert.title", - "object": "alert" - }, + "title": [ + { + "key": "x-ibm-finding.name", + "object": "finding" + }, + { + "key": "x-oca-event.action", + "object": "event" + } + ], "triggers": { "name": { "key": "x-msazure-sentinel-alert.triggers.name", @@ -514,8 +540,8 @@ }, "userStates": { "aadUserId": { - "key": "x-msazure-sentinel-alert.userStates.aaduserid", - "object": "alert" + "key": "x-ibm-finding.src_application_user_ref.user_id", + "object": "finding" }, "accountName": { "key": "user-account.user_id", @@ -548,8 +574,8 @@ "object": "alert" }, "logonType": { - "key": "x-msazure-sentinel-alert.userStates.logonType", - "object": "alert" + "key": "x-ibm-finding.src_application_user_ref.type", + "object": "finding" }, "onPremisesSecurityIdentifier": { "key": "x-msazure-sentinel-alert.userStates.onpremisessecurityidentifier", @@ -582,8 +608,8 @@ "object": "application" }, "subProvider": { - "key": "x-msazure-sentinel-alert.vendorinformation.subprovider", - "object": "alert" + "key": "x-oca-event.provider", + "object": "event" } }, "vulnerabilityStates": { From 34002f32f44bd1926d51a45934e64087001cd58f Mon Sep 17 00:00:00 2001 From: "jingqiu.du" Date: Tue, 12 Oct 2021 21:02:08 -0300 Subject: [PATCH 2/8] fix test --- .../test_azure_sentinel_json_to_stix.py | 20 ++-- .../test_azure_sentinel_stix_to_query.py | 98 ++++++++++++------- 2 files changed, 77 insertions(+), 41 deletions(-) diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py index 2b8761b4c..e517772af 100644 --- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py +++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py 
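Review bot: `userStates.aadUserId` → `x-ibm-finding.src_application_user_ref.user_id` and `logonType` → `x-ibm-finding.src_application_user_ref.type` write properties beneath a `_ref` field; `src_application_user_ref` is meant to carry the id of a `user-account` object, so this produces a nested object whose `type` value collides with the STIX type discriminator. A later commit on this page adds `userStates.aadUserId` to `user-account.user_id` on the query side, so the result side should take the same shape: a `user-account` object plus a reference from the finding, mirroring the `references` pattern used elsewhere in this series. `logonType` has no counterpart on `user-account` and is better left as a custom alert property.
```json
"aadUserId": [
  {
    "key": "user-account.user_id",
    "object": "aad_user"
  },
  {
    "key": "x-ibm-finding.src_application_user_ref",
    "object": "finding",
    "references": "aad_user"
  }
],
```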
@@ -143,6 +143,10 @@ def test_custom_property(): custom_object_1 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-msazure-sentinel') custom_object_2 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-msazure-sentinel-alert') + custom_object_3 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding') + custom_object_4 = TestAzureSentinelResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') + + assert custom_object_1 is not None, 'Custom object type not found' assert custom_object_1.keys() == {'type', 'tenant_id', 'subscription_id'} @@ -150,12 +154,12 @@ def test_custom_property(): assert custom_object_1['subscription_id'] == '083de1fb-cd2d-4b7c-895a-2b5af1d091e8' assert custom_object_2 is not None, 'Custom object type not found' - assert custom_object_2.keys() == {'type', 'providerid', 'category', 'createddatetime', 'description', - 'lastmodifieddatetime', 'recommendedactions', 'severity', 'status', 'title'} - - assert custom_object_2['providerid'] == '2518268485253060642_52b1a353-2fd8-4c45-8f8a-94db98dca29d' - assert custom_object_2['title'] == 'Rare SVCHOST service group executed' + assert custom_object_2.keys() == {'type', 'recommendedactions', 'status'} + assert custom_object_3.keys() == {'type', 'finding_type', 'createddatetime', 'description', 'time_observed', 'severity', 'name'} + assert custom_object_3['name'] == 'Rare SVCHOST service group executed' + assert custom_object_4.keys() == {'type', 'code', 'outcome', 'category', 'created', 'action'} + assert custom_object_4['category'] == 'SuspiciousSVCHOSTRareGroup' @staticmethod def test_file_process_json_to_stix(): """ 
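Review bot: `custom_object_3` and `custom_object_4` are dereferenced with `.keys()` without the `is not None` guard the first two objects get, so a missing object fails with an `AttributeError` on `None` instead of the labelled assertion; add `assert custom_object_3 is not None, 'Custom object type not found'` and the same for `custom_object_4`. The replaced `providerid` check is not carried over to its new home, so the event `code` value is never verified — `assert custom_object_4['code'] == '2518268485253060642_52b1a353-2fd8-4c45-8f8a-94db98dca29d'` keeps that coverage. The two added blank lines after the `custom_object_4` assignment are stray. `test_custom_property` starts before this hunk.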
@@ -208,7 +212,7 @@ def test_file_process_json_to_stix(): assert file_obj .keys() == {'type', 'name', 'parent_directory_ref'} assert file_obj['type'] == 'file' assert file_obj['name'] == 'services.exe' - assert file_obj['parent_directory_ref'] == '3' + assert file_obj['parent_directory_ref'] == '5' assert directory_obj['path'] == 'c:\\windows\\system32' @staticmethod @@ -258,8 +262,8 @@ def test_network_json_to_stix(): assert network_obj['src_port'] == 9475 assert network_obj['dst_port'] == 22 assert network_obj['protocols'] == ['tcp'] - assert network_obj['src_ref'] == '5' - assert network_obj['dst_ref'] == '3' + assert network_obj['src_ref'] == '7' + assert network_obj['dst_ref'] == '5' @staticmethod def test_network_json_to_stix_negative(): diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py index 7967cc552..25cf0a093 100644 --- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py +++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py @@ -43,8 +43,9 @@ def test_process_comp_exp(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) eq 'svchost.exe') or processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and (eventDateTime ge " - "2019-12-24T09:22:44.667Z and eventDateTime le 2019-12-24T09:27:44.667Z)"] + queries = [ + "((processes/any(query1:tolower(query1/name) eq 'svchost.exe') or processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and (eventDateTime ge " + "2019-12-24T09:22:44.667Z and eventDateTime le 2019-12-24T09:27:44.667Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
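Review bot: The `parent_directory_ref`, `src_ref` and `dst_ref` expectations are bumped (`'3'`→`'5'`, `'5'`→`'7'`, `'3'`→`'5'`) only because the new finding and event objects shift the positional ids, so these assertions will break again on the next mapping change. Resolving the reference instead of pinning its index makes them robust, e.g. `assert objects[file_obj['parent_directory_ref']]['type'] == 'directory'`, assuming `objects` is the id-keyed dict that `objects.values()` is taken from earlier in this file. The same applies to the `src_ref`/`dst_ref` assertions in the second hunk. Both enclosing test functions start before their hunks.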
@@ -55,7 +56,10 @@ def test_network_comp_exp(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) or " - "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')))) " + "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) or " + "hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') or " + "hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') or " + "userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22'))) " "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) @@ -80,8 +84,8 @@ def test_directory_path_exp(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((fileStates/any(query1:contains(tolower(query1/path), 'windows')) or " - "process/any(query1:tolower(query1/path) eq 'windows'))) and " - "(eventDateTime ge 2019-12-24T09:46:34.835Z and eventDateTime le 2019-12-24T09:51:34.835Z)"] + "process/any(query1:tolower(query1/path) eq 'windows'))) and " + "(eventDateTime ge 2019-12-24T09:46:34.835Z and eventDateTime le 2019-12-24T09:51:34.835Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
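Review bot: The expected query now mixes `contains(tolower(query1/sourceAddress), '172.16.2.22')` for the networkConnections fields with `tolower(query1/publicIpAddress) eq '172.16.2.22'` for the hostStates/userStates ones, so an equality on `ipv4-addr:value` is a substring match for some fields and an exact match for others; the substring form also matches `172.16.2.220`, which produces false positives in detection queries. If that asymmetry is deliberate translator behaviour it deserves a comment in the test, e.g. `# sourceAddress/destinationAddress use contains() (substring); the other IP fields use eq`; if not, the translator rather than this expectation is what needs to change. `test_network_comp_exp` starts before the hunk.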
@@ -92,8 +96,9 @@ def test_noteq_comp_exp(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:tolower(query1/name) ne 'services.exe') or processes/any(query1:tolower(query1/parentProcessName) ne 'services.exe'))) " - "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = [ + "((processes/any(query1:tolower(query1/name) ne 'services.exe') or processes/any(query1:tolower(query1/parentProcessName) ne 'services.exe'))) " + "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) @@ -120,13 +125,13 @@ def test_matches_comp_exp(self): def test_custom_in_comp_exp(self): stix_pattern = "[x-msazure-sentinel:tenant_id NOT IN ('Sb73e5ba','b73e5ba8')" \ - "AND x-msazure-sentinel-alert:title LIKE 'Suspicious']" + "AND x-ibm-finding:name LIKE 'Suspicious']" query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["(contains(tolower(title), 'Suspicious') and tolower(azureTenantId) ne " - "'Sb73e5ba' and tolower(azureTenantId) ne 'b73e5ba8') and " - "(eventDateTime ge 2019-12-27T04:50:48.593Z and eventDateTime le 2019-12-27T04:55:48.593Z)"] + "'Sb73e5ba' and tolower(azureTenantId) ne 'b73e5ba8') and " + "(eventDateTime ge 2019-12-27T04:50:48.593Z and eventDateTime le 2019-12-27T04:55:48.593Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -136,10 +141,10 @@ def test_in_comp_exp(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or " - "processes/any(query1:tolower(query1/name) eq 'svchost.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and " - "(eventDateTime ge 2019-12-24T09:50:39.638Z and eventDateTime le 2019-12-24T09:55:39.638Z)"] + "processes/any(query1:tolower(query1/name) eq 'svchost.exe') or " + "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe') or " + "processes/any(query1:tolower(query1/parentProcessName) eq 'svchost.exe'))) and " + "(eventDateTime ge 2019-12-24T09:50:39.638Z and eventDateTime le 2019-12-24T09:55:39.638Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -150,11 +155,11 @@ def test_comb_comparison_exp_1(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["(fileStates/any(query1:tolower(query1/name) eq 'notepad.exe') or " - "(processes/any(query2:tolower(query2/name) eq 'services.exe') or " - "processes/any(query2:tolower(query2/name) eq 'svchost.exe') or " - "processes/any(query2:tolower(query2/parentProcessName) eq 'services.exe') or " - "processes/any(query2:tolower(query2/parentProcessName) eq 'svchost.exe'))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + "(processes/any(query2:tolower(query2/name) eq 'services.exe') or " + "processes/any(query2:tolower(query2/name) eq 'svchost.exe') or " + "processes/any(query2:tolower(query2/parentProcessName) eq 'services.exe') or " + "processes/any(query2:tolower(query2/parentProcessName) eq 'svchost.exe'))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) @@ -166,9 +171,9 @@ def test_comb_comparison_exp_2(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((processes/any(query1:tolower(query1/name) ne 'powershell.exe') and " - "processes/any(query1:tolower(query1/parentProcessName) ne 'powershell.exe')) or " - "networkConnections/any(query2:tolower(query2/sourcePort) eq '454')) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + "processes/any(query1:tolower(query1/parentProcessName) ne 'powershell.exe')) or " + "networkConnections/any(query2:tolower(query2/sourcePort) eq '454')) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -179,10 +184,10 @@ def test_comb_observation_obs(self): query['queries'] = _remove_timestamp_from_query(query['queries']) queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or " - "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and " - "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)", - "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and " - "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"] + "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and " + "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)", + "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and " + "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -194,13 +199,14 @@ def test_comb_observation_obs_qualifier_one(self): query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) - queries = ["((processes/any(query1:query1/processId eq 110) or processes/any(query1:query1/processId eq 220) or " - "processes/any(query1:query1/parentProcessId eq 110) or processes/any(query1:query1/parentProcessId eq 220) or " - "registryKeyStates/any(query1:query1/processId eq 110) or registryKeyStates/any(query1:query1/processId eq 220))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)", - "(userStates/any(query2:query2/logonDateTime eq 2019-09-23T10:43:10.453Z) and " - "networkConnections/any(query3:contains(tolower(query3/sourceAddress), '52.94.233.129'))) and " - "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] + queries = [ + "((processes/any(query1:query1/processId eq 110) or processes/any(query1:query1/processId eq 220) or " + "processes/any(query1:query1/parentProcessId eq 110) or processes/any(query1:query1/parentProcessId eq 220) or " + "registryKeyStates/any(query1:query1/processId eq 110) or registryKeyStates/any(query1:query1/processId eq 220))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)", + "(userStates/any(query2:query2/logonDateTime eq 2019-09-23T10:43:10.453Z) and " + "networkConnections/any(query3:contains(tolower(query3/sourceAddress), '52.94.233.129'))) and " + "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -231,3 +237,29 @@ def test_comb_observation_obs_qualifier_two(self): queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) + + def test_x_ibm_finding(self): + stix_pattern = "[x-ibm-finding:name = 'photos'] AND [x-ibm-finding:finding_type = 'test type'] " \ + "AND [x-ibm-finding:description = 'test description'] AND " \ + "[x-ibm-finding:severity = 'test severity'] AND " \ + "[x-ibm-finding:src_geolocation = 'canada'] AND" \ + "[x-ibm-finding:dst_geolocation = 'us']" + query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + + print(query['queries']) + + queries = ["(tolower(title) eq 'photos') and (eventDateTime ge 2021-10-08T00:18:50.449Z and eventDateTime le " + "2021-10-08T00:23:50.449Z)", + "(tolower(category) eq 'test type') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(tolower(description) eq 'test description') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(tolower(severity) eq 'test severity') and (eventDateTime ge 2021-10-08T00:18:50.449Z and " + "eventDateTime le 2021-10-08T00:23:50.449Z)", + "(networkConnections/any(query5:tolower(query5/sourceLocation) eq 'canada')) and (eventDateTime " + "ge 2021-10-08T00:18:50.449Z and eventDateTime le 2021-10-08T00:23:50.449Z)", + "(networkConnections/any(query6:tolower(query6/destinationLocation) eq 'us')) and (eventDateTime " + "ge 2021-10-08T00:18:50.449Z and eventDateTime le 2021-10-08T00:23:50.449Z)"] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) From 55dc6713a8b9be2ebc46e4152628176aaadcb5dd Mon Sep 17 00:00:00 2001 
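Review bot: `print(query['queries'])` in `test_x_ibm_finding` is a debugging leftover and should be removed. The pattern is built from adjacent string literals and the fifth fragment ends in `AND" \` with no trailing space, so the joined pattern contains `AND[x-ibm-finding:dst_geolocation`; the parser evidently tolerates it, but it is fragile and hard to read — `"[x-ibm-finding:src_geolocation = 'canada'] AND " \` keeps it consistent with the other fragments. The hard-coded timestamps in `queries` are stripped by `_remove_timestamp_from_query`, so they are harmless but could be shortened.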
From: "jingqiu.du" Date: Wed, 13 Oct 2021 22:34:51 -0300 Subject: [PATCH 3/8] change according to comments --- .../stix_translation/json/from_stix_map.json | 2 +- .../stix_translation/json/to_stix_map.json | 19 +++++++++++-------- .../test_azure_sentinel_json_to_stix.py | 2 +- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json index 5356e0942..de2d3637a 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json @@ -64,7 +64,7 @@ }, "software": { "fields": { - "name": ["vendorInformation.provider", "networkConnections.applicationName"], + "name": ["vendorInformation.provider", "networkConnections.applicationName", "hostStates.os"], "vendor": ["vendorInformation.vendor"], "version": ["vendorInformation.providerVersion"] } diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json index 3ff88789d..70f545a80 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json @@ -36,10 +36,6 @@ "object": "finding" }, { - "key": "x-oca-event.outcome", - "object": "event" - }, - { "key": "x-oca-event.category", "object": "event" } 
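Review bot: Adding `hostStates.os` to `software.name` means `[software:name = 'x']` now fans out over `vendorInformation.provider`, `networkConnections.applicationName` and the host OS, so a match no longer indicates which of the three fields matched; that widening is probably intended but changes the meaning of existing patterns and is worth a sentence in the PR description. The precise path for the OS remains `x-ibm-finding:src_os_ref.name`, added earlier in this series, so this generic entry is a convenience rather than a necessity. The `software` object starts before the hunk.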
@@ -49,10 +45,17 @@ "object": "finding" }, "cloudAppStates": { - "destinationServiceName": { - "key": "x-ibm-finding.dst_application_ref.name", - "object": "finding" - }, + "destinationServiceName": [ + { + "key":"software.name", + "object":"software" + }, + { + "key":"x-ibm-finding.dst_application_ref", + "object":"finding", + "references":"software" + } + ], "destinationServiceIp": { "key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceIp", "object": "alert" diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py index e517772af..dd5451f63 100644 --- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py +++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py @@ -158,7 +158,7 @@ def test_custom_property(): assert custom_object_2.keys() == {'type', 'recommendedactions', 'status'} assert custom_object_3.keys() == {'type', 'finding_type', 'createddatetime', 'description', 'time_observed', 'severity', 'name'} assert custom_object_3['name'] == 'Rare SVCHOST service group executed' - assert custom_object_4.keys() == {'type', 'code', 'outcome', 'category', 'created', 'action'} + assert custom_object_4.keys() == {'type', 'code', 'category', 'created', 'action'} assert custom_object_4['category'] == 'SuspiciousSVCHOSTRareGroup' @staticmethod def test_file_process_json_to_stix(): From d926841219803126b00b2c7da4f5346441b8d881 Mon Sep 17 00:00:00 2001 From: "jingqiu.du" Date: Wed, 13 Oct 2021 22:55:04 -0300 Subject: [PATCH 4/8] fix --- .../stix_translation/json/from_stix_map.json | 2 -- .../stix_translation/json/to_stix_map.json | 17 ++++++++++++----- 2 files changed, 12 insertions(+), 7 deletions(-) 
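Review bot: The new lines `"key":"software.name"`, `"object":"software"`, `"key":"x-ibm-finding.dst_application_ref"`, `"object":"finding"` and `"references":"software"` omit the space after the colon that the rest of the file uses; please reformat. The object label `software` is also the generic SCO type name, while the other `software.name` entries in this series use `application`; a label that names the role (for example `dst_application`) would make it clear that this is a distinct object from the one `networkConnections.applicationName` fills. The `references` construction itself is the right way to populate `dst_application_ref`.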
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json index de2d3637a..704f4a87a 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json @@ -166,12 +166,10 @@ "time_observed": ["lastModifiedDateTime"] } }, - "x-oca-event": { "fields": { "action": ["title"], "code": ["id"], - "outcome": ["category"], "category": ["category"], "created": ["createdDateTime"], "provider": ["vendorInformation.subProvider"], diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json index 70f545a80..420c88afe 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json @@ -179,10 +179,16 @@ "key": "x-msazure-sentinel-alert.hostStates.isHybridAzureDomainJoined", "object": "alert" }, - "os": { - "key": "x-ibm-finding.src_os_ref.name", - "object": "finding" - }, + "os": [ + { + "key": "x-ibm-finding.src_os_ref.name", + "object": "finding" + }, + { + "key": "software.name", + "object": "application" + } + ], "privateIpAddress": { "key": "ipv4-addr.value" }, @@ -237,7 +243,8 @@ }, "networkConnections": { "applicationName": { - "key": "software.name" + "key": "software.name", + "object": "application" }, "destinationAddress": [ { From 41246539f97ca9bda3400b4dc82e6cc0b1a1a5ab Mon Sep 17 00:00:00 2001 From: "jingqiu.du" Date: Fri, 19 Nov 2021 22:49:06 -0400 Subject: [PATCH 5/8] fix more fields Nov19 --- .../stix_translation/json/from_stix_map.json | 13 +++-- .../stix_translation/json/to_stix_map.json | 10 ++-- .../test_azure_sentinel_stix_to_query.py | 50 +++++++++++++------ 3 files changed, 47 insertions(+), 26 deletions(-) 
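Review bot: The new `os` array writes `x-ibm-finding.src_os_ref.name` under `finding`, which creates a nested object beneath a `_ref` property instead of a reference, and its `software.name` entry uses `"object": "application"`, the same label `networkConnections.applicationName` receives in the next hunk of this file (and that `vendorInformation.provider` appears to use, judging by the `"object": "application"` context in the earlier `to_stix_map.json` hunk). If objects are grouped by label, as the `references` entry from the previous commit assumes, the OS name and the application name overwrite each other in one `software` object. Give the OS its own label and reference it from the finding, mirroring the `cloudAppStates.destinationServiceName` shape.
```json
"os": [
  {
    "key": "software.name",
    "object": "src_os"
  },
  {
    "key": "x-ibm-finding.src_os_ref",
    "object": "finding",
    "references": "src_os"
  }
],
```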
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json index 704f4a87a..addda428a 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json @@ -1,7 +1,12 @@ { "ipv4-addr": { "fields": { - "value": ["networkConnections.sourceAddress", "networkConnections.destinationAddress"] + "value": [ + "networkConnections.sourceAddress", + "networkConnections.destinationAddress", + "networkConnections.natSourceAddress", + "networkConnections.natDestinationAddress" + ] } }, "ipv6-addr": { @@ -11,8 +16,8 @@ }, "network-traffic": { "fields": { - "src_port": ["networkConnections.sourcePort"], - "dst_port": ["networkConnections.destinationPort"], + "src_port": ["networkConnections.sourcePort", "networkConnections.natSourcePort"], + "dst_port": ["networkConnections.destinationPort", "networkConnections.natDestinationPort"], "protocols[*]": ["networkConnections.protocol"], "src_ref.value": ["networkConnections.sourceAddress"], "dst_ref.value": ["networkConnections.destinationAddress"] @@ -56,7 +61,7 @@ }, "user-account": { "fields": { - "user_id": ["userStates.accountName", "processes.accountName"], + "user_id": ["userStates.accountName", "processes.accountName", "userStates.aadUserId"], "account_login": ["userStates.logonId"], "account_type": ["userStates.userAccountType"], "account_last_login": ["userStates.logonDateTime"] diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json index 420c88afe..2293f041e 100644 --- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json 
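Review bot: `ipv4-addr.value` now also resolves to `networkConnections.natSourceAddress`/`natDestinationAddress` and `src_port`/`dst_port` to the NAT ports, but `network-traffic.src_ref.value`/`dst_ref.value` in the same object still list only `sourceAddress`/`destinationAddress`, so `[network-traffic:src_ref.value = X]` and `[ipv4-addr:value = X]` search different field sets. Folding the NAT port into `src_port` also means `[network-traffic:src_port = 443]` matches either the pre- or post-NAT port with no way to tell them apart, and the result side on this page sends the NAT addresses to `x-ibm-finding.src_ip_ref.value` rather than to an `ipv4-addr`, so query and result are asymmetric for these fields. Either add the NAT fields to `src_ref.value`/`dst_ref.value` as well, or keep NAT data only on the `x-ibm-finding` attributes and note the choice in the PR description. The `network-traffic` and `user-account` objects start before their hunks.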
@@ -3,10 +3,6 @@
 {
 "key": "first_observed",
 "cybox": false
- },
- {
- "key": "last_observed",
- "cybox": false
 }
 ],
 "event_count": {
@@ -40,9 +36,9 @@
 "object": "event"
 }
 ],
- "closedDateTime": {
- "key": "x-ibm-finding.closedDateTime",
- "object": "finding"
+ "closedDateTime":{
+ "key": "last_observed",
+ "cybox": false
 },
 "cloudAppStates": {
 "destinationServiceName": [
diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
index 25cf0a093..7c6c4f2b9 100644
--- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
+++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
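Review bot: `last_observed` is now sourced from `closedDateTime`, a field that only exists once an analyst has closed the alert, so every open alert (the ones a SOC is actually querying) yields an observed-data object with no `last_observed`, which STIX requires, while the entry removed in the hunk above previously supplied it from the same timestamp key as `first_observed` (that key sits above the hunk). `closedDateTime` is also a triage time rather than the end of the observed activity, so on closed alerts it stretches the observation window by however long the alert sat in the queue. Restore the `{ "key": "last_observed", "cybox": false }` entry on the original timestamp and map `closedDateTime` to a custom property such as `x-msazure-sentinel-alert.closedDateTime` instead, or at minimum verify that the translator falls back to `first_observed` when `closedDateTime` is null.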
@@ -55,12 +55,22 @@ def test_network_comp_exp(self):
 query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])

- queries = ["((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) or "
- "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) or "
- "hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') or "
- "hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') or "
- "userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22'))) "
- "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"]
+ queries = [
+ "((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) "
+ "or networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) "
+ "or hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') "
+ "or hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') "
+ "or userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22') "
+ "or networkConnections/any(query1:tolower(query1/natSourceAddress) eq '172.16.2.22') "
+ "or networkConnections/any(query1:tolower(query1/natDestinationAddress) eq '172.16.2.22'))) "
+ "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"
+ ]
+ # queries = ["((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) or "
+ # "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) or "
+ # "hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') or "
+ # "hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') or "
+ # "userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22'))) "
+ # "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 
2019-09-23T10:43:10.453Z)"]
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)

@@ -170,10 +180,12 @@ def test_comb_comparison_exp_2(self):
 query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
- queries = ["((processes/any(query1:tolower(query1/name) ne 'powershell.exe') and "
- "processes/any(query1:tolower(query1/parentProcessName) ne 'powershell.exe')) or "
- "networkConnections/any(query2:tolower(query2/sourcePort) eq '454')) and "
- "(eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"]
+ queries = ["((processes/any(query1:tolower(query1/name) ne 'powershell.exe') "
+ "and processes/any(query1:tolower(query1/parentProcessName) "
+ "ne 'powershell.exe')) "
+ "or (networkConnections/any(query2:tolower(query2/sourcePort) eq '454') "
+ "or networkConnections/any(query2:tolower(query2/natSourcePort) eq '454'))) "
+ "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"]
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)
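Review bot: The expectation pinned in test_network_comp_exp mixes `contains(tolower(query1/sourceAddress), '172.16.2.22')` for the original addresses with `tolower(query1/natSourceAddress) eq '172.16.2.22'` for the NAT ones, so one `ipv4-addr:value` pattern does a substring match on two fields (which also returns `172.16.2.220` through `172.16.2.229` and any longer prefix match) and an exact match on the other two. The operator choice presumably comes from a per-field list in the query translator outside this diff; either add the NAT fields to that list so all four behave alike or, better, switch the original address fields to `eq` so an IP search cannot over-match, and update this expected string to whichever is chosen. The test method starts before the hunk, so the `stix_pattern` it feeds in is not visible here.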
@@ -183,11 +195,19 @@ def test_comb_observation_obs(self):
 query = translation.translate('azure_sentinel', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
- queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or "
- "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and "
- "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)",
- "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and "
- "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"]
+ queries = [
+ "((processes/any(query1:tolower(query1/name) eq 'services.exe') "
+ "or processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) "
+ "and (eventDateTime ge 2021-11-20T02:39:16.342Z and eventDateTime le 2021-11-20T02:44:16.342Z)",
+ "((networkConnections/any(query2:tolower(query2/destinationPort) ge '100') "
+ "or networkConnections/any(query2:tolower(query2/natDestinationPort) ge '100'))) "
+ "and (eventDateTime ge 2021-11-20T02:39:16.343Z and eventDateTime le 2021-11-20T02:44:16.343Z)"
+ ]
+ # queries = ["((processes/any(query1:tolower(query1/name) eq 'services.exe') or "
+ # "processes/any(query1:tolower(query1/parentProcessName) eq 'services.exe'))) and "
+ # "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)",
+ # "(networkConnections/any(query2:tolower(query2/destinationPort) ge '100')) and "
+ # "(eventDateTime ge 2021-03-23T19:07:25.737Z and eventDateTime le 2021-03-23T19:12:25.737Z)"]
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)
From 4b3f115d5b243371cf28ff9338c6fa4b87a5bdfd Mon Sep 17 00:00:00 2001
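Review bot: The two new expected strings in test_comb_observation_obs carry timestamps that differ by one millisecond (`02:39:16.342Z` versus `02:39:16.343Z`), which looks like the expectation was pasted from the translator's live output rather than written from the pattern, so the assertion is only as trustworthy as the run that produced it. Since `_remove_timestamp_from_query` strips the timestamps anyway, rewriting them from 2021-03-23 to 2021-11-20 is noise; keep one fixed, obviously synthetic window in both strings so the next reader does not repeat the copy-paste. The old expectation is also kept as a five-line commented-out block that the later "fix test" patch in this series does not touch; it should be deleted, since git history already holds it. The enclosing method starts before the hunk.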
From: "jingqiu.du"
Date: Sat, 27 Nov 2021 19:33:39 -0400
Subject: [PATCH 6/8] fix according to comments on Nov 23
---
 .../stix_translation/json/from_stix_map.json | 3 ++-
 .../stix_translation/json/to_stix_map.json | 9 ++-------
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
index addda428a..a07b85e3b 100644
--- a/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
+++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/from_stix_map.json
@@ -69,7 +69,7 @@
 },
 "software": {
 "fields": {
- "name": ["vendorInformation.provider", "networkConnections.applicationName", "hostStates.os"],
+ "name": ["vendorInformation.provider"],
 "vendor": ["vendorInformation.vendor"],
 "version": ["vendorInformation.providerVersion"]
 }
@@ -122,6 +122,7 @@
 "malwareStates.name": ["malwareStates.family"],
 "malwareStates.severity": ["malwareStates.family"],
 "malwareStates.wasRunning": ["malwareStates.family"],
+ "networkConnections.applicationName": ["networkConnections.applicationName"],
 "networkConnections.direction": ["networkConnections.direction"],
 "networkConnections.domainRegisteredDateTime": ["networkConnections.domainRegisteredDateTime"],
 "networkConnections.localDnsName": ["networkConnections.localDnsName"],
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
index 2293f041e..bf92167c7 100644
--- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
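Review bot: Dropping `networkConnections.applicationName` and `hostStates.os` from `software:name` makes the from-STIX side disagree with to_stix_map, which as of the earlier patch in this series still emits `software.name` from both of those fields, so an analyst who pivots on a `software` object returned by one query gets no hits when they search `software:name = '<that value>'`. If the intent is that application names are only reachable through the custom property added in the second hunk, the module documentation should say so; otherwise keep `"name": ["vendorInformation.provider", "networkConnections.applicationName", "hostStates.os"],` and narrow the to-STIX side instead so the two maps round-trip. Separately, the context lines beside the new `networkConnections.applicationName` entry map `malwareStates.severity` and `malwareStates.wasRunning` to `malwareStates.family`, which looks like a copy-paste slip and deserves a follow-up fix.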
@@ -26,16 +26,11 @@
 "key": "x-msazure-sentinel-alert.assignedTo",
 "object": "alert"
 },
- "category": [
- {
- "key": "x-ibm-finding.finding_type",
- "object": "finding"
- },
- {
+ "category": {
 "key": "x-oca-event.category",
 "object": "event"
 }
- ],
+ ,
 "closedDateTime":{
 "key": "last_observed",
 "cybox": false
From 5e8e7dd4b54d6a8afd5bfc8cbf69f75ca50dcba9 Mon Sep 17 00:00:00 2001
From: "jingqiu.du"
Date: Sat, 27 Nov 2021 19:45:15 -0400
Subject: [PATCH 7/8] fix test
---
 .../stix_translation/test_azure_sentinel_json_to_stix.py | 2 +-
 .../test_azure_sentinel_stix_to_query.py | 9 ---------
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
index dd5451f63..6d0d55f53 100644
--- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
+++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_json_to_stix.py
@@ -156,7 +156,7 @@ def test_custom_property():
 assert custom_object_2 is not None, 'Custom object type not found'
 assert custom_object_2.keys() == {'type', 'recommendedactions', 'status'}
- assert custom_object_3.keys() == {'type', 'finding_type', 'createddatetime', 'description', 'time_observed', 'severity', 'name'}
+ assert custom_object_3.keys() == {'type', 'createddatetime', 'description', 'time_observed', 'severity', 'name'}
 assert custom_object_3['name'] == 'Rare SVCHOST service group executed'
 assert custom_object_4.keys() == {'type', 'code', 'category', 'created', 'action'}
 assert custom_object_4['category'] == 'SuspiciousSVCHOSTRareGroup'
diff --git a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
index 7c6c4f2b9..d5564bfaa 100644
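Review bot: The comma that closes the new `category` entry is left on a line of its own after the closing brace, which is valid JSON but reads as a leftover of the deleted array and is the kind of stray token that gets dropped or doubled in the next edit. Fold it into the closing line, i.e. replace the `}` and the lone `,` with `},`, matching how every other entry in the file is terminated. The `closedDateTime` lines below are context here; this hunk does not change them.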
--- a/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
+++ b/stix_shifter_modules/azure_sentinel/tests/stix_translation/test_azure_sentinel_stix_to_query.py
@@ -58,19 +58,10 @@ def test_network_comp_exp(self):
 queries = [
 "((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) "
 "or networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) "
- "or hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') "
- "or hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') "
- "or userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22') "
 "or networkConnections/any(query1:tolower(query1/natSourceAddress) eq '172.16.2.22') "
 "or networkConnections/any(query1:tolower(query1/natDestinationAddress) eq '172.16.2.22'))) "
 "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"
 ]
- # queries = ["((networkConnections/any(query1:contains(tolower(query1/sourceAddress), '172.16.2.22')) or "
- # "networkConnections/any(query1:contains(tolower(query1/destinationAddress), '172.16.2.22')) or "
- # "hostStates/any(query1:tolower(query1/publicIpAddress) eq '172.16.2.22') or "
- # "hostStates/any(query1:tolower(query1/privateIpAddress) eq '172.16.2.22') or "
- # "userStates/any(query1:tolower(query1/logonIp) eq '172.16.2.22'))) "
- # "and (eventDateTime ge 2019-09-10T08:43:10.003Z and eventDateTime le 2019-09-23T10:43:10.453Z)"]
 queries = _remove_timestamp_from_query(queries)
 self._test_query_assertions(query, queries)

From c6ef67a73b723dba20bb71bcf8974f97ad24e50f Mon Sep 17 00:00:00 2001
From: "jingqiu.du"
Date: Fri, 10 Dec 2021 10:01:34 -0400
Subject: [PATCH 8/8] fix typo issue
---
 .../azure_sentinel/stix_translation/json/to_stix_map.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
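Review bot: The expectation now drops the `hostStates/publicIpAddress`, `hostStates/privateIpAddress` and `userStates/logonIp` terms, so an `ipv4-addr:value = '<ip>'` search is asserted to reach only alerts where the address appears in `networkConnections`; an alert whose only trace of the IP is the affected host's own address or the logon source IP is no longer returned, which is a query-coverage loss that a commit titled "fix test" does not advertise. That matches the `ipv4-addr.value` list in from_stix_map as shown earlier in this series, which holds only the four `networkConnections.*` fields, so if the old terms were ever correct the fix belongs in the mapping rather than the test: add `"hostStates.publicIpAddress"`, `"hostStates.privateIpAddress"` and `"userStates.logonIp"` to that list and restore these three expected terms. If the narrowing is deliberate, the commit message should say so. The test method starts before the hunk.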
diff --git a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
index bf92167c7..89f83d5d9 100644
--- a/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/azure_sentinel/stix_translation/json/to_stix_map.json
@@ -75,7 +75,7 @@
 "object": "finding"
 },
 {
- "key": "x-oca-eventg.created",
+ "key": "x-oca-event.created",
 "object": "event"
 }
 ],