def test_mac_address_query(self): interface = qradar_translator.Translator() input_arguments = "[mac-addr:value = '00-00-5E-00-53-00']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE (sourcemac = '00-00-5E-00-53-00' OR destinationmac = '00-00-5E-00-53-00')"
def test_user_account_query(self): interface = qradar_translator.Translator() input_arguments = "[user-account:user_id = 'root']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE username = '******'"
def test_file_query(self): # TODO: Add support for file hashes. Unsure at this point how QRadar queries them interface = qradar_translator.Translator() input_arguments = "[file:name = 'some_file.exe']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + " FROM events WHERE filename = 'some_file.exe'"
def test_domain_query(self): interface = qradar_translator.Translator() input_arguments = "[domain-name:value = 'example.com']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE domainname = 'example.com'"
def test_ipv6_query(self): interface = qradar_translator.Translator() input_arguments = "[ipv6-addr:value = '192.168.122.83']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE (sourceip = '192.168.122.83' OR destinationip = '192.168.122.83' OR identityip = '192.168.122.83')"
def test_url_query(self): interface = qradar_translator.Translator() input_arguments = "[url:value = 'http://www.testaddress.com']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE url = 'http://www.testaddress.com'"
def test_artifact_queries(self): interface = qradar_translator.Translator() input_arguments = "[artifact:payload_bin matches 'some text']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE payload MATCHES '.*some text.*'"
def test_network_traffic_start_stop(self): interface = qradar_translator.Translator() input_arguments = "[network-traffic:'start' = '2018-06-14T08:36:24.000Z' or network-traffic:end = '2018-06-14T08:36:24.000Z']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + \ " FROM events WHERE endtime = '1528965384' OR starttime = '1528965384'"
def test_invalid_stix_pattern(self): stix_validation_exception = base_translator.StixValidationException interface = qradar_translator.Translator() input_arguments = "[not_a_valid_pattern]" options = {} self.assertRaises( stix_validation_exception, lambda: interface.transform_query(input_arguments, options))
def test_query_from_multiple_comparison_expressions_joined_by_and(self): interface = qradar_translator.Translator() input_arguments = "[domain-name:value = 'example.com' and mac-addr:value = '00-00-5E-00-53-00']" options = {} query = interface.transform_query(input_arguments, options) # Expect the STIX and to convert to an AQL AND. assert query == selections + \ " FROM events WHERE (sourcemac = '00-00-5E-00-53-00' OR destinationmac = '00-00-5E-00-53-00') AND domainname = 'example.com'"
def test_unmapped_attribute(self): data_mapping_exception = DataMappingException interface = qradar_translator.Translator() input_arguments = "[network-traffic:some_invalid_attribute = 'whatever']" options = {} self.assertRaises( data_mapping_exception, lambda: interface.transform_query(input_arguments, options))
def test_network_traffic_protocols(self): interface = qradar_translator.Translator() for key, value in protocols.items(): # Test for both upper and lower case protocols in the STIX pattern if random.randint(0, 1) == 0: key = key.upper() input_arguments = "[network-traffic:protocols[*] = '" + key + "']" options = {} query = interface.transform_query(input_arguments, options) assert query == selections + " FROM events WHERE protocolid = '" + value + "'"
def test_url_query(self): interface = qradar_translator.Translator() input_arguments = "[url:value = 'http://www.testaddress.com']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE url = 'http://www.testaddress.com'" parsed_stix = [{ 'attribute': 'url:value', 'comparison_operator': '=', 'value': 'http://www.testaddress.com' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_domain_query(self): interface = qradar_translator.Translator() input_arguments = "[domain-name:value = 'example.com']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE domainname = 'example.com'" parsed_stix = [{ 'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_ipv6_query(self): interface = qradar_translator.Translator() input_arguments = "[ipv6-addr:value = '192.168.122.83']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE (sourceip = '192.168.122.83' OR destinationip = '192.168.122.83' OR identityip = '192.168.122.83')" parsed_stix = [{ 'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_artifact_queries(self): interface = qradar_translator.Translator() input_arguments = "[artifact:payload_bin matches 'some text']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE payload MATCHES '.*some text.*'" parsed_stix = [{ 'attribute': 'artifact:payload_bin', 'comparison_operator': 'MATCHES', 'value': 'some text' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_mac_address_query(self): interface = qradar_translator.Translator() input_arguments = "[mac-addr:value = '00-00-5E-00-53-00']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE (sourcemac = '00-00-5E-00-53-00' OR destinationmac = '00-00-5E-00-53-00')" parsed_stix = [{ 'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_user_account_query(self): interface = qradar_translator.Translator() input_arguments = "[user-account:user_id = 'root']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE username = '******'" parsed_stix = [{ 'attribute': 'user-account:user_id', 'comparison_operator': '=', 'value': 'root' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_file_query(self): # TODO: Add support for file hashes. Unsure at this point how QRadar queries them interface = qradar_translator.Translator() input_arguments = "[file:name = 'some_file.exe']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE filename = 'some_file.exe'" parsed_stix = [{ 'attribute': 'file:name', 'comparison_operator': '=', 'value': 'some_file.exe' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_network_traffic_start_stop(self): interface = qradar_translator.Translator() input_arguments = "[network-traffic:'start' = '2018-06-14T08:36:24.000Z' or network-traffic:end = '2018-06-14T08:36:24.000Z']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE endtime = '1528965384' OR starttime = '1528965384'" parsed_stix = [{ 'attribute': 'network-traffic:end', 'comparison_operator': '=', 'value': '2018-06-14T08:36:24.000Z' }, { 'attribute': 'network-traffic:start', 'comparison_operator': '=', 'value': '2018-06-14T08:36:24.000Z' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_network_traffic_protocols(self): interface = qradar_translator.Translator() for key, value in protocols.items(): # Test for both upper and lower case protocols in the STIX pattern if random.randint(0, 1) == 0: key = key.upper() input_arguments = "[network-traffic:protocols[*] = '" + key + "']" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE protocolid = '" + value + "'" parsed_stix = [{ 'attribute': 'network-traffic:protocols[*]', 'comparison_operator': '=', 'value': key }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_port_queries(self): interface = qradar_translator.Translator() input_arguments = "[network-traffic:src_port = 12345 or network-traffic:dst_port = 23456]" options = {} query = interface.transform_query(input_arguments, options) where_statement = "WHERE destinationport = '23456' OR sourceport = '12345'" parsed_stix = [{ 'attribute': 'network-traffic:dst_port', 'comparison_operator': '=', 'value': 23456 }, { 'attribute': 'network-traffic:src_port', 'comparison_operator': '=', 'value': 12345 }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
def test_query_from_multiple_comparison_expressions_joined_by_and(self): interface = qradar_translator.Translator() input_arguments = "[domain-name:value = 'example.com' and mac-addr:value = '00-00-5E-00-53-00']" options = {} query = interface.transform_query(input_arguments, options) # Expect the STIX and to convert to an AQL AND. where_statement = "WHERE (sourcemac = '00-00-5E-00-53-00' OR destinationmac = '00-00-5E-00-53-00') AND domainname = 'example.com'" parsed_stix = [{ 'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00' }, { 'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com' }] assert query == { 'aql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix }
from stix_shifter.src.json_to_stix import json_to_stix_translator from stix_shifter.src import transformers from stix_shifter.src.modules.qradar import qradar_translator import json from stix_shifter import stix_shifter interface = qradar_translator.Translator() map_file = open(interface.mapping_filepath).read() map_data = json.loads(map_file) data_source = { "type": "identity", "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3", "name": "QRadar", "identity_class": "events" } options = {} class TestTransform(object): @staticmethod def get_first(itr, constraint): return next((obj for obj in itr if constraint(obj)), None) @staticmethod def get_first_of_type(itr, typ): return TestTransform.get_first( itr, lambda o: type(o) == dict and o.get('type') == typ) def test_common_prop(self): data = {"starttime": 1531169112, "eventcount": 5}