def test_custom_file_json_to_stix(self): """to test custom file stix object properties""" data = { 'xdr_data': { 'action_file_extension': 'json', 'action_file_attributes': 128, 'action_file_last_writer_actor': 'AdgAsdUgVlUAAAbYAAAAAA==', 'action_file_signature_status': 3, 'action_file_type': 18, 'manifest_file_version': 5 } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] custom_file_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'file') assert custom_file_obj is not None assert custom_file_obj['type'] == 'file' assert custom_file_obj['extensions']['x-paloalto-file'][ 'extension'] == "json" assert custom_file_obj['extensions']['x-paloalto-file'][ 'attributes'] == 128 assert custom_file_obj['extensions']['x-paloalto-file'][ 'writer'] == "AdgAsdUgVlUAAAbYAAAAAA==" assert custom_file_obj['extensions']['x-paloalto-file'][ 'manifest_version'] == 5
def test_common_prop(self): """ to test the common stix object properties """ data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None assert observed_data['x_bigfix_relevance'] is not None
def test_risk_finding(self): data = { "logsourceid": 126, "qidname": "event name", "creeventlist": ["one", "two"], "crename": "cre name", "credescription": "cre description", "identityip": "0.0.0.0", "severity": 4, "devicetypename": "device type name", "devicetype": 15, "rulenames": ["one", "two"] } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) observed_data = result_bundle['objects'][1] assert ('x_com_ibm_finding' in observed_data) finding = observed_data['x_com_ibm_finding'] assert (finding['name'] == data['crename']) assert (finding['description'] == data['credescription']) assert ('x_com_ibm_ariel' in observed_data) custom_prop = observed_data['x_com_ibm_ariel'] assert (custom_prop['severity'] == data['severity']) assert (custom_prop['event_name'] == data['qidname']) assert (custom_prop['device_type_name'] == data['devicetypename']) assert (custom_prop['device_type'] == data['devicetype']) assert (custom_prop['cre_event_list'] == data['creeventlist']) assert (custom_prop['rule_names'] == data['rulenames'])
def test_common_prop(self): data = {"_time": "2018-08-21T15:11:55.000+00:00", "event_count": 5} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert (result_bundle_identity['type'] == data_source['type']) assert (result_bundle_identity['id'] == data_source['id']) assert (result_bundle_identity['name'] == data_source['name']) assert (result_bundle_identity['identity_class'] == data_source['identity_class']) observed_data = result_bundle_objects[1] assert (observed_data['id'] is not None) assert (observed_data['type'] == "observed-data") assert ( observed_data['created_by_ref'] == result_bundle_identity['id']) assert (observed_data['number_observed'] == 5) assert (observed_data['created'] is not None) assert (observed_data['modified'] is not None) assert (observed_data['first_observed'] is not None) assert (observed_data['last_observed'] is not None)
def test_process_json_to_stix(self): """ to test process stix object properties """ data = {'computer_identity': '13476923-archlinux', 'subQueryID': 1, 'sha256hash': '2f2f74f4083b95654a742a56a6c7318f3ab378c94b69009ceffc200fbc22d4d8', 'sha1hash': '0c8e8b1d4eb31e1e046fea1f1396ff85068a4c4a', 'md5hash': '148fd5f2a448b69a9f21d4c92098c4ca', 'file_path': '/usr/lib/systemd/systemd', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565616101', 'process_name': 'systemd', 'process_id': '1', 'file_size': '1468376', 'type': 'process', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] process_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'process') assert process_obj is not None, 'process object type not found' assert process_obj.keys() == {'type', 'binary_ref', 'parent_ref', 'creator_user_ref', 'name', 'pid'} assert process_obj['type'] == 'process' assert process_obj['name'] == 'systemd' assert process_obj['pid'] == 1 assert process_obj['binary_ref'] == '0' assert process_obj['parent_ref'] == '3' assert process_obj['creator_user_ref'] == '4'
def test_network_json_to_stix_negative(self): """ to test negative test case for stix object """ data = { 'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10', 'local_port': '139', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket', 'protocol': 'udp', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, data, get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type( objects.values(), 'file') assert network_obj is None
def test_certificate_cim_to_stix(self): count = 1 time = "2018-08-21T15:11:55.000+00:00" serial = "1234" version = "1" sig_algorithm = "md5WithRSAEncryption" key_algorithm = "rsaEncryption" issuer = "C=US, ST=California, O=www.example.com, OU=new, CN=new" subject = "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]" ssl_hash = "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f" data = { "event_count": count, "_time": time, "ssl_serial": serial, "ssl_version": version, "ssl_signature_algorithm": sig_algorithm, "ssl_issuer": issuer, "ssl_subject": subject, "ssl_hash": ssl_hash, "ssl_publickey_algorithm": key_algorithm } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] validated_result = validate_instance(observed_data) assert (validated_result.is_valid == True) assert ('objects' in observed_data) objects = observed_data['objects'] # Test objects in Stix observable data model after transform cert_obj = TestTransform.get_first_of_type(objects.values(), 'x509-certificate') assert (cert_obj is not None), 'x509-certificate object type not found' assert (cert_obj.keys() == { 'type', 'serial_number', 'version', "signature_algorithm", "subject_public_key_algorithm", "issuer", "subject", "hashes" }) assert (cert_obj['serial_number'] == "1234") assert (cert_obj['version'] == "1") assert (cert_obj['signature_algorithm'] == "md5WithRSAEncryption") assert (cert_obj['issuer'] == "C=US, ST=California, O=www.example.com, OU=new, CN=new") assert ( cert_obj['subject'] == "C=US, ST=Maryland, L=Baltimore, O=John Doe, OU=ExampleCorp, CN=www.example.com/[email protected]" ) assert (cert_obj['subject_public_key_algorithm'] == "rsaEncryption") assert ( cert_obj['hashes']['SHA-256'] == "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f") assert (objects.keys() == set(map(str, range(0, 1))))
def test_url_json_to_stix(self): """ to test url stix object properties """ data = { 'Proxy': { 'elementDisplayName': 'w7-cbr-se2', 'discoveryType': '', 'host': 't-ring.msedge.net', 'ipAddress': '172.22.32.1', 'pacUrl': 'c1.rfihub.net', 'port': '9443' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] proxy_obj = TestCybereasonResultsToStix.get_first_of_type( objects.values(), 'url') assert proxy_obj is not None assert proxy_obj.keys() == {'type', 'value'} assert proxy_obj['type'] == 'url' assert proxy_obj['value'] == 'c1.rfihub.net'
def test_x_oca_event_network_ref(self): result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options, callback=hash_type_lookup) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] # validated_result = validate_instance(observed_data) # assert(validated_result.is_valid is True) self.assertTrue('objects' in observed_data, "non-empty objects is expected") objects = observed_data['objects'] object_vals = objects.values() x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event') network_ref = x_oca_event.get("network_ref") self.assertIsNotNone(network_ref) network_ref_obj = objects.get(network_ref) self.assertIsNotNone(network_ref_obj) self.assertEqual(56109, network_ref_obj['src_port']) self.assertEqual(9389, network_ref_obj['dst_port']) src_ip_obj = objects[network_ref_obj['src_ref']] dst_ip_obj = objects[network_ref_obj['dst_ref']] self.assertEqual("ipv4-addr", src_ip_obj['type']) self.assertEqual("ipv4-addr", dst_ip_obj['type']) self.assertEqual(src_ip_obj['value'], '123.123.123.123') self.assertEqual(dst_ip_obj['value'], '1.1.1.1')
def test_event_finding(self): data = {"logsourceid": 126, "qidname": "event name", "creeventlist": ["one", "two"], "crename": "cre name", "credescription": "cre description", "identityip": "0.0.0.0", "eventseverity": 4, "magnitude": 8, "devicetypename": "device type name", "devicetype": 15, "rulenames": ["one", "two"], "eventcount": 25, "starttime": EPOCH_START, "endtime": EPOCH_END} result_bundle = json_to_stix_translator.convert_to_stix( DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options) observed_data = result_bundle['objects'][1] objects = observed_data['objects'] finding = TestTransform.get_first_of_type(objects.values(), 'x-ibm-finding') assert(finding['type']) == "x-ibm-finding" assert(finding['name'] == data['crename']) assert(finding['description'] == data['credescription']) assert(finding['severity'] == data['eventseverity']) assert(finding['magnitude'] == data['magnitude']) assert(finding['rule_names'] == data['rulenames']) assert(finding['event_count'] == data['eventcount']) assert(finding['finding_type'] == 'event') assert(finding['start'] == START_TIMESTAMP) assert(finding['end'] == END_TIMESTAMP) custom_object = TestTransform.get_first_of_type(objects.values(), 'x-qradar') assert(custom_object is not None), 'domain-name object type not found' assert(custom_object['device_type'] == data['devicetype']) assert(custom_object['cre_event_list'] == data['creeventlist'])
def test_none_empty_values_in_results(self): payload = "Payload" user_id = "someuserid2018" url = None source_ip = "fd80:655e:171d:30d4:fd80:655e:171d:30d4" destination_ip = "255.255.255.1" file_name = "" source_mac = "00-00-5E-00-53-00" destination_mac = "00-00-5A-00-55-01" data = {"sourceip": source_ip, "destinationip": destination_ip, "url": url, "base64_payload": payload, "username": user_id, "protocol": 'TCP', "sourceport": "3000", "destinationport": 2000, "filename": file_name, "domainname": url, "sourcemac": source_mac, "destinationmac": destination_mac} result_bundle = json_to_stix_translator.convert_to_stix( DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options) assert(result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] assert('objects' in observed_data) objects = observed_data['objects'] obj_keys = [] for key in TestTransform.get_object_keys(objects): obj_keys.append(key) # url object has None in results so url object will be skipped while creating the observables assert('url' not in obj_keys) # file object has empty string in results so url object will be skipped while creating the observables assert('file' not in obj_keys)
def test_custom_network_json_to_stix(self): """to test custom network stix object properties""" data = { 'xdr_data': { 'action_network_creation_time': 164632333729, 'action_network_connection_id': 'AdgAsdUgVlUAAAbYAAAAAA==', 'action_proxy': 'FALSE', 'action_external_hostname': 'Windows 8' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'network-traffic') assert network_obj is not None assert network_obj['extensions']['x-paloalto-network'][ 'creation_time'] == '1975-03-21T11:12:13.729Z' assert network_obj['extensions']['x-paloalto-network'][ 'connection_id'] == "AdgAsdUgVlUAAAbYAAAAAA==" assert network_obj['extensions']['x-paloalto-network'][ 'is_proxy'] == False assert network_obj['extensions']['x-paloalto-network'][ 'external_hostname'] == 'Windows 8'
def test_event_json_to_stix(self): """to test custom event stix object properties""" data = { 'xdr_data': { 'event_id': 'OTE0MTk5MTg2MDI1NzUyODc0NQ==', 'event_timestamp': 164632333729, 'event_version': 25, 'event_rpc_interface_uuid': '{00000136-0000-0000-C000-000000000046}', 'event_type': 'EVENT_LOG' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] event_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'x-oca-event') assert event_obj is not None assert event_obj['code'] == "OTE0MTk5MTg2MDI1NzUyODc0NQ==" assert event_obj['created'] == '1975-03-21T11:12:13.729Z' assert event_obj['extensions']['x-paloalto-event']['version'] == 25 assert event_obj['extensions']['x-paloalto-event'][ 'uuid'] == '{00000136-0000-0000-C000-000000000046}' assert event_obj['category'] == ["event_log"]
def test_evtlog_json_to_stix(self): """to test custom evtlog stix object properties""" data = { 'xdr_data': { 'action_evtlog_description': 'An account was logged off', 'action_evtlog_source': 3, 'action_evtlog_event_id': 4625, 'action_evtlog_uid': 'S-1-5-19', 'action_evtlog_level': 'INFO', 'action_evtlog_version': 2 } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] evtlog_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'x-paloalto-evtlog') assert evtlog_obj is not None assert evtlog_obj['type'] == 'x-paloalto-evtlog' assert evtlog_obj['description'] == "An account was logged off" assert evtlog_obj['source'] == 3 assert evtlog_obj['evtlog_id'] == 4625 assert evtlog_obj['uid'] == "S-1-5-19" assert evtlog_obj['level'] == "INFO"
def test_common_prop(self): data = { "starttime": EPOCH_START, "endtime": EPOCH_END, "eventcount": 5 } result_bundle = json_to_stix_translator.convert_to_stix( DATA_SOURCE, MAP_DATA, [data], TRANSFORMERS, options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert (result_bundle_identity['type'] == DATA_SOURCE['type']) assert (result_bundle_identity['id'] == DATA_SOURCE['id']) assert (result_bundle_identity['name'] == DATA_SOURCE['name']) assert (result_bundle_identity['identity_class'] == DATA_SOURCE['identity_class']) observed_data = result_bundle_objects[1] assert (observed_data['id'] is not None) assert (observed_data['type'] == "observed-data") assert ( observed_data['created_by_ref'] == result_bundle_identity['id']) assert (observed_data['number_observed'] == 5) assert (observed_data['created'] is not None) assert (observed_data['modified'] is not None) assert (observed_data['first_observed'] == START_TIMESTAMP) assert (observed_data['last_observed'] == END_TIMESTAMP)
def test_x_oca_event_file_ref(self): result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options, callback=hash_type_lookup) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] # validated_result = validate_instance(observed_data) # self.assertTrue(validated_result.is_valid) self.assertTrue('objects' in observed_data, "non-empty objects is expected") objects = observed_data['objects'] object_vals = objects.values() x_oca_event = TestTransform.get_first_of_type(object_vals, 'x-oca-event') file_ref = x_oca_event.get("file_ref") self.assertIsNotNone(file_ref) file_ref_obj = objects.get(file_ref) self.assertIsNotNone(file_ref_obj) self.assertEqual("file", file_ref_obj['type']) self.assertEqual("powershell.exe", file_ref_obj['name']) parent_directory_obj = objects[file_ref_obj['parent_directory_ref']] self.assertEqual("directory", parent_directory_obj['type']) self.assertEqual("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_directory_obj['path'])
def test_mac_addr_json_to_stix(self): """ to test network stix object properties """ data = { 'computer_identity': '541866979-suse01', 'subQueryID': 1, 'local_address': '192.168.36.110', 'mac': '0a-ab-41-e0-89-f8', 'type': 'Address', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type( objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'src_ref'} assert network_obj['type'] == 'network-traffic' assert network_obj['src_ref'] == '0'
def translate_results(self, data_source, data): """ Translates native data response into STIX object :param data_source: dialect specific model mapping data, see: https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/adapter-guide/develop-translation-module.md#step-2-edit-the-from_stix_map-json-file :type data_source: str :param data: native data response :type data: str :return: native query response :rtype: STIX object """ try: json_data = json.loads(data) data_source = json.loads(data_source) except Exception as exc: raise LoadJsonResultsException() from exc try: mapped_data = self.map_data results = json_to_stix_translator.convert_to_stix( data_source, mapped_data, json_data, self.transformers, self.options, self.callback) except Exception as ex: raise TranslationResultException( "Error when converting results to STIX: %s" % ex) from ex return results
def test_custom_property(self): """ to test the custom stix object properties """ data = { 'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1' } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] custom_object = observed_data['x_bigfix_relevance'] assert custom_object.keys() == {'computer_identity'} assert custom_object[ 'computer_identity'] == '1626351170-xlcr.hcl.local'
def test_common_prop_without_timestamp_data(self): """ to test the common stix object properties where no timestamp data field in results """ options = {"unmapped_fallback": True} data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None
def test_network_cim_to_stix(self): count = 2 time = "2018-08-21T15:11:55.000+00:00" user = "******" dest_ip = "127.0.0.1" dest_port = "8090" src_ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334" src_port = "8080" transport = "http" data = { "event_count": count, "_time": time, "user": user, "dest_ip": dest_ip, "dest_port": dest_port, "src_ip": src_ip, "src_port": src_port, "protocol": transport } print(data) result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] validated_result = validate_instance(observed_data) assert (validated_result.is_valid == True) assert ('objects' in observed_data) objects = observed_data['objects'] nt_obj = TestTransform.get_first_of_type(objects.values(), 'network-traffic') assert (nt_obj is not None), 'network-traffic object type not found' assert (nt_obj.keys() == { 'type', 'src_port', 'dst_port', 'src_ref', 'dst_ref', 'protocols' }) assert (nt_obj['src_port'] == 8080) assert (nt_obj['dst_port'] == 8090) assert (nt_obj['protocols'] == ['http']) ip_ref = nt_obj['dst_ref'] assert (ip_ref in objects), f"dst_ref with key {nt_obj['dst_ref']} not found" ip_obj = objects[ip_ref] assert (ip_obj.keys() == {'type', 'value'}) assert (ip_obj['type'] == 'ipv4-addr') assert (ip_obj['value'] == dest_ip) ip_ref = nt_obj['src_ref'] assert (ip_ref in objects), f"src_ref with key {nt_obj['src_ref']} not found" ip_obj = objects[ip_ref] assert (ip_obj.keys() == {'type', 'value'}) assert (ip_obj['type'] == 'ipv6-addr') assert (ip_obj['value'] == src_ip)
def test_vpc_flow_network_json_to_stix(self): """to test network stix object properties""" data = { 'vpcflow': {'@timestamp': '2019-10-20 10:43:09.000', 'srcAddr': '54.239.29.61', 'dstAddr': '172.31.88.63', 'srcPort': '443', 'dstPort': '53866', 'protocol': 'tcp', 'start': '1571568189', 'end': '1571568248', 'accountId': '979326520502', 'interfaceId': 'eni-02e70b8e842c70a2f', '@ptr': 'CloKIQodOTc5MzI2NTIwNTAyOlVTRWFzdDFfRmxvd0xvZ3MQBxI1GhgCBc2q4EYAAAACFMuFggAF2sO4QAAAAWIgA' 'SjoyP/F3i0wyPyNxt4tOCxA7TFI0ClQzyIQJRgB', 'event_count': 1}} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestAwsResultsToStix.get_first_of_type(objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'src_ref', 'dst_ref', 'src_port', 'dst_port', 'protocols', 'start', 'end'} assert network_obj['type'] == 'network-traffic' assert network_obj['src_ref'] == '0' assert network_obj['dst_ref'] == '2' assert network_obj['src_port'] == 443 assert network_obj['dst_port'] == 53866 assert network_obj['protocols'] == ['tcp'] assert network_obj['start'] == '2019-10-20T10:43:09.000Z' assert network_obj['end'] == '2019-10-20T10:44:08.000Z'
def test_custom_property(self): """ to test the custom stix object properties """ data = { 'ProcessCreationEvents': { 'EventTime': '2019-09-20T06:57:11.8218304Z', 'MachineId': '8330ed311f1b21b861d63448984eb2632cc9c07c', 'ComputerName': 'desktop-536bt46', 'ActionType': 'ProcessCreated', 'FileName': 'consent.exe', 'FolderPath': 'C:\\Windows\\System32\\consent.exe', 'SHA1': '9329b2362078de27242dd4534f588af3264bf0bf', 'SHA256': '8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6', 'MD5': '27992d7ebe51aec655a088de88bad5c9', 'ProcessId': 20948, 'ProcessCommandLine': 'consent.exe 10088 288 000001CB3AA92A80', 'ProcessIntegrityLevel': 'System', 'ProcessTokenElevation': 'TokenElevationTypeDefault', 'ProcessCreationTime': '2019-09-20T06:57:11.8212034Z', 'AccountDomain': 'nt authority', 'AccountName': 'system', 'AccountSid': 'S-1-5-18', 'LogonId': 999, 'InitiatingProcessAccountDomain': 'nt authority', 'InitiatingProcessAccountName': 'system', 'InitiatingProcessAccountSid': 'S-1-5-18', 'InitiatingProcessLogonId': 999, 'InitiatingProcessIntegrityLevel': 'System', 'InitiatingProcessTokenElevation': 'TokenElevationTypeDefault', 'InitiatingProcessSHA1': 'a1385ce20ad79f55df235effd9780c31442aa234', 'InitiatingProcessMD5': '8a0a29438052faed8a2532da50455756', 'InitiatingProcessFileName': 'svchost.exe', 'InitiatingProcessId': 10088, 'InitiatingProcessCommandLine': 'svchost.exe -k netsvcs -p -s Appinfo', 'InitiatingProcessCreationTime': '2019-09-18T05:56:15.268893Z', 'InitiatingProcessFolderPath': 'c:\\windows\\system32\\svchost.exe', 'InitiatingProcessParentId': 856, 'InitiatingProcessParentFileName': 'services.exe', 'InitiatingProcessParentCreationTime': '2019-09-17T14:54:59.5778638Z', 'ReportId': 12048, 'rn': 1, 'event_count': '1' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] observed_data = result_bundle_objects[1] custom_object = observed_data['x_msatp'] assert custom_object.keys() == {'computer_name', 'machine_id'} assert custom_object['computer_name'] == 'desktop-536bt46'
def test_network_json_to_stix(): """to test network stix object properties""" data = {"network_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "transportProtocol": "TCP", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "", "protocols": ["TCP"] }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'dst_port', 'dst_ref', 'src_ref', 'protocols'} assert network_obj['type'] == 'network-traffic' assert network_obj['dst_port'] == 22 assert network_obj['protocols'] == ['tcp'] assert network_obj['src_ref'] == '14'
def test_network_json_to_stix(self): """ to test network stix object properties """ data = {'computer_identity': '550872812-WIN-N11M78AV7BP', 'subQueryID': 1, 'local_address': '192.168.36.10', 'local_port': '139', 'process_ppid': '0', 'process_user': '******', 'timestamp': '1565875693', 'process_name': 'System', 'process_id': '4', 'type': 'Socket', 'protocol': 'udp', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'network-traffic') assert network_obj is not None, 'network-traffic object type not found' assert network_obj.keys() == {'type', 'src_ref', 'src_port', 'protocols'} assert network_obj['type'] == 'network-traffic' assert network_obj['src_ref'] == '0' assert network_obj['src_port'] == 139 assert network_obj['protocols'] == ['udp']
def test_network_json_to_stix_negative(): """to test negative test case for stix object""" data = {"other_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "" }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, data, get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] network_obj = TestArcsightResultsToStix.get_first_of_type(objects.values(), 'file') assert network_obj is None
def test_file_json_to_stix(self): """ to test file stix object properties """ data = {'computer_identity': '1626351170-xlcr.hcl.local', 'subQueryID': 1, 'sha256hash': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'sha1hash': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'md5hash': '958d9ba84826e48094e361102a272fd6', 'file_path': '/tmp/big42E1.tmp', 'file_name': 'big42E1.tmp', 'file_size': '770', 'type': 'file', 'timestamp': '1567046172', 'event_count': '1'} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] file_obj = TestBigFixResultsToStix.get_first_of_type(objects.values(), 'file') assert file_obj is not None, 'file object type not found' assert file_obj.keys() == {'type', 'hashes', 'parent_directory_ref', 'name', 'size'} assert file_obj['type'] == 'file' assert file_obj['name'] == 'big42E1.tmp' assert file_obj['hashes'] == {'SHA-256': '89698504cb73fefacd012843a5ba2e0acda7fd8d5db4efaad22f7fe54fa422f5', 'SHA-1': '41838ed7a546aeefe184fb8515973ffee7c3ba7e', 'MD5': '958d9ba84826e48094e361102a272fd6'} assert file_obj['parent_directory_ref'] == '1' assert file_obj['size'] == 770
def test_common_prop(): """to test the common stix object properties""" data = {"network_events": { "_rowId": "189D1-C@Local", "Event Time": 1592820270804, "Logger": "Local", "spid": "2497", "agentHostName": "ip-172-31-62-249.ec2.internal", "destinationProcessName": "/usr/sbin/sshd", "categoryOutcome": "/Success", "sourceHostName": "176.122.190.164.16clouds.com", "priority": 3, "destinationUserId": "4294967295", "deviceVendor": "Unix", "deviceProcessName": "auditd", "destinationPort": 22, "name": "CRYPTO_KEY_USER|success", "eventId": 2815858, "deviceProduct": "auditd", "destinationHostName": "ip-172-31-66-30.ec2.internal", "destinationAddress": "172.31.66.30", "sourceUserId": "0", "sourceAddress": "176.122.190.164", "requestUrl": "" }} result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) assert result_bundle['type'] == 'bundle' result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] assert result_bundle_identity['id'] == data_source['id'] assert result_bundle_identity['name'] == data_source['name'] assert result_bundle_identity['identity_class'] == data_source['identity_class'] observed_data = result_bundle_objects[1] assert observed_data['id'] is not None assert observed_data['type'] == "observed-data" assert observed_data['created_by_ref'] == result_bundle_identity['id'] assert observed_data['modified'] is not None assert observed_data['created'] is not None assert observed_data['first_observed'] is not None assert observed_data['last_observed'] is not None assert observed_data['number_observed'] is not None
def test_common_prop(self): data = { "starttime": 1531169112, "endtime": 1531169254, "eventcount": 5 } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], transformers.get_all_transformers(), options) assert (result_bundle['type'] == 'bundle') result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert (result_bundle_identity['type'] == data_source['type']) assert (result_bundle_identity['id'] == data_source['id']) assert (result_bundle_identity['name'] == data_source['name']) assert (result_bundle_identity['identity_class'] == data_source['identity_class']) observed_data = result_bundle_objects[1] assert (observed_data['id'] is not None) assert (observed_data['type'] == "observed-data") assert ( observed_data['created_by_ref'] == result_bundle_identity['id']) assert (observed_data['number_observed'] == 5) assert (observed_data['created'] is not None) assert (observed_data['modified'] is not None) assert (observed_data['first_observed'] is not None) assert (observed_data['last_observed'] is not None)
def test_url_json_to_stix(self): """to test url stix object properties""" data = { 'xdr_data': { 'dst_action_url_category': 'https://paloalto/index.com' } } result_bundle = json_to_stix_translator.convert_to_stix( data_source, map_data, [data], get_module_transformers(MODULE), options) result_bundle_objects = result_bundle['objects'] result_bundle_identity = result_bundle_objects[0] assert result_bundle_identity['type'] == data_source['type'] observed_data = result_bundle_objects[1] assert 'objects' in observed_data objects = observed_data['objects'] url_obj = TestPaloaltoResultsToStix.get_first_of_type( objects.values(), 'url') assert url_obj is not None assert url_obj['type'] == 'url' assert url_obj['value'] == 'https://paloalto/index.com'