def test_custom_file_json_to_stix(self):
"""to test custom file stix object properties"""
data = {
'xdr_data': {
'action_file_extension': 'json',
'action_file_attributes': 128,
'action_file_last_writer_actor': 'AdgAsdUgVlUAAAbYAAAAAA==',
'action_file_signature_status': 3,
'action_file_type': 18,
'manifest_file_version': 5
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
custom_file_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'file')
assert custom_file_obj is not None
assert custom_file_obj['type'] == 'file'
assert custom_file_obj['extensions']['x-paloalto-file'][
'extension'] == "json"
assert custom_file_obj['extensions']['x-paloalto-file'][
'attributes'] == 128
assert custom_file_obj['extensions']['x-paloalto-file'][
'writer'] == "AdgAsdUgVlUAAAbYAAAAAA=="
assert custom_file_obj['extensions']['x-paloalto-file'][
'manifest_version'] == 5
def test_common_prop(self):
"""
to test the common stix object properties
"""
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file',
'timestamp': '1567046172', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
assert observed_data['x_bigfix_relevance'] is not None
def test_risk_finding(self):
data = {
"logsourceid": 126,
"qidname": "event name",
"creeventlist": ["one", "two"],
"crename": "cre name",
"credescription": "cre description",
"identityip": "0.0.0.0",
"severity": 4,
"devicetypename": "device type name",
"devicetype": 15,
"rulenames": ["one", "two"]
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
observed_data = result_bundle['objects'][1]
assert ('x_com_ibm_finding' in observed_data)
finding = observed_data['x_com_ibm_finding']
assert (finding['name'] == data['crename'])
assert (finding['description'] == data['credescription'])
assert ('x_com_ibm_ariel' in observed_data)
custom_prop = observed_data['x_com_ibm_ariel']
assert (custom_prop['severity'] == data['severity'])
assert (custom_prop['event_name'] == data['qidname'])
assert (custom_prop['device_type_name'] == data['devicetypename'])
assert (custom_prop['device_type'] == data['devicetype'])
assert (custom_prop['cre_event_list'] == data['creeventlist'])
assert (custom_prop['rule_names'] == data['rulenames'])
def test_common_prop(self):
data = {"_time": "2018-08-21T15:11:55.000+00:00", "event_count": 5}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] is not None)
assert (observed_data['last_observed'] is not None)
def test_process_json_to_stix(self):
"""
to test process stix object properties
"""
data = {'computer_identity': '13476923-archlinux', 'subQueryID': 1,
'sha256hash': '2f2f74f4083b95654a742a56a6c7318f3ab378c94b69009ceffc200fbc22d4d8',
'sha1hash': '0c8e8b1d4eb31e1e046fea1f1396ff85068a4c4a', 'md5hash': '148fd5f2a448b69a9f21d4c92098c4ca',
'file_path': '/usr/lib/systemd/systemd', 'process_ppid': '0', 'process_user': '******',
'timestamp': '1565616101', 'process_name': 'systemd', 'process_id': '1', 'file_size': '1468376',
'type': 'process', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
process_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'process')
assert process_obj is not None, 'process object type not found'
assert process_obj.keys() == {'type', 'binary_ref', 'parent_ref', 'creator_user_ref', 'name', 'pid'}
assert process_obj['type'] == 'process'
assert process_obj['name'] == 'systemd'
assert process_obj['pid'] == 1
assert process_obj['binary_ref'] == '0'
assert process_obj['parent_ref'] == '3'
assert process_obj['creator_user_ref'] == '4'
def test_network_json_to_stix_negative(self):
"""
to test negative test case for stix object
"""
data = {
'computer_identity': '550872812-WIN-N11M78AV7BP',
'subQueryID': 1,
'local_address': '192.168.36.10',
'local_port': '139',
'process_ppid': '0',
'process_user': '******',
'timestamp': '1565875693',
'process_name': 'System',
'process_id': '4',
'type': 'Socket',
'protocol': 'udp',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, data, get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'file')
assert network_obj is None
def test_certificate_cim_to_stix(self):
count = 1
time = "2018-08-21T15:11:55.000+00:00"
serial = "1234"
version = "1"
sig_algorithm = "md5WithRSAEncryption"
key_algorithm = "rsaEncryption"
issuer = "C=US, ST=California, O=www.example.com, OU=new, CN=new"
subject = "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
ssl_hash = "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
data = {
"event_count": count,
"_time": time,
"ssl_serial": serial,
"ssl_version": version,
"ssl_signature_algorithm": sig_algorithm,
"ssl_issuer": issuer,
"ssl_subject": subject,
"ssl_hash": ssl_hash,
"ssl_publickey_algorithm": key_algorithm
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
# Test objects in Stix observable data model after transform
cert_obj = TestTransform.get_first_of_type(objects.values(),
'x509-certificate')
assert (cert_obj is not None), 'x509-certificate object type not found'
assert (cert_obj.keys() == {
'type', 'serial_number', 'version', "signature_algorithm",
"subject_public_key_algorithm", "issuer", "subject", "hashes"
})
assert (cert_obj['serial_number'] == "1234")
assert (cert_obj['version'] == "1")
assert (cert_obj['signature_algorithm'] == "md5WithRSAEncryption")
assert (cert_obj['issuer'] ==
"C=US, ST=California, O=www.example.com, OU=new, CN=new")
assert (
cert_obj['subject'] ==
"C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]"
)
assert (cert_obj['subject_public_key_algorithm'] == "rsaEncryption")
assert (
cert_obj['hashes']['SHA-256'] ==
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f")
assert (objects.keys() == set(map(str, range(0, 1))))
def test_url_json_to_stix(self):
"""
to test url stix object properties
"""
data = {
'Proxy': {
'elementDisplayName': 'w7-cbr-se2',
'discoveryType': '',
'host': 't-ring.msedge.net',
'ipAddress': '172.22.32.1',
'pacUrl': 'c1.rfihub.net',
'port': '9443'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
proxy_obj = TestCybereasonResultsToStix.get_first_of_type(
objects.values(), 'url')
assert proxy_obj is not None
assert proxy_obj.keys() == {'type', 'value'}
assert proxy_obj['type'] == 'url'
assert proxy_obj['value'] == 'c1.rfihub.net'
def test_x_oca_event_network_ref(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options,
callback=hash_type_lookup)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
# validated_result = validate_instance(observed_data)
# assert(validated_result.is_valid is True)
self.assertTrue('objects' in observed_data, "non-empty objects is expected")
objects = observed_data['objects']
object_vals = objects.values()
x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event')
network_ref = x_oca_event.get("network_ref")
self.assertIsNotNone(network_ref)
network_ref_obj = objects.get(network_ref)
self.assertIsNotNone(network_ref_obj)
self.assertEqual(56109, network_ref_obj['src_port'])
self.assertEqual(9389, network_ref_obj['dst_port'])
src_ip_obj = objects[network_ref_obj['src_ref']]
dst_ip_obj = objects[network_ref_obj['dst_ref']]
self.assertEqual("ipv4-addr", src_ip_obj['type'])
self.assertEqual("ipv4-addr", dst_ip_obj['type'])
self.assertEqual(src_ip_obj['value'], '123.123.123.123')
self.assertEqual(dst_ip_obj['value'], '1.1.1.1')
def test_event_finding(self):
data = {"logsourceid": 126, "qidname": "event name", "creeventlist": ["one", "two"],
"crename": "cre name", "credescription": "cre description", "identityip": "0.0.0.0",
"eventseverity": 4, "magnitude": 8, "devicetypename": "device type name", "devicetype": 15,
"rulenames": ["one", "two"], "eventcount": 25, "starttime": EPOCH_START, "endtime": EPOCH_END}
result_bundle = json_to_stix_translator.convert_to_stix(
DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options)
observed_data = result_bundle['objects'][1]
objects = observed_data['objects']
finding = TestTransform.get_first_of_type(objects.values(), 'x-ibm-finding')
assert(finding['type']) == "x-ibm-finding"
assert(finding['name'] == data['crename'])
assert(finding['description'] == data['credescription'])
assert(finding['severity'] == data['eventseverity'])
assert(finding['magnitude'] == data['magnitude'])
assert(finding['rule_names'] == data['rulenames'])
assert(finding['event_count'] == data['eventcount'])
assert(finding['finding_type'] == 'event')
assert(finding['start'] == START_TIMESTAMP)
assert(finding['end'] == END_TIMESTAMP)
custom_object = TestTransform.get_first_of_type(objects.values(), 'x-qradar')
assert(custom_object is not None), 'domain-name object type not found'
assert(custom_object['device_type'] == data['devicetype'])
assert(custom_object['cre_event_list'] == data['creeventlist'])
def test_none_empty_values_in_results(self):
payload = "Payload"
user_id = "someuserid2018"
url = None
source_ip = "fd80:655e:171d:30d4:fd80:655e:171d:30d4"
destination_ip = "255.255.255.1"
file_name = ""
source_mac = "00-00-5E-00-53-00"
destination_mac = "00-00-5A-00-55-01"
data = {"sourceip": source_ip, "destinationip": destination_ip, "url": url, "base64_payload": payload, "username": user_id, "protocol": 'TCP',
"sourceport": "3000", "destinationport": 2000, "filename": file_name, "domainname": url, "sourcemac": source_mac, "destinationmac": destination_mac}
result_bundle = json_to_stix_translator.convert_to_stix(
DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options)
assert(result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert('objects' in observed_data)
objects = observed_data['objects']
obj_keys = []
for key in TestTransform.get_object_keys(objects):
obj_keys.append(key)
# url object has None in results so url object will be skipped while creating the observables
assert('url' not in obj_keys)
# file object has empty string in results so url object will be skipped while creating the observables
assert('file' not in obj_keys)
def test_custom_network_json_to_stix(self):
"""to test custom network stix object properties"""
data = {
'xdr_data': {
'action_network_creation_time': 164632333729,
'action_network_connection_id': 'AdgAsdUgVlUAAAbYAAAAAA==',
'action_proxy': 'FALSE',
'action_external_hostname': 'Windows 8'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None
assert network_obj['extensions']['x-paloalto-network'][
'creation_time'] == '1975-03-21T11:12:13.729Z'
assert network_obj['extensions']['x-paloalto-network'][
'connection_id'] == "AdgAsdUgVlUAAAbYAAAAAA=="
assert network_obj['extensions']['x-paloalto-network'][
'is_proxy'] == False
assert network_obj['extensions']['x-paloalto-network'][
'external_hostname'] == 'Windows 8'
def test_event_json_to_stix(self):
"""to test custom event stix object properties"""
data = {
'xdr_data': {
'event_id': 'OTE0MTk5MTg2MDI1NzUyODc0NQ==',
'event_timestamp': 164632333729,
'event_version': 25,
'event_rpc_interface_uuid':
'{00000136-0000-0000-C000-000000000046}',
'event_type': 'EVENT_LOG'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
event_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'x-oca-event')
assert event_obj is not None
assert event_obj['code'] == "OTE0MTk5MTg2MDI1NzUyODc0NQ=="
assert event_obj['created'] == '1975-03-21T11:12:13.729Z'
assert event_obj['extensions']['x-paloalto-event']['version'] == 25
assert event_obj['extensions']['x-paloalto-event'][
'uuid'] == '{00000136-0000-0000-C000-000000000046}'
assert event_obj['category'] == ["event_log"]
def test_evtlog_json_to_stix(self):
"""to test custom evtlog stix object properties"""
data = {
'xdr_data': {
'action_evtlog_description': 'An account was logged off',
'action_evtlog_source': 3,
'action_evtlog_event_id': 4625,
'action_evtlog_uid': 'S-1-5-19',
'action_evtlog_level': 'INFO',
'action_evtlog_version': 2
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
evtlog_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'x-paloalto-evtlog')
assert evtlog_obj is not None
assert evtlog_obj['type'] == 'x-paloalto-evtlog'
assert evtlog_obj['description'] == "An account was logged off"
assert evtlog_obj['source'] == 3
assert evtlog_obj['evtlog_id'] == 4625
assert evtlog_obj['uid'] == "S-1-5-19"
assert evtlog_obj['level'] == "INFO"
def test_common_prop(self):
data = {
"starttime": EPOCH_START,
"endtime": EPOCH_END,
"eventcount": 5
}
result_bundle = json_to_stix_translator.convert_to_stix(
DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == DATA_SOURCE['type'])
assert (result_bundle_identity['id'] == DATA_SOURCE['id'])
assert (result_bundle_identity['name'] == DATA_SOURCE['name'])
assert (result_bundle_identity['identity_class'] ==
DATA_SOURCE['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] == START_TIMESTAMP)
assert (observed_data['last_observed'] == END_TIMESTAMP)
def test_x_oca_event_file_ref(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options,
callback=hash_type_lookup)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
# validated_result = validate_instance(observed_data)
# self.assertTrue(validated_result.is_valid)
self.assertTrue('objects' in observed_data, "non-empty objects is expected")
objects = observed_data['objects']
object_vals = objects.values()
x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event')
file_ref = x_oca_event.get("file_ref")
self.assertIsNotNone(file_ref)
file_ref_obj = objects.get(file_ref)
self.assertIsNotNone(file_ref_obj)
self.assertEqual("file", file_ref_obj['type'])
self.assertEqual("powershell.exe", file_ref_obj['name'])
parent_directory_obj = objects[file_ref_obj['parent_directory_ref']]
self.assertEqual("directory", parent_directory_obj['type'])
self.assertEqual("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_directory_obj['path'])
def test_mac_addr_json_to_stix(self):
"""
to test network stix object properties
"""
data = {
'computer_identity': '541866979-suse01',
'subQueryID': 1,
'local_address': '192.168.36.110',
'mac': '0a-ab-41-e0-89-f8',
'type': 'Address',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(
objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'src_ref'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
def translate_results(self, data_source, data):
"""
Translates native data response into STIX object
:param data_source: dialect specific model mapping data, see: https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/develop-translation-module.md#step-2-edit-the-from_stix_map-json-file
:type data_source: str
:param data: native data response
:type data: str
:return: native query response
:rtype: STIX object
"""
try:
json_data = json.loads(data)
data_source = json.loads(data_source)
except Exception as exc:
raise LoadJsonResultsException() from exc
try:
mapped_data = self.map_data
results = json_to_stix_translator.convert_to_stix(
data_source, mapped_data, json_data, self.transformers,
self.options, self.callback)
except Exception as ex:
raise TranslationResultException(
"Error when converting results to STIX: %s" % ex) from ex
return results
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'computer_identity': '1626351170-xlcr.hcl.local',
'subQueryID': 1,
'sha256hash':
'89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp',
'file_name': 'big42E1.tmp',
'file_size': '770',
'type': 'file',
'timestamp': '1567046172',
'event_count': '1'
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_bigfix_relevance']
assert custom_object.keys() == {'computer_identity'}
assert custom_object[
'computer_identity'] == '1626351170-xlcr.hcl.local'
def test_common_prop_without_timestamp_data(self):
"""
to test the common stix object properties where no timestamp data field in results
"""
options = {"unmapped_fallback": True}
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
def test_network_cim_to_stix(self):
count = 2
time = "2018-08-21T15:11:55.000+00:00"
user = "******"
dest_ip = "127.0.0.1"
dest_port = "8090"
src_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
src_port = "8080"
transport = "http"
data = {
"event_count": count,
"_time": time,
"user": user,
"dest_ip": dest_ip,
"dest_port": dest_port,
"src_ip": src_ip,
"src_port": src_port,
"protocol": transport
}
print(data)
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
validated_result = validate_instance(observed_data)
assert (validated_result.is_valid == True)
assert ('objects' in observed_data)
objects = observed_data['objects']
nt_obj = TestTransform.get_first_of_type(objects.values(),
'network-traffic')
assert (nt_obj is not None), 'network-traffic object type not found'
assert (nt_obj.keys() == {
'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols'
})
assert (nt_obj['src_port'] == 8080)
assert (nt_obj['dst_port'] == 8090)
assert (nt_obj['protocols'] == ['http'])
ip_ref = nt_obj['dst_ref']
assert (ip_ref
in objects), f"dst_ref with key {nt_obj['dst_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv4-addr')
assert (ip_obj['value'] == dest_ip)
ip_ref = nt_obj['src_ref']
assert (ip_ref
in objects), f"src_ref with key {nt_obj['src_ref']} not found"
ip_obj = objects[ip_ref]
assert (ip_obj.keys() == {'type', 'value'})
assert (ip_obj['type'] == 'ipv6-addr')
assert (ip_obj['value'] == src_ip)
def test_vpc_flow_network_json_to_stix(self):
"""to test network stix object properties"""
data = {
'vpcflow': {'@timestamp': '2019-10-20 10:43:09.000', 'srcAddr': '54.239.29.61', 'dstAddr': '172.31.88.63',
'srcPort': '443', 'dstPort': '53866', 'protocol': 'tcp', 'start': '1571568189',
'end': '1571568248', 'accountId': '979326520502', 'interfaceId': 'eni-02e70b8e842c70a2f',
'@ptr':
'CloKIQodOTc5MzI2NTIwNTAyOlVTRWFzdDFfRmxvd0xvZ3MQBxI1GhgCBc2q4EYAAAACFMuFggAF2sO4QAAAAWIgA'
'SjoyP/F3i0wyPyNxt4tOCxA7TFI0ClQzyIQJRgB',
'event_count': 1}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestAwsResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'src_ref', 'dst_ref', 'src_port', 'dst_port', 'protocols', 'start', 'end'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
assert network_obj['dst_ref'] == '2'
assert network_obj['src_port'] == 443
assert network_obj['dst_port'] == 53866
assert network_obj['protocols'] == ['tcp']
assert network_obj['start'] == '2019-10-20T10:43:09.000Z'
assert network_obj['end'] == '2019-10-20T10:44:08.000Z'
def test_custom_property(self):
"""
to test the custom stix object properties
"""
data = {
'ProcessCreationEvents': {
'EventTime': '2019-09-20T06:57:11.8218304Z',
'MachineId': '8330ed311f1b21b861d63448984eb2632cc9c07c',
'ComputerName': 'desktop-536bt46',
'ActionType': 'ProcessCreated',
'FileName': 'consent.exe',
'FolderPath': 'C:\\Windows\\System32\\consent.exe',
'SHA1': '9329b2362078de27242dd4534f588af3264bf0bf',
'SHA256':
'8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6',
'MD5': '27992d7ebe51aec655a088de88bad5c9',
'ProcessId': 20948,
'ProcessCommandLine': 'consent.exe 10088 288 000001CB3AA92A80',
'ProcessIntegrityLevel': 'System',
'ProcessTokenElevation': 'TokenElevationTypeDefault',
'ProcessCreationTime': '2019-09-20T06:57:11.8212034Z',
'AccountDomain': 'nt authority',
'AccountName': 'system',
'AccountSid': 'S-1-5-18',
'LogonId': 999,
'InitiatingProcessAccountDomain': 'nt authority',
'InitiatingProcessAccountName': 'system',
'InitiatingProcessAccountSid': 'S-1-5-18',
'InitiatingProcessLogonId': 999,
'InitiatingProcessIntegrityLevel': 'System',
'InitiatingProcessTokenElevation': 'TokenElevationTypeDefault',
'InitiatingProcessSHA1':
'a1385ce20ad79f55df235effd9780c31442aa234',
'InitiatingProcessMD5': '8a0a29438052faed8a2532da50455756',
'InitiatingProcessFileName': 'svchost.exe',
'InitiatingProcessId': 10088,
'InitiatingProcessCommandLine':
'svchost.exe -k netsvcs -p -s Appinfo',
'InitiatingProcessCreationTime': '2019-09-18T05:56:15.268893Z',
'InitiatingProcessFolderPath':
'c:\\windows\\system32\\svchost.exe',
'InitiatingProcessParentId': 856,
'InitiatingProcessParentFileName': 'services.exe',
'InitiatingProcessParentCreationTime':
'2019-09-17T14:54:59.5778638Z',
'ReportId': 12048,
'rn': 1,
'event_count': '1'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
custom_object = observed_data['x_msatp']
assert custom_object.keys() == {'computer_name', 'machine_id'}
assert custom_object['computer_name'] == 'desktop-536bt46'
def test_network_json_to_stix():
"""to test network stix object properties"""
data = {"network_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497", "transportProtocol": "TCP",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "", "protocols": ["TCP"]
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'dst_port', 'dst_ref', 'src_ref', 'protocols'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['dst_port'] == 22
assert network_obj['protocols'] == ['tcp']
assert network_obj['src_ref'] == '14'
def test_network_json_to_stix(self):
"""
to test network stix object properties
"""
data = {'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10',
'local_port': '139', 'process_ppid': '0', 'process_user': '******',
'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket',
'protocol': 'udp', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_obj is not None, 'network-traffic object type not found'
assert network_obj.keys() == {'type', 'src_ref', 'src_port', 'protocols'}
assert network_obj['type'] == 'network-traffic'
assert network_obj['src_ref'] == '0'
assert network_obj['src_port'] == 139
assert network_obj['protocols'] == ['udp']
def test_network_json_to_stix_negative():
"""to test negative test case for stix object"""
data = {"other_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": ""
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, data, get_module_transformers(MODULE), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'file')
assert network_obj is None
def test_file_json_to_stix(self):
"""
to test file stix object properties
"""
data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1,
'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6',
'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file',
'timestamp': '1567046172', 'event_count': '1'}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(), options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
file_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'file')
assert file_obj is not None, 'file object type not found'
assert file_obj.keys() == {'type', 'hashes', 'parent_directory_ref', 'name', 'size'}
assert file_obj['type'] == 'file'
assert file_obj['name'] == 'big42E1.tmp'
assert file_obj['hashes'] == {'SHA-256': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5',
'SHA-1': '41838ed7a546aeefe184fb8515973ffee7c3ba7e',
'MD5': '958d9ba84826e48094e361102a272fd6'}
assert file_obj['parent_directory_ref'] == '1'
assert file_obj['size'] == 770
def test_common_prop():
"""to test the common stix object properties"""
data = {"network_events": {
"_rowId": "189D1-C@Local", "Event Time": 1592820270804,
"Logger": "Local", "spid": "2497",
"agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd",
"categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com",
"priority": 3, "destinationUserId": "4294967295",
"deviceVendor": "Unix", "deviceProcessName": "auditd",
"destinationPort": 22, "name": "CRYPTO_KEY_USER|success",
"eventId": 2815858, "deviceProduct": "auditd",
"destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30",
"sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": ""
}}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE), options)
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
assert result_bundle_identity['id'] == data_source['id']
assert result_bundle_identity['name'] == data_source['name']
assert result_bundle_identity['identity_class'] == data_source['identity_class']
observed_data = result_bundle_objects[1]
assert observed_data['id'] is not None
assert observed_data['type'] == "observed-data"
assert observed_data['created_by_ref'] == result_bundle_identity['id']
assert observed_data['modified'] is not None
assert observed_data['created'] is not None
assert observed_data['first_observed'] is not None
assert observed_data['last_observed'] is not None
assert observed_data['number_observed'] is not None
def test_common_prop(self):
data = {
"starttime": 1531169112,
"endtime": 1531169254,
"eventcount": 5
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], transformers.get_all_transformers(),
options)
assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert (result_bundle_identity['type'] == data_source['type'])
assert (result_bundle_identity['id'] == data_source['id'])
assert (result_bundle_identity['name'] == data_source['name'])
assert (result_bundle_identity['identity_class'] ==
data_source['identity_class'])
observed_data = result_bundle_objects[1]
assert (observed_data['id'] is not None)
assert (observed_data['type'] == "observed-data")
assert (
observed_data['created_by_ref'] == result_bundle_identity['id'])
assert (observed_data['number_observed'] == 5)
assert (observed_data['created'] is not None)
assert (observed_data['modified'] is not None)
assert (observed_data['first_observed'] is not None)
assert (observed_data['last_observed'] is not None)
def test_url_json_to_stix(self):
"""to test url stix object properties"""
data = {
'xdr_data': {
'dst_action_url_category': 'https://paloalto/index.com'
}
}
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [data], get_module_transformers(MODULE),
options)
result_bundle_objects = result_bundle['objects']
result_bundle_identity = result_bundle_objects[0]
assert result_bundle_identity['type'] == data_source['type']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']
url_obj = TestPaloaltoResultsToStix.get_first_of_type(
objects.values(), 'url')
assert url_obj is not None
assert url_obj['type'] == 'url'
assert url_obj['value'] == 'https://paloalto/index.com'
