Update OCSF network traffic mappings (#1332)

opencybersecurityalliance · Feb 24, 2023 · bd7506b · bd7506b
1 parent 155c93d
commit bd7506b
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 20 deletions.
diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/ocsf_from_stix_map.json
@@ -142,11 +142,12 @@
       "extensions.'x-network-ext'.protocol_ver": [
         "connection_info.protocol_ver"
       ],
-      "extensions.'x-network-ext'.tcp_flags": [
+      "extensions.'tcp-ext'.src_flags_hex": [
         "connection_info.tcp_flags"
       ],
       "protocols[*]": [
-        "connection_info.protocol_num"
+        "connection_info.protocol_num",
+        "connection_info.protocol_ver_id"
       ],
       "src_byte_count": [
         "traffic.bytes_out"

diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/ocsf_from_stix_map.json
@@ -142,11 +142,12 @@
       "extensions.'x-network-ext'.protocol_ver": [
         "connection_info.protocol_ver"
       ],
-      "extensions.'x-network-ext'.tcp_flags": [
+      "extensions.'tcp-ext'.src_flags_hex": [
         "connection_info.tcp_flags"
       ],
       "protocols[*]": [
-        "connection_info.protocol_num"
+        "connection_info.protocol_name",
+        "connection_info.protocol_ver_id"
       ],
       "src_byte_count": [
         "traffic.bytes_out"

diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/stix_2_1/to_stix_map.json
@@ -2304,20 +2304,27 @@
     },
     "connection_info": {
       "protocol_num": {
-        "key": "network-traffic.protocol",
+        "key": "network-traffic.protocols",
         "object": "nt",
-        "transformer": "ProtocolNumToName"
+        "transformer": "ProtocolNumToName",
+        "group": true
       },
       "protocol_name": {
-        "key": "network-traffic.protocol",
+        "key": "network-traffic.extensions.x-network-ext.protocol_name",
         "object": "nt"
       },
       "tcp_flags": {
-        "key": "network-traffic.extensions.x-network-ext.tcp_flags",
+        "key": "network-traffic.extensions.tcp-ext.src_flags_hex",
         "object": "nt"
       },
       "protocol_ver": {
-        "key": "network-traffic.extensions.x-network-ext.protocol_ver",
+        "key": "network-traffic.protocols",
+        "object": "nt",
+        "group": true,
+        "transformer": "ToLowercaseArray"
+      },
+      "protocol_ver_id": {
+        "key": "network-traffic.extensions.x-network-ext.protocol_ver_id",
         "object": "nt"
       },
       "direction": {

diff --git a/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json b/stix_shifter_modules/aws_athena/stix_translation/json/to_stix_map.json
@@ -2308,20 +2308,27 @@
     },
     "connection_info": {
       "protocol_num": {
-        "key": "network-traffic.protocol",
+        "key": "network-traffic.protocols",
         "object": "nt",
-        "transformer": "ProtocolNumToName"
+        "transformer": "ProtocolNumToName",
+        "group": true
       },
       "protocol_name": {
-        "key": "network-traffic.protocol",
+        "key": "network-traffic.extensions.x-network-ext.protocol_name",
         "object": "nt"
       },
       "tcp_flags": {
-        "key": "network-traffic.extensions.x-network-ext.tcp_flags",
+        "key": "network-traffic.extensions.tcp-ext.src_flags_hex",
         "object": "nt"
       },
       "protocol_ver": {
-        "key": "network-traffic.extensions.x-network-ext.protocol_ver",
+        "key": "network-traffic.protocols",
+        "object": "nt",
+        "group": true,
+        "transformer": "ToLowercaseArray"
+      },
+      "protocol_ver_id": {
+        "key": "network-traffic.extensions.x-network-ext.protocol_ver_id",
         "object": "nt"
       },
       "direction": {

diff --git a/stix_shifter_modules/aws_athena/stix_translation/transformers.py b/stix_shifter_modules/aws_athena/stix_translation/transformers.py
@@ -24,6 +24,6 @@ def transform(protocol_decimal):
             for key, value in protocol_dict.items():
                 if str(protocol_decimal) == value:
                     protocol = key
-            return protocol
+            return [protocol]
         except ValueError:
             LOGGER.error("Cannot convert protocol number to protocol name")
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json b/stix_shifter_modules/aws_athena/tests/stix_translation/json/ocsf_results.json
@@ -23,9 +23,40 @@
             }
         },
         "ref_event_uid": "e12b3bc4-e1e3-11ab-22e1-de0b4d745bb1",
+        "connection_info": {
+            "boundary": "mentor lucia villa",
+            "direction": "Inbound",
+            "direction_id": 1,
+            "protocol_name": "tcp",
+            "protocol_num": 6,
+            "protocol_ver": "ipv4",
+            "protocol_ver_id": 4,
+            "tcp_flags": 85
+        },
+        "dst_endpoint": {
+            "hostname": "mirror.aero",
+            "instance_uid": "8fbaf31c-ad59-11ed-b661-0242ac110002",
+            "interface_name": "ll hourly lotus",
+            "interface_uid": "8fbaf81c-ad59-11ed-91ac-0242ac110002",
+            "ip": "63.71.92.147",
+            "port": 19984,
+            "svc_name": "norway lyrics survey",
+            "uid": "8fbafce0-ad59-11ed-bb7e-0242ac110002"
+        },
         "src_endpoint": {
-            "ip": "1.1.2.2",
-            "uid": null
+            "hostname": "investor.gov",
+            "instance_uid": "8fbb31b0-ad59-11ed-a55e-0242ac110002",
+            "interface_name": "cow ebay curtis",
+            "interface_uid": "8fbb35ca-ad59-11ed-936c-0242ac110002",
+            "ip": "116.8.200.100",
+            "port": 36136,
+            "uid": "8fbb398a-ad59-11ed-8ba9-0242ac110002"
+        },
+        "traffic": {
+            "bytes_in": 790742923,
+            "packets": 3901887417,
+            "packets_in": 4208942596,
+            "packets_out": 535302077
         },
         "resources": [
             {

diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_json_to_stix.py
@@ -463,7 +463,6 @@ def test_ocsf_translation_prop(self):
 
         result_bundle = json_to_stix_translator.convert_to_stix(
             data_source, map_data, [data], get_module_transformers(MODULE), options)
-
         assert result_bundle['type'] == 'bundle'
         result_bundle_objects = result_bundle['objects']
 
@@ -483,15 +482,27 @@ def test_ocsf_translation_prop(self):
 
         assert 'objects' in observed_data
         objects = observed_data['objects']
+
         user_account = TestAwsResultsToStix.get_first_of_type(objects.values(), 'user-account')
         assert user_account is not None, 'user-account object type not found'
         assert user_account.keys() == {'type', 'extensions', 'display_name', 'user_id'}
         assert user_account['type'] == 'user-account'
         assert user_account['user_id'] == '011222333553'
         assert user_account['display_name'] == 'backup'
 
+        network_traffic = TestAwsResultsToStix.get_first_of_type(objects.values(), 'network-traffic')
+        assert network_traffic is not None, 'network-traffic object type not found'
+        assert network_traffic.keys() == {'type', 'extensions', 'protocols', 'dst_ref', 'dst_port', 'src_ref', 'src_port', 'dst_byte_count', 'dst_packets', 'src_packets'}
+        assert network_traffic['protocols'] == ['tcp', 'ipv4']
+        assert network_traffic['src_port'] == 36136
+        assert network_traffic['dst_port'] == 19984
+        assert network_traffic['src_packets'] == 535302077
+        assert network_traffic['dst_packets'] == 4208942596
+        tcp_ext = network_traffic.get('extensions')['tcp-ext']
+        assert tcp_ext['src_flags_hex'] == 85
+
         x_ibm_finding = TestAwsResultsToStix.get_first_of_type(objects.values(), 'x-ibm-finding')
         assert x_ibm_finding is not None, 'x-ibm-finding object type not found'
-        assert x_ibm_finding.keys() == {'type', 'time_observed','src_ip_ref', 'severity'}
+        assert x_ibm_finding.keys() == {'type', 'time_observed', 'dst_ip_ref', 'src_ip_ref', 'severity'}
         assert x_ibm_finding['time_observed'] == '2020-10-07T08:08:37.000Z'
         assert x_ibm_finding['severity'] == 0
diff --git a/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py b/stix_shifter_modules/aws_athena/tests/stix_translation/test_aws_athena_stix_to_query.py
@@ -73,7 +73,8 @@ def test_network_protocol(self):
             "vpcflow": "(CAST(protocol AS varchar) IN ('6', '9') AND start BETWEEN 1601541790 AND 1604054590)"
         },
         {
-            "ocsf": "(CAST(connection_info.protocol_num AS varchar) IN ('6', '9') AND time BETWEEN 1601541790000 AND 1604054590000)"
+            "ocsf": "((CAST(connection_info.protocol_num AS varchar) IN ('6', '9') OR "
+                    "CAST(connection_info.protocol_ver_id AS varchar) IN ('6', '9')) AND time BETWEEN 1601541790000 AND 1604054590000)"
         }
         ]
         print(json.dumps(query, indent=4))