def test_user_account_json_to_stix(self): """to test user-account stix object properties""" data = { 'xdr_data': { 'actor_process_logon_id': '794419589', 'action_process_username': '******', 'actor_primary_username': '******', 'actor_primary_user_sid': 'S-1-5-18' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] user_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'user-account') assert user_obj is not None assert user_obj['type'] == 'user-account' assert user_obj['user_id'] == "S-1-5-18" assert user_obj['extensions']['x-paloalto-user'][ 'process_user_name'] == 'EC2AMAZ-IQFSLIL\\Administrator'
def test_network_cim_to_stix(self): count = 2 time = "2018-08-21T15:11:55.000+00:00" user = "******" dest_ip = "127.0.0.1" dest_port = "8090" src_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334" src_port = "8080" transport = "http" data = { "event_count": count, "_time": time, "user": user, "dest_ip": dest_ip, "dest_port": dest_port, "src_ip": src_ip, "src_port": src_port, "protocol": transport } print(data) result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] validated_result = validate_instance(observed_data) assert (validated_result.is_valid == True) assert ('objects' in observed_data) objects = observed_data['objects'] nt_obj = TestTransform.get_first_of_type(objects.values(), 'network-traffic') assert (nt_obj is not None), 'network-traffic object type not found' assert (nt_obj.keys() == { 'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols' }) assert (nt_obj['src_port'] == 8080) assert (nt_obj['dst_port'] == 8090) assert (nt_obj['protocols'] == ['http']) ip_ref = nt_obj['dst_ref'] assert (ip_ref in objects), f"dst_ref with key {nt_obj['dst_ref']} not found" ip_obj = objects[ip_ref] assert (ip_obj.keys() == {'type', 'value'}) assert (ip_obj['type'] == 'ipv4-addr') assert (ip_obj['value'] == dest_ip) ip_ref = nt_obj['src_ref'] assert (ip_ref in objects), f"src_ref with key {nt_obj['src_ref']} not found" ip_obj = objects[ip_ref] assert (ip_obj.keys() == {'type', 'value'}) assert (ip_obj['type'] == 'ipv6-addr') assert (ip_obj['value'] == src_ip)
def test_custom_property(self): """ to test the custom stix object properties """ data = { 'ProcessCreationEvents': { 'EventTime': '2019-09-20T06:57:11.8218304Z', 'MachineId': '8330ed311f1b21b861d63448984eb2632cc9c07c', 'ComputerName': 'desktop-536bt46', 'ActionType': 'ProcessCreated', 'FileName': 'consent.exe', 'FolderPath': 'C:\\Windows\\System32\\consent.exe', 'SHA1': '9329b2362078de27242dd4534f588af3264bf0bf', 'SHA256': '8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6', 'MD5': '27992d7ebe51aec655a088de88bad5c9', 'ProcessId': 20948, 'ProcessCommandLine': 'consent.exe 10088 288 000001CB3AA92A80', 'ProcessIntegrityLevel': 'System', 'ProcessTokenElevation': 'TokenElevationTypeDefault', 'ProcessCreationTime': '2019-09-20T06:57:11.8212034Z', 'AccountDomain': 'nt authority', 'AccountName': 'system', 'AccountSid': 'S-1-5-18', 'LogonId': 999, 'InitiatingProcessAccountDomain': 'nt authority', 'InitiatingProcessAccountName': 'system', 'InitiatingProcessAccountSid': 'S-1-5-18', 'InitiatingProcessLogonId': 999, 'InitiatingProcessIntegrityLevel': 'System', 'InitiatingProcessTokenElevation': 'TokenElevationTypeDefault', 'InitiatingProcessSHA1': 'a1385ce20ad79f55df235effd9780c31442aa234', 'InitiatingProcessMD5': '8a0a29438052faed8a2532da50455756', 'InitiatingProcessFileName': 'svchost.exe', 'InitiatingProcessId': 10088, 'InitiatingProcessCommandLine': 'svchost.exe -k netsvcs -p -s Appinfo', 'InitiatingProcessCreationTime': '2019-09-18T05:56:15.268893Z', 'InitiatingProcessFolderPath': 'c:\\windows\\system32\\svchost.exe', 'InitiatingProcessParentId': 856, 'InitiatingProcessParentFileName': 'services.exe', 'InitiatingProcessParentCreationTime': '2019-09-17T14:54:59.5778638Z', 'ReportId': 12048, 'rn': 1, 'event_count': '1' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] custom_object = observed_data['x_msatp'] assert custom_object.keys() == {'computer_name', 'machine_id'} assert custom_object['computer_name'] == 'desktop-536bt46'
def test_mac_addr_json_to_stix(self): """ to test network stix object properties """ data = { 'computer_identity': '541866979-suse01', 'subQueryID': 1, 'local_address': '192.168.36.110', 'mac': '0a-ab-41-e0-89-f8', 'type': 'Address', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type( objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'src_ref'} assert network_obj['type'] == 'network-traffic' assert network_obj['src_ref'] == '0'
def test_custom_property(self): """ to test the custom stix object properties """ data = { 'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] custom_object = observed_data['x_bigfix_relevance'] assert custom_object.keys() == {'computer_identity'} assert custom_object[ 'computer_identity'] == '1626351170-xlcr.hcl.local'
def test_file_json_to_stix(self): """ to test file stix object properties """ data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] file_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'file') assert file_obj is not None, 'file object type not found' assert file_obj.keys() == {'type', 'hashes', 'parent_directory_ref', 'name', 'size'} assert file_obj['type'] == 'file' assert file_obj['name'] == 'big42E1.tmp' assert file_obj['hashes'] == {'SHA-256': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'SHA-1': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'MD5': '958d9ba84826e48094e361102a272fd6'} assert file_obj['parent_directory_ref'] == '2' assert file_obj['size'] == 770
def test_network_json_to_stix_negative(): """to test negative test case for stix object""" data = {"other_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "" }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, data, get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'file') assert network_obj is None
def test_event_json_to_stix(self): """to test custom event stix object properties""" data = { 'xdr_data': { 'event_id': 'OTE0MTk5MTg2MDI1NzUyODc0NQ==', 'event_timestamp': 164632333729, 'event_version': 25, 'event_rpc_interface_uuid': '{00000136-0000-0000-C000-000000000046}', 'event_type': 'EVENT_LOG' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] event_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'x-oca-event') assert event_obj is not None assert event_obj['code'] == "OTE0MTk5MTg2MDI1NzUyODc0NQ==" assert event_obj['created'] == '1975-03-21T11:12:13.729Z' assert event_obj['extensions']['x-paloalto-event']['version'] == 25 assert event_obj['extensions']['x-paloalto-event'][ 'uuid'] == '{00000136-0000-0000-C000-000000000046}' assert event_obj['category'] == ["event_log"]
def test_custom_network_json_to_stix(self): """to test custom network stix object properties""" data = { 'xdr_data': { 'action_network_creation_time': 164632333729, 'action_network_connection_id': 'AdgAsdUgVlUAAAbYAAAAAA==', 'action_proxy': 'FALSE', 'action_external_hostname': 'Windows 8' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'network-traffic') assert network_obj is not None assert network_obj['extensions']['x-paloalto-network'][ 'creation_time'] == '1975-03-21T11:12:13.729Z' assert network_obj['extensions']['x-paloalto-network'][ 'connection_id'] == "AdgAsdUgVlUAAAbYAAAAAA==" assert network_obj['extensions']['x-paloalto-network'][ 'is_proxy'] == False assert network_obj['extensions']['x-paloalto-network'][ 'external_hostname'] == 'Windows 8'
def test_custom_file_json_to_stix(self): """to test custom file stix object properties""" data = { 'xdr_data': { 'action_file_extension': 'json', 'action_file_attributes': 128, 'action_file_last_writer_actor': 'AdgAsdUgVlUAAAbYAAAAAA==', 'action_file_signature_status': 3, 'action_file_type': 18, 'manifest_file_version': 5 } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] custom_file_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'file') assert custom_file_obj is not None assert custom_file_obj['type'] == 'file' assert custom_file_obj['extensions']['x-paloalto-file'][ 'extension'] == "json" assert custom_file_obj['extensions']['x-paloalto-file'][ 'attributes'] == 128 assert custom_file_obj['extensions']['x-paloalto-file'][ 'writer'] == "AdgAsdUgVlUAAAbYAAAAAA==" assert custom_file_obj['extensions']['x-paloalto-file'][ 'manifest_version'] == 5
def test_evtlog_json_to_stix(self): """to test custom evtlog stix object properties""" data = { 'xdr_data': { 'action_evtlog_description': 'An account was logged off', 'action_evtlog_source': 3, 'action_evtlog_event_id': 4625, 'action_evtlog_uid': 'S-1-5-19', 'action_evtlog_level': 'INFO', 'action_evtlog_version': 2 } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] evtlog_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'x-paloalto-evtlog') assert evtlog_obj is not None assert evtlog_obj['type'] == 'x-paloalto-evtlog' assert evtlog_obj['description'] == "An account was logged off" assert evtlog_obj['source'] == 3 assert evtlog_obj['evtlog_id'] == 4625 assert evtlog_obj['uid'] == "S-1-5-19" assert evtlog_obj['level'] == "INFO"
def test_url_json_to_stix(self): """to test url stix object properties""" data = { 'xdr_data': { 'dst_action_url_category': 'https://paloalto/index.com' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] url_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'url') assert url_obj is not None assert url_obj['type'] == 'url' assert url_obj['value'] == 'https://paloalto/index.com'
def test_windows_registry_key_json_to_stix(self): """to test windows registry stix object properties""" data = { 'xdr_data': { 'action_registry_key_name': 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt' '\\Enum', 'action_registry_value_name': 'Start' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] windows_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'windows-registry-key') assert windows_obj is not None assert windows_obj['type'] == 'windows-registry-key' assert windows_obj[ 'key'] == 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt\\Enum' assert windows_obj['values'] == [{'name': 'Start'}]
def test_domain_name_json_to_stix(self): """to test domain-name stix object properties""" data = { 'xdr_data': { 'auth_domain': 'dl.delivery.mp.microsoft.com', 'dst_host_metadata_domain': '8.tlu.dl.delivery.mp.microsoft.com', 'host_metadata_domain': '7.tlu.dl.delivery.mp.microsoft.com' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] domain_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'domain-name') assert domain_obj is not None assert domain_obj['type'] == 'domain-name' assert domain_obj['value'] == 'dl.delivery.mp.microsoft.com'
def test_common_prop_without_timestamp_data(self): """ to test the common stix object properties where no timestamp data field in results """ options = {"unmapped_fallback": True} data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None
def test_url_json_to_stix(self): """ to test url stix object properties """ data = { 'Proxy': { 'elementDisplayName': 'w7-cbr-se2', 'discoveryType': '', 'host': 't-ring.msedge.net', 'ipAddress': '172.22.32.1', 'pacUrl': 'c1.rfihub.net', 'port': '9443' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] proxy_obj = TestCybereasonResultsToStix.get_first_of_type( objects.values(), 'url') assert proxy_obj is not None assert proxy_obj.keys() == {'type', 'value'} assert proxy_obj['type'] == 'url' assert proxy_obj['value'] == 'c1.rfihub.net'
def test_common_prop(self): """ to test the common stix object properties """ data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None
def test_x_oca_event_network_ref(self): result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options, callback=hash_type_lookup) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] # validated_result = validate_instance(observed_data) # assert(validated_result.is_valid is True) self.assertTrue('objects' in observed_data, "non-empty objects is expected") objects = observed_data['objects'] object_vals = objects.values() x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event') network_ref = x_oca_event.get("network_ref") self.assertIsNotNone(network_ref) network_ref_obj = objects.get(network_ref) self.assertIsNotNone(network_ref_obj) self.assertEqual(56109, network_ref_obj['src_port']) self.assertEqual(9389, network_ref_obj['dst_port']) src_ip_obj = objects[network_ref_obj['src_ref']] dst_ip_obj = objects[network_ref_obj['dst_ref']] self.assertEqual("ipv4-addr", src_ip_obj['type']) self.assertEqual("ipv4-addr", dst_ip_obj['type']) self.assertEqual(src_ip_obj['value'], '123.123.123.123') self.assertEqual(dst_ip_obj['value'], '1.1.1.1')
def test_network_json_to_stix(): """to test network stix object properties""" data = {"network_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "transportProtocol": "TCP", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "", "protocols": ["TCP"] }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'dst_port', 'dst_ref', 'src_ref', 'protocols'} assert network_obj['type'] == 'network-traffic' assert network_obj['dst_port'] == 22 assert network_obj['protocols'] == ['tcp'] assert network_obj['src_ref'] == '14'
def test_x_oca_event_file_ref(self): result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options, callback=hash_type_lookup) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] # validated_result = validate_instance(observed_data) # self.assertTrue(validated_result.is_valid) self.assertTrue('objects' in observed_data, "non-empty objects is expected") objects = observed_data['objects'] object_vals = objects.values() x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event') file_ref = x_oca_event.get("file_ref") self.assertIsNotNone(file_ref) file_ref_obj = objects.get(file_ref) self.assertIsNotNone(file_ref_obj) self.assertEqual("file", file_ref_obj['type']) self.assertEqual("powershell.exe", file_ref_obj['name']) parent_directory_obj = objects[file_ref_obj['parent_directory_ref']] self.assertEqual("directory", parent_directory_obj['type']) self.assertEqual("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_directory_obj['path'])
def test_common_prop(): """to test the common stix object properties""" data = {"network_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "" }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None
def test_common_prop(self): """ to test the common stix object properties """ data = { 'createTime': '2019-10-31T11:15:55.099615Z', 'updateTime': '2019-10-31T11:15:55.099635Z', 'occurence_count': 1 } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source[ 'identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['first_observed'] is not None assert (observed_data['first_observed'] == data['createTime']) assert observed_data['last_observed'] is not None assert (observed_data['last_observed'] == data['updateTime']) assert observed_data['number_observed'] is not None assert (observed_data['number_observed'] == data['occurence_count'])
def test_network_json_to_stix_negative(self): """ to test negative test case for stix object """ data = { 'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10', 'local_port': '139', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket', 'protocol': 'udp', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, data, get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type( objects.values(), 'file') assert network_obj is None
def test_cybox_observables(self): data = { 'author_id': 'IBMid-123', 'email': '*****@*****.**', } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] assert ('objects' in observed_data) objects = observed_data['objects'] curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type( objects.values(), 'user-account') assert (curr_obj is not None), 'user-account object type not found' assert (curr_obj.keys() == {'type', 'user_id'}) assert (curr_obj['user_id'] == data['author_id']) curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type( objects.values(), 'email-addr') assert (curr_obj is not None), 'eamil-addr object type not found' assert (curr_obj.keys() == {'type', 'value'}) assert (curr_obj['value'] == data['email'])
def test_certificate_cim_to_stix(self): count = 1 time = "2018-08-21T15:11:55.000+00:00" serial = "1234" version = "1" sig_algorithm = "md5WithRSAEncryption" key_algorithm = "rsaEncryption" issuer = "C=US, ST=California, O=www.example.com, OU=new, CN=new" subject = "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]" ssl_hash = "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f" data = { "event_count": count, "_time": time, "ssl_serial": serial, "ssl_version": version, "ssl_signature_algorithm": sig_algorithm, "ssl_issuer": issuer, "ssl_subject": subject, "ssl_hash": ssl_hash, "ssl_publickey_algorithm": key_algorithm } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] validated_result = validate_instance(observed_data) assert (validated_result.is_valid == True) assert ('objects' in observed_data) objects = observed_data['objects'] # Test objects in Stix observable data model after transform cert_obj = TestTransform.get_first_of_type(objects.values(), 'x509-certificate') assert (cert_obj is not None), 'x509-certificate object type not found' assert (cert_obj.keys() == { 'type', 'serial_number', 'version', "signature_algorithm", "subject_public_key_algorithm", "issuer", "subject", "hashes" }) assert (cert_obj['serial_number'] == "1234") assert (cert_obj['version'] == "1") assert (cert_obj['signature_algorithm'] == "md5WithRSAEncryption") assert (cert_obj['issuer'] == "C=US, ST=California, O=www.example.com, OU=new, CN=new") assert ( cert_obj['subject'] == "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]" ) assert (cert_obj['subject_public_key_algorithm'] == "rsaEncryption") assert ( cert_obj['hashes']['SHA-256'] == "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f") assert (objects.keys() == set(map(str, range(0, 1))))
def test_process_json_to_stix(self): """ to test process stix object properties """ data = {'computer_identity': '13476923-archlinux', 'subQueryID': 1, 'sha256hash': '2f2f74f4083b95654a742a56a6c7318f3ab378c94b69009ceffc200fbc22d4d8', 'sha1hash': '0c8e8b1d4eb31e1e046fea1f1396ff85068a4c4a', 'md5hash': '148fd5f2a448b69a9f21d4c92098c4ca', 'file_path': '/usr/lib/systemd/systemd', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565616101', 'process_name': 'systemd', 'process_id': '1', 'file_size': '1468376', 'type': 'process', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] process_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'process') assert process_obj is not None, 'process object type not found' assert process_obj.keys() == {'type', 'binary_ref', 'parent_ref', 'creator_user_ref', 'name', 'pid'} assert process_obj['type'] == 'process' assert process_obj['name'] == 'systemd' assert process_obj['pid'] == 1 assert process_obj['binary_ref'] == '1' assert process_obj['parent_ref'] == '4' assert process_obj['creator_user_ref'] == '5'
def test_common_prop(self): data = {"_time": "2018-08-21T15:11:55.000+00:00", "event_count": 5} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert (result_bundle_identity['type'] == data_source['type']) assert (result_bundle_identity['id'] == data_source['id']) assert (result_bundle_identity['name'] == data_source['name']) assert (result_bundle_identity['identity_class'] == data_source['identity_class']) observed_data = result_bundle_objects[1] assert (observed_data['id'] is not None) assert (observed_data['type'] == "observed-data") assert ( observed_data['created_by_ref'] == result_bundle_identity['id']) assert (observed_data['number_observed'] == 5) assert (observed_data['created'] is not None) assert (observed_data['modified'] is not None) assert (observed_data['first_observed'] is not None) assert (observed_data['last_observed'] is not None)
def test_network_json_to_stix(self): """ to test network stix object properties """ data = {'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10', 'local_port': '139', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket', 'protocol': 'udp', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'src_ref', 'src_port', 'protocols'} assert network_obj['type'] == 'network-traffic' assert network_obj['src_ref'] == '1' assert network_obj['src_port'] == 139 assert network_obj['protocols'] == ['udp']
def test_file_prop(self): result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] assert ('objects' in observed_data) objects = observed_data['objects'] file_object = TestElasticEcsTransform.get_first( objects.values(), lambda o: type(o) == dict and o.get('type') == 'file' and o.get('name') == 'example.png') assert (file_object is not None), 'file object type not found' assert (file_object.keys() == {'type', 'name', 'parent_directory_ref'}) assert (file_object['type'] == 'file') assert (file_object['name'] == 'example.png') parent_directory_ref = file_object['parent_directory_ref'] assert ( parent_directory_ref in objects ), f"parent_directory_ref with key {objects['parent_directory_ref']} not found" parent_obj = objects[parent_directory_ref] assert (parent_obj['type'] == "directory") assert (parent_obj['path'] == "/home/alice")
def test_network_json_to_stix(): """ to test network stix object properties """ result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [DATA2], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestAzureSentinelResultsToStix.get_first_of_type( objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == { 'type', 'dst_ref', 'dst_port', 'protocols', 'src_ref', 'src_port' } assert network_obj['type'] == 'network-traffic' assert network_obj['src_port'] == 9475 assert network_obj['dst_port'] == 22 assert network_obj['protocols'] == ['tcp'] assert network_obj['src_ref'] == '7' assert network_obj['dst_ref'] == '5'