
Reaqta various mapping fixes #1683

Merged: 13 commits, May 7, 2024

Conversation

DerekRushton (Collaborator)

No description provided.

@DerekRushton (Collaborator, Author)

Explaining the changes:

  1. MITRE tactics came as [1,2,3,4], where each number represented a tactic. The primary issue is that we require that the tactic_name must be a string and that it's required.

There were two possible solutions: we either map on the technique and change tactic_name to represent all the tactics, or we create multiple MITRE objects, one for each tactic. I've opted for the latter to adhere to the extension's requirements.

Hence I've transformed the array into a list of dict objects, where each object has the technique, the tactic_name (using the map from the Reaqta UI) and the tactic_number as an extension. Then the TTP references are grouped up for each tactic.

@DerekRushton (Collaborator, Author)

Explaining the changes:

  1. I've largely removed many references to x-ibm-finding. In my investigation I found that the x-ibm-findings were not really representing the associated alert, about which the data does not give any information. The only information associated with an alert came with a policy ID.

Thus, I've added x-ibm-finding results for the policy_id (using it as the name of the alert) and either remapped the other references to x-reaqta or event objects, or removed them completely if they didn't fit. To my knowledge, there is no loss of information, as all of it should be available in other objects.

@DerekRushton (Collaborator, Author)

Explaining the changes:

  1. There existed an asset object that didn't quite make sense. It was always matching on the hostname_id, which didn't really mean it was an asset. It was mapping some IPs to it, but there was no guarantee that IPs would be included. It was possible for there to be a host_id with no other fields.

I've changed this to no longer have that asset and instead map those fields to a Reaqta extension object. There were other asset objects that made more sense.

dict_list = []
for tactic in tactic_list:
    if (f"{tactic}" in TACTIC_NAME_MAPPING):
Member:

TACTIC_NAME_MAPPING.get(tactic) more readable?

maybe you wanna change the dictionary name to simple lowercase

Collaborator Author:

Is there a better way to indicate that a field should not be modified? That field (TACTIC_NAME_MAPPING) should not change during run-time.

Member:

You can save it in stix_shifter_modules/reaqta/stix_translation/json and read it from there, but that would be overkill. This is already hard-coded in the code, so no one will be able to change it anyway. You can probably add a debug log and add something in the comment.

Collaborator Author:

I'll just modify it to use the lower case. There is already a comment describing its purpose.

Member:

tactic_name_mapping.get(tactic) ?

Collaborator Author:

Yes, that's what I've left it as.

if (f"{tactic}" in TACTIC_NAME_MAPPING):
    dict_list.append({"tactic_number": tactic, "tactic_name": TACTIC_NAME_MAPPING.get(f"{tactic}"), "technique":technique})
if (f"{tactic}" in tactic_name_mapping):
    dict_list.append({"tactic_number": tactic, "tactic_name": tactic_name_mapping.get(f"{tactic}"), "technique":technique})
Member:

is there a reason you need to f'string the tactic value?

Collaborator Author:

The mapping was in strings, but the values were ints. I've changed the mapping to match what the API responds with (int), so I won't need the f-string.
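The transformation the author describes in the first comment (one MITRE object per integer tactic, with tactic_name as a required string and tactic_number carried as an extension, then TTP references grouped per tactic), combined with the outcome of the review thread above (an int-keyed, lowercase tactic_name_mapping looked up with .get, no f-string), written out as an added example. This is not stix-shifter's code or the connector's actual mapping: the number-to-name table, the input event shape and the sample events are all constructed for illustration; the real Reaqta UI numbering is not reproduced here.

```python
"""Expand Reaqta-style integer tactic lists into one MITRE entry per tactic.

Added example, not code from the stix-shifter project. The tactic numbering
below is a hypothetical stand-in for the Reaqta UI mapping.
"""
from typing import Any

# Hypothetical number -> tactic-name table. Keys are ints because that is the
# type the API returns, so a lookup with the raw value works without str().
tactic_name_mapping: dict[int, str] = {
    1: "Initial Access",
    2: "Execution",
    3: "Persistence",
    4: "Privilege Escalation",
}


def expand_tactics(technique: str, tactic_list: list[int]) -> list[dict[str, Any]]:
    """Return one dict per tactic number that the mapping knows about.

    Numbers missing from the mapping are dropped rather than emitted with an
    empty name, so every emitted tactic_name is a non-empty string (the
    extension requires the field to be present and a string).
    """
    dict_list: list[dict[str, Any]] = []
    for tactic in tactic_list:
        tactic_name = tactic_name_mapping.get(tactic)  # int key, no f-string needed
        if tactic_name is None:
            continue
        dict_list.append(
            {
                "tactic_number": tactic,   # kept as an extension field
                "tactic_name": tactic_name,
                "technique": technique,
            }
        )
    return dict_list


def group_ttp_references(events: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Group technique references under each tactic name across several events."""
    grouped: dict[str, list[str]] = {}
    for event in events:
        for entry in expand_tactics(event["technique"], event["tactics"]):
            grouped.setdefault(entry["tactic_name"], []).append(entry["technique"])
    return grouped


def all_names_are_strings(entries: list[dict[str, Any]]) -> bool:
    """Check the extension requirement: tactic_name present and a non-empty str."""
    return all(isinstance(e.get("tactic_name"), str) and e["tactic_name"] for e in entries)


# Constructed sample input in the shape assumed above (technique plus a list of
# integer tactic numbers). Tactic 9 is deliberately absent from the mapping.
SAMPLE_EVENTS = [
    {"technique": "T1059", "tactics": [2, 4]},
    {"technique": "T1547", "tactics": [3, 4, 9]},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(expand_tactics(event["technique"], event["tactics"]))
    print(group_ttp_references(SAMPLE_EVENTS))
```

The allowlist behaviour of the mapping is the point to keep: a tactic number the table does not know about is dropped instead of producing an object with a missing or empty tactic_name, which is exactly the validation failure the PR set out to fix.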

@mdazam1942 mdazam1942 linked an issue May 7, 2024 that may be closed by this pull request
@mdazam1942 mdazam1942 merged commit 853f2f7 into develop May 7, 2024
7 checks passed
@mdazam1942 mdazam1942 deleted the Reaqta_various_mapping_fixes branch May 7, 2024 13:46

Successfully merging this pull request may close these issues.

Reaqta connector contains invalid stix-property name in the mapping
2 participants