diff --git a/tools/config/stix-custom.yml b/tools/config/stix-custom.yml
new file mode 100644
index 000000000..f5061596b
--- /dev/null
+++ b/tools/config/stix-custom.yml
@@ -0,0 +1,132 @@ +title: Additional STIX mapping for future use +backends: + - stix +order: 10 +fieldmappings: + record_type: + - x-dns:record_type + requestParameters.attribute: + - x-cloud:request_parameters + responseElements.publiclyAccessible: + - x-cloud:publicly_accessible + errorMessage: + - x-error:message + errorCode: + - x-error:code + responseElements: + - x-cloud:response_elements + requestParameters.userData: + - x-cloud:request_parameters + AccessMask: + - x-windows:accessmask + Accesses: + - x-windows:accesses + CallTrace: + - x-windows:calltrace + DestinationIsIpv6: + - x-windows:destisipv6 + ErrorCode: + - x-error:code + ExtendedErrorCode: + - x-error:code + - x-error:id + GrantedAccess: + - x-windows:grantedaccess + GroupDomain: + - x-group:domain + GroupID: + - x-group:id + GroupName: + - x-group:name + GroupSecurityID: + - x-group:security_id + IMPHash: + - x-windows:imphash + Imphash: + - x-windows:imphash + ImageTempPath: + - process:binary_ref.x_temp_path + InitiatedConnection: + - x-windows:initiatedconnection + Initiated: + - x-windows:initiatedconnection + IntegrityLevel: + - x-windows:integritylevel + LogonType: + - x-windows:logontype + ObjectName: + - x-windows:objectname + ObjectType: + - x-windows:objecttype + PipeName: + - x-windows:pipename + QueryName: + - x-windows:queryname + QueryResults: + - x-windows:queryresults + QueryStatus: + - x-windows:querystatus + ShareName: + - x-windows:sharename + SharePath: + - x-windows:sharepath + Signature: + - x-windows:signature + SignatureStatus: + - x-windows:signaturestatus + Signed: + - x-windows:signed + SourceImage: + - x-windows:sourceimage + SourceImageTempPath: + - x-windows:sourceimagetemppath + SourceWorkstation: + - x-windows:sourceworkstation + StartAddress: + - x-windows:startaddress + StartFunction: + - x-windows:startfunction + StartModule: + - x-windows:startmodule + TargetAccountSecurityID: + - x-windows:targetaccountsecurityid + TargetComputerDomain: + - 
x-windows:targetcomputerdomain + TargetComputerName: + - x-windows:targetcomputername + TargetDetails: + - x-windows:targetdetails + TargetImage: + - x-windows:targetimage + TargetImageName: + - x-windows:targetimagename + TargetProcessGuid: + - x-windows:targetprocessguid + TargetProcessAddress: + - x-windows:startaddress + TargetUserDomain: + - x-windows:targetuserdomain + TargetUserName: + - x-windows:targetusername + TaskName: + - x-windows:taskname + TicketEncryptionType: + - x-windows:ticketencryptiontype + event_data.PipeName: + - x-windows:pipename + event_data.ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + event_data.ShareName: + - x-windows:sharename + event_data.Signature: + - x-windows:signature + event_data.SourceImage: + - x-windows:sourceimage + event_data.StartModule: + - x-windows:startmodule + event_data.TargetImage: + - x-windows:targetimage + key: + - x-sigma:keywords + sc-status: + - x-web:status_code diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml deleted file mode 100644 index 0ab8f72b1..000000000 --- a/tools/config/stix-linux.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: STIX for Linux Logs -backends: - - stix -order: 40 -logsources: - linux: - product: linux -fieldmappings: - type: - - x-ibm-event:action - keywords: - - artifact:payload_bin - a0: - - process:command_line - a1: - - process:command_line - name: - - file:name - a3: - - process:command_line - key: - - x-sigma:keywords - exe: - - file:name - a2: - - process:command_line - SYSCALL: - - x-ibm-event:action - pam_message: - - x-ibm-event:action - pam_user: - - user-account:user_id - pam_rhost: - - x-ibm-host:hostname - USER: - - user-account:user_id \ No newline at end of file diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml deleted file mode 100644 index cd78c1904..000000000 --- a/tools/config/stix-qradar.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -title: STIX for QRadar -backends: - - stix -order: 30 -fieldmappings: - categoryid: - - x-ibm-ariel:category_id - categoryname: - - x-ibm-ariel:category_name - credescription: - - x-ibm-finding:description - Description: - - x-ibm-finding:description - credibility: - - x-ibm-ariel:credibility - crename: - - x-ibm-finding:name - devicetype: - - x-ibm-ariel:device_type - Device: - - x-ibm-ariel:device_type - direction: - - x-ibm-ariel:direction - domainid: - - x-ibm-ariel:domain_id - geographic: - - x-ibm-ariel:geographic - high_level_category_id: - - x-ibm-ariel:high_level_category_id - high_level_category_name: - - x-ibm-ariel:high_level_category_name - identityhostname: - - x-ibm-ariel:identity_host_name - logsourceid: - - x-ibm-ariel:log_source_id - logsourcename: - - x-ibm-ariel:log_source_name - logsourcetypename: - - x-ibm-ariel:log_source_type_name - magnitude: - - x-ibm-ariel:magnitude - qid: - - x-ibm-ariel:qid - qidname: - - x-ibm-ariel:event_name - relevance: - - x-ibm-ariel:relevance - rulenames: - - x-ibm-ariel:rule_names[*] - severity: - - x-ibm-ariel:severity diff --git a/tools/config/stix-shifter.yml b/tools/config/stix-shifter.yml new file mode 100644 index 000000000..02f725a64 --- /dev/null +++ b/tools/config/stix-shifter.yml 
@@ -0,0 +1,115 @@ +title: Custom mappings for stix-shifter project +backends: + - stix +order: 30 +fieldmappings: + # x-oca-event SCO + action: + - x-oca-event:action + operation: + - x-oca-event:action + event.category: + - x-oca-event:category + eventName: + - x-oca-event:action + eventType: + - x-oca-event:category + Description: + - x-oca-event:action + - x-ibm-finding:description + Event-ID: + - x-oca-event:code + EventID: + - x-oca-event:code + Event_ID: + - x-oca-event:code + event-id: + - x-oca-event:code + eventId: + - x-oca-event:code + EventType: + - x-oca-event:action + Message: + - x-oca-event:original + Details: + - windows-registry-key:values[*].data + - x-oca-event:original + event_id: + - x-oca-event:code + eventid: + - x-oca-event:code + type: + - x-oca-event:action + pam_message: + - x-oca-event:action + + # x-oca-asset SCO + cs-host: + - x-oca-asset:hostname + - domain-name:value + eventSource: + - x-oca-asset:hostname + ComputerName: + - x-oca-asset:hostname + pam_rhost: + - x-oca-asset:hostname + + # DNS network extension + r-dns: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + query: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + + # x-ibm-finding object + credescription: + - x-ibm-finding:description + crename: + - x-ibm-finding:name + + # x-qradar custom object + categoryid: + - x-qradar:category_id + categoryname: + - x-qradar:category_name + credibility: + - x-qradar:credibility + Device: + - x-qradar:device_type + - file:name + devicetype: + - x-qradar:device_type + direction: + - x-qradar:direction + domainid: + - x-qradar:domain_id + geographic: + - x-qradar:geographic + high_level_category_id: + - x-qradar:high_level_category_id + high_level_category_name: + - x-qradar:high_level_category_name + identityhostname: + - x-qradar:identity_host_name + logsourceid: + - x-qradar:log_source_id + logsourcename: + - x-qradar:log_source_name + 
logsourcetypename: + - x-qradar:log_source_type_name + magnitude: + - x-qradar:magnitude + qid: + - x-qradar:qid + qidname: + - x-qradar:event_name + relevance: + - x-qradar:relevance + rulenames: + - x-qradar:rule_names[*] + severity: + - x-qradar:severity + diff --git a/tools/config/stix.yml b/tools/config/stix.yml deleted file mode 100644 index facba562b..000000000 --- a/tools/config/stix.yml +++ /dev/null 
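Review bot: `Details` and `Device` are mapped in this file and again in the new tools/config/stix2.0.yml from the same commit, to different target lists (`Details` → `windows-registry-key:values[*].data` plus `x-oca-event:original` here versus only `windows-registry-key:values[*].data` there; `Device` → `x-qradar:device_type` plus `file:name` here versus `file:name` there). Which list a rule ends up with presumably depends on how the backend merges configs by `order` (30 here, 100 there) and on which configs the caller passes, so the same Sigma condition can translate to a broader or narrower pattern without any visible reason. Either keep one copy or document the intended precedence next to the entries, e.g. `# Details/Device are also mapped in stix2.0.yml; this file (order 30) is intended to take precedence`.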
@@ -1,175 +0,0 @@ -title: Basic STIX -backends: - - stix -order: 20 -fieldmappings: - action: - - x-ibm-event:action - User: - - user-account:user_id - c-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - cs-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - destinationip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - destinationmac: - - mac-addr:value - - network-traffic:dst_ref.value - destinationport: - - network-traffic:dst_port - dst_port: - - network-traffic:dst_port - domainname: - - domain-name:value - dst: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - dst_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - endtime: - - network-traffic:end - event_data.DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - event_data.DestinationPort: - - network-traffic:dst_port - DestinationPort: - - network-traffic:dst_port - destination.port: - - network-traffic:dst_port - event_data.SubjectUserName: - - user-account:user_id - event_data.User: - - user-account:user_id - filehash: - - file:hashes.SHA-256 - - file:hashes.MD5 - - file:hashes.SHA-1 - filename: - - file:name - filepath: - - file:parent_directory_ref - - directory:path - identityip: - - ipv4-addr:value - protocolid: - - network-traffic:protocols[*] - sourceip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - sourcemac: - - mac-addr:value - - network-traffic:src_ref.value - sourceport: - - network-traffic:src_port - SourcePort: - - network-traffic:src_port - src: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - src_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - starttime: - - network-traffic:start - url: - - url:value - user: - - user-account:user_id - 
username: - - user-account:user_id - utf8_payload: - - artifact:payload_bin - - # Web + Proxy mapping - c-uri: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-query: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-stem: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - keywords: - - artifact:payload_bin - cs-method: - - network-traffic:extensions.'http-request-ext'.request_method - sc-status: - - x-web:status_code - clientip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - c-useragent: - - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' - r-dns: - - domain-name:value - - url:value - - x-dns:query - cs-host: - - x-ibm-host:hostname - - domain-name:value - cs-cookie: - - network-traffic:extensions.'http-request-ext'.request_header.Cookie - query: - - domain-name:value - - url:value - - x-dns:query - record_type: - - x-dns:record_type - operation: - - x-ibm-event:action - - # Compliance mapping - event.category: - - x-ibm-event:category - host.scan.vuln_name: - - vulnerability:name - host.scan.vuln: - - vulnerability:external_references[*].external_id - - # Cloud mapping - eventSource: - - x-ibm-host:hostname - eventName: - - x-ibm-event:action - requestParameters.attribute: - - x-cloud:request_parameters - responseElements.publiclyAccessible: - - x-cloud:publicly_accessible - errorMessage: - - x-error:message - errorCode: - - x-error:code - responseElements: - - x-cloud:response_elements - requestParameters.userData: - - x-cloud:request_parameters - userIdentity.type: - - user-account:account_login - eventType: - - x-ibm-event:category - userIdentity.arn: - - user-account:account_login - - user-account:display_name - responseElements.pendingModifiedValues.masterUserPassword: - - user-account:credential 
diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml
new file mode 100644
index 000000000..e2f124194
--- /dev/null
+++ b/tools/config/stix2.0.yml
@@ -0,0 +1,280 @@ +title: Official STIX 2.0 +backends: + - stix +order: 100 +fieldmappings: + User: + - user-account:user_id + USER: + - user-account:user_id + user: + - user-account:user_id + event_data.SubjectUserName: + - user-account:user_id + - user-account:account_login + c-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + cs-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + destinationip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + destinationmac: + - mac-addr:value + - network-traffic:dst_ref.value + destinationport: + - network-traffic:dst_port + dst_port: + - network-traffic:dst_port + domainname: + - domain-name:value + dst: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + dst_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + endtime: + - network-traffic:end + event_data.DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + event_data.DestinationPort: + - network-traffic:dst_port + DestinationPort: + - network-traffic:dst_port + destination.port: + - network-traffic:dst_port + filehash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + filename: + - file:name + filepath: + - file:parent_directory_ref + - directory:path + identityip: + - ipv4-addr:value + protocolid: + - network-traffic:protocols[*] + sourceip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + sourcemac: + - mac-addr:value + - network-traffic:src_ref.value + sourceport: + - network-traffic:src_port + SourcePort: + - network-traffic:src_port + src: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + src_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + starttime: + - network-traffic:start + url: + - url:value + username: 
+ - user-account:user_id + utf8_payload: + - artifact:payload_bin + + # Web + Proxy mapping + c-uri: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-query: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-stem: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + keywords: + - artifact:payload_bin + cs-method: + - network-traffic:extensions.'http-request-ext'.request_method + clientip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + c-useragent: + - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' + r-dns: + - domain-name:value + - url:value + cs-host: + - domain-name:value + cs-cookie: + - network-traffic:extensions.'http-request-ext'.request_header.Cookie + query: + - domain-name:value + - url:value + + # Compliance mapping + host.scan.vuln_name: + - vulnerability:name + host.scan.vuln: + - vulnerability:external_references[*].external_id + + # Cloud mapping + userIdentity.type: + - user-account:account_login + userIdentity.arn: + - user-account:account_login + - user-account:display_name + responseElements.pendingModifiedValues.masterUserPassword: + - user-account:credential + AccountDomain: + - user-account:x_domain + AccountID: + - user-account:user_id + AccountName: + - user-account:account_login + - user-account:display_name + AccountSecurityID: + - user-account:x_security_id + ClientIP: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + DestinationHostname: + - network-traffic:dst_ref.value + Device: + - file:name + FileDirectory: + - directory:path + FileExtension: + - file:x_extension + FileHash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + FilePath: + - file:name + Filename: + - file:name + HomeDirectory: + - directory:path + Image: + - process:binary_ref.name + ImageLoadedTempPath: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path + ImageName: + - process:binary_ref.name + ImagePath: + - binary_ref.parent_directory_ref.pat.name + InitiatorUserName: + - user-account:user_id + - user-account:account_login + LoadedImage: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + LoadedImageName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + MD5Hash: + - file:hashes.MD5 + NewName: + - windows-registry-key:key + ParentCommandLine: + - process:parent_ref.command_line + ParentImage: + - process:parent_ref.binary_ref.name + ParentImageName: + - process:parent_ref.binary_ref.name + ParentProcessGuid: + - process:parent_ref.x_guid + ParentProcessName: + - process:parent_ref.binary_ref.name + ParentProcessPath: + - process:parent_ref.binary_ref.name + ProcessCommandLine: + - process:command_line + Command: + - process:command_line + CommandLine: + - process:command_line + ProcessGuid: + - process:x_guid + ProcessId: + - process:pid + ProcessName: + - process:binary_ref.name + ProcessPath: + - process:binary_ref.parent_directory_ref.path + RegistryKey: + - windows-registry-key:key + RegistryValueData: + - windows-registry-key:values[*].data + RegistryValueName: + - windows-registry-key:values[*].name + SAMAccountName: + - user-account:account_login + - user-account:display_name + SHA1Hash: + - file:hashes.SHA-1 + SHA256Hash: + - file:hashes.SHA-256 + ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + ServiceName: + - process:extensions.'windows-service-ext'.service_name + Details: + - windows-registry-key:values[*].data + TargetFilename: + - file:name + TargetObject: + - windows-registry-key:key + UserDomain: + - user-account:x_domain + event_data.FileName: + - file:name + event_data.Image: + - process:binary_ref.name + event_data.ImageLoaded: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + ImageLoaded: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].name
+ event_data.ImagePath:
+ - process:binary_ref.parent_directory_ref.path
+ event_data.ParentCommandLine:
+ - process:parent_ref.command_line
+ event_data.ParentImage:
+ - process:parent_ref.binary_ref.name
+ event_data.ParentProcessName:
+ - process:parent_ref.binary_ref.name
+ event_data.TargetFilename:
+ - file:name
+ event_data.User:
+ - user-account:user_id
+ a0:
+ - process:command_line
+ a1:
+ - process:command_line
+ name:
+ - file:name
+ a3:
+ - process:command_line
+ exe:
+ - file:name
+ a2:
+ - process:command_line
+ pam_user:
+ - user-account:user_id
diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py
index 03191d8bf..c802180c4 100644
--- a/tools/sigma/backends/stix.py
+++ b/tools/sigma/backends/stix.py
@@ -16,7 +16,7 @@ class STIXBackend(SingleTextQueryBackend):
 mapExpression = "%s = %s"
 notMapExpression = "%s != %s"
 mapListsSpecialHandling = True
- sigmaSTIXObjectName = "x-sigma"
+ sort_condition_lists = True
 def cleanKey(self, key):
 if key is None:
@@ -113,7 +113,8 @@ class STIXBackend(SingleTextQueryBackend):
 def generateMapItemNode(self, node, currently_within_NOT_node=False):
 key, value = node
 if ":" not in key:
- key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower())
+ # key wasn't mapped
+ return None
 if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int):
 if type(value) == str and "*" in value:
 value = value.replace("*", "%")
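Review bot: The `ImagePath` entry earlier in this hunk (on the previous physical line) maps to `binary_ref.parent_directory_ref.pat.name`, which carries no STIX object prefix and reads as a typo for the form used by `ProcessPath` and `event_data.ImagePath` in the same file, `process:binary_ref.parent_directory_ref.path`. With the stix.py change in this commit, generateMapItemNode now returns None for any mapped key that contains no `:`, so a Sigma selection on `ImagePath` would lose that constraint from the generated pattern instead of producing the old `x-sigma:` fallback, and the resulting pattern matches more than the rule intends. Suggest `ImagePath:` / `- process:binary_ref.parent_directory_ref.path`.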
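Review bot: Returning None for an unmapped key in generateMapItemNode drops that condition from the generated pattern with no diagnostic, which silently broadens the detection: the other terms of the selection still match, but the unmapped constraint is gone, whereas the previous `x-sigma:` fallback at least kept it visible in the output. Presumably the base class filters None out of AND/OR nodes (not shown here), so the only symptom would be rules firing more often than intended. Prefer failing loudly, e.g. `raise NotSupportedError("No STIX mapping for field '%s'" % key)` (from `sigma.backends.exceptions`, if this module does not already import it), or at minimum emit a warning naming the field; note that a config value lacking a colon, such as the `ImagePath` entry in the new stix2.0.yml, takes this same path. generateMapItemNode continues past the end of the hunk.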