
QRadar - Remove Zero Values from IP and Mac Results #1468

Conversation

KaneBrennan132 (Contributor) opened this pull request:

Addition of checks on the JSON results for zero values amongst the IP and MAC addresses. As this data is irrelevant, it should be filtered out in order to provide more correct results in a smaller size. Sets them to None.

Addition of a unit test for these values.

codecov bot commented May 5, 2023

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.01 🎉

Comparison is base (05e7dd7) 85.44% compared to head (7e4e466) 85.45%.

❗ Current head 7e4e466 differs from pull request most recent head 493134d. Consider uploading reports for the commit 493134d to get more accurate results

Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #1468      +/-   ##
===========================================
+ Coverage    85.44%   85.45%   +0.01%     
===========================================
  Files          618      618              
  Lines        46888    46926      +38     
===========================================
+ Hits         40064    40102      +38     
  Misses        6824     6824              
Impacted Files Coverage Δ
...ules/qradar/stix_translation/results_translator.py 92.10% <100.00%> (+9.75%) ⬆️
...tests/stix_translation/test_qradar_json_to_stix.py 100.00% <100.00%> (ø)


Review comment on the added test code:

```python
objects = observed_data['objects']
ipv4_addr = TestTransform.get_first_of_type(objects.values(), 'ipv4-addr')
assert(ipv4_addr is None)
```

Collaborator:

These tests are good. Can you confirm that in these cases, the network-traffic object isn't referencing a missing ipv4 or ipv6 object (as either src_ref or dst_ref) because it was only contained zeros?

Contributor Author (KaneBrennan132):

The network-traffic object does not reference a missing ipv4 or ipv6 object (as either src_ref or dst_ref) after these changes. As an example, I can provide one from my testing.

Here is an example from before the changes:

```json
{
  "id": "observed-data--98a6d37c-4eea-4a8b-9cd1-338dd585001e",
  "type": "observed-data",
  "created_by_ref": "identity--5f7315e6-f5da-4a0c-9418-1a205b31a9cb",
  "created": "2023-04-24T09:22:09.303Z",
  "modified": "2023-04-24T09:22:09.303Z",
  "objects": {
    "0": {
      "type": "x-oca-event",
      "action": "Deny protocol src",
      "outcome": "Firewall Deny",
      "category": ["Access"],
      "provider": "Cisco Firewall Services Module (FWSM)",
      "agent": "FWSM @ 127.0.0.1",
      "created": "2023-04-24T08:59:09.008Z",
      "network_ref": "4",
      "host_ref": "5",
      "original_ref": "10"
    },
    "1": {
      "type": "x-qradar",
      "qid": 3503015,
      "category_id": 4003,
      "high_level_category_id": 4000,
      "log_source_id": 262,
      "device_type": 31,
      "direction": "R2R",
      "credibility": 5,
      "relevance": 1,
      "cre_event_list": ["100022", "100090", "100153", "100135", "100093", "100241", "100249", "100246", "104955", "107055", "100211", "100207", "100205"],
      "domain_id": 0,
      "domain_name": "Default Domain",
      "has_offense": "false"
    },
    "2": {
      "type": "x-ibm-finding",
      "start": "2023-04-24T08:59:09.008Z",
      "end": "2023-04-24T08:59:09.008Z",
      "src_ip_ref": "3",
      "dst_ip_ref": "7",
      "event_count": 1,
      "finding_type": "event",
      "magnitude": 4,
      "severity": 6,
      "src_geolocation": "other",
      "dst_geolocation": "other",
      "rule_names": [
        "BB:ProtocolDefinition: Windows Protocols",
        "BB:NetworkDefinition: Honeypot like Addresses",
        "BB:CategoryDefinition: Suspicious Event Categories",
        "BB:CategoryDefinition: Suspicious Events",
        "BB:CategoryDefinition: Firewall or ACL Denies",
        "BB:DeviceDefinition: FW / Router / Switch",
        "BB:NetworkDefinition: Darknet Addresses",
        "Load Basic Building Blocks",
        "BB:UBA : Common Log Source Filters",
        "BB:UBA : Access Denies",
        "Source Asset Weight is Low",
        "Source Address is a Bogon IP",
        "Destination Asset Weight is Low"
      ]
    },
    "3": { "type": "ipv4-addr", "value": "0.0.0.0", "resolves_to_refs": ["6"] },
    "4": { "type": "network-traffic", "src_ref": "3", "src_port": 1234, "dst_ref": "7", "dst_port": 1234, "protocols": ["udp"] },
    "6": { "type": "mac-addr", "value": "00:00:00:00:00:00" },
    "7": { "type": "ipv4-addr", "value": "0.0.0.0", "resolves_to_refs": ["8"] },
    "8": { "type": "mac-addr", "value": "00:00:00:00:00:00" },
    "9": { "type": "ipv4-addr", "value": "0.0.0.0" },
    "10": {
      "type": "artifact",
      "payload_bin": "JUZXU00tNC0xMDYwMjM6IERlbnkgdWRwIHNyYyBvdXRzaWRlOjAuMC4wLjAvMTIzNCBkc3QgaW5zaWRlLTEwNDowLjAuMC4wLzEyMzQgYnkgYWNjZXNzLWdyb3VwICJJTlNJREVfT1VUIg0K",
      "mime_type": "text/plain"
    }
  },
  "first_observed": "2023-04-24T08:59:09.008Z",
  "last_observed": "2023-04-24T08:59:09.008Z",
  "number_observed": 1
}
```

After the changes, the bundle is now like this:

```json
{
  "id": "observed-data--e9bc98c9-3c21-4cc1-8f47-0a482e1ab671",
  "type": "observed-data",
  "created_by_ref": "identity--2f68d422-8ed9-4d90-a1c2-4d72db5cbb67",
  "created": "2023-04-24T09:04:51.393Z",
  "modified": "2023-04-24T09:04:51.393Z",
  "objects": {
    "0": {
      "type": "x-oca-event",
      "action": "Deny protocol src",
      "outcome": "Firewall Deny",
      "category": ["Access"],
      "provider": "Cisco Firewall Services Module (FWSM)",
      "agent": "FWSM @ 127.0.0.1",
      "created": "2023-04-24T08:59:09.008Z",
      "original_ref": "4"
    },
    "1": {
      "type": "x-qradar",
      "qid": 3503015,
      "category_id": 4003,
      "high_level_category_id": 4000,
      "log_source_id": 262,
      "device_type": 31,
      "direction": "R2R",
      "credibility": 5,
      "relevance": 1,
      "cre_event_list": ["100022", "100090", "100153", "100135", "100093", "100241", "100249", "100246", "104955", "107055", "100211", "100207", "100205"],
      "domain_id": 0,
      "domain_name": "Default Domain",
      "has_offense": "false"
    },
    "2": {
      "type": "x-ibm-finding",
      "start": "2023-04-24T08:59:09.008Z",
      "end": "2023-04-24T08:59:09.008Z",
      "event_count": 1,
      "finding_type": "event",
      "magnitude": 4,
      "severity": 6,
      "src_geolocation": "other",
      "dst_geolocation": "other",
      "rule_names": [
        "BB:ProtocolDefinition: Windows Protocols",
        "BB:NetworkDefinition: Honeypot like Addresses",
        "BB:CategoryDefinition: Suspicious Event Categories",
        "BB:CategoryDefinition: Suspicious Events",
        "BB:CategoryDefinition: Firewall or ACL Denies",
        "BB:DeviceDefinition: FW / Router / Switch",
        "BB:NetworkDefinition: Darknet Addresses",
        "Load Basic Building Blocks",
        "BB:UBA : Common Log Source Filters",
        "BB:UBA : Access Denies",
        "Source Asset Weight is Low",
        "Source Address is a Bogon IP",
        "Destination Asset Weight is Low"
      ]
    },
    "3": { "type": "network-traffic", "src_port": 1234, "dst_port": 1234, "protocols": ["udp"] },
    "4": {
      "type": "artifact",
      "payload_bin": "JUZXU00tNC0xMDYwMjM6IERlbnkgdWRwIHNyYyBvdXRzaWRlOjAuMC4wLjAvMTIzNCBkc3QgaW5zaWRlLTEwNDowLjAuMC4wLzEyMzQgYnkgYWNjZXNzLWdyb3VwICJJTlNJREVfT1VUIg0K",
      "mime_type": "text/plain"
    }
  },
  "first_observed": "2023-04-24T08:59:09.008Z",
  "last_observed": "2023-04-24T08:59:09.008Z",
  "number_observed": 1
}
```

The network-traffic object does not reference any missing ipv4 object after the changes.

I'll add to the test to check that there are no references.
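The two things this thread is about, filtering all-zero IP and MAC values out of the QRadar result row before translation (the PR description) and checking that the resulting observed-data object carries no dangling src_ref/dst_ref (the reviewer's question), as an added example. This is not stix-shifter's own code: the QRadar field names (sourceip, sourcemac, ...) and the sample row and observed-data objects are constructed for illustration, modelled on the shapes shown in the comments above, and the reference check generalises to every *_ref and *_refs property rather than only the network-traffic ones.

```python
"""Added example, not stix-shifter's code: null all-zero IP/MAC values in a
QRadar-style result row, and detect dangling references in a STIX observed-data
object after translation."""
import ipaddress
import re

# Assumed QRadar field names (hypothetical; the project's own mapping may differ).
IP_FIELDS = ("sourceip", "destinationip", "identityip")
MAC_FIELDS = ("sourcemac", "destinationmac")
# Matches 00:00:00:00:00:00, 00-00-00-00-00-00 and 000000000000.
ZERO_MAC = re.compile(r"^(?:00[:-]){5}00$|^0{12}$")


def is_zero_ip(value):
    """True for 0.0.0.0 and :: (the all-zero IPv4/IPv6 address); False for anything else."""
    if not isinstance(value, str):
        return False
    try:
        return int(ipaddress.ip_address(value.strip())) == 0
    except ValueError:
        return False


def is_zero_mac(value):
    return isinstance(value, str) and bool(ZERO_MAC.match(value.strip()))


def null_zero_addresses(row):
    """Return a copy of a QRadar result row with all-zero IPs and MACs set to None,
    so the translator emits no ipv4-addr / mac-addr object for them."""
    cleaned = dict(row)
    for field in IP_FIELDS:
        if field in cleaned and is_zero_ip(cleaned[field]):
            cleaned[field] = None
    for field in MAC_FIELDS:
        if field in cleaned and is_zero_mac(cleaned[field]):
            cleaned[field] = None
    return cleaned


def dangling_refs(observed_data):
    """Return [(object_key, property, missing_target)] for every *_ref / *_refs
    property in observed_data['objects'] whose target key is not in 'objects'."""
    objects = observed_data.get("objects", {})
    problems = []
    for key, obj in objects.items():
        for prop, val in obj.items():
            if prop.endswith("_ref"):
                targets = [val]
            elif prop.endswith("_refs") and isinstance(val, list):
                targets = val
            else:
                continue
            for target in targets:
                if target not in objects:
                    problems.append((key, prop, target))
    return problems


# Constructed sample row (not real QRadar output): all-zero source, real destination.
SAMPLE_ROW = {
    "sourceip": "0.0.0.0",
    "sourcemac": "00:00:00:00:00:00",
    "destinationip": "10.0.0.5",
    "destinationmac": "00:11:22:33:44:55",
    "sourceport": 1234,
}

# Constructed observed-data objects. BROKEN drops the ipv4-addr object "3" but
# leaves network-traffic pointing at it; FIXED removes the reference as well.
BROKEN_OBSERVED = {"objects": {
    "0": {"type": "x-oca-event", "network_ref": "4"},
    "4": {"type": "network-traffic", "src_ref": "3", "dst_ref": "7", "protocols": ["udp"]},
    "7": {"type": "ipv4-addr", "value": "10.0.0.5", "resolves_to_refs": ["8"]},
    "8": {"type": "mac-addr", "value": "00:11:22:33:44:55"},
}}
FIXED_OBSERVED = {"objects": {
    "0": {"type": "x-oca-event", "network_ref": "4"},
    "4": {"type": "network-traffic", "dst_ref": "7", "protocols": ["udp"]},
    "7": {"type": "ipv4-addr", "value": "10.0.0.5", "resolves_to_refs": ["8"]},
    "8": {"type": "mac-addr", "value": "00:11:22:33:44:55"},
}}

if __name__ == "__main__":
    print(null_zero_addresses(SAMPLE_ROW))
    print("broken:", dangling_refs(BROKEN_OBSERVED))
    print("fixed:", dangling_refs(FIXED_OBSERVED))
```

The reference walk is the check worth adding to a translation test: nulling a value before translation is only half the fix, since any property that was populated from the dropped object (src_ref, dst_ref, resolves_to_refs, src_ip_ref) has to disappear with it, and a generic *_ref scan catches that regardless of which object type was removed.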

@delliott90 delliott90 merged commit c8de075 into opencybersecurityalliance:develop May 11, 2023
@KaneBrennan132 KaneBrennan132 deleted the develop_Qradar_Filter_Zero_Values branch May 12, 2023 08:57