ThreatQ connector (#1461)

stix_shifter_modules/threat_q/configuration/config.json

@@ -0,0 +1,123 @@
+{
+    "connection": {
+        "type": {
+            "id": "ThreatQ_Connector",
+            "displayName": "ThreatQ",
+            "description": "ThreatQ Threat Intelligence Platform"
+        },
+        "help": {
+            "default": "www.ibm.com",
+            "type": "link"
+        },
+        "options": {
+            "type": "fields",
+            "concurrent": {
+                "default": 4,
+                "min": 1,
+                "max": 100,
+                "type": "number",
+                "previous": "connection.maxConcurrentSearches"
+            },
+            "result_limit": {
+                "default": 10000,
+                "min": 1,
+                "max": 500000,
+                "type": "number",
+                "previous": "connection.resultSizeLimit",
+                "hidden": true
+            },
+            "time_range": {
+                "default": 5,
+                "min": 1,
+                "max": 10000,
+                "type": "number",
+                "previous": "connection.timerange",
+                "nullable": true,
+                "hidden": true
+            },
+            "timeout": {
+                "default": 30,
+                "min": 1,
+                "max": 60,
+                "type": "number",
+                "previous": "connection.timeoutLimit"
+            }
+        },
+        "namespace":{
+            "type": "text",
+            "default": "9d4bedaf-d351-4f50-930f-f8eb121e5bae",
+            "hidden": true
+        },
+        "host": {
+            "type": "text",
+            "default": "",
+            "hidden": true
+        },
+        "port": {
+            "default": 443,
+            "type": "number",
+            "min": 1,
+            "max": 65535,
+            "hidden": true
+        }
+    },
+    "configuration": {
+        "auth": {
+            "type" : "fields",
+            "hostname": {
+                "type": "text"
+            },
+            "username" : {
+                "type": "text"
+            },
+            "password": {
+                "type": "password"
+            }
+        },
+        "rateLimit": {
+            "type": "fields",
+            "rateLimit": {
+                "default": 10000,
+                "type": "number",
+                "hidden": true
+            },
+            "rateUnit": {
+                "default": "Day",
+                "type": "text",
+                "hidden": true
+            }
+        },
+        "cacheDuration": {
+            "type": "fields",
+            "cacheDuration": {
+                "default": 10,
+                "type": "number",
+                "hidden": true
+            },
+            "unit": {
+                "default": "Minute",
+                "type": "text",
+                "hidden": true
+            }
+        },
+        "dataTypeList": {
+            "type": "fields",
+            "ip": {
+                "type": "checkbox",
+                "default": true
+            },
+            "domain": {
+                "type": "checkbox",
+                "default": true
+            },
+            "url": {
+                "type": "checkbox",
+                "default": true
+            },
+            "hash": {
+                "type": "checkbox",
+                "default": true
+            }
+        }
+    }
+}

stix_shifter_modules/threat_q/configuration/lang_en.json

@@ -0,0 +1,81 @@
+{
+    "connection": {
+        "options": {
+            "concurrent": {
+                "label": "Concurrent Search Limit",
+                "description": "The number of simultaneous connections that can be made between the host and the data source.  Valid input range is {{min}} to {{max}}."
+            },
+            "search_timeout": {
+                "label": "Query Search Timeout Limit",
+                "description": "The limit on how long the query will run, in minutes, on the data source."
+            }
+        },
+        "host": {
+            "label": "Management IP address or Hostname",
+            "placeholder": "192.168.1.10",
+            "description": "Specify the OCP Cluster hostname or the XForce API host URL"
+        },
+        "port": {
+            "label": "Host Port",
+            "description": "Set the port number that is associated with the Host name or IP"
+        },
+        "namespace": {
+            "label": "The UUID Namespace to generate unique ",
+            "description": "Supply a UUID to generate deterministic UUIDs for the resulting STIX bundle"
+        }
+    },
+    "configuration": {
+        "auth": {
+            "hostname": {
+                "label": "hostname",
+                "description": "ThreatQ hostname"
+            },
+            "username": {
+                "label": "Username",
+                "description": "Username provisioned by ThreatQ"
+            },
+            "password": {
+                "label": "Password",
+                "description": "Password provisioned by ThreatQ"
+            }
+        },
+        "rateLimit": {
+            "rateLimit": {
+                "label": "Rate Limit",
+                "description": "The number of queries allowed by ThreatQ"
+            },
+            "rateUnit": {
+                "label": "Rate Unit",
+                "description": "The rate unit for rate limit in [seconds, minutes, days, months, years ...]"
+            }
+        },
+        "cacheDuration": {
+            "cacheDuration": {
+                "label": "Cache Duration",
+                "description": "How long should we cache the results of the STIX Bundle execution?"
+            },
+            "unit": {
+                "label": "Rate Unit",
+                "description": "The unit for cache in [seconds, minutes, days, months, years ...]"
+            }
+        },
+        "dataTypeList": {
+            "ip": {
+                "label": "IP Address",
+                "description": "Whether IP Address lookup queries are supported by ThreatQ based on the User's API Provisioning"
+            },
+            "domain": {
+                "label": "Domain",
+                "description": "Whether Domain queries are supported by ThreatQ based on the User's API Provisioning"
+            },
+            "url": {
+                "label": "URL",
+                "description": "Whether Domain queries are supported by ThreatQ based on the User's API Provisioning"
+            },
+            "hash": {
+                "label": "Hash",
+                "description": "Whether Hash queries are supported by ThreatQ based on the User's API Provisioning"
+            }
+        }
+    }
+}

stix_shifter_modules/threat_q/entry_point.py

@@ -0,0 +1,42 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+from stix_shifter_utils.modules.base.stix_transmission.base_sync_connector import BaseSyncConnector
+from .stix_transmission.ping_connector import PingConnector
+from .stix_transmission.delete_connector import DeleteConnector
+from .stix_transmission.results_connector import ResultsConnector
+from .stix_transmission.api_client import APIClient
+from .stix_translation.query_translator import QueryTranslator
+from .stix_translation.results_translator import ResultsTranslator
+from stix_shifter_utils.stix_translation.src.json_to_stix.json_to_stix import JSONToStix
+import os
+
+
+class EntryPoint(BaseEntryPoint):
+
+    # python main.py translate ibmxfe results '{"type": "identity","id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff","name": "IBM X-Force","identity_class": "system"}' '' < ../xfe_result.json --stix-validator
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(False)
+
+        if connection:
+            api_client = APIClient(connection, configuration)
+            base_sync_connector = BaseSyncConnector()
+            ping_connector = PingConnector(api_client)
+            query_connector = base_sync_connector
+            status_connector = base_sync_connector
+            results_connector = ResultsConnector(api_client)
+            delete_connector = DeleteConnector(api_client)
+
+            self.set_results_connector(results_connector)
+            self.set_status_connector(status_connector)
+            self.set_delete_connector(delete_connector)
+            self.set_query_connector(query_connector)
+            self.set_ping_connector(ping_connector)
+
+        basepath = os.path.dirname(__file__)
+        filepath = os.path.abspath(os.path.join(basepath, "stix_translation"))
+
+        dialect = 'default'
+        query_translator = QueryTranslator(options, dialect, filepath)
+        results_translator = ResultsTranslator(options, dialect, filepath)
+        self.add_dialect(dialect, query_translator=query_translator, results_translator=results_translator, default=True)

stix_shifter_modules/threat_q/requirements.txt

@@ -0,0 +1 @@
+uuid==1.30

stix_shifter_modules/threat_q/stix_translation/json/from_stix_map.json

@@ -0,0 +1,30 @@
+{
+  "url": {
+    "fields": {
+        "value": ["Url"]
+    }
+  },
+  "ipv4-addr": {
+    "fields": {
+      "value":["SourceIpV4", "DestinationIpV4"]
+    }
+  },
+  "ipv6-addr": {
+    "fields":{
+      "value":["SourceIpV6", "DestinationIpV6"]
+    }
+  },
+  "domain-name":{
+    "fields":{
+      "value":["Url"]
+    }
+  },
+  "file":{
+    "fields":{
+      "hashes.'SHA-256'": ["sha256hash"],
+      "hashes.MD5": ["md5hash"],
+      "hashes.'MD5'": ["md5hash"],
+      "hashes.'SHA-1'": ["sha1hash"]
+    }
+  }
+}

stix_shifter_modules/threat_q/stix_translation/json/operators.json

@@ -0,0 +1,16 @@
+{
+  "ComparisonExpressionOperators.And": "AND",
+  "ComparisonExpressionOperators.Or": "OR",
+  "ComparisonComparators.GreaterThan": ">",
+  "ComparisonComparators.GreaterThanOrEqual": ">=",
+  "ComparisonComparators.LessThan": "<",
+  "ComparisonComparators.LessThanOrEqual": "<=",
+  "ComparisonComparators.Equal": "=",
+  "ComparisonComparators.NotEqual": "!=",
+  "ComparisonComparators.Like": "=",
+  "ComparisonComparators.In": "IN",
+  "ComparisonComparators.Matches": "CONTAINS",
+  "ComparisonComparators.IsSubSet": "insubnet",
+  "ObservationOperators.Or": "OR",
+  "ObservationOperators.And": "AND"
+}

stix_shifter_modules/threat_q/stix_translation/json/to_stix_map.json

@@ -0,0 +1,3 @@
+{
+
+}