From 93a01fbd1116a3f916a1bd4d674e107540777c1c Mon Sep 17 00:00:00 2001 
From: Thangaraj Ramesh
Date: Fri, 31 May 2024 14:21:36 +0000
Subject: [PATCH 1/4] Symantec Endpoint Security UDI connector

Symantec Endpoint Security UDI connector
---
 .../symantec_endpoint_security/README.md | 698 +++++
 .../symantec_endpoint_security/__init__.py | 0
 .../configuration/config.json | 44 +
 .../configuration/lang_en.json | 34 +
 .../symantec_endpoint_security/entry_point.py | 11 +
 .../stix_translation/__init__.py | 0
 .../stix_translation/json/config_map.json | 338 +++
 .../stix_translation/json/from_stix_map.json | 256 ++
 .../stix_translation/json/operators.json | 15 +
 .../json/stix_2_1/from_stix_map.json | 255 ++
 .../json/stix_2_1/to_stix_map.json | 2569 ++++++++++++++++
 .../stix_translation/json/to_stix_map.json | 2576 +++++++++++++++++
 .../stix_translation/query_constructor.py | 498 ++++
 .../stix_translation/query_translator.py | 27 +
 .../stix_translation/transformers.py | 358 +++
 .../stix_transmission/__init__.py | 0
 .../stix_transmission/api_client.py | 33 +
 .../stix_transmission/connector.py | 298 ++
 .../stix_transmission/error_mapper.py | 35 +
 .../symantec_supported_stix.md | 496 ++++
 .../test_symantec_json_to_stix.py | 522 ++++
 .../test_symantec_stix_to_query.py | 604 ++++
 .../test/stix_transmission/test_symantec.py | 463 +++
 23 files changed, 10130 insertions(+)
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/README.md
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/__init__.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/configuration/config.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/configuration/lang_en.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/entry_point.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/__init__.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/config_map.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/operators.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/query_translator.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_transmission/__init__.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_transmission/api_client.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py
 create mode 100644 stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py

diff --git a/stix_shifter_modules/symantec_endpoint_security/README.md b/stix_shifter_modules/symantec_endpoint_security/README.md
new file mode 100644
index 000000000..40cb75789
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/README.md
@@ -0,0 +1,698 @@ +# Symantec + +## Supported STIX Mappings + +See the [table of mappings](symantec_supported_stix.md) for the STIX objects and operators supported by this connector. + + +**Table of Contents** + +- [Symantec API Endpoints](#symantec-api-endpoints) +- [Curl Command to test the API Endpoints](#curl-command-to-test-api-endpoints) +- [Format for calling stix-shifter from the command line](#format-for-calling-stix-shifter-from-the-command-line) +- [Pattern expression with STIX and CUSTOM attributes - Single Observation](#single-observation) +- [Pattern expression with STIX and CUSTOM attributes - Multiple Observation](#multiple-observation) +- [STIX Execute Query](#stix-execute-query) +- [Types of Attributes](#types-of-attributes) +- [Limitations](#limitations) +- [Observations](#observations) +- [References](#references) +- [List of specific values for STIX attributes](#list-of-specific-values-for-STIX-attributes) +- [STIX pattern for custom attributes and sample values](#STIX-pattern-for-custom-attributes-and-sample-values) + +### Symantec API Endpoints +| Connector Method | Symantec API Endpoint | Method | +|-----|------|------| +| Ping Endpoint | https://< server >/api/v1/oauth2/tokens | POST | +| Token Endpoint | https://< server >/api/v1/oauth2/tokens | POST | +| Results Endpoint | https://< server >/api/v1/event-search | POST | + + +### CURL command to test API Endpoints +#### Ping +``` +curl -X POST https://api.sep.securitycloud.symantec.com/v1/oauth2/tokens -H “accept: application/json” -H “authorization: {{OAuth Credentials value}}" -H “content-type: application/x-www-form-urlencoded” +``` +#### Token +``` +curl -X POST https://api.sep.securitycloud.symantec.com/v1/oauth2/tokens -H “accept: application/json” -H “authorization: {{OAuth Credentials value}}" -H “content-type: application/x-www-form-urlencoded” +``` +#### Results +``` +curl --location --request POST "https://api.sep.securitycloud.symantec.com/v1/event-search" \ +--header 
"Content-Type: application/json" \ +--header "authorization: {bearer token}" +--data "{ + \"feature_name\": \"ALL\", + \"query\": \"type_id:8020\", + \"start_date\": \"2024-04-12T00:00:00.000+05:30\", + \"end_date\": \"2024-05-11T00:00:00.000+05:30\", + \"product\": \"SAEP\", + \"limit\":2 +}" +``` + +### Format for calling stix-shifter from the command line +``` +python main.py `` `` `` `` +``` +### Pattern expression with STIX and CUSTOM attributes + +#### Single Observation + +#### STIX Translate query to fetch the messages from a specific ipaddress +```shell +translate symantec_endpoint_security query {} "[x-oca-event:x_event_type=8003] START t'2024-04-01T11:00:00.000Z' STOP t'2024-04-10T00:00:00.000Z'" +``` +#### STIX Translate query - output +```json +{ + "queries": [ + { + "feature_name": "ALL", + "product": "SAEP", + "query": "type_id:\"8003\"", + "start_date": "2024-04-01T11:00:00.000+00:00", + "end_date": "2024-04-10T00:00:00.000+00:00" + } + ] +} +``` + +#### STIX Transmit results + +```shell +transmit symantec_endpoint_security "{\"host\":\"api.sep.securitycloud.symantec.com\"}" "{\"auth\":{\"token\":\"TzJJRC5JS2hTQi15lDSzJnLkIzZEt6TFN0NmYxNWNoMGs6MXY1bDUxdDc4cmIzNG0OWMyZDIy\"}}" results "{\"feature_name\":\"ALL\",\"query\":\"type_id:8003\", \"start_date\":\"2024-05-01T00:00:00.000+05:30\", \"end_date\": \"2024-05-06T09:00:00.000+05:30\",\"product\":\"SAEP\",\"limit\":1}" +0 +1 +``` + +#### STIX Transmit results - output +```json +{ + "success": true, + "data": [ + { + "device_os_type_id": 100, + "lineage": [ + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\wininit.exe" + ], + "feature_uid": "1DF0351C-146D-4F07-B155-BF5C7077FF40", + "type": "event_query_results", + "seq_num": 1, + "ref_uid": "1DFB782F-A766-4675-9E54-C054F8B2BAAA", + "legacy_product_uid": "ad66b334-9eb8-bf35-3f4e-f172b06200b0", + "id": 5, + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9", + "feature_name": "DETECTION_RESPONSE", + "device_group": 
"Default/TestEDRGroup", + "product_name": "Symantec Endpoint Security", + "version": "1.0.0", + "command_uid": "", + "device_ip": "1.1.1.1", + "device_vhost": 12, + "user_name": "SYSTEM", + "timezone": 0, + "device_domain": "WORKGROUP", + "product_ver": "14.3.10148.8000", + "is_npvdi_client": false, + "device_name": "HOST_NAME", + "category_id": 5, + "device_networks": [ + { + "ipv4": "1.1.1.1", + "ipv6": "xx00:0000:0000:0000:00xx:xx0x:0000:00x0", + "mac": "0x:1x:11:11:0x:11" + } + ], + "device_os_name": "Windows Server 2019 Datacenter Edition", + "type_id": 8003, + "actor": { + "session_id": 0, + "pid": 1880, + "uid": "C03AA311-0907-F1EF-848A-EAEACDB378C2", + "tid": 1132, + "start_time": "2024-05-03T04:44:04.920Z", + "cmd_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "integrity_id": 6, + "file": { + "type_id": 1, + "created": "2022-09-14T16:17:52.744Z", + "modified": "2022-09-14T16:17:52.744Z", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "sha2": "2b105fb111b1bcd111b1111111b3a11c60b111eef1111d3bb0099e1111aaf6b", + "size": 51736, + "signature_company_name": "Microsoft Windows Publisher", + "signature_value_ids": [ + 3, + 5 + ], + "security_descriptor": "O:S-1-5-5-0-11111G:SYD:(A;;0x1fffff;;;S-1-5-5-0-71241)(A;;0x1400;;;BA)S:AI", + "normalized_path": "CSIDL_SYSTEM\\svchost.exe", + "path": "c:\\windows\\system32\\svchost.exe", + "uid": "281474976968790", + "name": "svchost.exe", + "folder": "c:\\windows\\system32", + "original_name": "svchost.exe", + "signature_level_id": 60 + }, + "user": { + "name": "SYSTEM", + "sid": "S-1-5-11", + "domain": "NT AUTHORITY" + }, + "cmd_line_raw_length": 57 + }, + "device_mac": "0x:1x:11:11:0x:11", + "device_uid": "X4oOxiAoQO6SuZAfO6lm4Q", + "org_unit_uid": "_RE5UsoeSKSrteDkP3U2Mw", + "severity_id": 1, + "logging_device_post_time": "2024-05-03T04:56:13.704Z", + "device_time": "2024-05-03T04:56:13.704Z", + "file": { + "path": "c:\\windows\\system32\\tasks\\microsoft\\windows\\windowsupdate\\scheduled 
start", + "normalized_path": "CSIDL_SYSTEM\\tasks\\microsoft\\windows\\windowsupdate\\scheduled start", + "size": 5208, + "name": "scheduled start", + "folder": "c:\\windows\\system32\\tasks\\microsoft\\windows\\windowsupdate", + "content_type": { + "family_id": 0, + "type_id": 1 + } + }, + "file_result": { + "size": 5034 + }, + "edr_enriched_data": { + "category_name": "Generic Data to be sent to ATP", + "category_id": 201, + "rule_id": 2101451, + "rule_name": "IF.SchtasksChange!g1" + }, + "feature_ver": "edr/1.3.0", + "is_user_present": false, + "event_data_type": "fdr", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "sid": "S-1-5-18" + }, + "device_os_ver": "10.0.17763", + "policy": { + "uid": "a7124b68-abc1-43a4-8e44-716fb1966646", + "name": "Default Detection and Response Policy", + "version": "1" + }, + "trans_event_raw_length": 2874, + "attacks": [ + { + "technique_uid": "T1053", + "technique_name": "Scheduled Task/Job", + "tactic_ids": [ + 2, + 3, + 4 + ], + "tactic_uids": [ + "TA0002", + "TA0003", + "TA0004" + ], + "sub_technique_name": "Scheduled Task", + "sub_technique_uid": "T1053.005" + } + ], + "customer_uid": "IKhSB-yfRK2xeUR-xyCK2g", + "device_public_ip": "22.22.22.22", + "domain_uid": "B3dKzLSzR9CScPYAGhkgxA", + "time": "2024-05-03T04:56:13.704Z", + "log_time": "2024-05-03T04:56:19.401Z", + "uuid": "8003:778fc080-0909-11ef-e17f-0000061b19b7", + "indexDate": "2024-05-03", + "indexHash": "fdr_4_t2", + "log_name": "c1.fdr_4_t2_2024-05-03", + "es.mapping.id": "uuid", + "epochLogTime": 1714712179401, + "es.mapping.version": "epochLogTime" + } + ] +} +``` + + +#### STIX Translate results + +```json +{ + "type": "bundle", + "id": "bundle--e35ce5e3-6575-4026-a8d7-39227df87836", + "objects": [ + { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "Symantec Endpoint Security", + "identity_class": "events", + "created": "2023-04-11T16:11:11.878Z", + "modified": "2023-04-11T16:11:11.878Z" + }, + { + "id": 
"observed-data--186b1e27-0fd5-44c4-a15b-71e7a89c4ea5", + "type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2024-05-06T11:54:14.689Z", + "modified": "2024-05-06T11:54:14.689Z", + "objects": { + "0": { + "type": "software", + "x_os_type": "Windows", + "name": "Windows Server 2019 Datacenter Edition", + "version": "10.0.17763" + }, + "1": { + "type": "x-oca-event", + "action": "event_query_results", + "outcome": "Command Script Run", + "agent": "DETECTION_RESPONSE", + "provider": "Symantec Endpoint Security", + "x_event_type_version": "1.0.0", + "timezone": 0, + "x_provider_version": "14.3.10148.8000", + "host_ref": "2", + "category": "System Activity", + "x_event_type": 8003, + "process_ref": "6", + "file_ref": "7", + "severity": 15, + "user_ref": "11", + "x_policy_ref": "12", + "created": "2024-05-03T04:56:13.704Z", + "code": "8003:778fc080-0909-11ef-e17f-0000061b19b7" + }, + "2": { + "type": "x-oca-asset", + "x_host_group": "Default/TestEDRGroup", + "ip_refs": [ + "3", + "15" + ], + "hostname": "HOST_NAME", + "mac_refs": [ + "4" + ], + "os_ref": "0" + }, + "3": { + "type": "ipv4-addr", + "value": "1.1.1.1", + "resolves_to_refs": [ + "4" + ] + }, + "4": { + "type": "mac-addr", + "value": "0x:1x:11:11:0x:11" + }, + "6": { + "type": "process", + "pid": 1880, + "x_thread_id": 1132, + "created": "2024-05-03T04:44:04.920Z", + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "binary_ref": "7", + "creator_user_ref": "9" + }, + "7": { + "type": "file", + "x_file_type": "File", + "created": "2022-09-14T16:17:52.744Z", + "modified": "2022-09-14T16:17:52.744Z", + "hashes": { + "MD5": "4xx18x001xx31x5x48x50x99x4xx1761", + "SHA-256": "2b105fb111b1bcd111b1111111b3a11c60b111eef1111d3bb0099e1111aaf6b" + }, + "size": 51736, + "x_signature_company_name": "Microsoft Windows Publisher", + "x_signature_value_ids": [ + 3, + 5 + ], + "name": "svchost.exe", + "parent_directory_ref": "8", + 
"x_signature_level_id": 60 + }, + "8": { + "type": "directory", + "path": "c:\\windows\\system32" + }, + "9": { + "type": "user-account", + "user_id": "SYSTEM", + "x_user_sid": "S-1-5-11", + "x_user_domain": "NT AUTHORITY" + }, + "10": { + "type": "file", + "parent_directory_ref": "8", + "size": 5208, + "name": "scheduled start", + "x_family_type": "Unknown", + "x_file_type": "Application" + }, + "11": { + "type": "user-account", + "x_user_domain": "NT AUTHORITY", + "user_id": "SYSTEM", + "x_user_sid": "S-1-5-18" + }, + "12": { + "type": "x-symantec-policy", + "name": "Default Detection and Response Policy", + "version": "1" + }, + "14": { + "type": "x-ibm-ttp-tagging", + "extensions": { + "'mitre-attack-ext'": { + "technique_id": "T1053", + "technique_name": "Scheduled Task/Job", + "tactic_id": [ + "TA0002", + "TA0003", + "TA0004" + ] + } + }, + "name": "Scheduled Task/Job" + }, + "15": { + "type": "ipv4-addr", + "value": "22.22.22.22" + } + }, + "last_observed": "2024-05-03T04:56:13.704Z", + "first_observed": "2024-05-03T04:56:13.704Z", + "number_observed": 1 + } + ], + "spec_version": "2.0" +} +``` + +#### Multiple Observation + +```shell +translate +symantec_endpoint_security +query {} +"[x-oca-event:category='Security' AND x-oca-event:action='SCAN'] START t'2024-04-01T11:00:00.000Z' STOP t'2024-04-10T00:00:00.000Z'" +``` + +#### STIX Multiple observation - output +```json +{ + "queries": [ + { + "feature_name": "ALL", + "product": "SAEP", + "query": "(category_id:\"1\") AND (type:\"SCAN\")", + "start_date": "2024-04-01T11:00:00.000+00:00", + "end_date": "2024-04-10T00:00:00.000+00:00" + } + ] +} +``` + +### STIX Execute query +```shell +execute +symantec_endpoint_security +symantec_endpoint_security +"{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"Symantec Endpoint Security\",\"identity_class\":\"events\", \"created\": \"2024-05-01T00:00:00.000Z\",\"modified\": \"2024-05-10T00:00:00.000Z\"}" 
+"{\"host\":\"api.sep.securitycloud.symantec.com\"}" "{\"auth\":{\"token\":\"TzJJRC5JS2hTDUxdDc4cmIzNGE5NGVjZm50ZmkzcWd2aGh0OWMyZDIy\"}}" +"[x-oca-event:category='Security' AND x-oca-event:action='SCAN'] START t'2024-04-01T11:00:00.000Z' STOP t'2024-04-10T00:00:00.000Z'" +``` + +#### STIX Execute query - output +```json +{ + "type": "bundle", + "id": "bundle--7c7aae92-e863-454e-b7bd-7ca2f04bbc0a", + "objects": [ + { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "Symantec Endpoint Security", + "identity_class": "events", + "created": "2023-04-11T16:11:11.878Z", + "modified": "2023-04-11T16:11:11.878Z" + }, + { + "id": "observed-data--0e0cd275-588a-4fd1-9213-a267caa8a586", + "type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2024-05-06T13:21:47.927Z", + "modified": "2024-05-06T13:21:47.927Z", + "objects": { + "0": { + "type": "x-oca-event", + "category": "Security", + "host_ref": "2", + "duration": 0, + "agent": "MALWARE_PROTECTION", + "outcome": "Blocked", + "description": "Scan started on selected drives and folders and all extensions.", + "x_policy_ref": "5", + "x_provider_version": "14.3.10148.8000", + "severity": 15, + "action": "SCAN", + "x_event_type": 8020, + "x_event_type_version": "1.0", + "provider": "Symantec Endpoint Security", + "timezone": 0, + "user_ref": "13", + "created": "2024-05-06T08:33:25Z", + "code": "8020:4e0ef880-0b83-11ef-ea5d-000006df1b0c" + }, + "1": { + "type": "ipv4-addr", + "value": "1.1.1.1", + "resolves_to_refs": [ + "4" + ] + }, + "2": { + "type": "x-oca-asset", + "ip_refs": [ + "1", + "12" + ], + "geo_ref": [ + "3" + ], + "mac_refs": [ + "4" + ], + "hostname": "HOST_NAME", + "x_host_group": "Default/TestDevGroup", + "os_ref": "11" + }, + "3": { + "type": "x-oca-geo", + "name": "Default", + "x_is_on_premises": false + }, + "4": { + "type": "mac-addr", + "value": "11:1X:XX:X1:11:X1" + }, + "5": { + "type": "x-symantec-policy", + 
"name": "Default Antimalware Policy", + "version": "1" + }, + "7": { + "type": "ipv6-addr", + "value": "xx11::1x1x:11xx:11xx:x1x1", + "resolves_to_refs": [ + "4" + ] + }, + "8": { + "type": "ipv4-addr", + "value": "2.2.2.2", + "resolves_to_refs": [ + "10" + ] + }, + "9": { + "type": "ipv6-addr", + "value": "xx22::22x2:x0xx:22x2:22xx", + "resolves_to_refs": [ + "10" + ] + }, + "10": { + "type": "mac-addr", + "value": "22:X2:22:X2:X2:22" + }, + "11": { + "type": "software", + "name": "Windows Server 2019 Datacenter Edition", + "x_os_type": "Windows" + }, + "12": { + "type": "ipv4-addr", + "value": "3.3.3.3" + }, + "13": { + "type": "user-account", + "user_id": "SYSTEM" + } + }, + "number_observed": 1, + "last_observed": "2024-05-06T08:33:25Z", + "first_observed": "2024-05-06T08:33:25Z" + } + ], + "spec_version": "2.0" +} +``` +### Types of Attributes + +| Type | Description | Example | +|---------------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| Dictionary fields | A key value pair attributes. | {"user_name": "SYSTEM"}, {"feature_name": "MALWARE_PROTECTION"} | +| List of dictionary fields | A list containing one or more dictionaries | "device_networks": [{"ipv4": "1.1.1.1", "ipv6": "xx22::2x2x:22xx:22xx:x2x2", "mac": "11:1X:XX:X1:11:X1" }, { "ipv4": "2.2.2.2", "ipv6": "xx11::1x1x:11xx:11xx:x1x1", "mac": "22:X2:22:X2:X2:22"}] | + +### Observations +- The access token expires 60 minutes after being created. + +### Limitations +- The maximum number of API calls for events is limited to 500 per hour. 
+ +### References +- [Symantec Endpoint Security](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud.html) +- [Symantec ICD Schema](https://icd-schema.symantec.com/) +- [Symantec API](https://apidocs.in.securitycloud.symantec.com/) + +### List of specific values for STIX attributes + +### x-oca-event:category specific values +| Searchable Values | +|-------------------| +| Security | +| Application Activity | +| System Activity | + +### x-oca-event:outcome specific values +| Searchable Values | +|-------------------| +| Unknown | +| Blocked | +| Allowed | +| No Action | +| Logged | +| Command Script Run | +| Corrected | +| Partially Corrected | +| Uncorrected | +| Delayed | +| Deleted | +| Quarantined | +| Restored | +| Detected | +| Exonerated | +| Tagged | + +### x-oca-event:x_event_status specific values +| Searchable Values | +|-------------------| +| Unknown | +| Success | +| Failure | +| In Progress | +| Partial Success | + +### x-ibm-finding:finding_type specific values +| Searchable Values | +|-------------------| +| policy | +| threat | + +### x-ibm-finding:x_threat_type_id specific values +| Searchable Values | +|-------------------| +| Malware | +| Behavioral | +| Potentially Unwanted Applications | +| Exploit (PEP) | +| Heuristic | +| Security Risk | + +### file:x_type specific values +| Searchable Values | +|-------------------| +| File | +| Directory | +| Hard Link | +| Mount | +| Node | +| Symbolic Link | +| Named Pipe | +| Socket | +| Device | +| Email | +| Memory File | +| File in container | + +### software:x_os_type specific values +| Searchable Values | +|-------------------| +| Unknown | +| Windows | +| Linux | +| Solaris | +| AIX | +| HP-UX | +| Macintosh | +| iOS | +| Android | +| Windows Mobile | +| iPadOS | +| Other | + +### network-traffic:x_direction, email-message:x_direction specific values +| Searchable Values | +|-------------------| +| Unknown | +| Inbound | +| 
Outbound | + +### x-kernel-resource.type_id values +| Searchable Values | +|-------------------| +| Unknown | +| Shared mutex | +| System call | +| Named pipe | + +### STIX pattern for custom attributes and sample values +| Description | STIX Pattern | Sample Values | +| --- | --- | --- | +| Network Connection Direction | network-traffic:x_direction | [network-traffic:x_direction = 'Inbound'] | +| The Identifier of the thread associated with the event, as returned by the operating system. | process:x_thread_id | [process:x_thread_id = 1234] | +| The user security identifier (SID). | user-account:x_sid | [user-account:x_sid = 'S-1-1-11'] | +| The file type. | file:x_type | [file:x_type = 'Directory'] | +| The company name on the certificate that signed the file.. | file:x_signature_company_name | [file:x_signature_company_name LIKE 'Amazon'] | +| The general content type of a file. | file:x_content_type | [file:x_content_type = 'Application'] | +| The type of the operating system. | software:x_os_type | [software:x_os_type = 'Windows'] | +| The event type. | x-oca-event:x_event_type | [x-oca-event:x_event_type = 8001] | +| The event type category. | x-oca-event:category | [x-oca-event:category = 'Security'] | +| The outcome of the event. | x-oca-event:outcome | [x-oca-event:outcome = 'Blocked'] | +| The cross-platform event status. | x-oca-event:x_event_status | [x-oca-event:x_event_status = 'Success'] | +| The description of the location. | x-oca-geo:name | [x-oca-geo:name = 'Default'] | +| The name given to the policy. | x-symantec-policy:name | [x-symantec-policy:name = 'Default Detection and Response Policy'] | +| The name of the kernel resource. | x-kernel-resource:name | [x-kernel-resource:name = 'Default name'] | +| The type of the kernel resource. | x-kernel-resource:type_id | [x-kernel-resource:type_id = 'System call'] | +| The name of the peripheral device. | x-peripheral-device:name | [x-peripheral-device:name = 'keyboard'] | \ No newline at end of file 
diff --git a/stix_shifter_modules/symantec_endpoint_security/__init__.py b/stix_shifter_modules/symantec_endpoint_security/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/stix_shifter_modules/symantec_endpoint_security/configuration/config.json b/stix_shifter_modules/symantec_endpoint_security/configuration/config.json
new file mode 100644
index 000000000..65862d1e9
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/configuration/config.json
@@ -0,0 +1,44 @@
+{
+ "connection": {
+ "type": {
+ "displayName": "Symantec Endpoint Security",
+ "group": "symantec"
+ },
+ "host": {
+ "type": "text",
+ "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_:/\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9_:/\\-]*[A-Za-z0-9])$"
+ },
+ "port": {
+ "type": "number",
+ "default": 443,
+ "min": 1,
+ "max": 65535
+ },
+ "help": {
+ "type": "link",
+ "default": "data-sources.html"
+ },
+ "selfSignedCert": {
+ "type": "password",
+ "optional": true
+ },
+ "options": {
+ "type": "fields",
+ "api_page_size": {
+ "default": 1000,
+ "min": 100,
+ "max": 1000,
+ "hidden": true,
+ "type": "number"
+ }
+ }
+ },
+ "configuration": {
+ "auth": {
+ "type": "fields",
+ "oauth_credentials": {
+ "type": "password"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/symantec_endpoint_security/configuration/lang_en.json b/stix_shifter_modules/symantec_endpoint_security/configuration/lang_en.json
new file mode 100644
index 000000000..72f4ca611
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/configuration/lang_en.json
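Review bot: The `host` regex admits `:` and `/` inside a label (`[a-zA-Z0-9_:/\\-]*`), so a value such as `api.example.com:8443/x` passes validation even though `port` is a separate field, and the field then gives no guarantee that what reaches the transmission layer is a bare hostname (the code that assembles the URL is not in this chunk). Restricting labels to letters, digits and hyphens is enough for the documented endpoints: `"regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$"`. Separately, the README examples in this patch pass a base64 `token` whose decoded prefix (`O2ID.IKhSB-y`) matches the `customer_uid` in the sample output, so it looks derived from a real OAuth credential even if truncated; swap it for an obvious placeholder before merging.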
@@ -0,0 +1,34 @@
+{
+ "connection": {
+ "host": {
+ "label": "Management IP address or hostname",
+ "description": "Specify the IP address or hostname of the data source"
+ },
+ "port": {
+ "label": "Host port",
+ "description": "Set the port number that is associated with the hostname or IP address"
+ },
+ "help": {
+ "label": "Need additional help?",
+ "description": "More details on the data source setting can be found in the specified link"
+ },
+ "selfSignedCert": {
+ "label": "PEM Formatted SSL certificate(s)",
+ "description": "Provide a self-signed or CA-signed certificate to securely communicate with the data source."
+ },
+ "options": {
+ "api_page_size": {
+ "label": "API Page Size",
+ "description": "Number of records per API call. Valid input range is {{min}} to {{max}}."
+ }
+ }
+ },
+ "configuration": {
+ "auth": {
+ "oauth_credentials": {
+ "label": "OAuth Credentials",
+ "description": "The OAuth Credentials value is used in the Authentication API to generate a bearer token that is used in all API calls."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/symantec_endpoint_security/entry_point.py b/stix_shifter_modules/symantec_endpoint_security/entry_point.py
new file mode 100644
index 000000000..607486410
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/entry_point.py
@@ -0,0 +1,11 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+ def __init__(self, connection={}, configuration={}, options={}):
+ super().__init__(connection, configuration, options)
+ self.set_async(False)
+ if connection:
+ self.setup_transmission_basic(connection, configuration)
+ self.setup_translation_simple(dialect_default='default')
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/__init__.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/__init__.py
new file mode 100644
index 000000000..e69de29bb
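Review bot: `__init__` takes mutable default arguments (`connection={}, configuration={}, options={}`); the same three dict objects are shared by every call that omits them and are passed straight to `super().__init__`, so any mutation inside the base class would bleed between EntryPoint instances. Use `None` defaults and build fresh dicts, e.g. `def __init__(self, connection=None, configuration=None, options=None):` followed by `connection, configuration, options = connection or {}, configuration or {}, options or {}`; the later `if connection:` guard keeps its meaning. A one-line class docstring saying that transmission is only wired up when a non-empty connection dict is supplied would also help readers, since an empty dict silently skips `setup_transmission_basic`.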
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/config_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/config_map.json
new file mode 100644
index 000000000..ae9bc465e
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/config_map.json
@@ -0,0 +1,338 @@ +{ + "int_supported_fields": [ + "actor.file.size", + "actor.pid", + "actor.session.id", + "actor.session_id", + "actor.tid", + "connection.bytes_download", + "connection.bytes_upload", + "connection.dst_port", + "connection.src_port", + "file.size", + "module.size", + "parent.pid", + "policy.type_id", + "policy.version", + "policy.rule_category_id", + "process.file.size", + "process.pid", + "reg_value.type_id", + "session.id", + "startup_app.file.size", + "threat.id", + "actor.tid", + "type_id", + "url.port", + "file.url.port", + "connection.url.port", + "actor.file.signature_value_ids", + "process.file.signature_value_ids", + "startup_app.file.signature_value_ids", + "actor.file.signature_level_id", + "file.signature_level_id", + "parent.file.signature_level_id", + "process.file.signature_level_id", + "directory.signature_level_id", + "startup_app.file.signature_level_id" + + ], + "bool_supported_fields": [ + "actor.user.is_admin", + "actor.session.user.is_admin", + "device_location.on_premises", + "session.is_admin", + "session.user.is_admin", + "session.remote", + "actor.session.remote" + ], + "like_supported_fields": [ + "actor.user.name", + "actor.app_name", + "actor.cmd_line", + "actor.file.folder", + "actor.file.name", + "actor.file.path", + "actor.file.signature_company_name", + "actor.session.user.logon_name", + "actor.session.user.name", + "actor.user.logon_name", + "actor.user.name", + "actor.user.domain", + "attacks.technique_name", + "attacks.technique_uid", + "command_uid", + "device_location.desc", + "device_name", + "device_domain", + "device_group", + "device_os_name", + "device_type", + "directory.folder", + "directory.name", + "directory.path", + "email.header_subject", + "feature_name", + "file.folder", + "file.name", + "file.path", + "kernel.name", + "message", + "module.folder", + "module.name", + "module.path", + "parent.app_name", + "parent.cmd_line", + "parent.file.folder", + "parent.file.name", + "parent.file.path", + 
"peripheral_device.name", + "policy.name", + "policy.rule_group_name", + "policy.rule_name", + "policy.rules.desc", + "process.app_name", + "process.file.folder", + "process.file.name", + "product_name", + "policy.version", + "reg_key.path", + "reg_value.data", + "reg_value.name", + "session.user.logon_name", + "session.user.name", + "session.user.domain", + "startup_app.cmd_line", + "startup_app.file.folder", + "startup_app.file.name", + "startup_app.file.path", + "threat.name", + "threat.provider", + "type", + "url.text", + "file.url.text", + "connection.url.text", + "url.host", + "file.url.host", + "connection.url.host", + "url.path", + "file.url.path", + "connection.url.path", + "user.name", + "data", + "actor.file.signature_fingerprints.algorithm", + "actor.module.signature_fingerprints.algorithm", + "file.signature_fingerprints.algorithm", + "module.signature_fingerprints.algorithm", + "parent.file.signature_fingerprints.algorithm", + "parent.module.signature_fingerprints.algorithm", + "process.file.signature_fingerprints.algorithm", + "process.module.signature_fingerprints.algorithm", + "directory.signature_fingerprints.algorithm", + "startup_app.file.signature_fingerprints.algorithm", + "actor.file.signature_issuer" + ], + "enum_supported_fields": [ + "severity_id", + "category_id", + "id", + "status_id", + "file.type_id", + "actor.file.type_id", + "actor.module.type_id", + "file.content_type.type_id", + "family_id", + "reason_id", + "threat.risk_id", + "threat.type_id", + "device_os_type_id", + "connection.direction_id", + "email.direction_id", + "kernel.type_id" + ], + "protocol_supported_fields": [ + "connection.protocol_id" + ], + "date_supported_fields": [ + "time", + "actor.file.created", + "parent.file.created", + "process.file.created", + "startup_app.file.created", + "actor.file.modified", + "process.file.modified", + "startup_app.file.modified", + "actor.file.signature_created_date", + "actor.module.signature_created_date", + 
"file.signature_created_date", + "parent.signature_created_date", + "process.signature_created_date", + "directory.signature_created_date", + "startup_app.file.signature_created_date", + "policy.effective_date", + "actor.start_time", + "process.start_time", + "parent.start_time" + ], + "enum_supported_values": { + "severity_id": { + "0": 0, + "16": 1, + "32": 2, + "48": 3, + "64": 4, + "80": 5, + "100": 6 + }, + "output_category_id": { + "Unknown": 0, + "Security": 1, + "License": 2, + "Application Activity": 3, + "Audit": 4, + "System Activity": 5, + "Diagnostic": 6, + "Evidence of Compromise": 7, + "Information Protection": 8 + }, + "category_id": { + "Security": 1, + "Application Activity": 3, + "System Activity": 5 + }, + "id": { + "Unknown": 0, + "Blocked": 1, + "Allowed": 2, + "No Action": 3, + "Logged": 4, + "Command Script Run": 5, + "Corrected": 6, + "Partially Corrected": 7, + "Uncorrected": 8, + "Delayed": 10, + "Deleted": 11, + "Quarantined": 12, + "Restored": 13, + "Detected": 14, + "Exonerated": 15, + "Tagged": 16 + }, + "status_id": { + "Unknown": 0, + "Success": 1, + "Failure": 2, + "In Progress": 3, + "Partial Success": 4 + }, + "family_id": { + "Unknown": 0, + "Container": 1, + "Document": 2, + "Executable": 3, + "Media": 4 + }, + "file.content_type.type_id": { + "Unknown": 0, + "Application": 1, + "Binary": 2, + "Audio": 3, + "Image": 4, + "Video": 5 + }, + "file.type_id": { + "File": 1, + "Directory": 2, + "Hard Link": 3, + "Mount": 4, + "Node": 5, + "Symbolic Link": 6, + "Named Pipe": 7, + "Socket": 8, + "Device": 9, + "Email": 10, + "Memory File": 11, + "File in container": 12 + }, + "reason_id": { + "unknown": 0, + "policy": 1, + "threat": 2 + }, + "threat.risk_id": { + "0": 0, + "20": 500, + "40": 400, + "60": 300, + "80": 200, + "100": 100 + }, + "threat.type_id": { + "Malware": 1, + "Behavioral": 2, + "Potentially Unwanted Applications": 3, + "Exploit (PEP)": 4, + "Heuristic": 5, + "Security Risk": 6 + }, + "device_os_type_id": { + 
"Unknown": 0, + "Windows": 100, + "Linux": 200, + "Solaris": 300, + "AIX": 301, + "HP-UX": 302, + "Macintosh": 400, + "iOS": 500, + "Android": 501, + "Windows Mobile": 502, + "iPadOS": 503, + "Other": 1001 + }, + "connection.direction_id" : { + "Unknown": 0, + "Inbound": 1, + "Outbound": 2 + }, + "kernel.type_id": { + "Unknown":0, + "Shared mutex": 1, + "System call" : 2, + "Named pipe": 3 + } + }, + "protocol_supported_values": { + "connection.protocol_id": { + "icmp": 1, + "igmp": 2, + "ggp": 3, + "ip": 4, + "st": 5, + "tcp": 6, + "ucl": 7, + "egp": 8, + "igp": 9, + "udp": 17, + "mux": 18, + "hmp": 20, + "prm": 21, + "rdp": 27, + "irtp": 28, + "sep": 33, + "3pc": 34, + "idpr": 35, + "xtp": 36, + "ddp": 37, + "rvd": 66, + "ippc": 67, + "ipcv": 71, + "cpnx": 72, + "ttp": 84, + "dgp": 86, + "tcf": 87, + "igrp": 88, + "mtp": 92, + "micp": 95 + } + } +} diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json new file mode 100644 index 000000000..5decd42ed --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json 
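Review bot: `actor.tid` is listed twice in `int_supported_fields` and `actor.user.name` twice in `like_supported_fields`, while `policy.version` appears in both `int_supported_fields` and `like_supported_fields`, so whichever list the query constructor consults first decides whether that field is compared as an integer or as a LIKE pattern (the README sample event carries it as the string `"1"`). Remove the duplicate entries and keep `policy.version` in a single list that matches how the API returns it. In `date_supported_fields`, `parent.signature_created_date` and `process.signature_created_date` are the only entries without the `.file.` segment that every sibling uses (`actor.file.signature_created_date`, `startup_app.file.signature_created_date`), which looks like a typo; confirm against the from_stix_map entries before relying on date comparisons for those two fields.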
@@ -0,0 +1,256 @@
+{
+ "ipv4-addr": {
+ "fields": {
+ "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_public_ip", "device_networks.ipv4", "device_networks.gateway_ip"],
+ "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_networks.ipv6"],
+ "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"]
+ }
+ },
+ "mac-addr": {
+ "fields": {
+ "value": ["device_mac", "device_networks.mac", "device_networks.gateway_mac"]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_ref.value": ["connection.src_ip"],
+ "dst_ref.value": ["connection.dst_ip"],
+ "dst_port": ["connection.dst_port"],
+ "src_port": ["connection.src_port"],
+ "protocols[*]": ["connection.protocol_id"],
+ "src_byte_count": ["connection.bytes_upload"],
+ "dst_byte_count": ["connection.bytes_download"],
+ "x_connection_direction": ["connection.direction_id"]
+ }
+ },
+ "process": {
+ "fields": {
+ "pid": ["actor.pid", "process.pid", "parent.pid"],
+ "command_line": ["actor.cmd_line","process.cmd_line", "parent.cmd_line", "startup_app.cmd_line"],
+ "name": ["actor.app_name", "process.app_name", "parent.app_name"],
+ "created": ["actor.start_time", "process.start_time", "parent.start_time"],
+ "x_thread_id": ["actor.tid", "process.tid"],
+ "x_proc_uid": ["actor.uid", "process.uid", "parent.uid"],
+ "creator_user_ref.user_id": ["actor.user.name", "process.user.name"],
+ "creator_user_ref.account_login": ["actor.user.logon_name"],
+ "binary_ref.name": ["actor.file.name", "process.file.name", "parent.file.name", "startup_app.file.name"],
+ "binary_ref.parent_directory_ref.path": ["actor.file.path", "process.file.path", "parent.file.path", "startup_app.file.path"],
+ "binary_ref.hashes.MD5": ["actor.file.md5", "process.file.md5", "parent.file.md5","startup_app.file.md5"],
+ "binary_ref.hashes.'SHA-256'": ["actor.file.sha2", "process.file.sha2", "parent.file.sha2", "startup_app.file.sha2"],
+ "binary_ref.hashes.'SHA-1'": ["actor.file.c", "process.file.sha1", "parent.file.sha1", "startup_app.file.sha1"],
+ "binary_ref.size" : ["actor.file.size", "process.file.size", "startup_app.file.size"]
+ }
+ },
+ "user-account":{
+ "fields": {
+ "user_id": ["user.name","actor.user.name", "session.user.name"],
+ "account_login": ["actor.user.logon_name", "session.user.logon_name"],
+ "is_privileged": ["actor.user.is_admin", "session.user.is_admin"],
+ "x_user_domain": ["actor.user.domain", "session.user.domain"],
+ "x_user_sid": ["user.sid","actor.user.sid", "session.user.sid"],
+ "x_user_uid": ["user.uid"]
+ }
+ },
+ "file": {
+ "fields": {
+ "name" :["file.name", "directory.name", "actor.file.name", "parent.file.name", "process.file.name", "module.name", "startup_app.file.name"],
+ "size" : ["file.size", "actor.file.size", "module.size", "process.file.size", "startup_app.file.size"],
+ "parent_directory_ref.path": ["file.folder", "directory.folder", "actor.file.folder", "parent.file.folder", "process.file.folder", "module.folder", "startup_app.file.folder"],
+ "hashes.MD5": ["file.md5", "actor.file.md5", "module.md5", "parent.file.md5", "process.file.md5", "startup_app.file.md5"],
+ "hashes.'SHA-256'": ["file.sha2", "actor.file.sha2", "module.sha2", "parent.file.sha2", "process.file.sha2", "startup_app.file.sha2"],
+ "hashes.'SHA-1'": ["file.sha1", "actor.file.sha1", "parent.file.sha1", "process.file.sha1", "startup_app.file.sha1"],
+ "created": ["actor.file.created", "parent.file.created", "process.file.created", "startup_app.file.created"],
+ "modified": ["actor.file.modified", "process.file.modified", "startup_app.file.modified"],
+ "x_file_type": ["file.type_id", "actor.file.type_id", "process.file.type_id"],
+ "x_rep_score": ["file.rep_score"],
+ "x_file_version": ["file.version"],
+ "x_open_mode": ["open_mode"],
+ "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"],
+ "x_signature_created_date": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"],
+ "x_signature_fingerprints.algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", "process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"],
+ "x_signature_issuer": ["actor.file.signature_issuer"],
+ "x_signature_level_id": ["actor.file.signature_level_id", "file.signature_level_id", "parent.file.signature_level_id", "process.file.signature_level_id", "directory.signature_level_id", "startup_app.file.signature_level_id"],
+ "x_signature_serial_number": ["actor.file.signature_serial_number"],
+ "x_signature_value": ["actor.file.signature_value"],
+ "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"],
+ "x_content_type": ["file.content_type.type_id"]
+ }
+ },
+ "directory": {
+ "fields": {
+ "path": ["file.folder", "directory.folder", "actor.file.folder", "parent.file.folder", "process.file.folder", "module.folder", "startup_app.file.folder"]
+ }
+ },
+ "email-addr": {
+ "fields": {
+ "value": ["email.header_from", "email.header_to"]
+ }
+ },
+ "email-message": {
+ "fields": {
+ "from_ref": ["email.header_from"],
+ "to_refs[*]": ["email.header_to"],
+ "subject": ["email.header_subject"],
+ "x_email_direction": ["email.direction_id"],
+ "x_email_uid": ["email_uid"]
+ }
+ },
+ "windows-registry-key": {
+ "fields": {
+ "key": ["reg_key.path"],
+ "values[*].data": ["reg_value.data"],
+ "values[*].name": ["reg_value.name"],
+ "values[*].data_type": ["reg_value.type_id"]
+ }
+ },
+ "software": {
+ "fields": {
+ "name": ["device_os_name"],
+ "version": ["device_os_ver"],
+ "x_os_type": ["device_os_type_id"],
+ "x_cmd_line": ["startup_app.cmd_line"],
+ "x_start_type_id": ["startup_app.start_id"],
+ "x_config_path": ["config_path"]
+ }
+ },
+ "url": {
+ "fields": {
+ "value": ["url.text", "file.url.text"],
+ "x_url_host": ["url.host", "file.url.host", "connection.url.host"],
+ "x_url_path": ["url.path", "file.url.path", "connection.url.path"],
+ "x_url_port": ["url.port", "file.url.port", "connection.url.port"]
+ }
+ },
+ "domain-name": {
+ "fields": {
+ "value": ["device_domain"]
+ }
+ },
+ "x-oca-event": {
+ "fields": {
+ "code": ["uuid"],
+ "severity": ["severity_id"],
+ "category": ["category_id"],
+ "action": ["type"],
+ "description": ["message"],
+ "provider": ["product_name"],
+ "agent": ["feature_name"],
+ "outcome": ["id"],
+ "created": ["time"],
+ "x_event_status": ["status_id"],
+ "host_ref.hostname": ["device_name"],
+ "host_ref.host_type": ["device_type"],
+ "file_ref.name": ["file.name"],
+ "process_ref.pid": ["actor.pid"],
+ "process_ref.name": ["actor.app_name"],
+ "process_ref.command_line": ["actor.cmd_line"],
+ "parent_process_ref.pid": ["parent.pid"],
+ "parent_process_ref.name": ["parent.app_name"],
+ "parent_process_ref.command_line": ["parent.cmd_line"],
+ "process_ref.binary_ref.name": ["actor.file.name"],
+ "process_ref.creator_user_ref.user_id": ["actor.user.name"],
+ "registry_ref.key": ["reg_key.path", "reg_value.path"],
+ "url_ref.value": ["url.text"],
+ "domain_ref.value": ["device_domain"],
+ "network_ref.protocols[*]": ["connection.protocol_id"],
+ "user_ref.user_id": ["user.name"],
+ "x_event_type": ["type_id"],
+ "x_event_id": ["event_id"],
+ "x_provider_version": ["product_ver"],
+ "x_command_uid": ["command_uid"],
+ "x_event_data": ["data"]
+ }
+ },
+ "x-oca-asset": {
+ "fields": {
+ "hostname": ["device_name"],
+ "host_type": ["device_type"],
+ "x_host_group": ["device_group"],
+ "mac_refs[*].value": ["device_mac"],
+ "ip_ref[*].value": ["device_ip"],
+ "os_ref.name": ["device_os_name"],
+ "os_ref.version": ["device_os_ver"],
+ "domain_ref.value": ["device_domain"]
+ }
+ },
+ "x-oca-geo": {
+ "fields": {
+ "name": ["device_location.desc"],
+ "x_is_on_premises": ["device_location.on_premises"]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "name": ["threat.name"],
+ "severity": ["threat.risk_id"],
+ "alert_id": ["threat.id"],
+ "finding_type": ["reason_id"],
+ "x_threat_type_id": ["threat.type_id"],
+ "x_info_provider": ["threat.provider"],
+ "ttp_tagging_refs[*].name": ["attacks.technique_name"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_id": ["attacks.technique_uid"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_name": ["attacks.technique_name"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.tactic_id": ["attacks.tactic_uids"]
+ }
+ },
+ "x-ibm-ttp-tagging": {
+ "fields":{
+ "name": ["attacks.technique_name"],
+ "extensions.'mitre-attack-ext'.tactic_id" : ["attacks.tactic_uids"],
+ "extensions.'mitre-attack-ext'.technique_id" : ["attacks.technique_uid"],
+ "extensions.'mitre-attack-ext'.technique_name" : ["attacks.technique_name"]
+ }
+ },
+ "x-symantec-policy": {
+ "fields": {
+ "name": ["policy.name"],
+ "effective_date": ["policy.effective_date"],
+ "rule_group_name": ["policy.rule_group_name"],
+ "rule_name": ["policy.rule_name"],
+ "rule_category": ["policy.rule_category_id"],
+ "type_id": ["policy.type_id"],
+ "rule_description": ["policy.rule_desc"],
+ "version": ["policy.version"],
+ "states": ["policy.state_ids"]
+ }
+ },
+ "x-user-session": {
+ "fields": {
+ "id": ["session.id", "actor.session.id"],
+ "is_admin": ["session.is_admin"],
+ "is_remote": ["session.remote", "actor.session.remote"],
+ "user_ref.user_id": ["session.user.name", "actor.session.user.name"],
+ "user_ref.account_login": ["session.user.logon_name", "actor.session.user.logon_name"],
+ "user_ref.is_privileged": ["session.user.is_admin", "actor.session.user.is_admin"],
+ "user_ref.x_domain": ["session.user.domain","actor.session.user.domain"],
+ "user_ref.x_sid": ["session.user.sid"]
+ }
+ },
+ "x-kernel-resource": {
+ "fields": {
+ "name": ["kernel.name"],
+ "type_id": ["kernel.type_id"]
+ }
+ },
+ "x-peripheral-device": {
+ "fields": {
+ "class": [
+ "peripheral_device.class"
+ ],
+ "instance_uid": [
+ "peripheral_device.instance_uid"
+ ],
+ "name": [
+ "peripheral_device.name"
+ ],
+ "serial": [
+ "peripheral_device.serial"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/operators.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/operators.json
new file mode 100644
index 000000000..38a2f9018
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/operators.json
@@ -0,0 +1,15 @@
+{
+ "ComparisonExpressionOperators.And": "AND",
+ "ComparisonExpressionOperators.Or": "OR",
+ "ComparisonComparators.Equal": ":",
+ "ComparisonComparators.NotEqual": ":",
+ "ComparisonComparators.GreaterThan": ":{value TO *}",
+ "ComparisonComparators.LessThan": ":{* TO value}",
+ "ComparisonComparators.GreaterThanOrEqual": ":[value TO *}",
+ "ComparisonComparators.LessThanOrEqual": ":{* TO value]",
+ "ComparisonComparators.Like": ":value*",
+ "ComparisonComparators.Matches": ":/value/",
+ "ComparisonComparators.In": ":(value)",
+ "ObservationOperators.Or": "OR",
+ "ObservationOperators.And": "OR"
+}
\ No newline at end of file
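Review bot: The process SHA-1 entry in this hunk, `"binary_ref.hashes.'SHA-1'": ["actor.file.c", "process.file.sha1", ...]`, names a source field `actor.file.c` that appears nowhere else in the maps, while the file object's `hashes.'SHA-1'` entry uses `actor.file.sha1`; it reads as a truncated `actor.file.sha1`, and as written a STIX pattern that hunts a process by its image SHA-1 would be translated against a field the backend presumably does not have and quietly match nothing. The same entry recurs in stix_2_1/from_stix_map.json under `image_ref.hashes.'SHA-1'`, so both copies need `"actor.file.sha1"` in that first position. A second inconsistency, also present in both from_stix files, is `x-oca-asset`'s `"ip_ref[*].value": ["device_ip"]`: the sibling entry is `mac_refs[*].value` and the to_stix map in this patch populates `x-oca-asset.ip_refs`, so the property that would round-trip is `"ip_refs[*].value": ["device_ip"]`. A translation test that asserts the generated query for `[process:binary_ref.hashes.'SHA-1' = '...']` contains `actor.file.sha1` would pin the fix.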
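Review bot: `ComparisonComparators.NotEqual` is mapped to the same `:` token as `Equal`, so the negation can only come from query_constructor.py, which is not in this hunk; if that wrapping is ever dropped, a `!=` pattern silently behaves as `=`, which is the kind of failure that makes an exclusion-based hunt return the wrong set. A query-translation test that pins the generated `NOT` form for a `!=` pattern would guard this. Likewise `Like` maps to `:value*` (trailing wildcard only) and `Matches` to `:/value/`, so STIX `%`/`_` wildcards and regex metacharacters inside the value presumably have to be escaped or rewritten by the constructor; the README's operator table should state which STIX wildcard forms are actually supported.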
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json
new file mode 100644
index 000000000..7a9c6e5df
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json
@@ -0,0 +1,255 @@
+{
+ "ipv4-addr": {
+ "fields": {
+ "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_public_ip", "device_networks.ipv4", "device_networks.gateway_ip"],
+ "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"]
+ }
+ },
+ "ipv6-addr": {
+ "fields": {
+ "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_networks.ipv6"],
+ "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"]
+ }
+ },
+ "mac-addr": {
+ "fields": {
+ "value": ["device_mac", "device_networks.mac", "device_networks.gateway_mac"]
+ }
+ },
+ "network-traffic": {
+ "fields": {
+ "src_ref.value": ["connection.src_ip"],
+ "dst_ref.value": ["connection.dst_ip"],
+ "dst_port": ["connection.dst_port"],
+ "src_port": ["connection.src_port"],
+ "protocols[*]": ["connection.protocol_id"],
+ "src_byte_count": ["connection.bytes_upload"],
+ "dst_byte_count": ["connection.bytes_download"],
+ "x_connection_direction": ["connection.direction_id"]
+ }
+ },
+ "process": {
+ "fields": {
+ "pid": ["actor.pid", "process.pid", "parent.pid"],
+ "command_line": ["actor.cmd_line","process.cmd_line", "parent.cmd_line", "startup_app.cmd_line"],
+ "created_time": ["actor.start_time", "process.start_time", "parent.start_time"],
+ "x_thread_id": ["actor.tid", "process.tid"],
+ "x_proc_uid": ["actor.uid", "process.uid", "parent.uid"],
+ "creator_user_ref.user_id": ["actor.user.name", "process.user.name"],
+ "creator_user_ref.account_login": ["actor.user.logon_name"],
+ "image_ref.name": ["actor.file.name", "process.file.name", "parent.file.name", "startup_app.file.name"],
+ "image_ref.parent_directory_ref.path": ["actor.file.path", "process.file.path", "parent.file.path", "startup_app.file.path"],
+ "image_ref.hashes.MD5": ["actor.file.md5", "process.file.md5", "parent.file.md5","startup_app.file.md5"],
+ "image_ref.hashes.'SHA-256'": ["actor.file.sha2", "process.file.sha2", "parent.file.sha2", "startup_app.file.sha2"],
+ "image_ref.hashes.'SHA-1'": ["actor.file.c", "process.file.sha1", "parent.file.sha1", "startup_app.file.sha1"],
+ "image_ref.size" : ["actor.file.size", "process.file.size", "startup_app.file.size"]
+ }
+ },
+ "user-account":{
+ "fields": {
+ "user_id": ["user.name","actor.user.name", "session.user.name"],
+ "account_login": ["actor.user.logon_name", "session.user.logon_name"],
+ "is_privileged": ["actor.user.is_admin", "session.user.is_admin"],
+ "x_user_domain": ["actor.user.domain", "session.user.domain"],
+ "x_user_sid": ["user.sid","actor.user.sid", "session.user.sid"],
+ "x_user_uid": ["user.uid"]
+ }
+ },
+ "file": {
+ "fields": {
+ "name" :["file.name", "directory.name", "actor.file.name", "parent.file.name", "process.file.name", "module.name", "startup_app.file.name"],
+ "size" : ["file.size", "actor.file.size", "module.size", "process.file.size", "startup_app.file.size"],
+ "parent_directory_ref.path": ["file.folder", "directory.folder", "actor.file.folder", "parent.file.folder", "process.file.folder", "module.folder", "startup_app.file.folder"],
+ "hashes.MD5": ["file.md5", "actor.file.md5", "module.md5", "parent.file.md5", "process.file.md5", "startup_app.file.md5"],
+ "hashes.'SHA-256'": ["file.sha2", "actor.file.sha2", "module.sha2", "parent.file.sha2", "process.file.sha2", "startup_app.file.sha2"],
+ "hashes.'SHA-1'": ["file.sha1", "actor.file.sha1", "parent.file.sha1", "process.file.sha1", "startup_app.file.sha1"],
+ "ctime": ["actor.file.created", "parent.file.created", "process.file.created", "startup_app.file.created"],
+ "mtime": ["actor.file.modified", "process.file.modified", "startup_app.file.modified"],
+ "x_file_type": ["file.type_id", "actor.file.type_id", "process.file.type_id"],
+ "x_rep_score": ["file.rep_score"],
+ "x_file_version": ["file.version"],
+ "x_open_mode": ["open_mode"],
+ "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"],
+ "x_signature_created_date": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"],
+ "x_signature_fingerprints.algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", "process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"],
+ "x_signature_issuer": ["actor.file.signature_issuer"],
+ "x_signature_level_id": ["actor.file.signature_level_id", "file.signature_level_id", "parent.file.signature_level_id", "process.file.signature_level_id", "directory.signature_level_id", "startup_app.file.signature_level_id"],
+ "x_signature_serial_number": ["actor.file.signature_serial_number"],
+ "x_signature_value": ["actor.file.signature_value"],
+ "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"],
+ "x_content_type": ["file.content_type.type_id"]
+ }
+ },
+ "directory": {
+ "fields": {
+ "path": ["file.folder", "directory.folder", "actor.file.folder", "parent.file.folder", "process.file.folder", "module.folder", "startup_app.file.folder"]
+ }
+ },
+ "email-addr": {
+ "fields": {
+ "value": ["email.header_from", "email.header_to"]
+ }
+ },
+ "email-message": {
+ "fields": {
+ "from_ref": ["email.header_from"],
+ "to_refs[*]": ["email.header_to"],
+ "subject": ["email.header_subject"],
+ "x_email_direction": ["email.direction_id"],
+ "x_email_uid": ["email_uid"]
+ }
+ },
+ "windows-registry-key": {
+ "fields": {
+ "key": ["reg_key.path"],
+ "values[*].data": ["reg_value.data"],
+ "values[*].name": ["reg_value.name"],
+ "values[*].data_type": ["reg_value.type_id"]
+ }
+ },
+ "software": {
+ "fields": {
+ "name": ["device_os_name"],
+ "version": ["device_os_ver"],
+ "x_os_type": ["device_os_type_id"],
+ "x_cmd_line": ["startup_app.cmd_line"],
+ "x_start_type_id": ["startup_app.start_id"],
+ "x_config_path": ["config_path"]
+ }
+ },
+ "url": {
+ "fields": {
+ "value": ["url.text", "file.url.text"],
+ "x_url_host": ["url.host", "file.url.host", "connection.url.host"],
+ "x_url_path": ["url.path", "file.url.path", "connection.url.path"],
+ "x_url_port": ["url.port", "file.url.port", "connection.url.port"]
+ }
+ },
+ "domain-name": {
+ "fields": {
+ "value": ["device_domain"]
+ }
+ },
+ "x-oca-event": {
+ "fields": {
+ "code": ["uuid"],
+ "x_severity": ["severity_id"],
+ "category": ["category_id"],
+ "x_action": ["type"],
+ "description": ["message"],
+ "provider": ["product_name"],
+ "agent": ["feature_name"],
+ "outcome": ["id"],
+ "created": ["time"],
+ "x_event_status": ["status_id"],
+ "host_ref.hostname": ["device_name"],
+ "host_ref.host_type": ["device_type"],
+ "file_ref.name": ["file.name"],
+ "process_ref.pid": ["actor.pid"],
+ "process_ref.name": ["actor.app_name"],
+ "process_ref.command_line": ["actor.cmd_line"],
+ "parent_process_ref.pid": ["parent.pid"],
+ "parent_process_ref.name": ["parent.app_name"],
+ "parent_process_ref.command_line": ["parent.cmd_line"],
+ "process_ref.image_ref.name": ["actor.file.name"],
+ "process_ref.creator_user_ref.user_id": ["actor.user.name"],
+ "registry_ref.key": ["reg_key.path", "reg_value.path"],
+ "url_ref.value": ["url.text"],
+ "domain_ref.value": ["device_domain"],
+ "network_ref.protocols[*]": ["connection.protocol_id"],
+ "user_ref.user_id": ["user.name"],
+ "x_event_type": ["type_id"],
+ "x_event_id": ["event_id"],
+ "x_provider_version": ["product_ver"],
+ "x_command_uid": ["command_uid"],
+ "x_event_data": ["data"]
+ }
+ },
+ "x-oca-asset": {
+ "fields": {
+ "hostname": ["device_name"],
+ "host_type": ["device_type"],
+ "x_host_group": ["device_group"],
+ "mac_refs[*].value": ["device_mac"],
+ "ip_ref[*].value": ["device_ip"],
+ "os_ref.name": ["device_os_name"],
+ "os_ref.version": ["device_os_ver"],
+ "domain_ref.value": ["device_domain"]
+ }
+ },
+ "x-oca-geo": {
+ "fields": {
+ "name": ["device_location.desc"],
+ "x_is_on_premises": ["device_location.on_premises"]
+ }
+ },
+ "x-ibm-finding": {
+ "fields": {
+ "name": ["threat.name"],
+ "x_severity": ["threat.risk_id"],
+ "alert_id": ["threat.id"],
+ "finding_type": ["reason_id"],
+ "x_threat_type_id": ["threat.type_id"],
+ "x_info_provider": ["threat.provider"],
+ "ttp_tagging_refs[*].name": ["attacks.technique_name"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_id": ["attacks.technique_uid"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_name": ["attacks.technique_name"],
+ "ttp_tagging_refs[*].extensions.'mitre-attack-ext'.tactic_id": ["attacks.tactic_uids"]
+ }
+ },
+ "x-ibm-ttp-tagging": {
+ "fields":{
+ "name": ["attacks.technique_name"],
+ "extensions.'mitre-attack-ext'.tactic_id" : ["attacks.tactic_uids"],
+ "extensions.'mitre-attack-ext'.technique_id" : ["attacks.technique_uid"],
+ "extensions.'mitre-attack-ext'.technique_name" : ["attacks.technique_name"]
+ }
+ },
+ "x-symantec-policy": {
+ "fields": {
+ "name": ["policy.name"],
+ "effective_date": ["policy.effective_date"],
+ "rule_group_name": ["policy.rule_group_name"],
+ "rule_name": ["policy.rule_name"],
+ "rule_category": ["policy.rule_category_id"],
+ "type_id": ["policy.type_id"],
+ "rule_description": ["policy.rule_desc"],
+ "version": ["policy.version"],
+ "states": ["policy.state_ids"]
+ }
+ },
+ "x-user-session": {
+ "fields": {
+ "id": ["session.id", "actor.session.id"],
+ "is_admin": ["session.is_admin"],
+ "is_remote": ["session.remote", "actor.session.remote"],
+ "user_ref.user_id": ["session.user.name", "actor.session.user.name"],
+ "user_ref.account_login": ["session.user.logon_name", "actor.session.user.logon_name"],
+ "user_ref.is_privileged": ["session.user.is_admin", "actor.session.user.is_admin"],
+ "user_ref.x_domain": ["session.user.domain","actor.session.user.domain"],
+ "user_ref.x_sid": ["session.user.sid"]
+ }
+ },
+ "x-kernel-resource": {
+ "fields": {
+ "name": ["kernel.name"],
+ "type_id": ["kernel.type_id"]
+ }
+ },
+ "x-peripheral-device": {
+ "fields": {
+ "class": [
+ "peripheral_device.class"
+ ],
+ "instance_uid": [
+ "peripheral_device.instance_uid"
+ ],
+ "name": [
+ "peripheral_device.name"
+ ],
+ "serial": [
+ "peripheral_device.serial"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json
new file mode 100644
index 000000000..dc5d857f8
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json
@@ -0,0 +1,2569 @@ +{ + "uuid": { + "key": "x-oca-event.code", + "object": "event" + }, + "severity_id": { + "key": "x-oca-event.x_severity", + "object": "event", + "transformer": "ToSeverityValue" + }, + "category_id": { + "key": "x-oca-event.category", + "object": "event", + "transformer": "ToCategoryValue" + }, + "feature_name": { + "key": "x-oca-event.agent", + "object": "event" + }, + "time": [ + { + "key": "x-oca-event.created", + "object": "event", + "transformer": "TimestampToAddMilliseconds" + }, + { + "key": "x-oca-event.modified", + "object": "event", + "transformer": "TimestampToAddMilliseconds" + }, + { + "key": "last_observed", + "transformer": "TimestampToAddMilliseconds" + }, + { + "key": "first_observed", + "transformer": "TimestampToAddMilliseconds" + } + ], + "timezone": { + "key": "x-oca-event.timezone", + "object": "event" + }, + "duration": { + "key": "x-oca-event.duration", + "object": "event" + }, + "message": { + "key": "x-oca-event.description", + "object": "event" + }, + "product_name": { + "key": "x-oca-event.provider", + "object": "event" + }, + "id": { + "key": "x-oca-event.outcome", + "object": "event", + "transformer": "ToOutcomeString" + }, + "version": { + "key": "x-oca-event.x_event_type_version", + "object": "event" + }, + "type": { + "key": "x-oca-event.x_action", + "object": "event" + }, + "type_id": { + "key": "x-oca-event.x_event_type", + "object": "event" + }, + "event_id": { + "key": "x-oca-event.x_event_id", + "object": "event" + }, + "data": { + "key": "x-oca-event.x_event_data", + "object": "event" + }, + "product_ver": { + "key": "x-oca-event.x_provider_version", + "object": "event" + }, + "status_id": { + "key": "x-oca-event.x_event_status", + "object": "event", + "transformer": "ToStatusString" + }, + "device_public_ip": [ + { + "key": "ipv4-addr.value", + "object": "public_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": ["public_ip"], + "group": true + } + ], + "device_name": [ + { + 
"key": "x-oca-asset.hostname", + "object": "host" + }, + { + "key": "x-oca-event.host_ref", + "object": "event", + "references": "host" + } + ], + "device_type": { + "key": "x-oca-asset.host_type", + "object": "host" + }, + "device_group": { + "key": "x-oca-asset.x_host_group", + "object": "host" + }, + "device_domain": [ + { + "key": "domain-name.value", + "object": "host_domain", + "transformer": "ToDomainName" + }, + { + "key": "x-oca-asset.domain_ref", + "object": "host", + "references": "host_domain" + } + ], + "device_location": { + "country": [ + { + "key": "x-oca-geo.country_name", + "object": "host_geo" + }, + { + "key": "x-oca-asset.geo_ref", + "object": "host", + "references": "host_geo" + } + ], + "city": { + "key": "x-oca-geo.city_name", + "object": "host_geo" + }, + "continent": { + "key": "x-oca-geo.continent_name", + "object": "host_geo" + }, + "region": [ + { + "key": "x-oca-geo.region_name", + "object": "host_geo" + }, + { + "key": "x-oca-geo.region_iso_code", + "object": "host_geo" + } + ], + "desc": { + "key": "x-oca-geo.name", + "object": "host_geo" + }, + "coordinates": { + "key": "x-oca-geo.location", + "object": "host_geo" + }, + "on_premises": [ + { + "key": "x-oca-geo.x_is_on_premises", + "object": "host_geo" + }, + { + "key": "x-oca-asset.geo_ref", + "object": "host", + "references": "host_geo" + } + ] + }, + "device_networks": { + "ipv4": { + "key": "ipv4-addr.value", + "object": "device_ip" + }, + "ipv6": { + "key": "ipv6-addr.value", + "object": "device_ip6" + }, + "gateway_ip": { + "key": "ipv4-addr.value", + "object": "gateway_ip" + }, + "mac": [ + { + "key": "mac-addr.value", + "object": "device_mac", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "device_ip", + "references": [ + "device_mac" + ] + }, + { + "key": "ipv6-addr.resolves_to_refs", + "object": "device_ip6", + "references": [ + "device_mac" + ] + } + ], + "gateway_mac": { + "key": "mac-addr.value", + "object": "gateway_mac" + }, 
+ "groupIpReference": { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "device_ip", + "device_ip6", + "gateway_ip" + ], + "group_ref": true + }, + "groupMacReference": { + "key": "x-oca-asset.mac_refs", + "object": "host", + "references": [ + "device_mac", + "gateway_mac" + ], + "group_ref": true + } + }, + "device_ip": [ + { + "key": "ipv4-addr.value", + "object": "device_ip" + }, + { + "key": "ipv6-addr.value", + "object": "device_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": ["device_ip"], + "group": true + } + ], + "device_mac": [ + { + "key": "mac-addr.value", + "object": "device_mac", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "device_ip", + "references": ["device_mac"] + }, + { + "key": "x-oca-asset.mac_refs", + "object": "host", + "references": ["device_mac"] + } + ], + "device_os_type_id": { + "key": "software.x_os_type", + "object": "software", + "transformer": "ToDeviceOsTypeString" + }, + "device_os_name": [ + { + "key": "software.name", + "object": "software" + }, + { + "key": "x-oca-asset.os_ref", + "object": "host", + "references": "software" + } + ], + "device_os_ver": { + "key": "software.version", + "object": "software" + }, + "device_os_lang": { + "key": "software.languages", + "object": "software" + }, + "open_mode": { + "key": "file.x_open_mode", + "object": "file" + }, + "connection": { + "src_ip": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "connection", + "references": "src_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ], + "group": true + } + ], + "dst_ip": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "connection", + "references": "dst_ip" 
+ },
+ {
+ "key": "x-oca-asset.ip_refs",
+ "object": "host",
+ "references": [
+ "dst_ip"
+ ],
+ "group": true
+ }
+ ],
+ "dst_port": {
+ "key": "network-traffic.dst_port",
+ "object": "connection",
+ "transformer": "ToInteger"
+ },
+ "src_port": {
+ "key": "network-traffic.scr_port",
+ "object": "connection",
+ "transformer": "ToInteger"
+ },
+ "src_mac": [
+ {
+ "key": "mac-addr.value",
+ "object": "mac_src",
+ "transformer": "ToFormatMac"
+ },
+ {
+ "key": "ipv4-addr.resolves_to_refs",
+ "object": "src_ip",
+ "references": ["mac_src"]
+ }
+ ],
+ "dst_mac": [
+ {
+ "key": "mac-addr.value",
+ "object": "mac_dst",
+ "transformer": "ToFormatMac"
+ },
+ {
+ "key": "ipv4-addr.resolves_to_refs",
+ "object": "dst_ip",
+ "references": ["mac_dst"]
+ }
+ ],
+ "protocol_id": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "connection",
+ "transformer": "ToProtocolKeyWord"
+ },
+ {
+ "key": "x-oca-event.network_ref",
+ "object": "event",
+ "references": "connection"
+ }
+ ],
+ "bytes_upload": {
+ "key": "network-traffic.src_byte_count",
+ "object": "connection"
+ },
+ "bytes_download": {
+ "key": "network-traffic.dst_byte_count",
+ "object": "connection"
+ },
+ "direction_id": {
+ "key": "network-traffic.x_connection_direction",
+ "object": "connection",
+ "transformer": "ToDirectionString"
+ },
+ "dst_name": {
+ "key": "network-traffic.x_dst_name",
+ "object": "connection"
+ },
+ "src_name": {
+ "key": "network-traffic.x_src_name",
+ "object": "connection"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "con_url"
+ },
+ {
+ "key": "network-traffic.x_url_ref",
+ "object": "connection",
+ "references": "con_url"
+ }
+ ],
+ "host": {
+ "key":"url.x_url_host",
+ "object": "con_url"
+ },
+ "path": {
+ "key":"url.x_url_path",
+ "object": "con_url"
+ },
+ "port": {
+ "key":"url.x_url_port",
+ "object": "con_url"
+ }
+ }
+ },
+ "proxy_connection": {
+ "src_ip": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "src_proxy"
+ },
+ {
+ "key": "ipv6-addr.value",
+ "object": "src_proxy"
+ },
+ {
+ "key": "network-traffic.src_ref",
+ "object": "proxy_connection",
+ "references": "src_ip"
+ },
+ {
+ "key": "x-oca-asset.ip_refs",
+ "object": "host",
+ "references": [
+ "src_proxy"
+ ],
+ "group": true
+ }
+ ],
+ "dst_ip": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "dst_proxy"
+ },
+ {
+ "key": "ipv6-addr.value",
+ "object": "dst_proxy"
+ },
+ {
+ "key": "network-traffic.dst_ref",
+ "object": "proxy_connection",
+ "references": "dst_proxy"
+ },
+ {
+ "key": "x-oca-asset.ip_refs",
+ "object": "host",
+ "references": [
+ "dst_proxy"
+ ],
+ "group": true
+ }
+ ],
+ "dst_port": {
+ "key": "network-traffic.dst_port",
+ "object": "proxy_connection"
+ },
+ "src_port": {
+ "key": "network-traffic.scr_port",
+ "object": "proxy_connection"
+ },
+ "src_mac": [
+ {
+ "key": "mac-addr.value",
+ "object": "proxy_mac_src",
+ "transformer": "ToFormatMac"
+ },
+ {
+ "key": "ipv4-addr.resolves_to_refs",
+ "object": "src_proxy",
+ "references": ["proxy_mac_src"]
+ }
+ ],
+ "dst_mac": [
+ {
+ "key": "mac-addr.value",
+ "object": "proxy_mac_dst",
+ "transformer": "ToFormatMac"
+ },
+ {
+ "key": "ipv4-addr.resolves_to_refs",
+ "object": "dst_proxy",
+ "references": ["proxy_mac_dst"]
+ }
+ ],
+ "protocol_id": [
+ {
+ "key": "network-traffic.protocols",
+ "object": "proxy_connection"
+ },
+ {
+ "key": "x-oca-event.x_proxy_network_ref",
+ "object": "event",
+ "references": "proxy_connection"
+ }
+ ],
+ "bytes_upload": {
+ "key": "network-traffic.src_byte_count",
+ "object": "proxy_connection"
+ },
+ "bytes_download": {
+ "key": "network-traffic.dst_byte_count",
+ "object": "proxy_connection"
+ },
+ "direction_id": {
+ "key": "network-traffic.x_connection_direction",
+ "object": "proxy_connection",
+ "transformer": "ToDirectionString"
+ }
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "user"
+ },
+ {
+ "key": "x-oca-event.user_ref",
+ "object": "event",
+ "references": "user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "user"
+ },
+ "uid": {
+ "key": "user-account.x_user_uid",
+ "object": "user"
+ }
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "url"
+ },
+ {
+ "key": "x-oca-event.url_ref",
+ "object": "event",
+ "references": "url"
+ }
+ ]
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "actor",
+ "references": "file"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "event",
+ "references": "file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "file"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "actor_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "file",
+ "references": "actor_file_dir"
+ }
+ ],
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "actor_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "file",
+ "references": "actor_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "file",
+ "transformer": "ToFamilyIdString"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "file"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "file_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "file",
+ "references": "file_url"
+ }
+ ],
+ "host": {
+ "key":"url.x_url_host",
+ "object": "file_url"
+ },
+ "path": {
+ "key":"url.x_url_path",
+ "object": "file_url"
+ },
+ "port": {
+ "key":"url.x_url_port",
+ "object": "file_url"
+ }
+ }
+ },
+ "directory": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "directory"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "actor",
+ "references": "directory"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "event",
+ "references": "directory"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "directory"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "directory"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "directory"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "directory"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "directory",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "directory"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "directory"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "dir_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "directory",
+ "references": "dir_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "directory",
+ "transformer": "ToFamilyIdString"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "directory",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "directory"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "directory"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "directory"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "directory"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "directory"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "directory"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "directory"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "directory"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "process_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "directory",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "directory"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "directory"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "dir_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "directory",
+ "references": "dir_url"
+ }
+ ],
+ "host": {
+ "key":"url.x_url_host",
+ "object": "dir_url"
+ },
+ "path": {
+ "key":"url.x_url_path",
+ "object": "dir_url"
+ },
+ "port": {
+ "key":"url.x_url_port",
+ "object": "dir_url"
+ }
+ }
+ },
+ "actor": {
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "actor",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "x-oca-event.process_ref",
+ "object": "event",
+ "references": "actor"
+ }
+ ],
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "actor"
+ },
+ "start_time": {
+ "key": "process.created_time",
+ "object": "actor"
+ },
+ "tid": {
+ "key": "process.x_thread_id",
+ "object": "actor"
+ },
+ "uid": {
+ "key": "process.x_proc_uid",
+ "object": "actor"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "actor_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "actor",
+ "references": "actor_user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "actor_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "actor_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "actor_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "actor_user"
+ }
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "actor_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "actor",
+ "references": "actor_file"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "event",
+ "references": "actor_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "actor_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "actor_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "actor_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "actor_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "actor_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "actor_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "actor_file"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "actor_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "actor_file",
+ "references": "actor_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "actor_file"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "actor_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "actor_file"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "actor_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "actor_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "actor_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "actor_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "actor_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "actor_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "actor_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "actor_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "actor_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "actor_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "actor_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "actor_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "actor_file",
+ "references": "actor_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "actor_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "actor_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "actor_url"
+ }
+ }
+ },
+ "module": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "module_dll"
+ },
+ {
+ "key": "file.dll_ref",
+ "object": "actor_file",
+ "references": "module_dll"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "module_dll"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "module_dll"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "module_dll"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "module_dll"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "module_dll",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "module_dll"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "module_dll"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "module_dll_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "module_dll",
+ "references": "module_dll_dir"
+ }
+ ],
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "module_dll"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "module_dll"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "module_dll"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "module_dll"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "module_dll",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "module_dll",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "module_dll"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "module_dll"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "module_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "module_dll",
+ "references": "module_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "module_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "module_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "module_url"
+ }
+ }
+ },
+ "session": {
+ "id": [
+ {
+ "key": "x-user-session.id",
+ "object": "session"
+ },
+ {
+ "key": "x-oca-event.x_user_session_ref",
+ "object": "event",
+ "references": "session"
+ }
+ ],
+ "is_admin": {
+ "key": "x-user-session.is_admin",
+ "object": "session"
+ },
+ "remote": {
+ "key": "x-user-session.is_remote",
+ "object": "session"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "session_user"
+ },
+ {
+ "key": "x-user-session.user_ref",
+ "object": "session",
+ "references": "session_user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "session_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "session_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "session_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "session_user"
+ }
+ }
+ }
+ },
+ "process": {
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "process",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "process.child_refs",
+ "object": "actor",
+ "references": ["process"]
+ }
+ ],
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "process"
+ },
+ "start_time": {
+ "key": "process.created_time",
+ "object": "process"
+ },
+ "tid": {
+ "key": "process.x_thread_id",
+ "object": "process"
+ },
+ "uid": {
+ "key": "process.x_proc_uid",
+ "object": "process"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "process_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "process",
+ "references": "process_user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "process_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "process_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "process_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "process_user"
+ }
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "process_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "process",
+ "references": "process_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "process_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "process_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "process_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "process_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "process_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "process_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "process_file"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "process_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "process_file",
+ "references": "process_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "process_file"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "process_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "process_file"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "process_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "process_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "process_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "process_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "process_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "process_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "process_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "process_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "process_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "process_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "process_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "process_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "process_file",
+ "references": "process_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "process_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "process_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "process_url"
+ }
+ }
+ }
+ },
+ "parent": {
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "parent_proc",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "process.parent_ref",
+ "object": "actor",
+ "references": "parent_proc"
+ }
+ ],
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "parent_proc"
+ },
+ "tid": {
+ "key": "process.x_thread_id",
+ "object": "parent_proc"
+ },
+ "uid": {
+ "key": "process.x_proc_uid",
+ "object": "parent_proc"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "p_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "parent_proc",
+ "references": "p_user"
+ }
+ ],
+ "account_login": {
+ "key": "user-account.account_login",
+ "object": "p_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "p_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "p_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "p_user"
+ }
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "parent_proc_file"
+ },
+ {
+ "key": "process.image_ref",
+ "object": "parent_proc",
+ "references": "parent_proc_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "parent_proc_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "parent_proc_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "parent_proc_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "parent_proc_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "parent_proc_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "parent_proc_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "parent_proc_file"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "parent_proc_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "parent_proc_file",
+ "references": "parent_proc_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "parent_proc_file"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "parent_proc_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "parent_proc_file"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "parent_proc_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "parent_proc_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "parent_proc_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "parent_proc_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "parent_proc_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "parent_proc_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "parent_proc_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "parent_proc_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "parent_proc_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "parent_proc_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "parent_proc_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "parent_proc_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "parent_proc_file",
+ "references": "parent_proc_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "parent_proc_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "parent_proc_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "parent_proc_url"
+ }
+ }
+ }
+ },
+ "email": {
+ "sender_ip": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "sender_ip"
+ },
+ {
+ "key": "ipv6-addr.value",
+ "object": "sender_ip"
+ },
+ {
+ "key": "email-message.sender_ip_ref",
+ "object": "email_message",
+ "references": ["sender_ip"]
+ }
+ ],
+ "header_from": [
+ {
+ "key": "email-addr.value",
+ "object": "email_from"
+ },
+ {
+ "key": "email-message.from_ref",
+ "object": "email_message",
+ "references": ["email_from"]
+ },
+ {
+ "key": "email-message.is_multipart",
+ "object": "email_message",
+ "value" : true
+ }
+ ],
+ "header_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_to"
+ },
+ {
+ "key": "email-message.to_refs",
+ "object": "email_message",
+ "references": ["email_to"]
+ }
+ ],
+ "header_reply_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_reply_to"
+ },
+ {
+ "key": "email-message.additional_header_fields",
+ "object": "email_message",
+ "transformer" :"ReplyToDict",
+ "references": ["email_reply_to"]
+ }
+ ],
+ "smtp_from": [
+ {
+ "key": "email-addr.value",
+ "object": "email_smtp_from"
+ },
+ {
+ "key": "email-message.from_ref",
+ "object": "email_message",
+ "references": ["email_from"]
+ }
+ ],
+ "smtp_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_smtp_to"
+ },
+ {
+ "key": "email-message.to_refs",
+ "object": "email_message",
+ "references": ["email_to"]
+ }
+ ],
+ "header_subject": {
+ "key": "email-message.subject",
+ "object": "email_message"
+ },
+ "direction_id": {
+ "key": "email-message.x_email_direction",
+ "object": "email_message",
+ "transformer": "ToDirectionString"
+ },
+ "size": {
+ "key": "email-message.x_size",
+ "object": "email_message"
+ }
+ },
+ "email_uid": {
+ "key": "email-message.x_email_uid",
+ "object": "email_message"
+ },
+ "reg_key": {
+ "path": [
+ {
+ "key": "windows-registry-key.key",
+ "object": "win_registry"
+ },
+ {
+ "key": "x-oca-event.registry_ref",
+ "object": "event",
+ "references": "win_registry"
+ }
+ ],
+ "last_write": {
+ "key": "windows-registry-key.modified",
+ "object": "win_registry"
+ },
+ "is_system": {
+ "key": "windows-registry-key.x_is_system",
+ "object": "win_registry"
+ }
+ },
+ "reg_value": {
+ "path": [
+ {
+ "key": "windows-registry-key.key",
+ "object": "win_registry"
+ },
+ {
+ "key": "x-oca-event.registry_ref",
+ "object": "event",
+ "references": "win_registry"
+ }
+ ],
+ "data": {
+ "key": "windows-registry-key.values.data",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "name": {
+ "key": "windows-registry-key.values.name",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "type_id": {
+ "key": "windows-registry-key.values.data_type",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "last_write": {
+ "key": "windows-registry-key.modified",
+ "object": "win_registry"
+ },
+ "is_system": {
+ "key": "windows-registry-key.x_is_system",
+ "object": "win_registry"
+ }
+ },
+ "reason_id": {
+ "key": "x-ibm-finding.finding_type",
+ "object": "threat",
+ "transformer": "ToFindingTypeString"
+ },
+ "count": {
+ "key": "number_observed"
+ },
+ "threat": {
+ "name": {
+ "key": "x-ibm-finding.name",
+ "object": "threat"
+ },
+ "risk_id": {
+ "key": "x-ibm-finding.x_severity",
+ "object": "threat",
+ "transformer": "ToFindingSeverityString"
+ },
+ "type_id": {
+ "key": "x-ibm-finding.x_threat_type_id",
+ "object": "threat",
+ "transformer": "ToThreatTypeString"
+ },
+ "provider": {
+ "key": "x-ibm-finding.x_info_provider",
+ "object": "threat"
+ },
+ "id": {
+ "key": "x-ibm-finding.alert_id",
+ "object": "threat"
+ }
+ },
+ "attacks": {
+ "tactic_uids": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_id",
+ "object": "attack",
+ "transformer": "UnlistIfList"
+ },
+ "technique_uid": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_id",
+ "object": "attack"
+ },
+ "technique_name": [
+ {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
+ "object": "attack"
+ },
+ {
+ "key": "x-ibm-ttp-tagging.name",
+ "object": "attack"
+ }
+ ],
+ "groupReference": {
+ "key": "x-ibm-finding.ttp_tagging_refs",
+ "object": "threat",
+ "references": ["attack"],
+ "group_ref": true
+ }
+ },
+ "policy": {
+ "name": [
+ {
+ "key": "x-symantec-policy.name",
+ "object": "policy"
+ },
+ {
+ "key": "x-ibm-finding.x_policy_ref",
+ "object": "threat",
+ "references": "policy"
+ },
+ {
+ "key": "x-oca-event.x_policy_ref",
+ "object": "event",
+ "references": "policy"
+ }
+ ],
+ "desc": {
+ "key": "x-symantec-policy.description",
+ "object": "policy"
+ },
+ "effective_date": {
+ "key": "x-symantec-policy.effective_date",
+ "object": "policy"
+ },
+ "group_name": {
+ "key": "x-symantec-policy.group_name",
+ "object": "policy"
+ },
+ "rule_group_name": {
+ "key": "x-symantec-policy.rule_group_name",
+ "object": "policy"
+ },
+ "rule_name": {
+ "key": "x-symantec-policy.rule_name",
+ "object": "policy"
+ },
+ "rule_category_id": {
+ "key": "x-symantec-policy.rule_category",
+ "object": "policy"
+ },
+ "type_id": {
+ "key": "x-symantec-policy.type_id",
+ "object": "policy"
+ },
+ "rule_desc": {
+ "key": "x-symantec-policy.rule_description",
+ "object": "policy"
+ },
+ "rule_group_desc": {
+ "key": "x-symantec-policy.rule_group_desc",
+ "object": "policy"
+ },
+ "version": {
+ "key": "x-symantec-policy.version",
+ "object": "policy"
+ },
+ "state_ids": {
+ "key": "x-symantec-policy.states",
+ "object": "policy"
+ }
+ },
+ "change_type_id" : {
+ "key": "x-symantec-policy.change_type_id",
+ "object": "policy"
+ },
+ "session": {
+ "id": [
+ {
+ "key": "x-user-session.id",
+ "object": "session"
+ },
+ {
+ "key": "x-oca-event.x_user_session_ref",
+ "object": "event",
+ "references": "session"
+ }
+ ],
+ "is_admin": {
+ "key": "x-user-session.is_admin",
+ "object": "session"
+ },
+ "remote": {
+ "key": "x-user-session.is_remote",
+ "object": "session"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "session_user"
+ },
+ {
+ "key": "x-user-session.user_ref",
+ "object": "session",
+ "references": "session_user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "session_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "session_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "session_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "session_user"
+ }
+ }
+ },
+ "kernel":{
+ "name": [
+ {
+ "key": "x-kernel-resource.name",
+ "object": "kernel"
+ },
+ {
+ "key": "x-oca-event.x_kernel_resource_ref",
+ "object": "event",
+ "references": "kernel"
+ }
+ ],
+ "type_id": {
+ "key": "x-kernel-resource.type_id",
+ "object": "kernel",
+ "transformer": "ToKernelType"
+ },
+ "system_call": {
+ "key": "x-kernel-resource.system_call",
+ "object": "kernel"
+ }
+ },
+ "certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "client-cert"
+ },
+ {
+ "key": "x-oca-event.x_certificate_ref",
+ "object": "event",
+ "references": "client-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "client-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "client-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "client-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "client-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "client-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "client-cert"
+ }
+ },
+ "tls": {
+ "cipher": {
+ "key": "x-symantec-tls.cipher",
+ "object": "tls_obj"
+ },
+ "cipher_size": {
+ "key": "x-symantec-tls.cipher_size",
+ "object": "tls_obj"
+ },
+ "cipher_strength": {
+ "key": "x-symantec-tls.cipher_strength",
+ "object": "tls_obj"
+ },
+ "is_advertised": {
+ "key": "x-symantec-tls.is_advertised",
+ "object": "tls_obj"
+ },
+ "is_used": {
+ "key": "x-symantec-tls.is_used",
+ "object": "tls_obj"
+ },
+ "issuer_keyring": {
+ "key": "x-symantec-tls.issuer_keyring",
+ "object": "tls_obj"
+ },
+ "key_length": {
+ "key": "x-symantec-tls.key_length",
+ "object": "tls_obj"
+ },
+ "tls_policy_id": {
+ "key": "x-symantec-tls.tls_policy_id",
+ "object": "tls_obj"
+ },
+ "version": {
+ "key": "x-symantec-tls.protocol_version",
+ "object": "tls_obj"
+ },
+ "client_certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "client-cert"
+ },
+ {
+ "key": "x-symantec-tls.client_certificate_ref",
+ "object": "tls_obj",
+ "references": "client-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "client-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "client-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "client-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "client-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "client-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "client-cert"
+ }
+ },
+ "server_certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "server-cert"
+ },
+ {
+ "key": "x-symantec-tls.server_certificate_ref",
+ "object": "tls_obj",
+ "references": "server-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "server-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "server-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "server-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "server-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "server-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "server-cert"
+ }
+ }
+ },
+ "container": {
+ "host_name": {
+ "key": "",
+ "object": "container"
+ },
+ "image_name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.image_name",
+ "object": "container"
+ },
+ "image_uid": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.image_id",
+ "object": "container"
+ },
+ "name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.name",
+ "object": "container"
+ },
+ "os_name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.os_name",
+ "object": "container"
+ },
+ "uid": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.container_id",
+ "object": "container"
+ }
+
+ },
+ "module": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "module"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "event",
+ "references": "module"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "module"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "module"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "module"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "module"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "module",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "module"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "module"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "module_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "module",
+ "references": "module_dir"
+ }
+ ],
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "module"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "module"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "module"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "module"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "module",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "module",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "module"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "module"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "module_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "module",
+ "references": "module_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "module_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "module_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "module_url"
+ }
+ }
+ },
+ "startup_app" : {
+ "name" : [
+ {
+ "key": "software.name",
+ "object": "app"
+ },
+ {
+ "key": "x-oca-event.x_startup_application",
+ "object": "event"
+ }
+ ],
+ "cmd_line" : {
+ "key": "software.x_cmd_line",
+ "object": "app"
+ },
+ "desc" : {
+ "key": "software.x_app_description",
+ "object": "app"
+ },
+ "run_state_id" : {
+ "key": "software.x_service_state_id",
+ "object": "app"
+ },
+ "start_id" : {
+ "key": "software.x_start_type_id",
+ "object": "app"
+ },
+ "type_ids" : {
+ "key": "software.x_type_ids",
+ "object": "app"
+ },
+ "vendor" : {
+ "key": "software.vendor",
+ "object": "app"
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "app_file"
+ },
+ {
+ "key": "software.x_file_ref",
+ "object": "app",
+ "references": "app_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "app_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "app_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "app_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "app_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "app_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "app_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "app_file"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "app_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "app_file",
+ "references": "app_file_dir"
+ }
+ ],
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "app_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "app_file",
+ "references": "app_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "app_file",
+ "transformer": "ToFamilyIdString"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "app_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.ctime",
+ "object": "app_file"
+ },
+ "modified": {
+ "key": "file.mtime",
+ "object": "app_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "app_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "app_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "app_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "app_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "app_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "app_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "app_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "app_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "app_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "app_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "app_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "app_file",
+ "references": "app_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "app_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "app_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "app_url"
+ }
+ }
+ }
+ },
+ "config_path" : {
+ "key": "software.x_config_path",
+ "object": "app"
+ },
+ "command_name": {
+ "key": "x-oca-event.x_command_name",
+ "object": "event"
+ },
+ "command_uid" : {
+ "key": "x-oca-event.x_command_uid",
+ "object": "event"
+ },
+ "interpreter" : {
+ "key": "x-oca-event.x_script_interpreter",
+ "object": "event"
+ },
+ "peripheral_device" : {
+ "class": {
+ "key": "x-peripheral-device.class",
+ "object": "peripheral"
+ },
+ "name": [
+ {
+ "key": "x-peripheral-device.name",
+ "object": "peripheral"
+ },
+ {
+ "key": "x-oca-event.x_peripheral_device_ref",
+ "object": "event",
+ "references": "peripheral"
+ }
+ ],
+ "serial": {
+ "key": "x-peripheral-device.serial",
+ "object": "peripheral"
+ },
+ "vendor": {
+ "key": "x-peripheral-device.vendor",
+ "object": "peripheral"
+ },
+ "model": {
+ "key": "x-peripheral-device.model",
+ "object": "peripheral"
+ },
+ "instance_uid": {
+ "key": "x-peripheral-device.instance_uid",
+ "object": "peripheral"
+ }
+ },
+ "dst_endpoint_app": {
+ "name" : [
+ {
+ "key": "software.name",
+ "object": "dst_app_service"
+ },
+ {
+ "key": "x-oca-event.x_dst_app_service_ref",
+ "object": "event",
+ "references": "dst_app_service"
+ }
+ ],
+ "operation" : {
+ "key": "software.x_app_operation",
+ "object": "dst_app_service"
+ },
+ "groups" : {
+ "key": "software.x_app_groups",
+ "object": "dst_app_service"
+ }
+ },
+ "device_cloud_vm": {
+ "instance_uid": [
+ {
+
"key": "x-cloud-device.instance_uid", + "object": "cloud_vm" + }, + { + "key": "x-oca-event.x_cloud_device_ref", + "object": "event", + "references": "cloud_vm" + } + ], + "subnet_uid": { + "key": "x-cloud-device.subnet_uid", + "object": "cloud_vm" + }, + "vpc_uid": { + "key": "x-cloud-device.vpc_uid", + "object": "cloud_vm" + }, + "dc_region": { + "key": "x-cloud-device.dc_region", + "object": "cloud_vm" + } + } +} \ No newline at end of file diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json new file mode 100644 index 000000000..5856dadae --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json 
@@ -0,0 +1,2576 @@ +{ + "uuid": { + "key": "x-oca-event.code", + "object": "event" + }, + "severity_id": { + "key": "x-oca-event.severity", + "object": "event", + "transformer": "ToSeverityValue" + }, + "category_id": { + "key": "x-oca-event.category", + "object": "event", + "transformer": "ToCategoryValue" + }, + "feature_name": { + "key": "x-oca-event.agent", + "object": "event" + }, + "time": [ + { + "key": "x-oca-event.created", + "object": "event", + "transformer": "TimestampToAddMilliseconds" + }, + { + "key": "last_observed", + "transformer": "TimestampToAddMilliseconds" + }, + { + "key": "first_observed", + "transformer": "TimestampToAddMilliseconds" + } + ], + "timezone": { + "key": "x-oca-event.timezone", + "object": "event" + }, + "duration": { + "key": "x-oca-event.duration", + "object": "event" + }, + "message": { + "key": "x-oca-event.description", + "object": "event" + }, + "product_name": { + "key": "x-oca-event.provider", + "object": "event" + }, + "id": { + "key": "x-oca-event.outcome", + "object": "event", + "transformer": "ToOutcomeString" + }, + "version": { + "key": "x-oca-event.x_event_type_version", + "object": "event" + }, + "type": { + "key": "x-oca-event.action", + "object": "event" + }, + "type_id": { + "key": "x-oca-event.x_event_type", + "object": "event" + }, + "event_id": { + "key": "x-oca-event.x_event_id", + "object": "event" + }, + "data": { + "key": "x-oca-event.x_event_data", + "object": "event" + }, + "product_ver": { + "key": "x-oca-event.x_provider_version", + "object": "event" + }, + "status_id": { + "key": "x-oca-event.x_event_status", + "object": "event", + "transformer": "ToStatusString" + }, + "device_public_ip": [ + { + "key": "ipv4-addr.value", + "object": "public_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": ["public_ip"], + "group": true + } + ], + "device_name": [ + { + "key": "x-oca-asset.hostname", + "object": "host" + }, + { + "key": "x-oca-event.host_ref", + "object": "event", 
+ "references": "host" + } + ], + "device_type": { + "key": "x-oca-asset.host_type", + "object": "host" + }, + "device_group": { + "key": "x-oca-asset.x_host_group", + "object": "host" + }, + "device_domain": [ + { + "key": "domain-name.value", + "object": "host_domain", + "transformer": "ToDomainName" + }, + { + "key": "x-oca-asset.domain_ref", + "object": "host", + "references": "host_domain" + } + ], + "device_location": { + "country": [ + { + "key": "x-oca-geo.country_name", + "object": "host_geo" + }, + { + "key": "x-oca-asset.geo_ref", + "object": "host", + "references": "host_geo" + } + ], + "city": { + "key": "x-oca-geo.city_name", + "object": "host_geo" + }, + "continent": { + "key": "x-oca-geo.continent_name", + "object": "host_geo" + }, + "region": [ + { + "key": "x-oca-geo.region_name", + "object": "host_geo" + }, + { + "key": "x-oca-geo.region_iso_code", + "object": "host_geo" + } + ], + "desc": { + "key": "x-oca-geo.name", + "object": "host_geo" + }, + "coordinates": { + "key": "x-oca-geo.location", + "object": "host_geo" + }, + "on_premises": [ + { + "key": "x-oca-geo.x_is_on_premises", + "object": "host_geo" + }, + { + "key": "x-oca-asset.geo_ref", + "object": "host", + "references": "host_geo" + } + ] + }, + "device_networks": { + "ipv4": { + "key": "ipv4-addr.value", + "object": "device_ip" + }, + "ipv6": { + "key": "ipv6-addr.value", + "object": "device_ip6" + }, + "gateway_ip": { + "key": "ipv4-addr.value", + "object": "gateway_ip" + }, + "mac": [ + { + "key": "mac-addr.value", + "object": "device_mac", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "device_ip", + "references": [ + "device_mac" + ] + }, + { + "key": "ipv6-addr.resolves_to_refs", + "object": "device_ip6", + "references": [ + "device_mac" + ] + } + ], + "gateway_mac": { + "key": "mac-addr.value", + "object": "gateway_mac" + }, + "groupIpReference": { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "device_ip", + 
"device_ip6", + "gateway_ip" + ], + "group_ref": true + }, + "groupMacReference": { + "key": "x-oca-asset.mac_refs", + "object": "host", + "references": [ + "device_mac", + "gateway_mac" + ], + "group_ref": true + } + }, + "device_ip": [ + { + "key": "ipv4-addr.value", + "object": "device_ip" + }, + { + "key": "ipv6-addr.value", + "object": "device_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": ["device_ip"], + "group": true + } + ], + "device_mac": [ + { + "key": "mac-addr.value", + "object": "device_mac", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "device_ip", + "references": ["device_mac"] + }, + { + "key": "x-oca-asset.mac_refs", + "object": "host", + "references": ["device_mac"] + } + ], + "device_os_type_id": { + "key": "software.x_os_type", + "object": "software", + "transformer": "ToDeviceOsTypeString" + }, + "device_os_name": [ + { + "key": "software.name", + "object": "software" + }, + { + "key": "x-oca-asset.os_ref", + "object": "host", + "references": "software" + } + ], + "device_os_ver": { + "key": "software.version", + "object": "software" + }, + "device_os_lang": { + "key": "software.languages", + "object": "software" + }, + "open_mode": { + "key": "file.x_open_mode", + "object": "file" + }, + "connection": { + "src_ip": [ + { + "key": "ipv4-addr.value", + "object": "src_ip" + }, + { + "key": "ipv6-addr.value", + "object": "src_ip" + }, + { + "key": "network-traffic.src_ref", + "object": "connection", + "references": "src_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_ip" + ], + "group": true + } + ], + "dst_ip": [ + { + "key": "ipv4-addr.value", + "object": "dst_ip" + }, + { + "key": "ipv6-addr.value", + "object": "dst_ip" + }, + { + "key": "network-traffic.dst_ref", + "object": "connection", + "references": "dst_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "dst_ip" + ], + "group": true 
+ } + ], + "dst_port": { + "key": "network-traffic.dst_port", + "object": "connection", + "transformer": "ToInteger" + }, + "src_port": { + "key": "network-traffic.scr_port", + "object": "connection", + "transformer": "ToInteger" + }, + "src_mac": [ + { + "key": "mac-addr.value", + "object": "mac_src", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "src_ip", + "references": ["mac_src"] + } + ], + "dst_mac": [ + { + "key": "mac-addr.value", + "object": "mac_dst", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "dst_ip", + "references": ["mac_dst"] + } + ], + "protocol_id": [ + { + "key": "network-traffic.protocols", + "object": "connection", + "transformer": "ToProtocolKeyWord" + }, + { + "key": "x-oca-event.network_ref", + "object": "event", + "references": "connection" + } + ], + "bytes_upload": { + "key": "network-traffic.src_byte_count", + "object": "connection" + }, + "bytes_download": { + "key": "network-traffic.dst_byte_count", + "object": "connection" + }, + "direction_id": { + "key": "network-traffic.x_connection_direction", + "object": "connection", + "transformer": "ToDirectionString" + }, + "dst_name": { + "key": "network-traffic.x_dst_name", + "object": "connection" + }, + "src_name": { + "key": "network-traffic.x_src_name", + "object": "connection" + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "con_url" + }, + { + "key": "network-traffic.x_url_ref", + "object": "connection", + "references": "con_url" + } + ], + "host": { + "key":"url.x_url_host", + "object": "con_url" + }, + "path": { + "key":"url.x_url_path", + "object": "con_url" + }, + "port": { + "key":"url.x_url_port", + "object": "con_url" + } + } + }, + "proxy_connection": { + "src_ip": [ + { + "key": "ipv4-addr.value", + "object": "src_proxy" + }, + { + "key": "ipv6-addr.value", + "object": "src_proxy" + }, + { + "key": "network-traffic.src_ref", + "object": "proxy_connection", + 
"references": "src_ip" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "src_proxy" + ], + "group": true + } + ], + "dst_ip": [ + { + "key": "ipv4-addr.value", + "object": "dst_proxy" + }, + { + "key": "ipv6-addr.value", + "object": "dst_proxy" + }, + { + "key": "network-traffic.dst_ref", + "object": "proxy_connection", + "references": "dst_proxy" + }, + { + "key": "x-oca-asset.ip_refs", + "object": "host", + "references": [ + "dst_proxy" + ], + "group": true + } + ], + "dst_port": { + "key": "network-traffic.dst_port", + "object": "proxy_connection" + }, + "src_port": { + "key": "network-traffic.scr_port", + "object": "proxy_connection" + }, + "src_mac": [ + { + "key": "mac-addr.value", + "object": "proxy_mac_src", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "src_proxy", + "references": ["proxy_mac_src"] + } + ], + "dst_mac": [ + { + "key": "mac-addr.value", + "object": "proxy_mac_dst", + "transformer": "ToFormatMac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "dst_proxy", + "references": ["proxy_mac_dst"] + } + ], + "protocol_id": [ + { + "key": "network-traffic.protocols", + "object": "proxy_connection" + }, + { + "key": "x-oca-event.x_proxy_network_ref", + "object": "event", + "references": "proxy_connection" + } + ], + "bytes_upload": { + "key": "network-traffic.src_byte_count", + "object": "proxy_connection" + }, + "bytes_download": { + "key": "network-traffic.dst_byte_count", + "object": "proxy_connection" + }, + "direction_id": { + "key": "network-traffic.x_connection_direction", + "object": "proxy_connection", + "transformer": "ToDirectionString" + } + }, + "user": { + "name": [ + { + "key": "user-account.user_id", + "object": "user" + }, + { + "key": "x-oca-event.user_ref", + "object": "event", + "references": "user" + } + ], + "logon_name": { + "key": "user-account.account_login", + "object": "user" + }, + "is_admin": { + "key": "user-account.is_privileged", + 
"object": "user" + }, + "domain": { + "key": "user-account.x_user_domain", + "object": "user" + }, + "sid": { + "key": "user-account.x_user_sid", + "object": "user" + }, + "uid": { + "key": "user-account.x_user_uid", + "object": "user" + } + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "url" + }, + { + "key": "x-oca-event.url_ref", + "object": "event", + "references": "url" + } + ] + }, + "file": { + "name": [ + { + "key": "file.name", + "object": "file" + }, + { + "key": "process.binary_ref", + "object": "actor", + "references": "file" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "file" + } + ], + "size": { + "key": "file.size", + "object": "file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "file" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "file" + }, + "sha2": { + "key": "file.hashes.SHA-256", + "object": "file" + }, + "type_id": { + "key": "file.x_file_type", + "object": "file", + "transformer": "ToFileTypeString" + }, + "rep_score": { + "key": "file.x_rep_score", + "object": "file" + }, + "version": { + "key": "file.x_file_version", + "object": "file" + }, + "path": [ + { + "key": "directory.path", + "object": "actor_file_dir" + }, + { + "key": "file.parent_directory_ref", + "object": "file", + "references": "actor_file_dir" + } + ], + "folder": [ + { + "key": "directory.path", + "object": "actor_file_dir" + }, + { + "key": "file.parent_directory_ref", + "object": "file", + "references": "actor_file_dir" + } + ], + "content_type": { + "family_id": { + "key": "file.x_family_type", + "object": "file", + "transformer": "ToFamilyIdString" + }, + "type_id": { + "key": "file.x_content_type", + "object": "file", + "transformer": "ToFileContentTypeString" + } + }, + "created": { + "key": "file.created", + "object": "file" + }, + "modified": { + "key": "file.modified", + "object": "file" + }, + "accessed": { + "key": "file.accessed", + "object": "file" + }, + "mime_type": { + "key": 
"file.mime_type", + "object": "file" + }, + "signature_issuer": { + "key": "file.x_signature_issuer", + "object": "file" + }, + "signature_value": { + "key": "file.x_signature_value", + "object": "file" + }, + "signature_level_id": { + "key": "file.x_signature_level_id", + "object": "file" + }, + "signature_serial_number": { + "key": "file.x_signature_serial_number", + "object": "file" + }, + "signature_value_ids": { + "key": "file.x_signature_value_ids", + "object": "file", + "transformer": "ToListValue" + }, + "signature_created_date": { + "key": "file.x_signature_created_date", + "object": "file", + "transformer": "EpochSecondsToTimestamp" + }, + "signature_company_name": { + "key": "file.x_signature_company_name", + "object": "file" + }, + "signature_fingerprints": { + "key": "file.x_signature_fingerprints", + "object": "file" + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "file_url" + }, + { + "key": "file.x_url_ref", + "object": "file", + "references": "file_url" + } + ], + "host": { + "key":"url.x_url_host", + "object": "file_url" + }, + "path": { + "key":"url.x_url_path", + "object": "file_url" + }, + "port": { + "key":"url.x_url_port", + "object": "file_url" + } + } + }, + "directory": { + "name": [ + { + "key": "file.name", + "object": "directory" + }, + { + "key": "process.binary_ref", + "object": "actor", + "references": "directory" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "directory" + } + ], + "size": { + "key": "file.size", + "object": "directory" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "directory" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "directory" + }, + "sha2": { + "key": "file.hashes.SHA-256", + "object": "directory" + }, + "type_id": { + "key": "file.x_file_type", + "object": "directory", + "transformer": "ToFileTypeString" + }, + "rep_score": { + "key": "file.x_rep_score", + "object": "directory" + }, + "version": { + "key": "file.x_file_version", + 
"object": "directory" + }, + "folder": [ + { + "key": "directory.path", + "object": "dir_file_dir" + }, + { + "key": "file.parent_directory_ref", + "object": "directory", + "references": "dir_file_dir" + } + ], + "content_type": { + "family_id": { + "key": "file.x_family_type", + "object": "directory", + "transformer": "ToFamilyIdString" + }, + "type_id": { + "key": "file.x_content_type", + "object": "directory", + "transformer": "ToFileContentTypeString" + } + }, + "created": { + "key": "file.created", + "object": "directory" + }, + "modified": { + "key": "file.modified", + "object": "directory" + }, + "accessed": { + "key": "file.accessed", + "object": "directory" + }, + "mime_type": { + "key": "file.mime_type", + "object": "directory" + }, + "signature_issuer": { + "key": "file.x_signature_issuer", + "object": "directory" + }, + "signature_value": { + "key": "file.x_signature_value", + "object": "directory" + }, + "signature_level_id": { + "key": "file.x_signature_level_id", + "object": "directory" + }, + "signature_serial_number": { + "key": "file.x_signature_serial_number", + "object": "directory" + }, + "signature_value_ids": { + "key": "file.x_signature_value_ids", + "object": "process_file", + "transformer": "ToListValue" + }, + "signature_created_date": { + "key": "file.x_signature_created_date", + "object": "directory", + "transformer": "EpochSecondsToTimestamp" + }, + "signature_company_name": { + "key": "file.x_signature_company_name", + "object": "directory" + }, + "signature_fingerprints": { + "key": "file.x_signature_fingerprints", + "object": "directory" + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "dir_url" + }, + { + "key": "file.x_url_ref", + "object": "directory", + "references": "dir_url" + } + ], + "host": { + "key":"url.x_url_host", + "object": "dir_url" + }, + "path": { + "key":"url.x_url_path", + "object": "dir_url" + }, + "port": { + "key":"url.x_url_port", + "object": "dir_url" + } + } + }, + "actor": { + "pid": [ + { 
+ "key": "process.pid", + "object": "actor", + "transformer": "ToInteger" + }, + { + "key": "x-oca-event.process_ref", + "object": "event", + "references": "actor" + } + ], + "cmd_line": { + "key": "process.command_line", + "object": "actor" + }, + "app_name": { + "key": "process.name", + "object": "actor" + }, + "start_time": { + "key": "process.created", + "object": "actor" + }, + "tid": { + "key": "process.x_thread_id", + "object": "actor" + }, + "uid": { + "key": "process.x_proc_uid", + "object": "actor" + }, + "user": { + "name": [ + { + "key": "user-account.user_id", + "object": "actor_user" + }, + { + "key": "process.creator_user_ref", + "object": "actor", + "references": "actor_user" + } + ], + "logon_name": { + "key": "user-account.account_login", + "object": "actor_user" + }, + "is_admin": { + "key": "user-account.is_privileged", + "object": "actor_user" + }, + "domain": { + "key": "user-account.x_user_domain", + "object": "actor_user" + }, + "sid": { + "key": "user-account.x_user_sid", + "object": "actor_user" + } + }, + "file": { + "name": [ + { + "key": "file.name", + "object": "actor_file" + }, + { + "key": "process.binary_ref", + "object": "actor", + "references": "actor_file" + }, + { + "key": "x-oca-event.file_ref", + "object": "event", + "references": "actor_file" + } + ], + "size": { + "key": "file.size", + "object": "actor_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "actor_file" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "actor_file" + }, + "sha2": { + "key": "file.hashes.SHA-256", + "object": "actor_file" + }, + "type_id": { + "key": "file.x_file_type", + "object": "actor_file", + "transformer": "ToFileTypeString" + }, + "rep_score": { + "key": "file.x_rep_score", + "object": "actor_file" + }, + "version": { + "key": "file.x_file_version", + "object": "actor_file" + }, + "folder": [ + { + "key": "directory.path", + "object": "actor_file_dir" + }, + { + "key": "file.parent_directory_ref", + "object": 
"actor_file", + "references": "actor_file_dir" + } + ], + "content_type": { + "family_id": { + "key": "file.x_family_type", + "object": "actor_file" + }, + "type_id": { + "key": "file.x_content_type", + "object": "actor_file", + "transformer": "ToFileContentTypeString" + } + }, + "created": { + "key": "file.created", + "object": "actor_file" + }, + "modified": { + "key": "file.modified", + "object": "actor_file" + }, + "accessed": { + "key": "file.accessed", + "object": "actor_file" + }, + "mime_type": { + "key": "file.mime_type", + "object": "actor_file" + }, + "signature_issuer": { + "key": "file.x_signature_issuer", + "object": "actor_file" + }, + "signature_value": { + "key": "file.x_signature_value", + "object": "actor_file" + }, + "signature_level_id": { + "key": "file.x_signature_level_id", + "object": "actor_file" + }, + "signature_serial_number": { + "key": "file.x_signature_serial_number", + "object": "actor_file" + }, + "signature_value_ids": { + "key": "file.x_signature_value_ids", + "object": "actor_file", + "transformer": "ToListValue" + }, + "signature_created_date": { + "key": "file.x_signature_created_date", + "object": "actor_file", + "transformer": "EpochSecondsToTimestamp" + }, + "signature_company_name": { + "key": "file.x_signature_company_name", + "object": "actor_file" + }, + "signature_fingerprints": { + "key": "file.x_signature_fingerprints", + "object": "actor_file" + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "actor_url" + }, + { + "key": "file.x_url_ref", + "object": "actor_file", + "references": "actor_url" + } + ], + "host": { + "key": "url.x_url_host", + "object": "actor_url" + }, + "path": { + "key": "url.x_url_path", + "object": "actor_url" + }, + "port": { + "key": "url.x_url_port", + "object": "actor_url" + } + } + }, + "module": { + "name": [ + { + "key": "file.name", + "object": "module_dll" + }, + { + "key": "file.dll_ref", + "object": "actor_file", + "references": "module_dll" + } + ], + "size": { + 
"key": "file.size", + "object": "module_dll" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "module_dll" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "module_dll" + }, + "sha2": { + "key": "file.hashes.SHA-256", + "object": "module_dll" + }, + "type_id": { + "key": "file.x_file_type", + "object": "module_dll", + "transformer": "ToFileTypeString" + }, + "rep_score": { + "key": "file.x_rep_score", + "object": "module_dll" + }, + "version": { + "key": "file.x_file_version", + "object": "module_dll" + }, + "folder": [ + { + "key": "directory.path", + "object": "module_dll_dir" + }, + { + "key": "file.parent_directory_ref", + "object": "module_dll", + "references": "module_dll_dir" + } + ], + "signature_issuer": { + "key": "file.x_signature_issuer", + "object": "module_dll" + }, + "signature_value": { + "key": "file.x_signature_value", + "object": "module_dll" + }, + "signature_level_id": { + "key": "file.x_signature_level_id", + "object": "module_dll" + }, + "signature_serial_number": { + "key": "file.x_signature_serial_number", + "object": "module_dll" + }, + "signature_value_ids": { + "key": "file.x_signature_value_ids", + "object": "module_dll", + "transformer": "ToListValue" + }, + "signature_created_date": { + "key": "file.x_signature_created_date", + "object": "module_dll", + "transformer": "EpochSecondsToTimestamp" + }, + "signature_company_name": { + "key": "file.x_signature_company_name", + "object": "module_dll" + }, + "signature_fingerprints": { + "key": "file.x_signature_fingerprints", + "object": "module_dll" + }, + "url": { + "text": [ + { + "key": "url.value", + "object": "module_url" + }, + { + "key": "file.x_url_ref", + "object": "module_dll", + "references": "module_url" + } + ], + "host": { + "key": "url.x_url_host", + "object": "module_url" + }, + "path": { + "key": "url.x_url_path", + "object": "module_url" + }, + "port": { + "key": "url.x_url_port", + "object": "module_url" + } + } + }, + "session": { + "id": [ + { + "key": 
"x-user-session.id", + "object": "session" + }, + { + "key": "x-oca-event.x_user_session_ref", + "object": "event", + "references": "session" + } + ], + "is_admin": { + "key": "x-user-session.is_admin", + "object": "session" + }, + "remote": { + "key": "x-user-session.is_remote", + "object": "session" + }, + "user": { + "name": [ + { + "key": "user-account.user_id", + "object": "session_user" + }, + { + "key": "x-user-session.user_ref", + "object": "session", + "references": "session_user" + } + ], + "logon_name": { + "key": "user-account.account_login", + "object": "session_user" + }, + "is_admin": { + "key": "user-account.is_privileged", + "object": "session_user" + }, + "domain": { + "key": "user-account.x_user_domain", + "object": "session_user" + }, + "sid": { + "key": "user-account.x_user_sid", + "object": "session_user" + } + } + } + }, + "process": { + "pid": [ + { + "key": "process.pid", + "object": "process", + "transformer": "ToInteger" + }, + { + "key": "process.child_refs", + "object": "actor", + "references": ["process"] + } + ], + "cmd_line": { + "key": "process.command_line", + "object": "process" + }, + "app_name": { + "key": "process.name", + "object": "process" + }, + "start_time": { + "key": "process.created", + "object": "process" + }, + "tid": { + "key": "process.x_thread_id", + "object": "process" + }, + "uid": { + "key": "process.x_proc_uid", + "object": "process" + }, + "user": { + "name": [ + { + "key": "user-account.user_id", + "object": "process_user" + }, + { + "key": "process.creator_user_ref", + "object": "process", + "references": "process_user" + } + ], + "logon_name": { + "key": "user-account.account_login", + "object": "process_user" + }, + "is_admin": { + "key": "user-account.is_privileged", + "object": "process_user" + }, + "domain": { + "key": "user-account.x_user_domain", + "object": "process_user" + }, + "sid": { + "key": "user-account.x_user_sid", + "object": "process_user" + } + }, + "file": { + "name": [ + { + "key": 
"file.name", + "object": "process_file" + }, + { + "key": "process.binary_ref", + "object": "process", + "references": "process_file" + } + ], + "size": { + "key": "file.size", + "object": "process_file" + }, + "md5": { + "key": "file.hashes.MD5", + "object": "process_file" + }, + "sha1": { + "key": "file.hashes.SHA-1", + "object": "process_file" + }, + "sha2": { + "key": "file.hashes.SHA-256", + "object": "process_file" + }, + "type_id": { + "key": "file.x_file_type", + "object": "process_file", + "transformer": "ToFileTypeString" + }, + "rep_score": { + "key": "file.x_rep_score", + "object": "process_file" + }, + "version": { + "key": "file.x_file_version", + "object": "process_file" + }, + "folder": [ + { + "key": "directory.path", + "object": "process_file_dir" + }, + { + "key": "file.parent_directory_ref", + "object": "process_file", + "references": "process_file_dir" + } + ], + "content_type": { + "family_id": { + "key": "file.x_family_type", + "object": "process_file" + }, + "type_id": { + "key": "file.x_content_type", + "object": "process_file", + "transformer": "ToFileContentTypeString" + } + }, + "created": { + "key": "file.created", + "object": "process_file" + }, + "modified": { + "key": "file.modified", + "object": "process_file" + }, + "accessed": { + "key": "file.accessed", + "object": "process_file" + }, + "mime_type": { + "key": "file.mime_type", + "object": "process_file" + }, + "signature_issuer": { + "key": "file.x_signature_issuer", + "object": "process_file" + }, + "signature_value": { + "key": "file.x_signature_value", + "object": "process_file" + }, + "signature_level_id": { + "key": "file.x_signature_level_id", + "object": "process_file" + }, + "signature_serial_number": { + "key": "file.x_signature_serial_number", + "object": "process_file" + }, + "signature_value_ids": { + "key": "file.x_signature_value_ids", + "object": "process_file", + "transformer": "ToListValue" + }, + "signature_created_date": { + "key": 
"file.x_signature_created_date",
+ "object": "process_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "process_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "process_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "process_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "process_file",
+ "references": "process_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "process_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "process_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "process_url"
+ }
+ }
+ }
+ },
+ "parent": {
+ "pid": [
+ {
+ "key": "process.pid",
+ "object": "parent_proc",
+ "transformer": "ToInteger"
+ },
+ {
+ "key": "process.parent_ref",
+ "object": "actor",
+ "references": "parent_proc"
+ }
+ ],
+ "cmd_line": {
+ "key": "process.command_line",
+ "object": "parent_proc"
+ },
+ "app_name": {
+ "key": "process.name",
+ "object": "parent_proc"
+ },
+ "tid": {
+ "key": "process.x_thread_id",
+ "object": "parent_proc"
+ },
+ "uid": {
+ "key": "process.x_proc_uid",
+ "object": "parent_proc"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "p_user"
+ },
+ {
+ "key": "process.creator_user_ref",
+ "object": "parent_proc",
+ "references": "p_user"
+ }
+ ],
+ "account_login": {
+ "key": "user-account.account_login",
+ "object": "p_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "p_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "p_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "p_user"
+ }
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "parent_proc_file"
+ },
+ {
+ "key": "process.binary_ref",
+ "object": "parent_proc",
+ "references": "parent_proc_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "parent_proc_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "parent_proc_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "parent_proc_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "parent_proc_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "parent_proc_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "parent_proc_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "parent_proc_file"
+ },
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "parent_proc_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "parent_proc_file",
+ "references": "parent_proc_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "parent_proc_file"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "parent_proc_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.created",
+ "object": "parent_proc_file"
+ },
+ "modified": {
+ "key": "file.modified",
+ "object": "parent_proc_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "parent_proc_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "parent_proc_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "parent_proc_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "parent_proc_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "parent_proc_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "parent_proc_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "parent_proc_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "parent_proc_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "parent_proc_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "parent_proc_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "parent_proc_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "parent_proc_file",
+ "references": "parent_proc_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "parent_proc_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "parent_proc_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "parent_proc_url"
+ }
+ }
+ }
+ },
+ "email": {
+ "sender_ip": [
+ {
+ "key": "ipv4-addr.value",
+ "object": "sender_ip"
+ },
+ {
+ "key": "ipv6-addr.value",
+ "object": "sender_ip"
+ },
+ {
+ "key": "email-message.sender_ip_ref",
+ "object": "email_message",
+ "references": ["sender_ip"]
+ }
+ ],
+ "header_from": [
+ {
+ "key": "email-addr.value",
+ "object": "email_from"
+ },
+ {
+ "key": "email-message.from_ref",
+ "object": "email_message",
+ "references": ["email_from"]
+ },
+ {
+ "key": "email-message.is_multipart",
+ "object": "email_message",
+ "value" : true
+ }
+ ],
+ "header_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_to"
+ },
+ {
+ "key": "email-message.to_refs",
+ "object": "email_message",
+ "references": ["email_to"]
+ }
+ ],
+ "header_reply_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_reply_to"
+ },
+ {
+ "key": "email-message.additional_header_fields",
+ "object": "email_message",
+ "transformer" :"ReplyToDict",
+ "references": ["email_reply_to"]
+ }
+ ],
+ "smtp_from": [
+ {
+ "key": "email-addr.value",
+ "object": "email_smtp_from"
+ },
+ {
+ "key": "email-message.from_ref",
+ "object": "email_message",
+ "references": ["email_from"]
+ }
+ ],
+ "smtp_to": [
+ {
+ "key": "email-addr.value",
+ "object": "email_smtp_to"
+ },
+ {
+ "key": "email-message.to_refs",
+ "object": "email_message",
+ "references": ["email_to"]
+ }
+ ],
+ "header_subject": {
+ "key": "email-message.subject",
+ "object": "email_message"
+ },
+ "direction_id": {
+ "key": "email-message.x_email_direction",
+ "object": "email_message",
+ "transformer": "ToDirectionString"
+ },
+ "size": {
+ "key": "email-message.x_size",
+ "object": "email_message"
+ }
+ },
+ "email_uid": {
+ "key": "email-message.x_email_uid",
+ "object": "email_message"
+ },
+ "reg_key": {
+ "path": [
+ {
+ "key": "windows-registry-key.key",
+ "object": "win_registry"
+ },
+ {
+ "key": "x-oca-event.registry_ref",
+ "object": "event",
+ "references": "win_registry"
+ }
+ ],
+ "last_write": {
+ "key": "windows-registry-key.modified",
+ "object": "win_registry"
+ },
+ "is_system": {
+ "key": "windows-registry-key.x_is_system",
+ "object": "win_registry"
+ }
+ },
+ "reg_value": {
+ "path": [
+ {
+ "key": "windows-registry-key.key",
+ "object": "win_registry"
+ },
+ {
+ "key": "x-oca-event.registry_ref",
+ "object": "event",
+ "references": "win_registry"
+ }
+ ],
+ "data": {
+ "key": "windows-registry-key.values.data",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "name": {
+ "key": "windows-registry-key.values.name",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "type_id": {
+ "key": "windows-registry-key.values.data_type",
+ "object": "win_registry",
+ "group": "registry-value-type"
+ },
+ "last_write": {
+ "key": "windows-registry-key.modified",
+ "object": "win_registry"
+ },
+ "is_system": {
+ "key": "windows-registry-key.x_is_system",
+ "object": "win_registry"
+ }
+ },
+ "reason_id": {
+ "key": "x-ibm-finding.finding_type",
+ "object": "threat",
+ "transformer": "ToFindingTypeString"
+ },
+ "count": {
+ "key": "number_observed"
+ },
+ "threat": {
+ "name": {
+ "key": "x-ibm-finding.name",
+ "object": "threat"
+ },
+ "risk_id": {
+ "key": "x-ibm-finding.severity",
+ "object": "threat",
+ "transformer": "ToFindingSeverityString"
+ },
+ "type_id": {
+ "key": "x-ibm-finding.x_threat_type_id",
+ "object": "threat",
+ "transformer": "ToThreatTypeString"
+ },
+ "provider": {
+ "key": "x-ibm-finding.x_info_provider",
+ "object": "threat"
+ },
+ "id": {
+ "key": "x-ibm-finding.alert_id",
+ "object": "threat"
+ }
+ },
+ "attacks": {
+ "tactic_uids": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.tactic_id",
+ "object": "attack",
+ "transformer": "UnlistIfList"
+ },
+ "technique_uid": {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_id",
+ "object": "attack"
+ },
+ "technique_name": [
+ {
+ "key": "x-ibm-ttp-tagging.extensions.mitre-attack-ext.technique_name",
+ "object": "attack"
+ },
+ {
+ "key": "x-ibm-ttp-tagging.name",
+ "object": "attack"
+ }
+ ],
+ "groupReference": {
+ "key": "x-ibm-finding.ttp_tagging_refs",
+ "object": "threat",
+ "references": ["attack"],
+ "group_ref": true
+ }
+ },
+ "policy": {
+ "name": [
+ {
+ "key": "x-symantec-policy.name",
+ "object": "policy"
+ },
+ {
+ "key": "x-ibm-finding.x_policy_ref",
+ "object": "threat",
+ "references": "policy"
+ },
+ {
+ "key": "x-oca-event.x_policy_ref",
+ "object": "event",
+ "references": "policy"
+ }
+ ],
+ "desc": {
+ "key": "x-symantec-policy.description",
+ "object": "policy"
+ },
+ "effective_date": {
+ "key": "x-symantec-policy.effective_date",
+ "object": "policy"
+ },
+ "group_name": {
+ "key": "x-symantec-policy.group_name",
+ "object": "policy"
+ },
+ "rule_group_name": {
+ "key": "x-symantec-policy.rule_group_name",
+ "object": "policy"
+ },
+ "rule_name": {
+ "key": "x-symantec-policy.rule_name",
+ "object": "policy"
+ },
+ "rule_category_id": {
+ "key": "x-symantec-policy.rule_category",
+ "object": "policy"
+ },
+ "type_id": {
+ "key": "x-symantec-policy.type_id",
+ "object": "policy"
+ },
+ "rule_desc": {
+ "key": "x-symantec-policy.rule_description",
+ "object": "policy"
+ },
+ "rule_group_desc": {
+ "key": "x-symantec-policy.rule_group_desc",
+ "object": "policy"
+ },
+ "version": {
+ "key": "x-symantec-policy.version",
+ "object": "policy"
+ },
+ "state_ids": {
+ "key": "x-symantec-policy.states",
+ "object": "policy"
+ }
+ },
+ "change_type_id" : {
+ "key": "x-symantec-policy.change_type_id",
+ "object": "policy"
+ },
+ "session": {
+ "id": [
+ {
+ "key": "x-user-session.id",
+ "object": "session"
+ },
+ {
+ "key": "x-oca-event.x_user_session_ref",
+ "object": "event",
+ "references": "session"
+ }
+ ],
+ "is_admin": {
+ "key": "x-user-session.is_admin",
+ "object": "session"
+ },
+ "remote": {
+ "key": "x-user-session.is_remote",
+ "object": "session"
+ },
+ "user": {
+ "name": [
+ {
+ "key": "user-account.user_id",
+ "object": "session_user"
+ },
+ {
+ "key": "x-user-session.user_ref",
+ "object": "session",
+ "references": "session_user"
+ }
+ ],
+ "logon_name": {
+ "key": "user-account.account_login",
+ "object": "session_user"
+ },
+ "is_admin": {
+ "key": "user-account.is_privileged",
+ "object": "session_user"
+ },
+ "domain": {
+ "key": "user-account.x_user_domain",
+ "object": "session_user"
+ },
+ "sid": {
+ "key": "user-account.x_user_sid",
+ "object": "session_user"
+ }
+ }
+ },
+ "kernel":{
+ "name": [
+ {
+ "key": "x-kernel-resource.name",
+ "object": "kernel"
+ },
+ {
+ "key": "x-oca-event.x_kernel_resource_ref",
+ "object": "event",
+ "references": "kernel"
+ }
+ ],
+ "type_id": {
+ "key": "x-kernel-resource.type_id",
+ "object": "kernel",
+ "transformer": "ToKernelType"
+ },
+ "system_call": {
+ "key": "x-kernel-resource.system_call",
+ "object": "kernel"
+ }
+ },
+ "certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "client-cert"
+ },
+ {
+ "key": "x-oca-event.x_certificate_ref",
+ "object": "event",
+ "references": "client-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "client-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "client-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "client-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "client-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "client-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "client-cert"
+ }
+ },
+ "tls": {
+ "cipher": {
+ "key": "x-symantec-tls.cipher",
+ "object": "tls_obj"
+ },
+ "cipher_size": {
+ "key": "x-symantec-tls.cipher_size",
+ "object": "tls_obj"
+ },
+ "cipher_strength": {
+ "key": "x-symantec-tls.cipher_strength",
+ "object": "tls_obj"
+ },
+ "is_advertised": {
+ "key": "x-symantec-tls.is_advertised",
+ "object": "tls_obj"
+ },
+ "is_used": {
+ "key": "x-symantec-tls.is_used",
+ "object": "tls_obj"
+ },
+ "issuer_keyring": {
+ "key": "x-symantec-tls.issuer_keyring",
+ "object": "tls_obj"
+ },
+ "key_length": {
+ "key": "x-symantec-tls.key_length",
+ "object": "tls_obj"
+ },
+ "tls_policy_id": {
+ "key": "x-symantec-tls.tls_policy_id",
+ "object": "tls_obj"
+ },
+ "version": {
+ "key": "x-symantec-tls.protocol_version",
+ "object": "tls_obj"
+ },
+ "client_certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "client-cert"
+ },
+ {
+ "key": "x-symantec-tls.client_certificate_ref",
+ "object": "tls_obj",
+ "references": "client-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "client-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "client-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "client-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "client-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "client-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "client-cert"
+ }
+ },
+ "server_certificate": {
+ "issuer_name": [
+ {
+ "key": "x509-certificate.issuer",
+ "object": "server-cert"
+ },
+ {
+ "key": "x-symantec-tls.server_certificate_ref",
+ "object": "tls_obj",
+ "references": "server-cert"
+ }
+ ],
+ "serial": {
+ "key": "x509-certificate.serial_number",
+ "object": "server-cert"
+ },
+ "start_time": {
+ "key": "x509-certificate.validity_not_before",
+ "object": "server-cert"
+ },
+ "end_time": {
+ "key": "x509-certificate.validity_not_after",
+ "object": "server-cert"
+ },
+ "version": {
+ "key": "x509-certificate.version",
+ "object": "server-cert"
+ },
+ "subject_name": {
+ "key": "x509-certificate.subject",
+ "object": "server-cert"
+ },
+ "is_valid": {
+ "key": "x509-certificate.x_is_valid",
+ "object": "server-cert"
+ }
+ }
+ },
+ "container": {
+ "host_name": {
+ "key": "",
+ "object": "container"
+ },
+ "image_name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.image_name",
+ "object": "container"
+ },
+ "image_uid": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.image_id",
+ "object": "container"
+ },
+ "name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.name",
+ "object": "container"
+ },
+ "os_name": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.os_name",
+ "object": "container"
+ },
+ "uid": {
+ "key": "x-oca-asset.extensions.x-oca-container-ext.container_id",
+ "object": "container"
+ }
+
+ },
+ "module": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "module"
+ },
+ {
+ "key": "x-oca-event.file_ref",
+ "object": "event",
+ "references": "module"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "module"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "module"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "module"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "module"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "module",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "module"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "module"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "module_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "module",
+ "references": "module_dir"
+ }
+ ],
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "module"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "module"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "module"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "module"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "module",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "module",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "module"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "module"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "module_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "module",
+ "references": "module_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "module_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "module_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "module_url"
+ }
+ }
+ },
+ "startup_app" : {
+ "name" : [
+ {
+ "key": "software.name",
+ "object": "app"
+ },
+ {
+ "key": "x-oca-event.x_startup_application",
+ "object": "event"
+ }
+ ],
+ "cmd_line" : {
+ "key": "software.x_cmd_line",
+ "object": "app"
+ },
+ "desc" : {
+ "key": "software.x_app_description",
+ "object": "app"
+ },
+ "run_state_id" : {
+ "key": "software.x_service_state_id",
+ "object": "app"
+ },
+ "start_id" : {
+ "key": "software.x_start_type_id",
+ "object": "app"
+ },
+ "type_ids" : {
+ "key": "software.x_type_ids",
+ "object": "app"
+ },
+ "vendor" : {
+ "key": "software.vendor",
+ "object": "app"
+ },
+ "file": {
+ "name": [
+ {
+ "key": "file.name",
+ "object": "app_file"
+ },
+ {
+ "key": "software.x_file_ref",
+ "object": "app",
+ "references": "app_file"
+ }
+ ],
+ "size": {
+ "key": "file.size",
+ "object": "app_file"
+ },
+ "md5": {
+ "key": "file.hashes.MD5",
+ "object": "app_file"
+ },
+ "sha1": {
+ "key": "file.hashes.SHA-1",
+ "object": "app_file"
+ },
+ "sha2": {
+ "key": "file.hashes.SHA-256",
+ "object": "app_file"
+ },
+ "type_id": {
+ "key": "file.x_file_type",
+ "object": "app_file",
+ "transformer": "ToFileTypeString"
+ },
+ "rep_score": {
+ "key": "file.x_rep_score",
+ "object": "app_file"
+ },
+ "version": {
+ "key": "file.x_file_version",
+ "object": "app_file"
+ },
+ "path": [
+ {
+ "key": "directory.path",
+ "object": "app_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "app_file",
+ "references": "app_file_dir"
+ }
+ ],
+ "folder": [
+ {
+ "key": "directory.path",
+ "object": "app_file_dir"
+ },
+ {
+ "key": "file.parent_directory_ref",
+ "object": "app_file",
+ "references": "app_file_dir"
+ }
+ ],
+ "content_type": {
+ "family_id": {
+ "key": "file.x_family_type",
+ "object": "app_file",
+ "transformer": "ToFamilyIdString"
+ },
+ "type_id": {
+ "key": "file.x_content_type",
+ "object": "app_file",
+ "transformer": "ToFileContentTypeString"
+ }
+ },
+ "created": {
+ "key": "file.created",
+ "object": "app_file"
+ },
+ "modified": {
+ "key": "file.modified",
+ "object": "app_file"
+ },
+ "accessed": {
+ "key": "file.accessed",
+ "object": "app_file"
+ },
+ "mime_type": {
+ "key": "file.mime_type",
+ "object": "app_file"
+ },
+ "signature_issuer": {
+ "key": "file.x_signature_issuer",
+ "object": "app_file"
+ },
+ "signature_value": {
+ "key": "file.x_signature_value",
+ "object": "app_file"
+ },
+ "signature_level_id": {
+ "key": "file.x_signature_level_id",
+ "object": "app_file"
+ },
+ "signature_serial_number": {
+ "key": "file.x_signature_serial_number",
+ "object": "app_file"
+ },
+ "signature_value_ids": {
+ "key": "file.x_signature_value_ids",
+ "object": "app_file",
+ "transformer": "ToListValue"
+ },
+ "signature_created_date": {
+ "key": "file.x_signature_created_date",
+ "object": "app_file",
+ "transformer": "EpochSecondsToTimestamp"
+ },
+ "signature_company_name": {
+ "key": "file.x_signature_company_name",
+ "object": "app_file"
+ },
+ "signature_fingerprints": {
+ "key": "file.x_signature_fingerprints",
+ "object": "app_file"
+ },
+ "url": {
+ "text": [
+ {
+ "key": "url.value",
+ "object": "app_url"
+ },
+ {
+ "key": "file.x_url_ref",
+ "object": "app_file",
+ "references": "app_url"
+ }
+ ],
+ "host": {
+ "key": "url.x_url_host",
+ "object": "app_url"
+ },
+ "path": {
+ "key": "url.x_url_path",
+ "object": "app_url"
+ },
+ "port": {
+ "key": "url.x_url_port",
+ "object": "app_url"
+ }
+ }
+ }
+ },
+ "config_path" : {
+ "key": "software.x_config_path",
+ "object": "app"
+ },
+ "command_name": {
+ "key": "x-oca-event.x_command_name",
+ "object": "event"
+ },
+ "command_uid" : {
+ "key": "x-oca-event.x_command_uid",
+ "object": "event"
+ },
+ "interpreter" : {
+ "key": "x-oca-event.x_script_interpreter",
+ "object": "event"
+ },
+ "peripheral_device" : {
+ "class": {
+ "key": "x-peripheral-device.class",
+ "object": "peripheral"
+ },
+ "name": [
+ {
+ "key": "x-peripheral-device.name",
+ "object": "peripheral"
+ },
+ {
+ "key": "x-oca-event.x_peripheral_device_ref",
+ "object": "event",
+ "references": "peripheral"
+ }
+ ],
+ "serial": {
+ "key": "x-peripheral-device.serial",
+ "object": "peripheral"
+ },
+ "vendor": {
+ "key": "x-peripheral-device.vendor",
+ "object": "peripheral"
+ },
+ "model": {
+ "key": "x-peripheral-device.model",
+ "object": "peripheral"
+ },
+ "instance_uid": {
+ "key": "x-peripheral-device.instance_uid",
+ "object": "peripheral"
+ }
+ },
+ "dst_endpoint_app": {
+ "name" : [
+ {
+ "key": "software.name",
+ "object": "dst_app_service"
+ },
+ {
+ "key": "x-oca-event.x_dst_app_service_ref",
+ "object": "event",
+ "references": "dst_app_service"
+ }
+ ],
+ "operation" : {
+ "key": "software.x_app_operation",
+ "object": "dst_app_service"
+ },
+ "groups" : {
+ "key": "software.x_app_groups",
+ "object": "dst_app_service"
+ }
+ },
+ "device_cloud_vm": {
+ "instance_uid": [
+ {
+ "key": "x-cloud-device.instance_uid",
+ "object": "cloud_vm"
+ },
+ {
+ "key": "x-oca-event.x_cloud_device_ref",
+ "object": "event",
+ "references": "cloud_vm"
+ }
+ ],
+ "subnet_uid": {
+ "key": "x-cloud-device.subnet_uid",
+ "object": "cloud_vm"
+ },
+ "vpc_uid": {
+ "key": "x-cloud-device.vpc_uid",
+ "object": "cloud_vm"
+ },
+ "dc_region": {
+ "key": "x-cloud-device.dc_region",
+ "object": "cloud_vm"
+ }
+ }
+}
\ No newline at end of file
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py
new file mode 100644
index 000000000..b8df862ec
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py
@@ -0,0 +1,498 @@
+import re
+import json
+import copy
+from os import path
+from datetime import datetime, timedelta
+from stix_shifter_utils.utils import logger
+from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, \
+ ComparisonExpression, ComparisonComparators, Pattern, CombinedComparisonExpression, CombinedObservationExpression, \
+ ComparisonExpressionOperators
+
+logger = logger.set_logger(__name__)
+
+START_STOP_PATTERN = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z)"
+STOP_TIME = datetime.utcnow()
+CONFIG_MAP_PATH = "json/config_map.json"
+
+
+class FileNotFoundException(Exception):
+ pass
+
+
+QUERY_TEMPLATE = {
+ "feature_name": "ALL",
+ "product": "SAEP",
+ "query": "",
+ "start_date": "",
+ "end_date": ""
+}
+
+
+class QueryStringPatternTranslator:
+ """
+ translate stix pattern to native data source query language
+ """
+
+ def __init__(self, pattern: Pattern, data_model_mapper, options):
+
+ logger.info("Symantec Endpoint Security Connector")
+ self.dmm = data_model_mapper
+ self.comparator_lookup = self.dmm.map_comparator()
+ self.config_map = self.load_json(CONFIG_MAP_PATH)
+ self.pattern = pattern
+ self.options = options
+ self.qualified_queries = []
+ self.logged = False
+ self.parse_expression(pattern)
+
+ @staticmethod
+ def load_json(rel_path_of_file) -> dict:
+ """ Consumes a json file and returns a dictionary
+ :param rel_path_of_file: (str) json file path
+ :return: json: (dict) loaded json """
+ _json_path = path.dirname(path.realpath(__file__)) + "/" + rel_path_of_file
+ try:
+ if path.exists(_json_path):
+ with open(_json_path, encoding='utf-8') as f_obj:
+ return json.load(f_obj)
+ raise FileNotFoundException
+ except FileNotFoundException as e:
+ raise FileNotFoundError(f'{rel_path_of_file} not found') from e
+
+ def _format_set(self, comparator, values, mapped_field_type, expression, mapped_fields_array) -> str:
+ """
+ Formats value in the event of set operation
+ :param comparator: (str) comparison operator
+ :param values: (list) list of values
+ :param mapped_field_type: (str) type of the field
+ :param expression: (object) ANTLR parsed expression object
+ :param mapped_fields_array: (list) list of mapped fields
+ :return formatted value: (string) formatted value for the IN operator
+ """
+ gen = values.element_iterator()
+ formatted_list = []
+ for row in gen:
+ row = self._check_value_comparator_support(row, expression.comparator, mapped_field_type,
+ mapped_fields_array)
+ row = QueryStringPatternTranslator._escape_value(row)
+ formatted_list.append(f'\"{row}\"')
+ value = ' OR '.join(formatted_list)
+ return f'{comparator.replace("value", value)}'
+
+ @staticmethod
+ def _format_like(comparator, value) -> str:
+ """
+ Formats value in the event of like operator
+ :param comparator: (str) comparison operator
+ :param value: (str) input value
+ :return formatted value: (str) formatted value
+ """
+ # wildcard characters can be applied to single term as per lucene query syntax
+ if ' ' in value:
+ raise NotImplementedError(f'LIKE does not support on phrases, supports on single term.'
+ f' {value} contains multiple terms')
+ value = QueryStringPatternTranslator._escape_value(value)
+ return f'{comparator.replace("value", value)}'
+
+ @staticmethod
+ def _format_match(comparator, value) -> str:
+ """
+ Formats value in the event of matches operator
+ :param comparator: (str) comparison operator
+ :param value: (str) input value
+ :return formatted value: (str) formatted value
+ """
+ value = QueryStringPatternTranslator._escape_value(value)
+ return f'{comparator.replace("value", value)}'
+
+ @staticmethod
+ def _format_comparison(comparator, value) -> str:
+ """
+ Formats value in the event of comparison operators
+ :param comparator: (str) comparison operator
+ :param value: (str) input value
+ :return formatted value: (str) formatted value
+ """
+ value = QueryStringPatternTranslator._escape_value(value)
+ return f'{comparator.replace("value", value)}'
+
+ @staticmethod
+ def _format_equal(comparator, value, field_type) -> str:
+ """
+ Formats value in the event of equal operator
+ :param comparator: (str) comparison operator
+ :param value: (str) input value
+ :param field_type: (str) operand type
+ :return formatted value: (str) formatted value
+ """
+ value = QueryStringPatternTranslator._escape_value(value)
+ return f'{comparator}{value}' if field_type == "date" else f'{comparator}\"{value}\"'
+
+ @staticmethod
+ def _escape_value(value):
+ """
+ adds escape characters to string type value
+ :param value: (str) input value
+ :return formatted value: (str) formatted value
+ """
+ value = str(value).replace('/', '\\/').replace(':', '\\:')
+ return value
+
+ @staticmethod
+ def _format_datetime(value) -> int:
+ """
+ Converts timestamp to epoch
+ :param value: (str) UTC timestamp
+ :return: converted_time: (str) UTC timestamp
+ """
+ try:
+ time_pattern = '%Y-%m-%dT%H:%M:%S.%fZ'
+ if re.search(r"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}Z", str(value)): # without milliseconds
+ time_pattern = '%Y-%m-%dT%H:%M:%SZ'
+ epoch = datetime(1970, 1, 1)
+ converted_time = int(((datetime.strptime(value, time_pattern) - epoch).total_seconds()) * 1000)
+ return converted_time
+ except ValueError:
+ raise NotImplementedError(f'cannot convert the timestamp {value} to milliseconds')
+
+ @staticmethod
+ def _parse_time_range(qualifier, time_range) -> list:
+ """
+ Converts qualifier timestamp to epoch
+ :param qualifier: (str) UTC timestamp
+ :param time_range: (int) time range in minutes
+ return: converted_timestamp: (str) list of converted UTC timestamp values
+ """
+ try:
+ compile_timestamp_regex = re.compile(START_STOP_PATTERN)
+ if qualifier and compile_timestamp_regex.search(qualifier):
+ time_range_iterator = compile_timestamp_regex.finditer(qualifier)
+ time_range_list = [each.group() for each in time_range_iterator]
+ else:
+ start_time = STOP_TIME - timedelta(minutes=time_range)
+ converted_start_time = start_time.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ # limit 3 digit value for millisecond
+ converted_stop_time = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
+ time_range_list = [converted_start_time, converted_stop_time]
+ for index, timestamp in enumerate(time_range_list):
+ time_range_list[index] = timestamp.replace('Z', '+00:00')
+ return time_range_list
+ except (KeyError, IndexError, TypeError) as e:
+ raise e
+
+ def _get_mapped_field_type(self, mapped_field_array) -> str:
+ """
+ Returns the type of mapped field array
+ :param mapped_field_array: (list) list of mapped fields
+ :return: mapped_field_type: (str) type of the field
+ """
+ mapped_field = mapped_field_array[0]
+ mapped_field_type = "string"
+ for key, value in self.config_map.items():
+ if mapped_field in value and key in ["enum_supported_fields", "like_supported_fields",
+ "int_supported_fields", "bool_supported_fields",
+ "protocol_supported_fields", "date_supported_fields"]:
+ mapped_field_type = key.split('_')[0]
+ break
+ return mapped_field_type
+
+ @staticmethod
+ def _convert_severity_value(value, supported_values):
+ """
+ Returns the type of mapped severity value from supported enum values
+ :param value: (int) severity value
+ :param supported_values: (list) supported list of severity enum values
+ :return: value: matched severity enum value
+ """
+ if value == 0:
+ return 0
+
+ keys = supported_values.keys()
+ int_list = [int(x) for x in keys]
+ values = [num for num in int_list if num >= value]
+ value = min(values)
+
+ return value
+
+ def _check_value_comparator_support(self, value, comparator, mapped_field_type, mapped_fields_array) -> str:
+ """
+ checks the comparator and value support.
+ raise the error for unsupported fields and operators.
+ :param value: (str) input value
+ :param comparator: (object) comparison operator
+ :param mapped_field_type: (str) type of field
+ :param mapped_fields_array: (list) list of mapped fields
+ :return value: (str) processed/formatted input value
+ """
+
+ if comparator in (ComparisonComparators.Like, ComparisonComparators.Matches) and mapped_field_type != "like":
+ raise NotImplementedError(f'LIKE/MATCHES operator is not supported for this fields'
+ f' {",".join(mapped_fields_array)}')
+
+ if mapped_field_type == "enum":
+ supported_values = self.config_map['enum_supported_values'].get(mapped_fields_array[0], [])
+ enum_value = None
+ if 'severity_id' in mapped_fields_array:
+ if not str(value).isdigit():
+ raise NotImplementedError(f"String type input {value} is not supported for integer type field")
+ if not 0 <= int(value) <= 100:
+ raise NotImplementedError("Severity allowed range from 0 to 100")
+ value = self._convert_severity_value(int(value), supported_values)
+ enum_value = str(value)
+ value = supported_values.get(str(value))
+ if not enum_value and not value:
+ raise NotImplementedError(f'Unsupported ENUM values provided. {mapped_fields_array[0]} possible '
+ f"supported enum values are '{','.join(supported_values)}'")
+
+ if mapped_field_type == "protocol":
+ supported_values = self.config_map['protocol_supported_values'].get(mapped_fields_array[0], [])
+ value = supported_values.get(value)
+ if not value:
+ raise NotImplementedError(f'Unsupported protocol values provided. {mapped_fields_array[0]} possible '
+ f"supported protocol values are '{','.join(supported_values)}'")
+
+ if mapped_field_type == "date":
+ value = self._format_datetime(value)
+ value = f'[ {value} TO {value} ]'
+ if not value:
+ raise NotImplementedError(f'Unsupported date values provided for {mapped_fields_array[0]}')
+
+ if mapped_field_type != "int":
+ if comparator in [ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
+ ComparisonComparators.LessThan, ComparisonComparators.LessThanOrEqual]:
+ raise NotImplementedError('Comparison operators <, >, <=, >= only supports for integer type fields.')
+
+ if mapped_field_type == "int":
+ if not isinstance(value, int):
+ raise NotImplementedError(f"String type input {value} is not supported for integer type field")
+
+ if mapped_field_type == "bool":
+ if value.lower() in ('true', 'false'):
+ value = value.lower()
+ else:
+ raise NotImplementedError('Boolean field supported values are true/false')
+
+ return value
+
+ def _lookup_comparison_operator(self, expression_operator) -> str:
+ """
+ lookup operators support in symantec
+ :param expression_operator: (object) contains comparison operator
+ :return (str) comparator
+ """
+ if str(expression_operator) not in self.comparator_lookup:
+ raise NotImplementedError(
+ f'Comparison operator {expression_operator.name} unsupported for symantec connector')
+ return self.comparator_lookup[str(expression_operator)]
+
+ def _eval_comparison_value(self, expression, mapped_field_type, mapped_fields_array) -> str:
+ """
+ Function for parsing comparison expression value
+ :param expression: (object) ANTLR parsed expression object
+ :param mapped_field_type: (str) type of field
+ :param mapped_fields_array: (list) list of mapped fields
+ :return value: (str) processed/formatted input value
+ """
+ comparator = self._lookup_comparison_operator(expression.comparator)
+ value = expression.value
+ # validating value for all the operators other than IN operator.
+ if expression.comparator != ComparisonComparators.In:
+ value = self._check_value_comparator_support(value, expression.comparator, mapped_field_type,
+ mapped_fields_array)
+
+ # formatting the value based on operators.
+ if expression.comparator == ComparisonComparators.Like:
+ value = self._format_like(comparator, value)
+ elif expression.comparator == ComparisonComparators.Matches:
+ value = self._format_match(comparator, value)
+ elif expression.comparator == ComparisonComparators.In:
+ value = self._format_set(comparator, value, mapped_field_type, expression, mapped_fields_array)
+ elif expression.comparator in [ComparisonComparators.Equal, ComparisonComparators.NotEqual]:
+ value = self._format_equal(comparator, value, mapped_field_type)
+ elif expression.comparator in [ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
+ ComparisonComparators.LessThan, ComparisonComparators.LessThanOrEqual]:
+ value = self._format_comparison(comparator, value)
+ else:
+ raise NotImplementedError('Unknown comparator expression operator')
+ return value
+
+ def _add_qualifier(self, query, qualifier) -> list:
+ """
+ Convert the qualifier into epoch time and append in the query.
+ params: query: (list) list of queries
+ params: qualifier: (str) start and stop UTC timestamp
+ return: query: (list) list of queries attached with timestamp
+ """
+ time_range = QueryStringPatternTranslator._parse_time_range(qualifier, self.options['time_range'])
+ for row in query:
+ row['start_date'] = time_range[0]
+ row['end_date'] = time_range[1]
+ return query
+
+ @staticmethod
+ def _parse_mapped_fields(formatted_value, mapped_fields_array, expression) -> list:
+ """
+ parse mapped fields into boolean expression
+ :param formatted_value: (str) input value
+ :param mapped_fields_array: (list) list of mapped fields
+ :param expression: (object) ANTLR parsed expression object
+ :return: (list) formatted query
+ """
+ comparison_list = []
+ comparison_string_new = ''
+ query = copy.deepcopy(QUERY_TEMPLATE)
+ for index, field_name in enumerate(mapped_fields_array):
+ if index > 0:
+ comparison_string_new += ' OR '
+ if expression.negated or expression.comparator == ComparisonComparators.NotEqual:
+ comparison_string = f'-{field_name}{formatted_value}'
+ else:
+ comparison_string = f'{field_name}{formatted_value}'
+ comparison_string_new += comparison_string
+ query['query'] = comparison_string_new
+ comparison_list.append(query)
+ return comparison_list
+
+ @staticmethod
+ def check_common_timestamp(query_01, query_02):
+ """
+ Check the queries contains same timestamp
+ :param query_01: (dict) first query
+ :param query_02: (dict) second query
+ :return True or None
+ """
+ if query_01['start_date'] == query_02['start_date'] and query_01['end_date'] == query_02['end_date']:
+ return True
+ return None
+
+ def combine_queries(self, expression_01, expression_02, operator) -> list:
+ """
+ Combine the queries using OR, AND operator.
+ ex: A , B are two queries.
+ If A OR B having same timestamp it will combine the queries [A OR B] or [A AND B]
+ otherwise it will be a separate queries [ A , B ]
+ :param expression_01: (list) first query
+ :param expression_02: (list) second query
+ :param operator: (str) operator
+ :return query: (list) list of combined queries
+ """
+ query_list = []
+
+ if len(expression_02) == 1:
+ expression_01, expression_02 = expression_02, expression_01
+
+ for row_01 in expression_01:
+ for row_02 in expression_02:
+ common_timestamp = self.check_common_timestamp(row_01, row_02)
+ if common_timestamp:
+ combined_query = f'({row_01["query"]}) {operator} ({row_02["query"]})'
+ row_01['query'] = combined_query
+ query_list.append(row_01)
+ else:
+ query_list.append(row_02)
+ if row_01 not in query_list:
+ query_list.append(row_01)
+ return query_list
+
+ def _eval_combined_comparison_exp(self, expression) -> list:
+ """
+ Function for parsing combined comparison expression
+ :param expression: (object) ANTLR parsed expression object
+ """
+ query = []
+ operator = self._lookup_comparison_operator(expression.operator)
+ expression_01 = self._parse_expression(expression.expr1)
+ expression_02 = self._parse_expression(expression.expr2)
+
+ if not expression_01 or not expression_02:
+ return query
+
+ if expression.operator == ComparisonExpressionOperators.Or:
+ query = self.combine_queries(expression_01, expression_02, operator)
+ elif expression.operator == ComparisonExpressionOperators.And:
+ query = self.combine_queries(expression_01, expression_02, operator)
+ return query
+
+ def _eval_combined_observation_exp(self, expression, qualifier=None) -> list:
+ """
+ Function for parsing combined observation expression
+ :param expression: (object) ANTLR parsed expression object
+ :param qualifier: (object) timestamp object
+ """
+ expression_01 = self._parse_expression(expression.expr1, qualifier)
+ expression_02 = self._parse_expression(expression.expr2, qualifier)
+ operator =
self._lookup_comparison_operator(expression.operator) + + query = [] + if expression_01 and expression_02: + query = self.combine_queries(expression_01, expression_02, operator) + elif expression_01: + query = expression_01 + elif expression_02: + query = expression_02 + return query + + def _parse_expression(self, expression, qualifier=None) -> list: + """ + Formation of symantec query from ANTLR parsing expression + :param expression: expression object, ANTLR parsed expression object + :param qualifier: str, default in None + :return :None or list + """ + if isinstance(expression, ComparisonExpression): # Base Case + stix_objects = expression.object_path.split(':') + mapped_fields_array = self.dmm.map_field(stix_objects[0], stix_objects[1]) + mapped_field_type = self._get_mapped_field_type(mapped_fields_array) + value = self._eval_comparison_value(expression, mapped_field_type, mapped_fields_array) + query = self._parse_mapped_fields(value, mapped_fields_array, expression) + return query + + elif isinstance(expression, CombinedComparisonExpression): + return self._eval_combined_comparison_exp(expression) + + elif isinstance(expression, ObservationExpression): + query = self._parse_expression(expression.comparison_expression) + return self._add_qualifier(query, qualifier) + + elif hasattr(expression, 'qualifier') and hasattr(expression, 'observation_expression'): + if isinstance(expression.observation_expression, CombinedObservationExpression): + expression_01 = self._parse_expression(expression.observation_expression.expr1, expression.qualifier) + expression_02 = self._parse_expression(expression.observation_expression.expr2, expression.qualifier) + query = [] + if expression_01 and expression_02: + operator = self._lookup_comparison_operator(expression.observation_expression.operator) + query = self.combine_queries(expression_01, expression_02, operator) + else: + query = self._parse_expression(expression.observation_expression, expression.qualifier) + if 
qualifier is not None: + query = self._add_qualifier(query, qualifier) + return query + + elif isinstance(expression, CombinedObservationExpression): + return self._eval_combined_observation_exp(expression, qualifier) + elif isinstance(expression, Pattern): + return self._parse_expression(expression.expression) + else: + raise RuntimeError(f'Unknown Recursion Case for expression={expression}, ' + f'type(expression)={type(expression)}') + + def parse_expression(self, pattern: Pattern): + """ + Formation of symantec query from ANTLR parsing expression. + :param pattern: expression object, ANTLR parsed expression object + """ + query_list = self._parse_expression(pattern) + self.qualified_queries = query_list + + +def translate_pattern(pattern: Pattern, data_model_mapping, options) -> list: + """ + Conversion of ANTLR pattern to symantec query + :param pattern: expression object, ANTLR parsed expression object + :param data_model_mapping: DataMapper object, mapping object obtained by parsing json + :param options: dict, time_range defaults to 5 + :return: list, symantec queries + """ + translated_query_strings = QueryStringPatternTranslator(pattern, data_model_mapping, options) + queries = translated_query_strings.qualified_queries + return queries diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_translator.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_translator.py new file mode 100644 index 000000000..c4c8e63a3 --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_translator.py 
@@ -0,0 +1,27 @@ +import logging + +from stix_shifter_utils.modules.base.stix_translation.base_query_translator import BaseQueryTranslator +from . import query_constructor + +logger = logging.getLogger(__name__) + + +class QueryTranslator(BaseQueryTranslator): + + def transform_antlr(self, data, antlr_parsing_object): + """ + Transforms STIX pattern into a different query format. Based on a mapping file + :param antlr_parsing_object: Antlr parsing objects for the STIX pattern + :type antlr_parsing_object: object + :param data: The mapping file path to use as instructions on how to transform the given STIX query into + another format. This should default to something if one isn't passed in + :type data: str (filepath) + :return: transformed query string + :rtype: str + """ + + logger.info("Converting STIX2 Pattern to data source query") + + query_string = query_constructor.translate_pattern( + antlr_parsing_object, self, self.options) + return query_string diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py new file mode 100644 index 000000000..ca1be672d --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py 
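Review bot: The docstring of `transform_antlr` promises `:return: transformed query string` and `:rtype: str`, but `query_constructor.translate_pattern` is annotated `-> list` and hands back `qualified_queries`, a list of query dicts, so the documentation misleads callers of the translator. Change the two lines to `:return: list of data source query dicts, one per resolved time range` and `:rtype: list`. The `data` parameter is documented as a mapping file path yet is never read in the body; it appears to exist only to match the `BaseQueryTranslator` interface, and the docstring should say so rather than describe a default that is not implemented here.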
@@ -0,0 +1,358 @@ +import re +from stix_shifter_utils.utils import logger +from datetime import datetime +from stix_shifter_utils.stix_translation.src.utils.transformers import ValueTransformer +from stix_shifter_modules.symantec_endpoint_security.stix_translation.query_constructor import \ + QueryStringPatternTranslator + +LOGGER = logger.set_logger(__name__) +connector = __name__.split('.')[1] + +CONFIG_MAP_PATH = "json/config_map.json" + + +class TransformerUtil: + + @staticmethod + def get_mapped_value(attr_name, value, supported_category='enum_supported_values'): + """ + Retrieves the mapped value from config_map for the specified attribute name and value. + Args: + attr_name (str): The name of the attribute for which to retrieve the mapped value. + (severity_id, category_id) + value (str) : The value to be mapped. + supported_category (str) : supported value type + + Returns: + str: The mapped value corresponding to the provided attribute name and value + otherwise as a string value if it does not exist in map. + + Raises: + ValueError: If the attribute name is not found in the configuration map. 
+ """ + config_map = QueryStringPatternTranslator.load_json(CONFIG_MAP_PATH) + attrib_val_dict = config_map[supported_category].get(attr_name) + + if not attrib_val_dict: + raise ValueError + + inverted_dict = {v: k for k, v in attrib_val_dict.items()} + + if value in inverted_dict: + return inverted_dict[value] + + return str(value) + + +class ToSeverityValue(ValueTransformer): + """ + A value transformer for converting severity_id value + Example: + 0: 0, + 1: 15 + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('severity_id', obj) + + return int(mapped_val) + except ValueError: + LOGGER.error("%s connector error, cannot convert severity value : %s", connector, obj) + raise + + +class ToCategoryValue(ValueTransformer): + """ + A value transformer for converting category value + Example: + 1: "Security", + 2: "License" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('output_category_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert category value : %s", connector, obj) + raise + + +class ToOutcomeString(ValueTransformer): + """ + A value transformer for converting outcome value + Example: + 1: "Blocked", + 2: "Allowed" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert outcome value : %s", connector, obj) + raise + + +class ToStatusString(ValueTransformer): + """ + A value transformer for converting status Id value + Example: + 1: "Success", + 2: "Failure" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('status_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert status id value : %s", connector, obj) + raise + + +class ToFamilyIdString(ValueTransformer): 
+ """ + A value transformer for converting family_id value + Example: + 1: "Container", + 2: "Document" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('family_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert family id value : %s", connector, obj) + raise + + +class ToFileContentTypeString(ValueTransformer): + """ + A value transformer for converting severity value + Example: + 1: "Application", + 2: "Binary" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('file.content_type.type_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert content type id value : %s", connector, obj) + raise + + +class ToFileTypeString(ValueTransformer): + """ + A value transformer for converting severity value + Example: + 1: "File", + 2: "Directory" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('file.type_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert file type value : %s", connector, obj) + raise + + +class ToFindingTypeString(ValueTransformer): + """ + A value transformer for converting severity value + Example: + 1: "policy", + 2: "threat" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('reason_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert finding type value : %s", connector, obj) + raise + + +class ToFindingSeverityString(ValueTransformer): + """ + A value transformer for converting severity value + Example: + 100: 100, + 200: 80 + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('threat.risk_id', obj) + + return int(mapped_val) + except ValueError: + LOGGER.error("%s connector error, cannot convert finding 
severity value : %s", connector, obj) + raise + + +class ToThreatTypeString(ValueTransformer): + """ + A value transformer for converting severity value + Example: + 1: "Malware", + 2: "Behavioral" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('threat.type_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert threat type value : %s", connector, obj) + raise + + +class ToDeviceOsTypeString(ValueTransformer): + """ + A value transformer for converting Device Os Type id value + Example: + 100: "Windows" + 200: "Linux" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('device_os_type_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert Device OS type value : %s", connector, obj) + raise + + +class ToDirectionString(ValueTransformer): + """ + A value transformer for converting direction_id value + Example: + 0: "Unknown" + 1: "Inbound" + 2: "Outbound" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('connection.direction_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert direction_id value : %s", connector, obj) + raise + + +class ToKernelType(ValueTransformer): + """ + A value transformer for converting kernel type_id value + Example: + 0: "Unknown" + 1: "Shared mutex" + 2: "System call" + """ + + @staticmethod + def transform(obj): + try: + mapped_val = TransformerUtil.get_mapped_value('kernel.type_id', obj) + + return mapped_val + except ValueError: + LOGGER.error("%s connector error, cannot convert kernel type_id value : %s", connector, obj) + raise + + +class ToProtocolKeyWord(ValueTransformer): + """ + A value transformer for converting protocol decimal value to keyword value + Example: + 6: "tcp" + 17: "udp" + """ + + @staticmethod + def transform(obj): + 
try: + mapped_val = TransformerUtil.get_mapped_value('connection.protocol_id', obj, 'protocol_supported_values') + + return [mapped_val] + except ValueError: + LOGGER.error("%s connector error, cannot convert protocol decimal value : %s", connector, obj) + raise + + +class ToFormatMac(ValueTransformer): + + """A value transformer to convert Mac address to STIX Mac address format. + Example: + "12:5A:DE:E5:84:E5" + """ + + @staticmethod + def transform(obj): + try: + return obj.lower() + except ValueError: + LOGGER.error("%s connector error, cannot convert mac value : %s", connector, obj) + raise + + +class TimestampToAddMilliseconds(ValueTransformer): + """ + A value transformer for adding milliseconds if not present in value. + Example: + input: ""2024-05-03T04:27:56Z" + output: "2024-05-03T04:27:56.000Z" + """ + + @staticmethod + def transform(timestamp): + try: + # Regular expression pattern to match th format '%Y-%m-%dT%H:%M:%SZ' without milli seconds + if re.match(r"\d{4}(-\d{2}){2}T\d{2}(:\d{2}){2}Z", str(timestamp)): + dt = datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ') + timestamp = datetime.strftime(dt, '%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z' + return timestamp + except ValueError: + LOGGER.error(f"Cannot convert the timestamp {timestamp} to add milliseconds") + + +class ToListValue(ValueTransformer): + """A value transformer that converts a single value into a list.""" + + @staticmethod + def transform(obj): + if not isinstance(obj, list): + obj = [obj] + return obj diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/__init__.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/api_client.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/api_client.py new file mode 100644 index 000000000..3e1c92de2 --- /dev/null 
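Review bot: `TimestampToAddMilliseconds.transform` returns `None` whenever `strptime` raises, because its `except ValueError` branch only logs and then falls off the end of the function, so the original timestamp is dropped from the translated object instead of being passed through. Add `return timestamp` after the log call, or re-raise as every other transformer in this file does. Separately, `TransformerUtil.get_mapped_value` calls `QueryStringPatternTranslator.load_json(CONFIG_MAP_PATH)` on every transformed value, which reads `config_map.json` from disk once per event field; loading it once at module import or caching the call would remove that per-field file read. `ToFormatMac.transform` catches `ValueError`, but `obj.lower()` on a non-string raises `AttributeError`, so that handler can never fire.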
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/api_client.py @@ -0,0 +1,33 @@ +import json +from stix_shifter_utils.stix_transmission.utils.RestApiClientAsync import RestApiClientAsync + + +class APIClient: + QUERY_ENDPOINT = "v1/event-search" + TOKEN_ENDPOINT = "v1/oauth2/tokens" + + def __init__(self, connection, configuration): + self.auth = configuration.get('auth') + self.headers = {"Content-Type": "application/json"} + self.client = RestApiClientAsync(connection.get('host'), headers=self.headers, + cert_verify=connection.get('selfSignedCert')) + self.result_limit = connection['options'].get('result_limit') + self.timeout = connection['options'].get('timeout') + self.api_page_size = connection['options'].get('api_page_size') + + async def get_search_results(self, query, token): + """ + Get results from Data Source + :param query: Data Source Query + :param token: Authentication token + :return: Response Object + """ + self.headers['Authorization'] = "Bearer " + token + return await self.client.call_api(self.QUERY_ENDPOINT, 'POST', headers=self.headers, data=json.dumps(query), + timeout=self.timeout) + + async def generate_token(self): + """Get Authorization token""" + self.headers['Authorization'] = 'Basic ' + self.auth['oauth_credentials'] + resp = await self.client.call_api(self.TOKEN_ENDPOINT, 'POST', headers=self.headers, timeout=self.timeout) + return resp diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py new file mode 100644 index 000000000..5b0dc2a66 --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py 
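Review bot: Both `get_search_results` and `generate_token` write the `Authorization` header into the shared `self.headers` dict, which is also the object passed to `RestApiClientAsync` at construction, so the Basic credential or bearer token lingers on the client between calls and the two methods overwrite each other's value. Build a per-request copy instead, e.g. `headers = {**self.headers, 'Authorization': f'Bearer {token}'}`, and pass that to `call_api`, keeping credentials out of long-lived state. The concatenation `"Bearer " + token` also raises `TypeError` rather than a clear authentication error when `token` is `None`, which `Connector.__get_token` yields on a 200 response that lacks `access_token`; guard for a missing token before building the header.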
@@ -0,0 +1,298 @@ +from stix_shifter_utils.modules.base.stix_transmission.base_json_sync_connector import BaseJsonSyncConnector +from stix_shifter_utils.utils.error_response import ErrorResponder +from stix_shifter_utils.utils import logger +from .api_client import APIClient +import json +import re + +SYMANTEC_MAX_QUERY_RESULTS = 10000 +QUERY_TIME_FORMAT = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+?Z)" + + +class InvalidMetadataException(Exception): + pass + + +class Connector(BaseJsonSyncConnector): + + def __init__(self, connection, configuration): + self.api_client = APIClient(connection, configuration) + self.logger = logger.set_logger(__name__) + self.connector = __name__.split('.')[1] + + async def create_results_connection(self, query, offset, length, metadata=None): + """ + Fetching the results using query, offset and length + :param query: str, Data Source query + :param offset: str, Offset value + :param length: str, Length value + :param metadata: dict + :return: return_obj, dict + Symantec Endpoint Security API has result limit of maximum 10,000 results from the API call. + The maximum page size is 1000. Hence, 10 API calls will be made to get 10,000 results. + If the query has results more than 10,000 , then to fetch those records, the following steps are done:- + 1. Get the timestamp of the last record. + 2. Get the count of events with that timestamp. + 3. Set the above values in metadata + 4. Create a new query with start_date, next from above timestamp and event_count. + 5. Skip the records with the same timestamp using the 'next' value in metadata. + """ + data = [] + try: + offset = int(offset) + length = int(length) + start_index, end_index = self.get_start_end_index(offset, length, metadata) + # Adjusting the end index if it exceeds the result limit. 
+ if self.api_client.result_limit < end_index: + end_index = self.api_client.result_limit + + # Generating token + token, return_obj = await self.__get_token() + if return_obj: + return return_obj + + if not isinstance(query, dict): + query = json.loads(query) + + query['limit'] = self.api_client.api_page_size + query['next'] = offset + + # Update query start_date and next values from metadata to get more than 10k results. + if metadata: + self.update_query_from_metadata(query, metadata) + + while start_index < end_index: + self.set_query_limit_value(query) + response_wrapper = await self.api_client.get_search_results(query, token) + response_dict, return_obj = self.handle_api_response(response_wrapper) + if return_obj: + return return_obj + length = self.get_length(offset, length, start_index, query['limit']) + return_obj['success'] = True + processed_data = response_dict['events'][:length] + data += processed_data + processed_data_count = len(processed_data) + start_index += processed_data_count + query['next'] = self.get_next_index(start_index, metadata) + remaining_data = response_dict['events'][length:] + metadata_event_count = metadata.get('start_date_event_count') if metadata else 0 + # If reached the limit of 10,000, resetting the start_date and next for query. + if (offset + len(data) + metadata_event_count) % SYMANTEC_MAX_QUERY_RESULTS == 0 and processed_data: + metadata = self.get_metadata(response_dict['events'][:length]) + self.update_query_from_metadata(query, metadata) + + # if the current page results are not fully utilized or doesn't have a next page. + if remaining_data or not response_dict.get('next'): + break + # Adjust the length for the next slicing. 
+ length -= processed_data_count + return_obj = self.handle_data(data, return_obj) + if metadata: + # setting metadata with last event from the data to avoid duplicate events from next batch call + return_obj['metadata'] = self.get_metadata(data) + + except Exception as ex: + return_obj = self.handle_api_exception(None, str(ex)) + + return return_obj + + async def ping_connection(self): + """ + Ping the endpoint + Generating authentication token and confirms connectivity to the product. + :return: return_object, dict + """ + token, return_obj = await self.__get_token() + if token: + return_obj['success'] = True + return return_obj + + async def __get_token(self): + """ + Generate new token + :return: token, string + return_obj, dict + """ + response_wrapper = await self.api_client.generate_token() + response_dict, return_obj = self.handle_api_response(response_wrapper) + token = response_dict.get('access_token') + return token, return_obj + + def handle_api_exception(self, code=None, response_txt=''): + """ + create the exception response + :param code, int + :param response_txt, str + :return: return_obj, dict + """ + return_obj = {} + message = None + + # setting code 401 for 400 code if it is authentication failure. + if "Invalid Client token" in str(response_txt) or 'Credential mismatch' in str(response_txt): + code = 401 + + # setting code 403 for 400 code if it is an invalid query. 
+ if 'Invalid query' in str(response_txt): + code = 403 + + if not message: + message = str(response_txt) + + response_dict = {'code': code, 'message': message} + self.logger.error('%s error while fetching results: %s', self.connector, message) + ErrorResponder.fill_error(return_obj, response_dict, ['message'], connector=self.connector) + return return_obj + + def handle_api_response(self, response_wrapper): + """ + Handling response codes + :param response_wrapper, object + :return: response_dict, dict + return_obj, dict + """ + response_dict = {} + return_obj = {} + response = response_wrapper.read().decode('utf-8') + if response.startswith('{') and response.endswith('}'): + response_dict = json.loads(response) + + if response_wrapper.code != 200: + response_dict['message'] = response_dict.get('message', '') + if response_dict.get('fault'): + response_dict['message'] = response_dict.get('fault', '').get('faultstring', '') + return_obj = self.handle_api_exception(response_wrapper.code, response_dict.get('message', '')) + + return response_dict, return_obj + + @staticmethod + def handle_data(data, return_obj): + """ + Process the data + :param data, list + :param return_obj, dict + :return: return_obj, dict + """ + if data: + data = Connector.get_results_data(data) + return_obj['data'] = data if data else [] + else: + if not return_obj.get('error') and return_obj.get('success') is not False: + return_obj['success'] = True + return_obj['data'] = [] + return return_obj + + @staticmethod + def update_query_from_metadata(query, metadata): + """ + Update query 'start_date' and 'next' values from metadata. + Skipping the event with the same time stamp by adding the 'start_date_event_count' from metadata. 
+ :param query, (dict) datasource query + :param metadata, (dict) metadata with start data and count of the events with start data + """ + if metadata: + if isinstance(metadata, dict) and metadata.get('start_date_event_count') and metadata.get('start_date'): + query['next'] = int(metadata.get('start_date_event_count', 0)) + query['start_date'] = metadata.get('start_date') + else: + # raise exception when metadata doesnt contain page_index and start_date + raise InvalidMetadataException(metadata) + + @staticmethod + def get_metadata(event_data): + """ + Set query 'start_date' and 'next' values and metadata query start date event count + and start_date fields. + :param event_data, (list) datasource search events + :return metadata, (dict) new metadata fields + """ + start_date = event_data[-1].get('time') + event_count = Connector.get_next_start_time_event_count(event_data) + # Converting timestamp if not in ''%Y-%m-%dT%H:%M:%S.%fZ' format + pattern = re.compile(QUERY_TIME_FORMAT) + if not pattern.match(start_date): + start_date.replace('Z', '.000Z') + metadata = {'start_date_event_count': event_count, + 'start_date': start_date} + return metadata + + @staticmethod + def get_next_index(processed_event_count, metadata): + """ + Get the 'next' field value( starting index) for the data source API to get next set of records + :param processed_event_count, (int) Total events processed + :param metadata, + return: next_index (int), next index for the query. + """ + next_index = processed_event_count % SYMANTEC_MAX_QUERY_RESULTS + # Skip duplicate events + if metadata: + next_index = next_index + metadata.get('start_date_event_count', 0) + return next_index + + @staticmethod + def get_next_start_time_event_count(events): + """ + Get the count of events having the same end timestamp from the list of events.- + :param events, (list) Datasource events sorted by default with time. 
+ return: event_count (int) + """ + event_count = 0 + if events: + end_timestamp = events[-1].get('time') + end_index = len(events) - 1 + while end_index >= 0: + if end_timestamp == events[end_index].get('time'): + event_count += 1 + end_index -= 1 + else: + break + return event_count + + def set_query_limit_value(self, query): + """ + Update the query limit value if it is beyond 10K + param Query, (dict) API query. + """ + if query.get('next') + query.get('limit') >= SYMANTEC_MAX_QUERY_RESULTS: + query['limit'] = SYMANTEC_MAX_QUERY_RESULTS - (query.get('next')) + else: + query['limit'] = self.api_client.api_page_size + + @staticmethod + def get_start_end_index(offset, length, metadata): + """ + start and end indexes + """ + start_index, end_index = offset, offset + length + if metadata: + start_index, end_index = 0, length + return start_index, end_index + + def get_length(self, offset, length, start_index, limit): + """ + Length of the results required, + resetting length value if required results is lesser than length provided + """ + results_length = length + if offset + limit > self.api_client.result_limit: + results_length = self.api_client.result_limit - offset + elif start_index + limit > self.api_client.result_limit: + results_length = self.api_client.result_limit - start_index + return results_length + + @staticmethod + def get_results_data(response): + """ + Preprocessing the response. + :param response: list + :return response: list + """ + for record in response: + # If device_os_name is not present set value None to other related attributes, + # as device_os_name is required attribute for software stix object. + if record.get('device_os_name', '') is (None or ''): + record['device_os_type_id'] = None + record['device_os_ver'] = None + record['device_os_lang'] = None + return response 
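Review bot: In `get_metadata` the result of `start_date.replace('Z', '.000Z')` is discarded, since `str.replace` returns a new string, so the millisecond normalization the comment describes never happens and the unconverted value is stored in metadata; assign it: `start_date = start_date.replace('Z', '.000Z')`. In `get_results_data`, `record.get('device_os_name', '') is (None or '')` evaluates `(None or '')` to `''` and then compares by identity, so a `None` value is never caught and the empty-string match depends on interning; use `if not record.get('device_os_name'):`. `create_results_connection` also catches every `Exception` and forwards only `str(ex)` into the error response, which hides the traceback of internal failures such as the `TypeError` from a missing token; log with `self.logger.exception` in that handler so such failures remain diagnosable.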
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py new file mode 100644 index 000000000..8afa1d3c5 --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py @@ -0,0 +1,35 @@ +from stix_shifter_utils.utils.error_mapper_base import ErrorMapperBase +from stix_shifter_utils.utils.error_response import ErrorCode +from stix_shifter_utils.utils import logger + +error_mapping = { + 400: ErrorCode.TRANSMISSION_INVALID_PARAMETER, + 401: ErrorCode.TRANSMISSION_AUTH_CREDENTIALS, + 403: ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, + 404: ErrorCode.TRANSMISSION_CONNECT, + 408: ErrorCode.TRANSMISSION_CONNECT, + 500: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE +} + + +class ErrorMapper: + logger = logger.set_logger(__name__) + DEFAULT_ERROR = ErrorCode.TRANSMISSION_MODULE_DEFAULT_ERROR + + @staticmethod + def set_error_code(json_data, return_obj, connector=None): + code = None + try: + code = int(json_data['code']) + except Exception: + pass + + error_code = ErrorMapper.DEFAULT_ERROR + + if code in error_mapping: + error_code = error_mapping.get(code) + + if error_code == ErrorMapper.DEFAULT_ERROR: + ErrorMapper.logger.error("failed to map: %s", str(json_data)) + + ErrorMapperBase.set_error_code(return_obj, error_code, connector=connector) diff --git a/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md b/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md new file mode 100644 index 000000000..858a7725c --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md @@ -0,0 +1,496 @@ +##### Updated on 05/08/24 +## Symantec +### Results STIX Domain Objects +* Identity +* Observed Data +
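Review bot: `set_error_code` wraps `int(json_data['code'])` in `except Exception: pass`, which also hides a `json_data` that is not a dict or any unexpected failure, and then silently falls through to the default error. Narrow it to the failures that lookup can actually produce, `except (KeyError, TypeError, ValueError):`, so genuine bugs still surface. The 403 to `TRANSMISSION_QUERY_PARSING_ERROR` and 404/408 to `TRANSMISSION_CONNECT` entries rely on `Connector.handle_api_exception` rewriting the HTTP code for invalid-query and credential responses; a comment on the `error_mapping` table such as `# codes 401/403 are synthesized by Connector.handle_api_exception from the response text` would make that coupling visible to the next maintainer.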
+### Supported STIX Operators +*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* + +| STIX Operator | Data Source Operator | +|--|--| +| AND (Comparison) | AND | +| OR (Comparison) | OR | +| = | : | +| != | : | +| > | :{value TO \*} | +| >= | :\[value TO \*} | +| < | :{* TO value} | +| <= | :{* TO value] | +| IN | :(value) | +| LIKE | :value* | +| MATCHES | :/value/ | +| OR (Observation) | OR | +| AND (Observation) | OR | +|
| | +### Searchable STIX objects and properties +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **ipv4-addr**:value | device_ip, connection.src_ip, connection.dst_ip, device_public_ip, device_networks.ipv4, device_networks.gateway_ip | +| **ipv4-addr**:resolves_to_refs[*].value | device_mac, device_networks.mac | +| **ipv6-addr**:value | device_ip, connection.src_ip, connection.dst_ip, device_networks.ipv6 | +| **ipv6-addr**:resolves_to_refs[*].value | device_mac, device_networks.mac | +| **mac-addr**:value | device_mac, device_networks.mac, device_networks.gateway_mac | +| **network-traffic**:src_ref.value | connection.src_ip | +| **network-traffic**:dst_ref.value | connection.dst_ip | +| **network-traffic**:dst_port | connection.dst_port | +| **network-traffic**:src_port | connection.src_port | +| **network-traffic**:protocols[*] | connection.protocol_id | +| **network-traffic**:src_byte_count | connection.bytes_upload | +| **network-traffic**:dst_byte_count | connection.bytes_download | +| **network-traffic**:x_connection_direction | connection.direction_id | +| **process**:pid | actor.pid, process.pid, parent.pid | +| **process**:command_line | actor.cmd_line, process.cmd_line, parent.cmd_line, startup_app.cmd_line | +| **process**:name | actor.app_name, process.app_name, parent.app_name | +| **process**:created | actor.start_time, process.start_time, parent.start_time | +| **process**:x_thread_id | actor.tid, process.tid | +| **process**:x_proc_uid | actor.uid, process.uid, parent.uid | +| **process**:creator_user_ref.user_id | actor.user.name, process.user.name | +| **process**:creator_user_ref.account_login | actor.user.logon_name | +| **process**:binary_ref.name | actor.file.name, process.file.name, parent.file.name, startup_app.file.name | +| **process**:binary_ref.parent_directory_ref.path | actor.file.path, process.file.path, parent.file.path, startup_app.file.path | +| **process**:binary_ref.hashes.MD5 | actor.file.md5, 
process.file.md5, parent.file.md5, startup_app.file.md5 | +| **process**:binary_ref.hashes.'SHA-256' | actor.file.sha2, process.file.sha2, parent.file.sha2, startup_app.file.sha2 | +| **process**:binary_ref.hashes.'SHA-1' | actor.file.c, process.file.sha1, parent.file.sha1, startup_app.file.sha1 | +| **process**:binary_ref.size | actor.file.size, process.file.size, startup_app.file.size | +| **user-account**:user_id | user.name, actor.user.name, session.user.name | +| **user-account**:account_login | actor.user.logon_name, session.user.logon_name | +| **user-account**:is_privileged | actor.user.is_admin, session.user.is_admin | +| **user-account**:x_user_domain | actor.user.domain, session.user.domain | +| **user-account**:x_user_sid | user.sid, actor.user.sid, session.user.sid | +| **user-account**:x_user_uid | user.uid | +| **file**:name | file.name, directory.name, actor.file.name, parent.file.name, process.file.name, module.name, startup_app.file.name | +| **file**:size | file.size, actor.file.size, module.size, process.file.size, startup_app.file.size | +| **file**:parent_directory_ref.path | file.folder, directory.folder, actor.file.folder, parent.file.folder, process.file.folder, module.folder, startup_app.file.folder | +| **file**:hashes.MD5 | file.md5, actor.file.md5, module.md5, parent.file.md5, process.file.md5, startup_app.file.md5 | +| **file**:hashes.'SHA-256' | file.sha2, actor.file.sha2, module.sha2, parent.file.sha2, process.file.sha2, startup_app.file.sha2 | +| **file**:hashes.'SHA-1' | file.sha1, actor.file.sha1, parent.file.sha1, process.file.sha1, startup_app.file.sha1 | +| **file**:created | actor.file.created, parent.file.created, process.file.created, startup_app.file.created | +| **file**:modified | actor.file.modified, process.file.modified, startup_app.file.modified | +| **file**:x_file_type | file.type_id, actor.file.type_id, process.file.type_id | +| **file**:x_rep_score | file.rep_score | +| **file**:x_file_version | file.version | +| 
**file**:x_open_mode | open_mode | +| **file**:x_signature_company_name | actor.file.signature_company_name, file.signature_company_name, module.signature_company_name, parent.file.signature_company_name, process.file.signature_company_name | +| **file**:x_signature_created_date | actor.file.signature_created_date, actor.module.signature_created_date, file.signature_created_date, parent.signature_created_date, process.signature_created_date, directory.signature_created_date, startup_app.file.signature_created_date | +| **file**:x_signature_fingerprints.algorithm | actor.file.signature_fingerprints.algorithm, actor.module.signature_fingerprints.algorithm, file.signature_fingerprints.algorithm, module.signature_fingerprints.algorithm, parent.file.signature_fingerprints.algorithm, parent.module.signature_fingerprints.algorithm, process.file.signature_fingerprints.algorithm, process.module.signature_fingerprints.algorithm, directory.signature_fingerprints.algorithm, startup_app.file.signature_fingerprints.algorithm | +| **file**:x_signature_issuer | actor.file.signature_issuer | +| **file**:x_signature_level_id | actor.file.signature_level_id, file.signature_level_id, parent.file.signature_level_id, process.file.signature_level_id, directory.signature_level_id, startup_app.file.signature_level_id | +| **file**:x_signature_serial_number | actor.file.signature_serial_number | +| **file**:x_signature_value | actor.file.signature_value | +| **file**:x_signature_value_ids | actor.file.signature_value_ids, process.file.signature_value_ids, startup_app.file.signature_value_ids | +| **file**:x_content_type | file.content_type.type_id | +| **directory**:path | file.folder, directory.folder, actor.file.folder, parent.file.folder, process.file.folder, module.folder, startup_app.file.folder | +| **email-addr**:value | email.header_from, email.header_to | +| **email-message**:from_ref | email.header_from | +| **email-message**:to_refs[*] | email.header_to | +| 
**email-message**:subject | email.header_subject | +| **email-message**:x_email_direction | email.direction_id | +| **email-message**:x_email_uid | email_uid | +| **windows-registry-key**:key | reg_key.path | +| **windows-registry-key**:values[*].data | reg_value.data | +| **windows-registry-key**:values[*].name | reg_value.name | +| **windows-registry-key**:values[*].data_type | reg_value.type_id | +| **software**:name | device_os_name | +| **software**:version | device_os_ver | +| **software**:x_os_type | device_os_type_id | +| **software**:x_cmd_line | startup_app.cmd_line | +| **software**:x_start_type_id | startup_app.start_id | +| **software**:x_config_path | config_path | +| **url**:value | url.text, file.url.text | +| **url**:x_url_host | url.host, file.url.host, connection.url.host | +| **url**:x_url_path | url.path, file.url.path, connection.url.path | +| **url**:x_url_port | url.port, file.url.port, connection.url.port | +| **domain-name**:value | device_domain | +| **x-oca-event**:code | uuid | +| **x-oca-event**:severity | severity_id | +| **x-oca-event**:category | category_id | +| **x-oca-event**:action | type | +| **x-oca-event**:description | message | +| **x-oca-event**:provider | product_name | +| **x-oca-event**:agent | feature_name | +| **x-oca-event**:outcome | id | +| **x-oca-event**:created | time | +| **x-oca-event**:x_event_status | status_id | +| **x-oca-event**:host_ref.hostname | device_name | +| **x-oca-event**:host_ref.host_type | device_type | +| **x-oca-event**:file_ref.name | file.name | +| **x-oca-event**:process_ref.pid | actor.pid | +| **x-oca-event**:process_ref.name | actor.app_name | +| **x-oca-event**:process_ref.command_line | actor.cmd_line | +| **x-oca-event**:parent_process_ref.pid | parent.pid | +| **x-oca-event**:parent_process_ref.name | parent.app_name | +| **x-oca-event**:parent_process_ref.command_line | parent.cmd_line | +| **x-oca-event**:process_ref.binary_ref.name | actor.file.name | +| 
**x-oca-event**:process_ref.creator_user_ref.user_id | actor.user.name | +| **x-oca-event**:registry_ref.key | reg_key.path, reg_value.path | +| **x-oca-event**:url_ref.value | url.text | +| **x-oca-event**:domain_ref.value | device_domain | +| **x-oca-event**:network_ref.protocols[*] | connection.protocol_id | +| **x-oca-event**:user_ref.user_id | user.name | +| **x-oca-event**:x_event_type | type_id | +| **x-oca-event**:x_event_id | event_id | +| **x-oca-event**:x_provider_version | product_ver | +| **x-oca-event**:x_command_uid | command_uid | +| **x-oca-event**:x_event_data | data | +| **x-oca-asset**:hostname | device_name | +| **x-oca-asset**:host_type | device_type | +| **x-oca-asset**:x_host_group | device_group | +| **x-oca-asset**:mac_refs[*].value | device_mac | +| **x-oca-asset**:ip_ref[*].value | device_ip | +| **x-oca-asset**:os_ref.name | device_os_name | +| **x-oca-asset**:os_ref.version | device_os_ver | +| **x-oca-asset**:domain_ref.value | device_domain | +| **x-oca-geo**:name | device_location.desc | +| **x-oca-geo**:x_is_on_premises | device_location.on_premises | +| **x-ibm-finding**:name | threat.name | +| **x-ibm-finding**:severity | threat.risk_id | +| **x-ibm-finding**:alert_id | threat.id | +| **x-ibm-finding**:finding_type | reason_id | +| **x-ibm-finding**:x_threat_type_id | threat.type_id | +| **x-ibm-finding**:x_info_provider | threat.provider | +| **x-ibm-finding**:ttp_tagging_refs[*].name | attacks.technique_name | +| **x-ibm-finding**:ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_id | attacks.technique_uid | +| **x-ibm-finding**:ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_name | attacks.technique_name | +| **x-ibm-finding**:ttp_tagging_refs[*].extensions.'mitre-attack-ext'.tactic_id | attacks.tactic_uids | +| **x-ibm-ttp-tagging**:name | attacks.technique_name | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.tactic_id | attacks.tactic_uids | +| 
**x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.technique_id | attacks.technique_uid | +| **x-ibm-ttp-tagging**:extensions.'mitre-attack-ext'.technique_name | attacks.technique_name | +| **x-symantec-policy**:name | policy.name | +| **x-symantec-policy**:effective_date | policy.effective_date | +| **x-symantec-policy**:rule_group_name | policy.rule_group_name | +| **x-symantec-policy**:rule_name | policy.rule_name | +| **x-symantec-policy**:rule_category | policy.rule_category_id | +| **x-symantec-policy**:type_id | policy.type_id | +| **x-symantec-policy**:rule_description | policy.rule_desc | +| **x-symantec-policy**:version | policy.version | +| **x-symantec-policy**:states | policy.state_ids | +| **x-user-session**:id | session.id, actor.session.id | +| **x-user-session**:is_admin | session.is_admin | +| **x-user-session**:is_remote | session.remote, actor.session.remote | +| **x-user-session**:user_ref.user_id | session.user.name, actor.session.user.name | +| **x-user-session**:user_ref.account_login | session.user.logon_name, actor.session.user.logon_name | +| **x-user-session**:user_ref.is_privileged | session.user.is_admin, actor.session.user.is_admin | +| **x-user-session**:user_ref.x_domain | session.user.domain, actor.session.user.domain | +| **x-user-session**:user_ref.x_sid | session.user.sid | +| **x-kernel-resource**:name | kernel.name | +| **x-kernel-resource**:type_id | kernel.type_id | +| **x-peripheral-device**:class | peripheral_device.class | +| **x-peripheral-device**:instance_uid | peripheral_device.instance_uid | +| **x-peripheral-device**:name | peripheral_device.name | +| **x-peripheral-device**:serial | peripheral_device.serial | +|
| | +### Supported STIX Objects and Properties for Query Results +| STIX Object | STIX Property | Data Source Field | +|--|--|--| +| ipv4-addr | value | device_ip | +| ipv4-addr | value | connection.src_ip | +| ipv4-addr | value | connection.dst_ip | +| ipv4-addr | value | device_public_ip | +| ipv4-addr | value | device_networks.ipv4 | +| ipv4-addr | value | device_networks.gateway_ip | +| ipv4-addr | resolves_to_refs[*].value | device_mac | +| ipv4-addr | resolves_to_refs[*].value | device_networks.mac | +|
| | | +| ipv6-addr | value | device_ip | +| ipv6-addr | value | connection.src_ip | +| ipv6-addr | value | connection.dst_ip | +| ipv6-addr | value | device_networks.ipv6 | +| ipv6-addr | resolves_to_refs[*].value | device_mac | +| ipv6-addr | resolves_to_refs[*].value | device_networks.mac | +|
| | | +| mac-addr | value | device_mac | +| mac-addr | value | device_networks.mac | +| mac-addr | value | device_networks.gateway_mac | +|
| | | +| network-traffic | src_ref.value | connection.src_ip | +| network-traffic | dst_ref.value | connection.dst_ip | +| network-traffic | dst_port | connection.dst_port | +| network-traffic | src_port | connection.src_port | +| network-traffic | protocols[*] | connection.protocol_id | +| network-traffic | src_byte_count | connection.bytes_upload | +| network-traffic | dst_byte_count | connection.bytes_download | +| network-traffic | x_connection_direction | connection.direction_id | +|
| | | +| process | pid | actor.pid | +| process | pid | process.pid | +| process | pid | parent.pid | +| process | command_line | actor.cmd_line | +| process | command_line | process.cmd_line | +| process | command_line | parent.cmd_line | +| process | command_line | startup_app.cmd_line | +| process | name | actor.app_name | +| process | name | process.app_name | +| process | name | parent.app_name | +| process | created | actor.start_time | +| process | created | process.start_time | +| process | created | parent.start_time | +| process | x_thread_id | actor.tid | +| process | x_thread_id | process.tid | +| process | x_proc_uid | actor.uid | +| process | x_proc_uid | process.uid | +| process | x_proc_uid | parent.uid | +| process | creator_user_ref.user_id | actor.user.name | +| process | creator_user_ref.user_id | process.user.name | +| process | creator_user_ref.account_login | actor.user.logon_name | +| process | binary_ref.name | actor.file.name | +| process | binary_ref.name | process.file.name | +| process | binary_ref.name | parent.file.name | +| process | binary_ref.name | startup_app.file.name | +| process | binary_ref.parent_directory_ref.path | actor.file.path | +| process | binary_ref.parent_directory_ref.path | process.file.path | +| process | binary_ref.parent_directory_ref.path | parent.file.path | +| process | binary_ref.parent_directory_ref.path | startup_app.file.path | +| process | binary_ref.hashes.MD5 | actor.file.md5 | +| process | binary_ref.hashes.MD5 | process.file.md5 | +| process | binary_ref.hashes.MD5 | parent.file.md5 | +| process | binary_ref.hashes.MD5 | startup_app.file.md5 | +| process | binary_ref.hashes.'SHA-256' | actor.file.sha2 | +| process | binary_ref.hashes.'SHA-256' | process.file.sha2 | +| process | binary_ref.hashes.'SHA-256' | parent.file.sha2 | +| process | binary_ref.hashes.'SHA-256' | startup_app.file.sha2 | +| process | binary_ref.hashes.'SHA-1' | actor.file.c | +| process | binary_ref.hashes.'SHA-1' | 
process.file.sha1 | +| process | binary_ref.hashes.'SHA-1' | parent.file.sha1 | +| process | binary_ref.hashes.'SHA-1' | startup_app.file.sha1 | +| process | binary_ref.size | actor.file.size | +| process | binary_ref.size | process.file.size | +| process | binary_ref.size | startup_app.file.size | +|
| | | +| user-account | user_id | user.name | +| user-account | user_id | actor.user.name | +| user-account | user_id | session.user.name | +| user-account | account_login | actor.user.logon_name | +| user-account | account_login | session.user.logon_name | +| user-account | is_privileged | actor.user.is_admin | +| user-account | is_privileged | session.user.is_admin | +| user-account | x_user_domain | actor.user.domain | +| user-account | x_user_domain | session.user.domain | +| user-account | x_user_sid | user.sid | +| user-account | x_user_sid | actor.user.sid | +| user-account | x_user_sid | session.user.sid | +| user-account | x_user_uid | user.uid | +|
| | | +| file | name | file.name | +| file | name | directory.name | +| file | name | actor.file.name | +| file | name | parent.file.name | +| file | name | process.file.name | +| file | name | module.name | +| file | name | startup_app.file.name | +| file | size | file.size | +| file | size | actor.file.size | +| file | size | module.size | +| file | size | process.file.size | +| file | size | startup_app.file.size | +| file | parent_directory_ref.path | file.folder | +| file | parent_directory_ref.path | directory.folder | +| file | parent_directory_ref.path | actor.file.folder | +| file | parent_directory_ref.path | parent.file.folder | +| file | parent_directory_ref.path | process.file.folder | +| file | parent_directory_ref.path | module.folder | +| file | parent_directory_ref.path | startup_app.file.folder | +| file | hashes.MD5 | file.md5 | +| file | hashes.MD5 | actor.file.md5 | +| file | hashes.MD5 | module.md5 | +| file | hashes.MD5 | parent.file.md5 | +| file | hashes.MD5 | process.file.md5 | +| file | hashes.MD5 | startup_app.file.md5 | +| file | hashes.'SHA-256' | file.sha2 | +| file | hashes.'SHA-256' | actor.file.sha2 | +| file | hashes.'SHA-256' | module.sha2 | +| file | hashes.'SHA-256' | parent.file.sha2 | +| file | hashes.'SHA-256' | process.file.sha2 | +| file | hashes.'SHA-256' | startup_app.file.sha2 | +| file | hashes.'SHA-1' | file.sha1 | +| file | hashes.'SHA-1' | actor.file.sha1 | +| file | hashes.'SHA-1' | parent.file.sha1 | +| file | hashes.'SHA-1' | process.file.sha1 | +| file | hashes.'SHA-1' | startup_app.file.sha1 | +| file | created | actor.file.created | +| file | created | parent.file.created | +| file | created | process.file.created | +| file | created | startup_app.file.created | +| file | modified | actor.file.modified | +| file | modified | process.file.modified | +| file | modified | startup_app.file.modified | +| file | x_file_type | file.type_id | +| file | x_file_type | actor.file.type_id | +| file | x_file_type | 
process.file.type_id | +| file | x_rep_score | file.rep_score | +| file | x_file_version | file.version | +| file | x_open_mode | open_mode | +| file | x_signature_company_name | actor.file.signature_company_name | +| file | x_signature_company_name | file.signature_company_name | +| file | x_signature_company_name | module.signature_company_name | +| file | x_signature_company_name | parent.file.signature_company_name | +| file | x_signature_company_name | process.file.signature_company_name | +| file | x_signature_created_date | actor.file.signature_created_date | +| file | x_signature_created_date | actor.module.signature_created_date | +| file | x_signature_created_date | file.signature_created_date | +| file | x_signature_created_date | parent.signature_created_date | +| file | x_signature_created_date | process.signature_created_date | +| file | x_signature_created_date | directory.signature_created_date | +| file | x_signature_created_date | startup_app.file.signature_created_date | +| file | x_signature_fingerprints.algorithm | actor.file.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | actor.module.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | file.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | module.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | parent.file.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | parent.module.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | process.file.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | process.module.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | directory.signature_fingerprints.algorithm | +| file | x_signature_fingerprints.algorithm | startup_app.file.signature_fingerprints.algorithm | +| file | x_signature_issuer | 
actor.file.signature_issuer | +| file | x_signature_level_id | actor.file.signature_level_id | +| file | x_signature_level_id | file.signature_level_id | +| file | x_signature_level_id | parent.file.signature_level_id | +| file | x_signature_level_id | process.file.signature_level_id | +| file | x_signature_level_id | directory.signature_level_id | +| file | x_signature_level_id | startup_app.file.signature_level_id | +| file | x_signature_serial_number | actor.file.signature_serial_number | +| file | x_signature_value | actor.file.signature_value | +| file | x_signature_value_ids | actor.file.signature_value_ids | +| file | x_signature_value_ids | process.file.signature_value_ids | +| file | x_signature_value_ids | startup_app.file.signature_value_ids | +| file | x_content_type | file.content_type.type_id | +|
| | | +| directory | path | file.folder | +| directory | path | directory.folder | +| directory | path | actor.file.folder | +| directory | path | parent.file.folder | +| directory | path | process.file.folder | +| directory | path | module.folder | +| directory | path | startup_app.file.folder | +|
| | | +| email-addr | value | email.header_from | +| email-addr | value | email.header_to | +|
| | | +| email-message | from_ref | email.header_from | +| email-message | to_refs[*] | email.header_to | +| email-message | subject | email.header_subject | +| email-message | x_email_direction | email.direction_id | +| email-message | x_email_uid | email_uid | +|
| | | +| windows-registry-key | key | reg_key.path | +| windows-registry-key | values[*].data | reg_value.data | +| windows-registry-key | values[*].name | reg_value.name | +| windows-registry-key | values[*].data_type | reg_value.type_id | +|
| | | +| software | name | device_os_name | +| software | version | device_os_ver | +| software | x_os_type | device_os_type_id | +| software | x_cmd_line | startup_app.cmd_line | +| software | x_start_type_id | startup_app.start_id | +| software | x_config_path | config_path | +|
| | | +| url | value | url.text | +| url | value | file.url.text | +| url | x_url_host | url.host | +| url | x_url_host | file.url.host | +| url | x_url_host | connection.url.host | +| url | x_url_path | url.path | +| url | x_url_path | file.url.path | +| url | x_url_path | connection.url.path | +| url | x_url_port | url.port | +| url | x_url_port | file.url.port | +| url | x_url_port | connection.url.port | +|
| | | +| domain-name | value | device_domain | +|
| | | +| x-oca-event | code | uuid | +| x-oca-event | severity | severity_id | +| x-oca-event | category | category_id | +| x-oca-event | action | type | +| x-oca-event | description | message | +| x-oca-event | provider | product_name | +| x-oca-event | agent | feature_name | +| x-oca-event | outcome | id | +| x-oca-event | created | time | +| x-oca-event | x_event_status | status_id | +| x-oca-event | host_ref.hostname | device_name | +| x-oca-event | host_ref.host_type | device_type | +| x-oca-event | file_ref.name | file.name | +| x-oca-event | process_ref.pid | actor.pid | +| x-oca-event | process_ref.name | actor.app_name | +| x-oca-event | process_ref.command_line | actor.cmd_line | +| x-oca-event | parent_process_ref.pid | parent.pid | +| x-oca-event | parent_process_ref.name | parent.app_name | +| x-oca-event | parent_process_ref.command_line | parent.cmd_line | +| x-oca-event | process_ref.binary_ref.name | actor.file.name | +| x-oca-event | process_ref.creator_user_ref.user_id | actor.user.name | +| x-oca-event | registry_ref.key | reg_key.path | +| x-oca-event | registry_ref.key | reg_value.path | +| x-oca-event | url_ref.value | url.text | +| x-oca-event | domain_ref.value | device_domain | +| x-oca-event | network_ref.protocols[*] | connection.protocol_id | +| x-oca-event | user_ref.user_id | user.name | +| x-oca-event | x_event_type | type_id | +| x-oca-event | x_event_id | event_id | +| x-oca-event | x_provider_version | product_ver | +| x-oca-event | x_command_uid | command_uid | +| x-oca-event | x_event_data | data | +|
| | | +| x-oca-asset | hostname | device_name | +| x-oca-asset | host_type | device_type | +| x-oca-asset | x_host_group | device_group | +| x-oca-asset | mac_refs[*].value | device_mac | +| x-oca-asset | ip_ref[*].value | device_ip | +| x-oca-asset | os_ref.name | device_os_name | +| x-oca-asset | os_ref.version | device_os_ver | +| x-oca-asset | domain_ref.value | device_domain | +|
| | | +| x-oca-geo | name | device_location.desc | +| x-oca-geo | x_is_on_premises | device_location.on_premises | +|
| | | +| x-ibm-finding | name | threat.name | +| x-ibm-finding | severity | threat.risk_id | +| x-ibm-finding | alert_id | threat.id | +| x-ibm-finding | finding_type | reason_id | +| x-ibm-finding | x_threat_type_id | threat.type_id | +| x-ibm-finding | x_info_provider | threat.provider | +| x-ibm-finding | ttp_tagging_refs[*].name | attacks.technique_name | +| x-ibm-finding | ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_id | attacks.technique_uid | +| x-ibm-finding | ttp_tagging_refs[*].extensions.'mitre-attack-ext'.technique_name | attacks.technique_name | +| x-ibm-finding | ttp_tagging_refs[*].extensions.'mitre-attack-ext'.tactic_id | attacks.tactic_uids | +|
| | | +| x-ibm-ttp-tagging | name | attacks.technique_name | +| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.tactic_id | attacks.tactic_uids | +| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.technique_id | attacks.technique_uid | +| x-ibm-ttp-tagging | extensions.'mitre-attack-ext'.technique_name | attacks.technique_name | +|
| | | +| x-symantec-policy | name | policy.name | +| x-symantec-policy | effective_date | policy.effective_date | +| x-symantec-policy | rule_group_name | policy.rule_group_name | +| x-symantec-policy | rule_name | policy.rule_name | +| x-symantec-policy | rule_category | policy.rule_category_id | +| x-symantec-policy | type_id | policy.type_id | +| x-symantec-policy | rule_description | policy.rule_desc | +| x-symantec-policy | version | policy.version | +| x-symantec-policy | states | policy.state_ids | +|
| | | +| x-user-session | id | session.id | +| x-user-session | id | actor.session.id | +| x-user-session | is_admin | session.is_admin | +| x-user-session | is_remote | session.remote | +| x-user-session | is_remote | actor.session.remote | +| x-user-session | user_ref.user_id | session.user.name | +| x-user-session | user_ref.user_id | actor.session.user.name | +| x-user-session | user_ref.account_login | session.user.logon_name | +| x-user-session | user_ref.account_login | actor.session.user.logon_name | +| x-user-session | user_ref.is_privileged | session.user.is_admin | +| x-user-session | user_ref.is_privileged | actor.session.user.is_admin | +| x-user-session | user_ref.x_domain | session.user.domain | +| x-user-session | user_ref.x_domain | actor.session.user.domain | +| x-user-session | user_ref.x_sid | session.user.sid | +|
| | | +| x-kernel-resource | name | kernel.name | +| x-kernel-resource | type_id | kernel.type_id | +|
| | | +| x-peripheral-device | class | peripheral_device.class | +| x-peripheral-device | instance_uid | peripheral_device.instance_uid | +| x-peripheral-device | name | peripheral_device.name | +| x-peripheral-device | serial | peripheral_device.serial | +|
| | | \ No newline at end of file diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py new file mode 100644 index 000000000..fd139cab1 --- /dev/null +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py 
@@ -0,0 +1,522 @@ +""" test script to perform unit test case for symantec translate results """ +import unittest +from stix_shifter_modules.symantec_endpoint_security.entry_point import EntryPoint +from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator +from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers + +MODULE = "symantec_endpoint_security" +entry_point = EntryPoint() +map_data = entry_point.get_results_translator().map_data +data_source = { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "symantec endpoint security", + "identity_class": "events" +} +options = {} + +symantec_sample_response = [{ + "device_os_type_id": 100, + "lineage": [ + "C:\\Windows\\System32\\svchost.exe", + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\wininit.exe" + ], + "feature_uid": "1DF0351C-146D-4F07-B155-BF5C7077FF40", + "type": "event_query_results", + "seq_num": 24, + "ref_uid": "DC931153-3860-4E7D-9A96-378662BC51F3", + "legacy_product_uid": "ad66b334-9eb8-bf35-3f4e-f172b06200b0", + "id": 1, + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9", + "feature_name": "DETECTION_RESPONSE", + "device_group": "Default/TestEDRGroup", + "product_name": "Symantec Endpoint Security", + "version": "1.0.0", + "command_uid": "", + "device_ip": "10.10.10.10", + "device_vhost": 12, + "timezone": 0, + "device_domain": "WORKGROUP", + "product_ver": "14.3.10148.8000", + "is_npvdi_client": "false", + "device_name": "HOST_NAME", + "category_id": 5, + "device_networks": [ + { + "ipv4": "10.10.10.10", + "ipv6": "fe00:0000:0000:0000:000f:df0a:0000:00d0", + "mac": "0a:0f:00:00:0c:00" + } + ], + "device_os_name": "Windows Server 2019 Datacenter Edition", + "type_id": 8001, + "actor": { + "session_id": 0, + "pid": 1880, + "uid": "C03AA311-0907-F1EF-848A-EAEACDB378C2", + "tid": 5472, + "start_time": "2024-05-03T04:44:04.920Z", + "cmd_line": 
"C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "integrity_id": 6, + "file": { + "type_id": 1, + "created": "2022-09-14T16:17:52.744Z", + "modified": "2022-09-14T16:17:52.744Z", + "md5": "0dd00f000ac00d0f00f00f00e0aa0000", + "sha2": "2b105fb153b1bcd619b00000000b3a93c60b000eef6837d3bb0099e4207aaf6b", + "size": 51736, + "signature_company_name": "Microsoft Windows Publisher", + "signature_value_ids": [ + 3, + 5 + ], + "security_descriptor": "O:S-1-1-1-0-71241G:SYD:(A;;0x1fffff;;;S-1-1-1-0-71241)(A;;0x1400;;;BA)S:AI", + "normalized_path": "CSIDL_SYSTEM\\svchost.exe", + "path": "c:\\windows\\system32\\svchost.exe", + "uid": "281474976968790", + "name": "svchost.exe", + "folder": "c:\\windows\\system32", + "original_name": "svchost.exe", + "signature_level_id": 60 + }, + "user": { + "name": "SYSTEM", + "sid": "S-1-1-11", + "domain": "NT AUTHORITY" + }, + "cmd_line_raw_length": 57 + }, + "device_mac": "0a:0f:00:00:0c:00", + "device_uid": "X4oOxiAoQO6SuZAfO6lm4Q", + "org_unit_uid": "_RE5UsoeSKSrteDkP3U2Mw", + "severity_id": 1, + "logging_device_post_time": "2024-05-03T06:49:06.299Z", + "device_time": "2024-05-03T06:49:06.302Z", + "user_name": "SYSTEM", + "process": { + "session_id": 0, + "pid": 5396, + "uid": "C03AB60B-0907-F1EF-848A-EAEACDB378C2", + "start_time": "2024-05-03T06:49:06.302Z", + "cmd_line": "\"C:\\Windows\\system32\\usoclient.exe\" StartScan", + "integrity_id": 6, + "file": { + "type_id": 1, + "created": "2020-03-18T06:42:21.265Z", + "modified": "2020-03-18T06:42:21.265Z", + "md5": "39750d00d000000b000adbb917f7b000", + "sha2": "df0000cdc3c6f000000aaf2d4407c4e8aaa000000a00000fb4688e2bd099db85", + "size": 48128, + "signature_company_name": "Microsoft Windows", + "signature_value_ids": [ + 3, + 5 + ], + "security_descriptor": "O:SYG:SYD:(A;;0x1fffff;;;SY)(A;;RC;;;OW)" + "(A;;0x1fffff;;;S-1-1-10-0000092361-0000024937-000023819-0000237918-00005745)S:AI", + "normalized_path": "CSIDL_SYSTEM\\usoclient.exe", + "path": 
"c:\\windows\\system32\\usoclient.exe", + "uid": "281474976969093", + "name": "usoclient.exe", + "folder": "c:\\windows\\system32", + "original_name": "UsoClient", + "signature_level_id": 60 + }, + "user": { + "name": "SYSTEM", + "sid": "S-1-1-11", + "domain": "NT AUTHORITY" + }, + "cmd_line_raw_length": 45 + }, + "edr_enriched_data": { + "category_name": "Generic Data to be sent to ATP", + "category_id": 201, + "rule_id": 2101450, + "rule_name": "IF.SchtasksLaunch!g2" + }, + "feature_ver": "edr/1.3.0", + "is_user_present": "false", + "event_data_type": "fdr", + "user": { + "name": "SYSTEM" + }, + "device_os_ver": "10.0.17763", + "policy": { + "uid": "a7124b68-abc1-43a4-8e44-716fb1966646", + "name": "Default Detection and Response Policy", + "version": "1" + }, + "trans_event_raw_length": 3436, + "attacks": [ + { + "technique_uid": "T1053", + "technique_name": "Scheduled Task/Job", + "tactic_ids": [ + 2, + 3, + 4 + ], + "tactic_uids": [ + "TA0002", + "TA0003", + "TA0004" + ] + } + ], + "customer_uid": "IKhSB-yfRK2xeUR-xyCK2g", + "device_public_ip": "22.22.22.22", + "domain_uid": "B3dKzLSzR9CScPYAGhkgxA", + "time": "2024-05-03T06:49:06.302Z", + "log_time": "2024-05-03T06:49:24.770Z", + "uuid": "8001:3c5831e0-0919-11ef-cf18-000006b4f3c8", + "indexDate": "2024-05-03", + "indexHash": "fdr_4_t2", + "log_name": "c1.fdr_4_t2_2024-05-03", + "es.mapping.id": "uuid", + "epochLogTime": 1714718964770, + "es.mapping.version": "epochLogTime" +}] + +symantec_policy_sample_response = [{ + "category_id": 3, + "change_type_id": 1, + "curr_location": {"desc": "Default", "on_premises": False}, + "device_ip": "172.1.1.1", + "device_location": {"desc": "Default", "on_premises": False}, + "device_time": 1714710446334, + "feature_name": "AGENT_FRAMEWORK", + "feature_uid": "8CAC5E54-xxxxxxxx-5D956D1821E4", + "id": 4, + "message": "Location changed. 
[Previous]: [Current]: Default", + "message_id": "0x1207020E", + "policy": {"name": "Default System Policy", "uid": "f6e97ddb-eb48-4a1f-a862-d9895ec6d7dc", + "version": "1"}, + "prev_location": {"desc": "", "on_premises": False}, + "raw_data": "", + "severity_id": 1, + "status_detail": "Smc", + "status_id": 1, + "type": "POLICY_CHANGE", + "type_id": 4, + "version": "1.0", + "composite": 2, + "device_domain": "WORKGROUP", + "device_group": "Default/TestDevGroup", + "device_name": "XZ-ABC", + "device_networks": [{"ipv4": "172.1.1.1", "ipv6": "fe80::1111:1111:1111:a6d7", "mac": "12:AA:AA:AA:AA:AA"}, + {"ipv4": "192.1.1.1", "ipv6": "fe80::2222:2222:2222:22fd", "mac": "86:AA:AA:AA:AA:AA"}], + "device_os_name": "Windows Server 2019 Datacenter Edition", + "device_uid": "9Texxxxx5Q", + "org_unit_uid": "KKqxxxxxxxxxxxySg", + "product_data": {"sep_domain_uid": "", "sep_hw_uid": "D47E4AAAAAAAAAAAAAE"}, + "product_name": "Symantec Endpoint Security", + "product_uid": "31BAAAAAAAAAAAAAAAAAD7B9", + "product_ver": "14.3.10148.8000", + "stic_hw_uid": "DB3AAAAAA-49AF-72A1-1169-AAAAAAAAD40", + "stic_uid": "19AAAAAA-999C-43CD-BFDF-AAAAAAAAAA8", + "timezone": 0, + "user_name": "Administrator", + "customer_uid": "IKxxx-xxxxxxxx-xyCK2g", + "device_public_ip": "54.1.1.1", + "domain_uid": "B3dKxxxxxxxxkgxA", + "event_data_type": "sep", + "user": {"name": "Administrator"}, + "device_os_type_id": 100, + "time": "2024-05-03T04:27:26.334Z", + "log_time": "2024-05-03T04:34:57.379Z", + "uuid": "4:71eeeeee-0905-11ef-f724-000001eeeec3", + "indexDate": "2024-05-03", + "indexHash": "event_service_4_t2", + "log_name": "c1.event_service_4_t2_2024-05-03", + "es.mapping.id": "uuid", "epochLogTime": 1714710897379, "es.mapping.version": "epochLogTime"}] + +symantec_threat_sample_response = [{ + "category_id": 1, + "content_ver": "Version: 2024-05-03 rev. 
002; Sequence: 240503002", + "count": 1, + "cybox": {"files": [{"company_name": "KnowBe4, Inc.", + "folder": "C:\\Users\\Administrator\\Downloads\\Ransom App", + "name": "SimulatorSetup.exe", + "normalized_path": "CSIDL_PROFILE\\downloads\\ransom app\\simulatorsetup.exe", + "path": "C:\\Users\\Administrator\\Downloads\\Ransom App\\SimulatorSetup.exe", + "product_name": "KnowBe4 Rns Simulator", + "rep_discovered_band": 365, "rep_prevalence": 71, "rep_score": -105, + "sha2": "815B99BD82F3685F97F9A2DD24A434C1749D5A5C9097F2B6BCEA42F69EE01A05", + "signature_company_name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "signature_created_date": 1677490376, + "signature_issuer": "KnowBe4 Inc.", "signature_value": 1099520606215, + "signature_value_ids": [1, 2, 3, 17, 20], "size": 181872248, + "type_id": 1, "version": "2.4.1.2"}]}, + "device_end_time": 1714740874000, + "device_ip": "172.31.30.222", + "device_location": {"desc": "Default", "on_premises": False}, + "device_time": 1714740874000, + "feature_name": "MALWARE_PROTECTION", + "feature_uid": "A36AAAAA-4F03-42DE-B55F-39AAAAAA89C8", + "file": {"company_name": "KnowBe4, Inc.", + "content_type": {"family_id": 3}, + "folder": "C:\\Users\\Administrator\\Downloads\\Ransom App", + "name": "SimulatorSetup.exe", + "normalized_path": "CSIDL_PROFILE\\downloads\\ransom app\\simulatorsetup.exe", + "path": "C:\\Users\\Administrator\\Downloads\\Ransom App\\SimulatorSetup.exe", + "product_name": "KnowBe4 Rns Simulator", + "rep_discovered_band": 365, + "rep_prevalence": 71, + "rep_score": -105, + "sha2": "815B99BD82F3685F97F9A2DD24A434C1749D5A5C9097F2B6BCEA42F69EE02AA5", + "signature_company_name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "signature_created_date": 1677490376, + "signature_fingerprints": [{"algorithm": "sha1", "value": "21EC32614C2BE32ADD9E2056CAA28CAB5A7FEEEA"}], + "signature_issuer": "KnowBe4 Inc.", "signature_serial_number": "0E44DA59C6985D40A6040C9D9AAAAAAA", + "signature_value": 
1099520606215, + "signature_value_ids": [1, 2, 3, 17, 20], + "size": 181872248, "type_id": 1, "version": "2.4.1.2"}, + "id": 12, "policy": {"name": "Default Antimalware Policy", "rule_category_id": 1, + "uid": "5afbaaaa-d1fe-4104-b43b-63aaaaaaaa5b", "version": "1"}, + "quarantine_uid": "179830784", + "reason_id": 2, + "ref_uid": "f7caaaa-92d8-4908-8d51-bd7aaaaaa87", + "scan_uid": "", + "severity_id": 1, + "threat": {"id": 42878, "name": "Trojan.Gen.MBT", "risk_id": 100, "type_id": 1}, + "type": "HOST_FILE_DETECTION", "type_id": 8031, "user_name": "SYSTEM", "version": "1.0", "composite": 2, + "device_domain": "WORKGROUP", "device_group": "Default/TestEDRGroup", "device_name": "AMAZ-XXXXXX", + "device_networks": [{"ipv4": "172.2.3.3", "ipv6": "fe80::3333:3333:3333:99d5", "mac": "0A:BB:BB:BB:BB:75"}, + {"ipv4": "169.4.4.4", "ipv6": "fe80::4444:4444:4444:31cf", "mac": "86:CC:CC:CC:CC:89"}], + "device_os_name": "Windows Server 2019 Datacenter Edition", + "device_uid": "X4oOxiXXXXXXXXXX4Q", "org_unit_uid": "_RE5UsXXXXXXMw", + "product_data": {"sep_domain_uid": "", "sep_hw_uid": "AD66B3BBBBBBBBBBBBBB200B0"}, + "product_name": "Symantec Endpoint Security", + "product_uid": "31B0AAAA-0229-49E8-94C5-48AAAAAAA7B9", "product_ver": "14.3.10148.8000", + "stic_hw_uid": "9FBC61111-5BC6-E087-DC55-1411111111C5", + "stic_uid": "92EE1111-2C77-4401-9A10-4911111111CE", "timezone": 0, + "customer_uid": "IKhSB-xxxxxxxx-xyxxxx", "device_public_ip": "10.1.1.1", + "domain_uid": "B3dxxxxxxxxgxA", + "event_data_type": "sep", "user": {"name": "SYSTEM"}, "device_os_type_id": 100, "time": "2024-05-03T12:54:34Z", + "end_time": "2024-05-03T12:54:34.000Z", + "log_time": "2024-05-03T12:54:41.184Z", + "uuid": "8031:4a456100-094c-11ef-c4f3-0000029ebed4", + "indexDate": "2024-05-03", "indexHash": "event_service_4_t2", + "log_name": "c1.event_service_4_t2_2024-05-03", + "es.mapping.id": "uuid", "epochLogTime": 1714740881184, "es.mapping.version": "epochLogTime"}] + +symantec_file_sample_response = [{ + 
"file": {"path": "c:\\programdata\\apv2\\logs\\cybereasonactiveprobe.log.0.gz",
+ "normalized_path": "CSIDL_COMMON_APPDATA\\apv2\\logs\\cybereasonactiveprobe.log.0.gz",
+ "attributes": 128,
+ "attribute_ids": 6,
+ "security_descriptor": "O:BAG:SYD:AI(A;ID;FR;;;WD)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)",
+ "size": 250931,
+ "name": "cybereasonactiveprobe.log.0.gz",
+ "folder": "c:\\programdata\\apv2\\logs",
+ "content_type": {"family_id": 0, "type_id": 1}}}]
+
+symantec_network_sample_response = [{
+ "connection": {"src_ip": "::", "src_port": "59418", "dst_port": "0", "protocol_id": 17, "dst_ip": "0.0.0.0"},
+ "state_id": 0,
+ "id": 1,
+ "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9",
+ "raw_data": {"PID": "3844", "ProcessName": "svchost.exe", "Protocol": "UDP", "LocalAddress": "::",
+ "LocalPort": "59418", "RemoteAddress": "0.0.0.0", "RemotePort": "0", "State": '',
+ "EvidenceType": '', "IsDefault": False, "IsSuspicious": False}}]
+
+
+class TestSymantecResultsToStix(unittest.TestCase):
+ """
+ class to perform unit test case for symantec translate results
+ """
+
+ @staticmethod
+ def get_first(itr, constraint):
+ """ return the obj in the itr if constraint is true """
+ return next((obj for obj in itr if constraint(obj)), None)
+
+ @staticmethod
+ def get_first_of_type(itr, typ):
+ """ check whether the object belongs to respective stix object """
+ return TestSymantecResultsToStix.get_first(itr, lambda o: isinstance(o, dict) and o.get('type') == typ)
+
+ @staticmethod
+ def get_observed_data_objects(data):
+ result_bundle = json_to_stix_translator.convert_to_stix(
+ data_source, map_data, data, get_module_transformers(MODULE), options)
+ result_bundle_objects = result_bundle['objects']
+
+ result_bundle_identity = result_bundle_objects[0]
+ assert result_bundle_identity['type'] == data_source['type']
+ observed_data = result_bundle_objects[1]
+
+ assert 'objects' in observed_data
+ return observed_data['objects']
+
+ def 
test_ipv4_addr_json_to_stix(self):
+ """test ipv4-addr stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ ipv4_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'ipv4-addr')
+ ipv6_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'ipv6-addr')
+ assert ipv4_obj is not None
+ assert (ipv4_obj.keys() == {'type', 'value', 'resolves_to_refs'})
+ assert ipv4_obj['type'] == 'ipv4-addr'
+ assert ipv4_obj['value'] == '10.10.10.10'
+ assert ipv6_obj['value'] == 'fe00:0000:0000:0000:000f:df0a:0000:00d0'
+
+ def test_mac_addr_json_to_stix(self):
+ """test mac-addr stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ mac_addr_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'mac-addr')
+ assert mac_addr_obj is not None
+ assert (mac_addr_obj.keys() == {'type', 'value'})
+ assert mac_addr_obj['type'] == 'mac-addr'
+ assert mac_addr_obj['value'] == '0a:0f:00:00:0c:00'
+
+ def test_file_json_to_stix(self):
+ """test file stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ file_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'file')
+ assert file_obj is not None
+ assert (file_obj.keys() == {'type', 'x_file_type', 'created', 'modified', 'hashes', 'size',
+ 'x_signature_company_name', 'x_signature_value_ids', 'name',
+ 'parent_directory_ref', 'x_signature_level_id'})
+ assert file_obj['type'] == 'file'
+ assert file_obj['name'] == 'svchost.exe'
+ assert file_obj['size'] == 51736
+
+ def test_process_json_to_stix(self):
+ """test process stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ process_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'process')
+ assert process_obj is not None
+ assert (process_obj.keys() == {'type', 
'pid', 'x_proc_uid', 'x_thread_id', 'created',
+ 'command_line', 'binary_ref', 'creator_user_ref', 'child_refs'})
+ assert process_obj['type'] == 'process'
+ assert process_obj['pid'] == 1880
+ assert process_obj['command_line'] == 'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'
+
+ def test_user_account_json_to_stix(self):
+ """test user-account stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ user_account_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'user-account')
+ assert user_account_obj is not None
+ assert (user_account_obj.keys() == {'type', 'user_id', 'x_user_sid', 'x_user_domain'})
+ assert user_account_obj['type'] == 'user-account'
+ assert user_account_obj['user_id'] == 'SYSTEM'
+
+ def test_directory_json_to_stix(self):
+ """test directory stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ directory_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'directory')
+ assert directory_obj is not None
+ assert (directory_obj.keys() == {'type', 'path'})
+ assert directory_obj['type'] == 'directory'
+ assert directory_obj['path'] == 'c:\\windows\\system32'
+
+ def test_x_ibm_ttp_tagging_obj_json_to_stix(self):
+ """test x-ibm-ttp-tagging stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ x_ibm_ttp_tagging_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-ibm-ttp-tagging')
+ assert x_ibm_ttp_tagging_obj is not None
+ assert (x_ibm_ttp_tagging_obj.keys() == {'type', 'extensions', 'name'})
+ assert x_ibm_ttp_tagging_obj['type'] == 'x-ibm-ttp-tagging'
+ assert x_ibm_ttp_tagging_obj['name'] == 'Scheduled Task/Job'
+ assert x_ibm_ttp_tagging_obj['extensions'] is not None
+ ibm_tagging = x_ibm_ttp_tagging_obj['extensions']['mitre-attack-ext']
+ assert ibm_tagging['technique_id'] == 'T1053'
+ 
assert ibm_tagging['tactic_id'] == 'TA0002'
+
+ def test_x_symantec_policy_obj_json_to_stix(self):
+ """test x-symantec-info stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-symantec-policy')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'name', 'version'})
+ assert x_symantec_info_obj['type'] == 'x-symantec-policy'
+ assert x_symantec_info_obj['name'] == 'Default Detection and Response Policy'
+ assert x_symantec_info_obj['version'] == '1'
+
+ def test_x_oca_asset_obj_json_to_stix(self):
+ """test x-symantec-info stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-oca-asset')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'x_host_group', 'ip_refs', 'domain_ref', 'hostname',
+ 'mac_refs', 'os_ref'})
+ assert x_symantec_info_obj['type'] == 'x-oca-asset'
+ assert x_symantec_info_obj['hostname'] == 'HOST_NAME'
+ assert x_symantec_info_obj['os_ref'] == '0'
+
+ def test_software_obj_json_to_stix(self):
+ """test x-symantec-info stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'software')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'name', 'version', 'x_os_type'})
+ assert x_symantec_info_obj['type'] == 'software'
+ assert x_symantec_info_obj['name'] == 'Windows Server 2019 Datacenter Edition'
+ assert x_symantec_info_obj['version'] == '10.0.17763'
+ assert x_symantec_info_obj['x_os_type'] == 'Windows'
+
+ def test_x_oca_event_obj_json_to_stix_malware(self):
+ """test x-symantec-info 
stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-oca-event')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'action', 'outcome', 'agent', 'provider',
+ 'x_event_type_version', 'timezone', 'x_provider_version', 'host_ref',
+ 'category', 'x_event_type', 'process_ref', 'file_ref', 'severity',
+ 'user_ref', 'x_policy_ref', 'created', 'code'})
+ assert x_symantec_info_obj['type'] == 'x-oca-event'
+ assert x_symantec_info_obj['action'] == 'event_query_results'
+ assert x_symantec_info_obj['category'] == 'System Activity'
+ assert x_symantec_info_obj['severity'] == 16
+ assert x_symantec_info_obj['outcome'] == 'Blocked'
+ assert x_symantec_info_obj['x_event_type'] == 8001
+
+ def test_x_oca_event_obj_json_to_stix(self):
+ """test x-symantec-info stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_policy_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-oca-event')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'category', 'agent', 'outcome', 'description', 'x_policy_ref',
+ 'severity', 'x_event_status', 'action', 'x_event_type',
+ 'x_event_type_version', 'host_ref', 'provider', 'x_provider_version',
+ 'timezone', 'user_ref', 'created', 'code'})
+ assert x_symantec_info_obj['type'] == 'x-oca-event'
+ assert x_symantec_info_obj['action'] == 'POLICY_CHANGE'
+ assert x_symantec_info_obj['category'] == 'Application Activity'
+ assert x_symantec_info_obj['severity'] == 16
+ assert x_symantec_info_obj['outcome'] == 'Logged'
+ assert x_symantec_info_obj['x_event_type'] == 4
+
+ def test_x_ibm_finding_obj_json_to_stix(self):
+ """test x-symantec-info stix object properties"""
+ objects = 
TestSymantecResultsToStix.get_observed_data_objects(symantec_threat_sample_response)
+ x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
+ assert x_symantec_info_obj is not None
+ assert (x_symantec_info_obj.keys() == {'type', 'x_policy_ref', 'finding_type', 'alert_id', 'name',
+ 'severity', 'x_threat_type_id'})
+ assert x_symantec_info_obj['type'] == 'x-ibm-finding'
+ assert x_symantec_info_obj['alert_id'] == 42878
+ assert x_symantec_info_obj['severity'] == 100
+ assert x_symantec_info_obj['name'] == 'Trojan.Gen.MBT'
+ assert x_symantec_info_obj['x_threat_type_id'] == 'Malware'
+
+ def test_file_type_id_json_to_stix(self):
+ """test file stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_file_sample_response)
+ file_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'file')
+ assert file_obj is not None
+ assert (file_obj.keys() == {'type', 'parent_directory_ref', 'size', 'name', 'x_family_type', 'x_content_type'})
+ assert file_obj['type'] == 'file'
+ assert file_obj['size'] == 250931
+ assert file_obj['x_content_type'] == 'Application'
+
+ def test_network_json_to_stix(self):
+ """test file stix object properties"""
+ objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_network_sample_response)
+ network_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+ assert network_obj is not None
+ assert (network_obj.keys() == {'type', 'src_ref', 'scr_port', 'dst_port', 'protocols', 'dst_ref'})
+ assert network_obj['type'] == 'network-traffic'
+ assert network_obj['scr_port'] == 59418
diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py
new file mode 100644
index 000000000..63e8e6e1d
--- /dev/null
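Review bot: `test_network_json_to_stix` pins a misspelled property into the suite: `assert (network_obj.keys() == {'type', 'src_ref', 'scr_port', 'dst_port', 'protocols', 'dst_ref'})` and `assert network_obj['scr_port'] == 59418` expect `scr_port`, while the STIX network-traffic property is `src_port`, so any downstream consumer filtering on `network-traffic:src_port` will never see the source port from this connector. The mapping that emits `scr_port` (presumably the to_stix_map.json files added by this commit, not visible in this hunk) should be corrected and both assertions changed to `'src_port'`. Separately, the docstrings of `test_x_oca_asset_obj_json_to_stix`, `test_software_obj_json_to_stix`, both `test_x_oca_event_obj_*` tests, `test_x_ibm_finding_obj_json_to_stix`, `test_file_type_id_json_to_stix` and `test_network_json_to_stix` are copy-pasted (`"""test x-symantec-info stix object properties"""` / `"""test file stix object properties"""`) and should name the object actually under test, e.g. `"""test network-traffic stix object properties"""`. Note also that `get_first_of_type` returns the first matching dict in insertion order, so `test_file_json_to_stix` asserting `file_obj['name'] == 'svchost.exe'` silently depends on the actor's file being emitted before the process's `usoclient.exe`; selecting the file by name or hash before asserting on its other keys would make the test robust to mapping-order changes.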
+++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py 
@@ -0,0 +1,604 @@ +from stix_shifter.stix_translation import stix_translation +import unittest + +translation = stix_translation.StixTranslation() + + +def _remove_timestamp_from_query(queries): + if isinstance(queries, list): + query_list = [] + for query in queries: + query.pop("start_date") + query.pop("end_date") + query_list.append(query) + return query_list + + +class TestQueryTranslator(unittest.TestCase): + """ + class to perform unit test case symantec translate query + """ + if __name__ == "__main__": + unittest.main() + + def _test_query_assertions(self, query, queries): + """ + to assert each query in the list against expected result + """ + self.assertIsInstance(queries, list) + self.assertIsInstance(query, dict) + self.assertIsInstance(query['queries'], list) + for index, each_query in enumerate(query.get('queries'), start=0): + self.assertEqual(each_query, queries[index]) + + def test_equal_operator(self): + stix_pattern = "[ipv4-addr:value = '111.11.1.111'] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'device_ip:"111.11.1.111" OR connection.src_ip:"111.11.1.111" OR ' + 'connection.dst_ip:"111.11.1.111" OR device_public_ip:"111.11.1.111" OR ' + 'device_networks.ipv4:"111.11.1.111" OR device_networks.gateway_ip:"111.11.1.111"', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_not_equal_operator(self): + stix_pattern = "[ipv6-addr:value != '1234:a5a6:78910:1111:2222:3333'] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + 
query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '-device_ip:"1234\\:a5a6\\:78910\\:1111\\:2222\\:3333" OR' + ' -connection.src_ip:"1234\\:a5a6\\:78910\\:1111\\:2222\\:3333" OR' + ' -connection.dst_ip:"1234\\:a5a6\\:78910\\:1111\\:2222\\:3333" OR' + ' -device_networks.ipv6:"1234\\:a5a6\\:78910\\:1111\\:2222\\:3333"', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_gt_operator(self): + stix_pattern = "[network-traffic:dst_port > 22] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.dst_port:{22 TO *}', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_gt_eq_operator(self): + stix_pattern = "[network-traffic:dst_port >= 22] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.dst_port:[22 TO *}', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_lt_operator(self): + stix_pattern = "[network-traffic:src_port < 22] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = 
translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.src_port:{* TO 22}', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_lt_eq_operator(self): + stix_pattern = "[network-traffic:src_port <= 22] START t'2024-05-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.src_port:{* TO 22]', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_IN_operator(self): + stix_pattern = "[network-traffic:protocols[*] IN ('tcp', 'udp')] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.protocol_id:("6" OR "17")', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_like_operator(self): + stix_pattern = "[user-account:user_id LIKE 'SYSTEM'] START t'2024-05-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) 
+ queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'user.name:SYSTEM* OR actor.user.name:SYSTEM*' + ' OR session.user.name:SYSTEM*', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_matches_operator(self): + stix_pattern = "[process:name MATCHES 'host[a-z].exe'] START t'2024-05-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'actor.app_name:/host[a-z].exe/ OR process.app_name:/host[a-z].exe/ OR' + ' parent.app_name:/host[a-z].exe/', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_bool_operator(self): + stix_pattern = "[x-oca-geo:x_is_on_premises = 'true'] START t'2024-05-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'device_location.on_premises:"true"', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_date_supported_properries(self): + stix_pattern = "[file:created = '2024-03-19T04:43:06.377Z'] START t'2024-05-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + 
queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'actor.file.created:[ 1710823386377 TO 1710823386377 ] OR ' + 'parent.file.created:[ 1710823386377 TO 1710823386377 ] OR ' + 'process.file.created:[ 1710823386377 TO 1710823386377 ] OR ' + 'startup_app.file.created:[ 1710823386377 TO 1710823386377 ]', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_not_supported_properties_for_like(self): + stix_pattern = "[mac-addr:value LIKE '11:aa:aa:11:11:11'] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + assert False is query['success'] + assert 'not_implemented' == query['code'] + assert query['error'] == 'symantec_endpoint_security connector error => wrong parameter : LIKE/MATCHES ' \ + 'operator is not supported for this fields device_mac,device_networks.mac,' \ + 'device_networks.gateway_mac' + + def test_directory_path(self): + stix_pattern = "[directory:path = 'C:\\\\users\\\\administrator\\\\local\\\\data']" \ + "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'file.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' directory.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' actor.file.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' parent.file.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' process.file.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' module.folder:"C\\:\\users\\administrator\\local\\data" OR' + ' startup_app.file.folder:"C\\:\\users\\administrator\\local\\data"', + 'start_date': 
'2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_enum_operator(self): + stix_pattern = "[x-oca-event:severity = 15] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'severity_id:"1"', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_int_operator(self): + stix_pattern = "[process:pid > 1235] START t'2023-11-01T11:00:00.000Z' " \ + "STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'actor.pid:{1235 TO *} OR process.pid:{1235 TO *} OR parent.pid:{1235 TO *}', + 'start_date': '2023-11-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_event_date_attribute(self): + stix_pattern = "[x-oca-event:created = '2024-05-21T13:27:21.526Z'] " \ + "START t'2024-05-01T11:00:00.000Z' STOP t'2024-05-23T00:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{ + "feature_name": "ALL", + "product": "SAEP", + "query": "time:[ 1716298041526 TO 1716298041526 ]", + "start_date": "2024-05-01T11:00:00.000+00:00", + "end_date": "2024-05-23T00:00:00.000+00:00" + }] + queries = 
_remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_file_date_attribute(self): + stix_pattern = "[file:created = '2024-03-19T04:43:06.377Z'] " \ + "START t'2024-05-01T11:00:00.000Z' STOP t'2024-05-23T00:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{ + "feature_name": "ALL", + "product": "SAEP", + "query": "actor.file.created:[ 1710823386377 TO 1710823386377 ] OR " + "parent.file.created:[ 1710823386377 TO 1710823386377 ] OR " + "process.file.created:[ 1710823386377 TO 1710823386377 ] OR " + "startup_app.file.created:[ 1710823386377 TO 1710823386377 ]", + "start_date": "2024-05-01T11:00:00.000+00:00", + "end_date": "2024-05-23T00:00:00.000+00:00" + }] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_protocol_attribute(self): + stix_pattern = "[network-traffic:protocols[*]='udp'] " \ + "START t'2024-03-15T16:43:26.000Z' STOP t'2024-05-25T06:23:26.003Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{ + "feature_name": "ALL", + "product": "SAEP", + "query": "connection.protocol_id:\"17\"", + "start_date": "2024-03-15T16:43:26.000+00:00", + "end_date": "2024-05-25T06:23:26.003+00:00" + }] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_combined_comparison_AND_operator(self): + stix_pattern = "[network-traffic:dst_port = 445 AND (process:pid = 1010 AND user-account:user_id LIKE " \ + "'Administrator')]START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = 
[{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '(connection.dst_port:"445") AND ' + '((actor.pid:"1010" OR process.pid:"1010" OR parent.pid:"1010") AND' + ' (user.name:Administrator* OR actor.user.name:Administrator* OR' + ' session.user.name:Administrator*))', + 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_combined_comparison_OR_operator(self): + stix_pattern = "[process:pid = 1010 OR user-account:user_id LIKE 'Administrator']START " \ + "t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '(actor.pid:"1010" OR process.pid:"1010" OR parent.pid:"1010") OR' + ' (user.name:Administrator* OR actor.user.name:Administrator* OR' + ' session.user.name:Administrator*)', + 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_combined_comparison_OR_AND_operators(self): + stix_pattern = "[(x-oca-event:severity = 15 OR x-oca-event:category = 'Security') AND " \ + "(x-oca-asset:host_type = 'server' AND x-symantec-policy:name = 'default')]" \ + " START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '((severity_id:"1") OR (category_id:"1")) AND' + ' ((device_type:"server") AND (policy.name:"default"))', + 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] + 
queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_combined_comparison(self): + stix_pattern = "[x-ibm-finding:x_threat_type_id = 'Malware' OR " \ + "(x-symantec-policy:name = 'malware_detection' AND" \ + " x-ibm-ttp-tagging:name = 'Drive by Compromise') OR" \ + " (x-user-session:is_remote = 'true' AND network-traffic:src_port = 22)]" \ + "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '((threat.type_id:"1") OR ((policy.name:"malware_detection") AND ' + '(attacks.technique_name:"Drive by Compromise"))) OR ' + '((session.remote:"true" OR actor.session.remote:"true") AND (connection.src_port:"22"))', + 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_IN_operator_split_query(self): + stix_pattern = "[file:hashes.'SHA-256' IN ('ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" \ + "', 'ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A', " \ + "'BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," 
\ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B'," \ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C'," \ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E'," \ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F'," \ + "'FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G'," \ + "'BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \ + "'DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A')] START " \ + "t'2024-05-01T11:00:00.000Z' STOP t'2024-05-06T11:54:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': 'file.sha2:("ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + 
'"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A") OR ' + 'actor.file.sha2:(' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + 
'"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A") OR ' + 'module.sha2:(' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A") OR ' + 'parent.file.sha2:(' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + 
'"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A") OR ' + 'process.file.sha2:(' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + 
'"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A") OR ' + 'startup_app.file.sha2:(' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"CBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"EBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142B" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142C" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142E" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142F" OR ' + '"FBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142G" OR ' + '"BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + 
'"DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A" OR ' + '"DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A")', + 'start_date': '2024-05-01T11:00:00.000+00:00', 'end_date': '2024-05-06T11:54:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_multiple_observation_AND_operator(self): + stix_pattern = "([ipv4-addr:value = '1.1.1.1'] AND [file:name = 'cmd.exe'])START " \ + "t'2024-05-01T01:56:00.000Z' STOP t'2024-05-01T01:57:00.003Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '(file.name:"cmd.exe" OR directory.name:"cmd.exe" OR actor.file.name:"cmd.exe" OR ' + 'parent.file.name:"cmd.exe" OR process.file.name:"cmd.exe" OR module.name:"cmd.exe" OR ' + 'startup_app.file.name:"cmd.exe") OR ' + '(device_ip:"1.1.1.1" OR connection.src_ip:"1.1.1.1" OR connection.dst_ip:"1.1.1.1" OR ' + 'device_public_ip:"1.1.1.1" OR device_networks.ipv4:"1.1.1.1" OR ' + 'device_networks.gateway_ip:"1.1.1.1")', + 'start_date': '2024-05-01T01:56:00.000+00:00', 'end_date': '2024-05-01T01:57:00.003+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_multiple_observation_OR_operator(self): + stix_pattern = "([x-oca-event:severity = 15] OR [x-oca-asset:host_type = 'server'])" \ + "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': '(device_type:"server") OR (severity_id:"1")', + 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': 
'2024-05-01T11:00:00.000+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_multiple_observation_with_combined_comparison(self): + stix_pattern = "([x-oca-asset:host_type = 'server' AND x-symantec-policy:name = 'default'] OR " \ + "[mac-addr:value = '11:aa:aa:11:11:11'])" \ + "START t'2024-05-01T01:56:00.000Z' STOP t'2024-05-01T01:57:00.003Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '(device_mac:"11\\:aa\\:aa\\:11\\:11\\:11" OR ' + 'device_networks.mac:"11\\:aa\\:aa\\:11\\:11\\:11" OR' + ' device_networks.gateway_mac:"11\\:aa\\:aa\\:11\\:11\\:11") OR ' + '((device_type:"server") AND (policy.name:"default"))', + 'start_date': '2024-05-01T01:56:00.000+00:00', 'end_date': '2024-05-01T01:57:00.003+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_combine_multiple_observation_with_same_date(self): + stix_pattern = "([(software:name IN ('Windows 10', 'iOS', 'Android')] OR " \ + "[(domain-name:value='internal.ec2.com')])START t'2024-01-01T01:56:00.000Z' " \ + "STOP t'2024-05-01T01:57:00.003Z'" + query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) + query['queries'] = _remove_timestamp_from_query(query['queries']) + queries = [{'feature_name': 'ALL', 'product': 'SAEP', + 'query': '(device_domain:"internal.ec2.com") OR ' + '(device_os_name:("Windows 10" OR "iOS" OR "Android"))', + 'start_date': '2024-01-01T01:56:00.000+00:00', 'end_date': '2024-05-01T01:57:00.003+00:00'}] + queries = _remove_timestamp_from_query(queries) + self._test_query_assertions(query, queries) + + def test_split_multiple_observation_OR_operator(self): + """This case is to test proper parenthesis for date, if observation are not enclosed, + split into 
2 queries
+ """
+ stix_pattern = "[x-oca-event:severity = 15] OR [x-oca-asset:host_type = 'server']" \
+ "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ query['queries'] = _remove_timestamp_from_query(query['queries'])
+ queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'severity_id:"1"',
+ 'start_date': '2024-05-16T03:18:59.120+00:00', 'end_date': '2024-05-16T03:23:59.120+00:00'},
+ {'feature_name': 'ALL', 'product': 'SAEP', 'query': 'device_type:"server"',
+ 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}]
+ queries = _remove_timestamp_from_query(queries)
+ self._test_query_assertions(query, queries)
+
+ def test_invalid_MATCHES_operator(self):
+ stix_pattern = "[user-account:is_privileged MATCHES 'true'] START t'2024-05-14T16:43:26.000Z' STOP " \
+ "t'2024-05-15T16:43:26.003Z'"
+ query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is query['success']
+ assert 'not_implemented' == query['code']
+ assert query['error'] == "symantec_endpoint_security connector error => wrong parameter : LIKE/MATCHES " \
+ "operator is not supported for this fields actor.user.is_admin,session.user.is_admin"
+
+ def test_invalid_int_input(self):
+ stix_pattern = "[process:pid = '123456789123'] START t'2024-02-15T16:43:26.000Z' STOP " \
+ "t'2024-05-14T16:43:26.003Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'not_implemented' == result['code']
+ assert result['error'] == 'symantec_endpoint_security connector error => wrong parameter : String type input' \
+ ' 123456789123 is not supported for integer type field'
+
+ def test_invalid_enum_value(self):
+ stix_pattern = "[x-oca-event:category = 'TEST'] START t'2024-05-15T16:43:26.000Z' STOP " \
+ 
"t'2024-05-16T16:43:26.003Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'not_implemented' == result['code']
+ assert result['error'] == "symantec_endpoint_security connector error => wrong parameter : Unsupported ENUM " \
+ "values provided. category_id possible supported enum values are " \
+ "'Security,Application Activity,System Activity'"
+
+ def test_invalid_timestamp(self):
+ stix_pattern = "[network-traffic:dst_port = 'symantec'] START t'Q000-01-01T01:56:00.000Z' " \
+ "STOP t'2024-01-01T01:57:00.003Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'translation_error' == result['code']
+ assert result['error'] == "symantec_endpoint_security connector error => STIX translation " \
+ "error: Invalid STIX timestamp None"
+
+ def test_invalid_mapping_value(self):
+ stix_pattern = "[file:type LIKE 'cmd.exe']START t'2024-05-01T01:56:00.000Z' STOP t'2024-05-06T01:57:00.003Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'mapping_error' == result['code']
+ assert result['error'] == "symantec_endpoint_security connector error => data mapping error : Unable to map " \
+ "the following STIX objects and properties: [\'file:type\'] to data source fields"
+
+ def test_severity_range(self):
+ stix_pattern = "[x-oca-event:severity = 200]START t'2024-05-01T01:56:00.000Z' STOP " \
+ "t'2024-05-06T01:57:00.003Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'not_implemented' == result['code']
+ assert result[
+ 'error'] == "symantec_endpoint_security connector error => wrong parameter : Severity allowed" \
+ " range from 0 to 100"
+
+ def test_not_supported_operators(self):
+ stix_pattern = 
"[network-traffic:dst_port ISSUBSET '445'] START t'2023-11-01T11:00:00.000Z' STOP " \
+ "t'2023-12-06T11:54:00.000Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'mapping_error' == result['code']
+ assert result['error'] == "symantec_endpoint_security connector error => data mapping error : Unable to map" \
+ " the following STIX Operators: [IsSubSet] to data source fields"
+
+ def test_invalid_like_values(self):
+ stix_pattern = "[user-account:user_id LIKE 'LOCAL SERVICE'] START t'2024-05-01T11:00:00.000Z' " \
+ "STOP t'2024-05-06T11:54:00.000Z'"
+ result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
+ assert False is result['success']
+ assert 'not_implemented' == result['code']
+ assert result['error'] == "symantec_endpoint_security connector error => wrong parameter : LIKE does not " \
+ "support on phrases, supports on single term. LOCAL SERVICE contains multiple terms"
diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py
new file mode 100644
index 000000000..41b20ce42
--- /dev/null
+++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py
@@ -0,0 +1,463 @@ +from stix_shifter_modules.symantec_endpoint_security.entry_point import EntryPoint +import unittest +from unittest.mock import patch +from stix_shifter.stix_transmission import stix_transmission +import json +from stix_shifter.stix_transmission.stix_transmission import run_in_thread +from tests.utils.async_utils import get_mock_response + + +class SymantecMockResponse: + """ class for symantec mock response""" + + def __init__(self, code, data, headers): + self.code = code + self.content = data + self.headers = headers + + def read(self): + return bytearray(self.content, 'utf-8') + + +class TestSymantecConnection(unittest.TestCase, object): + mocked_ping_response = { + "access_token": "eyJraWQiOiI3b9TCMsn_0AONWzahwHjHwSdyOq2NqDCcviaV-T5W2A5Bu5197Q", + "token_type": "Bearer", + "expires_in": 3600 + } + + mock_token_response = { + "access_token": "eyJraWQiOiI3b9TCMsn_0AONWzahwHjHwSdyOq2NqDCcviaV-T5W2A5Bu5197Q", + "token_type": "Bearer", + "expires_in": 3600 + } + + mocked_response = { + "total": 14952, + "events": [ + { + "device_os_type_id": 100, + "lineage": [ + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\wininit.exe" + ], + "feature_uid": "1DF0351C-146D-4F07-B155-BF5C7077FF40", + "type": "event_query_results", + "seq_num": 1, + "ref_uid": "1A45B466-EA3C-4101-A570-4FD3C19C51DD", + "legacy_product_uid": "ad66b334-9eb8-bf35-3f4e-f172b06200b0", + "id": 1, + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BD7B9", + "feature_name": "DETECTION_RESPONSE", + "device_group": "Default/TestEDRGroup", + "product_name": "Symantec Endpoint Security", + "version": "1.0.0", + "command_uid": "", + "device_ip": "1.1.1.1", + "device_vhost": 12, + "user_name": "SYSTEM", + "timezone": 0, + "device_domain": "WORKGROUP", + "product_ver": "14.3.10148.8000", + "device_name": "HOST_NAME", + "category_id": 5, + "device_networks": [ + { + "ipv4": "1.1.1.1", + "ipv6": "xx00:0000:0000:0000:000x:xx0x:0000:00x0", + "mac": "0x:0x:00:00:0x:00" + } + ], + 
"device_os_name": "Windows Server 2019 Datacenter Edition", + "type_id": 8001, + "actor": { + "session_id": 0, + "pid": 836, + "uid": "C03AA2F5-0907-F1EF-848A-EAEACDB378C2", + "tid": 5092, + "start_time": "2024-05-03T04:44:03.418Z", + "cmd_line": "C:\\Windows\\system32\\services.exe", + "integrity_id": 6, + "file": { + "type_id": 1, + "created": "2024-03-20T09:45:38.416Z", + "modified": "2024-03-20T09:45:38.447Z", + "md5": "0x000x0xx0x0000000x0xx00xxx0x00x00", + "sha2": "222e222c222b2b2222e2dd22d2df222222222cc2222222222ed22222b22d22b", + "size": 686968, + "signature_company_name": "Microsoft Windows Publisher", + "signature_value_ids": [ + 3, + 5 + ], + "security_descriptor": "O:BAG:SYD:(A;;0x1fffff;;;SY)(A;;0x121411;;;BA)S:AI", + "normalized_path": "CSIDL_SYSTEM\\services.exe", + "path": "c:\\windows\\system32\\services.exe", + "uid": "281474977475580", + "name": "services.exe", + "folder": "c:\\windows\\system32", + "original_name": "services.exe", + "signature_level_id": 60 + }, + "user": { + "name": "SYSTEM", + "sid": "X-1-1-11", + "domain": "NT AUTHORITY" + }, + "cmd_line_raw_length": 32 + }, + "device_mac": "1x:1x:11:11:1x:11", + "device_uid": "X4oOxiAoQO6SuZAfO6lm4Q", + "org_unit_uid": "_RE5UsoeSKSrteDkP3U2Mw", + "severity_id": 1, + "logging_device_post_time": "2024-05-03T04:55:21.550Z", + "device_time": "2024-05-03T04:55:21.553Z", + "process": { + "session_id": 0, + "pid": 4012, + "uid": "C03AACCB-0907-F1EF-848A-EAEACDB378C2", + "start_time": "2024-05-03T04:55:21.553Z", + "cmd_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc", + "integrity_id": 6, + "file": { + "type_id": 1, + "created": "2022-09-14T16:17:52.744Z", + "modified": "2022-09-14T16:17:52.744Z", + "md5": "1xx11x111xx11x1x11x11x11x1xx1111", + "sha2": "3x333xx333x3xxx333x33333333x3x33x33x333xxx3333x3xx3333x3333xxx3x", + "size": 51736, + "signature_company_name": "Microsoft Windows Publisher", + "signature_value_ids": [ + 3, + 5 + ], + "security_descriptor": 
"O:S-1-1-1-0-1894134G:SYD:" + "(A;;0x1fffff;;;S-1-1-1-0-1894134)(A;;0x1400;;;BA)S:AI", + "normalized_path": "CSIDL_SYSTEM\\svchost.exe", + "path": "c:\\windows\\system32\\svchost.exe", + "uid": "281474976968790", + "name": "svchost.exe", + "folder": "c:\\windows\\system32", + "original_name": "svchost.exe", + "signature_level_id": 60 + }, + "user": { + "name": "SYSTEM", + "sid": "S-1-1-11", + "domain": "NT AUTHORITY" + }, + "cmd_line_raw_length": 77 + }, + "edr_enriched_data": { + "category_name": "Process Launch", + "category_id": 2, + "event_group_id": "A3FA2AA2-B890-4074-814A-072F53BF83BF", + "suspicion_score": 0, + "rule_id": 1351, + "rule_name": "eGenericProcessLaunch", + "rule_description": "Generic process launch event" + }, + "feature_ver": "edr/1.3.0", + "event_data_type": "fdr", + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM", + "sid": "S-1-1-11" + }, + "device_os_ver": "10.0.17763", + "policy": { + "uid": "a7124b68-abc1-43a4-8e44-716fb1966646", + "name": "Default Detection and Response Policy", + "version": "1" + }, + "trans_event_raw_length": 3493, + "attacks": [ + { + "technique_uid": "T1569", + "technique_name": "System Services", + "tactic_ids": [ + 2 + ], + "tactic_uids": [ + "TA0002" + ], + "sub_technique_name": "Service Execution", + "sub_technique_uid": "T1569.002" + } + ], + "customer_uid": "IKhSB-yfRK2xeUR-xyCK2g", + "device_public_ip": "4.4.4.4", + "domain_uid": "B3dKzLSzR9CScPYAGhkgxA", + "time": "2024-05-03T04:55:21.553Z", + "log_time": "2024-05-03T04:56:19.400Z", + "uuid": "8001:587a2410-0909-11ef-deb7-0000061b19b4", + "indexDate": "2024-05-03", + "indexHash": "fdr_4_t2", + "log_name": "c1.fdr_4_t2_2024-05-03", + "es.mapping.id": "uuid", + "epochLogTime": 1714712179400, + "es.mapping.version": "epochLogTime" + } + ], + "next": 1001 + } + + replicated_data = [] + for _ in range(5): + replicated_data += mocked_response['events'] + mocked_response['events'] = replicated_data + invalid_query = {"message": "Invalid query. 
Search is not allowed on field 'Sdevice_location.desc'"} + + @staticmethod + def connection(): + """format for connection""" + return { + "host": "hostbla", + "port": 443 + } + + @staticmethod + def configuration(): + """format for configuration""" + return { + "auth": { + "oauth_credentials": "auth_token" + } + } + + def test_is_async(self): + """check for synchronous or asynchronous""" + entry_point = EntryPoint(self.connection(), self.configuration()) + check_async = entry_point.is_async() + assert check_async is False + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_get_ping_results(self, mock_ping_response): + """test ping connection""" + mock_ping_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + get_mock_response(200, json.dumps(TestSymantecConnection.mocked_ping_response), 'byte')] + entry_point = EntryPoint(self.connection(), self.configuration()) + ping_response = run_in_thread(entry_point.ping_connection) + assert ping_response is not None + assert ping_response['success'] is True + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_success_query_results(self, mock_result_response): + """ test success result response""" + query = "{\"feature_name\":\"ALL\",\"query\":\"uuid:4\\\:71f801e0-0905-11ef-f724-000001ce90c3\"," \ + " \"start_date\":\"2024-05-01T00:00:00.000+05:30\", \"end_date\": \"2024-05-09T03:00:00.000+05:30\"," \ + "\"product\":\"SAEP\",\"limit\":1}" + + mock_result_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte')] + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + 
self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is True + assert 'data' in result_response + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_success_query_results_pagination(self, mock_result_response): + """ test success pagination result response""" + query = "{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + mock_result_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte'), + get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte')] + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 10 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is True + assert 'data' in result_response + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_ping_invalid_host(self, mock_result_response): + """Test Invalid host for ping""" + mock_result_response.side_effect = Exception("client_connector_error") + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + ping_response = transmission.ping() + assert ping_response is not None + assert ping_response['success'] is False + assert "client_connector_error" in ping_response['error'] + assert ping_response['code'] == "service_unavailable" + 
+ @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_ping_invalid_url(self, mock_results_response): + """Test invalid host for ping""" + error = json.dumps({"fault": {"faultstring": "Unable to identify proxy for host: secure and " + "url: \\/v1\\/oauth2\\/token", + "detail": {"errorcode": "messaging.adaptors.http.flow.ApplicationNotFound"}}}) + mock_results_response.return_value = get_mock_response(404, error, 'byte') + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + ping_response = transmission.ping() + assert ping_response is not None + assert ping_response['success'] is False + assert ping_response['code'] == "service_unavailable" + assert "Unable to identify proxy for host" in ping_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_ping_invalid_auth(self, mock_results_response): + """Test invalid authentication for ping""" + error = json.dumps({"message": "No client_id found [M2ID.XuSKt5Q3Rb6wSujIS9Rh7Q.PJblnny1Q4G26epFnNsnWg." 
+ "201ol7b749n8446694c3hid7a7]"}) + mock_results_response.return_value = get_mock_response(401, error, 'byte') + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + ping_response = transmission.ping() + assert ping_response is not None + assert ping_response['success'] is False + assert ping_response['code'] == "authentication_fail" + assert "No client_id found" in ping_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_results_invalid_query(self, mock_result_response): + """Test invalid query for results""" + query = "{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + mock_result_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + get_mock_response(400, json.dumps(TestSymantecConnection.invalid_query), 'byte')] + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is False + assert result_response['code'] == "invalid_query" + assert 'Invalid query' in result_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_results_invalid_url(self, mock_results_response): + """Test invalid url for results""" + error = json.dumps({"fault": {"faultstring": "Unable to identify proxy for host: secure and" + " url: \\/v1\\/oauth2\\/token", + "detail": {"errorcode": "messaging.adaptors.http.flow.ApplicationNotFound"}}}) + query = 
"{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + + mock_results_response.return_value = get_mock_response(404, error, 'byte') + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is False + assert result_response['code'] == "service_unavailable" + assert 'Unable to identify proxy for host' in result_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_time_out_exception_for_results(self, mock_result_response): + """Test timeout exception for results""" + mock_result_response.side_effect = Exception("timeout_error") + query = "{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is False + assert 'error' in result_response + assert 'timeout_error' in result_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_server_time_out_exception_for_results(self, mock_result_response): + """Test timeout exception for results""" + mock_result_response.side_effect = Exception("server timeout_error (2 sec)") + query = "{\"feature_name\": 
\"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length) + assert result_response is not None + assert result_response['success'] is False + assert 'error' in result_response + assert 'server timeout_error (2 sec)' in result_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_time_out_exception_for_ping(self, mock_ping_response): + """Test timeout exception for ping""" + mock_ping_response.side_effect = Exception("timeout_error") + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + result_response = transmission.ping() + assert result_response is not None + assert result_response['success'] is False + assert 'error' in result_response + assert 'timeout_error' in result_response['error'] + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_success_query_with_metadata_parameter(self, mock_result_response): + """ test success result response with metadata parameter""" + metadata = { + "start_date": "2024-05-03T04:55:21.553Z", + "start_date_event_count": 1 + } + query = "{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + mock_result_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + 
get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte')] + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length, metadata) + assert result_response is not None + assert result_response['success'] is True + assert 'data' in result_response + + @patch('stix_shifter_utils.stix_transmission.utils.RestApiClientAsync.RestApiClientAsync.call_api') + def test_with_invalid_metadata_parameter(self, mock_result_response): + """ test invalid metadata parameter""" + metadata = {'mext_page': '123a'} + query = "{\"feature_name\": \"ALL\",\"product\": \"SAEP\", " \ + "\"query\": \"device_name:HOST_NAME\"," \ + "\"start_date\": \"2024-05-01T11:00:00.000+00:00\", \"end_date\": \"2024-05-13T04:00:00.000+00:00\"," \ + "\"limit\":1000, \"next\":1}" + mock_result_response.side_effect = [ + get_mock_response(200, json.dumps(TestSymantecConnection.mock_token_response), 'byte', + headers={'Authorization': "****"}), + get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte')] + transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), + self.configuration()) + offset = 0 + length = 1 + result_response = transmission.results(query, offset, length, metadata) + assert result_response is not None + assert result_response['success'] is False + assert "{'mext_page': '123a'}" in result_response['error'] + assert result_response['code'] == "unknown" From f65914dc748f4c1c7cb7c73c5a4323884ae53cca Mon Sep 17 00:00:00 2001 
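Review bot: `SymantecMockResponse` at the top of the new test module is never referenced — every test builds its responses with `get_mock_response` — so the class is dead code and should be dropped, together with the redundant `object` base in `class TestSymantecConnection(unittest.TestCase, object)`. `mocked_ping_response` and `mock_token_response` hold the same dict; keeping one fixture and reusing it in the `side_effect` lists would make the intent of each test clearer. The fixture `access_token` begins like a real JWT header, which tends to trip secret scanners on a public repository; an obviously synthetic value such as `"access_token": "test-token"` carries the same test value. A short comment above the `replicated_data` loop saying it pads `mocked_response['events']` to five copies for the pagination tests would also help, since the loop mutates the class-level fixture in place.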
From: Thangaraj Ramesh Date: Thu, 6 Jun 2024 15:08:20 +0000 Subject: [PATCH 2/4] Updated transmit code and minor code obfuscation fixes Minor updated to transmit metadata and small fixes for query with path --- .../symantec_endpoint_security/README.md | 4 +- .../stix_translation/query_constructor.py | 13 ++++-- .../stix_transmission/connector.py | 40 +++++-------------- .../test_symantec_json_to_stix.py | 20 +++++----- .../test_symantec_stix_to_query.py | 20 +++++----- .../test/stix_transmission/test_symantec.py | 6 +-- 6 files changed, 46 insertions(+), 57 deletions(-) diff --git a/stix_shifter_modules/symantec_endpoint_security/README.md b/stix_shifter_modules/symantec_endpoint_security/README.md index 40cb75789..0b56c3a99 100644 --- a/stix_shifter_modules/symantec_endpoint_security/README.md +++ b/stix_shifter_modules/symantec_endpoint_security/README.md @@ -695,4 +695,6 @@ symantec_endpoint_security | The name given to the policy. | x-symantec-policy:name | [x-symantec-policy:name = 'Default Detection and Response Policy'] | | The name of the kernel resource. | x-kernel-resource:name | [x-kernel-resource:name = 'Default name'] | | The type of the kernel resource. | x-kernel-resource:type_id | [x-kernel-resource:type_id = 'System call'] | -| The name of the peripheral device. | x-peripheral-device:name | [x-peripheral-device:name = 'keyboard'] | \ No newline at end of file +| The name of the peripheral device. | x-peripheral-device:name | [x-peripheral-device:name = 'keyboard'] | +| The command line used to launch the startup application, service, process or job. | process:command_line | [process:command_line = 'C:\\Windows\\system32\\services.exe']| +| The registry key object describes a Windows registry key. | windows-registry-key:key | [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\'] | \ No newline at end of file 
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py index b8df862ec..730565f67 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py @@ -102,7 +102,12 @@ def _format_match(comparator, value) -> str: :param value: (str) input value :return formatted value: (str) formatted value """ - value = QueryStringPatternTranslator._escape_value(value) + # Escape value as necessary first + value = value.replace('\\', '\\\\').replace('/', '\\/') + # Lucene regex anchors are not supported, remove ^ and $ + value = value[1:] if value.startswith('^') else value + value = value[:-1] if value.endswith('$') else value + return f'{comparator.replace("value", value)}' @staticmethod @@ -114,7 +119,7 @@ def _format_comparison(comparator, value) -> str: :return formatted value: (str) formatted value """ value = QueryStringPatternTranslator._escape_value(value) - return f'{comparator.replace("value", value)}' + return f'{comparator.replace("value", str(value))}' @staticmethod def _format_equal(comparator, value, field_type) -> str: @@ -135,7 +140,9 @@ def _escape_value(value): :param value: (str) input value :return formatted value: (str) formatted value """ - value = str(value).replace('/', '\\/').replace(':', '\\:') + if isinstance(value, str): + value = value.replace('/', '\\/').replace('\\', '\\\\').replace('\"', '\\"').replace('(', '\\(').replace(')', '\\)').replace(':', '\\:') + value = value.replace('-', '\\-') return value @staticmethod diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py index 5b0dc2a66..a2008c0f9 100644 
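Review bot: The new body of `_format_match` escapes only `\` and `/`, whereas `_escape_value` in the third hunk of this file also escapes `"`, `(`, `)`, `:` and `-`; if the MATCHES comparator template wraps `value` in quotes (the template is not visible here), an embedded `"` from a STIX pattern value terminates the quoted term early and the remainder is parsed as query syntax rather than as data. Consider keeping the regex-safe escaping in one shared helper so the two paths cannot drift, and note in the docstring that leading `^` and trailing `$` are stripped, e.g. `:note: leading '^' and trailing '$' are removed because Lucene regex anchors are unsupported`. `_format_match` starts outside the hunk.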
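Review bot: The replace chain in the new `_escape_value` escapes `/` before `\`, so the backslash it inserts for `/` is itself doubled on the next call: `'a/b'` becomes `a\\/b` instead of `a\/b`. Swap the first two calls so backslashes are handled first, as `_format_match` in this same commit already does: `value = value.replace('\\', '\\\\').replace('/', '\\/').replace('\"', '\\"').replace('(', '\\(').replace(')', '\\)').replace(':', '\\:')`. If the trailing `value = value.replace('-', '\\-')` sits outside the `isinstance` branch (indentation is not recoverable from this rendering), a non-string value would raise `AttributeError` there, so the indentation is worth confirming and a test with a `/` in the value would pin the escaping.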
--- a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py +++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py @@ -41,7 +41,8 @@ async def create_results_connection(self, query, offset, length, metadata=None): try: offset = int(offset) length = int(length) - start_index, end_index = self.get_start_end_index(offset, length, metadata) + start_index = offset + end_index = offset + length # Adjusting the end index if it exceeds the result limit. if self.api_client.result_limit < end_index: end_index = self.api_client.result_limit @@ -59,15 +60,14 @@ async def create_results_connection(self, query, offset, length, metadata=None): # Update query start_date and next values from metadata to get more than 10k results. if metadata: - self.update_query_from_metadata(query, metadata) - + self.update_query_from_metadata(query, offset, metadata) + is_query_start_date_updated = False while start_index < end_index: self.set_query_limit_value(query) response_wrapper = await self.api_client.get_search_results(query, token) response_dict, return_obj = self.handle_api_response(response_wrapper) if return_obj: return return_obj - length = self.get_length(offset, length, start_index, query['limit']) return_obj['success'] = True processed_data = response_dict['events'][:length] data += processed_data @@ -79,7 +79,8 @@ async def create_results_connection(self, query, offset, length, metadata=None): # If reached the limit of 10,000, resetting the start_date and next for query. if (offset + len(data) + metadata_event_count) % SYMANTEC_MAX_QUERY_RESULTS == 0 and processed_data: metadata = self.get_metadata(response_dict['events'][:length]) - self.update_query_from_metadata(query, metadata) + self.update_query_from_metadata(query, 0, metadata) + is_query_start_date_updated = True # if the current page results are not fully utilized or doesn't have a next page. if remaining_data or not response_dict.get('next'): 
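Review bot: With `get_length` removed, `processed_data = response_dict['events'][:length]` in the second hunk slices by the caller's original `length`, while `end_index` was capped to `self.api_client.result_limit` in the first hunk; unless the loop trims `data` elsewhere in `create_results_connection` (the rest of the body is outside the hunk), a request whose `offset + length` exceeds the result limit can return more events than the limit allows. Slicing by the remaining window instead, `processed_data = response_dict['events'][:end_index - start_index]`, would keep the two bounds consistent. A one-line comment above `is_query_start_date_updated = False` stating that it records whether the 10k-boundary reset happened, so the returned metadata is regenerated only in that case, would explain the flag added in the third hunk.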
@@ -89,7 +90,7 @@ async def create_results_connection(self, query, offset, length, metadata=None): return_obj = self.handle_data(data, return_obj) if metadata: # setting metadata with last event from the data to avoid duplicate events from next batch call - return_obj['metadata'] = self.get_metadata(data) + return_obj['metadata'] = self.get_metadata(data) if is_query_start_date_updated else metadata except Exception as ex: return_obj = self.handle_api_exception(None, str(ex)) @@ -183,16 +184,17 @@ def handle_data(data, return_obj): return return_obj @staticmethod - def update_query_from_metadata(query, metadata): + def update_query_from_metadata(query, offset, metadata): """ Update query 'start_date' and 'next' values from metadata. Skipping the event with the same time stamp by adding the 'start_date_event_count' from metadata. :param query, (dict) datasource query + param offset, int :param metadata, (dict) metadata with start data and count of the events with start data """ if metadata: if isinstance(metadata, dict) and metadata.get('start_date_event_count') and metadata.get('start_date'): - query['next'] = int(metadata.get('start_date_event_count', 0)) + query['next'] = offset % SYMANTEC_MAX_QUERY_RESULTS + int(metadata.get('start_date_event_count', 0)) query['start_date'] = metadata.get('start_date') else: # raise exception when metadata doesnt contain page_index and start_date 
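Review bot: The docstring line added for the new parameter of `update_query_from_metadata` does not follow the reST style of the surrounding lines; it should read `:param offset: (int) result offset requested by the caller, used to position 'next' within the current 10k window`. `int(metadata.get('start_date_event_count', 0))` still raises `ValueError` for a non-numeric caller-supplied count, and the broad `except Exception` in `create_results_connection` then reports the raw exception text, so validating the value and raising the same explicit error as the `else` branch would give a clearer message. `update_query_from_metadata` continues outside the hunk.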
@@ -259,28 +261,6 @@ def set_query_limit_value(self, query): else: query['limit'] = self.api_client.api_page_size - @staticmethod - def get_start_end_index(offset, length, metadata): - """ - start and end indexes - """ - start_index, end_index = offset, offset + length - if metadata: - start_index, end_index = 0, length - return start_index, end_index - - def get_length(self, offset, length, start_index, limit): - """ - Length of the results required, - resetting length value if required results is lesser than length provided - """ - results_length = length - if offset + limit > self.api_client.result_limit: - results_length = self.api_client.result_limit - offset - elif start_index + limit > self.api_client.result_limit: - results_length = self.api_client.result_limit - start_index - return results_length - @staticmethod def get_results_data(response): """ diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py index fd139cab1..719e2a9e3 100644 --- a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py @@ -187,7 +187,7 @@ "device_location": {"desc": "Default", "on_premises": False}, "device_time": 1714710446334, "feature_name": "AGENT_FRAMEWORK", - "feature_uid": "8CAC5E54-xxxxxxxx-5D956D1821E4", + "feature_uid": "1DF0351C-146D-4FFF-BBBB-BF5C7077FF40", "id": 4, "message": "Location changed. [Previous]: [Current]: Default", "message_id": "0x1207020E", 
@@ -208,19 +208,19 @@ "device_networks": [{"ipv4": "172.1.1.1", "ipv6": "fe80::1111:1111:1111:a6d7", "mac": "12:AA:AA:AA:AA:AA"}, {"ipv4": "192.1.1.1", "ipv6": "fe80::2222:2222:2222:22fd", "mac": "86:AA:AA:AA:AA:AA"}], "device_os_name": "Windows Server 2019 Datacenter Edition", - "device_uid": "9Texxxxx5Q", + "device_uid": "X4oOxiAoQO6SuZAfO6lm5Q", "org_unit_uid": "KKqxxxxxxxxxxxySg", "product_data": {"sep_domain_uid": "", "sep_hw_uid": "D47E4AAAAAAAAAAAAAE"}, "product_name": "Symantec Endpoint Security", - "product_uid": "31BAAAAAAAAAAAAAAAAAD7B9", + "product_uid": "31B0C880-0229-49E8-94C5-48D56B1BDCCC", "product_ver": "14.3.10148.8000", - "stic_hw_uid": "DB3AAAAAA-49AF-72A1-1169-AAAAAAAAD40", - "stic_uid": "19AAAAAA-999C-43CD-BFDF-AAAAAAAAAA8", + "stic_hw_uid": "DB3AAAAAA-49AF-72A1-1169-AAAAAAAAD420", + "stic_uid": "19AAAAAAA-999C-43CD-BFDF-AAAAAAAAAA81", "timezone": 0, "user_name": "Administrator", - "customer_uid": "IKxxx-xxxxxxxx-xyCK2g", + "customer_uid": "IKxxx-xxxxxxxxx-xyCK2g", "device_public_ip": "54.1.1.1", - "domain_uid": "B3dKxxxxxxxxkgxA", + "domain_uid": "B3dKxxxxxxxxkgxABBBBBB", "event_data_type": "sep", "user": {"name": "Administrator"}, "device_os_type_id": 100, 
@@ -286,14 +286,14 @@ "device_networks": [{"ipv4": "172.2.3.3", "ipv6": "fe80::3333:3333:3333:99d5", "mac": "0A:BB:BB:BB:BB:75"}, {"ipv4": "169.4.4.4", "ipv6": "fe80::4444:4444:4444:31cf", "mac": "86:CC:CC:CC:CC:89"}], "device_os_name": "Windows Server 2019 Datacenter Edition", - "device_uid": "X4oOxiXXXXXXXXXX4Q", "org_unit_uid": "_RE5UsXXXXXXMw", + "device_uid": "X4oOxiAoQO6SuZAfO6lm6Q", "org_unit_uid": "_RE5UsXXXXXXMw", "product_data": {"sep_domain_uid": "", "sep_hw_uid": "AD66B3BBBBBBBBBBBBBB200B0"}, "product_name": "Symantec Endpoint Security", "product_uid": "31B0AAAA-0229-49E8-94C5-48AAAAAAA7B9", "product_ver": "14.3.10148.8000", "stic_hw_uid": "9FBC61111-5BC6-E087-DC55-1411111111C5", "stic_uid": "92EE1111-2C77-4401-9A10-4911111111CE", "timezone": 0, - "customer_uid": "IKhSB-xxxxxxxx-xyxxxx", "device_public_ip": "10.1.1.1", - "domain_uid": "B3dxxxxxxxxgxA", + "customer_uid": "IKhSB-xxxxxxxxx-xyxxxx", "device_public_ip": "10.1.1.1", + "domain_uid": "B3dKxxxxxxxxkgxABBBBAA", "event_data_type": "sep", "user": {"name": "SYSTEM"}, "device_os_type_id": 100, "time": "2024-05-03T12:54:34Z", "end_time": "2024-05-03T12:54:34.000Z", "log_time": "2024-05-03T12:54:41.184Z", diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py index 63e8e6e1d..91bdaadd0 100644 --- a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py 
@@ -171,13 +171,13 @@ def test_directory_path(self): query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', - 'query': 'file.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' directory.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' actor.file.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' parent.file.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' process.file.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' module.folder:"C\\:\\users\\administrator\\local\\data" OR' - ' startup_app.file.folder:"C\\:\\users\\administrator\\local\\data"', + 'query': 'file.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' directory.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' actor.file.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' parent.file.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' process.file.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' module.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data" OR' + ' startup_app.file.folder:"C\\:\\\\users\\\\administrator\\\\local\\\\data"', 'start_date': '2024-05-01T00:00:00.000+00:00', 'end_date': '2024-05-01T11:00:00.000+00:00'}] queries = _remove_timestamp_from_query(queries) self._test_query_assertions(query, queries) 
@@ -503,7 +503,7 @@ def test_multiple_observation_with_combined_comparison(self): self._test_query_assertions(query, queries) def test_combine_multiple_observation_with_same_date(self): - stix_pattern = "([(software:name IN ('Windows 10', 'iOS', 'Android')] OR " \ + stix_pattern = "([software:name IN ('Windows 10', 'iOS', 'Android')] OR " \ "[(domain-name:value='internal.ec2.com')])START t'2024-01-01T01:56:00.000Z' " \ "STOP t'2024-05-01T01:57:00.003Z'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) @@ -559,8 +559,8 @@ def test_invalid_enum_value(self): "'Security,Application Activity,System Activity'" def test_invalid_timestamp(self): - stix_pattern = "[network-traffic:dst_port = 'symantec'] START t'Q000-01-01T01:56:00.000Z' " \ - "STOP t'2024-01-01T01:57:00.003Z'" + stix_pattern = "[network-traffic:dst_port = 'symantec'] " \ + "START t'Q000-01-01T01:56:00.000Z' STOP t'2024-01-01T01:57:00.003Z'" result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) assert False is result['success'] assert 'translation_error' == result['code'] diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py index 41b20ce42..a0208e1bf 100644 --- a/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py @@ -68,7 +68,7 @@ class TestSymantecConnection(unittest.TestCase, object): "mac": "0x:0x:00:00:0x:00" } ], - "device_os_name": "Windows Server 2019 Datacenter Edition", + "device_os_name": "", "type_id": 8001, "actor": { "session_id": 0, 
@@ -277,8 +277,8 @@ def test_success_query_results_pagination(self, mock_result_response): get_mock_response(200, json.dumps(TestSymantecConnection.mocked_response), 'byte')] transmission = stix_transmission.StixTransmission('symantec_endpoint_security', self.connection(), self.configuration()) - offset = 0 - length = 10 + offset = 9999 + length = 1 result_response = transmission.results(query, offset, length) assert result_response is not None assert result_response['success'] is True From 7b338824bc64fec455cdf3b3c8a48c398690d988 Mon Sep 17 00:00:00 2001 From: Thangaraj Ramesh Date: Tue, 25 Jun 2024 12:01:02 +0000 Subject: [PATCH 3/4] Updated with review comments Removed some extension from mapping and handled exception for invalid json response. --- .../symantec_endpoint_security/README.md | 3 ++- .../stix_translation/json/from_stix_map.json | 12 +++--------- .../json/stix_2_1/from_stix_map.json | 12 +++--------- .../json/stix_2_1/to_stix_map.json | 17 +++++++++++++---- .../stix_translation/json/to_stix_map.json | 17 +++++++++++++---- .../stix_transmission/connector.py | 8 +++++--- .../stix_transmission/error_mapper.py | 3 ++- 7 files changed, 41 insertions(+), 31 deletions(-) diff --git a/stix_shifter_modules/symantec_endpoint_security/README.md b/stix_shifter_modules/symantec_endpoint_security/README.md index 0b56c3a99..58f77c879 100644 --- a/stix_shifter_modules/symantec_endpoint_security/README.md +++ b/stix_shifter_modules/symantec_endpoint_security/README.md 
@@ -566,7 +566,8 @@ symantec_endpoint_security | List of dictionary fields | A list containing one or more dictionaries | "device_networks": [{"ipv4": "1.1.1.1", "ipv6": "xx22::2x2x:22xx:22xx:x2x2", "mac": "11:1X:XX:X1:11:X1" }, { "ipv4": "2.2.2.2", "ipv6": "xx11::1x1x:11xx:11xx:x1x1", "mac": "22:X2:22:X2:X2:22"}] | ### Observations -- The access token expires 60 minutes after being created. +- Attribute "x-oca-asset.host_type" mapped to data source attribute "device_type" is currently not + available for value "Server" in Symantec Endpoint Security client version (14.3 RU8) and may be available in future versions. ### Limitations - The maximum number of API calls for events is limited to 500 per hour. diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json index 5decd42ed..11e6434cb 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json @@ -2,7 +2,7 @@ "ipv4-addr": { "fields": { "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_public_ip", "device_networks.ipv4", "device_networks.gateway_ip"], - "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"] + "resolves_to_refs[*].value": ["device_mac", "device_networks.mac", "device_networks.gateway_mac"] } }, "ipv6-addr": { 
@@ -112,18 +112,12 @@ "fields": { "name": ["device_os_name"], "version": ["device_os_ver"], - "x_os_type": ["device_os_type_id"], - "x_cmd_line": ["startup_app.cmd_line"], - "x_start_type_id": ["startup_app.start_id"], - "x_config_path": ["config_path"] + "x_os_type": ["device_os_type_id"] } }, "url": { "fields": { - "value": ["url.text", "file.url.text"], - "x_url_host": ["url.host", "file.url.host", "connection.url.host"], - "x_url_path": ["url.path", "file.url.path", "connection.url.path"], - "x_url_port": ["url.port", "file.url.port", "connection.url.port"] + "value": ["url.text", "file.url.text", "connection.url.text"] } }, "domain-name": { diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json index 7a9c6e5df..aa9517992 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json @@ -2,7 +2,7 @@ "ipv4-addr": { "fields": { "value": ["device_ip", "connection.src_ip", "connection.dst_ip", "device_public_ip", "device_networks.ipv4", "device_networks.gateway_ip"], - "resolves_to_refs[*].value": ["device_mac", "device_networks.mac"] + "resolves_to_refs[*].value": ["device_mac", "device_networks.mac", "device_networks.gateway_mac"] } }, "ipv6-addr": { 
@@ -111,18 +111,12 @@ "fields": { "name": ["device_os_name"], "version": ["device_os_ver"], - "x_os_type": ["device_os_type_id"], - "x_cmd_line": ["startup_app.cmd_line"], - "x_start_type_id": ["startup_app.start_id"], - "x_config_path": ["config_path"] + "x_os_type": ["device_os_type_id"] } }, "url": { "fields": { - "value": ["url.text", "file.url.text"], - "x_url_host": ["url.host", "file.url.host", "connection.url.host"], - "x_url_path": ["url.path", "file.url.path", "connection.url.path"], - "x_url_port": ["url.port", "file.url.port", "connection.url.port"] + "value": ["url.text", "file.url.text", "connection.url.text"] } }, "domain-name": { diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json index dc5d857f8..d5dd4d0b0 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json @@ -214,10 +214,19 @@ ] } ], - "gateway_mac": { - "key": "mac-addr.value", - "object": "gateway_mac" - }, + "gateway_mac": [ + { + "key": "mac-addr.value", + "object": "gateway_mac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "gateway_ip", + "references": [ + "gateway_mac" + ] + } + ], "groupIpReference": { "key": "x-oca-asset.ip_refs", "object": "host", diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json index 5856dadae..b321fbca8 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json 
@@ -209,10 +209,19 @@ ] } ], - "gateway_mac": { - "key": "mac-addr.value", - "object": "gateway_mac" - }, + "gateway_mac": [ + { + "key": "mac-addr.value", + "object": "gateway_mac" + }, + { + "key": "ipv4-addr.resolves_to_refs", + "object": "gateway_ip", + "references": [ + "gateway_mac" + ] + } + ], "groupIpReference": { "key": "x-oca-asset.ip_refs", "object": "host", diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py index a2008c0f9..b32db88bb 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py +++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py @@ -59,8 +59,7 @@ async def create_results_connection(self, query, offset, length, metadata=None): query['next'] = offset # Update query start_date and next values from metadata to get more than 10k results. - if metadata: - self.update_query_from_metadata(query, offset, metadata) + self.update_query_from_metadata(query, offset, metadata) is_query_start_date_updated = False while start_index < end_index: self.set_query_limit_value(query) @@ -154,9 +153,12 @@ def handle_api_response(self, response_wrapper): """ response_dict = {} return_obj = {} + response = response_wrapper.read().decode('utf-8') - if response.startswith('{') and response.endswith('}'): + try: response_dict = json.loads(response) + except ValueError as e: + response_dict['message'] = response if response_wrapper.code != 200: response_dict['message'] = response_dict.get('message', '') diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py index 8afa1d3c5..99c0d2757 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py 
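Review bot: Dropping the `if metadata:` guard means `self.update_query_from_metadata(query, offset, metadata)` now runs with `metadata=None` on the first results call; unless that method already tolerates None (its body is not in this diff), the first page request fails before the paging loop starts. If the method is meant to handle the None case itself, make that explicit at the call site with a comment such as `# metadata is None on the first page; update_query_from_metadata must be a no-op then`. create_results_connection starts and ends outside the hunk.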
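Review bot: The new `try` accepts any valid JSON document, not only an object, so a body such as `[]` or `"text"` parses without error and the following `response_dict.get('message', '')` raises AttributeError; the removed brace check at least guaranteed a dict. Guard the parsed type, e.g. `if not isinstance(response_dict, dict): response_dict = {'message': response}`, and drop the unused binding with `except ValueError:` (json.JSONDecodeError is a ValueError subclass, so the clause itself is fine). Storing the raw body in `message` when it is not JSON carries whatever the server or an intermediary returned (HTML error pages, proxy banners) into the error path, so consider truncating it before it is surfaced. handle_api_response continues outside the hunk.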
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py @@ -8,7 +8,8 @@ 403: ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR, 404: ErrorCode.TRANSMISSION_CONNECT, 408: ErrorCode.TRANSMISSION_CONNECT, - 500: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE + 500: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE, + 503: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE } From b077649c20e963b335a520e3df361e0187f0b148 Mon Sep 17 00:00:00 2001 From: Thangaraj Ramesh Date: Fri, 28 Jun 2024 15:33:31 +0000 Subject: [PATCH 4/4] Updated code as per review comments Updated code as per review comments: - x509-certificate stix object added for signature related fields. - Added custom messages for error handling. --- .../symantec_events_16052024.json | 410 ++++++++++++++++++ .../symantec_endpoint_security/README.md | 24 +- .../stix_translation/json/from_stix_map.json | 24 +- .../json/stix_2_1/from_stix_map.json | 24 +- .../json/stix_2_1/to_stix_map.json | 368 +++++++++------- .../stix_translation/json/to_stix_map.json | 368 +++++++++------- .../stix_translation/query_constructor.py | 25 ++ .../stix_translation/transformers.py | 16 + .../stix_transmission/connector.py | 67 ++- .../stix_transmission/error_mapper.py | 3 +- .../symantec_supported_stix.md | 127 +++--- .../test_symantec_json_to_stix.py | 23 +- .../test_symantec_stix_to_query.py | 112 ++--- .../test/stix_transmission/test_symantec.py | 8 +- 14 files changed, 1108 insertions(+), 491 deletions(-) create mode 100644 data/cybox/symantec_endpoint_security/symantec_events_16052024.json diff --git a/data/cybox/symantec_endpoint_security/symantec_events_16052024.json b/data/cybox/symantec_endpoint_security/symantec_events_16052024.json new file mode 100644 index 000000000..a309a1abf --- /dev/null +++ b/data/cybox/symantec_endpoint_security/symantec_events_16052024.json 
@@ -0,0 +1,410 @@ +{ + "type": "bundle", + "id": "bundle--4be73729-74d1-4079-8679-0096a4fae7da", + "objects": [ + { + "type": "identity", + "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "name": "Symantec Endpoint Security", + "identity_class": "events", + "created": "2023-04-11T16:11:11.878Z", + "modified": "2023-04-11T16:11:11.878Z" + }, + { + "id": "observed-data--2a3a92d8-76bb-4770-a550-e5b48b460522", + "type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2024-05-17T05:39:31.397Z", + "modified": "2024-05-17T05:39:31.397Z", + "objects": { + "0": { + "type": "x-oca-event", + "category": "Application Activity", + "x_feature_name": "AGENT_FRAMEWORK", + "outcome": "Allowed", + "description": "An update for Virus and Spyware Definitions SDS Win64 (Reduced) from LiveUpdate was successfully installed. The new sequence number is 240502019.\r\n\r\nContent was downloaded from HTTPS://liveupdate.symantecliveupdate.com/1714698245jtun_emtsepn64c3sdsencful.7z.", + "severity": 16, + "x_event_status": "Success", + "action": "UPDATE", + "x_event_type": 3, + "x_event_type_version": "1.0", + "host_ref": "2", + "provider": "Symantec Endpoint Security", + "x_provider_version": "14.3.10148.8000", + "timezone": 0, + "user_ref": "11", + "created": "2024-05-03T04:28:27.634Z", + "code": "3:9681a520-0905-11ef-c338-000001ce90c9" + }, + "1": { + "type": "ipv4-addr", + "value": "10.10.10.10", + "resolves_to_refs": [ + "5" + ] + }, + "2": { + "type": "x-oca-asset", + "ip_refs": [ + "1", + "10" + ], + "geo_ref": "3", + "x_host_group": "Default/TestDevGroup", + "hostname": "HOST_NAME", + "mac_refs": [ + "5", + "8" + ], + "os_ref": "9" + }, + "3": { + "type": "x-oca-geo", + "name": "Default", + "x_is_on_premises": false + }, + "4": { + "type": "ipv6-addr", + "value": "fe00::0d0d:00cf:00ba:a0d0", + "resolves_to_refs": [ + "5" + ] + }, + "5": { + "type": "mac-addr", + "value": "00:0a:de:e0:00:e0" + }, + "6": { + "type": 
"ipv4-addr", + "value": "20.20.20.20", + "resolves_to_refs": [ + "8" + ] + }, + "7": { + "type": "ipv6-addr", + "value": "fe00::00c0:e0ad:00f0:00fd", + "resolves_to_refs": [ + "8" + ] + }, + "8": { + "type": "mac-addr", + "value": "00:c0:00:b0:c0:00" + }, + "9": { + "type": "software", + "name": "Windows Server 2019 Datacenter Edition", + "x_os_type": "Windows" + }, + "10": { + "type": "ipv4-addr", + "value": "44.44.44.44" + }, + "11": { + "type": "user-account", + "user_id": "Administrator" + } + }, + "last_observed": "2024-05-03T04:28:27.634Z", + "first_observed": "2024-05-03T04:28:27.634Z", + "number_observed": 1 + }, + { + "id": "observed-data--70072127-5726-473d-9380-a9b1ff2f33a6", + "type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2024-06-27T09:44:24.987Z", + "modified": "2024-06-27T09:44:24.987Z", + "objects": { + "0": { + "type": "x-oca-event", + "category": "Security", + "x_feature_name": "MALWARE_PROTECTION", + "file_ref": "4", + "outcome": "Quarantined", + "x_policy_ref": "8", + "severity": 16, + "action": "HOST_FILE_DETECTION", + "x_event_type": 8031, + "x_event_type_version": "1.0", + "host_ref": "2", + "provider": "Symantec Endpoint Security", + "x_provider_version": "14.3.10148.8000", + "timezone": 0, + "user_ref": "18", + "created": "2024-05-03T12:54:34.000Z", + "code": "8031:4a456100-094c-11ef-c4f3-0000029ebed4" + }, + "1": { + "type": "ipv4-addr", + "value": "10.10.10.10", + "resolves_to_refs": [ + "12" + ] + }, + "2": { + "type": "x-oca-asset", + "ip_refs": [ + "1", + "17" + ], + "geo_ref": "3", + "domain_ref": "10", + "x_host_group": "Default/TestEDRGroup", + "hostname": "AMAZ-XXXXXX", + "mac_refs": [ + "12", + "15" + ], + "os_ref": "16" + }, + "3": { + "type": "x-oca-geo", + "name": "Default", + "x_is_on_premises": false + }, + "4": { + "type": "file", + "x_family_type": "Executable", + "parent_directory_ref": "5", + "name": "SimulatorSetup.exe", + "x_rep_score": -105, + "hashes": { + 
"SHA-256": "de00a0e00000005375dc1ac000006066000d9ffc7d73628ef4fe1b1b000ab00c" + }, + "x_certificate_ref": "7", + "size": 181872248, + "x_file_type": "File", + "x_file_version": "2.4.1.2" + }, + "5": { + "type": "directory", + "path": "C:\\Users\\Administrator\\Downloads\\Ransom App" + }, + "7": { + "type": "x509-certificate", + "x_signature_company_name": "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "validity_not_before": "2023-02-27T09:32:56.000Z", + "hashes": { + "sha1": "21AA32614C2BE32AAA9E2056CAA28CAB5A7AAAAA" + }, + "issuer": "knowbe4 inc.", + "serial_number": "0E44DA59C6985D40A6000C9D9AAAAAAA", + "x_signature_value": 1099520606215, + "x_signature_value_ids": [ + 1, + 2, + 3, + 17, + 20 + ] + }, + "8": { + "type": "x-symantec-policy", + "name": "Default Antimalware Policy", + "rule_category": 1, + "version": "1" + }, + "9": { + "type": "x-ibm-finding", + "x_policy_ref": "8", + "finding_type": "threat", + "alert_id": 42878, + "name": "Trojan.Gen.MBT", + "severity": 100, + "x_threat_type_id": "Malware" + }, + "10": { + "type": "domain-name", + "value": "workgroup" + }, + "11": { + "type": "ipv6-addr", + "value": "fe80::3333:3333:3333:99d5", + "resolves_to_refs": [ + "12" + ] + }, + "12": { + "type": "mac-addr", + "value": "0a:bb:bb:bb:bb:75" + }, + "13": { + "type": "ipv4-addr", + "value": "4.4.4.4", + "resolves_to_refs": [ + "15" + ] + }, + "14": { + "type": "ipv6-addr", + "value": "fe80::4444:4444:4444:31cf", + "resolves_to_refs": [ + "15" + ] + }, + "15": { + "type": "mac-addr", + "value": "86:cc:cc:cc:cc:89" + }, + "16": { + "type": "software", + "name": "Windows Server 2019 Datacenter Edition", + "x_os_type": "Windows" + }, + "17": { + "type": "ipv4-addr", + "value": "10.1.1.1" + }, + "18": { + "type": "user-account", + "user_id": "SYSTEM" + } + }, + "number_observed": 1, + "last_observed": "2024-05-03T12:54:34.000Z", + "first_observed": "2024-05-03T12:54:34.000Z" + }, + { + "id": "observed-data--6699deed-268e-456f-a8c4-aa24660dc77b", + 
"type": "observed-data", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2024-05-17T05:39:31.443Z", + "modified": "2024-05-17T05:39:31.443Z", + "objects": { + "0": { + "type": "software", + "x_os_type": "Windows", + "name": "Windows Server 2019 Datacenter Edition", + "version": "10.0.17763" + }, + "1": { + "type": "x-oca-event", + "action": "event_query_results", + "outcome": "Logged", + "x_feature_name": "DETECTION_RESPONSE", + "provider": "Symantec Endpoint Security", + "x_event_type_version": "1.0.0", + "timezone": 0, + "x_provider_version": "14.3.10148.8000", + "host_ref": "2", + "category": "System Activity", + "x_event_type": 8018, + "process_ref": "6", + "file_ref": "7", + "severity": 16, + "user_ref": "10", + "x_policy_ref": "11", + "x_event_data": "{ $_.DeviceID -eq 'XENBUS\\VEN_XS0001&DEV_VBD&REV_00000001\\_' -or $_.DeviceClass -eq 'Net' -and ( $_.Manufacturer -like 'Intel*' -or $_.Manufacturer -eq 'Citrix Systems, Inc.' -or $_.Manufacturer -eq 'Amazon Inc.' -or $_.Manufacturer -eq 'Amazon Web Services, Inc.' 
)}", + "created": "2024-05-09T03:46:52.529Z", + "code": "8018:c5c95610-0db6-11ef-cede-00002e029b7b" + }, + "2": { + "type": "x-oca-asset", + "x_host_group": "Default/TestEDRGroup", + "ip_refs": [ + "3", + "15" + ], + "hostname": "HOST_NAME", + "mac_refs": [ + "5" + ], + "os_ref": "0" + }, + "3": { + "type": "ipv4-addr", + "value": "10.10.10.10", + "resolves_to_refs": [ + "5" + ] + }, + "4": { + "type": "ipv6-addr", + "value": "fe00:0000:0000:0000:000f:df0a:0000:00d0", + "resolves_to_refs": [ + "5" + ] + }, + "5": { + "type": "mac-addr", + "value": "0a:0f:00:00:0c:00" + }, + "6": { + "type": "process", + "name": "PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.17763.1", + "pid": 3148, + "x_process_uid": "A477490A-0DB6-F1EF-848E-EAEACDB378C2", + "x_process_tid": 3592, + "created": "2024-05-09T03:46:48.154Z", + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceID -eq 'XENBUS\\VEN_XS0001&DEV_VBD&REV_00000001\\_' -or $_.DeviceClass -eq 'Net' -and ( $_.Manufacturer -like 'Intel*' -or $_.Manufacturer -eq 'Citrix Systems, Inc.' -or $_.Manufacturer -eq 'Amazon Inc.' -or $_.Manufacturer -eq 'Amazon Web Services, Inc.' 
)}\" \"| Select-Object\" \"Description, DriverVersion\" \"| ConvertTo-Json -Depth 3\"", + "binary_ref": "7", + "creator_user_ref": "9" + }, + "7": { + "type": "file", + "x_file_type": "File", + "created": "2018-09-15T07:14:14.454Z", + "modified": "2018-09-15T07:14:14.454Z", + "hashes": { + "MD5": "0000f60b1000074eb17c0f4dddefe000", + "SHA-256": "de00a0e00000005375dc1ac000006066000d9ffc7d73628ef4fe1b1b000ab00c" + }, + "size": 448000, + "name": "powershell.exe", + "parent_directory_ref": "8" + }, + "8": { + "type": "directory", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "9": { + "type": "user-account", + "user_id": "SYSTEM", + "x_user_sid": "S-1-1-11", + "x_user_domain": "NT AUTHORITY" + }, + "10": { + "type": "user-account", + "user_id": "SYSTEM" + }, + "11": { + "type": "x-symantec-policy", + "name": "Default Detection and Response Policy", + "version": "1" + }, + "13": { + "type": "x-ibm-ttp-tagging", + "extensions": { + "mitre-attack-ext": { + "technique_id": "T1059", + "technique_name": "Command and Scripting Interpreter", + "tactic_id": "TA0002" + } + }, + "name": "Command and Scripting Interpreter" + }, + "14": { + "type": "x-ibm-ttp-tagging", + "extensions": { + "mitre-attack-ext": { + "technique_id": "T1059", + "technique_name": "Command and Scripting Interpreter", + "tactic_id": "TA0002" + } + }, + "name": "Command and Scripting Interpreter" + }, + "15": { + "type": "ipv4-addr", + "value": "44.44.44.44" + } + }, + "last_observed": "2024-05-09T03:46:52.529Z", + "first_observed": "2024-05-09T03:46:52.529Z", + "number_observed": 1 + } + ], + "spec_version": "2.0" +} \ No newline at end of file diff --git a/stix_shifter_modules/symantec_endpoint_security/README.md b/stix_shifter_modules/symantec_endpoint_security/README.md index 58f77c879..7c474e020 100644 --- a/stix_shifter_modules/symantec_endpoint_security/README.md +++ b/stix_shifter_modules/symantec_endpoint_security/README.md 
@@ -143,19 +143,13 @@ transmit symantec_endpoint_security "{\"host\":\"api.sep.securitycloud.symantec. "md5": "4dd18f001ac31d5f48f50f99e4aa1761", "sha2": "2b105fb111b1bcd111b1111111b3a11c60b111eef1111d3bb0099e1111aaf6b", "size": 51736, - "signature_company_name": "Microsoft Windows Publisher", - "signature_value_ids": [ - 3, - 5 - ], "security_descriptor": "O:S-1-5-5-0-11111G:SYD:(A;;0x1fffff;;;S-1-5-5-0-71241)(A;;0x1400;;;BA)S:AI", "normalized_path": "CSIDL_SYSTEM\\svchost.exe", "path": "c:\\windows\\system32\\svchost.exe", "uid": "281474976968790", "name": "svchost.exe", "folder": "c:\\windows\\system32", - "original_name": "svchost.exe", - "signature_level_id": 60 + "original_name": "svchost.exe" }, "user": { "name": "SYSTEM", @@ -273,7 +267,7 @@ transmit symantec_endpoint_security "{\"host\":\"api.sep.securitycloud.symantec. "type": "x-oca-event", "action": "event_query_results", "outcome": "Command Script Run", - "agent": "DETECTION_RESPONSE", + "x_feature_name": "DETECTION_RESPONSE", "provider": "Symantec Endpoint Security", "x_event_type_version": "1.0.0", "timezone": 0, @@ -316,7 +310,7 @@ transmit symantec_endpoint_security "{\"host\":\"api.sep.securitycloud.symantec. "6": { "type": "process", "pid": 1880, - "x_thread_id": 1132, + "x_process_tid": 1132, "created": "2024-05-03T04:44:04.920Z", "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", "binary_ref": "7", @@ -332,14 +326,8 @@ transmit symantec_endpoint_security "{\"host\":\"api.sep.securitycloud.symantec. "SHA-256": "2b105fb111b1bcd111b1111111b3a11c60b111eef1111d3bb0099e1111aaf6b" }, "size": 51736, - "x_signature_company_name": "Microsoft Windows Publisher", - "x_signature_value_ids": [ - 3, - 5 - ], "name": "svchost.exe", - "parent_directory_ref": "8", - "x_signature_level_id": 60 + "parent_directory_ref": "8" }, "8": { "type": "directory", 
@@ -459,7 +447,7 @@ symantec_endpoint_security "category": "Security", "host_ref": "2", "duration": 0, - "agent": "MALWARE_PROTECTION", + "x_feature_name": "MALWARE_PROTECTION", "outcome": "Blocked", "description": "Scan started on selected drives and folders and all extensions.", "x_policy_ref": "5", @@ -682,7 +670,7 @@ symantec_endpoint_security | Description | STIX Pattern | Sample Values | | --- | --- | --- | | Network Connection Direction | network-traffic:x_direction | [network-traffic:x_direction = 'Inbound'] | -| The Identifier of the thread associated with the event, as returned by the operating system. | process:x_thread_id | [process:x_thread_id = 1234] | +| The Identifier of the thread associated with the event, as returned by the operating system. | process:x_process_tid | [process:x_process_tid = 1234] | | The user security identifier (SID). | user-account:x_sid | [user-account:x_sid = 'S-1-1-11'] | | The file type. | file:x_type | [file:x_type = 'Directory'] | | The company name on the certificate that signed the file.. | file:x_signature_company_name | [file:x_signature_company_name LIKE 'Amazon'] | diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json index 11e6434cb..41273c3ae 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/from_stix_map.json 
@@ -34,8 +34,8 @@ "command_line": ["actor.cmd_line","process.cmd_line", "parent.cmd_line", "startup_app.cmd_line"], "name": ["actor.app_name", "process.app_name", "parent.app_name"], "created": ["actor.start_time", "process.start_time", "parent.start_time"], - "x_thread_id": ["actor.tid", "process.tid"], - "x_proc_uid": ["actor.uid", "process.uid", "parent.uid"], + "x_process_tid": ["actor.tid", "process.tid"], + "x_process_uid": ["actor.uid", "process.uid", "parent.uid"], "creator_user_ref.user_id": ["actor.user.name", "process.user.name"], "creator_user_ref.account_login": ["actor.user.logon_name"], "binary_ref.name": ["actor.file.name", "process.file.name", "parent.file.name", "startup_app.file.name"], 
@@ -70,15 +70,19 @@ "x_rep_score": ["file.rep_score"], "x_file_version": ["file.version"], "x_open_mode": ["open_mode"], - "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"], - "x_signature_created_date": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"], - "x_signature_fingerprints.algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", "process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"], - "x_signature_issuer": ["actor.file.signature_issuer"], + "x_content_type": ["file.content_type.type_id"] + } + }, + "x509-certificate": { + "fields": { + "issuer": ["actor.file.signature_issuer"], + "serial_number": ["actor.file.signature_serial_number"], + "validity_not_before": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"], + "signature_algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", 
"process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"], "x_signature_level_id": ["actor.file.signature_level_id", "file.signature_level_id", "parent.file.signature_level_id", "process.file.signature_level_id", "directory.signature_level_id", "startup_app.file.signature_level_id"], - "x_signature_serial_number": ["actor.file.signature_serial_number"], + "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"], "x_signature_value": ["actor.file.signature_value"], - "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"], - "x_content_type": ["file.content_type.type_id"] + "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"] } }, "directory": { @@ -133,7 +137,7 @@ "action": ["type"], "description": ["message"], "provider": ["product_name"], - "agent": ["feature_name"], + "x_feature_name": ["feature_name"], "outcome": ["id"], "created": ["time"], "x_event_status": ["status_id"], diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json index aa9517992..0c23067b9 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/from_stix_map.json 
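Review bot: `x509-certificate:signature_algorithm` is mapped to the `*.signature_fingerprints.algorithm` fields, but the to-STIX side of this same patch turns `signature_fingerprints` into `x509-certificate.hashes` (via ToAlgorithmHashes), so a fingerprint hash algorithm is queried as the certificate's signature algorithm and the two directions do not round-trip through the same STIX property. Likewise `validity_not_before` is fed from `signature_created_date`, which appears to be when the signature was made rather than the start of the certificate's validity period; if the data source exposes no validity dates, a custom property such as `x_signature_created_date` under x509-certificate would avoid asserting a validity window the event does not carry. The same mapping appears in the stix_2_1 from_stix_map.json hunk (@@ -69) in this commit.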
@@ -33,8 +33,8 @@ "pid": ["actor.pid", "process.pid", "parent.pid"], "command_line": ["actor.cmd_line","process.cmd_line", "parent.cmd_line", "startup_app.cmd_line"], "created_time": ["actor.start_time", "process.start_time", "parent.start_time"], - "x_thread_id": ["actor.tid", "process.tid"], - "x_proc_uid": ["actor.uid", "process.uid", "parent.uid"], + "x_process_tid": ["actor.tid", "process.tid"], + "x_process_uid": ["actor.uid", "process.uid", "parent.uid"], "creator_user_ref.user_id": ["actor.user.name", "process.user.name"], "creator_user_ref.account_login": ["actor.user.logon_name"], "image_ref.name": ["actor.file.name", "process.file.name", "parent.file.name", "startup_app.file.name"], 
@@ -69,15 +69,19 @@ "x_rep_score": ["file.rep_score"], "x_file_version": ["file.version"], "x_open_mode": ["open_mode"], - "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"], - "x_signature_created_date": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"], - "x_signature_fingerprints.algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", "process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"], - "x_signature_issuer": ["actor.file.signature_issuer"], + "x_content_type": ["file.content_type.type_id"] + } + }, + "x509-certificate": { + "fields": { + "issuer": ["actor.file.signature_issuer"], + "serial_number": ["actor.file.signature_serial_number"], + "validity_not_before": ["actor.file.signature_created_date", "actor.module.signature_created_date", "file.signature_created_date", "parent.signature_created_date", "process.signature_created_date", "directory.signature_created_date", "startup_app.file.signature_created_date"], + "signature_algorithm": ["actor.file.signature_fingerprints.algorithm", "actor.module.signature_fingerprints.algorithm", "file.signature_fingerprints.algorithm", "module.signature_fingerprints.algorithm", "parent.file.signature_fingerprints.algorithm", "parent.module.signature_fingerprints.algorithm", 
"process.file.signature_fingerprints.algorithm", "process.module.signature_fingerprints.algorithm", "directory.signature_fingerprints.algorithm", "startup_app.file.signature_fingerprints.algorithm"], "x_signature_level_id": ["actor.file.signature_level_id", "file.signature_level_id", "parent.file.signature_level_id", "process.file.signature_level_id", "directory.signature_level_id", "startup_app.file.signature_level_id"], - "x_signature_serial_number": ["actor.file.signature_serial_number"], + "x_signature_company_name": ["actor.file.signature_company_name", "file.signature_company_name", "module.signature_company_name", "parent.file.signature_company_name", "process.file.signature_company_name"], "x_signature_value": ["actor.file.signature_value"], - "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"], - "x_content_type": ["file.content_type.type_id"] + "x_signature_value_ids": ["actor.file.signature_value_ids", "process.file.signature_value_ids", "startup_app.file.signature_value_ids"] } }, "directory": { @@ -132,7 +136,7 @@ "x_action": ["type"], "description": ["message"], "provider": ["product_name"], - "agent": ["feature_name"], + "x_feature_name": ["feature_name"], "outcome": ["id"], "created": ["time"], "x_event_status": ["status_id"], diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json index d5dd4d0b0..49b7b6b79 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/stix_2_1/to_stix_map.json @@ -14,7 +14,7 @@ "transformer": "ToCategoryValue" }, "feature_name": { - "key": "x-oca-event.agent", + "key": "x-oca-event.x_feature_name", "object": "event" }, "time": [ 
@@ -694,39 +694,48 @@ "key": "file.mime_type", "object": "file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509", + "transformer": "ToFormatMac" + }, + { + "key": "file.x_certificate_ref", + "object": "file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
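Review bot: Every file-type object in this map now writes its signature fields into the same observable name, `"object": "x509"` — `file` in this hunk, then `directory`, `actor_file`, `module_dll`, `process_file`, `parent_proc_file`, `module` and `app_file` in the hunks through L221, and the same sequence again in json/to_stix_map.json at L222–L229 — and the `object` name is what groups mapped properties into one observable, so when a record carries several signed files (a process file and its parent's file, say) their issuer, serial number and hashes are merged into a single x509-certificate, the last file processed wins, and every `file.x_certificate_ref` points at that one object, which can attribute the parent's signer to the child. Give each file object its own certificate name, e.g. `"object": "x509_process_file"`, and use that name in the matching `"references"` of its `x_certificate_ref` entry. Separately, the `file` and `module_dll` `signature_issuer` entries (here, L217, L222 and L225) carry `"transformer": "ToFormatMac"` while the other six file objects do not; a MAC-address formatter on an issuer distinguished name looks like a copy-paste leftover and should be removed unless it is intentional.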
@@ -839,39 +848,47 @@ "key": "file.mime_type", "object": "directory" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "directory" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "directory", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "directory" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "directory" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "directory" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "process_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "directory", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "directory" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "directory" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -921,11 +938,11 @@ "object": "actor" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "actor" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "actor" }, "user": { 
@@ -1041,39 +1058,47 @@ "key": "file.mime_type", "object": "actor_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "actor_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "actor_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "actor_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "actor_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "actor_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "actor_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "actor_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "actor_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "actor_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -1153,39 +1178,48 @@ "references": "module_dll_dir" } ], - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "module_dll" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509", + "transformer": "ToFormatMac" + }, + { + "key": "file.x_certificate_ref", + "object": "module_dll", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "module_dll" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "module_dll" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "module_dll" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "module_dll", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "module_dll", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "module_dll" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "module_dll" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -1286,11 +1320,11 @@ "object": "process" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "process" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "process" }, "user": { 
@@ -1401,39 +1435,47 @@ "key": "file.mime_type", "object": "process_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "process_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "process_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "process_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "process_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "process_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "process_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "process_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "process_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "process_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -1480,11 +1522,11 @@ "object": "parent_proc" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "parent_proc" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "parent_proc" }, "user": { 
@@ -1595,39 +1637,47 @@ "key": "file.mime_type", "object": "parent_proc_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "parent_proc_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "parent_proc_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "parent_proc_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "parent_proc_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "parent_proc_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "parent_proc_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -2233,39 +2283,47 @@ "references": "module_dir" } ], - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "module" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "module", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "module" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "module" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "module" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "module", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "module", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "module" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "module" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -2419,39 +2477,47 @@ "key": "file.mime_type", "object": "app_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "app_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "app_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "app_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "app_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "app_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "app_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "app_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "app_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "app_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json index b321fbca8..476d36677 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/json/to_stix_map.json 
@@ -14,7 +14,7 @@ "transformer": "ToCategoryValue" }, "feature_name": { - "key": "x-oca-event.agent", + "key": "x-oca-event.x_feature_name", "object": "event" }, "time": [ @@ -689,39 +689,48 @@ "key": "file.mime_type", "object": "file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509", + "transformer": "ToFormatMac" + }, + { + "key": "file.x_certificate_ref", + "object": "file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -834,39 +843,47 @@ "key": "file.mime_type", "object": "directory" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "directory" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "directory", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "directory" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "directory" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "directory" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "process_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "directory", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "directory" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "directory" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -920,11 +937,11 @@ "object": "actor" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "actor" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "actor" }, "user": { 
@@ -1040,39 +1057,47 @@ "key": "file.mime_type", "object": "actor_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "actor_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "actor_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "actor_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "actor_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "actor_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "actor_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "actor_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "actor_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "actor_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -1152,39 +1177,48 @@ "references": "module_dll_dir" } ], - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "module_dll" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509", + "transformer": "ToFormatMac" + }, + { + "key": "file.x_certificate_ref", + "object": "module_dll", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "module_dll" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "module_dll" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "module_dll" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "module_dll", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "module_dll", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "module_dll" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "module_dll" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -1289,11 +1323,11 @@ "object": "process" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "process" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "process" }, "user": { 
@@ -1404,39 +1438,47 @@ "key": "file.mime_type", "object": "process_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "process_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "process_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "process_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "process_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "process_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "process_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "process_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "process_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "process_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ @@ -1487,11 +1529,11 @@ "object": "parent_proc" }, "tid": { - "key": "process.x_thread_id", + "key": "process.x_process_tid", "object": "parent_proc" }, "uid": { - "key": "process.x_proc_uid", + "key": "process.x_process_uid", "object": "parent_proc" }, "user": { 
@@ -1602,39 +1644,47 @@ "key": "file.mime_type", "object": "parent_proc_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "parent_proc_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "parent_proc_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "parent_proc_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "parent_proc_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "parent_proc_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "parent_proc_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "parent_proc_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -2240,39 +2290,47 @@ "references": "module_dir" } ], - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "module" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "module", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "module" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "module" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "module" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "module", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "module", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "module" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "module" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ 
@@ -2426,39 +2484,47 @@ "key": "file.mime_type", "object": "app_file" }, - "signature_issuer": { - "key": "file.x_signature_issuer", - "object": "app_file" - }, + "signature_issuer": [ + { + "key": "x509-certificate.issuer", + "object": "x509" + }, + { + "key": "file.x_certificate_ref", + "object": "app_file", + "references": "x509" + } + ], "signature_value": { - "key": "file.x_signature_value", - "object": "app_file" + "key": "x509-certificate.x_signature_value", + "object": "x509" }, "signature_level_id": { - "key": "file.x_signature_level_id", - "object": "app_file" + "key": "x509-certificate.x_signature_level_id", + "object": "x509" }, "signature_serial_number": { - "key": "file.x_signature_serial_number", - "object": "app_file" + "key": "x509-certificate.serial_number", + "object": "x509" }, "signature_value_ids": { - "key": "file.x_signature_value_ids", - "object": "app_file", + "key": "x509-certificate.x_signature_value_ids", + "object": "x509", "transformer": "ToListValue" }, "signature_created_date": { - "key": "file.x_signature_created_date", - "object": "app_file", + "key": "x509-certificate.validity_not_before", + "object": "x509", "transformer": "EpochSecondsToTimestamp" }, "signature_company_name": { - "key": "file.x_signature_company_name", - "object": "app_file" + "key": "x509-certificate.x_signature_company_name", + "object": "x509" }, "signature_fingerprints": { - "key": "file.x_signature_fingerprints", - "object": "app_file" + "key": "x509-certificate.hashes", + "object": "x509", + "transformer": "ToAlgorithmHashes" }, "url": { "text": [ diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py index 730565f67..57f73ff97 100644 --- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py +++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/query_constructor.py 
@@ -13,12 +13,18 @@
 START_STOP_PATTERN = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z)"
 STOP_TIME = datetime.utcnow()
 CONFIG_MAP_PATH = "json/config_map.json"
+SYMANTEC_EVENT_RETENTION_PERIOD = 30
 class FileNotFoundException(Exception):
 pass
+class StartStopQualifierValueException(Exception):
+ """ Start Stop qualifier exception """
+ pass
+
+
 QUERY_TEMPLATE = {
 "feature_name": "ALL",
 "product": "SAEP",
@@ -187,6 +193,24 @@ def _parse_time_range(qualifier, time_range) -> list:
 except (KeyError, IndexError, TypeError) as e:
 raise e
+ @staticmethod
+ def _check_time_range_values(time_range):
+ """
+ checks for valid start time.
+ :param time_range: list
+ """
+ start_date = datetime.strptime(time_range[0].replace('+00:00', 'Z'), '%Y-%m-%dT%H:%M:%S.%fZ')
+ end_date = datetime.strptime(time_range[1].replace('+00:00', 'Z'), '%Y-%m-%dT%H:%M:%S.%fZ')
+
+ if start_date > end_date:
+ raise StartStopQualifierValueException(f"Start time should be lesser than Stop time")
+ if end_date > datetime.utcnow():
+ raise StartStopQualifierValueException(f"End time should be lesser than the current time")
+
+ if start_date < (datetime.utcnow() - timedelta(days=SYMANTEC_EVENT_RETENTION_PERIOD)):
+ raise StartStopQualifierValueException(f"Start date {start_date} is older than the event retention period of "
+ f"{SYMANTEC_EVENT_RETENTION_PERIOD} days")
+
 def _get_mapped_field_type(self, mapped_field_array) -> str:
 """
 Returns the type of mapped field array
@@ -331,6 +355,7 @@ def _add_qualifier(self, query, qualifier) -> list:
 return: query: (list) list of queries attached with timestamp
 """
 time_range = QueryStringPatternTranslator._parse_time_range(qualifier, self.options['time_range'])
+ QueryStringPatternTranslator._check_time_range_values(time_range)
 for row in query:
 row['start_date'] = time_range[0]
 row['end_date'] = time_range[1]
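Review bot: `_check_time_range_values` parses both bounds with the fixed format `'%Y-%m-%dT%H:%M:%S.%fZ'`, yet `START_STOP_PATTERN` at the top of this diff makes the fractional seconds optional (`(\.\d+)?`), so a qualifier such as `t'2024-05-01T00:00:00Z'` raises a bare `ValueError` from `strptime` instead of `StartStopQualifierValueException` — unless `_parse_time_range`, whose body is outside the hunk, already normalises the value. The two rejection messages are f-strings with no placeholders and say "lesser than" where "earlier than" is meant, and `datetime.utcnow()` is evaluated twice in one check; capturing it once keeps both comparisons on the same instant. The rewrite below parses through a small helper that accepts both timestamp forms and turns a parse failure into the connector's own exception.
```python
    @staticmethod
    def _check_time_range_values(time_range):
        """
        Validates the start/stop qualifier: start must precede stop, stop must not lie in the
        future and start must fall within the event retention period.
        :param time_range: list of two ISO-8601 timestamps, [start, stop]
        :raises StartStopQualifierValueException: on an unparsable or out-of-range value
        """
        def _parse(value):
            value = value.replace('+00:00', 'Z')
            # START_STOP_PATTERN makes fractional seconds optional, so accept both spellings.
            for fmt in ('%Y-%m-%dT%H:%M:%S.%fZ', '%Y-%m-%dT%H:%M:%SZ'):
                try:
                    return datetime.strptime(value, fmt)
                except ValueError:
                    continue
            raise StartStopQualifierValueException(f"Unsupported timestamp format: {value}")

        start_date = _parse(time_range[0])
        end_date = _parse(time_range[1])
        now = datetime.utcnow()
        if start_date > end_date:
            raise StartStopQualifierValueException("Start time should be earlier than Stop time")
        if end_date > now:
            raise StartStopQualifierValueException("End time should be earlier than the current time")
        # … unchanged: retention-period check, comparing against `now` instead of a second utcnow() …
```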
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py b/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py
index ca1be672d..9dbb73b8b 100644
--- a/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_translation/transformers.py
@@ -356,3 +356,19 @@ def transform(obj):
 if not isinstance(obj, list):
 obj = [obj]
 return obj
+
+class ToAlgorithmHashes(ValueTransformer):
+ """A value transformer that converts hashes to stix hashes format.
+ Example:
+ input : [{"algorithm": "sha1", "value": "21EE32614E2EE32EEE9E2056EEE28EEE5E7EEEEA"}]
+ output: {"sha1": "21EE32614E2EE32EEE9E2056EEE28EEE5E7EEEEA"}
+ """
+
+ @staticmethod
+ def transform(obj):
+ try:
+ if isinstance(obj, list):
+ obj = {item["algorithm"]: item["value"] for item in obj}
+ return obj
+ except ValueError:
+ LOGGER.error(f"Cannot convert the hashes {obj} to hashes format")
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py
index b32db88bb..a2f92c714 100644
--- a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/connector.py
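Review bot: The `except ValueError` in `ToAlgorithmHashes.transform` cannot catch what the comprehension actually raises — a list item without `"algorithm"` or `"value"` gives `KeyError` and a non-dict item gives `TypeError` — and on the except path the method falls off the end and returns `None`, so a malformed fingerprint list either propagates as an unhandled exception or silently drops the hashes. The keys are also emitted exactly as the source spells the algorithm (`sha1` in the docstring example), whereas the STIX 2.1 `hashes` dictionary uses the hash-algorithm vocabulary (`MD5`, `SHA-1`, `SHA-256`, `SHA-512`), so a consumer matching `x509-certificate:hashes.'SHA-1'` will not find the value. I would normalise the known names to the STIX spelling and catch the exceptions the code can raise; the source spellings in the table below are constructed from the docstring example and need confirming against the actual data.
```python
class ToAlgorithmHashes(ValueTransformer):
    # … unchanged: docstring …

    # Source algorithm spelling -> STIX hash-algorithm-ov key (constructed; confirm against source data).
    STIX_HASH_KEYS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}

    @staticmethod
    def transform(obj):
        try:
            if isinstance(obj, list):
                obj = {
                    ToAlgorithmHashes.STIX_HASH_KEYS.get(str(item["algorithm"]).lower(), item["algorithm"]): item["value"]
                    for item in obj
                }
            return obj
        except (KeyError, TypeError, ValueError):
            LOGGER.error(f"Cannot convert the hashes {obj} to hashes format")
            return None  # explicit: the hashes are dropped rather than emitted half-converted
```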
@@ -88,8 +88,10 @@ async def create_results_connection(self, query, offset, length, metadata=None):
 length -= processed_data_count
 return_obj = self.handle_data(data, return_obj)
 if metadata:
- # setting metadata with last event from the data to avoid duplicate events from next batch call
- return_obj['metadata'] = self.get_metadata(data) if is_query_start_date_updated else metadata
+ # metadata will not be set if result limit reached or no more events from the query.
+ if (offset + len(return_obj['data'])) < self.api_client.result_limit and start_index == end_index:
+ # setting metadata with last event from the data to avoid duplicate events from next batch call
+ return_obj['metadata'] = self.get_metadata(data) if is_query_start_date_updated else metadata
 except Exception as ex:
 return_obj = self.handle_api_exception(None, str(ex))
@@ -130,12 +132,18 @@ def handle_api_exception(self, code=None, response_txt=''):
 # setting code 401 for 400 code if it is authentication failure.
 if "Invalid Client token" in str(response_txt) or 'Credential mismatch' in str(response_txt):
+ message = "Invalid oauth_credentials."
 code = 401
 # setting code 403 for 400 code if it is an invalid query.
 if 'Invalid query' in str(response_txt):
 code = 403
+ # setting code 429 with the custom message.
+ if 'Max retries exceeded. too_many_requests with max retry' in str(response_txt):
+ message = "Too many request were made in the last hour. This API is limited to 500 requests per hour."
+ code = 429
+
 if not message:
 message = str(response_txt)
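Review bot: In `handle_api_exception` the new 401 branch replaces the provider's response text with the fixed `"Invalid oauth_credentials."`, which is a reasonable message for the caller but discards the distinction between "Invalid Client token" and "Credential mismatch" that an operator needs when troubleshooting; log the original text at debug level before overwriting it, e.g. `LOGGER.debug("authentication failure from API: %s", response_txt)` (assuming connector.py has a module logger — none is visible in this hunk). The 429 message has a typo, `"Too many requests were made in the last hour ..."`, and the hard-coded "500 requests per hour" figure will go stale silently if the provider changes its quota, so keep it in a named constant or leave the number out. Both enclosing methods begin outside the hunk, so whether `message` is initialised before the 401 branch (the later `if not message:` suggests it is) and where `start_index`/`end_index` in the first hunk come from cannot be confirmed here.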
@@ -263,6 +271,50 @@ def set_query_limit_value(self, query): else: query['limit'] = self.api_client.api_page_size + @staticmethod + def set_attributes(record): + """ + Preprocesses signature-related attributes in the provided response list. If standard attributes corresponding + to an x509-certificate object are not present, custom attributes are set to None, as an x509-certificate object + requires at least one standard attribute (signature_issuer, signature_serial_number, signature_created_date, + signature_fingerprints). + + :param response: A list containing signature attributes. + :return response: The modified list after preprocessing. + """ + if record.get('signature_issuer') is None and \ + record.get('signature_serial_number') is None and \ + record.get('signature_created_date') is None and \ + record.get('signature_fingerprints') is None: + if record.get('signature_value'): + record['signature_value'] = None + if record.get('signature_level_id'): + record['signature_level_id'] = None + if record.get('signature_value_ids'): + record['signature_value_ids'] = None + if record.get('signature_company_name'): + record['signature_company_name'] = None + + return record + + @staticmethod + def process_data(record, keys): + """ + Process items corresponding to keys which are present in the record. + + :param response: list + :param keys: key element of record + :return response: list + """ + if keys[1]: + if record.get(keys[0]) and record.get(keys[0]).get(keys[1]): + record[keys[0]][keys[1]] = Connector.set_attributes(record[keys[0]][keys[1]]) + else: + if record.get(keys[0]): + record[keys[0]] = Connector.set_attributes(record[keys[0]]) + + return record + @staticmethod def get_results_data(response): """ 
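Review bot: Both new docstrings describe a parameter that does not exist: set_attributes and process_data take `record`, a dict, but document `:param response: A list ...` / `:param response: list` and `:return response: list`. Change them to `:param record: dict` and `:return record: the same dict, modified in place`, and give process_data `:param keys: (top_key, sub_key) tuple, sub_key may be None`. The four identical if-blocks in set_attributes reduce to `for key in ('signature_value', 'signature_level_id', 'signature_value_ids', 'signature_company_name'):` / `    if record.get(key):` / `        record[key] = None`. In process_data, `record.get(keys[0]).get(keys[1])` assumes the nested value is a dict; if a record can carry a scalar under one of these keys it raises AttributeError, so an `isinstance(record.get(keys[0]), dict)` check would be safer.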
@@ -277,4 +329,15 @@ def get_results_data(response):
 record['device_os_type_id'] = None record['device_os_ver'] = None record['device_os_lang'] = None + + # If the dict containing signature related attributes is present, + # then data needs some preprocessing. Check the following items in record for + # signature related attributes. + item_list = [('file', None), ('directory', None), ('actor', 'file'), + ('actor', 'module'), ('process', 'file'), ('parent', 'file'), + ('module', None), ('startup_app', 'file')] + + for item in item_list: + record = Connector.process_data(record, item) + return response
diff --git a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py
index 99c0d2757..7e1745c4b 100644
--- a/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py
+++ b/stix_shifter_modules/symantec_endpoint_security/stix_transmission/error_mapper.py
@@ -9,7 +9,8 @@ 404: ErrorCode.TRANSMISSION_CONNECT, 408: ErrorCode.TRANSMISSION_CONNECT, 500: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE, - 503: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE + 503: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE, + 429: ErrorCode.TRANSMISSION_TOO_MANY_REQUESTS }
diff --git a/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md b/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md
index 858a7725c..7df1bb526 100644
--- a/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md
+++ b/stix_shifter_modules/symantec_endpoint_security/symantec_supported_stix.md
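Review bot: `item_list` is a constant that is rebuilt for every record inside the enclosing loop; hoist it to a class attribute such as `SIGNATURE_ITEMS = (('file', None), ...)` and iterate that. The list also omits `('parent', 'module')` and `('process', 'module')`, while the mapping table in symantec_supported_stix.md in this same commit lists parent.module.signature_fingerprints.algorithm and process.module.signature_fingerprints.algorithm; if those paths are really mapped, records whose signature data sits only there skip the preprocessing and can still yield an x509-certificate object with only custom properties. get_results_data starts before this hunk.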
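Review bot: The new `429: ErrorCode.TRANSMISSION_TOO_MANY_REQUESTS` entry is appended after 503, breaking the ascending order the rest of the table follows; placing it between 408 and 500 keeps the mapping scannable. Leaving a trailing comma on the last entry would also stop the next addition from having to modify the preceding line, as this one did.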
@@ -27,7 +27,7 @@
 | STIX Object and Property | Mapped Data Source Fields |
 |--|--|
 | **ipv4-addr**:value | device_ip, connection.src_ip, connection.dst_ip, device_public_ip, device_networks.ipv4, device_networks.gateway_ip |
-| **ipv4-addr**:resolves_to_refs[*].value | device_mac, device_networks.mac |
+| **ipv4-addr**:resolves_to_refs[*].value | device_mac, device_networks.mac, device_networks.gateway_mac |
 | **ipv6-addr**:value | device_ip, connection.src_ip, connection.dst_ip, device_networks.ipv6 |
 | **ipv6-addr**:resolves_to_refs[*].value | device_mac, device_networks.mac |
 | **mac-addr**:value | device_mac, device_networks.mac, device_networks.gateway_mac |
@@ -43,8 +43,8 @@
 | **process**:command_line | actor.cmd_line, process.cmd_line, parent.cmd_line, startup_app.cmd_line |
 | **process**:name | actor.app_name, process.app_name, parent.app_name |
 | **process**:created | actor.start_time, process.start_time, parent.start_time |
-| **process**:x_thread_id | actor.tid, process.tid |
-| **process**:x_proc_uid | actor.uid, process.uid, parent.uid |
+| **process**:x_process_tid | actor.tid, process.tid |
+| **process**:x_process_uid | actor.uid, process.uid, parent.uid |
 | **process**:creator_user_ref.user_id | actor.user.name, process.user.name |
 | **process**:creator_user_ref.account_login | actor.user.logon_name |
 | **process**:binary_ref.name | actor.file.name, process.file.name, parent.file.name, startup_app.file.name |
@@ -71,15 +71,15 @@
 | **file**:x_rep_score | file.rep_score |
 | **file**:x_file_version | file.version |
 | **file**:x_open_mode | open_mode |
-| **file**:x_signature_company_name | actor.file.signature_company_name, file.signature_company_name, module.signature_company_name, parent.file.signature_company_name, process.file.signature_company_name |
-| **file**:x_signature_created_date | actor.file.signature_created_date, actor.module.signature_created_date, file.signature_created_date, parent.signature_created_date, process.signature_created_date, directory.signature_created_date, startup_app.file.signature_created_date |
-| **file**:x_signature_fingerprints.algorithm | actor.file.signature_fingerprints.algorithm, actor.module.signature_fingerprints.algorithm, file.signature_fingerprints.algorithm, module.signature_fingerprints.algorithm, parent.file.signature_fingerprints.algorithm, parent.module.signature_fingerprints.algorithm, process.file.signature_fingerprints.algorithm, process.module.signature_fingerprints.algorithm, directory.signature_fingerprints.algorithm, startup_app.file.signature_fingerprints.algorithm |
-| **file**:x_signature_issuer | actor.file.signature_issuer |
-| **file**:x_signature_level_id | actor.file.signature_level_id, file.signature_level_id, parent.file.signature_level_id, process.file.signature_level_id, directory.signature_level_id, startup_app.file.signature_level_id |
-| **file**:x_signature_serial_number | actor.file.signature_serial_number |
-| **file**:x_signature_value | actor.file.signature_value |
-| **file**:x_signature_value_ids | actor.file.signature_value_ids, process.file.signature_value_ids, startup_app.file.signature_value_ids |
 | **file**:x_content_type | file.content_type.type_id |
+| **x509-certificate**:issuer | actor.file.signature_issuer |
+| **x509-certificate**:serial_number | actor.file.signature_serial_number |
+| **x509-certificate**:validity_not_before | actor.file.signature_created_date,
actor.module.signature_created_date, file.signature_created_date, parent.signature_created_date, process.signature_created_date, directory.signature_created_date, startup_app.file.signature_created_date |
+| **x509-certificate**:signature_algorithm | actor.file.signature_fingerprints.algorithm, actor.module.signature_fingerprints.algorithm, file.signature_fingerprints.algorithm, module.signature_fingerprints.algorithm, parent.file.signature_fingerprints.algorithm, parent.module.signature_fingerprints.algorithm, process.file.signature_fingerprints.algorithm, process.module.signature_fingerprints.algorithm, directory.signature_fingerprints.algorithm, startup_app.file.signature_fingerprints.algorithm |
+| **x509-certificate**:x_signature_level_id | actor.file.signature_level_id, file.signature_level_id, parent.file.signature_level_id, process.file.signature_level_id, directory.signature_level_id, startup_app.file.signature_level_id |
+| **x509-certificate**:x_signature_company_name | actor.file.signature_company_name, file.signature_company_name, module.signature_company_name, parent.file.signature_company_name, process.file.signature_company_name |
+| **x509-certificate**:x_signature_value | actor.file.signature_value |
+| **x509-certificate**:x_signature_value_ids | actor.file.signature_value_ids, process.file.signature_value_ids, startup_app.file.signature_value_ids |
 | **directory**:path | file.folder, directory.folder, actor.file.folder, parent.file.folder, process.file.folder, module.folder, startup_app.file.folder |
 | **email-addr**:value | email.header_from, email.header_to |
 | **email-message**:from_ref | email.header_from |
@@ -94,13 +94,7 @@
 | **software**:name | device_os_name |
 | **software**:version | device_os_ver |
 | **software**:x_os_type | device_os_type_id |
-| **software**:x_cmd_line | startup_app.cmd_line |
-| **software**:x_start_type_id | startup_app.start_id |
-| **software**:x_config_path | config_path |
-| **url**:value | url.text, file.url.text |
-| **url**:x_url_host | url.host, file.url.host, connection.url.host |
-| **url**:x_url_path | url.path, file.url.path, connection.url.path |
-| **url**:x_url_port | url.port, file.url.port, connection.url.port |
+| **url**:value | url.text, file.url.text, connection.url.text |
 | **domain-name**:value | device_domain |
 | **x-oca-event**:code | uuid |
 | **x-oca-event**:severity | severity_id |
@@ -108,7 +102,7 @@
 | **x-oca-event**:action | type |
 | **x-oca-event**:description | message |
 | **x-oca-event**:provider | product_name |
-| **x-oca-event**:agent | feature_name |
+| **x-oca-event**:x_feature_name | feature_name |
 | **x-oca-event**:outcome | id |
 | **x-oca-event**:created | time |
 | **x-oca-event**:x_event_status | status_id |
@@ -192,6 +186,7 @@
 | ipv4-addr | value | device_networks.gateway_ip |
 | ipv4-addr | resolves_to_refs[*].value | device_mac |
 | ipv4-addr | resolves_to_refs[*].value | device_networks.mac |
+| ipv4-addr | resolves_to_refs[*].value | device_networks.gateway_mac |
 |
| | |
 | ipv6-addr | value | device_ip |
 | ipv6-addr | value | connection.src_ip |
@@ -226,11 +221,11 @@
 | process | created | actor.start_time |
 | process | created | process.start_time |
 | process | created | parent.start_time |
-| process | x_thread_id | actor.tid |
-| process | x_thread_id | process.tid |
-| process | x_proc_uid | actor.uid |
-| process | x_proc_uid | process.uid |
-| process | x_proc_uid | parent.uid |
+| process | x_process_tid | actor.tid |
+| process | x_process_tid | process.tid |
+| process | x_process_uid | actor.uid |
+| process | x_process_uid | process.uid |
+| process | x_process_uid | parent.uid |
 | process | creator_user_ref.user_id | actor.user.name |
 | process | creator_user_ref.user_id | process.user.name |
 | process | creator_user_ref.account_login | actor.user.logon_name |
@@ -321,42 +316,43 @@
 | file | x_rep_score | file.rep_score |
 | file | x_file_version | file.version |
 | file | x_open_mode | open_mode |
-| file | x_signature_company_name | actor.file.signature_company_name |
-| file | x_signature_company_name | file.signature_company_name |
-| file | x_signature_company_name | module.signature_company_name |
-| file | x_signature_company_name | parent.file.signature_company_name |
-| file | x_signature_company_name | process.file.signature_company_name |
-| file | x_signature_created_date | actor.file.signature_created_date |
-| file | x_signature_created_date | actor.module.signature_created_date |
-| file | x_signature_created_date | file.signature_created_date |
-| file | x_signature_created_date | parent.signature_created_date |
-| file | x_signature_created_date | process.signature_created_date |
-| file | x_signature_created_date | directory.signature_created_date |
-| file | x_signature_created_date | startup_app.file.signature_created_date |
-| file | x_signature_fingerprints.algorithm | actor.file.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | actor.module.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | file.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | module.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | parent.file.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | parent.module.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | process.file.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | process.module.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | directory.signature_fingerprints.algorithm |
-| file | x_signature_fingerprints.algorithm | startup_app.file.signature_fingerprints.algorithm |
-| file | x_signature_issuer | actor.file.signature_issuer |
-| file | x_signature_level_id | actor.file.signature_level_id |
-| file | x_signature_level_id | file.signature_level_id |
-| file | x_signature_level_id | parent.file.signature_level_id |
-| file | x_signature_level_id | process.file.signature_level_id |
-| file | x_signature_level_id | directory.signature_level_id |
-| file | x_signature_level_id | startup_app.file.signature_level_id |
-| file | x_signature_serial_number | actor.file.signature_serial_number |
-| file | x_signature_value | actor.file.signature_value |
-| file | x_signature_value_ids | actor.file.signature_value_ids |
-| file | x_signature_value_ids | process.file.signature_value_ids |
-| file | x_signature_value_ids | startup_app.file.signature_value_ids |
 | file | x_content_type | file.content_type.type_id |
 |
| | |
+| x509-certificate | issuer | actor.file.signature_issuer |
+| x509-certificate | serial_number | actor.file.signature_serial_number |
+| x509-certificate | validity_not_before | actor.file.signature_created_date |
+| x509-certificate | validity_not_before | actor.module.signature_created_date |
+| x509-certificate | validity_not_before | file.signature_created_date |
+| x509-certificate | validity_not_before | parent.signature_created_date |
+| x509-certificate | validity_not_before | process.signature_created_date |
+| x509-certificate | validity_not_before | directory.signature_created_date |
+| x509-certificate | validity_not_before | startup_app.file.signature_created_date |
+| x509-certificate | signature_algorithm | actor.file.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | actor.module.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | file.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | module.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | parent.file.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | parent.module.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | process.file.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | process.module.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | directory.signature_fingerprints.algorithm |
+| x509-certificate | signature_algorithm | startup_app.file.signature_fingerprints.algorithm |
+| x509-certificate | x_signature_level_id | actor.file.signature_level_id |
+| x509-certificate | x_signature_level_id | file.signature_level_id |
+| x509-certificate | x_signature_level_id | parent.file.signature_level_id |
+| x509-certificate | x_signature_level_id | process.file.signature_level_id |
+| x509-certificate | x_signature_level_id | directory.signature_level_id |
+|
x509-certificate | x_signature_level_id | startup_app.file.signature_level_id |
+| x509-certificate | x_signature_company_name | actor.file.signature_company_name |
+| x509-certificate | x_signature_company_name | file.signature_company_name |
+| x509-certificate | x_signature_company_name | module.signature_company_name |
+| x509-certificate | x_signature_company_name | parent.file.signature_company_name |
+| x509-certificate | x_signature_company_name | process.file.signature_company_name |
+| x509-certificate | x_signature_value | actor.file.signature_value |
+| x509-certificate | x_signature_value_ids | actor.file.signature_value_ids |
+| x509-certificate | x_signature_value_ids | process.file.signature_value_ids |
+| x509-certificate | x_signature_value_ids | startup_app.file.signature_value_ids |
+|
| | |
 | directory | path | file.folder |
 | directory | path | directory.folder |
 | directory | path | actor.file.folder |
@@ -382,21 +378,10 @@
 | software | name | device_os_name |
 | software | version | device_os_ver |
 | software | x_os_type | device_os_type_id |
-| software | x_cmd_line | startup_app.cmd_line |
-| software | x_start_type_id | startup_app.start_id |
-| software | x_config_path | config_path |
 |
| | |
 | url | value | url.text |
 | url | value | file.url.text |
-| url | x_url_host | url.host |
-| url | x_url_host | file.url.host |
-| url | x_url_host | connection.url.host |
-| url | x_url_path | url.path |
-| url | x_url_path | file.url.path |
-| url | x_url_path | connection.url.path |
-| url | x_url_port | url.port |
-| url | x_url_port | file.url.port |
-| url | x_url_port | connection.url.port |
+| url | value | connection.url.text |
 |
| | |
 | domain-name | value | device_domain |
 |
| | | @@ -406,7 +391,7 @@ | x-oca-event | action | type | | x-oca-event | description | message | | x-oca-event | provider | product_name | -| x-oca-event | agent | feature_name | +| x-oca-event | x_feature_name | feature_name | | x-oca-event | outcome | id | | x-oca-event | created | time | | x-oca-event | x_event_status | status_id | diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py index 719e2a9e3..4f757e6ca 100644 --- a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_json_to_stix.py @@ -377,8 +377,7 @@ def test_file_json_to_stix(self): file_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'file') assert file_obj is not None assert (file_obj.keys() == {'type', 'x_file_type', 'created', 'modified', 'hashes', 'size', - 'x_signature_company_name', 'x_signature_value_ids', 'name', - 'parent_directory_ref', 'x_signature_level_id'}) + 'name', 'parent_directory_ref'}) assert file_obj['type'] == 'file' assert file_obj['name'] == 'svchost.exe' assert file_obj['size'] == 51736 @@ -388,7 +387,7 @@ def test_process_json_to_stix(self): objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response) process_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'process') assert process_obj is not None - assert (process_obj.keys() == {'type', 'pid', 'x_proc_uid', 'x_thread_id', 'created', + assert (process_obj.keys() == {'type', 'pid', 'x_process_uid', 'x_process_tid', 'created', 'command_line', 'binary_ref', 'creator_user_ref', 'child_refs'}) assert process_obj['type'] == 'process' assert process_obj['pid'] == 1880 
@@ -462,7 +461,7 @@ def test_x_oca_event_obj_json_to_stix_malware(self): objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_sample_response) x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') assert x_symantec_info_obj is not None - assert (x_symantec_info_obj.keys() == {'type', 'action', 'outcome', 'agent', 'provider', + assert (x_symantec_info_obj.keys() == {'type', 'action', 'outcome', 'x_feature_name', 'provider', 'x_event_type_version', 'timezone', 'x_provider_version', 'host_ref', 'category', 'x_event_type', 'process_ref', 'file_ref', 'severity', 'user_ref', 'x_policy_ref', 'created', 'code'}) @@ -478,7 +477,7 @@ def test_x_oca_event_obj_json_to_stix(self): objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_policy_sample_response) x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x-oca-event') assert x_symantec_info_obj is not None - assert (x_symantec_info_obj.keys() == {'type', 'category', 'agent', 'outcome', 'description', 'x_policy_ref', + assert (x_symantec_info_obj.keys() == {'type', 'category', 'x_feature_name', 'outcome', 'description', 'x_policy_ref', 'severity', 'x_event_status', 'action', 'x_event_type', 'x_event_type_version', 'host_ref', 'provider', 'x_provider_version', 'timezone', 'user_ref', 'created', 'code'}) 
@@ -502,6 +501,20 @@ def test_x_ibm_finding_obj_json_to_stix(self): assert x_symantec_info_obj['name'] == 'Trojan.Gen.MBT' assert x_symantec_info_obj['x_threat_type_id'] == 'Malware' + def test_x509_certificate_obj_json_to_stix(self): + """test x-symantec-info stix object properties""" + objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_threat_sample_response) + x_symantec_info_obj = TestSymantecResultsToStix.get_first_of_type(objects.values(), 'x509-certificate') + assert x_symantec_info_obj is not None + assert (x_symantec_info_obj.keys() == {'type', 'x_signature_company_name', + 'validity_not_before', 'hashes', 'issuer', + 'serial_number', 'x_signature_value', 'x_signature_value_ids'}) + assert x_symantec_info_obj['type'] == 'x509-certificate' + assert x_symantec_info_obj['x_signature_company_name'] == 'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1' + assert x_symantec_info_obj['issuer'] == 'knowbe4 inc.' + assert x_symantec_info_obj['serial_number'] == '0E44DA59C6985D40A6040C9D9AAAAAAA' + assert x_symantec_info_obj['validity_not_before'] == '2023-02-27T09:32:56.000Z' + def test_file_type_id_json_to_stix(self): """test file stix object properties""" objects = TestSymantecResultsToStix.get_observed_data_objects(symantec_file_sample_response) diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py index 91bdaadd0..668d91c9b 100644 --- a/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py +++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_translation/test_symantec_stix_to_query.py @@ -1,5 +1,6 @@ from stix_shifter.stix_translation import stix_translation import unittest +from datetime import datetime, timedelta translation = stix_translation.StixTranslation() 
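Review bot: The docstring and local name of the new test_x509_certificate_obj_json_to_stix are copied from the x-symantec-info tests (`"""test x-symantec-info stix object properties"""`, `x_symantec_info_obj`); use `"""test x509-certificate stix object properties"""` and a name like `cert_obj`. The expected values also suggest the field semantics are inverted: `issuer` is asserted as 'knowbe4 inc.', which reads as the signing company, while the CA name 'DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1' lands in the custom x_signature_company_name. In STIX 2.1 x509-certificate, issuer is the CA that issued the certificate and the signer belongs in subject, so if Symantec's signature_issuer really holds the signer, the to_stix mapping should be swapped; as written these assertions lock the inversion in.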
@@ -18,6 +19,9 @@ class TestQueryTranslator(unittest.TestCase): """ class to perform unit test case symantec translate query """ + end_time = datetime.strftime(datetime.utcnow(), '%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z' + start_time = datetime.strftime(datetime.utcnow() - timedelta(days =1), '%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z' + if __name__ == "__main__": unittest.main() @@ -32,8 +36,7 @@ def _test_query_assertions(self, query, queries): self.assertEqual(each_query, queries[index]) def test_equal_operator(self): - stix_pattern = "[ipv4-addr:value = '111.11.1.111'] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[ipv4-addr:value = '111.11.1.111'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', @@ -45,8 +48,8 @@ def test_equal_operator(self): self._test_query_assertions(query, queries) def test_not_equal_operator(self): - stix_pattern = "[ipv6-addr:value != '1234:a5a6:78910:1111:2222:3333'] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[ipv6-addr:value != '1234:a5a6:78910:1111:2222:3333'] START t'{self.start_time}' " \ + f"STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 
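Review bot: `datetime.utcnow()` in the new class attributes is deprecated since Python 3.12 and yields a naive value that is then labelled with a literal 'Z'; use an aware clock instead, `end_time = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'` and `start_time = (datetime.now(timezone.utc) - timedelta(days=1)).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'`, with `timezone` added to the `from datetime import` line in the earlier import hunk. `timedelta(days =1)` also has a stray space. Because these run once at class creation, every test shares one window captured at import time, which suits translation tests but deserves a one-line comment so nobody expects a fresh clock per test. The class TestQueryTranslator continues beyond this hunk.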
@@ -59,8 +62,7 @@ def test_not_equal_operator(self): self._test_query_assertions(query, queries) def test_gt_operator(self): - stix_pattern = "[network-traffic:dst_port > 22] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[network-traffic:dst_port > 22] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.dst_port:{22 TO *}', @@ -69,8 +71,7 @@ def test_gt_operator(self): self._test_query_assertions(query, queries) def test_gt_eq_operator(self): - stix_pattern = "[network-traffic:dst_port >= 22] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[network-traffic:dst_port >= 22] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.dst_port:[22 TO *}', @@ -79,8 +80,7 @@ def test_gt_eq_operator(self): self._test_query_assertions(query, queries) def test_lt_operator(self): - stix_pattern = "[network-traffic:src_port < 22] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[network-traffic:src_port < 22] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.src_port:{* TO 22}', 
@@ -89,8 +89,7 @@ def test_lt_operator(self): self._test_query_assertions(query, queries) def test_lt_eq_operator(self): - stix_pattern = "[network-traffic:src_port <= 22] START t'2024-05-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[network-traffic:src_port <= 22] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.src_port:{* TO 22]', @@ -99,8 +98,8 @@ def test_lt_eq_operator(self): self._test_query_assertions(query, queries) def test_IN_operator(self): - stix_pattern = "[network-traffic:protocols[*] IN ('tcp', 'udp')] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[network-traffic:protocols[*] IN ('tcp', 'udp')] START t'{self.start_time}' " \ + f"STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'connection.protocol_id:("6" OR "17")', @@ -109,8 +108,7 @@ def test_IN_operator(self): self._test_query_assertions(query, queries) def test_like_operator(self): - stix_pattern = "[user-account:user_id LIKE 'SYSTEM'] START t'2024-05-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[user-account:user_id LIKE 'SYSTEM'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'user.name:SYSTEM* OR actor.user.name:SYSTEM*' 
@@ -120,8 +118,7 @@ def test_like_operator(self): self._test_query_assertions(query, queries) def test_matches_operator(self): - stix_pattern = "[process:name MATCHES 'host[a-z].exe'] START t'2024-05-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[process:name MATCHES 'host[a-z].exe'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', @@ -132,8 +129,7 @@ def test_matches_operator(self): self._test_query_assertions(query, queries) def test_bool_operator(self): - stix_pattern = "[x-oca-geo:x_is_on_premises = 'true'] START t'2024-05-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[x-oca-geo:x_is_on_premises = 'true'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'device_location.on_premises:"true"', @@ -142,8 +138,7 @@ def test_bool_operator(self): self._test_query_assertions(query, queries) def test_date_supported_properries(self): - stix_pattern = "[file:created = '2024-03-19T04:43:06.377Z'] START t'2024-05-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[file:created = '2024-03-19T04:43:06.377Z'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 
@@ -156,8 +151,7 @@ def test_date_supported_properries(self): self._test_query_assertions(query, queries) def test_not_supported_properties_for_like(self): - stix_pattern = "[mac-addr:value LIKE '11:aa:aa:11:11:11'] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[mac-addr:value LIKE '11:aa:aa:11:11:11'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) assert False is query['success'] assert 'not_implemented' == query['code'] @@ -166,8 +160,8 @@ def test_not_supported_properties_for_like(self): 'device_networks.gateway_mac' def test_directory_path(self): - stix_pattern = "[directory:path = 'C:\\\\users\\\\administrator\\\\local\\\\data']" \ - "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'" + stix_pattern = f"[directory:path = 'C:\\\\users\\\\administrator\\\\local\\\\data']" \ + f"START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', @@ -183,8 +177,7 @@ def test_directory_path(self): self._test_query_assertions(query, queries) def test_enum_operator(self): - stix_pattern = "[x-oca-event:severity = 15] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[x-oca-event:severity = 15] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'severity_id:"1"', 
@@ -193,8 +186,7 @@ def test_enum_operator(self): self._test_query_assertions(query, queries) def test_int_operator(self): - stix_pattern = "[process:pid > 1235] START t'2023-11-01T11:00:00.000Z' " \ - "STOP t'2024-05-06T11:54:00.000Z'" + stix_pattern = f"[process:pid > 1235] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{'feature_name': 'ALL', 'product': 'SAEP', @@ -204,8 +196,8 @@ def test_int_operator(self): self._test_query_assertions(query, queries) def test_event_date_attribute(self): - stix_pattern = "[x-oca-event:created = '2024-05-21T13:27:21.526Z'] " \ - "START t'2024-05-01T11:00:00.000Z' STOP t'2024-05-23T00:00:00.000Z'" + stix_pattern = f"[x-oca-event:created = '2024-05-21T13:27:21.526Z'] START t'{self.start_time}'" \ + f" STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{ @@ -219,8 +211,7 @@ def test_event_date_attribute(self): self._test_query_assertions(query, queries) def test_file_date_attribute(self): - stix_pattern = "[file:created = '2024-03-19T04:43:06.377Z'] " \ - "START t'2024-05-01T11:00:00.000Z' STOP t'2024-05-23T00:00:00.000Z'" + stix_pattern = f"[file:created = '2024-03-19T04:43:06.377Z'] START t'{self.start_time}' STOP t'{self.end_time}'" query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern) query['queries'] = _remove_timestamp_from_query(query['queries']) queries = [{ 
@@ -237,8 +228,7 @@ def test_file_date_attribute(self):
 self._test_query_assertions(query, queries)

 def test_protocol_attribute(self):
- stix_pattern = "[network-traffic:protocols[*]='udp'] " \
- "START t'2024-03-15T16:43:26.000Z' STOP t'2024-05-25T06:23:26.003Z'"
+ stix_pattern = f"[network-traffic:protocols[*]='udp'] START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{
@@ -253,7 +243,7 @@ def test_protocol_attribute(self):

 def test_combined_comparison_AND_operator(self):
 stix_pattern = "[network-traffic:dst_port = 445 AND (process:pid = 1010 AND user-account:user_id LIKE " \
- "'Administrator')]START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ f"'Administrator')] START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -266,8 +256,8 @@ def test_combined_comparison_AND_operator(self):
 self._test_query_assertions(query, queries)

 def test_combined_comparison_OR_operator(self):
- stix_pattern = "[process:pid = 1010 OR user-account:user_id LIKE 'Administrator']START " \
- "t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ stix_pattern = f"[process:pid = 1010 OR user-account:user_id LIKE 'Administrator'] START t'{self.start_time}'" \
+ f" STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -281,7 +271,7 @@ def test_combined_comparison_OR_operator(self):
 def test_combined_comparison_OR_AND_operators(self):
 stix_pattern = "[(x-oca-event:severity = 15 OR x-oca-event:category = 'Security') AND " \
 "(x-oca-asset:host_type = 'server' AND x-symantec-policy:name = 'default')]" \
- " START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ f" START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -296,7 +286,7 @@ def test_combined_comparison(self):
 "(x-symantec-policy:name = 'malware_detection' AND" \
 " x-ibm-ttp-tagging:name = 'Drive by Compromise') OR" \
 " (x-user-session:is_remote = 'true' AND network-traffic:src_port = 22)]" \
- "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ f"START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -327,8 +317,8 @@ def test_IN_operator_split_query(self):
 "'BBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \
 "'DBDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \
 "'ABDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A'," \
- "'DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A')] START " \
- "t'2024-05-01T11:00:00.000Z' STOP t'2024-05-06T11:54:00.000Z'"
+ f"'DDDF0C85B1A39656E616E428FCEFEDC930761ACC5CF2846BBF8E60610016142A')] START t'{self.start_time}' " \
+ f"STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -462,8 +452,8 @@ def test_IN_operator_split_query(self):
 self._test_query_assertions(query, queries)

 def test_multiple_observation_AND_operator(self):
- stix_pattern = "([ipv4-addr:value = '1.1.1.1'] AND [file:name = 'cmd.exe'])START " \
- "t'2024-05-01T01:56:00.000Z' STOP t'2024-05-01T01:57:00.003Z'"
+ stix_pattern = f"([ipv4-addr:value = '1.1.1.1'] AND [file:name = 'cmd.exe']) START t'{self.start_time}' " \
+ f"STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -479,7 +469,7 @@ def test_multiple_observation_AND_operator(self):

 def test_multiple_observation_OR_operator(self):
 stix_pattern = "([x-oca-event:severity = 15] OR [x-oca-asset:host_type = 'server'])" \
- "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ f"START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': '(device_type:"server") OR (severity_id:"1")',
@@ -490,7 +480,7 @@ def test_multiple_observation_OR_operator(self):
 def test_multiple_observation_with_combined_comparison(self):
 stix_pattern = "([x-oca-asset:host_type = 'server' AND x-symantec-policy:name = 'default'] OR " \
 "[mac-addr:value = '11:aa:aa:11:11:11'])" \
- "START t'2024-05-01T01:56:00.000Z' STOP t'2024-05-01T01:57:00.003Z'"
+ f"START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -504,8 +494,7 @@ def test_multiple_observation_with_combined_comparison(self):

 def test_combine_multiple_observation_with_same_date(self):
 stix_pattern = "([software:name IN ('Windows 10', 'iOS', 'Android')] OR " \
- "[(domain-name:value='internal.ec2.com')])START t'2024-01-01T01:56:00.000Z' " \
- "STOP t'2024-05-01T01:57:00.003Z'"
+ f"[(domain-name:value='internal.ec2.com')])START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP',
@@ -520,7 +509,7 @@ def test_split_multiple_observation_OR_operator(self):
 split into 2 queries
 """
 stix_pattern = "[x-oca-event:severity = 15] OR [x-oca-asset:host_type = 'server']" \
- "START t'2024-05-01T00:00:00.000Z' STOP t'2024-05-01T11:00:00.000Z'"
+ f"START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 query['queries'] = _remove_timestamp_from_query(query['queries'])
 queries = [{'feature_name': 'ALL', 'product': 'SAEP', 'query': 'severity_id:"1"',
@@ -531,8 +520,7 @@ def test_split_multiple_observation_OR_operator(self):
 self._test_query_assertions(query, queries)

 def test_invalid_MATCHES_operator(self):
- stix_pattern = "[user-account:is_privileged MATCHES 'true'] START t'2024-05-14T16:43:26.000Z' STOP " \
- "t'2024-05-15T16:43:26.003Z'"
+ stix_pattern = f"[user-account:is_privileged MATCHES 'true'] START t'{self.start_time}' STOP t'{self.end_time}'"
 query = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is query['success']
 assert 'not_implemented' == query['code']
@@ -540,8 +528,7 @@ def test_invalid_MATCHES_operator(self):
 "operator is not supported for this fields actor.user.is_admin,session.user.is_admin"

 def test_invalid_int_input(self):
- stix_pattern = "[process:pid = '123456789123'] START t'2024-02-15T16:43:26.000Z' STOP " \
- "t'2024-05-14T16:43:26.003Z'"
+ stix_pattern = f"[process:pid = '123456789123'] START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'not_implemented' == result['code']
@@ -549,8 +536,7 @@ def test_invalid_int_input(self):
 ' 123456789123 is not supported for integer type field'

 def test_invalid_enum_value(self):
- stix_pattern = "[x-oca-event:category = 'TEST'] START t'2024-05-15T16:43:26.000Z' STOP " \
- "t'2024-05-16T16:43:26.003Z'"
+ stix_pattern = f"[x-oca-event:category = 'TEST'] START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'not_implemented' == result['code']
@@ -559,8 +545,7 @@ def test_invalid_enum_value(self):
 "'Security,Application Activity,System Activity'"

 def test_invalid_timestamp(self):
- stix_pattern = "[network-traffic:dst_port = 'symantec'] " \
- "START t'Q000-01-01T01:56:00.000Z' STOP t'2024-01-01T01:57:00.003Z'"
+ stix_pattern = f"[network-traffic:dst_port = 'symantec'] START t'2024' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'translation_error' == result['code']
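Review bot: The new START value `t'2024'` in test_invalid_timestamp changes what the test exercises — the original `Q000-01-01T01:56:00.000Z` was a non-numeric year, the replacement is a truncated timestamp — and nothing on the line records that this is deliberate rather than a leftover from the search-and-replace that touched every other pattern. A short comment would make the intent reviewable, e.g. `# START is deliberately truncated; STOP stays valid so only the START value is rejected`, assuming the pattern parser does reject a bare year (the asserted error text follows this hunk). `self.end_time` is defined outside this hunk.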
@@ -568,7 +553,7 @@ def test_invalid_timestamp(self):
 "error: Invalid STIX timestamp None"

 def test_invalid_mapping_value(self):
- stix_pattern = "[file:type LIKE 'cmd.exe']START t'2024-05-01T01:56:00.000Z' STOP t'2024-05-06T01:57:00.003Z'"
+ stix_pattern = f"[file:type LIKE 'cmd.exe']START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'mapping_error' == result['code']
@@ -576,8 +561,7 @@ def test_invalid_mapping_value(self):
 "the following STIX objects and properties: [\'file:type\'] to data source fields"

 def test_severity_range(self):
- stix_pattern = "[x-oca-event:severity = 200]START t'2024-05-01T01:56:00.000Z' STOP " \
- "t'2024-05-06T01:57:00.003Z'"
+ stix_pattern = f"[x-oca-event:severity = 200]START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'not_implemented' == result['code']
@@ -586,8 +570,7 @@ def test_severity_range(self):
 " range from 0 to 100"

 def test_not_supported_operators(self):
- stix_pattern = "[network-traffic:dst_port ISSUBSET '445'] START t'2023-11-01T11:00:00.000Z' STOP " \
- "t'2023-12-06T11:54:00.000Z'"
+ stix_pattern = f"[network-traffic:dst_port ISSUBSET '445'] START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'mapping_error' == result['code']
@@ -595,8 +578,7 @@ def test_not_supported_operators(self):
 " the following STIX Operators: [IsSubSet] to data source fields"

 def test_invalid_like_values(self):
- stix_pattern = "[user-account:user_id LIKE 'LOCAL SERVICE'] START t'2024-05-01T11:00:00.000Z' " \
- "STOP t'2024-05-06T11:54:00.000Z'"
+ stix_pattern = f"[user-account:user_id LIKE 'LOCAL SERVICE'] START t'{self.start_time}' STOP t'{self.end_time}'"
 result = translation.translate('symantec_endpoint_security', 'query', '{}', stix_pattern)
 assert False is result['success']
 assert 'not_implemented' == result['code']
diff --git a/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py
index a0208e1bf..1c4eda6b2 100644
--- a/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py
+++ b/stix_shifter_modules/symantec_endpoint_security/test/stix_transmission/test_symantec.py
@@ -85,19 +85,13 @@ class TestSymantecConnection(unittest.TestCase, object):
 "md5": "0x000x0xx0x0000000x0xx00xxx0x00x00",
 "sha2": "222e222c222b2b2222e2dd22d2df222222222cc2222222222ed22222b22d22b",
 "size": 686968,
- "signature_company_name": "Microsoft Windows Publisher",
- "signature_value_ids": [
- 3,
- 5
- ],
 "security_descriptor": "O:BAG:SYD:(A;;0x1fffff;;;SY)(A;;0x121411;;;BA)S:AI",
 "normalized_path": "CSIDL_SYSTEM\\services.exe",
 "path": "c:\\windows\\system32\\services.exe",
 "uid": "281474977475580",
 "name": "services.exe",
 "folder": "c:\\windows\\system32",
- "original_name": "services.exe",
- "signature_level_id": 60
+ "original_name": "services.exe"
 },
 "user": {
 "name": "SYSTEM",
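Review bot: Removing `signature_company_name`, `signature_value_ids` and `signature_level_id` from the mocked file object in test_symantec.py drops whatever coverage this transmission fixture gave to the signer fields, and the commit does not say whether the corresponding to-STIX mapping was removed at the same time. If the mapping still exists, keep one fixture that carries these keys so a regression in that path is still caught; if the mapping was dropped, a sentence in the commit message saying so would explain why the fixture shrank. A code-signing publisher and signature level are the kind of fields a detection consumer filters on, so losing them silently from the test data is worth a second look. The dict literal this hunk edits begins and ends outside the hunk.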