Updating file hash mapping for Athena OCSF support (#1345)
mdazam1942 committed Mar 1, 2023
1 parent c0eced9 commit 9025116
Showing 5 changed files with 325 additions and 24 deletions.
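--- /dev/null
+++ b/json/hash_algorithm_map.json
@@ -0,0 +1,9 @@
+{
+"0" : "Unknown",
+"1" : "MD5",
+"2" : "SHA-1",
+"3" : "SHA-256",
+"4" : "SHA-512",
+"5" : "CTPH",
+"99" : "Other"
+}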
Expand Up @@ -992,17 +992,33 @@
"key": "file.extensions.x-ocsf-file-ext.description",
"object": "file"
},
"fingerprints": {
"algorithm": {
"key": "file.extensions.x-ocsf-file-ext.algorithm",
"hashes": {
"Unknown": {
"key": "file.hashes.Unknown",
"object": "file"
},
"algorithm_id": {
"key": "file.extensions.x-ocsf-file-ext.algorithm_id",
"MD5": {
"key": "file.hashes.MD5",
"object": "file"
},
"value": {
"key": "file.extensions.x-ocsf-file-ext.algorithm_value",
"SHA-1": {
"key": "file.hashes.SHA-1",
"object": "file"
},
"SHA-256": {
"key": "file.hashes.SHA-256",
"object": "file"
},
"SHA-512": {
"key": "file.hashes.SHA-512",
"object": "file"
},
"CTPH": {
"key": "file.hashes.CTPH",
"object": "file"
},
"Other": {
"key": "file.hashes.Other",
"object": "file"
}
},
Expand Down Expand Up @@ -1297,7 +1313,7 @@
"key": "process.name",
"object": "process"
},
"parent-process": {
"parent_process": {
"cmd_line": {
"key": "process.command_line",
"object": "parent-process"
Expand Down Expand Up @@ -1495,17 +1511,33 @@
"key": "file.extensions.x-ocsf-file-ext.description",
"object": "parent-file"
},
"fingerprints": {
"algorithm": {
"key": "file.extensions.x-ocsf-file-ext.algorithm",
"hashes": {
"Unknown": {
"key": "file.hashes.Unknown",
"object": "parent-file"
},
"algorithm_id": {
"key": "file.extensions.x-ocsf-file-ext.algorithm_id",
"MD5": {
"key": "file.hashes.MD5",
"object": "parent-file"
},
"value": {
"key": "file.extensions.x-ocsf-file-ext.algorithm_value",
"SHA-1": {
"key": "file.hashes.SHA-1",
"object": "parent-file"
},
"SHA-256": {
"key": "file.hashes.SHA-256",
"object": "parent-file"
},
"SHA-512": {
"key": "file.hashes.SHA-512",
"object": "parent-file"
},
"CTPH": {
"key": "file.hashes.CTPH",
"object": "parent-file"
},
"Other": {
"key": "file.hashes.Other",
"object": "parent-file"
}
},
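Review bot: The new `hashes` block maps the `Unknown` and `Other` algorithm names to `file.hashes.Unknown` and `file.hashes.Other` (first hunk, and again in the parent-file copy in the third hunk), so a fingerprint whose algorithm the map cannot name is still emitted into the STIX file object's `hashes` dictionary under a key that identifies no algorithm. STIX 2.1's hash-algorithm-ov has no `Unknown`, `Other` or `CTPH` entry (the CTPH/ssdeep digest is listed there as `SSDEEP`), so consumers that validate hash keys against the vocabulary may reject or ignore these objects. Consider dropping the `Unknown` and `Other` entries so such fingerprints are not emitted as hashes, and mapping `CTPH` as `"key": "file.hashes.SSDEEP"` if downstream consumers expect the vocabulary name; if custom keys are intended, a short comment in the mapping's documentation saying so would help the next reader. The `parent-process` → `parent_process` rename in the second hunk looks like a straightforward alignment with the OCSF field name and needs no change.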
@@ -1,5 +1,42 @@
from stix_shifter_utils.stix_translation.src.json_to_stix.json_to_stix import JSONToStix

import os
import json

class ResultsTranslator(JSONToStix):
pass
def __init__(self, options, dialect, base_file_path=None, callback=None):
super().__init__(options, dialect, base_file_path, callback)
hash_algorithm_map = os.path.abspath(os.path.join(base_file_path, "json", "hash_algorithm_map.json"))
self.hash_names = self.read_json(hash_algorithm_map, options)

def translate_results(self, data_source, data):
mappping = self.map_data
ocsf_map = mappping['ocsf']
results = json.loads(data)
for result in results:
ocsf_payload = result['ocsf']
process_obj = ocsf_payload.get('process')
if process_obj:
file_obj = process_obj.get('file')
if file_obj:
file_obj['hashes'] = self.update_hash_mapping(file_obj)

parent_process = process_obj.get('parent_process')
if parent_process:
file_obj = parent_process.get('file')
if file_obj:
file_obj['hashes'] = self.update_hash_mapping(file_obj)

data = json.dumps(results)
return super().translate_results(data_source, data)

def update_hash_mapping(self, file_obj):
hashes = {}
fingerprints_objs =file_obj.get('fingerprints')

for fingerprint in fingerprints_objs:
hash_name = self.hash_names[str(fingerprint.get('algorithm_id'))]

hashes[hash_name] = fingerprint.get('value')

return hashes
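Review bot: `update_hash_mapping` fails on ordinary input: `file_obj.get('fingerprints')` returns `None` for a file without fingerprints, so the `for` raises `TypeError`, and `self.hash_names[str(...)]` raises `KeyError` for any `algorithm_id` not in the map (including a missing id, which becomes the key `"None"`), so one malformed or newer-schema result aborts translation of the whole result set. The same fragility applies in `translate_results`, where `result['ocsf']` raises `KeyError` for a result row without that key; if this class is also used for the module's non-OCSF dialects that would break them, though I cannot confirm that from this hunk. `ocsf_map = mappping['ocsf']` (note the typo) is assigned and never read and can be removed. The rewrite below skips missing or unmapped fingerprints instead of raising; unchanged lines are elided.
```python
    def translate_results(self, data_source, data):
        results = json.loads(data)
        for result in results:
            # A row without an OCSF payload is passed through untouched rather than raising KeyError.
            process_obj = (result.get('ocsf') or {}).get('process')
            # … unchanged: file / parent_process hash rewriting …
        data = json.dumps(results)
        return super().translate_results(data_source, data)

    def update_hash_mapping(self, file_obj):
        """Return a STIX-style {algorithm_name: value} dict built from the OCSF fingerprints list."""
        hashes = {}
        for fingerprint in file_obj.get('fingerprints') or []:
            hash_name = self.hash_names.get(str(fingerprint.get('algorithm_id')))
            value = fingerprint.get('value')
            # Unmapped algorithm ids and empty values are dropped instead of failing the whole batch.
            if hash_name and value:
                hashes[hash_name] = value
        return hashes
```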
@@ -0,0 +1,189 @@

{
"ocsf": {
"activity_id": 4,
"activity_name": "Inject",
"actor": {
"idp": {},
"invoked_by": "establishing sap lexington",
"user": {
"account_type": "AWS IAM User",
"account_type_id": 3,
"name": "Pole",
"uid": "70e087f4-b2e0-11ed-b90e-0242ac110002"
}
},
"category_name": "System Activity",
"category_uid": 1,
"class_name": "Process Activity",
"class_uid": 1007,
"device": {
"autoscale_uid": "70e0b58a-b2e0-11ed-bac3-0242ac110002",
"desc": "cholesterol marilyn copies",
"groups": [
{
"name": "write sustainable composer",
"uid": "70e0a3d8-b2e0-11ed-ad51-0242ac110002"
},
{
"name": "guam rhythm gave",
"uid": "70e0a8ec-b2e0-11ed-a67b-0242ac110002"
}
],
"hostname": "palmer.int",
"instance_uid": "70e0bcc4-b2e0-11ed-bfcf-0242ac110002",
"interface_name": "recycling tariff choose",
"interface_uid": "70e0c08e-b2e0-11ed-b1de-0242ac110002",
"ip": "200.246.41.59",
"is_compliant": true,
"is_managed": false,
"name": "wrapped suppose cleaning",
"network_interfaces": [
{
"hostname": "mpg.com",
"ip": "240.252.208.148",
"mac": "79:32:43:C9:22:5C:B7:F0",
"name": "coming orchestra architecture",
"type": "Wireless",
"type_id": 2
},
{
"hostname": "killing.mil",
"ip": "154.166.77.210",
"mac": "7C:7F:2B:4B:BF:C2:78:1A",
"name": "princeton optional rh",
"type": "Wireless",
"type_id": 2
}
],
"region": "weblog justin reconstruction",
"type": "Unknown",
"type_id": 0,
"uid": "70e0b15c-b2e0-11ed-bb16-0242ac110002",
"uuid": "70e0acc0-b2e0-11ed-b29c-0242ac110002"
},
"duration": 50,
"end_time": 1677091255453843,
"message": "flexible accomplish tower",
"metadata": {
"original_time": "highlighted icon when",
"product": {
"feature": {
"name": "chronic knit insurance",
"uid": "70e0908c-b2e0-11ed-baf2-0242ac110002",
"version": "1.0.0-rc.2"
},
"lang": "en",
"name": "zealand wicked described",
"uid": "70e0947e-b2e0-11ed-b823-0242ac110002",
"vendor_name": "feeding usgs strategic",
"version": "1.0.0-rc.2"
},
"profiles": [],
"version": "1.0.0-rc.2"
},
"process": {
"cmd_line": "florence cups venture",
"created_time": 1677091255455047,
"file": {
"fingerprints": [
{
"algorithm": "SHA-256",
"algorithm_id": 3,
"value": "401045DC4F861002C2494449EE92A7063F34AA49E4708EA6E3231B14D5D7B579"
},
{
"algorithm": "SHA-1",
"algorithm_id": 2,
"value": "CD89B1537C0E6664405C383CEE9DB1F2A6D1A5AC"
}
],
"name": "permit.msg",
"parent_folder": "/com/gdp/agent/sega/managed/collectables.heic",
"path": "/com/gdp/agent/sega/managed/collectables.heic/permit.msg",
"product": {
"lang": "en",
"name": "logan wrong man",
"uid": "70e0d268-b2e0-11ed-87cf-0242ac110002",
"vendor_name": "solely picnic wool",
"version": "1.0.0-rc.2"
},
"type": "Symbolic Link",
"type_id": 7
},
"name": "Virginia",
"parent_process": {
"cmd_line": "peer tears algeria",
"created_time": 1677091255455512,
"integrity": "Protected",
"integrity_id": 6,
"name": "Acids",
"file": {
"attributes": 59,
"confidentiality": "focus mit montreal",
"fingerprints": [
{
"algorithm": "SHA-256",
"algorithm_id": 3,
"value": "FAF9838AC653B1FE66CD949D9862F251532DDFEFED66B69E45D918413DD7207B"
},
{
"algorithm": "SHA-512",
"algorithm_id": 4,
"value": "7598F315CC628FB4776924563E0E829B8CCA39B7FAD98FA379FA9BA878C6034D92689E7B48D3931F30765CF0A44922E954240AFB658CF898961C102430072C67"
}
],
"mime_type": "potential/herbs",
"name": "powerful.tif",
"parent_folder": "/algebra/puerto/raising/died/default/charleston.nes",
"path": "/algebra/puerto/raising/died/default/charleston.nes/powerful.tif",
"product": {
"lang": "en",
"name": "chief pe writer",
"uid": "70e0e8f2-b2e0-11ed-b2a2-0242ac110002",
"vendor_name": "wesley afraid sunset",
"version": "1.0.0-rc.2"
},
"type": "Local Socket",
"type_id": 5
},
"pid": 33,
"sandbox": "nick named fill",
"uid": "70e2352c-b2e0-11ed-a5ba-0242ac110002",
"user": {
"groups": [
{
"name": "statute praise sporting",
"type": "gmt produces rich",
"uid": "70e23f86-b2e0-11ed-8907-0242ac110002"
}
],
"type": "advanced clarke opera",
"uid": "70e24378-b2e0-11ed-9c15-0242ac110002"
}
},
"pid": 9,
"uid": "70e246d4-b2e0-11ed-8c8d-0242ac110002",
"user": {
"account_type": "AWS IAM User",
"account_type_id": 3,
"credential_uid": "70e24e18-b2e0-11ed-97dc-0242ac110002",
"email_addr": "Dinah@kentucky.biz",
"org_uid": "70e251f6-b2e0-11ed-ab36-0242ac110002",
"type": "User",
"type_id": 1,
"uid": "70e25566-b2e0-11ed-8aad-0242ac110002"
},
"xattributes": {}
},
"severity": "Medium",
"severity_id": 3,
"start_time": 1677091255454950,
"status": "Unknown",
"status_id": 0,
"time": 1677091255453833,
"timezone_offset": 57,
"type_name": "Process Activity: Inject",
"type_uid": 100704
}
}
Expand Up @@ -490,19 +490,53 @@ def test_ocsf_translation_prop(self):
assert user_account['user_id'] == '011222333553'
assert user_account['display_name'] == 'backup'

x_ibm_finding = TestAwsResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
assert x_ibm_finding is not None, 'x-ibm-finding object type not found'
assert x_ibm_finding.keys() == {'type', 'time_observed', 'dst_ip_ref', 'src_ip_ref', 'severity'}
assert x_ibm_finding['time_observed'] == '2020-10-07T08:08:37.000Z'
assert x_ibm_finding['severity'] == 0

def test_ocsf_file_translation(self):
"""
Test process object
"""
entry_point = EntryPoint()
result_file = open('stix_shifter_modules/aws_athena/tests/stix_translation/json/process_activity.json', 'r').read()
data = json.loads(result_file)

result_bundle = entry_point.translate_results(json.dumps(data_source),json.dumps([data]))
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']

file = TestAwsResultsToStix.get_first_of_type(objects.values(), 'file')
assert file['name'] == 'permit.msg'
assert file['hashes']['SHA-256'] == '401045DC4F861002C2494449EE92A7063F34AA49E4708EA6E3231B14D5D7B579'
assert file['hashes']['SHA-1'] == 'CD89B1537C0E6664405C383CEE9DB1F2A6D1A5AC'

def test_ocsf_network_translation(self):
"""
Test process object
"""
entry_point = EntryPoint()
result_file = open('stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json', 'r').read()
data = json.loads(result_file)
result_bundle = entry_point.translate_results(json.dumps(data_source),json.dumps([data]))
assert result_bundle['type'] == 'bundle'
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]
assert 'objects' in observed_data
objects = observed_data['objects']

network_traffic = TestAwsResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
assert network_traffic is not None, 'network-traffic object type not found'
assert network_traffic.keys() == {'type', 'extensions', 'protocols', 'dst_ref', 'dst_port', 'src_ref', 'src_port', 'dst_byte_count', 'dst_packets', 'src_packets'}
assert network_traffic.keys() == {'type', 'extensions','protocols', 'dst_ref', 'dst_port', 'src_ref', 'src_port', 'dst_byte_count', 'dst_packets', 'src_packets'}
assert network_traffic['protocols'] == ['tcp', 'ipv4']
assert network_traffic['src_port'] == 36136
assert network_traffic['dst_port'] == 19984
assert network_traffic['src_packets'] == 535302077
assert network_traffic['dst_packets'] == 4208942596
tcp_ext = network_traffic.get('extensions')['tcp-ext']
assert tcp_ext['src_flags_hex'] == 85

x_ibm_finding = TestAwsResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
assert x_ibm_finding is not None, 'x-ibm-finding object type not found'
assert x_ibm_finding.keys() == {'type', 'time_observed', 'dst_ip_ref', 'src_ip_ref', 'severity'}
assert x_ibm_finding['time_observed'] == '2020-10-07T08:08:37.000Z'
assert x_ibm_finding['severity'] == 0
assert tcp_ext['src_flags_hex'] == 85
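Review bot: Both new tests read the fixture with `open(path, 'r').read()` and never close the handle, which leaks a file descriptor and triggers `ResourceWarning` under pytest; replace the two lines in each test with `with open('stix_shifter_modules/aws_athena/tests/stix_translation/json/process_activity.json') as fixture:` followed by `data = json.load(fixture)` (same for `ocsf_results.json`). `test_ocsf_file_translation` only asserts the hashes of the process `file` object, while the commit also rewrites the parent-file hashes and the fixture carries a SHA-256 and SHA-512 fingerprint for it, so an assertion on the parent-file object's `hashes` would cover the second code path the commit adds. The docstring `Test process object` on `test_ocsf_network_translation` is copied from the file test and does not describe it; `Test network-traffic and x-ibm-finding objects` would. The local name `file` shadows the builtin; `file_obj` reads better. The enclosing `test_ocsf_translation_prop` starts before this hunk.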
