def __init__(self, connection={}, configuration={}, options={}):
super().__init__(options)
if connection:
api_client = APIClient(connection, configuration)
ping_connector = QRadarPingConnector(api_client)
query_connector = QRadarQueryConnector(api_client)
status_connector = QRadarStatusConnector(api_client)
results_connector = QRadarResultsConnector(api_client)
delete_connector = QRadarDeleteConnector(api_client)
self.set_ping_connector(ping_connector)
self.set_query_connector(query_connector)
self.set_status_connector(status_connector)
self.set_results_connector(results_connector)
self.set_delete_connector(delete_connector)
else:
basepath = os.path.dirname(__file__)
filepath = os.path.abspath(
os.path.join(basepath, "stix_translation", "json",
"to_stix_map.json"))
# self.mapping_filepath = filepath
# Pass in callback function to handle hashes with unknown type
results_translator = JSONToStix(filepath, hash_type_lookup)
self.setup_translation_simple(
'events', results_translator=results_translator)
def __init__(self, connection={}, configuration={}, options={}):
super().__init__(connection, configuration, options)
self.set_async(False)
if connection:
# Use default transmission setup otherwise...
# self.setup_transmission_simple(connection, configuration)
# ...implement your own setup similar to the following:
api_client = APIClient(connection, configuration)
base_sync_connector = BaseSyncConnector()
ping_connector = PingConnector(api_client)
query_connector = base_sync_connector
status_connector = base_sync_connector
results_connector = ResultsConnector(api_client)
delete_connector = DeleteConnector(api_client)
self.set_results_connector(results_connector)
self.set_status_connector(status_connector)
self.set_delete_connector(delete_connector)
self.set_query_connector(query_connector)
self.set_ping_connector(ping_connector)
# Use default translation setup with default dialect otherwise...
# self.setup_translation_simple(dialect_default='default')
# ...implement your own setup similar to the following:
basepath = os.path.dirname(__file__)
filepath = os.path.abspath(os.path.join(basepath, "stix_translation"))
dialect = 'dialect1'
query_translator = QueryTranslator(options, dialect, filepath)
results_translator = JSONToStix(options, dialect, filepath)
self.add_dialect(dialect,
query_translator=query_translator,
results_translator=results_translator,
default=True)
dialect = 'dialect2'
query_translator = QueryTranslator(options, dialect, filepath)
results_translator = JSONToStix(options, dialect, filepath)
self.add_dialect(dialect,
query_translator=query_translator,
results_translator=results_translator,
default=False)
def create_default_results_translator(self):
module = self.__connector_module
translation_module = importlib.import_module("stix_shifter_modules." +
module +
".stix_translation")
basepath = os.path.dirname(translation_module.__file__)
mapping_filepath = os.path.abspath(
os.path.join(basepath, "json", "to_stix_map.json"))
return JSONToStix(mapping_filepath)
def __init__(self, connection={}, configuration={}, options={}):
super().__init__(options)
self.set_async(False)
if connection:
api_client = APIClient(connection, configuration)
base_sync_connector = BaseSyncConnector()
ping_connector = SynchronousDummyPingConnector(api_client)
query_connector = base_sync_connector
status_connector = base_sync_connector
results_connector = SynchronousDummyResultsConnector(api_client)
delete_connector = SynchronousDummyDeleteConnector(api_client)
self.set_results_connector(results_connector)
self.set_status_connector(status_connector)
self.set_delete_connector(delete_connector)
self.set_query_connector(query_connector)
self.set_ping_connector(ping_connector)
else:
# self.setup_translation_simple('default') # <-------------
# all the lines below can be replaced with one line configuration |
query_translator = QueryTranslator()
basepath = os.path.dirname(__file__)
filepath = os.path.abspath(
os.path.join(basepath, "stix_translation", "json",
"to_stix_map.json"))
results_translator = JSONToStix(filepath)
dialect = 'dialect1'
data_mapper = DataMapper(options, dialect=dialect)
self.add_dialect(dialect,
data_mapper=data_mapper,
query_translator=query_translator,
results_translator=results_translator,
default=True)
dialect = 'dialect2'
data_mapper = DataMapper(options, dialect=dialect)
self.add_dialect(dialect,
data_mapper=data_mapper,
query_translator=query_translator,
results_translator=results_translator,
default=False)
def translate_results(self, data_source, data, options, mapping=None):
"""
Translates JSON data into STIX results based on a mapping file
:param data: JSON formatted data to translate into STIX format
:type data: str
:param mapping: The mapping file path to use as instructions on how to translate the given JSON data to STIX. Defaults the path to whatever is passed into the constructor for JSONToSTIX (This should be the to_stix_map.json in the module's json directory)
:type mapping: str (filepath)
:return: STIX formatted results
:rtype: str
"""
json_data = json.loads(data)
for obj in json_data:
typ = obj.pop('object', '')
fields = obj.pop('fields', [])
for field in fields:
obj[f"{typ}.{field}"] = fields[field]
return JSONToStix.translate_results(self, data_source,
json.dumps(json_data), options,
mapping)
class JSONToStixObservablesDecorator(BaseResultTranslator):
def __init__(self, filepath):
super().__init__(filepath)
self.result_translator = JSONToStix(filepath)
self.filepath = filepath
self.default_mapping_file_path = filepath
def translate_results(self, data_source, data, options, mapping=None):
json_data = json.loads(data)
map_file = open(self.filepath).read()
mapping_overriden = json.loads(map_file)
# Decorate the findings with std observables at this step
self.decorateFindingsWithObjects(json_data, mapping_overriden)
data = json.dumps(json_data)
# Override the mapping with dynamically identified definitions
options["mapping"] = mapping_overriden
return self.result_translator.translate_results(
data_source, data, options, mapping_overriden)
# Decorate the finding with dynamically identified cyber observables
def decorateFindingsWithObjects(self, data, mapping_overriden):
for finding in data:
flattened_finding = flatten(finding)
self.regexAndDecorateWithStdObjects(
flattened_finding, finding,
r'((?:[\da-fA-F]{2}[:\-]){5}[\da-fA-F]{2})', "mac-addr",
mapping_overriden)
self.regexAndDecorateWithStdObjects(flattened_finding, finding,
r'[0-9]+(?:\.[0-9]+){3}',
"ipv4address",
mapping_overriden)
self.regexAndDecorateWithStdObjects(
flattened_finding, finding,
r'(?<![:.\w])(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4}(?![:.\w])',
"ipv6address", mapping_overriden)
self.regexAndDecorateWithStdObjects(
flattened_finding, finding,
r"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)", "email",
mapping_overriden)
self.regexAndDecorateWithStdObjects(
flattened_finding, finding,
r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]",
"domain-name", mapping_overriden)
self.regexAndDecorateWithStdObjects(flattened_finding, finding,
r'(https?://\S+)', "url",
mapping_overriden)
self.regexAndDecorateWithStdObjects(
flattened_finding, finding,
r'([~!@#$%^&*()\-_+={}\[\]|\\:;\"`\'<>.\?\w]+\.[a-z,A-Z][\w]+|[\w]+\.[a-z,A-Z][\W]+|\.[a-z,A-Z][\w]+)',
"file", mapping_overriden)
self.customFunctionAndDecorateWithStdObjects(
flattened_finding, finding, "directory", mapping_overriden)
# This method decorates finding with cyber observables and overrides mapping to support these observables
def regexAndDecorateWithStdObjects(self, flattened_finding, finding, regex,
type, mapping_overriden):
definition = mapping_overriden[type]
objects = []
for key, value in flattened_finding.items():
try:
objectList = re.findall(regex, value)
exceptionList = []
if len(objectList) > 0:
if type == 'domain-name':
for value in objectList:
if "securityadvisor." in value:
exceptionList.append(value)
elif ".pdf" in value or ".sh" in value or ".txt" in value or ".html" in value:
exceptionList.append(value)
if type == 'file':
for value in objectList:
if ".com" in value or ".in" in value or ".org" in value or ".co.in" in value or ".net" in value:
exceptionList.append(value)
# Removing specific exceptions here.
objectList = list(set(objectList) - set(exceptionList))
objects.extend(objectList)
except:
pass
count = 1
for entry in set(objects):
try:
finding[type + str(count)] = entry
# Dynamically add mapping, for eg: 5 email definitions if there are 5 emails identified from a finding
mapping_overriden[type + str(count)] = definition
count += 1
except:
pass
# This method provides a way to call custom functions when function name is provided as string
def customFunctionAndDecorateWithStdObjects(self, flattened_finding,
finding, type,
mapping_overriden):
m = globals()['ObjectParserMethods']()
function_name = "parse" + type.capitalize()
getattr(m, function_name)(flattened_finding, finding, type,
mapping_overriden)
def __init__(self, filepath):
super().__init__(filepath)
self.result_translator = JSONToStix(filepath)
self.filepath = filepath
self.default_mapping_file_path = filepath