
Mapping azure_sentinel UDI connector #710

Merged (8 commits, Dec 13, 2021)

Conversation

JingqiuDu (Contributor)

No description provided.

CLAassistant commented Oct 12, 2021

CLA assistant check
All committers have signed the CLA.

@JingqiuDu JingqiuDu self-assigned this Oct 12, 2021
@JingqiuDu JingqiuDu requested a review from mdazam1942 October 12, 2021 14:01
codecov bot commented Oct 13, 2021

Codecov Report

Merging #710 (c6ef67a) into develop (93b6a7d) will decrease coverage by 0.01%.
The diff coverage is 100.00%.


@@             Coverage Diff             @@
##           develop     #710      +/-   ##
===========================================
- Coverage    63.32%   63.30%   -0.02%     
===========================================
  Files          425      425              
  Lines        36805    36834      +29     
===========================================
+ Hits         23306    23318      +12     
- Misses       13499    13516      +17     
Impacted Files Coverage Δ
...ix_translation/test_azure_sentinel_json_to_stix.py 37.57% <100.00%> (+0.18%) ⬆️
...x_translation/test_azure_sentinel_stix_to_query.py 84.66% <100.00%> (-6.88%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@delliott90 delliott90 self-requested a review October 13, 2021 12:23
},
"cloudAppStates": {
"destinationServiceName": {
"key": "x-msazure-sentinel-alert.cloudAppStates.destinationServiceName",
"object": "alert"
"key": "x-ibm-finding.dst_application_ref.name",
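Review bot: `x-ibm-finding.dst_application_ref.name` writes a literal string under a `_ref` property, but `_ref` properties carry the identifier of another object; this entry should instead build a `software` object (`"key": "software.name"`) and point the finding at it with `"references"`, the same pattern the `sourceip` mapping uses for `network-traffic.src_ref`.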
Collaborator

Any reference mappings in the to-stix file should point to the actual object. Using a sourceip mapping as an example:

"sourceip": [
    {
      "key": "ipv4-addr.value",
      "object": "src_ip"
    },
    {
      "key": "network-traffic.src_ref",
      "object": "nt",
      "references": "src_ip"
    },

So destinationServiceName should be creating a software:name entry and a reference to the software object from the x-ibm-finding object.

Contributor Author

I added this

"destinationServiceName": [
        {
        "key":"software.name",
        "object":"software"
        },
        {
        "key":"x-ibm-finding.dst_application_ref",
        "object":"finding",
        "references":"software"
        }
      ],

does that make sense?

"object": "finding"
},
{
"key": "x-oca-event.outcome",
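Review bot: `x-oca-event.outcome` denotes the result of an event, so it should only receive a source field that actually records a result; if the value written here is the same one mapped to `category`, it is better dropped than duplicated under a property whose name says something different.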
Collaborator

would outcome and category be the same value in x-oca-event?

Contributor Author

I removed x-oca-event.outcome

@JingqiuDu JingqiuDu requested a review from delliott90 October 14, 2021 01:58
"key": "x-msazure-sentinel-alert.closedDateTime",
"object": "alert"
"key": "x-ibm-finding.closedDateTime",
"object": "finding"
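Review bot: `closedDateTime` is mapped only into custom properties on the alert and finding objects, so nothing in this hunk sets `last_observed` on the observed-data wrapper; add an entry with `"key": "last_observed"` and `"cybox": false` so the close time is visible at the observation level rather than only inside the custom objects.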
Member

I think closedDateTime should be mapped to last_observed

"closedDateTime": {
      "key": "last_observed",
      "cybox": false
    }

Member

Also remove last_observed from the eventDateTime field and make it like this:

"eventDateTime": {
      "key": "first_observed",
      "cybox": false
    }
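The two mapping conventions discussed in this thread, a `references` entry so that `dst_application_ref` carries the id of a separate `software` object, and `"cybox": false` entries that place `first_observed`/`last_observed` on the observed-data wrapper instead of on a cyber-observable, as an added Python illustration. This is not stix-shifter's translator; the `TO_STIX` excerpt and the `RECORD` values are constructed for the example.

```python
import uuid

# Mapping excerpt modelled on the review comments (constructed, not the
# project's azure_sentinel to_stix_map.json). destinationServiceName is in
# its corrected form: a software object plus a reference from the finding.
TO_STIX = {
    "sourceip": [
        {"key": "ipv4-addr.value", "object": "src_ip"},
        {"key": "network-traffic.src_ref", "object": "nt", "references": "src_ip"},
    ],
    "destinationServiceName": [
        {"key": "software.name", "object": "software"},
        {"key": "x-ibm-finding.dst_application_ref", "object": "finding",
         "references": "software"},
    ],
    "eventDateTime": {"key": "first_observed", "cybox": False},
    "closedDateTime": {"key": "last_observed", "cybox": False},
}

# Constructed sample record; the values are illustrative only.
RECORD = {
    "sourceip": "10.0.0.5",
    "destinationServiceName": "Office 365",
    "eventDateTime": "2021-10-12T14:01:00Z",
    "closedDateTime": "2021-10-14T01:58:00Z",
}


def translate(record, mapping=TO_STIX):
    """Return (observed_fields, objects): wrapper-level keys and alias -> object."""
    observed, objects = {}, {}
    for field, entries in mapping.items():
        if field not in record:
            continue
        for entry in (entries if isinstance(entries, list) else [entries]):
            if entry.get("cybox") is False:
                observed[entry["key"]] = record[field]   # wrapper timestamp
                continue
            obj_type, prop = entry["key"].split(".", 1)
            obj = objects.setdefault(entry["object"], {"type": obj_type})
            if "references" not in entry:
                obj[prop] = record[field]                # literal property value
                continue
            target = objects.get(entry["references"])
            if target is None:   # referenced alias was never built: skip, do not dangle
                continue
            target.setdefault("id", f"{target['type']}--{uuid.uuid4()}")
            obj[prop] = target["id"]                     # a *_ref carries an id
    return observed, objects
```

Because references resolve against objects already built, the entry that creates the referenced object must precede the entry that references it, exactly as in the JSON above.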


mdazam1942 (Member)

@JingqiuDu can you please resolve the conflicts?

"key": "x-oca-event.category",
"object": "event"
}
],
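Review bot: the same source field should not be written to both `x-oca-event.category` and a category property on `x-ibm-finding`; keep a single mapping (the event object is the natural home for category) so consumers have one place to query and the two copies cannot drift apart.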
Member

Looks redundant to map category to both x-ibm-finding and x-oca-event object

Collaborator

Yeah, it should be removed from the finding object and left with the event object.

Contributor Author

fixed

@JingqiuDu JingqiuDu force-pushed the SEC18213azuremappingchanges branch from 59997e2 to bd9b787 November 27, 2021 23:27
JingqiuDu (Contributor Author)

@JingqiuDu can you please resolve the conflicts?

conflicts resolved

@JingqiuDu JingqiuDu force-pushed the SEC18213azuremappingchanges branch from 9c9b507 to c6ef67a December 10, 2021 14:02
@delliott90 delliott90 merged commit 4a6c3a9 into develop Dec 13, 2021
@delliott90 delliott90 deleted the SEC18213azuremappingchanges branch December 13, 2021 11:13