Merge branch 'develop' into intezer-connector

stix_shifter_modules/gcp_chronicle/README.md

@@ -56,8 +56,8 @@ translate gcp_chronicle query '{}' "[process:name = 'powershell.exe' AND file:ha
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 query
 " { \"ruleText\": \"rule cp4s_gcp_udi_rule_1659699862 { meta: author = \\"ibm cp4s user\\" description = \\"Create event rule that should generate detections\\" events: ($udm.src.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase or $udm.target.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase or $udm.src.process.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase or $udm.target.process.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase or $udm.principal.process.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase or $udm.about.file.sha1 = \\"ded8fd7f36417f66eb6ada10e0c0d7c0022986e9\\" nocase) and ($udm.src.process.file.full_path = /(?s)powershell\\.exe/ nocase or $udm.target.process.file.full_path = /(?s)powershell\\.exe/ nocase or $udm.principal.process.file.full_path = /(?s)powershell\\.exe/ nocase or $udm.target.process.parent_process.file.full_path = /(?s)powershell\\.exe/ nocase or $udm.principal.process.parent_process.file.full_path = /(?s)powershell\\.exe/ nocase) condition: $udm}\", \"startTime\": \"2022-06-05T16:43:26.000Z\", \"endTime\": \"2022-06-10T16:43:26.003Z\" }"
 ```
@@ -74,8 +74,8 @@ query
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 status
 "oh_cda1ea4f-87d8-4f21-b80c-9eb3c5e8bf6d:ru_2fec7add-f727-41e1-a839-9de344d2a98d"
 ```
@@ -93,8 +93,8 @@ status
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 results
 "oh_cda1ea4f-87d8-4f21-b80c-9eb3c5e8bf6d:ru_2fec7add-f727-41e1-a839-9de344d2a98d" 0 1
 ```
@@ -369,8 +369,8 @@ translate gcp_chronicle query '{}' "[x-ibm-finding:finding_type = 'threat' AND x
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 query
 "{ \"ruleText\": \"rule cp4s_gcp_udi_rule_1659715234 { meta: author = \\"ibm cp4s user\\" description = \\"Create event rule that should generate detections\\" events: $udm.metadata.event_type = \\"EMAIL_TRANSACTION\\" and (any $udm.security_result.category = \\"SOFTWARE_MALICIOUS\\" or any $udm.security_result.category = \\"SOFTWARE_PUA\\" or any $udm.security_result.category = \\"NETWORK_MALICIOUS\\" or any $udm.security_result.category = \\"MAIL_SPAM\\" or any $udm.security_result.category = \\"MAIL_PHISHING\\" or any $udm.security_result.category = \\"MAIL_SPOOFING\\") condition: $udm}\", \"startTime\": \"2022-06-21T16:43:26.000Z\", \"endTime\": \"2022-06-24T16:43:26.003Z\" }"
 ```
@@ -388,8 +388,8 @@ query
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 status
 "oh_7111ae97-b1bc-4393-a305-ec88dd13fbb2:ru_d9341b46-4cea-4cbc-9890-5dabe1d2b62f"
 ```
@@ -408,8 +408,8 @@ status
 ```shell
 transmit
 gcp_chronicle
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 results
 "oh_7111ae97-b1bc-4393-a305-ec88dd13fbb2:ru_d9341b46-4cea-4cbc-9890-5dabe1d2b62f" 0 1
 ```
@@ -661,8 +661,8 @@ execute
 gcp_chronicle
 gcp_chronicle
 "{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"gcp_chronicle\",\"identity_class\":\"events\",\"created\":\"2022-08-05T13:22:50.336Z\",\"modified\":\"2022-08-05T13:22:50.336Z\"}"
-"{\"host\":\"xx.xx.xx\",\"selfSignedCert\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}"
-"{\"auth\":{ \"client_email\": \"xyz.com\"}}"
+"{\"host\":\"xx.xx.xx\"}"
+"{\"auth\":{ \"client_email\": \"xyz.com\",\"private_key\": \"-----BEGIN PRIVATE KEY-----\nxxx\n-----END PRIVATE KEY-----\n\"}}"
 "[ipv4-addr:value = '1.0.0.1' AND network-traffic:src_port = '52221'] START t'2022-06-06T00:00:00.000000Z' STOP t'2022-06-15T00:00:00.000000Z'"
 ```
 #### STIX Execute query - output
@@ -841,7 +841,7 @@ translate gcp_chronicle query '{}' "([file:hashes.'SHA-1' = '6cbce4a295c163791b6
 Reference: [Managing rules using the Rules Editor](#https://cloud.google.com/chronicle/docs/detection/manage-all-rules)
 
 ### Observations
-- The private_key value which is used for authentication should be passed in selfSignedCert field
+
 - It is recommended to use LIKE operator for substring match and MATCHES operator for regular expression match.
 - Supported values for the stix attribute x-ibm-finding:severity is 16,32,48,64,80,100. This has been mapped with chronicle severity value 'INFORMATIONAL','ERROR',LOW','MEDIUM','HIGH','CRITICAL' correspondingly.
 

stix_shifter_modules/gcp_chronicle/configuration/config.json

@@ -11,18 +11,17 @@
 		"help": {
 			"type": "link",
 			"default": "data-sources.html"
-		},
-		"selfSignedCert": {
-			"type": "password"
 		}
 	},
 	"configuration": {
 		"auth": {
 			"type": "fields",
 			"client_email": {
+				"type": "text"
+			},
+			"private_key": {
 				"type": "password"
 			}
-
 		}
 	}
 }

stix_shifter_modules/gcp_chronicle/configuration/lang_en.json

@@ -7,17 +7,17 @@
         "help": {
             "label": "Need additional help?",
             "description": "More details on the data source setting can be found in the specified link"
-        },
-         "selfSignedCert": {
-                "label": "Private key (Required)",
-                "description": "Private Key is a mandatory authentication parameter to communicate with the GCP Chronicle security datasource."
-            }
+        }
     },
     "configuration": {
         "auth": {
             "client_email": {
-                "label": "Client email",
-                "description": "Client email used in authentication to make API calls"
+                "label": "Client Email",
+                "description": "Client Email used in authentication to make API calls"
+            },
+            "private_key": {
+                "label": "Private Key",
+                "description": "Private Key is a authentication parameter used to communicate with the GCP Chronicle security datasource."
             }
         }
     }

stix_shifter_modules/gcp_chronicle/stix_transmission/api_client.py

@@ -7,6 +7,7 @@
 from stix_shifter_utils.utils import logger
 from stix_shifter_utils.utils.error_response import ErrorResponder
 
+
 class InvalidResponseException(Exception):
     pass
 
@@ -18,7 +19,7 @@ class APIClient:
 
     def __init__(self, connection, configuration):
         self.auth = configuration.get('auth')
-        self.auth['private_key'] = connection.get('selfSignedCert').replace('\\n', '\n')
+        self.auth['private_key'] = self.auth.get('private_key').replace('\\n', '\n')
         self.auth['token_uri'] = self.URI
         self.host = "https://" + connection.get('host')
         self.result_limit = connection['options'].get('result_limit')

stix_shifter_modules/gcp_chronicle/tests/stix_transmission/test_gcp_chronicle.py

@@ -20,15 +20,15 @@ class TestGCPChronicleConnection(unittest.TestCase, object):
     @staticmethod
     def connection():
         return {
-            "host": "hostbla",
-            "selfSignedCert": "hostbla"
+            "host": "hostbla"
         }
 
     @staticmethod
     def configuration():
         return {
             "auth": {
-                "client_email": "hostbla"
+                "client_email": "hostbla",
+                "private_key": "privatebla"
             }
         }
 
@@ -179,7 +179,6 @@ def test_result_with_metadata_in_response(self, mock_http):
         mock_http.side_effect = [mocked_result_response, mocked_delete_response]
         connection_with_result_limit = {
             "host": "hostbla",
-            "selfSignedCert": "hostbla",
             "options": {"result_limit": 3}
         }
         transmission = stix_transmission.StixTransmission('gcp_chronicle', connection_with_result_limit,