def test_user_account_json_to_stix(self):
"""to test user-account stix object properties"""
data = {
'xdr_data': {
'actor_process_logon_id': '794419589',
'action_process_username': '******',
'actor_primary_username': '******',
'actor_primary_user_sid': 'S-1-5-18'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
user_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'user-account')
assert user_obj is not None
assert user_obj['type'] == 'user-account'
assert user_obj['user_id'] == "S-1-5-18"
assert user_obj['extensions']['x-paloalto-user'][
'process_user_name'] == 'EC2AMAZ-IQFSLIL\\Administrator'
def test_network_cim_to_stix(self):
count = 2
time = "2018-08-21T15:11:55.000+00:00"
user = "******"
dest_ip = "127.0.0.1"
dest_port = "8090"
src_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
src_port = "8080"
transport = "http"
data = {
"event_count": count,
"_time": time,
"user": user,
"dest_ip": dest_ip,
"dest_port": dest_port,
"src_ip": src_ip,
"src_port": src_port,
"protocol": transport
}
print(data)
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_obj = TestTransform.get_first_of_type(objects.values(),
'network-traffic')
assert (nt_obj is not None), 'network-traffic object type not found'
assert (nt_obj.keys() == {
'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols'
})
assert (nt_obj['src_port'] == 8080)
assert (nt_obj['dst_port'] == 8090)
assert (nt_obj['protocols'] == ['http'])
ip_ref = nt_obj['dst_ref']
assert (ip_ref
in objects), f"dst_ref with key {nt_obj['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == dest_ip)
ip_ref = nt_obj['src_ref']
assert (ip_ref
in objects), f"src_ref with key {nt_obj['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv6-addr')
assert (ip_obj['value'] == src_ip)
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'ProcessCreationEvents': {
'EventTime': '2019-09-20T06:57:11.8218304Z',
'MachineId': '8330ed311f1b21b861d63448984eb2632cc9c07c',
'ComputerName': 'desktop-536bt46',
'ActionType': 'ProcessCreated',
'FileName': 'consent.exe',
'FolderPath': 'C:\\Windows\\System32\\consent.exe',
'SHA1': '9329b2362078de27242dd4534f588af3264bf0bf',
'SHA256':
'8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6',
'MD5': '27992d7ebe51aec655a088de88bad5c9',
'ProcessId': 20948,
'ProcessCommandLine': 'consent.exe 10088 288 000001CB3AA92A80',
'ProcessIntegrityLevel': 'System',
'ProcessTokenElevation': 'TokenElevationTypeDefault',
'ProcessCreationTime': '2019-09-20T06:57:11.8212034Z',
'AccountDomain': 'nt authority',
'AccountName': 'system',
'AccountSid': 'S-1-5-18',
'LogonId': 999,
'InitiatingProcessAccountDomain': 'nt authority',
'InitiatingProcessAccountName': 'system',
'InitiatingProcessAccountSid': 'S-1-5-18',
'InitiatingProcessLogonId': 999,
'InitiatingProcessIntegrityLevel': 'System',
'InitiatingProcessTokenElevation': 'TokenElevationTypeDefault',
'InitiatingProcessSHA1':
'a1385ce20ad79f55df235effd9780c31442aa234',
'InitiatingProcessMD5': '8a0a29438052faed8a2532da50455756',
'InitiatingProcessFileName': 'svchost.exe',
'InitiatingProcessId': 10088,
'InitiatingProcessCommandLine':
'svchost.exe -k netsvcs -p -s Appinfo',
'InitiatingProcessCreationTime': '2019-09-18T05:56:15.268893Z',
'InitiatingProcessFolderPath':
'c:\\windows\\system32\\svchost.exe',
'InitiatingProcessParentId': 856,
'InitiatingProcessParentFileName': 'services.exe',
'InitiatingProcessParentCreationTime':
'2019-09-17T14:54:59.5778638Z',
'ReportId': 12048,
'rn': 1,
'event_count': '1'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_msatp']
assert custom_object.keys() == {'computer_name', 'machine_id'}
assert custom_object['computer_name'] == 'desktop-536bt46'
def test_mac_addr_json_to_stix(self):
"""
to test network stix object properties
"""
data = {
'computer_identity': '541866979-suse01',
'subQueryID': 1,
'local_address': '192.168.36.110',
'mac': '0a-ab-41-e0-89-f8',
'type': 'Address',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'src_ref'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'computer_identity': '1626351170-xlcr.hcl.local',
'subQueryID': 1,
'sha256hash':
'89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp',
'file_name': 'big42E1.tmp',
'file_size': '770',
'type': 'file',
'timestamp': '1567046172',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_bigfix_relevance']
assert custom_object.keys() == {'computer_identity'}
assert custom_object[
'computer_identity'] == '1626351170-xlcr.hcl.local'
def test_file_json_to_stix(self):
"""
to test file stix object properties
"""
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file',
'timestamp': '1567046172', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
file_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'file')
assert file_obj is not None, 'file object type not found'
assert file_obj.keys() == {'type', 'hashes', 'parent_directory_ref', 'name', 'size'}
assert file_obj['type'] == 'file'
assert file_obj['name'] == 'big42E1.tmp'
assert file_obj['hashes'] == {'SHA-256': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'SHA-1': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'MD5': '958d9ba84826e48094e361102a272fd6'}
assert file_obj['parent_directory_ref'] == '2'
assert file_obj['size'] == 770
def test_network_json_to_stix_negative():
"""to test negative test case for stix object"""
data = {"other_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": ""
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, data, get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'file')
assert network_obj is None
def test_event_json_to_stix(self):
"""to test custom event stix object properties"""
data = {
'xdr_data': {
'event_id': 'OTE0MTk5MTg2MDI1NzUyODc0NQ==',
'event_timestamp': 164632333729,
'event_version': 25,
'event_rpc_interface_uuid':
'{00000136-0000-0000-C000-000000000046}',
'event_type': 'EVENT_LOG'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
event_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'x-oca-event')
assert event_obj is not None
assert event_obj['code'] == "OTE0MTk5MTg2MDI1NzUyODc0NQ=="
assert event_obj['created'] == '1975-03-21T11:12:13.729Z'
assert event_obj['extensions']['x-paloalto-event']['version'] == 25
assert event_obj['extensions']['x-paloalto-event'][
'uuid'] == '{00000136-0000-0000-C000-000000000046}'
assert event_obj['category'] == ["event_log"]
def test_custom_network_json_to_stix(self):
"""to test custom network stix object properties"""
data = {
'xdr_data': {
'action_network_creation_time': 164632333729,
'action_network_connection_id': 'AdgAsdUgVlUAAAbYAAAAAA==',
'action_proxy': 'FALSE',
'action_external_hostname': 'Windows 8'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None
assert network_obj['extensions']['x-paloalto-network'][
'creation_time'] == '1975-03-21T11:12:13.729Z'
assert network_obj['extensions']['x-paloalto-network'][
'connection_id'] == "AdgAsdUgVlUAAAbYAAAAAA=="
assert network_obj['extensions']['x-paloalto-network'][
'is_proxy'] == False
assert network_obj['extensions']['x-paloalto-network'][
'external_hostname'] == 'Windows 8'
def test_custom_file_json_to_stix(self):
"""to test custom file stix object properties"""
data = {
'xdr_data': {
'action_file_extension': 'json',
'action_file_attributes': 128,
'action_file_last_writer_actor': 'AdgAsdUgVlUAAAbYAAAAAA==',
'action_file_signature_status': 3,
'action_file_type': 18,
'manifest_file_version': 5
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
custom_file_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'file')
assert custom_file_obj is not None
assert custom_file_obj['type'] == 'file'
assert custom_file_obj['extensions']['x-paloalto-file'][
'extension'] == "json"
assert custom_file_obj['extensions']['x-paloalto-file'][
'attributes'] == 128
assert custom_file_obj['extensions']['x-paloalto-file'][
'writer'] == "AdgAsdUgVlUAAAbYAAAAAA=="
assert custom_file_obj['extensions']['x-paloalto-file'][
'manifest_version'] == 5
def test_evtlog_json_to_stix(self):
"""to test custom evtlog stix object properties"""
data = {
'xdr_data': {
'action_evtlog_description': 'An account was logged off',
'action_evtlog_source': 3,
'action_evtlog_event_id': 4625,
'action_evtlog_uid': 'S-1-5-19',
'action_evtlog_level': 'INFO',
'action_evtlog_version': 2
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
evtlog_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'x-paloalto-evtlog')
assert evtlog_obj is not None
assert evtlog_obj['type'] == 'x-paloalto-evtlog'
assert evtlog_obj['description'] == "An account was logged off"
assert evtlog_obj['source'] == 3
assert evtlog_obj['evtlog_id'] == 4625
assert evtlog_obj['uid'] == "S-1-5-19"
assert evtlog_obj['level'] == "INFO"
def test_url_json_to_stix(self):
"""to test url stix object properties"""
data = {
'xdr_data': {
'dst_action_url_category': 'https://paloalto/index.com'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
url_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'url')
assert url_obj is not None
assert url_obj['type'] == 'url'
assert url_obj['value'] == 'https://paloalto/index.com'
def test_windows_registry_key_json_to_stix(self):
"""to test windows registry stix object properties"""
data = {
'xdr_data': {
'action_registry_key_name':
'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt'
'\\Enum',
'action_registry_value_name':
'Start'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
windows_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'windows-registry-key')
assert windows_obj is not None
assert windows_obj['type'] == 'windows-registry-key'
assert windows_obj[
'key'] == 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\terminpt\\Enum'
assert windows_obj['values'] == [{'name': 'Start'}]
def test_domain_name_json_to_stix(self):
"""to test domain-name stix object properties"""
data = {
'xdr_data': {
'auth_domain': 'dl.delivery.mp.microsoft.com',
'dst_host_metadata_domain':
'8.tlu.dl.delivery.mp.microsoft.com',
'host_metadata_domain': '7.tlu.dl.delivery.mp.microsoft.com'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
domain_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'domain-name')
assert domain_obj is not None
assert domain_obj['type'] == 'domain-name'
assert domain_obj['value'] == 'dl.delivery.mp.microsoft.com'
def test_common_prop_without_timestamp_data(self):
"""
to test the common stix object properties where no timestamp data field in results
"""
options = {"unmapped_fallback": True}
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
def test_url_json_to_stix(self):
"""
to test url stix object properties
"""
data = {
'Proxy': {
'elementDisplayName': 'w7-cbr-se2',
'discoveryType': '',
'host': 't-ring.msedge.net',
'ipAddress': '172.22.32.1',
'pacUrl': 'c1.rfihub.net',
'port': '9443'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
proxy_obj = TestCybereasonResultsToStix.get_first_of_type(
objects.values(), 'url')
assert proxy_obj is not None
assert proxy_obj.keys() == {'type', 'value'}
assert proxy_obj['type'] == 'url'
assert proxy_obj['value'] == 'c1.rfihub.net'
def test_common_prop(self):
"""
to test the common stix object properties
"""
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file',
'timestamp': '1567046172', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
def test_x_oca_event_network_ref(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options,
callback=hash_type_lookup)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
# validated_result = validate_instance(observed_data)
# assert(validated_result.is_valid is True)
self.assertTrue('objects' in observed_data, "non-empty objects is expected")
objects = observed_data['objects']
object_vals = objects.values()
x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event')
network_ref = x_oca_event.get("network_ref")
self.assertIsNotNone(network_ref)
network_ref_obj = objects.get(network_ref)
self.assertIsNotNone(network_ref_obj)
self.assertEqual(56109, network_ref_obj['src_port'])
self.assertEqual(9389, network_ref_obj['dst_port'])
src_ip_obj = objects[network_ref_obj['src_ref']]
dst_ip_obj = objects[network_ref_obj['dst_ref']]
self.assertEqual("ipv4-addr", src_ip_obj['type'])
self.assertEqual("ipv4-addr", dst_ip_obj['type'])
self.assertEqual(src_ip_obj['value'], '123.123.123.123')
self.assertEqual(dst_ip_obj['value'], '1.1.1.1')
def test_network_json_to_stix():
"""to test network stix object properties"""
data = {"network_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497", "transportProtocol": "TCP",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "", "protocols": ["TCP"]
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'dst_port', 'dst_ref', 'src_ref', 'protocols'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['dst_port'] == 22
assert network_obj['protocols'] == ['tcp']
assert network_obj['src_ref'] == '14'
def test_x_oca_event_file_ref(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options,
callback=hash_type_lookup)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
# validated_result = validate_instance(observed_data)
# self.assertTrue(validated_result.is_valid)
self.assertTrue('objects' in observed_data, "non-empty objects is expected")
objects = observed_data['objects']
object_vals = objects.values()
x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event')
file_ref = x_oca_event.get("file_ref")
self.assertIsNotNone(file_ref)
file_ref_obj = objects.get(file_ref)
self.assertIsNotNone(file_ref_obj)
self.assertEqual("file", file_ref_obj['type'])
self.assertEqual("powershell.exe", file_ref_obj['name'])
parent_directory_obj = objects[file_ref_obj['parent_directory_ref']]
self.assertEqual("directory", parent_directory_obj['type'])
self.assertEqual("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_directory_obj['path'])
def test_common_prop():
"""to test the common stix object properties"""
data = {"network_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": ""
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
def test_common_prop(self):
"""
to test the common stix object properties
"""
data = {
'createTime': '2019-10-31T11:15:55.099615Z',
'updateTime': '2019-10-31T11:15:55.099635Z',
'occurence_count': 1
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source[
'identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['first_observed'] is not None
assert (observed_data['first_observed'] == data['createTime'])
assert observed_data['last_observed'] is not None
assert (observed_data['last_observed'] == data['updateTime'])
assert observed_data['number_observed'] is not None
assert (observed_data['number_observed'] == data['occurence_count'])
def test_network_json_to_stix_negative(self):
"""
to test negative test case for stix object
"""
data = {
'computer_identity': '550872812-WIN-N11M78AV7BP',
'subQueryID': 1,
'local_address': '192.168.36.10',
'local_port': '139',
'process_ppid': '0',
'process_user': '******',
'timestamp': '1565875693',
'process_name': 'System',
'process_id': '4',
'type': 'Socket',
'protocol': 'udp',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, data, get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'file')
assert network_obj is None
def test_cybox_observables(self):
data = {
'author_id': 'IBMid-123',
'email': '*****@*****.**',
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'user-account')
assert (curr_obj is not None), 'user-account object type not found'
assert (curr_obj.keys() == {'type', 'user_id'})
assert (curr_obj['user_id'] == data['author_id'])
curr_obj = TestSecurityAdvisorResultsToStix.get_first_of_type(
objects.values(), 'email-addr')
assert (curr_obj is not None), 'eamil-addr object type not found'
assert (curr_obj.keys() == {'type', 'value'})
assert (curr_obj['value'] == data['email'])
def test_certificate_cim_to_stix(self):
count = 1
time = "2018-08-21T15:11:55.000+00:00"
serial = "1234"
version = "1"
sig_algorithm = "md5WithRSAEncryption"
key_algorithm = "rsaEncryption"
issuer = "C=US, ST=California, O=www.example.com, OU=new, CN=new"
subject = "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
ssl_hash = "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
data = {
"event_count": count,
"_time": time,
"ssl_serial": serial,
"ssl_version": version,
"ssl_signature_algorithm": sig_algorithm,
"ssl_issuer": issuer,
"ssl_subject": subject,
"ssl_hash": ssl_hash,
"ssl_publickey_algorithm": key_algorithm
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
# Test objects in Stix observable data model after transform
cert_obj = TestTransform.get_first_of_type(objects.values(),
'x509-certificate')
assert (cert_obj is not None), 'x509-certificate object type not found'
assert (cert_obj.keys() == {
'type', 'serial_number', 'version', "signature_algorithm",
"subject_public_key_algorithm", "issuer", "subject", "hashes"
})
assert (cert_obj['serial_number'] == "1234")
assert (cert_obj['version'] == "1")
assert (cert_obj['signature_algorithm'] == "md5WithRSAEncryption")
assert (cert_obj['issuer'] ==
"C=US, ST=California, O=www.example.com, OU=new, CN=new")
assert (
cert_obj['subject'] ==
"C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
)
assert (cert_obj['subject_public_key_algorithm'] == "rsaEncryption")
assert (
cert_obj['hashes']['SHA-256'] ==
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f")
assert (objects.keys() == set(map(str, range(0, 1))))
def test_process_json_to_stix(self):
"""
to test process stix object properties
"""
data = {'computer_identity': '13476923-archlinux', 'subQueryID': 1,
'sha256hash': '2f2f74f4083b95654a742a56a6c7318f3ab378c94b69009ceffc200fbc22d4d8',
'sha1hash': '0c8e8b1d4eb31e1e046fea1f1396ff85068a4c4a', 'md5hash': '148fd5f2a448b69a9f21d4c92098c4ca',
'file_path': '/usr/lib/systemd/systemd', 'process_ppid': '0', 'process_user': '******',
'timestamp': '1565616101', 'process_name': 'systemd', 'process_id': '1', 'file_size': '1468376',
'type': 'process', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
process_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'process')
assert process_obj is not None, 'process object type not found'
assert process_obj.keys() == {'type', 'binary_ref', 'parent_ref', 'creator_user_ref', 'name', 'pid'}
assert process_obj['type'] == 'process'
assert process_obj['name'] == 'systemd'
assert process_obj['pid'] == 1
assert process_obj['binary_ref'] == '1'
assert process_obj['parent_ref'] == '4'
assert process_obj['creator_user_ref'] == '5'
def test_common_prop(self):
data = {"_time": "2018-08-21T15:11:55.000+00:00", "event_count": 5}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] is not None)
assert (observed_data['last_observed'] is not None)
def test_network_json_to_stix(self):
"""
to test network stix object properties
"""
data = {'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10',
'local_port': '139', 'process_ppid': '0', 'process_user': '******',
'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket',
'protocol': 'udp', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'src_ref', 'src_port', 'protocols'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '1'
assert network_obj['src_port'] == 139
assert network_obj['protocols'] == ['udp']
def test_file_prop(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert ('objects' in observed_data)
objects = observed_data['objects']
file_object = TestElasticEcsTransform.get_first(
objects.values(), lambda o: type(o) == dict and o.get('type') ==
'file' and o.get('name') == 'example.png')
assert (file_object is not None), 'file object type not found'
assert (file_object.keys() == {'type', 'name', 'parent_directory_ref'})
assert (file_object['type'] == 'file')
assert (file_object['name'] == 'example.png')
parent_directory_ref = file_object['parent_directory_ref']
assert (
parent_directory_ref in objects
), f"parent_directory_ref with key {objects['parent_directory_ref']} not found"
parent_obj = objects[parent_directory_ref]
assert (parent_obj['type'] == "directory")
assert (parent_obj['path'] == "/home/alice")
def test_network_json_to_stix():
"""
to test network stix object properties
"""
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [DATA2], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestAzureSentinelResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {
'type', 'dst_ref', 'dst_port', 'protocols', 'src_ref', 'src_port'
}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_port'] == 9475
assert network_obj['dst_port'] == 22
assert network_obj['protocols'] == ['tcp']
assert network_obj['src_ref'] == '7'
assert network_obj['dst_ref'] == '5'
