diff --git a/adapter-guide/connectors/alertflex_supported_stix.md b/adapter-guide/connectors/alertflex_supported_stix.md index 256cab017..be7895783 100644 --- a/adapter-guide/connectors/alertflex_supported_stix.md +++ b/adapter-guide/connectors/alertflex_supported_stix.md @@ -1,4 +1,21 @@ +##### Updated on 02/04/22 ## Alertflex +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | OR | +| OR | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | LIKE | +| IN | IN | +| MATCHES | LIKE | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | file | name | file | diff --git a/adapter-guide/connectors/arcsight_supported_stix.md b/adapter-guide/connectors/arcsight_supported_stix.md index 66a7fb32c..7a13b821c 100644 --- a/adapter-guide/connectors/arcsight_supported_stix.md +++ b/adapter-guide/connectors/arcsight_supported_stix.md @@ -1,4 +1,22 @@ +##### Updated on 02/04/22 ## Micro Focus ArcSight +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | AND | +| OR | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | = | +| IN | IN | +| MATCHES | CONTAINS | +| ISSUBSET | insubnet | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | filePath | diff --git a/adapter-guide/connectors/aws_athena_supported_stix.md b/adapter-guide/connectors/aws_athena_supported_stix.md index 34a0f7854..3b50b936a 100644 --- a/adapter-guide/connectors/aws_athena_supported_stix.md +++ b/adapter-guide/connectors/aws_athena_supported_stix.md 
@@ -1,4 +1,21 @@ +##### Updated on 02/04/22 ## Amazon Athena +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | INTERSECT | +| OR | UNION | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | LIKE | +| IN | IN | +| MATCHES | REGEXP_LIKE | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | domain-name | resolves_to_refs | resource_instancedetails_networkinterfaces_0_privateipaddress | diff --git a/adapter-guide/connectors/aws_cloud_watch_logs_supported_stix.md b/adapter-guide/connectors/aws_cloud_watch_logs_supported_stix.md index 5fdd7bed9..242c9e135 100644 --- a/adapter-guide/connectors/aws_cloud_watch_logs_supported_stix.md +++ b/adapter-guide/connectors/aws_cloud_watch_logs_supported_stix.md @@ -1,4 +1,21 @@ +##### Updated on 02/04/22 ## Amazon CloudWatch Logs +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | OR | +| OR | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | LIKE | +| IN | IN | +| MATCHES | LIKE | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | domain-name | resolves_to_refs | detail_resource_instanceDetails_networkInterfaces_0_privateIpAddress | diff --git a/adapter-guide/connectors/azure_sentinel_supported_stix.md b/adapter-guide/connectors/azure_sentinel_supported_stix.md index 9da05d16b..b90f7d182 100644 --- a/adapter-guide/connectors/azure_sentinel_supported_stix.md +++ b/adapter-guide/connectors/azure_sentinel_supported_stix.md 
@@ -1,4 +1,21 @@ +##### Updated on 02/04/22 ## Microsoft Azure Sentinel +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | and | +| OR | or | +| > | gt | +| >= | ge | +| < | lt | +| <= | le | +| = | eq | +| != | ne | +| LIKE | contains | +| IN | eq | +| MATCHES | contains | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | path | @@ -46,6 +63,8 @@ | process | pid | processId | | process | pid | registryKeyStates | | <br> | | | +| software | name | destinationServiceName | +| software | name | os | | software | name | applicationName | | software | name | provider | | software | vendor | vendor | 
@@ -59,48 +78,49 @@ | <br> | | | | windows-registry-key | key | registryKeyStates | | <br> | | | +| x-ibm-finding | dst_application_ref | destinationServiceName | +| x-ibm-finding | createddatetime | createdDateTime | +| x-ibm-finding | description | description | +| x-ibm-finding | src_os_ref.name | os | +| x-ibm-finding | time_observed | lastModifiedDateTime | +| x-ibm-finding | dst_geolocation | destinationLocation | +| x-ibm-finding | dst_ip_ref.value | natDestinationAddress | +| x-ibm-finding | src_ip_ref.value | natSourceAddress | +| x-ibm-finding | src_geolocation | sourceLocation | +| x-ibm-finding | severity | severity | +| x-ibm-finding | name | title | +| x-ibm-finding | src_application_user_ref.user_id | aadUserId | +| x-ibm-finding | src_application_user_ref.type | logonType | +| <br> | | | | x-msazure-sentinel | tenant_id | azureTenantId | | x-msazure-sentinel | subscription_id | azureSubscriptionId | | <br> | | | | x-msazure-sentinel-alert | activityGroupName | activityGroupName | | x-msazure-sentinel-alert | assignedTo | assignedTo | -| x-msazure-sentinel-alert | category | category | -| x-msazure-sentinel-alert | closedDateTime | closedDateTime | -| x-msazure-sentinel-alert | cloudAppStates.destinationServiceName | destinationServiceName | | x-msazure-sentinel-alert | cloudAppStates.destinationServiceIp | destinationServiceIp | | x-msazure-sentinel-alert | cloudAppStates.riskScore | riskScore | | x-msazure-sentinel-alert | comments | comments | | x-msazure-sentinel-alert | confidence | confidence | -| x-msazure-sentinel-alert | createddatetime | createdDateTime | -| x-msazure-sentinel-alert | description | description | | x-msazure-sentinel-alert | detectionids | detectionIds | | x-msazure-sentinel-alert | feedback | feedback | | x-msazure-sentinel-alert | fileStates.riskScore | riskScore | | x-msazure-sentinel-alert | hostStates.isAzureAadJoined | isAzureAadJoined | | x-msazure-sentinel-alert | hostStates.isAzureAadRegistered | 
isAzureAadRegistered | | x-msazure-sentinel-alert | hostStates.isHybridAzureDomainJoined | isHybridAzureDomainJoined | -| x-msazure-sentinel-alert | hostStates.os | os | | x-msazure-sentinel-alert | hostStates.riskScore | riskScore | -| x-msazure-sentinel-alert | providerid | id | | x-msazure-sentinel-alert | incidentIds | incidentIds | -| x-msazure-sentinel-alert | lastmodifieddatetime | lastModifiedDateTime | | x-msazure-sentinel-alert | malwareStates.category | category | | x-msazure-sentinel-alert | malwareStates.family | family | | x-msazure-sentinel-alert | malwareStates.name | name | | x-msazure-sentinel-alert | malwareStates.severity | severity | | x-msazure-sentinel-alert | malwareStates.wasRunning | wasRunning | -| x-msazure-sentinel-alert | networkConnections.destinationLocation | destinationLocation | | x-msazure-sentinel-alert | networkConnections.direction | direction | | x-msazure-sentinel-alert | networkConnections.domainRegisteredDateTime | domainRegisteredDateTime | | x-msazure-sentinel-alert | networkConnections.localDnsName | localDnsName | -| x-msazure-sentinel-alert | networkConnections.natDestinationAddress | natDestinationAddress | | x-msazure-sentinel-alert | networkConnections.natDestinationPort | natDestinationPort | -| x-msazure-sentinel-alert | networkConnections.natSourceAddress | natSourceAddress | | x-msazure-sentinel-alert | networkConnections.natSourcePort | natSourcePort | | x-msazure-sentinel-alert | networkConnections.riskScore | riskScore | -| x-msazure-sentinel-alert | networkConnections.sourceLocation | sourceLocation | | x-msazure-sentinel-alert | networkConnections.status | status | -| x-msazure-sentinel-alert | networkConnections.urlParameters | urlParameters | | x-msazure-sentinel-alert | processes.integrityLevel | integrityLevel | | x-msazure-sentinel-alert | processes.isElevated | isElevated | | x-msazure-sentinel-alert | recommendedactions | recommendedActions | 
@@ -111,25 +131,28 @@ | x-msazure-sentinel-alert | registryKeyStates.operation | registryKeyStates | | x-msazure-sentinel-alert | securityresources.resource | resource | | x-msazure-sentinel-alert | securityresources.resourcetype | resourceType | -| x-msazure-sentinel-alert | severity | severity | | x-msazure-sentinel-alert | sourcematerials | sourceMaterials | | x-msazure-sentinel-alert | status | status | | x-msazure-sentinel-alert | tags | tags | -| x-msazure-sentinel-alert | title | title | | x-msazure-sentinel-alert | triggers.name | name | | x-msazure-sentinel-alert | triggers.type | type | | x-msazure-sentinel-alert | triggers.value | value | -| x-msazure-sentinel-alert | userStates.aaduserid | aadUserId | | x-msazure-sentinel-alert | userStates.emailrole | emailRole | | x-msazure-sentinel-alert | userStates.isvpn | isVpn | | x-msazure-sentinel-alert | userStates.logonLocation | logonLocation | -| x-msazure-sentinel-alert | userStates.logonType | logonType | | x-msazure-sentinel-alert | userStates.onpremisessecurityidentifier | onPremisesSecurityIdentifier | | x-msazure-sentinel-alert | userStates.riskScore | riskScore | | x-msazure-sentinel-alert | userStates.useraccounttype | userAccountType | | x-msazure-sentinel-alert | userStates.userPrincipalName | userPrincipalName | -| x-msazure-sentinel-alert | vendorinformation.subprovider | subProvider | | x-msazure-sentinel-alert | vulnerabilityStates.cve | cve | | x-msazure-sentinel-alert | vulnerabilityStates.severity | severity | | x-msazure-sentinel-alert | vulnerabilityStates.wasRunning | wasRunning | | <br> | | | +| x-oca-event | category | category | +| x-oca-event | created | createdDateTime | +| x-oca-event | code | id | +| x-oca-event | domain_ref.value | urlParameters | +| x-oca-event | url_ref.value | urlParameters | +| x-oca-event | action | title | +| x-oca-event | provider | subProvider | +| <br> | | | 
diff --git a/adapter-guide/connectors/bigfix_supported_stix.md b/adapter-guide/connectors/bigfix_supported_stix.md index 51033fcd9..d836d44da 100644 --- a/adapter-guide/connectors/bigfix_supported_stix.md +++ b/adapter-guide/connectors/bigfix_supported_stix.md @@ -1,4 +1,21 @@ +##### Updated on 02/04/22 ## HCL BigFix +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | OR | +| OR | OR | +| = | = | +| != | != | +| LIKE | contains | +| MATCHES | matches | +| > | is greater than | +| >= | is greater than or equal to | +| < | is less than | +| <= | is less than or equal to | +| IN | = | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | file_path | diff --git a/adapter-guide/connectors/carbonblack_supported_stix.md b/adapter-guide/connectors/carbonblack_supported_stix.md index 85a935d0b..4da4dbfc1 100644 --- a/adapter-guide/connectors/carbonblack_supported_stix.md +++ b/adapter-guide/connectors/carbonblack_supported_stix.md @@ -1,4 +1,18 @@ +##### Updated on 02/04/22 ## Carbon Black CB Response +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | or | +| OR | or | +| = | : | +| != | : | +| > | : | +| >= | : | +| < | : | +| <= | : | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | path | diff --git a/adapter-guide/connectors/cbcloud_supported_stix.md b/adapter-guide/connectors/cbcloud_supported_stix.md index b2018c9f4..c4f460324 100644 --- a/adapter-guide/connectors/cbcloud_supported_stix.md +++ b/adapter-guide/connectors/cbcloud_supported_stix.md 
@@ -1,4 +1,19 @@ +##### Updated on 02/04/22 ## Carbon Black Cloud +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | AND | +| OR | OR | +| = | : | +| != | : | +| > | : | +| >= | : | +| < | : | +| <= | : | +| IN | : | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | process_path | diff --git a/adapter-guide/connectors/crowdstrike_supported_stix.md b/adapter-guide/connectors/crowdstrike_supported_stix.md index e5d99b178..09491f4a0 100644 --- a/adapter-guide/connectors/crowdstrike_supported_stix.md +++ b/adapter-guide/connectors/crowdstrike_supported_stix.md @@ -1,4 +1,18 @@ +##### Updated on 02/04/22 ## CrowdStrike Falcon +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | + | +| OR | , | +| = | : | +| != | :! | +| > | :> | +| >= | :>= | +| < | :< | +| <= | :<= | +| <br> | | +### Supported STIX Objects and Properties | STIX Object | STIX Property | Data Source Field | |--|--|--| | directory | path | filepath | diff --git a/adapter-guide/connectors/cybereason_supported_stix.md b/adapter-guide/connectors/cybereason_supported_stix.md index 9df33cef5..37e05495f 100644 --- a/adapter-guide/connectors/cybereason_supported_stix.md +++ b/adapter-guide/connectors/cybereason_supported_stix.md 
@@ -1,244 +1,519 @@ -| STIX Object | STIX Property | Data Source Field | -|--------------------------| ----------------------------------------- | ---------------------------------------- | -| ipv4-addr | value | localAddress | -| ipv4-addr | value | remoteAddress | -| ipv6-addr | value | localAddress | -| ipv6-addr | value | remoteAddress | -| network-traffic | src\_port | localPort | -| network-traffic | dst\_port | remotePort | -| network-traffic | protocols | transportProtocol | -| network-traffic | src\_ref | localAddress | -| network-traffic | dst\_ref | remoteAddress | -| network-traffic | src\_byte\_count | aggregatedTransmittedBytesCount | -| network-traffic | dst\_byte\_count | aggregatedReceivedBytesCount | -| network-traffic | dst\_byte\_count | receivedBytesCount | -| email-addr | value | emailAddress | -| email-addr | value | adMail | -| email-addr | value | adLogonName | -| domain-name | value | domainName | -| domain-name | value | urlDomains | -| domain-name | value | domainFqdn | -| domain-name | value | adDNSHostName | -| domain-name | value | domain | -| domain-name | value | adAssociatedDomain | -| url | value | pacUrl | -| mac-addr | value | macAddressFormat | -| process | command\_line | commandLine | -| process | command\_line | decodedCommandLine | -| process | created | creationTime | -| process | created | firstSeen | -| process | pid | applicablePid | -| process | name | elementDisplayName | -| process | name | parentProcess | -| process | name | execedBy | -| process | creator\_user\_ref.user\_id | user | -| process | parent\_ref.pid | applicablePid | -| process | parent\_ref.name | parentProcess | -| process | binary\_ref.name | elementDisplayName | -| user-account | user\_id | adSid | -| user-account | user\_id | user | -| user-account | user\_id | hostUser | -| user-account | user\_id | elementDisplayName | -| user-account | account\_login | user | -| user-account | account\_login | winLogonDetails | -| user-account | is\_privileged 
| isAdmin | -| user-account | display\_name | elementDisplayName | -| user-account | display\_name | adDisplayName | -| user-account | display\_name | adCanonicalName | -| file | name | elementDisplayName | -| file | name | originalFileName | -| file | name | file | -| file | name | file | -| file | name | binaryFile | -| file | name | oldBinaryFile | -| file | size | size | -| file | hashes.MD5 | md5String | -| file | hashes.SHA-1 | sha1String | -| file | hashes.SHA-256 | sha256String | -| file | parent\_directory\_ref.path | canonizedPath | -| file | parent\_directory\_ref.path | canonizedPath | -| file | parent\_directory\_ref.path | path | -| file | parent\_directory\_ref.path | path | -| file | parent\_directory\_ref.path | unitFilePath | -| directory | path | canonizedPath | -| directory | path | canonizedPath | -| directory | path | path | -| directory | path | path | -| directory | path | unitFilePath | -| windows-registry-key | key | elementDisplayName | -| windows-registry-key | values | value | -| x-cybereason-file | company\_name | companyName | -| x-cybereason-file | extension\_type | extensionType | -| x-cybereason-file | extension\_type | secondExtensionType | -| x-cybereason-file | classification\_type | maliciousClassificationType | -| x-cybereason-file | description | fileDescription | -| x-cybereason-file | internal\_name | internalName | -| x-cybereason-file | product\_name | productName | -| x-cybereason-file | product\_type | productType | -| x-cybereason-file | product\_version | productVersion | -| x-cybereason-file | version | fileVersion | -| x-cybereason-file | version | originalVersion | -| x-cybereason-file | copyright | legalCopyright | -| x-cybereason-file | build | privateBuild | -| x-cybereason-file | build | specialBuild | -| x-cybereason-file | classification\_link | classificationLink | -| x-cybereason-file | is\_sign\_verified | signatureVerifiedInternalOrExternal | -| x-cybereason-file | signer | signerInternalOrExternal | -| 
x-cybereason-file | signer | signer | -| x-cybereason-file | is\_file\_signed | signedInternalOrExternal | -| x-cybereason-file | registry\_key | autorun | -| x-cybereason-file | quarantined\_file\_version | fileIsQuarantinedVersion | -| x-cybereason-file | event | fileAccessEvents | -| x-cybereason-file | downloaded\_domain | downloadedFromDomain | -| x-cybereason-file | owner\_machine | ownerMachine | -| x-cybereason-file | mount\_point | mount | -| x-cybereason-file | mounted\_as | mountedAs | -| x-cybereason-file | quarantined\_action | fileIsQuarantined | -| x-cybereason-logonsession | session | clientRemoteSession | -| x-cybereason-logonsession | session | serverRemoteSession | -| x-cybereason-logonsession | user\_id | LUID | -| x-cybereason-logonsession | type | logonType | -| x-cybereason-logonsession | application | logonApplication | -| x-cybereason-logonsession | name | elementDisplayName | -| x-cybereason-logonsession | machine | ownerMachine | -| x-cybereason-logonsession | machine | remoteMachine | -| x-cybereason-logonsession | machine | remoteNetworkMachine | -| x-cybereason-logonsession | processes | processes | -| x-cybereason-logonsession | proxies | proxies | -| x-cybereason-logonsession | ip\_address | sourceIp | -| x-oca-asset | name | elementDisplayName | -| x-oca-asset | name | adDisplayName | -| x-oca-asset | name | adCanonicalName | -| x-oca-asset | os\_version | osVersionType | -| x-oca-asset | platform | platformArchitecture | -| x-oca-asset | os\_type | osType | -| x-oca-asset | timezone | timezoneUTCOffsetMinutes | -| x-oca-asset | mbr\_hash | mbrHashString | -| x-oca-asset | hosts\_file | hostsFile | -| x-oca-asset | company | ownerOrganization | -| x-oca-asset | department\_or\_unit | adOU | -| x-oca-asset | removable\_devices | removableDevices | -| x-oca-asset | last\_communication\_with\_server | timeStampSinceLastConnectionTime | -| x-oca-asset | activity\_time | uptime | -| x-oca-asset | model | deviceModel | -| x-oca-asset | 
location | adLocation | -| x-oca-asset | network\_interface | networkInterfaces | -| x-cybereason-service | execution | automaticExecution | -| x-cybereason-service | arguments | commandLineArguments | -| x-cybereason-service | description | description | -| x-cybereason-service | name | displayName | -| x-cybereason-service | name | oldServiceStartName | -| x-cybereason-service | name | elementDisplayName | -| x-cybereason-service | name | serviceStartName | -| x-cybereason-service | name | service | -| x-cybereason-service | name | service | -| x-cybereason-service | driver | driver | -| x-cybereason-service | state | serviceState | -| x-cybereason-service | sub\_state | serviceSubState | -| x-cybereason-service | type | serviceType | -| x-cybereason-service | start\_type | startType | -| x-cybereason-service | machine | ownerMachine | -| x-cybereason-connection | name | elementDisplayName | -| x-cybereason-connection | location | remoteAddressCountryName | -| x-cybereason-connection | dns\_query | dnsQuery | -| x-cybereason-connection | direction | direction | -| x-cybereason-connection | port\_type | portType | -| x-cybereason-connection | state | state | -| x-cybereason-connection | remote\_address\_type | remoteAddressInternalExternalLocal | -| x-cybereason-connection | parent\_listening\_socket | parent | -| x-cybereason-connection | classification\_type | remoteAddressMaliciousClassificationType | -| x-cybereason-connection | machine | ownerMachine | -| x-cybereason-connection | machine | remoteMachine | -| x-cybereason-connection | owner\_process | ownerProcess | -| x-cybereason-connection | owner\_process | processName | -| x-cybereason-process | architecture | architecture | -| x-cybereason-process | block\_listed\_domain | unresolvedQueryFromBlackListDomain | -| x-cybereason-process | extension\_type | imageFileExtensionType | -| x-cybereason-process | integrity | integrity | -| x-cybereason-process | thread\_id | tid | -| x-cybereason-process | 
openedFiles | openedFiles | -| x-cybereason-process | injection\_method | injectionMethod | -| x-cybereason-process | executed\_a\_file\_with\_malicious\_hash | maliciousOpenedFiles | -| x-cybereason-process | machine | ownerMachine | -| x-cybereason-process | connections | connectionsToMaliciousDomain | -| x-cybereason-process | connections | connectionsToBlackListDomain | -| x-cybereason-process | connections | internalConnections | -| x-cybereason-process | connections | connectionsToMalwareAddresses | -| x-cybereason-process | connections | connections | -| x-cybereason-process | connections | outgoingConnections | -| x-cybereason-process | connections | outgoingConnectionsOfHostProcess | -| x-cybereason-process | connections | connectionsOfHostProcess | -| x-cybereason-process | connections | outgoingExternalConnections | -| x-cybereason-process | total\_connections | totalNumberOfConnections | -| x-cybereason-process | powershell\_modules | powerShellModules | -| x-cybereason-process | loaded\_modules | modulesFromTemp | -| x-cybereason-process | loaded\_modules | loadedModules | -| x-cybereason-process | product\_type | productType | -| x-cybereason-process | registry\_events | registryEvents | -| x-cybereason-process | ransomware\_classification\_modules | ransomwareClassificationModules | -| x-cybereason-process | remote\_session | remoteSession | -| x-cybereason-process | resolved\_dns\_domain\_to\_domain | resolvedDnsQueriesDomainToDomain | -| x-cybereason-process | resolved\_dns\_domain\_to\_ip | resolvedDnsQueriesDomainToIp | -| x-cybereason-process | resolved\_dns\_ip\_to\_domain | resolvedDnsQueriesIpToDomain | -| x-cybereason-process | suspicious\_domain\_to\_domain | suspiciousDnsQueryDomainToDomain | -| x-cybereason-process | suspicious\_unresolved\_dns | unresolvedQueryFromSuspiciousDomain | -| x-cybereason-process | suspicious\_external\_connections | suspiciousExternalConnections | -| x-cybereason-process | suspicious\_internal\_connections | 
suspiciousInternalConnections | -| x-cybereason-process | scheduled\_task | scheduledTask | -| x-cybereason-process | service | service | -| x-cybereason-process | received\_bytes | totalReceivedBytes | -| x-cybereason-process | transmitted\_bytes | totalTransmittedBytes | -| x-cybereason-process | unresolved\_domain\_lookups | unresolvedDnsQueriesFromDomain | -| x-cybereason-process | unresolved\_ip\_lookups | unresolvedDnsQueriesFromIp | -| x-cybereason-process | unresolved\_record\_not\_exist | unresolvedRecordNotExist | -| x-cybereason-process | unwanted\_classification\_modules | unwantedClassificationModules | -| x-cybereason-process | unsigned\_with\_signed\_version\_modules | unsignedWithSignedVersionModules | -| x-cybereason-process | well\_known\_port\_connection | wellKnownPortConnections | -| x-cybereason-process | wmi\_activities | wmiActivities | -| x-cybereason-user | total\_machines | numberOfMachines | -| x-cybereason-user | privileges | privileges | -| x-cybereason-user | security\_id | sid | -| x-cybereason-user | security\_id | adSid | -| x-cybereason-user | company | adCompany | -| x-cybereason-user | country | adCountry | -| x-cybereason-user | country | adTextCountry | -| x-cybereason-user | department | adDepartment | -| x-cybereason-user | member | adMemberOf | -| x-cybereason-user | organization | adOU | -| x-cybereason-user | organizational\_unit | ownerOrganization | -| x-cybereason-user | group\_id | adPrimaryGroupID | -| x-cybereason-user | sam\_account\_name | adSamAccountName | -| x-cybereason-user | logged\_last\_machine | ownerMachine | -| x-cybereason-user | process\_count | newProcessesCount | -| x-cybereason-driver | name | elementDisplayName | -| x-cybereason-driver | service | service | -| x-cybereason-driver | machine | ownerMachine | -| x-oca-event | name | elementDisplayName | -| x-oca-event | name | elementDisplayName | -| x-oca-event | name | elementDisplayName | -| x-oca-event | detection\_event\_user | user | -| 
x-oca-event | file\_event\_user | ownerUser | -| x-oca-event | connection | connection | -| x-oca-event | detection\_value | detectionValue | -| x-oca-event | detection\_value\_type | detectionValueType | -| x-oca-event | status | decisionStatus | -| x-oca-event | engine | detectionEngine | -| x-oca-event | script\_engine | scriptEngine | -| x-oca-event | domain | domain | -| x-oca-event | process | process | -| x-oca-event | process | registryProcess | -| x-oca-event | process | ownerProcess | -| x-oca-event | collection\_of\_machines | machine | -| x-oca-event | machine | ownerMachine | -| x-oca-event | machine | ownerMachine | -| x-oca-event | machine | ownerMachine | -| x-oca-event | file\_event\_type | fileEventType | -| x-oca-event | data | data | -| x-oca-event | detection\_time | detectionTimesNumber | -| x-oca-event | time | firstTime | -| x-oca-event | time | timestamp | -| x-oca-event | time | firstAccessTime | -| x-oca-event | registry\_entry | registryEntry | -| x-oca-event | data\_type | registryDataType | -| x-oca-event | registry\_entry\_type | registryEntryType | -| x-oca-event | operation\_type | registryOperationType | \ No newline at end of file +##### Updated on 02/04/22 +## Cybereason +### Supported STIX Operators +| STIX Operator | Data Source Operator | +|--|--| +| AND | AND | +| > | GreaterThan | +| >= | GreaterOrEqualsTo | +| < | LessThan | +| <= | LessOrEqualsTo | +| = | Equals | +| != | NotEquals | +| LIKE | ContainsIgnoreCase | +| IN | Equals | +| MATCHES | ContainsIgnoreCase | +| <br> | | +### Supported STIX Objects and Properties +| STIX Object | STIX Property | Data Source Field | +|--|--|--| +| directory | path | correctedPath | +| directory | path | canonizedPath | +| directory | path | path | +| directory | path | unitFilePath | +| <br> | | | +| domain-name | value | domainName | +| domain-name | value | urlDomains | +| domain-name | value | adAssociatedDomain | +| domain-name | value | domainFqdn | +| domain-name | value | 
adDNSHostName | +| <br> | | | +| email-addr | value | adLogonName | +| email-addr | value | emailAddress | +| email-addr | value | adMail | +| <br> | | | +| file | name | ownerProcess | +| file | name | elementDisplayName | +| file | hashes.SHA-1 | imageFile.sha1String | +| file | hashes.SHA-256 | imageFile.sha256String | +| file | hashes.MD5 | imageFile.md5String | +| file | name | imageFile | +| file | name | parentProcess | +| file | name | execedBy | +| file | hashes.SHA-1 | sha1String | +| file | hashes.MD5 | md5String | +| file | hashes.SHA-256 | sha256String | +| file | created | createdTime | +| file | modified | modifiedTime | +| file | size | size | +| file | parent_directory_ref | correctedPath | +| file | parent_directory_ref | canonizedPath | +| file | parent_directory_ref | path | +| file | extensions.x-cybereason-file.description | fileDescription | +| file | extensions.x-cybereason-file.version | fileVersion | +| file | extensions.x-cybereason-file-product.product_name | productName | +| file | name | originalFileName | +| file | extensions.x-cybereason-file-product.product_version | productVersion | +| file | extensions.x-cybereason-file.is_file_signed | signedInternalOrExternal | +| file | extensions.x-cybereason-file.extension_type | extensionType | +| file | extensions.x-cybereason-file.is_pefile | isPEFile | +| file | extensions.x-cybereason-file-product.copyright | legalCopyright | +| file | extensions.x-cybereason-file.is_sign_verified | signatureVerifiedInternalOrExternal | +| file | extensions.x-cybereason-file.company_name | companyName | +| file | extensions.x-cybereason-file.av_remediation_status | avRemediationStatus | +| file | extensions.x-cybereason-file.signer | signerInternalOrExternal | +| file | extensions.x-cybereason-file.autoruns | autoruns | +| file | extensions.x-cybereason-file.owner_machine | ownerMachine | +| file | extensions.x-cybereason-file.mount | mount | +| file | extensions.x-cybereason-file.registry_key | autorun 
| +| file | extensions.x-cybereason-file.dual_extension_evidence | dualExtensionEvidence | +| file | extensions.x-cybereason-file.hidden_file_extension_evidence | hiddenFileExtensionEvidence | +| file | extensions.x-cybereason-file.right_to_left_file_extension_evidence | rightToLeftFileExtensionEvidence | +| file | extensions.x-cybereason-file.hacking_tool_classification_evidence | hackingToolClassificationEvidence | +| file | extensions.x-cybereason-file.classification_link | classificationLink | +| file | extensions.x-cybereason-file.executed_by_process_evidence | executedByProcessEvidence | +| file | extensions.x-cybereason-file.has_autorun | hasAutorun | +| file | extensions.x-cybereason-file.is_installer_properties | isInstallerProperties | +| file | extensions.x-cybereason-file.is_from_removable_device | isFromRemovableDevice | +| file | extensions.x-cybereason-file-product.product_type | productType | +| file | extensions.x-cybereason-file.second_extension_type | secondExtensionType | +| file | extensions.x-cybereason-file.temporary_folder_evidence | temporaryFolderEvidence | +| file | extensions.x-cybereason-file.multiple_company_names_evidence | multipleCompanyNamesEvidence | +| file | extensions.x-cybereason-file.multiple_hash_for_unsigned_pe_info_evidence | multipleHashForUnsignedPeInfoEvidence | +| file | extensions.x-cybereason-file.unsigned_has_signed_version_evidence | unsignedHasSignedVersionEvidence | +| file | extensions.x-cybereason-file.classification_comment | classificationComment | +| file | extensions.x-cybereason-file.is_downloaded_from_internet | isDownloadedFromInternet | +| file | extensions.x-cybereason-file.downloaded_domain | downloadedFromDomain | +| file | extensions.x-cybereason-file.downloaded_from_ip_address | downloadedFromIpAddress | +| file | extensions.x-cybereason-file.downloaded_from_url | downloadedFromUrl | +| file | extensions.x-cybereason-file.downloaded_from_url_referrer | downloadedFromUrlReferrer | +| file | 
extensions.x-cybereason-file.downloaded_from_email_from | downloadedFromEmailFrom | +| file | extensions.x-cybereason-file.downloaded_from_email_message_id | downloadedFromEmailMessageId | +| file | extensions.x-cybereason-file.downloaded_from_email_subject | downloadedFromEmailSubject | +| file | extensions.x-cybereason-file.legal_trademarks | legalTrademarks | +| file | extensions.x-cybereason-file.private_build | privateBuild | +| file | extensions.x-cybereason-file.special_build | specialBuild | +| file | extensions.x-cybereason-file.internal_name | internalName | +| file | extensions.x-cybereason-file.comments | comments | +| file | extensions.x-cybereason-file.application_identifier | applicationIdentifier | +| file | name | registryProcess | +| file | name | process | +| file | name | file | +| file | created | creationTime | +| file | extensions.x-cybereason-file-event.name | elementDisplayName | +| file | extensions.x-cybereason-file-event.machine | ownerMachine | +| file | extensions.x-cybereason-file-event.file_info | fileInfo | +| file | extensions.x-cybereason-file-event.new_path | newPath | +| file | extensions.x-cybereason-file-event.is_hidden | isHidden | +| file | name | binaryFile | +| file | name | oldBinaryFile | +| file | parent_directory_ref | unitFilePath | +| <br> | | | +| ipv4-addr | value | localAddress | +| ipv4-addr | value | remoteAddress | +| ipv4-addr | extensions.x-cybereason-networkinterface.name | elementDisplayName | +| ipv4-addr | extensions.x-cybereason-networkinterface.ip_address | ipAddress | +| ipv4-addr | extensions.x-cybereason-networkinterface.owner_machine | ownerMachine | +| ipv4-addr | extensions.x-cybereason-networkinterface.dns_server | dnsServer | +| ipv4-addr | value | dhcpServer | +| ipv4-addr | resolves_to_refs | macAddressFormat | +| ipv4-addr | extensions.x-cybereason-networkinterface.interface_id | id | +| ipv4-addr | extensions.x-cybereason-networkinterface.proxies | proxies | +| ipv4-addr | value | sourceIp | 
+| <br> | | |
+| ipv6-addr | value | localAddress |
+| ipv6-addr | value | remoteAddress |
+| ipv6-addr | value | dhcpServer |
+| ipv6-addr | value | sourceIp |
+| <br> | | |
+| mac-addr | value | macAddressFormat |
+| <br> | | |
+| network-traffic | src_ref | localAddress |
+| network-traffic | protocols | transportProtocol |
+| network-traffic | dst_ref | remoteAddress |
+| network-traffic | dst_port | remotePort |
+| network-traffic | src_port | localPort |
+| network-traffic | src_byte_count | aggregatedTransmittedBytesCount |
+| network-traffic | dst_byte_count | aggregatedReceivedBytesCount |
+| network-traffic | start | calculatedCreationTime |
+| network-traffic | end | endTime |
+| network-traffic | extensions.x-cybereason-connection.direction | direction |
+| network-traffic | extensions.x-cybereason-connection.machine | ownerMachine |
+| network-traffic | extensions.x-cybereason-connection.port_type | portType |
+| network-traffic | extensions.x-cybereason-connection.dns_query | dnsQuery |
+| network-traffic | extensions.x-cybereason-connection.port_description | portDescription |
+| network-traffic | extensions.x-cybereason-connection.name | elementDisplayName |
+| network-traffic | extensions.x-cybereason-connection.state | state |
+| network-traffic | extensions.x-cybereason-connection.location | remoteAddressCountryName |
+| network-traffic | extensions.x-cybereason-connection.remote_address_type | remoteAddressInternalExternalLocal |
+| network-traffic | extensions.x-cybereason-connection.parent_listening_socket | parent |
+| network-traffic | extensions.x-cybereason-connection.external_connection | isExternalConnection |
+| network-traffic | extensions.x-cybereason-connection.incoming | isIncoming |
+| network-traffic | extensions.x-cybereason-connection.well_known_port | isWellKnownPort |
+| network-traffic | extensions.x-cybereason-connection.legit_process | isProcessLegit |
+| <br> | | |
+| process | name | ownerProcess |
+| process | binary_ref 
| ownerProcess |
+| process | name | elementDisplayName |
+| process | binary_ref | elementDisplayName |
+| process | pid | applicablePid |
+| process | command_line | commandLine |
+| process | created | creationTime |
+| process | name | parentProcess |
+| process | parent_ref | parentProcess |
+| process | creator_user_ref | calculatedUser |
+| process | extensions.x-cybereason-process.company_name | imageFile.companyName |
+| process | extensions.x-cybereason-process.product_name | imageFile.productName |
+| process | extensions.x-cybereason-process.machine | ownerMachine |
+| process | extensions.x-cybereason-process.extension_type | imageFileExtensionType |
+| process | extensions.x-cybereason-process.integrity | integrity |
+| process | extensions.x-cybereason-process.tid | tid |
+| process | extensions.x-cybereason-process.is_aggregate | isAggregate |
+| process | extensions.x-cybereason-process.is_dot_net_protected | isDotNetProtected |
+| process | extensions.x-cybereason-process.multiple_size_for_hash_evidence | multipleSizeForHashEvidence |
+| process | extensions.x-cybereason-process.is_verified | isImageFileVerified |
+| process | extensions.x-cybereason-process.multiple_company_evidence | imageFileMultipleCompanyNamesEvidence |
+| process | extensions.x-cybereason-process.multiple_hash_unsigned_pe_evidence | multipleHashForUnsignedPeInfoEvidence |
+| process | extensions.x-cybereason-process.multiple_name_hash_evidence | multipleNameForHashEvidence |
+| process | extensions.x-cybereason-process.unknown_evidence | unknownEvidence |
+| process | extensions.x-cybereason-process.rare_pe_mismatch_evidence | rareHasPeMismatchEvidence |
+| process | extensions.x-cybereason-process.signed_internal_or_external | imageFile.signedInternalOrExternal |
+| process | extensions.x-cybereason-process.unknown_unsigned_sign_company | unknownUnsignedBySigningCompany |
+| process | extensions.x-cybereason-process.unsigned_evidence | imageFileUnsignedEvidence |
+| process 
| extensions.x-cybereason-process.unsigned_has_signed_version | imageFileUnsignedHasSignedVersionEvidence |
+| process | extensions.x-cybereason-process.signer_internal_or_external | imageFile.signerInternalOrExternal |
+| process | extensions.x-cybereason-process.architecture | architecture |
+| process | extensions.x-cybereason-process.command_line_contains_temp | commandLineContainsTempEvidence |
+| process | extensions.x-cybereason-process.has_children | hasChildren |
+| process | extensions.x-cybereason-process.has_visible_windows | hasVisibleWindows |
+| process | extensions.x-cybereason-process.has_windows | hasWindows |
+| process | extensions.x-cybereason-process.is_installer | isInstaller |
+| process | extensions.x-cybereason-process.is_identified_product | isIdentifiedProduct |
+| process | extensions.x-cybereason-process.has_module_temp_evidence | hasModuleFromTempEvidence |
+| process | extensions.x-cybereason-process.non_executable_extension | nonExecutableExtensionEvidence |
+| process | extensions.x-cybereason-process.is_not_shell_runner | isNotShellRunner |
+| process | extensions.x-cybereason-process.running_from_temp | runningFromTempEvidence |
+| process | extensions.x-cybereason-process.shell_elevated_privileges | shellWithElevatedPrivilegesEvidence |
+| process | extensions.x-cybereason-process.system_user_evidence | systemUserEvidence |
+| process | extensions.x-cybereason-process.unresolved_record_not_exists | multipleUnresolvedRecordNotExistsEvidence |
+| process | extensions.x-cybereason-process.non_default_resolver | hasNonDefaultResolverEvidence |
+| process | extensions.x-cybereason-process.parent_process_not_admin | parentProcessNotAdminUserEvidence |
+| process | extensions.x-cybereason-process.parent_process_removable_device | parentProcessFromRemovableDeviceEvidence |
+| process | extensions.x-cybereason-process.autorun | autorun |
+| process | extensions.x-cybereason-process.children_created_thread | childrenCreatedByThread |
+| 
process | extensions.x-cybereason-process.elevated_privilege_children | elevatedPrivilegeChildren |
+| process | extensions.x-cybereason-process.hacker_tool_children | hackerToolChildren |
+| process | extensions.x-cybereason-process.host_process | hostProcess |
+| process | extensions.x-cybereason-process.hosted_children | hostedChildren |
+| process | extensions.x-cybereason-process.injected_children | injectedChildren |
+| process | extensions.x-cybereason-process.loaded_modules | loadedModules |
+| process | extensions.x-cybereason-process.logon_session | logonSession |
+| process | extensions.x-cybereason-process.remote_session | remoteSession |
+| process | extensions.x-cybereason-process.service | service |
+| process | name | execedBy |
+| process | extensions.x-cybereason-process.low_ttl_dns_queries | lowTtlDnsQueries |
+| process | extensions.x-cybereason-process.non_default_resolver_queries | nonDefaultResolverQueries |
+| process | extensions.x-cybereason-process.resolved_dns_domain_to_domain | resolvedDnsQueriesDomainToDomain |
+| process | extensions.x-cybereason-process.resolved_dns_domain_to_ip | resolvedDnsQueriesDomainToIp |
+| process | extensions.x-cybereason-process.resolved_dns_ip_to_domain | resolvedDnsQueriesIpToDomain |
+| process | extensions.x-cybereason-process.unresolved_record_not_exist | unresolvedRecordNotExist |
+| process | extensions.x-cybereason-process.unresolved_domain_lookups | unresolvedDnsQueriesFromDomain |
+| process | extensions.x-cybereason-process.unresolved_ip_lookups | unresolvedDnsQueriesFromIp |
+| process | extensions.x-cybereason-process.modules_not_db_list | modulesNotInLoaderDbList |
+| process | extensions.x-cybereason-process.modules_from_temp | modulesFromTemp |
+| process | extensions.x-cybereason-process.unsigned_signed_version_module | unsignedWithSignedVersionModules |
+| process | extensions.x-cybereason-process.unwanted_classification_modules | unwantedClassificationModules |
+| process | 
extensions.x-cybereason-process.external_connection_evidence | hasRareExternalConnectionEvidence |
+| process | extensions.x-cybereason-process.remote_address_evidence | hasRareRemoteAddressEvidence |
+| process | extensions.x-cybereason-process.high_volume_external_outgoing_connection | hasAbsoluteHighVolumeExternalOutgoingConnectionEvidence |
+| process | extensions.x-cybereason-process.high_data_volume_transmitted_by_unknown_process | highDataVolumeTransmittedByUnknownProcess |
+| process | extensions.x-cybereason-process.high_number_internal_outgoing_embryonic_connections_evidence | absoluteHighNumberOfInternalOutgoingEmbryonicConnectionsEvidence |
+| process | extensions.x-cybereason-process.low_ttl_dns_query_evidence | hasLowTtlDnsQueryEvidence |
+| process | extensions.x-cybereason-process.high_unresolved_to_resolved_rate_evidence | highUnresolvedToResolvedRateEvidence |
+| process | extensions.x-cybereason-process.many_unresolved_record_not_exists_evidence | manyUnresolvedRecordNotExistsEvidence |
+| process | extensions.x-cybereason-process.child_known_hacker_tool_evidence | hasChildKnownHackerToolEvidence |
+| process | extensions.x-cybereason-process.hacking_tool_non_tool_runner_evidence | hackingToolOfNonToolRunnerEvidence |
+| process | extensions.x-cybereason-process.rare_child_process_known_hacker_tool_evidence | hasRareChildProcessKnownHackerToolEvidence |
+| process | extensions.x-cybereason-process.deleted_parent_process_evidence | deletedParentProcessEvidence |
+| process | extensions.x-cybereason-process.dual_extension_name_evidence | dualExtensionNameEvidence |
+| process | extensions.x-cybereason-process.hidden_file_extension_evidence | hiddenFileExtensionEvidence |
+| process | extensions.x-cybereason-process.right_to_left_file_extension_evidence | rightToLeftFileExtensionEvidence |
+| process | extensions.x-cybereason-process.screen_saver_with_children_evidence | screenSaverWithChildrenEvidence |
+| process | 
extensions.x-cybereason-process.has_pe_floating_code_evidence | hasPeFloatingCodeEvidence |
+| process | extensions.x-cybereason-process.has_section_mismatch_evidence | hasSectionMismatchEvidence |
+| process | extensions.x-cybereason-process.detected_injected_evidence | detectedInjectedEvidence |
+| process | extensions.x-cybereason-process.detected_injecting_evidence | detectedInjectingEvidence |
+| process | extensions.x-cybereason-process.detected_injecting_to_protected_process_evidence | detectedInjectingToProtectedProcessEvidence |
+| process | extensions.x-cybereason-process.has_injected_children | hasInjectedChildren |
+| process | extensions.x-cybereason-process.hosting_injected_thread_evidence | hostingInjectedThreadEvidence |
+| process | extensions.x-cybereason-process.injected_protected_process_evidence | injectedProtectedProcessEvidence |
+| process | extensions.x-cybereason-process.injection_method | injectionMethod |
+| process | extensions.x-cybereason-process.is_hosting_injected_thread | isHostingInjectedThread |
+| process | extensions.x-cybereason-process.high_internal_outgoing_evidence | highInternalOutgoingEmbryonicConnectionRateEvidence |
+| process | extensions.x-cybereason-process.high_number_of_internal_connections_evidence | highNumberOfInternalConnectionsEvidence |
+| process | extensions.x-cybereason-process.new_processes_above_threshold_evidence | newProcessesAboveThresholdEvidence |
+| process | extensions.x-cybereason-process.has_rare_internal_connection_evidence | hasRareInternalConnectionEvidence |
+| process | extensions.x-cybereason-process.elevating_privileges_to_child_evidence | elevatingPrivilegesToChildEvidence |
+| process | extensions.x-cybereason-process.parent_process_not_system_user_evidence | parentProcessNotSystemUserEvidence |
+| process | extensions.x-cybereason-process.privilege_escalation_evidence | privilegeEscalationEvidence |
+| process | 
extensions.x-cybereason-process.first_execution_of_downloaded_process_evidence | firstExecutionOfDownloadedProcessEvidence |
+| process | extensions.x-cybereason-process.has_autorun | hasAutorun |
+| process | extensions.x-cybereason-process.new_process_evidence | newProcessEvidence |
+| process | extensions.x-cybereason-process.ransomware_auto_remediation_suspended | ransomwareAutoRemediationSuspended |
+| process | extensions.x-cybereason-process.total_num_of_instances | totalNumOfInstances |
+| process | extensions.x-cybereason-process.last_minute_num_of_instances | lastMinuteNumOfInstances |
+| process | extensions.x-cybereason-process.last_seen_time_stamp | lastSeenTimeStamp |
+| process | extensions.x-cybereason-process.wmi_query_strings | wmiQueryStrings |
+| process | extensions.x-cybereason-process.is_executed_by_wmi | isExectuedByWmi |
+| process | extensions.x-cybereason-process.absolute_high_number_of_internal_connections | absoluteHighNumberOfInternalConnectionsEvidence |
+| process | extensions.x-cybereason-process.is_downloaded_from_internet | imageFile.isDownloadedFromInternet |
+| process | extensions.x-cybereason-process.downloaded_from_domain | imageFile.downloadedFromDomain |
+| process | extensions.x-cybereason-process.downloaded_from_ip_address | imageFile.downloadedFromIpAddress |
+| process | extensions.x-cybereason-process.user_id | imageFile.downloadedFromUrl |
+| process | extensions.x-cybereason-process.downloaded_from_url_referrer | imageFile.downloadedFromUrlReferrer |
+| process | extensions.x-cybereason-process.downloaded_from_email_from | imageFile.downloadedFromEmailFrom |
+| process | extensions.x-cybereason-process.downloaded_from_email_message_id | imageFile.downloadedFromEmailMessageId |
+| process | extensions.x-cybereason-process.downloaded_from_email_subject | imageFile.downloadedFromEmailSubject |
+| process | extensions.x-cybereason-process.rpc_requests | rpcRequests |
+| process | 
extensions.x-cybereason-process.icon_base64 | iconBase64 |
+| process | extensions.x-cybereason-process.matched_white_list_rule_ids | matchedWhiteListRuleIds |
+| process | name | registryProcess |
+| process | binary_ref | registryProcess |
+| process | name | process |
+| process | binary_ref | process |
+| process | created | process.creationTime |
+| process | created | firstSeen |
+| process | created | firstAccessTime |
+| <br> | | |
+| url | value | pacUrl |
+| <br> | | |
+| user-account | user_id | calculatedUser |
+| user-account | user_id | hostUser |
+| user-account | user_id | elementDisplayName |
+| user-account | display_name | elementDisplayName |
+| user-account | user_id | username |
+| user-account | is_privileged | isAdmin |
+| user-account | account_created | adCreated |
+| user-account | extensions.x-cybereason-user.domain | domain |
+| user-account | extensions.x-cybereason-user.organizational_unit | ownerOrganization.name |
+| user-account | extensions.x-cybereason-user.last_logged_machine | ownerMachine |
+| user-account | extensions.x-cybereason-user.is_local_system | isLocalSystem |
+| user-account | extensions.x-cybereason-user.department | adDepartment |
+| user-account | extensions.x-cybereason-user.country | adCountry |
+| user-account | extensions.x-cybereason-user.company | adCompany |
+| user-account | extensions.x-cybereason-user.total_machines | numberOfMachines |
+| user-account | extensions.x-cybereason-user.password_age_days | passwordAgeDays |
+| user-account | extensions.x-cybereason-user.privileges | privileges |
+| user-account | extensions.x-cybereason-user.comment | comment |
+| user-account | extensions.x-cybereason-user.canonical_name | adCanonicalName |
+| user-account | display_name | adDisplayName |
+| user-account | extensions.x-cybereason-user.member_of | adMemberOf |
+| user-account | extensions.x-cybereason-user.organization | adOU |
+| user-account | extensions.x-cybereason-user.group_id | adPrimaryGroupID |
+| 
user-account | extensions.x-cybereason-user.sam_account_name | adSamAccountName |
+| user-account | extensions.x-cybereason-user.title | adTitle |
+| user-account | extensions.x-cybereason-user.sid | sid |
+| user-account | extensions.x-cybereason-user.has_power_tool | hasPowerTool |
+| user-account | extensions.x-cybereason-user.unusual_process_ext_connection | hasRareProcessWithExternalConnections |
+| user-account | user_id | user |
+| user-account | user_id | adSid |
+| user-account | account_login | user |
+| <br> | | |
+| windows-registry-key | extensions.x-cybereason-registry-event.name | elementDisplayName |
+| windows-registry-key | extensions.x-cybereason-registry-event.registry_operation_type | registryOperationType |
+| windows-registry-key | extensions.x-cybereason-registry-event.first_seen | firstTime |
+| windows-registry-key | extensions.x-cybereason-registry-event.last_seen | timestamp |
+| windows-registry-key | extensions.x-cybereason-registry-event.detection_time_number | detectionTimesNumber |
+| windows-registry-key | key | registryEntry |
+| windows-registry-key | extensions.x-cybereason-registry-event.owner_machine | ownerMachine |
+| windows-registry-key | key | elementDisplayName |
+| windows-registry-key | extensions.x-cybereason-registryentry.value | value |
+| windows-registry-key | extensions.x-cybereason-registryentry.depend_in_file | dependInFile |
+| windows-registry-key | extensions.x-cybereason-registryentry.owner_machine | ownerMachine |
+| windows-registry-key | extensions.x-cybereason-registryentry.is_pointing_to_tmp | isPointingToTemp |
+| windows-registry-key | extensions.x-cybereason-registryentry.registry_entry | registryEntry |
+| windows-registry-key | extensions.x-cybereason-registryentry.end_time | endTime |
+| <br> | | |
+| x-cybereason-connection | has_external_connection | hasExternalConnection |
+| x-cybereason-connection | external_connection_known_port | hasExternalConnectionToWellKnownPortEvidence |
+| 
x-cybereason-connection | has_incoming_connection | hasIncomingConnection |
+| x-cybereason-connection | has_internal_connection | hasInternalConnection |
+| x-cybereason-connection | mail_connection_for_non_mail_process | hasMailConnectionForNonMailProcessEvidence |
+| x-cybereason-connection | has_listening_connection | hasListeningConnection |
+| x-cybereason-connection | has_outgoing_connection | hasOutgoingConnection |
+| x-cybereason-connection | has_unresolved_dns_query | hasUnresolvedDnsQueriesFromDomain |
+| x-cybereason-connection | connections | connections |
+| x-cybereason-connection | external_connections | externalConnections |
+| x-cybereason-connection | absolute_high_vol_external_connections | absoluteHighVolumeExternalConnections |
+| x-cybereason-connection | incoming_connections | incomingConnections |
+| x-cybereason-connection | incoming_external_connections | incomingExternalConnections |
+| x-cybereason-connection | incoming_internal_connections | incomingInternalConnections |
+| x-cybereason-connection | internal_connections | internalConnections |
+| x-cybereason-connection | listening_connections | listeningConnections |
+| x-cybereason-connection | local_connections | localConnections |
+| x-cybereason-connection | mail_connections | mailConnections |
+| x-cybereason-connection | outgoing_connections | outgoingConnections |
+| x-cybereason-connection | outgoing_external_connections | outgoingExternalConnections |
+| x-cybereason-connection | outgoing_internal_connections | outgoingInternalConnections |
+| x-cybereason-connection | well_known_port_connections | wellKnownPortConnections |
+| <br> | | |
+| x-cybereason-detectionevent | process_name | process.calculatedName |
+| x-cybereason-detectionevent | user | process.calculatedUser |
+| x-cybereason-detectionevent | end_time | process.endTime |
+| x-cybereason-detectionevent | classification_type | process.imageFile.maliciousClassificationType |
+| <br> | | |
+| x-cybereason-driver | 
file_ref | file |
+| x-cybereason-driver | name | elementDisplayName |
+| x-cybereason-driver | machine | ownerMachine |
+| x-cybereason-driver | service | service |
+| x-cybereason-driver | end_time | endTime |
+| x-cybereason-driver | new_driver_evidence | newDriverEvidence |
+| <br> | | |
+| x-cybereason-logonsession | name | elementDisplayName |
+| x-cybereason-logonsession | processes | processes |
+| x-cybereason-logonsession | owner_machine | ownerMachine |
+| x-cybereason-logonsession | remote_machine | remoteMachine |
+| x-cybereason-logonsession | logon_type | logonType |
+| x-cybereason-logonsession | creation_time | creationTime |
+| x-cybereason-logonsession | last_seen | lastSeenTime |
+| x-cybereason-logonsession | application | logonApplication |
+| x-cybereason-logonsession | end_time | endTime |
+| <br> | | |
+| x-cybereason-malops | malops | hasMalops |
+| x-cybereason-malops | suspicions | hasSuspicions |
+| x-cybereason-malops | related_to_malop | relatedToMalop |
+| x-cybereason-malops | malware_process | isProcessMalware |
+| x-cybereason-malops | has_malops | hasMalops |
+| x-cybereason-malops | has_suspicions | hasSuspicions |
+| x-cybereason-malops | malicious_tool_suspicion | knownMaliciousToolSuspicion |
+| x-cybereason-malops | malware_suspicion | knownMalwareSuspicion |
+| x-cybereason-malops | unwanted_suspicion | knownUnwantedSuspicion |
+| x-cybereason-malops | malicious_hash_evidence | isMaliciousByHashEvidence |
+| x-cybereason-malops | unwanted_module_suspicion | unwantedModuleSuspicion |
+| x-cybereason-malops | has_classification | hasClassification |
+| x-cybereason-malops | non_shell_runner_suspicion | shellOfNonShellRunnerSuspicion |
+| x-cybereason-malops | parent_process_not_hierarchy_suspicion | parentProcessNotMatchHierarchySuspicion |
+| x-cybereason-malops | connections_to_malicious_domain | connectionsToMaliciousDomain |
+| x-cybereason-malops | connections_to_malware_addresses | connectionsToMalwareAddresses |
+| 
x-cybereason-malops | absolute_high_vol_malicious_address_connections | absoluteHighVolumeMaliciousAddressConnections |
+| x-cybereason-malops | suspicious_external_connections | suspiciousExternalConnections |
+| x-cybereason-malops | suspicious_internal_connections | suspiciousInternalConnections |
+| x-cybereason-malops | suspicious_domain_to_domain | suspiciousDnsQueryDomainToDomain |
+| x-cybereason-malops | suspicious_unresolved_dns | unresolvedQueryFromSuspiciousDomain |
+| x-cybereason-malops | dns_query_from_suspicious_domain | dnsQueryFromSuspiciousDomain |
+| x-cybereason-malops | dns_query_to_suspicious_domain | dnsQueryToSuspiciousDomain |
+| x-cybereason-malops | malicious_tool_classification_modules | maliciousToolClassificationModules |
+| x-cybereason-malops | malware_classification_modules | malwareClassificationModules |
+| x-cybereason-malops | access_to_malware_address_infected_process | accessToMalwareAddressInfectedProcess |
+| x-cybereason-malops | connecting_to_bad_reputation_address_suspicion | connectingToBadReputationAddressSuspicion |
+| x-cybereason-malops | has_malicious_connection_evidence | hasMaliciousConnectionEvidence |
+| x-cybereason-malops | has_suspicious_external_connection_suspicion | hasSuspiciousExternalConnectionSuspicion |
+| x-cybereason-malops | high_number_of_external_connections_suspicion | highNumberOfExternalConnectionsSuspicion |
+| x-cybereason-malops | non_default_resolver_suspicion | nonDefaultResolverSuspicion |
+| x-cybereason-malops | suspicious_mail_connections | suspiciousMailConnections |
+| x-cybereason-malops | access_to_malware_address | accessToMalwareAddressByUnknownProcess |
+| x-cybereason-malops | high_volume_connection_to_malicious_address | hasAbsoluteHighVolumeConnectionToMaliciousAddressEvidence |
+| x-cybereason-malops | high_data_transmitted_suspicion | highDataTransmittedSuspicion |
+| x-cybereason-malops | high_data_volume_transmitted_to_malicious_address_suspicion | 
highDataVolumeTransmittedToMaliciousAddressSuspicion |
+| x-cybereason-malops | dga_suspicion | dgaSuspicion |
+| x-cybereason-malops | hacking_tool_non_tool_runner_suspicion | hackingToolOfNonToolRunnerSuspicion |
+| x-cybereason-malops | malicious_tool_module_suspicion | maliciousToolModuleSuspicion |
+| x-cybereason-malops | malware_module_suspicion | malwareModuleSuspicion |
+| x-cybereason-malops | suspicions_screen_saver_evidence | suspicionsScreenSaverEvidence |
+| x-cybereason-malops | malicious_injecting_code_suspicion | maliciousInjectingCodeSuspicion |
+| x-cybereason-malops | injected_code_suspicion | maliciousInjectedCodeSuspicion |
+| x-cybereason-malops | pe_execution_suspicion | maliciousPeExecutionSuspicion |
+| x-cybereason-malops | suspicious_internal_connection | hasSuspiciousInternalConnectionEvidence |
+| x-cybereason-malops | marked_for_prevention | markedForPrevention |
+| x-cybereason-malops | scanning_process_suspicion | scanningProcessSuspicion |
+| x-cybereason-malops | malicious_classification_type | imageFile.maliciousClassificationType |
+| x-cybereason-malops | execution_prevented | executionPrevented |
+| x-cybereason-malops | is_white_list_classification | isWhiteListClassification |
+| x-cybereason-malops | classification_type | maliciousClassificationType |
+| x-cybereason-malops | classification_blocking | classificationBlocking |
+| x-cybereason-malops | has_malicious_process | hasMaliciousProcess |
+| x-cybereason-malops | has_suspicious_process | hasSuspiciousProcess |
+| x-cybereason-malops | running_malicious_process_evidence | runningMaliciousProcessEvidence |
+| x-cybereason-malops | is_isolated | isIsolated |
+| x-cybereason-malops | suspicious_process_or_file | isSuspiciousOrHasSuspiciousProcessOrFile |
+| x-cybereason-malops | malicious_tools | maliciousTools |
+| x-cybereason-malops | malicious_processes | maliciousProcesses |
+| x-cybereason-malops | suspicious_processes | suspiciousProcesses |
+| <br> | | |
+| 
x-cybereason-proxy | name | elementDisplayName |
+| x-cybereason-proxy | discovery_type | discoveryType |
+| x-cybereason-proxy | host | host |
+| x-cybereason-proxy | ip_address | ipAddress |
+| x-cybereason-proxy | pac_url | pacUrl |
+| x-cybereason-proxy | port | port |
+| <br> | | |
+| x-cybereason-service | name | elementDisplayName |
+| x-cybereason-service | file_ref | binaryFile |
+| x-cybereason-service | file_ref | oldBinaryFile |
+| x-cybereason-service | machine | ownerMachine |
+| x-cybereason-service | start_name | serviceStartName |
+| x-cybereason-service | arguments | commandLineArguments |
+| x-cybereason-service | description | description |
+| x-cybereason-service | display_name | displayName |
+| x-cybereason-service | end_time | endTime |
+| x-cybereason-service | is_active | isActive |
+| x-cybereason-service | start_type | startType |
+| x-cybereason-service | state | serviceState |
+| x-cybereason-service | sub_state | serviceSubState |
+| x-cybereason-service | auto_restart_service | isAutoRestartService |
+| x-cybereason-service | new_service_evidence | newServiceEvidence |
+| x-cybereason-service | rare_service_evidence | rareServiceEvidence |
+| x-cybereason-service | type | serviceType |
+| x-cybereason-service | driver | driver |
+| <br> | | |
+| x-oca-asset | user_ref | username |
+| x-oca-asset | active_probe_connected | ownerMachine.isActiveProbeConnected |
+| x-oca-asset | os_version | ownerMachine.osVersionType |
+| x-oca-asset | name | elementDisplayName |
+| x-oca-asset | mount_points | mountPoints |
+| x-oca-asset | processes | processes |
+| x-oca-asset | services | services |
+| x-oca-asset | logon_sessions | logonSessions |
+| x-oca-asset | has_removable_device | hasRemovableDevice |
+| x-oca-asset | timezone | timezoneUTCOffsetMinutes |
+| x-oca-asset | version_type | osVersionType |
+| x-oca-asset | platform | platformArchitecture |
+| x-oca-asset | mbr_hash | mbrHashString |
+| x-oca-asset | os_type | osType |
+| 
x-oca-asset | owner_organization | ownerOrganization |
+| x-oca-asset | pylum_id | pylumId |
+| x-oca-asset | department_or_unit | adOU |
+| x-oca-asset | ad_organization | adOrganization |
+| x-oca-asset | name | adCanonicalName |
+| x-oca-asset | ad_company | adCompany |
+| x-oca-asset | department | adDepartment |
+| x-oca-asset | name | adDisplayName |
+| x-oca-asset | location | adLocation |
+| x-oca-asset | machine_role | adMachineRole |
+| x-oca-asset | description | adDescription |
+| x-oca-asset | free_disk_space | freeDiskSpace |
+| x-oca-asset | total_disk_space | totalDiskSpace |
+| x-oca-asset | free_memory | freeMemory |
+| x-oca-asset | total_memory | totalMemory |
+| x-oca-asset | cpu_count | cpuCount |
+| x-oca-asset | is_laptop | isLaptop |
+| x-oca-asset | model | deviceModel |
+| x-oca-asset | is_active_probe_connected | isActiveProbeConnected |
+| x-oca-asset | activity_time | uptime |
+| x-oca-asset | last_communication_with_server | timeStampSinceLastConnectionTime |
+| <br> | | |
+| x-oca-event | network_ref | transportProtocol |
+| x-oca-event | file_ref | elementDisplayName |
+| x-oca-event | name | elementDisplayName |
+| x-oca-event | user_ref | user |
+| x-oca-event | engine | detectionEngine |
+| x-oca-event | status | decisionStatus |
+| x-oca-event | detection_value | detectionValue |
+| x-oca-event | machine | ownerMachine |
+| x-oca-event | detection_value_type | detectionValueType |
+| x-oca-event | file_event_type | fileEventType |
+| x-oca-event | src_ref | sourceIp |
+| <br> | | |
+| x-windows-registry-value-type | data_type | registryDataType |
+| x-windows-registry-value-type | data | data |
+| <br> | | |
diff --git a/adapter-guide/connectors/datadog_supported_stix.md b/adapter-guide/connectors/datadog_supported_stix.md
index 7b74ba24f..c7a44c111 100644
--- a/adapter-guide/connectors/datadog_supported_stix.md
+++ b/adapter-guide/connectors/datadog_supported_stix.md
@@ -1,5 +1,14 @@
-##### Updated on 10/29/21
+##### Updated on 02/04/22
 ## Datadog
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| = | : |
+| IN | : |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | text |
diff --git a/adapter-guide/connectors/elastic_ecs_supported_stix.md b/adapter-guide/connectors/elastic_ecs_supported_stix.md
index d8c9c5ada..597ef56c4 100644
--- a/adapter-guide/connectors/elastic_ecs_supported_stix.md
+++ b/adapter-guide/connectors/elastic_ecs_supported_stix.md
@@ -1,5 +1,23 @@
-##### Updated on 10/29/21
+##### Updated on 02/04/22
 ## Elasticsearch ECS
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| > | :> |
+| >= | :>= |
+| < | :< |
+| <= | :<= |
+| = | : |
+| != | NOT |
+| LIKE | : |
+| IN | : |
+| MATCHES | : |
+| ISSUBSET | : |
+| ISSUPERSET | : |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | original |
diff --git a/adapter-guide/connectors/guardium_supported_stix.md b/adapter-guide/connectors/guardium_supported_stix.md
index e293c9fd7..9dc49c02c 100644
--- a/adapter-guide/connectors/guardium_supported_stix.md
+++ b/adapter-guide/connectors/guardium_supported_stix.md
@@ -1,4 +1,13 @@
+##### Updated on 02/04/22
 ## IBM Guardium Data Protection
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| = | = |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | Payload |
diff --git a/adapter-guide/connectors/msatp_supported_stix.md b/adapter-guide/connectors/msatp_supported_stix.md
index f28a1ee55..432839a96 100644
--- a/adapter-guide/connectors/msatp_supported_stix.md
+++ b/adapter-guide/connectors/msatp_supported_stix.md
@@ -1,4 +1,21 @@
+##### Updated on 02/04/22
 ## Microsoft Defender for Endpoint
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | or |
+| OR | or |
+| = | == |
+| != | != |
+| LIKE | contains |
+| MATCHES | matches |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| IN | in~ |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | directory | path | InitiatingProcessFolderPath |
diff --git a/adapter-guide/connectors/onelogin_supported_stix.md b/adapter-guide/connectors/onelogin_supported_stix.md
index ebe246989..fa1385753 100644
--- a/adapter-guide/connectors/onelogin_supported_stix.md
+++ b/adapter-guide/connectors/onelogin_supported_stix.md
@@ -1,5 +1,13 @@
-##### Updated on 09/28/21
+##### Updated on 02/04/22
 ## OneLogin
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | or |
+| = | = |
+| OR | or |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | ipv4-addr | value | ipaddr |
diff --git a/adapter-guide/connectors/proofpoint_supported_stix.md b/adapter-guide/connectors/proofpoint_supported_stix.md
index 086b5ee59..39bfdfb70 100644
--- a/adapter-guide/connectors/proofpoint_supported_stix.md
+++ b/adapter-guide/connectors/proofpoint_supported_stix.md
@@ -1,5 +1,21 @@
-##### Updated on 10/29/21
+##### Updated on 02/04/22
 ## Proofpoint (SIEM API)
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | LIKE |
+| IN | IN |
+| MATCHES | LIKE |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | email-addr | value | ccAddresses |
diff --git a/adapter-guide/connectors/qradar_supported_stix.md b/adapter-guide/connectors/qradar_supported_stix.md
index f8017e26b..2fc7a7cf1 100644
--- a/adapter-guide/connectors/qradar_supported_stix.md
+++ b/adapter-guide/connectors/qradar_supported_stix.md
@@ -1,5 +1,22 @@
-##### Updated on 11/09/21
+##### Updated on 02/04/22
 ## IBM QRadar
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | LIKE |
+| IN | IN |
+| MATCHES | MATCHES |
+| ISSUBSET | INCIDR |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | UTF8(payload) |
@@ -14,6 +31,8 @@
 | directory | path | "File Path" |
 | directory | path | Image |
 | directory | path | ParentImage |
+| directory | path | TargetImage |
+| directory | path | SourceImage |
 | directory | path | ServiceFileName |
 | <br> | | |
 | domain-name | value | UrlHost |
@@ -34,12 +53,12 @@
 | file | parent_directory_ref | Image |
 | file | name | ParentImage |
 | file | parent_directory_ref | ParentImage |
-| file | name | ServiceFileName |
-| file | parent_directory_ref | ServiceFileName |
 | file | name | TargetImage |
 | file | parent_directory_ref | TargetImage |
 | file | name | SourceImage |
 | file | parent_directory_ref | SourceImage |
+| file | name | ServiceFileName |
+| file | parent_directory_ref | ServiceFileName |
 | <br> | | |
 | ipv4-addr | value | identityip |
 | ipv4-addr | value | destinationaddress |
@@ -83,7 +102,6 @@
 | process | creator_user_ref | username |
 | process | binary_ref | Image |
 | process | binary_ref | ParentImage |
-| process | binary_ref | TargetImage |
 | process | parent_ref | ParentImage |
 | process | command_line | "Process CommandLine" |
 | process | command_line | ParentCommandLine |
@@ -92,6 +110,8 @@
 | process | pid | "Process ID" |
 | process | pid | "Parent Process ID" |
 | process | parent_ref | "Parent Process ID" |
+| process | binary_ref | TargetImage |
+| process | binary_ref | SourceImage |
 | process | extensions.windows-service-ext.service_dll_refs | ServiceFileName |
 | <br> | | |
 | software | name | applicationname |
@@ -125,6 +145,7 @@
 | x-oca-asset | hostname | identityhostname |
 | x-oca-asset | ip_refs | sourceaddress |
 | x-oca-asset | mac_refs | sourcemac |
+| x-oca-asset | hostname | "Machine ID" |
 | <br> | | |
 | x-oca-event | user_ref | username |
 | x-oca-event | outcome | CATEGORYNAME(category) |
@@ -155,8 +176,10 @@
 | x-oca-event | parent_process_ref | "Parent Process ID" |
 | x-oca-event | registry_ref | ObjectName |
 | x-oca-event | registry_ref | "Registry Value Name" |
+| x-oca-event | process_ref | SourceImage |
 | x-oca-event | original_ref | Message |
 | x-oca-event | original | Message |
+| x-oca-event | host_ref | "Machine ID" |
 | <br> | | |
 | x-qradar | category_id | category |
 | x-qradar | high_level_category_id | highlevelcategory |
diff --git a/adapter-guide/connectors/secretserver_supported_stix.md b/adapter-guide/connectors/secretserver_supported_stix.md
index 5751a34ec..ec9749073 100644
--- a/adapter-guide/connectors/secretserver_supported_stix.md
+++ b/adapter-guide/connectors/secretserver_supported_stix.md
@@ -1,5 +1,21 @@
-##### Updated on 09/28/21
+##### Updated on 02/04/22
 ## Secret Server
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | OR |
+| OR | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | LIKE |
+| IN | IN |
+| MATCHES | LIKE |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | ipv4-addr | value | IpAddress |
diff --git a/adapter-guide/connectors/splunk_supported_stix.md b/adapter-guide/connectors/splunk_supported_stix.md
index d8a167f7a..b80e099d2 100644
--- a/adapter-guide/connectors/splunk_supported_stix.md
+++ b/adapter-guide/connectors/splunk_supported_stix.md
@@ -1,5 +1,23 @@
-##### Updated on 09/28/21
+##### Updated on 02/04/22
 ## Splunk Enterprise Security
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | encoders.like |
+| IN | encoders.set |
+| MATCHES | encoders.matches |
+| AND | {expr1} OR {expr2} |
+| OR | {expr1} OR {expr2} |
+| ISSUBSET | = |
+| FOLLOWEDBY | latest=[search {expr2} | append [makeresults 1 | eval _time=0] | head 1 | return $_time] | where {expr1} |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | _raw |
diff --git a/adapter-guide/connectors/sumologic_supported_stix.md b/adapter-guide/connectors/sumologic_supported_stix.md
index c628abcc9..b87a1317b 100644
--- a/adapter-guide/connectors/sumologic_supported_stix.md
+++ b/adapter-guide/connectors/sumologic_supported_stix.md
@@ -1,5 +1,13 @@
-##### Updated on 10/29/21
+##### Updated on 02/04/22
 ## Sumo Logic
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | AND |
+| OR | OR |
+| = | = |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | artifact | payload_bin | _raw |
diff --git a/adapter-guide/connectors/trendmicro_vision_one_supported_stix.md b/adapter-guide/connectors/trendmicro_vision_one_supported_stix.md
index ba4b2b127..bc24583ae 100644
--- a/adapter-guide/connectors/trendmicro_vision_one_supported_stix.md
+++ b/adapter-guide/connectors/trendmicro_vision_one_supported_stix.md
@@ -1,4 +1,15 @@
+##### Updated on 02/04/22
 ## Trend Micro Vision One
+### Supported STIX Operators
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND | AND |
+| OR | OR |
+| = | : |
+| != | : |
+| LIKE | : |
+| <br> | |
+### Supported STIX Objects and Properties
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|
 | directory | path | objectFilePath |
diff --git a/stix_shifter/scripts/supported_property_exporter.py b/stix_shifter/scripts/supported_property_exporter.py
index dbf0fa9a6..ce1b23258 100644
--- a/stix_shifter/scripts/supported_property_exporter.py
+++ b/stix_shifter/scripts/supported_property_exporter.py
@@ -17,7 +17,7 @@
 "cbcloud": "Carbon Black Cloud",
 "elastic_ecs": "Elasticsearch ECS",
 "msatp": "Microsoft Defender for Endpoint",
- "security_advisor": "IBM Cloud Security Advisor",
+ # "security_advisor": "IBM Cloud Security Advisor",
 "guardium": "IBM Guardium Data Protection",
 "aws_cloud_watch_logs": "Amazon CloudWatch Logs",
 "azure_sentinel": "Microsoft Azure Sentinel",
@@ -31,10 +31,30 @@
 "sumologic": "Sumo Logic",
 "datadog": "Datadog",
 "proofpoint": "Proofpoint (SIEM API)",
- "infoblox": "Infoblox BloxOne Threat Defense",
+ # "infoblox": "Infoblox BloxOne Threat Defense",
 "cybereason": "Cybereason"
 }
+STIX_OPERATORS ={
+ "ComparisonExpressionOperators.And": "AND",
+ "ComparisonExpressionOperators.Or": "OR",
+ "ComparisonComparators.GreaterThan": ">",
+ "ComparisonComparators.GreaterThanOrEqual": ">=",
+ "ComparisonComparators.LessThan": "<",
+ "ComparisonComparators.LessThanOrEqual": "<=",
+ "ComparisonComparators.Equal": "=",
+ "ComparisonComparators.NotEqual": "!=",
+ "ComparisonComparators.Like": "LIKE",
+ "ComparisonComparators.In": "IN",
+ "ComparisonComparators.Matches": "MATCHES",
+ "ComparisonComparators.IsSubSet": "ISSUBSET",
+ "ComparisonComparators.IsSuperSet": "ISSUPERSET",
+ "ComparisonComparators.Exists": "EXISTS",
+ "ObservationOperators.Or": "OR",
+ "ObservationOperators.And": "AND",
+ "ObservationOperators.FollowedBy": "FOLLOWEDBY"
+}
+
 now = datetime.now()
 UPDATED_AT = now.strftime("%D")
@@ -57,8 +77,12 @@ def __main__():
 for index, (key, module) in enumerate(CONNECTORS.items()):
 try:
 filepath = path.abspath(path.join(TRANSLATION_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))
- json_file = open(filepath)
- loaded_json = json.loads(json_file.read())
+ to_stix_json_file = open(filepath)
+ loaded_to_stix_json = json.loads(to_stix_json_file.read())
+ filepath = path.abspath(path.join(TRANSLATION_MODULE_PATH, key, "stix_translation/json", "operators.json"))
+ operators_json_file = open(filepath)
+ loaded_operators_json = json.loads(operators_json_file.read())
+
 except(Exception):
 print("Error for {} module".format(key))
 continue
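Review bot: `STIX_OPERATORS` has no comment saying what its keys are or that `_parse_operators` indexes it directly, so a reader cannot tell that an operators.json key outside this table aborts the export; a header such as `# Keys are the operator names used in each module's stix_translation/json/operators.json; _parse_operators fails on any key missing here` would make that coupling explicit. Two keys map to the same display string (`"ComparisonExpressionOperators.And"` and `"ObservationOperators.And"` both give `"AND"`, likewise for `"OR"`), which is worth a note because the collection built from it is keyed by the display string and the later entry silently wins. The `"security_advisor"` entry here and `"infoblox"` in the preceding `@@ -17,7` hunk are commented out rather than removed, with no reason given — presumably these modules lack an operators.json; either delete the lines or record the reason in a comment. Minor: `STIX_OPERATORS ={` should be `STIX_OPERATORS = {`.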
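Review bot: The handles opened as `to_stix_json_file` and `operators_json_file` leak on every error path: if operators.json fails to open or parse, `to_stix_json_file` is already open and the `except` only prints and continues, and the `continue` in the next hunk (`@@ -70,12`) skips both `.close()` calls, which the `@@ -83,18` hunk places far down in the success path; `fields_json_file.close()` in the next hunk is likewise skipped when its `json.loads` raises. Reading each file in a `with` block (and `json.load(f)` rather than `json.loads(f.read())`) closes the handle at once and lets the scattered `.close()` lines be dropped. The lone blank `+` line before `except(Exception):` looks unintentional. `__main__` starts outside this hunk.
```python
            filepath = path.abspath(path.join(TRANSLATION_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))
            with open(filepath) as to_stix_json_file:
                loaded_to_stix_json = json.load(to_stix_json_file)
            filepath = path.abspath(path.join(TRANSLATION_MODULE_PATH, key, "stix_translation/json", "operators.json"))
            with open(filepath) as operators_json_file:
                loaded_operators_json = json.load(operators_json_file)
        # … unchanged: except(Exception) / print / continue …
```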
@@ -70,12 +94,13 @@ def __main__():
 fields_json_file = open(fields_filepath)
 loaded_fields_json = json.loads(fields_json_file.read())
 aliased_data_fields = loaded_fields_json.get('default') # array of fields
+ fields_json_file.close()
 except(Exception):
 print("Error for {} module".format(key))
 continue
- stix_attribute_collection = _parse_attributes(loaded_json, key, {})
- json_file.close()
+ stix_attribute_collection = _parse_attributes(loaded_to_stix_json, key, {})
+ stix_operator_collection = _parse_operators(loaded_operators_json, {})
 supported_stix_file_path = path.abspath(path.join(ADAPTER_GUIDE_PATH, "connectors", "{}_supported_stix.md".format(key)))
 supported_stix_file = open(supported_stix_file_path, "w")
@@ -83,18 +108,26 @@ def __main__():
 output_string += "##### Updated on " + UPDATED_AT + "\n"
 output_string += "## " + module + "\n"
 table_of_contents += "- [{}]({})\n".format(module, "connectors/{}_supported_stix.md".format(key))
- sorted_objects = json.dumps(stix_attribute_collection, sort_keys=True)
- sorted_objects = json.loads(sorted_objects)
+ output_string += "### Supported STIX Operators\n"
+ output_string += "| STIX Operator | Data Source Operator |\n"
+ output_string += "|--|--|\n"
+ for stix_operator, ds_operator in stix_operator_collection.items():
+ output_string += "| {} | {} |\n".format(stix_operator, ds_operator)
+ output_string += "| <br> | |\n"
+ operators_json_file.close()
+ sorted_attribute_objects = json.dumps(stix_attribute_collection, sort_keys=True)
+ sorted_attribute_objects = json.loads(sorted_attribute_objects)
+ output_string += "### Supported STIX Objects and Properties\n"
 output_string += "| STIX Object | STIX Property | Data Source Field |\n"
 output_string += "|--|--|--|\n"
- for stix_object, property_list in sorted_objects.items():
+ for stix_object, property_list in sorted_attribute_objects.items():
 for index, prop in enumerate(property_list):
 stix_property, data_field = prop.split(":")
 if aliased_data_fields:
 data_field = _get_data_field(data_field, aliased_data_fields)
 output_string += "| {} | {} | {} |\n".format(stix_object, stix_property, data_field)
 output_string += "| <br> | | |\n"
-
+ to_stix_json_file.close()
 supported_stix_file.write(output_string)
 supported_stix_file.close()
 table_of_contents_file.write(table_of_contents)
@@ -141,6 +174,11 @@ def _parse_attributes(element, module, stix_attribute_collection, data_source_fi
 # print("COLLECTION {}".format(stix_attribute_collection))
 return stix_attribute_collection
+def _parse_operators(element, operator_collection):
+ for key, value in element.items():
+ operator_collection[STIX_OPERATORS[key]] = value
+ return operator_collection
+
 if __name__ == "__main__":
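Review bot: `ds_operator` is written into the operator table unescaped, so a data-source operator containing `|` breaks the markdown row — the Splunk `FOLLOWEDBY` entry generated by this same commit (`latest=[search {expr2} | append ...`) is the concrete case. Escape the pipe when building the row: `output_string += "| {} | {} |\n".format(stix_operator, str(ds_operator).replace("|", "\\|"))`. The operator rows are also emitted in operators.json insertion order while the attribute rows are sorted, so the ordering differs from connector to connector (visible across the generated files); iterating `sorted(stix_operator_collection.items())` would make the docs deterministic and diffable. `__main__` starts and ends outside this hunk.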
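Review bot: `_parse_operators` raises `KeyError` for any operators.json key that is not in `STIX_OPERATORS`, and its caller in the `@@ -70,12` hunk runs outside the `try`/`except` that guards the file reads, so one unexpected key aborts the whole export instead of printing `Error for {} module` and moving on. Either look the key up leniently, `operator_collection[STIX_OPERATORS.get(key, key)] = value`, or move the call inside the try. A short docstring would also help, e.g. `"""Map an operators.json dict onto STIX display names via STIX_OPERATORS; keys that share a display name (AND, OR) overwrite each other, last one wins."""`. The `operator_collection` parameter is only ever passed `{}`; defaulting it to `None` and creating the dict inside would simplify the call site.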