From 15db64dbb027363a0224b4ea87ec5f223c779a71 Mon Sep 17 00:00:00 2001
From: Kane Brennan
Date: Fri, 5 May 2023 15:02:25 +0100
Subject: [PATCH 1/2] Remove Zero Values from Results
---
 .../stix_translation/results_translator.py | 28 +++++++++++++++++++
 .../test_qradar_json_to_stix.py | 27 +++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/stix_shifter_modules/qradar/stix_translation/results_translator.py b/stix_shifter_modules/qradar/stix_translation/results_translator.py
index c0292c4eb..4d992bb65 100644
--- a/stix_shifter_modules/qradar/stix_translation/results_translator.py
+++ b/stix_shifter_modules/qradar/stix_translation/results_translator.py
@@ -22,4 +22,32 @@ def translate_results(self, data_source, data):
 if result.get('flowdestinationpayload'):
 result['mime_type_flowdestinationpayload'] = 'application/octet-stream'
+ if result.get('sourceip'):
+ if result['sourceip'] == '0.0.0.0':
+ result['sourceip'] = None
+
+ if result.get('destinationip'):
+ if result['destinationip'] == '0.0.0.0':
+ result['destinationip'] = None
+
+ if result.get('sourcemac'):
+ if result['sourcemac'] == '00:00:00:00:00:00' or result['sourcemac'] == '00-00-00-00-00-00':
+ result['sourcemac'] = None
+
+ if result.get('destinationmac'):
+ if result['destinationmac'] == '00:00:00:00:00:00' or result['destinationmac'] == '00-00-00-00-00-00':
+ result['destinationmac'] = None
+
+ if result.get('identityip'):
+ if result['identityip'] == '0.0.0.0':
+ result['identityip'] = None
+
+ if result.get('sourcev6'):
+ if result['sourcev6'] == '0:0:0:0:0:0:0:0':
+ result['sourcev6'] = None
+
+ if result.get('destinationv6'):
+ if result['destinationv6'] == '0:0:0:0:0:0:0:0':
+ result['destinationv6'] = None
+
 return super().translate_results(data_source, results)
\ No newline at end of file
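Review bot: The `sourcev6` and `destinationv6` branches only recognise the fully expanded `0:0:0:0:0:0:0:0` spelling, so the compressed unspecified address `::` (and any other equivalent spelling such as all `0000` groups) slips through and still produces an ipv6-addr object. Comparing a normalised value would close the gap, for example `ipaddress.ip_address(value).is_unspecified` inside a `try`/`except ValueError`, or at least adding `'::'` to the accepted placeholders; the outer `if result.get(...)` guards are also redundant, since a missing or empty value never equals a placeholder. The seven near-identical blocks would read better as one table-driven loop, which keeps the placeholder list reviewable in a single place, as sketched below. A comment stating that all-zero addresses are treated as a "no address" placeholder and are dropped so no spurious ipv4-addr, ipv6-addr or mac-addr object is emitted would record the intent, since the nulling otherwise looks like data loss. The enclosing translate_results starts outside the hunk.
```python
        # … unchanged: flowdestinationpayload mime-type handling …
        # All-zero addresses are treated as "no address" placeholders and dropped
        # so no spurious ipv4-addr / ipv6-addr / mac-addr object is emitted.
        zero_placeholders = {
            'sourceip': ('0.0.0.0',),
            'destinationip': ('0.0.0.0',),
            'identityip': ('0.0.0.0',),
            'sourcemac': ('00:00:00:00:00:00', '00-00-00-00-00-00'),
            'destinationmac': ('00:00:00:00:00:00', '00-00-00-00-00-00'),
            'sourcev6': ('0:0:0:0:0:0:0:0', '::'),
            'destinationv6': ('0:0:0:0:0:0:0:0', '::'),
        }
        for field, placeholders in zero_placeholders.items():
            if result.get(field) in placeholders:
                result[field] = None
        # … unchanged: return super().translate_results(data_source, results) …
```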
diff --git a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
index d2bd59041..8dcd87cb0 100644
--- a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
+++ b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
@@ -633,4 +633,29 @@ def test_epoch_exponent_notation(self):
 finding = TestTransform.get_first_of_type(objects.values(), 'x-ibm-finding')
 assert(finding['start'] == START_TIMESTAMP)
- assert(finding['end'] == END_TIMESTAMP)
\ No newline at end of file
+ assert(finding['end'] == END_TIMESTAMP)
+
+ def test_zero_value_filtering(self):
+
+ data = [{
+ "qidname": "Information Message",
+ "sourceip": "0.0.0.0",
+ "destinationip": "0.0.0.0",
+ "sourcemac": "00-00-00-00-00-00",
+ "destinationmac": "00-00-00-00-00-00",
+ "identityip": "0.0.0.0",
+ "sourcev6": "0:0:0:0:0:0:0:0",
+ "destinationv6": "0:0:0:0:0:0:0:0",
+ }]
+
+ result_bundle = run_in_thread(entry_point.translate_results, DATA_SOURCE, data)
+ observed_data = result_bundle['objects'][1]
+ objects = observed_data['objects']
+ ipv4_addr = TestTransform.get_first_of_type(objects.values(), 'ipv4-addr')
+ assert(ipv4_addr is None)
+ ipv6_addr = TestTransform.get_first_of_type(objects.values(), 'ipv6-addr')
+ assert(ipv6_addr is None)
+ mac_addr = TestTransform.get_first_of_type(objects.values(), 'mac-addr')
+ assert(mac_addr is None)
+ x_oca_event = TestTransform.get_first_of_type(objects.values(), 'x-oca-event')
+ assert(x_oca_event['action'] == "Information Message")
\ No newline at end of file
From 1cde361b309ce4d0ad5327c3057798134b309efb Mon Sep 17 00:00:00 2001
From: Kane Brennan
Date: Wed, 10 May 2023 16:04:36 +0100
Subject: [PATCH 2/2] Check for no refs in network-traffic for unit test
---
 .../tests/stix_translation/test_qradar_json_to_stix.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
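Review bot: test_zero_value_filtering only feeds inputs in which every address is a placeholder, so a regression that nulled addresses unconditionally would still pass; a second input carrying a real address (a constructed value such as `"sourceip": "192.0.2.1"`) with an assertion that an `ipv4-addr` object is present would pin the filter's actual boundary. The colon-separated MAC spelling `00:00:00:00:00:00` and the compressed IPv6 form `::` are not exercised either, so the test says nothing about whether those reach the translator's output. A one-line docstring on the test, such as `"""All-zero addresses must not produce ipv4-addr, ipv6-addr or mac-addr objects."""`, would state what is being protected.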
diff --git a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
index 8dcd87cb0..759457b0f 100644
--- a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
+++ b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
@@ -646,11 +646,14 @@ def test_zero_value_filtering(self):
 "identityip": "0.0.0.0",
 "sourcev6": "0:0:0:0:0:0:0:0",
 "destinationv6": "0:0:0:0:0:0:0:0",
+ "sourceport": "1234",
+ "destinationport": "1234"
 }]
 result_bundle = run_in_thread(entry_point.translate_results, DATA_SOURCE, data)
 observed_data = result_bundle['objects'][1]
 objects = observed_data['objects']
+
 ipv4_addr = TestTransform.get_first_of_type(objects.values(), 'ipv4-addr')
 assert(ipv4_addr is None)
 ipv6_addr = TestTransform.get_first_of_type(objects.values(), 'ipv6-addr')
@@ -658,4 +661,8 @@ def test_zero_value_filtering(self):
 mac_addr = TestTransform.get_first_of_type(objects.values(), 'mac-addr')
 assert(mac_addr is None)
 x_oca_event = TestTransform.get_first_of_type(objects.values(), 'x-oca-event')
- assert(x_oca_event['action'] == "Information Message")
\ No newline at end of file
+ assert(x_oca_event['action'] == "Information Message")
+ network_traffic = TestTransform.get_first_of_type(objects.values(), 'network-traffic')
+ assert(network_traffic is not None)
+ assert('src_ref' not in network_traffic)
+ assert('dst_ref' not in network_traffic)
\ No newline at end of file
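Review bot: The new assertions in the second hunk pin a `network-traffic` object that carries neither `src_ref` nor `dst_ref`; as far as I recall the STIX 2.1 network-traffic object requires at least one of those references, so the translator may now be emitting an object that a spec-validating consumer rejects. If a port-only network-traffic object is the intended shape, a comment on the test saying so, such as `# a network-traffic object with ports but no address refs is expected here`, would stop the next reader from "fixing" it; if it is not intended, the change belongs in the results translator rather than in the test. The first hunk's added blank line after `objects = observed_data['objects']` is whitespace only. test_zero_value_filtering starts outside both hunks.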