From 7a9e0278048f256ee1dfab21655cd76c75db7ff1 Mon Sep 17 00:00:00 2001
From: DerekRushton <41486484+DerekRushton@users.noreply.github.com>
Date: Thu, 15 Aug 2024 10:44:30 -0300
Subject: [PATCH] Resolved an issue where severity mapping in the from_stix was using text instead of int. (#1722)

* Resolved some issues with the Tanium image.

Signed-off-by: DerekRushton

* Tanium test fixed and stix2.1

Signed-off-by: DerekRushton

* Fixed severity mapping.

Signed-off-by: DerekRushton

* Severity test fix.

Signed-off-by: DerekRushton

---------

Signed-off-by: DerekRushton
---
 .../tanium/stix_translation/query_constructor.py | 16 +++++++++++++++-
 .../stix_translation/test_from_stix_to_query.py | 4 ++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/stix_shifter_modules/tanium/stix_translation/query_constructor.py b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
index dcdf7878f..06ee2cc16 100644
--- a/stix_shifter_modules/tanium/stix_translation/query_constructor.py
+++ b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
@@ -1,4 +1,5 @@
 import regex
+from stix_shifter_modules.tanium.stix_translation.transformers import ConvertTextSeverityToNumberValue
 from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, ComparisonExpression, \
     Pattern,\
     CombinedComparisonExpression, CombinedObservationExpression
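Review bot: `ConvertTextSeverityToNumberValue` is imported on the new side of this hunk but is not referenced by either hunk of query_constructor.py in the patch, so as far as the diff shows it is an unused import. If it was meant to let the new `_format_severity` accept the text form of severity as well as the integer the updated tests now send (a text value such as `'info'` would make `value < 40` raise `TypeError`), it should be called there before the numeric comparison; otherwise the import line should be dropped so the module does not carry a dead dependency.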
@@ -27,14 +28,27 @@ def _format_start_stop_qualifier(self, expression, qualifier) -> str:
         stop = qualifier_split[3]
         qualified_query = f"{expression}&alertedAtFrom={start}&alertedAtUntil={stop}"
         return qualified_query
+
+    @staticmethod
+    def _format_severity(self, value):
+        if(value < 40):
+            return "info"
+        elif(value >= 40 and value < 80):
+            return "low"
+        elif(value >= 80):
+            return "high"
 
     @staticmethod
     def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
-        {}
+        if(mapped_fields_array[0] == "severity"):
+            value = QueryStringPatternTranslator._format_severity(self, value)
         parsed_fields = f"{mapped_fields_array[0]}{comparator}{value}"
+
         if(comparator == "IN"):
             parsed_fields = ""
             for current_value in value.values:
+                if(mapped_fields_array[0] == "severity"):
+                    value = QueryStringPatternTranslator._format_severity(self, value)
                 parsed_fields += f"{mapped_fields_array[0]}={current_value}&"
             parsed_fields = parsed_fields[:-1]
         return parsed_fields
diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
index f4fa02bf8..76f889540 100644
--- a/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
+++ b/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
@@ -95,7 +95,7 @@ def test_event_oca_query(self):
             " AND [x-oca-event:host_ref.ip_refs.value = '10.0.0.4']" \
             " AND [x-oca-event:host_ref.os_ref.name = 'windows']" \
             " AND [x-oca-event:file_ref.parent_directory_ref.path = 'Application']" \
-            " AND [x-oca-event:severity = 'info']" \
+            " AND [x-oca-event:severity = 0]" \
             " AND [x-oca-event:x_ttp_tagging_refs.technique_id = 'T1204']" \
             " START t'2022-07-01T00:00:00.000Z'" \
             " STOP t'2024-07-27T00:05:00.000Z'"
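Review bot: In the `IN` branch of `_parse_mapped_fields` the new severity mapping is applied to `value` (the whole set object being iterated) rather than to the element being formatted, so `current_value` is emitted into the query unmapped and `_format_severity` is handed a non-numeric object on the first iteration, where `value < 40` will raise `TypeError`. The line inside the loop should read `current_value = QueryStringPatternTranslator._format_severity(self, current_value)`. Separately, `_format_severity` is declared `@staticmethod` yet takes `self` (callers must pass it explicitly, mirroring the existing `_parse_mapped_fields` quirk), and its closing `elif(value >= 80)` should be a plain `else` so the function cannot implicitly return `None`; `if value < 40: ... elif value < 80: ... else: ...` also drops the redundant lower-bound test in the middle branch. `_format_start_stop_qualifier` starts above this hunk; `_parse_mapped_fields` is complete within it.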
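Review bot: The updated pattern in `test_event_oca_query` only exercises severity `0`, which lands in the lowest (`info`) bucket, so the `40` and `80` boundaries and the separate `IN` code path that the patched `_parse_mapped_fields` now handles remain untested; the same applies to the `test_ibm_finding` change in the next hunk. Adding one case at a boundary such as `[x-oca-event:severity = 40]` (expected bucket `low`) and one using `severity IN (0, 80)` would pin the mapping and would have caught the `IN`-branch variable mix-up in query_constructor.py. The expected-query assertion for this test lies outside the hunk.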
@@ -118,7 +118,7 @@ def test_event_oca_query(self):
     def test_ibm_finding(self):
         stix_pattern = "([x-ibm-finding:dst_ip_ref.value = '10.0.0.4']" \
             " AND [x-ibm-finding:name = 'Outlook Spawned Process Creating DLL Files']" \
-            " AND [x-ibm-finding:severity = 'info']" \
+            " AND [x-ibm-finding:severity = 0]" \
             " AND [x-ibm-finding:dst_os_ref.name = 'windows']" \
             " AND [x-ibm-finding:x_ttp_tagging_refs.technique_id = 'T1204']" \
             " AND [x-ibm-finding:x_guid = '00000000-0000-0000-114a-7429237cffc5']" \