Conditional mappings #1362
Is your feature request related to a problem? Please describe.
stix-shifter "to_stix_map" mappings are currently "dumb", meaning that they map a native result field to a STIX property regardless of any sort of context. This causes problems sometimes, like with QRadar always creating a network-traffic object (as shown in #205 (comment)).

Describe the solution you'd like
Each mapping could support a "condition" field where the conditions required for the mapping to be valid are described with simple boolean logic. No "condition" field would mean the mapping is always valid, in order to maintain backwards compatibility.
As an example, QRadar's "sourceip" field could be mapped like this:
I've added the "condition" to the network-traffic.src_ref mapping. Without the condition, every QRadar result will create a network-traffic object, even if the event is not describing an actual network connection. In the example, a network-traffic object would only get created for certain Windows events that correspond to actual network connections being made.

This example is only for illustration, because it's specific to Windows events. For the real QRadar mapping, QRadar high-level categories should probably be used as suggested in #205.
Describe alternatives you've considered
I don't have any alternatives at the moment.
Additional context
N/A
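The behaviour proposed above, as an added illustration that is not stix-shifter's own code: a minimal mapper that applies a to_stix_map-style table where each mapping may carry an optional "condition", so a network-traffic object is only emitted when the condition holds, while mappings without one keep firing unconditionally. The condition syntax (field/op/value leaves combined with "all"/"any"), the sample mapping table, the simplified reference handling and the Windows event IDs used as sample data are all assumptions made for this example.

```python
import operator

# Constructed sample mapping table in the spirit of the proposal. The "condition"
# syntax is an assumption for this example, not stix-shifter's actual format.
# The event IDs are illustrative "Windows events that describe a connection".
SAMPLE_MAP = {
    "sourceip": [
        {"key": "ipv4-addr.value", "object": "src_ip"},
        {"key": "network-traffic.src_ref", "object": "nt", "references": "src_ip",
         "condition": {"any": [{"field": "eventid", "op": "in", "value": [5156, 5157]}]}},
    ],
    "username": [{"key": "user-account.user_id", "object": "user"}],
}

# Comparison operators allowed in a condition leaf.
OPS = {"eq": operator.eq, "ne": operator.ne, "in": lambda a, b: a in b}


def condition_holds(cond, result):
    """Evaluate a condition against one native result row."""
    if cond is None:
        return True  # no "condition" field: mapping is always valid (backwards compatible)
    if "all" in cond:
        return all(condition_holds(c, result) for c in cond["all"])
    if "any" in cond:
        return any(condition_holds(c, result) for c in cond["any"])
    return OPS[cond["op"]](result.get(cond["field"]), cond["value"])


def apply_mappings(result, stix_map):
    """Build STIX-like objects from a native result, honouring per-mapping conditions."""
    objects = {}
    for field, mappings in stix_map.items():
        if field not in result:
            continue
        for m in mappings:
            if not condition_holds(m.get("condition"), result):
                continue  # mapping skipped for this row: no object created
            obj_type, prop = m["key"].split(".", 1)
            obj = objects.setdefault(m["object"], {"type": obj_type})
            # Simplified reference handling: a *_ref property stores the target object's name.
            obj[prop] = m["references"] if "references" in m else result[field]
    return objects


if __name__ == "__main__":
    # Constructed rows: a firewall-style connection event and an unrelated logon event.
    print(apply_mappings({"sourceip": "10.0.0.5", "eventid": 5156, "username": "alice"}, SAMPLE_MAP))
    print(apply_mappings({"sourceip": "10.0.0.5", "eventid": 4624, "username": "alice"}, SAMPLE_MAP))
```

The first row produces a network-traffic object, the second only the ipv4-addr and user-account objects.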