
Added Darktrace UDI connector. #896

Merged

lakshmi51974368
Contributor

Added Darktrace UDI connector.

codecov bot commented Apr 12, 2022

Codecov Report

Merging #896 (75a9628) into develop (336ca33) will increase coverage by 0.05%.
The diff coverage is 95.84%.

@@             Coverage Diff             @@
##           develop     #896      +/-   ##
===========================================
+ Coverage    64.65%   64.70%   +0.05%     
===========================================
  Files          506      517      +11     
  Lines        47017    48583    +1566     
===========================================
+ Hits         30399    31437    +1038     
- Misses       16618    17146     +528     
Impacted Files Coverage Δ
...modules/darktrace/stix_translation/transformers.py 73.91% <85.00%> (ø)
...es/darktrace/stix_translation/query_constructor.py 78.60% <90.95%> (ø)
...r_modules/darktrace/stix_transmission/connector.py 78.66% <92.91%> (ø)
...t/stix_translation/test_darktrace_stix_to_query.py 72.39% <96.98%> (ø)
...st/stix_translation/test_darktrace_json_to_stix.py 46.24% <98.50%> (ø)
stix_shifter_modules/darktrace/entry_point.py 100.00% <100.00%> (ø)
...les/darktrace/stix_translation/query_translator.py 81.81% <100.00%> (ø)
...s/darktrace/stix_translation/results_translator.py 100.00% <100.00%> (ø)
..._modules/darktrace/stix_transmission/api_client.py 78.72% <100.00%> (ø)
...odules/darktrace/stix_transmission/error_mapper.py 90.90% <100.00%> (ø)
... and 2 more


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

lakshmi51974368 and others added 17 commits April 13, 2022 07:33
darktrace - mock responses added to test service unavailable functions
file renamed test_darktrace to test_darktrace_transmission
transmission test file added.
Updated test_darktrace.py
Updated test_darktrace.py
fixing the code coverage issue
Fixing the code coverage issue
Fixed the code coverage issue
Updated the mappings as per Sentinelone review comments.
Addressed minor operator(LIKE, MATCHES) related issues.
Review comments addressed from sentinelone.
fixing the code coverage issue.
fixing the code coverage issue.
from_stix mappings updated based on sentinelone review comments.
Added the custom fields in the extension.
lakshmi51974368 and others added 3 commits May 3, 2022 07:27
PR comments fixed.
1. result_limit max value only present in config.json.
2. result_limit description removed from lang.json.
3. In connector.py removed the code, to remove the empty fields in response.
4. Removed delete_query_connection function.
Member

@mdazam1942 mdazam1942 left a comment

I see some extra parentheses used in the translated queries. for example-
[file:name = 'some_file.exe' OR file:name = 'ttest']
Translates into -
((@fields.filename:\"ttest\") OR (@fields.filename:\"some_file.exe\")) AND (@fields.epochdate :>1651864110.097 AND @fields.epochdate :<1651864410.097))

Unless the API asks for those extra parentheses, I think you can optimize the use of parentheses (); for example, the above can be optimized into -

(@fields.filename:\"ttest\" OR @fields.filename:\"some_file.exe\") AND (@fields.epochdate :>1651864110.097 AND @fields.epochdate :<1651864410.097)

Unwanted parentheses removed.
Mapping updated as per suggestion(SSL fields are mapped under x509-certificate).
@lakshmi51974368
Contributor Author

I see some extra parentheses used in the translated queries. for example- [file:name = 'some_file.exe' OR file:name = 'ttest'] Translates into - ((@fields.filename:\"ttest\") OR (@fields.filename:\"some_file.exe\")) AND (@fields.epochdate :>1651864110.097 AND @fields.epochdate :<1651864410.097))

Unless the API asks for those extra parentheses, I think you can optimize the use of parentheses (); for example, the above can be optimized into -

(@fields.filename:\"ttest\" OR @fields.filename:\"some_file.exe\") AND (@fields.epochdate :>1651864110.097 AND @fields.epochdate :<1651864410.097)

Fixed the above issue:

  1. Unwanted parentheses for a single query statement are removed.
  2. Overall query parentheses are not removed, e.g. (query).
    Note: when a query consists of multiple statements with AND and OR operators, parentheses are required as per the API requirement.

The current code change will give the below results.
((@fields.filename:"ttest" OR @fields.filename:"some_file.exe") AND
(@fields.epochdate :>1652075635.723 AND @fields.epochdate :<1652075935.723))
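The parenthesisation rule discussed in this thread (a single comparison emitted bare, a grouped statement parenthesised only where precedence needs it, the outer wrapper around the whole query kept), written out as an added example. This is illustrative code for this page and not stix-shifter's darktrace query_constructor; the FIELD_MAP entries, the precedence rule, the backslash escaping of literals and the exact output layout are assumptions, and the epoch timestamps are the ones shown in the reply above.

```python
"""Precedence-aware emitter for a backend filter query.

Shows the parenthesisation rule from the review thread: a single comparison
is emitted bare, an AND/OR group is parenthesised only when it sits under an
operator of the other kind, and the whole query is wrapped as
((pattern) AND (time window)).

Illustrative code for this page; not stix-shifter's darktrace
query_constructor. FIELD_MAP, the escaping rule and the output layout are
assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Assumed STIX object path -> backend field mapping (illustration only).
FIELD_MAP = {
    "file:name": "@fields.filename",
    "ipv4-addr:value": "@fields.ip",
}


@dataclass(frozen=True)
class Comparison:
    """One STIX comparison, e.g. file:name = 'ttest'."""
    stix_field: str
    value: str


@dataclass(frozen=True)
class Group:
    """A boolean combination of comparisons or nested groups."""
    op: str                        # "AND" or "OR"
    operands: Tuple["Expr", ...]


Expr = Union[Comparison, Group]


def quote(value: str) -> str:
    """Quote a literal, escaping backslash and double quote so a value taken
    from a STIX pattern cannot close the literal and smuggle in operators.
    (Assumes the backend honours backslash escapes inside quotes.)"""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def emit(expr: Expr, parent_op: Optional[str] = None) -> str:
    """Render expr, parenthesising a group only when needed.

    A bare comparison never gets parentheses. A group under a parent with the
    same operator is flattened (AND and OR are each associative); a group
    under the other operator is wrapped so precedence is preserved.
    """
    if isinstance(expr, Comparison):
        return f"{FIELD_MAP[expr.stix_field]}:{quote(expr.value)}"
    if expr.op not in ("AND", "OR"):
        raise ValueError(f"unsupported operator {expr.op!r}")
    if not expr.operands:
        raise ValueError("empty group")
    body = f" {expr.op} ".join(emit(child, expr.op) for child in expr.operands)
    if parent_op is not None and parent_op != expr.op:
        return f"({body})"
    return body


def build_query(pattern: Expr, start: float, stop: float) -> str:
    """Combine the translated pattern with an epoch time window, keeping the
    outer parentheses around the whole statement as the reply describes."""
    window = f"@fields.epochdate :>{start} AND @fields.epochdate :<{stop}"
    return f"({emit(pattern, 'AND')} AND ({window}))"


if __name__ == "__main__":
    # The two-file-name pattern from the thread; timestamps are the ones shown
    # in the reply above.
    pattern = Group("OR", (Comparison("file:name", "ttest"),
                           Comparison("file:name", "some_file.exe")))
    print(build_query(pattern, 1652075635.723, 1652075935.723))
```

The rule generalises past the two-operand case on the page: an AND group nested directly under the top-level AND is flattened into it, while an OR group under AND (or AND under OR) is the only place a parenthesised sub-statement appears. The escaping in quote is the check a practitioner would want here, since the pattern literals originate from the caller and end up inside a backend query string.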

@mdazam1942 mdazam1942 merged commit 36d71c1 into opencybersecurityalliance:develop May 12, 2022
delliott90 pushed a commit that referenced this pull request Jul 5, 2022