def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'computer_identity': '1626351170-xlcr.hcl.local',
'subQueryID': 1,
'sha256hash':
'89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp',
'file_name': 'big42E1.tmp',
'file_size': '770',
'type': 'file',
'timestamp': '1567046172',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_com_bigfix_relevance']
assert custom_object.keys() == {'computer_identity'}
assert custom_object[
'computer_identity'] == '1626351170-xlcr.hcl.local'
def translate_results(self, data_source, data, options, mapping=None):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:param mapping: The mapping file path to use as instructions on how to translate the given JSON data to STIX.
Defaults the path to whatever is passed into the constructor for JSONToSTIX (This should be the to_stix_map.json in the module's json directory)
:type mapping: str (filepath)
:return: STIX formatted results
:rtype: str
"""
self.mapping = options['mapping'] if 'mapping' in options else {}
try:
json_data = json.loads(data)
data_source = json.loads(data_source)
except Exception:
raise LoadJsonResultsException()
if (not self.mapping):
map_file = open(self.default_mapping_file_path).read()
map_data = json.loads(map_file)
else:
map_data = self.mapping
try:
results = json_to_stix_translator.convert_to_stix(
data_source, map_data, json_data,
transformers.get_all_transformers(), options, self.callback)
except Exception as ex:
raise TranslationResultException(
"Error when converting results to STIX: {}".format(ex))
return json.dumps(results, indent=4, sort_keys=False)
def test_cybox_observables(self):
data = {
'author_id': 'IBMid-123',
'author_email': '*****@*****.**',
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'user-account')
assert (curr_obj is not None), 'user-account object type not found'
assert (curr_obj.keys() == {'type', 'user_id'})
assert (curr_obj['user_id'] == data['author_id'])
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'email-addr')
assert (curr_obj is not None), 'eamil-addr object type not found'
assert (curr_obj.keys() == {'type', 'value'})
assert (curr_obj['value'] == data['author_email'])
def test_common_prop(self):
data = {"starttime": 1531169112, "eventcount": 5}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] is not None)
assert (observed_data['last_observed'] is not None)
def translate_results(self, data_source, data, options, mapping=None):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:param mapping: The mapping file path to use as instructions on how to translate the given JSON data to STIX.
Defaults the path to whatever is passed into the constructor for JSONToSTIX (This should be the to_stix_map.json in the module's json directory)
:type mapping: str (filepath)
:return: STIX formatted results
:rtype: str
"""
self.mapping = options['mapping'] if 'mapping' in options else {}
json_data = json.loads(data)
data_source = json.loads(data_source)
if (not self.mapping):
map_file = open(self.mapping_filepath).read()
map_data = json.loads(map_file)
else:
map_data = self.mapping
results = json_to_stix_translator.convert_to_stix(
data_source, map_data, json_data,
transformers.get_all_transformers(), options)
if len(results['objects']) - 1 == len(json_data):
for i in range(1, len(results['objects'])):
results['objects'][i]['number_observed'] = 1
else:
raise RuntimeError(
"Incorrect number of result objects after translation. Found: {}, expected: {}."
.format(len(results['objects']) - 1, len(json_data)))
return json.dumps(results, indent=4, sort_keys=False)
def test_common_prop(self):
data = {"computer_identity": "12369754-bigdata4545.canlab.ibm.com", "subQueryID": 1, "start_time": "1541424881", "type": "process", "process_name": "systemd", "process_id": "1",
"sha256hash": "9c74c625b2aba7a2e8d8a42e2e94715c355367f7cbfa9bd5404ba52b726792a6", "sha1hash": "916933045c5c91ebcaa325e7f8302f3a732a0a3d", "md5hash": "28a9beb86c4d4c31ba572805bea8494f", "file_path": "/usr/lib/systemd/systemd"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
print(json.dumps(result_bundle, indent=2))
assert(result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert(result_bundle_identity['type'] == data_source['type'])
assert(result_bundle_identity['id'] == data_source['id'])
assert(result_bundle_identity['name'] == data_source['name'])
assert(result_bundle_identity['identity_class']
== data_source['identity_class'])
observed_data = result_bundle_objects[1]
print(observed_data)
assert(observed_data['id'] is not None)
assert(observed_data['type'] == "observed-data")
assert(observed_data['created_by_ref'] == result_bundle_identity['id'])
assert(observed_data['created'] is not None)
assert(observed_data['first_observed'] is not None)
assert(observed_data['last_observed'] is not None)
def test_mac_addr_json_to_stix(self):
"""
to test network stix object properties
"""
data = {
'computer_identity': '1625765403-BIGFIX01',
'subQueryID': 1,
'local_address': '192.168.36.146',
'mac': '0a-65-a4-7f-ad-88',
'type': 'Address'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'process object type not found'
assert network_obj.keys() == {'type', 'src_ref'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
def test_network_cim_to_stix(self):
count = 2
time = "2018-08-21T15:11:55.000+00:00"
user = "******"
dest_ip = "127.0.0.1"
dest_port = "8090"
src_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
src_port = "8080"
transport = "http"
data = {
"event_count": count,
"_time": time,
"user": user,
"dest_ip": dest_ip,
"dest_port": dest_port,
"src_ip": src_ip,
"src_port": src_port,
"protocol": transport
}
print(data)
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_obj = TestTransform.get_first_of_type(objects.values(),
'network-traffic')
assert (nt_obj is not None), 'network-traffic object type not found'
assert (nt_obj.keys() == {
'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols'
})
assert (nt_obj['src_port'] == 8080)
assert (nt_obj['dst_port'] == 8090)
assert (nt_obj['protocols'] == ['http'])
ip_ref = nt_obj['dst_ref']
assert (ip_ref
in objects), f"dst_ref with key {nt_obj['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == dest_ip)
ip_ref = nt_obj['src_ref']
assert (ip_ref
in objects), f"src_ref with key {nt_obj['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv6-addr')
assert (ip_obj['value'] == src_ip)
def __init__(self, pattern: Pattern, data_model_mapper):
self.dmm = data_model_mapper
self.pattern = pattern
# Now report_params_passed is a JSON object which is pointing to an array of JSON Objects (report_params_array)
self.report_params_passed = {}
self.report_params_array = []
self.report_params_array_size = 0
self.translated = self.parse_expression(pattern)
self.transformers = transformers.get_all_transformers()
# Read reference data
basepath = path.dirname(__file__)
filepath = path.abspath(
path.join(basepath, "json", "reference_data_types4Query.json"))
self.REFERENCE_DATA_TYPES = json.loads(open(filepath).read())
# Read report definition data
filepath = path.abspath(
path.join(basepath, "json", "guardium_reports_def.json"))
self.REPORT_DEF = json.loads(open(filepath).read())
# Read report definition data
filepath = path.abspath(
path.join(basepath, "json", "guardium_report_params_map.json"))
self.REPORT_PARAMS_MAP = json.loads(open(filepath).read())
def test_certificate_cim_to_stix(self):
count = 1
time = "2018-08-21T15:11:55.000+00:00"
serial = "1234"
version = "1"
sig_algorithm = "md5WithRSAEncryption"
key_algorithm = "rsaEncryption"
issuer = "C=US, ST=California, O=www.example.com, OU=new, CN=new"
subject = "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
ssl_hash = "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
data = {
"event_count": count,
"_time": time,
"ssl_serial": serial,
"ssl_version": version,
"ssl_signature_algorithm": sig_algorithm,
"ssl_issuer": issuer,
"ssl_subject": subject,
"ssl_hash": ssl_hash,
"ssl_publickey_algorithm": key_algorithm
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
# Test objects in Stix observable data model after transform
cert_obj = TestTransform.get_first_of_type(objects.values(),
'x509-certificate')
assert (cert_obj is not None), 'x509-certificate object type not found'
assert (cert_obj.keys() == {
'type', 'serial_number', 'version', "signature_algorithm",
"subject_public_key_algorithm", "issuer", "subject", "hashes"
})
assert (cert_obj['serial_number'] == "1234")
assert (cert_obj['version'] == "1")
assert (cert_obj['signature_algorithm'] == "md5WithRSAEncryption")
assert (cert_obj['issuer'] ==
"C=US, ST=California, O=www.example.com, OU=new, CN=new")
assert (
cert_obj['subject'] ==
"C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
)
assert (cert_obj['subject_public_key_algorithm'] == "rsaEncryption")
assert (
cert_obj['hashes']['SHA-256'] ==
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f")
assert (objects.keys() == set(map(str, range(0, 1))))
def test_common_prop(self):
"""
to test the common stix object properties
"""
data = {
'createTime': '2019-10-31T11:15:55.099615Z',
'updateTime': '2019-10-31T11:15:55.099635Z',
'occurence_count': 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source[
'identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['first_observed'] is not None
assert (observed_data['first_observed'] == data['createTime'])
assert observed_data['last_observed'] is not None
assert (observed_data['last_observed'] == data['updateTime'])
assert observed_data['number_observed'] is not None
assert (observed_data['number_observed'] == data['occurence_count'])
def test_network_json_to_stix_negative(self):
"""
to test negative test case for stix object
"""
data = {
'computer_identity': '550872812-WIN-N11M78AV7BP',
'subQueryID': 1,
'local_address': '192.168.36.10',
'local_port': '139',
'remote_port': '-1',
'process_name': 'System',
'process_id': '4',
'start_time': '1565875693',
'protocol': 'tcp'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, data, transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'file')
assert network_obj is None
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'ProcessCreationEvents': {
'EventTime': '2019-09-20T06:57:11.8218304Z',
'MachineId': '8330ed311f1b21b861d63448984eb2632cc9c07c',
'ComputerName': 'desktop-536bt46',
'ActionType': 'ProcessCreated',
'FileName': 'consent.exe',
'FolderPath': 'C:\\Windows\\System32\\consent.exe',
'SHA1': '9329b2362078de27242dd4534f588af3264bf0bf',
'SHA256':
'8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6',
'MD5': '27992d7ebe51aec655a088de88bad5c9',
'ProcessId': 20948,
'ProcessCommandLine': 'consent.exe 10088 288 000001CB3AA92A80',
'ProcessIntegrityLevel': 'System',
'ProcessTokenElevation': 'TokenElevationTypeDefault',
'ProcessCreationTime': '2019-09-20T06:57:11.8212034Z',
'AccountDomain': 'nt authority',
'AccountName': 'system',
'AccountSid': 'S-1-5-18',
'LogonId': 999,
'InitiatingProcessAccountDomain': 'nt authority',
'InitiatingProcessAccountName': 'system',
'InitiatingProcessAccountSid': 'S-1-5-18',
'InitiatingProcessLogonId': 999,
'InitiatingProcessIntegrityLevel': 'System',
'InitiatingProcessTokenElevation': 'TokenElevationTypeDefault',
'InitiatingProcessSHA1':
'a1385ce20ad79f55df235effd9780c31442aa234',
'InitiatingProcessMD5': '8a0a29438052faed8a2532da50455756',
'InitiatingProcessFileName': 'svchost.exe',
'InitiatingProcessId': 10088,
'InitiatingProcessCommandLine':
'svchost.exe -k netsvcs -p -s Appinfo',
'InitiatingProcessCreationTime': '2019-09-18T05:56:15.268893Z',
'InitiatingProcessFolderPath':
'c:\\windows\\system32\\svchost.exe',
'InitiatingProcessParentId': 856,
'InitiatingProcessParentFileName': 'services.exe',
'InitiatingProcessParentCreationTime':
'2019-09-17T14:54:59.5778638Z',
'ReportId': 12048,
'rn': 1,
'event_count': '1'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_com_msatp']
assert custom_object.keys() == {'computer_name', 'machine_id'}
assert custom_object['computer_name'] == 'desktop-536bt46'
def test_vpc_flow_network_json_to_stix(self):
"""to test network stix object properties"""
data = {
'vpcflow': {
'@timestamp':
'2019-10-20 10:43:09.000',
'srcAddr':
'54.239.29.61',
'dstAddr':
'172.31.88.63',
'srcPort':
'443',
'dstPort':
'53866',
'protocol':
'tcp',
'start':
'1571568189',
'end':
'1571568248',
'accountId':
'979326520502',
'interfaceId':
'eni-02e70b8e842c70a2f',
'@ptr':
'CloKIQodOTc5MzI2NTIwNTAyOlVTRWFzdDFfRmxvd0xvZ3MQBxI1GhgCBc2q4EYAAAACFMuFggAF2sO4QAAAAWIgA'
'SjoyP/F3i0wyPyNxt4tOCxA7TFI0ClQzyIQJRgB',
'event_count':
1
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestAwsResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {
'type', 'src_ref', 'dst_ref', 'src_port', 'dst_port', 'protocols',
'start', 'end'
}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
assert network_obj['dst_ref'] == '2'
assert network_obj['src_port'] == 443
assert network_obj['dst_port'] == 53866
assert network_obj['protocols'] == ['tcp']
assert network_obj['start'] == '2019-10-20T10:43:09.000Z'
assert network_obj['end'] == '2019-10-20T10:44:08.000Z'
def test_unmapped_attribute_alone(self):
data = {"unmapped": "nothing to see here"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert('objects' in observed_data)
objects = observed_data['objects']
assert(objects == {})
def test_email_cim_to_stix(self):
count = 3
time = "2018-08-21T15:11:55.000+00:00"
src_user = "******"
subject = "Test Subject"
multi = "False"
data = {
"event_count": count,
"_time": time,
"src_user": src_user,
"subject": subject,
"is_multipart": multi
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
msg_obj = TestTransform.get_first_of_type(objects.values(),
'email-message')
assert (msg_obj is not None), 'email-message object type not found'
assert (msg_obj.keys() == {
'type', 'subject', 'sender_ref', 'from_ref', 'is_multipart'
})
assert (msg_obj['subject'] == "Test Subject")
assert (msg_obj['is_multipart'] == False)
sender_ref = msg_obj['sender_ref']
assert (sender_ref in objects
), f"sender_ref with key {msg_obj['sender_ref']} not found"
addr_obj = objects[sender_ref]
assert (addr_obj.keys() == {'type', 'value'})
assert (addr_obj['type'] == 'email-addr')
assert (addr_obj['value'] == src_user)
from_ref = msg_obj['from_ref']
assert (
sender_ref
in objects), f"from_ref with key {msg_obj['from_ref']} not found"
addr_obj = objects[from_ref]
assert (addr_obj.keys() == {'type', 'value'})
assert (addr_obj['type'] == 'email-addr')
assert (addr_obj['value'] == src_user)
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'author_accountId': 'test_id_1',
'name': 'test_id_1/providers/sec_adv/occurrences/853092',
'id': '853092',
'noteName': 'test_id_1/providers/sec_adv/notes/cert_mngr',
'updateTime': '2019-10-31T11:15:55.099635Z',
'createTime': '2019-10-31T11:15:55.099615Z',
'shortDescription': 'testing data tranlation',
'providerId': 'sec_adv',
'providerName': 'test_id_1/providers/sec_adv',
'longDescription': 'testing data tranlation',
'context_accountId': 'test_id_1',
'context_resourceName': 'mycluster',
'reportedBy_id': 'cert_mngr',
'reportedBy_title': 'Security Advisor',
'finding_severity': 'MEDIUM',
'finding_certainty': 'HIGH',
'occurence_count': 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_props = observed_data['x_author']
assert (custom_props['author_accountId'] == data['author_accountId'])
custom_props = observed_data['x_finding']
assert (custom_props['name'] == data['name'])
assert (custom_props['noteName'] == data['noteName'])
assert (custom_props['shortDescription'] == data['shortDescription'])
assert (custom_props['longDescription'] == data['longDescription'])
assert (custom_props['context_accountId'] == data['context_accountId'])
assert (custom_props['context_resourceName'] ==
data['context_resourceName'])
assert (custom_props['finding_severity'] == data['finding_severity'])
assert (custom_props['finding_certainty'] == data['finding_certainty'])
custom_props = observed_data['x_provider']
assert (custom_props['providerId'] == data['providerId'])
assert (custom_props['providerName'] == data['providerName'])
assert (custom_props['reportedBy_id'] == data['reportedBy_id'])
assert (custom_props['reportedBy_title'] == data['reportedBy_title'])
def test_unmapped_attribute_with_mapped_attribute():
message = "\"GET /blog HTTP/1.1\" 200 2571"
data = {"message": message, "unmapped": "nothing to see here"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
assert objects == {}
curr_obj = TestAzureSentinelResultsToStix.get_first_of_type(
objects.values(), 'message')
assert (curr_obj is None), 'url object type not found'
def test_unmapped_attribute_with_mapped_attribute(self):
url = "https://example.com"
data = {"url": url, "unmapped": "nothing to see here"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert('objects' in observed_data)
objects = observed_data['objects']
assert(objects != {})
curr_obj = TestTransform.get_first_of_type(objects.values(), 'url')
assert(curr_obj is not None), 'url object type not found'
assert(curr_obj.keys() == {'type', 'value'})
assert(curr_obj['value'] == url)
def test_custom_props(self):
data = {"logsourceid": 126, "qid": 55500004,
"identityip": "0.0.0.0", "magnitude": 4, "logsourcename": "someLogSourceName"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
observed_data = result_bundle['objects'][1]
assert('x_com_ibm_ariel' in observed_data)
custom_props = observed_data['x_com_ibm_ariel']
assert(custom_props['identity_ip'] == data['identityip'])
assert(custom_props['log_source_id'] == data['logsourceid'])
assert(custom_props['qid'] == data['qid'])
assert(custom_props['magnitude'] == data['magnitude'])
assert(custom_props['log_source_name'] == data['logsourcename'])
def test_file_json_to_stix(self):
"""
to test file stix object properties
"""
data = {
'computer_identity': '1626351170-xlcr.hcl.local',
'subQueryID': 1,
'sha256hash':
'89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp',
'file_name': 'big42E1.tmp',
'file_size': '770',
'type': 'file',
'timestamp': '1567046172',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
file_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'file')
assert file_obj is not None, 'file object type not found'
assert file_obj.keys() == {
'type', 'hashes', 'parent_directory_ref', 'name', 'size'
}
assert file_obj['type'] == 'file'
assert file_obj['name'] == 'big42E1.tmp'
assert file_obj['hashes'] == {
'SHA-256':
'89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'SHA-1': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'MD5': '958d9ba84826e48094e361102a272fd6'
}
assert file_obj['parent_directory_ref'] == '1'
assert file_obj['size'] == 770
def test_process_json_to_stix(self):
"""
to test process stix object properties
"""
data = {
'computer_identity': '13476923-archlinux',
'subQueryID': 1,
'sha256hash':
'2f2f74f4083b95654a742a56a6c7318f3ab378c94b69009ceffc200fbc22d4d8',
'sha1hash': '0c8e8b1d4eb31e1e046fea1f1396ff85068a4c4a',
'md5hash': '148fd5f2a448b69a9f21d4c92098c4ca',
'file_path': '/usr/lib/systemd/systemd',
'process_ppid': '0',
'process_user': '******',
'timestamp': '1565616101',
'process_name': 'systemd',
'process_id': '1',
'file_size': '1468376',
'type': 'process',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
process_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'process')
assert process_obj is not None, 'process object type not found'
assert process_obj.keys() == {
'type', 'binary_ref', 'parent_ref', 'creator_user_ref', 'name',
'pid'
}
assert process_obj['type'] == 'process'
assert process_obj['name'] == 'systemd'
assert process_obj['pid'] == 1
assert process_obj['binary_ref'] == '0'
assert process_obj['parent_ref'] == '3'
assert process_obj['creator_user_ref'] == '4'
def test_unmapped_attribute_with_mapped_attribute(self):
accountId = 'test_id_1',
data = {
"author_accountId": accountId,
"unmapped": "nothing to see here"
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
assert (objects == {})
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'author_accountId')
assert (curr_obj is None), 'author_accountId object type not found'
def test_payload_results(self):
data = {
"src_ip": "169.250.0.1",
"src_port": "1220",
"src_mac": "aa:bb:cc:dd:11:22",
"dest_ip": "127.0.0.1",
"dest_port": "1120",
"dest_mac": "ee:dd:bb:aa:cc:11",
"file_hash":
"741ad92448fd12a089a13c6de49fb204e4693e1d3e9f7715471c292adf8c6bef",
"user": "******",
"url":
"https://wally.fireeye.com/malware_analysis/analyses?maid=1",
"protocol": "tcp",
"_bkt": "main~44~6D3E49A0-31FE-44C3-8373-C3AC6B1ABF06",
"_cd": "44:12606114",
"_indextime": "1546960685",
"_raw":
"Jan 08 2019 15:18:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Jan 08 2019 15:18:04 Z src=169.250.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=41a26255d16d121dc525a6445144b895 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://wally.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n",
"_serial": "0",
"_si": ["splunk3-01.internal.resilientsystems.com", "main"],
"_sourcetype": "fe_cef_syslog",
"_time": "2019-01-08T15:18:04.000+00:00",
"event_count": 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source,
map_data, [data],
transformers.get_all_transformers(),
options,
callback=hash_type_lookup)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
# somehow breaking the stix validation
# validated_result = validate_instance(observed_data)
# assert(validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
utf8 = "Jan 08 2019 15:18:04 192.168.33.131 fenotify-2.alert: CEF:0|FireEye|MAS|6.2.0.74298|MO|malware-object|4|rt=Jan 08 2019 15:18:04 Z src=169.250.0.1 dpt=1120 dst=127.0.0.1 spt=1220 smac=AA:BB:CC:DD:11:22 dmac=EE:DD:BB:AA:CC:11 cn2Label=sid cn2=111 fileHash=41a26255d16d121dc525a6445144b895 proto=tcp request=http://qa-server.eng.fireeye.com/QE/NotificationPcaps/58.253.68.29_80-192.168.85.128_1165-2119283109_T.exe cs3Label=osinfo cs3=Microsoft Windows7 Professional 6.1 sp1 dvchost=wally dvc=10.2.101.101 cn1Label=vlan cn1=0 externalId=1 cs4Label=link cs4=https://wally.fireeye.com/malware_analysis/analyses?maid=1 cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_UPX;Trojan.PWS.OnlineGames \n"
assert (observed_data['x_com_splunk_spl']['utf8_payload'] == utf8)
def test_vpc_flow_custom_attr_json_to_stix(self):
"""to test network stix object properties"""
data = {
'vpcflow': {
'@timestamp':
'2019-10-20 10:43:09.000',
'srcAddr':
'54.239.29.61',
'dstAddr':
'172.31.88.63',
'srcPort':
'443',
'dstPort':
'53866',
'protocol':
'tcp',
'start':
'1571568189',
'end':
'1571568248',
'accountId':
'979326520502',
'interfaceId':
'eni-02e70b8e842c70a2f',
'@ptr':
'CloKIQodOTc5MzI2NTIwNTAyOlVTRWFzdDFfRmxvd0xvZ3MQBxI1GhgCBc2q4EYAAAACFMuFggAF2sO4QAAAAWIg'
'ASjoyP/F3i0wyPyNxt4tOCxA7TFI0ClQzyIQJRgB',
'event_count':
1
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
custom_object = observed_data['x_com_aws']
assert custom_object.keys() == {'account_id'}
assert custom_object['account_id'] == '979326520502'
def test_file_json_to_stix(self):
"""
to test file stix object properties
"""
data = {
"computer_identity": "12369754-bigdata4545.canlab.ibm.com",
"subQueryID": 1,
"type": "file",
"file_name": ".X0-lock",
"sha256hash":
"7236f966f07259a1de3ee0d48a3ef0ee47c4a551af7f0d76dcabbbb9d6e00940",
"sha1hash": "8b5e953be1db90172af66631132f6f27dda402d2",
"md5hash": "e5307d27f0eb9a27af8597a1ddc51e89",
"file_path": "/tmp/.X0-lock",
"modified_time": "1541424894"
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
file_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'file')
assert file_obj is not None, 'file object type not found'
assert file_obj.keys() == {
'type', 'name', 'hashes', 'parent_directory_ref'
}
assert file_obj['type'] == 'file'
assert file_obj['name'] == '.X0-lock'
assert file_obj['hashes'] == {
'SHA-256':
'7236f966f07259a1de3ee0d48a3ef0ee47c4a551af7f0d76dcabbbb9d6e00940',
'SHA-1': '8b5e953be1db90172af66631132f6f27dda402d2',
'MD5': 'e5307d27f0eb9a27af8597a1ddc51e89'
}
assert file_obj['parent_directory_ref'] == '1'
def test_network_json_to_stix(self):
"""
to test network stix object properties
"""
data = {
'computer_identity': '550872812-WIN-N11M78AV7BP',
'subQueryID': 1,
'local_address': '192.168.36.10',
'local_port': '139',
'process_ppid': '0',
'process_user': '******',
'timestamp': '1565875693',
'process_name': 'System',
'process_id': '4',
'type': 'Socket',
'protocol': 'udp',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {
'type', 'src_ref', 'src_port', 'protocols'
}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
assert network_obj['src_port'] == 139
assert network_obj['protocols'] == ['udp']
def test_process_results_to_stix(self):
process_name = 'systemd'
data = {"computer_identity": "12369754-bigdata4545.canlab.ibm.com", "subQueryID": 1, "start_time": "1541424881", "type": "process", "process_name": "systemd", "process_id": "1",
"sha256hash": "9c74c625b2aba7a2e8d8a42e2e94715c355367f7cbfa9bd5404ba52b726792a6", "sha1hash": "916933045c5c91ebcaa325e7f8302f3a732a0a3d", "md5hash": "28a9beb86c4d4c31ba572805bea8494f", "file_path": "/usr/lib/systemd/systemd"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
print(json.dumps(result_bundle, indent=2))
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert(result_bundle_identity['type'] == data_source['type'])
observed_data = result_bundle_objects[1]
assert('objects' in observed_data)
objects = observed_data['objects']
process_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'process')
assert(process_obj is not None), 'process object type not found'
assert(process_obj.keys() == {'type', 'name', 'pid', 'binary_ref'})
assert(process_obj['name'] == process_name)
def test_guardduty_custom_attr_json_to_stix(self):
"""to test network stix object properties"""
data = {
'guardduty': {
'NETWORK_CONNECTION': {
'version':
'0',
'id':
'617628ca-ae74-5875-6e9c-be4cd2e9e267',
'detail-type':
'GuardDuty Finding',
'time':
'2019-10-17T09:30:05Z',
'region':
'us-east-1',
'detail_schemaVersion':
'2.0',
'detail_accountId':
'979326520502',
'detail_partition':
'aws',
'detail_arn':
'arn:aws:guardduty:us-east-1:979326520502:detector'
'/6ab6e6ee780ed494f3b7ca56acdc74df/finding/6cb6e9975'
'1fcbed76aae1a9a64bb96a8',
'detail_resource_instanceDetails_instanceId':
'i-0b8fd03ade35c'
'681d',
'detail_resource_instanceDetails_instanceType':
't2.micro',
'detail_resource_instanceDetails_launchTime':
'2019-10-14T12:51:'
'57Z',
'detail_resource_instanceDetails_iamInstanceProfile'
'_arn':
'arn:aws:iam::979326520502:instance-profile/EC2_Instances_'
'Full_Access',
'detail_resource_instanceDetails_iamInstanceProfile_id':
'AIPA6IBDIZS3ES3TI5TNQ',
'detail_resource_instanceDetails_networkInterfaces_0_'
'networkInterfaceId':
'eni-02e70b8e842c70a2f',
'detail_resource_instanceDetails_networkInterfaces_0_'
'privateDnsName':
'ip-172-31-88-63.ec2.internal',
'detail_resource_instanceDetails_networkInterfaces_0_'
'privateIpAddress':
'172.31.88.63',
'detail_resource_instanceDetails_networkInterfaces_0_'
'privateIpAddresses_0_privateDnsName':
'ip-172-31-88-63.ec2.internal',
'detail_resource_instanceDetails_networkInterfaces_0_'
'privateIpAddresses_0_privateIpAddress':
'172.31.88.63',
'detail_resource_instanceDetails_networkInterfaces_0_subnetId':
'subnet-c62a11e8',
'detail_resource_instanceDetails_networkInterfaces_0_vpcId':
'vpc-10db926a',
'detail_resource_instanceDetails_networkInterfaces_0_'
'securityGroups_0_groupName':
'launch-wizard-1',
'detail_resource_instanceDetails_networkInterfaces_0_'
'securityGroups_0_groupId':
'sg-0aa89ff4646f71594',
'detail_resource_instanceDetails_networkInterfaces_0_'
'publicDnsName':
'ec2-54-211-223-78.compute-1.amazonaws.com',
'detail_resource_instanceDetails_networkInterfaces_0_'
'publicIp':
'54.211.223.78',
'detail_resource_instanceDetails_instanceState':
'running',
'detail_resource_instanceDetails_availabilityZone':
'us-east-1b',
'detail_resource_instanceDetails_imageId':
'ami-04763b3055de4860b',
'detail_resource_instanceDetails_imageDescription':
'Canonical, Ubuntu, 16.04 LTS, amd64 xenial image build on '
'2019-09-13',
'detail_service_serviceName':
'guardduty',
'detail_service_detectorId':
'6ab6e6ee780ed494f3b7ca56acdc74df',
'detail_service_action_networkConnectionAction_'
'connectionDirection':
'INBOUND',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'ipAddressV4':
'54.211.162.49',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'organization_asn':
'14618',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'organization_asnOrg':
'Amazon.com, Inc.',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'organization_isp':
'Amazon.com',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'organization_org':
'Amazon.com',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'country_countryName':
'United States',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'city_cityName':
'Ashburn',
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'geoLocation_lat':
39.0481,
'detail_service_action_networkConnectionAction_remoteIpDetails_'
'geoLocation_lon':
-77.4728,
'detail_service_action_networkConnectionAction_remotePortDetails_'
'port':
32820,
'detail_service_action_networkConnectionAction_remotePortDetails_'
'portName':
'Unknown',
'detail_service_action_networkConnectionAction_localPortDetails_'
'port':
22,
'detail_service_action_networkConnectionAction_localPortDetails_'
'portName':
'SSH',
'detail_service_action_networkConnectionAction_protocol':
'TCP',
'detail_service_action_networkConnectionAction_blocked':
'false',
'detail_service_additionalInfo': {}
},
'source':
'aws.guardduty',
'account':
'979326520502',
'detail_region':
'us-east-1',
'detail_id':
'6cb6e99751fcbed76aae1a9a64bb96a8',
'detail_type':
'UnauthorizedAccess:EC2/SSHBruteForce',
'detail_resource_resourceType':
'Instance',
'detail_service_action_actionType':
'NETWORK_CONNECTION',
'detail_service_resourceRole':
'TARGET',
'detail_service_eventFirstSeen':
'2019-10-16T05:55:25Z',
'detail_service_eventLastSeen':
'2019-10-17T09:05:51Z',
'detail_service_archived':
'false',
'detail_service_count':
16,
'detail_severity':
2,
'detail_createdAt':
'2019-10-16T06:08:32.249Z',
'detail_updatedAt':
'2019-10-17T09:20:25.038Z',
'detail_title':
'54.211.162.49 is performing SSH brute force attacks against i-0b8fd03'
'ade35c681d. ',
'detail_description':
'54.211.162.49 is performing SSH brute force attacks against '
'i-0b8fd03ade35c681d. Brute force attacks are used to gain '
'unauthorized access to your instance by guessing the SSH '
'password.',
'@timestamp':
'2019-10-17 09:30:05.000',
'event_count':
1
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
custom_object = observed_data['x_com_aws_guardduty_finding']
assert custom_object.keys() == {
'severity', 'id', 'type', 'title', 'timestamp'
}
assert custom_object['id'] == '6cb6e99751fcbed76aae1a9a64bb96a8'
assert custom_object['type'] == 'UnauthorizedAccess:EC2/SSHBruteForce'
assert custom_object['severity'] == 2
assert custom_object['timestamp'] == '2019-10-17T09:30:05.000Z'
assert custom_object[
'title'] == '54.211.162.49 is performing SSH brute force attacks against i-0b8fd03ade35c681d. '
def test_cybox_observables(self):
payload = "SomeBase64Payload"
user_id = "someuserid2018"
url = "https://example.com"
source_ip = "fd80:655e:171d:30d4:fd80:655e:171d:30d4"
destination_ip = "255.255.255.1"
file_name = "somefile.exe"
source_mac = "00-00-5E-00-53-00"
destination_mac = "00-00-5A-00-55-01"
data = {
"sourceip": source_ip,
"destinationip": destination_ip,
"url": url,
"base64_payload": payload,
"username": user_id,
"protocol": 'TCP',
"sourceport": "3000",
"destinationport": 2000,
"filename": file_name,
"domainname": url,
"sourcemac": source_mac,
"destinationmac": destination_mac
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_object = TestTransform.get_first_of_type(objects.values(),
'network-traffic')
assert (nt_object is not None), 'network-traffic object type not found'
assert (nt_object.keys() == {
'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols'
})
assert (nt_object['src_port'] == 3000)
assert (nt_object['dst_port'] == 2000)
assert (nt_object['protocols'] == ['tcp'])
ip_ref = nt_object['dst_ref']
assert (
ip_ref
in objects), f"dst_ref with key {nt_object['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == destination_ip)
ip_ref = nt_object['src_ref']
assert (
ip_ref
in objects), f"src_ref with key {nt_object['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv6-addr')
assert (ip_obj['value'] == source_ip)
curr_obj = TestTransform.get_first_of_type(objects.values(), 'url')
assert (curr_obj is not None), 'url object type not found'
assert (curr_obj.keys() == {'type', 'value'})
assert (curr_obj['value'] == url)
curr_obj = TestTransform.get_first_of_type(objects.values(),
'artifact')
assert (curr_obj is not None), 'artifact object type not found'
assert (curr_obj.keys() == {'type', 'payload_bin'})
assert (curr_obj['payload_bin'] == payload)
curr_obj = TestTransform.get_first_of_type(objects.values(),
'user-account')
assert (curr_obj is not None), 'user-account object type not found'
assert (curr_obj.keys() == {'type', 'user_id'})
assert (curr_obj['user_id'] == user_id)
curr_obj = TestTransform.get_first_of_type(objects.values(), 'file')
assert (curr_obj is not None), 'file object type not found'
assert (curr_obj.keys() == {'type', 'name'})
assert (curr_obj['name'] == file_name)
curr_obj = TestTransform.get_first_of_type(objects.values(),
'domain-name')
assert (curr_obj is not None), 'domain-name object type not found'
assert (curr_obj.keys() == {'type', 'value'})
assert (curr_obj['value'] == 'example.com')
assert (objects.keys() == set(map(str, range(0, 10))))
