def translate_results(self, data_source, data):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:return: STIX formatted results
:rtype: str
"""
json_data = json.loads(data)
data_source = json.loads(data_source)
results = json_to_stix_translator.convert_to_stix(
data_source, self.map_data, json_data, self.transformers,
self.options)
if len(results['objects']) - 1 == len(json_data):
for i in range(1, len(results['objects'])):
results['objects'][i]['number_observed'] = 1
else:
raise RuntimeError(
"Incorrect number of result objects after translation. Found: {}, expected: {}."
.format(len(results['objects']) - 1, len(json_data)))
return results
def translate_results(self, data_source, data):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:param mapping: The mapping file path to use as instructions on how to translate the given JSON data to STIX.
Defaults the path to whatever is passed into the constructor for JSONToSTIX (This should be the to_stix_map.json in the module's json directory)
:type mapping: str (filepath)
:return: STIX formatted results
:rtype: str
"""
json_data = json.loads(data)
data_source = json.loads(data_source)
results = json_to_stix_translator.convert_to_stix(
data_source, self.map_data, json_data, self.transformers,
self.options)
if len(results['objects']) - 1 == len(json_data):
for i in range(1, len(results['objects'])):
results['objects'][i]['number_observed'] = 1
else:
raise RuntimeError(
"Incorrect number of result objects after translation. Found: {}, expected: {}."
.format(len(results['objects']) - 1, len(json_data)))
return results
def test_common_prop(self):
"""
to test the common stix object properties
"""
data = {
'createTime': '2019-10-31T11:15:55.099615Z',
'updateTime': '2019-10-31T11:15:55.099635Z',
'occurence_count': 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source[
'identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['first_observed'] is not None
assert (observed_data['first_observed'] == data['createTime'])
assert observed_data['last_observed'] is not None
assert (observed_data['last_observed'] == data['updateTime'])
assert observed_data['number_observed'] is not None
assert (observed_data['number_observed'] == data['occurence_count'])
def test_cybox_observables(self):
data = {
'author_id': 'IBMid-123',
'email': '*****@*****.**',
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'user-account')
assert (curr_obj is not None), 'user-account object type not found'
assert (curr_obj.keys() == {'type', 'user_id'})
assert (curr_obj['user_id'] == data['author_id'])
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'email-addr')
assert (curr_obj is not None), 'eamil-addr object type not found'
assert (curr_obj.keys() == {'type', 'value'})
assert (curr_obj['value'] == data['email'])
def test_common_prop(self):
# transformer = None
data = {"starttime": 1531169112, "eventcount": 5}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] is not None)
assert (observed_data['last_observed'] is not None)
def test_process_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
proc_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'process')
assert (proc_object is not None), 'process object type not found'
assert (proc_object.keys() == {
'type', 'pid', 'name', 'created', 'creator_user_ref', 'binary_ref'
})
assert (proc_object['type'] == 'process')
assert (proc_object['pid'] == 609)
assert (proc_object['created'] == '2019-04-10T11:33:57.571Z')
creator_user_ref = proc_object['creator_user_ref']
assert (
creator_user_ref in objects
), f"dst_ref with key {proc_object['creator_user_ref']} not found"
creator_user_ref_obj = objects[creator_user_ref]
assert (creator_user_ref_obj.keys() == {'type', 'user_id'})
assert (creator_user_ref_obj['type'] == 'user-account')
assert (creator_user_ref_obj['user_id'] == '-')
def test_file_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
file_object = TestElasticEcsTransform.get_first(
objects.values(), lambda o: type(o) == dict and o.get('type') ==
'file' and o.get('name') == 'example.png')
assert (file_object is not None), 'file object type not found'
assert (file_object.keys() == {'type', 'name', 'parent_directory_ref'})
assert (file_object['type'] == 'file')
assert (file_object['name'] == 'example.png')
parent_directory_ref = file_object['parent_directory_ref']
assert (
parent_directory_ref in objects
), f"parent_directory_ref with key {objects['parent_directory_ref']} not found"
parent_obj = objects[parent_directory_ref]
assert (parent_obj['type'] == "directory")
assert (parent_obj['path'] == "/home/alice")
def translate_results(self, data_source, data, options, mapping=None):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:param mapping: The mapping file path to use as instructions on how to translate the given JSON data to STIX.
Defaults the path to whatever is passed into the constructor for JSONToSTIX (This should be the to_stix_map.json in the module's json directory)
:type mapping: str (filepath)
:return: STIX formatted results
:rtype: str
"""
self.mapping = options['mapping'] if 'mapping' in options else {}
json_data = json.loads(data)
data_source = json.loads(data_source)
if (not self.mapping):
map_file = open(self.mapping_filepath).read()
map_data = json.loads(map_file)
else:
map_data = self.mapping
results = json_to_stix_translator.convert_to_stix(
data_source, map_data, json_data,
transformers.get_all_transformers(), options)
if len(results['objects']) - 1 == len(json_data):
for i in range(1, len(results['objects'])):
results['objects'][i]['number_observed'] = 1
else:
raise RuntimeError(
"Incorrect number of result objects after translation. Found: {}, expected: {}."
.format(len(results['objects']) - 1, len(json_data)))
return json.dumps(results, indent=4, sort_keys=False)
def test_unmapped_attribute_alone(self):
data = {"unmapped": "nothing to see here"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
assert (objects == {})
def test_unmapped_attribute_with_mapped_attribute(self):
message = "\"GET /blog HTTP/1.1\" 200 2571"
data = {"message": message, "unmapped": "nothing to see here"}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
assert (objects == {})
curr_obj = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'message')
assert (curr_obj is None), 'url object type not found'
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'author_accountId': 'test_id_1',
'name': 'test_id_1/providers/sec_adv/occurrences/853092',
'id': '853092',
'noteName': 'test_id_1/providers/sec_adv/notes/cert_mngr',
'updateTime': '2019-10-31T11:15:55.099635Z',
'createTime': '2019-10-31T11:15:55.099615Z',
'shortDescription': 'testing data tranlation',
'providerId': 'sec_adv',
'providerName': 'test_id_1/providers/sec_adv',
'longDescription': 'testing data tranlation',
'context_accountId': 'test_id_1',
'context_resourceName': 'mycluster',
'reportedBy_id': 'cert_mngr',
'reportedBy_title': 'Security Advisor',
'finding_severity': 'MEDIUM',
'finding_certainty': 'HIGH',
'occurence_count': 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_props = observed_data['x_security_advisor_finding']
assert (custom_props['author_accountId'] == data['author_accountId'])
assert (custom_props['name'] == data['name'])
assert (custom_props['noteName'] == data['noteName'])
assert (custom_props['shortDescription'] == data['shortDescription'])
assert (custom_props['longDescription'] == data['longDescription'])
assert (custom_props['context_accountId'] == data['context_accountId'])
assert (custom_props['context_resourceName'] ==
data['context_resourceName'])
assert (custom_props['finding_severity'] == data['finding_severity'])
assert (custom_props['finding_certainty'] == data['finding_certainty'])
assert (custom_props['providerId'] == data['providerId'])
assert (custom_props['providerName'] == data['providerName'])
assert (custom_props['reportedBy_id'] == data['reportedBy_id'])
assert (custom_props['reportedBy_title'] == data['reportedBy_title'])
def test_unmapped_attribute_with_mapped_attribute(self):
accountId = 'test_id_1',
data = {
"author_accountId": accountId,
"unmapped": "nothing to see here"
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
assert (objects == {})
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'author_accountId')
assert (curr_obj is None), 'author_accountId object type not found'
def test_artifact_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
artifact_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'artifact')
assert (artifact_object is not None), 'artifact object type not found'
assert (artifact_object.keys() == {'type', 'payload_bin'})
assert (artifact_object['type'] == 'artifact')
def test_network_traffic_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'network-traffic')
assert (nt_object is not None), 'network-traffic object type not found'
assert (nt_object.keys() == {
'type', 'src_port', 'src_byte_count', 'src_packets', 'dst_port',
'dst_byte_count', 'dst_packets', 'src_ref', 'dst_ref', 'protocols'
})
assert (nt_object['type'] == 'network-traffic')
assert (nt_object['src_port'] == 49745)
assert (nt_object['dst_port'] == 443)
assert (nt_object['protocols'] == ['ipv4', 'tcp'])
ip_ref = nt_object['dst_ref']
assert (
ip_ref
in objects), f"dst_ref with key {nt_object['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == '100.101.0.69')
assert (isinstance(ip_obj['resolves_to_refs'], list)
and isinstance(ip_obj['resolves_to_refs'][0], str))
ip_ref = nt_object['src_ref']
assert (
ip_ref
in objects), f"src_ref with key {nt_object['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == '107.0.0.48')
assert (isinstance(ip_obj['resolves_to_refs'], list)
and isinstance(ip_obj['resolves_to_refs'][0], str))
def test_file_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
file_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'file')
assert (file_object is not None), 'file object type not found'
assert (file_object.keys() == {'type', 'name'})
assert (file_object['type'] == 'file')
assert (file_object['name'] == 'SubmitDiagInfo')
def test_file_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
file_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'file')
assert (file_object is not None), 'file object type not found'
assert (file_object.keys() == {'type', 'name', 'parent_directory_ref'})
assert (file_object['type'] == 'file')
assert (file_object['name'] == 'example.png')
def test_url_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
url_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'url')
assert (url_object is not None), 'url object type not found'
assert (url_object.keys() == {'type', 'value'})
assert (url_object['type'] == 'url')
assert (url_object['value'] == '/blog')
def test_common_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
def test_unwrap_flag_in_mapping(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
custom_dns_obj = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'x-ecs-dns')
assert (isinstance(custom_dns_obj['resolved_ip_refs'], list)
and isinstance(custom_dns_obj['resolved_ip_refs'][0], str))
assert objects[custom_dns_obj['resolved_ip_refs'][0]].get(
'value') == "40.116.120.16"
assert objects[custom_dns_obj['resolved_ip_refs'][1]].get(
'value') == "1.2.3.4"
def test_artifact_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
artifact_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'artifact')
assert (artifact_object is not None), 'artifact object type not found'
assert (artifact_object.keys() == {'type', 'payload_bin'})
assert (artifact_object['type'] == 'artifact')
assert (
artifact_object['payload_bin'] ==
'MTAuNDIuNDIuNDIgLSAtIFswNy9EZWMvMjAxODoxMTowNTowNyArMDEwMF0gIkdFVCAvYmxvZyBIVFRQLzEuMSIgMjAwIDI1NzEgIi0iICJNb3ppbGxhLzUuMCAoTWFjaW50b3NoOyBJbnRlbCBNYWMgT1MgWCAxMF8xNF8wKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzAuMC4zNTM4LjEwMiBTYWZhcmkvNTM3LjM2Ig=='
)
def test_cybox_observables(self):
# transformer = None
payload = "SomeBase64Payload"
user_id = "someuserid2018"
url = "https://example.com"
domain = "example.com"
source_ip = "127.0.0.1"
destination_ip = "255.255.255.1"
data = {
"sourceip": source_ip,
"destinationip": destination_ip,
"url": url,
"domain": domain,
"payload": payload,
"username": user_id,
"protocol": 'TCP',
"sourceport": 3000,
"destinationport": 2000
}
# data = {"Network": {"A" : source_ip}, "destinationip": destination_ip, "url": url,
# "domain": domain, "payload": payload, "username": user_id, "protocol": 'TCP', "sourceport": 3000, "destinationport": 2000}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
# Test that each data element is properly mapped and input into the STIX JSON
for key, value in objects.items():
assert (int(key) in list(range(0, len(objects))))
# Todo: handle case where there is both a source and destination ip, there will be more than one ipv4-addr
if (value['type'] == 'ipv4-addr'):
# assert(
# value['value'] == source_ip), "Wrong value returned " + key + ":" + str(value)
assert (True)
elif (value['type'] == 'url'):
assert(value['value'] == url), "Wrong value returned " + \
key + ":" + str(value)
elif (value['type'] == 'domain-name'):
assert (value['value'] == domain
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'artifact'):
assert (value['payload_bin'] == payload
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'user-account'):
assert (value['user_id'] == user_id
), "Wrong value returned " + key + ":" + str(value)
# Todo: should not be returned since the address passed in isn't ipv6, still needs to be fixed in logic
elif (value['type'] == 'ipv6-addr'):
# assert(
# value['value'] == source_ip), "Wrong value returned " + key + ":" + str(value)
assert (True)
elif (value['type'] == 'network-traffic'):
assert (int(value['src_ref']) in list(range(0, len(objects)))
), "Wrong value returned " + key + ":" + str(value)
assert (type(value['src_ref']) is
str), "Reference value should be a string"
assert (int(value['dst_ref']) in list(range(0, len(objects)))
), "Wrong value returned " + key + ":" + str(value)
assert (type(value['dst_ref']) is
str), "Reference value should be a string"
assert (value['protocols'] == ['tcp'])
assert (value['src_port'] == 3000)
assert (value['dst_port'] == 2000)
else:
assert(False), "Returned a non-mapped value " + \
key + ":" + str(value)
def test_at_props(self):
transformer = None
actio = "actioniam-identity.serviceid-apikey.login"
isoti = "2018-07-16T15:00+0000"
alcht = "alchtenida:560ea90982962784957b94135af14810"
tarid = "taridcrn:v1:bluemix:public:iam-identity::a/560ea90982962784957b94135af14810::apikey:ApiKey-b1ebb918c"
tarna = "auto-generated-apikey-4df4db90-06ef-4efa-9d3f-bc7ccf247326"
event = "d9b5a3a9-8fb8-4d6d-90cd-0a50f4842c6a"
messa = "message is a very long string"
activ = "activity"
sampl = "sample-response"
alcha = "alchaccid560ea90982962784957b"
initi = "iam-ServiceId-f48385a1"
initn = "ServiceId-f48385a1"
initc = "apikey"
data = {
# "initiator_name": initn,
# "initiator_id": initi,
"ALCH_ACCOUNT_ID": alcha,
"responseData": sampl,
"eventType": activ,
"message": messa,
"type": "ActivityTracker",
"event_uuid": event,
"tags": [],
# "target_name": tarna,
# "target_id": tarid,
"ALCH_TENANT_ID": alcht,
"logmet_cluster": "topic3-elasticsearch_3",
"@timestamp": "2018-07-16T15:00:03.062Z",
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
"@version": "1",
"eventTime": isoti,
"action": actio,
"requestData": "requestdata",
"outcome": "success"
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
print(result_bundle)
observed_data = result_bundle['objects'][1]
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
# Test that each data element is properly mapped and input into the STIX JSON
for key, value in objects.items():
assert (int(key) in list(range(0, len(objects))))
if (value['type'] == 'initiator_credential_type'):
assert (value['value'] == initc
), "Wrong value returned " + key + ":" + str(value)
assert (True)
elif (value['type'] == 'initiator_name'):
assert(value['value'] == initn), "Wrong value returned " + \
key + ":" + str(value)
elif (value['type'] == 'initiator_id'):
assert (value['value'] == initi
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'ALCH_ACCOUNT_ID'):
assert (value['value'] == alcha
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'message'):
assert (value['value'] == messa
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'event_uuid'):
assert (value['value'] == event
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'ALCH_TENANT_ID'):
assert (value['value'] == alcht
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'action'):
assert (value['value'] == actio
), "Wrong value returned " + key + ":" + str(value)
elif (value['type'] == 'eventTime'):
assert (value['value'] == isoti
), "Wrong value returned " + key + ":" + str(value)
else:
assert(False), "Returned a non-mapped value " + \
key + ":" + str(value)
def test_network_traffic_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'network-traffic')
assert (nt_object is not None), 'network-traffic object type not found'
assert (nt_object.keys() == {
'type', 'src_port', 'src_byte_count', 'src_packets', 'dst_port',
'dst_byte_count', 'dst_packets', 'src_ref', 'dst_ref', 'protocols',
'extensions'
})
assert (nt_object['type'] == 'network-traffic')
assert (nt_object['src_port'] == 49745)
assert (nt_object['dst_port'] == 443)
assert (nt_object['protocols'] == ['ipv4', 'tcp'])
ip_ref = nt_object['dst_ref']
assert (
ip_ref
in objects), f"dst_ref with key {nt_object['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == '100.101.0.69')
assert (isinstance(ip_obj['resolves_to_refs'], list)
and isinstance(ip_obj['resolves_to_refs'][0], str))
ip_ref = nt_object['src_ref']
assert (
ip_ref
in objects), f"src_ref with key {nt_object['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value', 'resolves_to_refs'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == '107.0.0.48')
assert (isinstance(ip_obj['resolves_to_refs'], list)
and isinstance(ip_obj['resolves_to_refs'][0], str))
dns_ext = nt_object['extensions']['dns-ext']
assert (dns_ext is not None)
assert (dns_ext["question"] is not None)
name_ref = dns_ext["question"]["domain_ref"]
assert (
name_ref in objects
), f"name_ref with key {dns_ext['question']['name_ref']} not found"
domain_obj = objects[name_ref]
assert (domain_obj["type"] == "domain-name")
assert (domain_obj["value"] == "officehomeblobs.blob.core.windows.net")
assert (dns_ext["resolved_ip_refs"] is not None)
for ip_ref in dns_ext["resolved_ip_refs"]:
assert (ip_ref
in objects), f"resolved_ip_ref with key {ip_ref} not found"
ip_obj = objects[ip_ref]
assert (ip_obj["type"] == "ipv4-addr")
assert (ip_obj["value"] in ["40.116.120.16", "1.2.3.4"])
def test_x_ibm_event(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [event_data],
get_module_transformers(MODULE), options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
event_object = TestElasticEcsTransform.get_first_of_type(
objects.values(), 'x-oca-event')
assert (event_object is not None), 'x-oca-event object type not found'
host_ref = event_object['host_ref']
assert (host_ref in objects
), f"host_ref with key {event_object['host_ref']} not found"
host_obj = objects[host_ref]
assert (host_obj['type'] == 'x-oca-asset')
assert (host_obj['hostname'] == 'HOST-NAME')
mac_refs = host_obj['mac_refs']
assert (mac_refs is not None), "host mac_refs not found"
assert (len(mac_refs) == 1)
mac_obj = objects[mac_refs[0]]
assert (mac_obj.keys() == {'type', 'value'})
assert (mac_obj['type'] == 'mac-addr')
assert (mac_obj['value'] == "00:01:02:0a:0b:0c")
process_ref = event_object['process_ref']
assert (
process_ref in objects
), f"process_ref with key {event_object['process_ref']} not found"
process_obj = objects[process_ref]
assert (process_obj['type'] == 'process')
assert (process_obj['command_line'] ==
"C:\\WINDOWS\\system32\\wbem\\unsecapp.exe -Embedding")
binary_obj = objects[process_obj['binary_ref']]
assert (binary_obj is not None), "process binary ref not found"
assert (binary_obj.keys() == {'type', 'name', 'parent_directory_ref'})
assert (binary_obj['type'] == "file")
assert (binary_obj['name'] == "unsecapp.exe")
binary_parent_dir_obj = objects[binary_obj['parent_directory_ref']]
assert (binary_parent_dir_obj
is not None), "process binary parent directory ref not found"
assert (binary_parent_dir_obj['type'] == "directory")
assert (binary_parent_dir_obj['path'] == "C:\\Windows\\System32\\wbem")
process_parent_ref = process_obj['parent_ref']
assert (process_parent_ref in objects
), f"parent_ref with key {process_obj['parent_ref']} not found"
parent_obj = objects[process_parent_ref]
assert (parent_obj.keys() == {
'type', 'pid', 'binary_ref', 'command_line', 'name'
})
assert (parent_obj['type'] == "process")
assert (parent_obj['command_line'] ==
"C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p")
assert (parent_obj['pid'] == 1248)
assert (parent_obj['name'] == "svchost.exe")
binary_obj = objects[parent_obj['binary_ref']]
assert (binary_obj is not None), "process parent binary ref not found"
assert (binary_obj.keys() == {'type', 'name', 'parent_directory_ref'})
assert (binary_obj['type'] == "file")
assert (binary_obj['name'] == "svchost.exe")
binary_parent_dir_obj = objects[binary_obj['parent_directory_ref']]
assert (binary_parent_dir_obj is not None
), "process parent binary parent directory ref not found"
assert (binary_parent_dir_obj['type'] == "directory")
assert (binary_parent_dir_obj['path'] == "C:\\Windows\\System32")
file_ref = event_object['file_ref']
assert (file_ref in objects
), f"file_ref with key {event_object['file_ref']} not found"
file_obj = objects[file_ref]
assert (file_obj.keys() == {'type', 'name', 'parent_directory_ref'})
assert (file_obj['type'] == 'file')
assert (file_obj['name'] == "example.png")
parent_obj = objects[file_obj['parent_directory_ref']]
assert (parent_obj is not None), "file parent ref not found"
assert (parent_obj.keys() == {'type', 'path'})
assert (parent_obj['type'] == "directory")
assert (parent_obj['path'] == "/home/alice")
domain_ref = event_object['domain_ref']
assert (
domain_ref in objects
), f"domain_ref with key {event_object['domain_ref']} not found"
domain_obj = objects[domain_ref]
assert (domain_obj.keys() == {'type', 'value'})
assert (domain_obj['type'] == 'domain-name')
assert (domain_obj['value'] == "domain.com")
registry_ref = event_object['registry_ref']
assert (
registry_ref in objects
), f"registry_ref with key {event_object['registry_ref']} not found"
reg_obj = objects[registry_ref]
assert (reg_obj['type'] == 'windows-registry-key')
assert (reg_obj['key'] == 'HKEY_LOCAL_MACHINE\\a\\b\\c')
network_ref = event_object['network_ref']
assert (
network_ref in objects
), f"network_ref with key {event_object['network_ref']} not found"
nt_obj = objects[network_ref]
assert (nt_obj['type'] == 'network-traffic')
user_ref = event_object['user_ref']
assert (user_ref in objects
), f"user_ref with key {event_object['user_ref']} not found"
user_obj = objects[user_ref]
assert (user_obj['type'] == 'user-account')
assert (user_obj['user_id'] == 'USERNAME')
