New qradar mappings (#192)

opencybersecurityalliance · Oct 28, 2019 · 411d03b · 411d03b
1 parent c5f1b93
commit 411d03b
Show file tree

Hide file tree

Showing 7 changed files with 358 additions and 331 deletions.
diff --git a/stix_shifter/stix_translation/src/modules/qradar/json/aql_event_fields.json b/stix_shifter/stix_translation/src/modules/qradar/json/aql_event_fields.json
@@ -21,7 +21,7 @@
     "username as username",
     "eventdirection as direction",
     "identityip as identityip",
-    "identityhostname as identity_host_name",
+    "identityhostname as identityhostname",
     "eventcount as eventcount",
     "PROTOCOLNAME(protocolid) as protocol",
     "BASE64(payload) as base64_payload",
@@ -30,6 +30,7 @@
     "magnitude as magnitude",
     "Filename as filename",
     "URL as domainname",
-    "\"File Hash\" as filehash"
+    "\"File Hash\" as filehash",
+    "\"File Path\" as filepath"
   ]
 }
diff --git a/stix_shifter/stix_translation/src/modules/qradar/json/from_stix_map.json b/stix_shifter/stix_translation/src/modules/qradar/json/from_stix_map.json
@@ -24,7 +24,13 @@
       "name": ["filename"],
       "hashes.SHA-256": ["filehash"],
       "hashes.MD5": ["filehash"],
-      "hashes.SHA-1": ["filehash"]
+      "hashes.SHA-1": ["filehash"],
+      "parent_directory_ref": ["filepath"]
+    }
+  },
+  "directory": {
+    "fields": {
+      "path": ["filepath"]
     }
   },
   "network-traffic": {
@@ -57,5 +63,21 @@
     "fields": {
       "value": ["utf8_payload"]
     }
+  },
+  "x-com-ibm-ariel": {
+    "fields": {
+      "qid": ["qid"],
+      "qid_name": ["qidname"],
+      "magnitude": ["magnitude"],
+      "log_source_id": ["logsourceid"],
+      "log_source_name": ["logsourcename"],
+      "log_source_type_name": ["logsourcetypename"],
+      "category_id": ["categoryid"],
+      "category_name": ["categoryname"],
+      "high_level_category_name": ["high_level_category_name"],
+      "high_level_category_id": ["high_level_category_id"],
+      "direction": ["direction"],
+      "identity_host_name": ["identityhostname"]
+    }
   }
 }
diff --git a/stix_shifter/stix_translation/src/modules/qradar/json/to_stix_map.json b/stix_shifter/stix_translation/src/modules/qradar/json/to_stix_map.json
@@ -10,14 +10,22 @@
     "key": "x_com_ibm_ariel.category_name",
     "cybox": false
   },
-  "logsourceid": {
-    "key": "x_com_ibm_ariel.log_source_id",
+  "high_level_category_name": {
+    "key": "x_com_ibm_ariel.high_level_category_name",
+    "cybox": false
+  },
+  "high_level_category_id": {
+    "key": "x_com_ibm_ariel.high_level_category_id",
     "cybox": false
   },
   "identityip": {
     "key": "x_com_ibm_ariel.identity_ip",
     "cybox": false
   },
+  "identityhostname": {
+    "key": "x_com_ibm_ariel.identity_host_name",
+    "cybox": false
+  },
   "qidname": {
     "key": "x_com_ibm_ariel.qid_name",
     "cybox": false
@@ -42,25 +50,36 @@
     "cybox": false,
     "transformer": "ToInteger"
   },
-  "starttime": [
-    {
-      "key": "first_observed",
-      "transformer": "EpochToTimestamp",
-      "cybox": false
-    },
-    {
-      "key": "last_observed",
-      "transformer": "EpochToTimestamp",
-      "cybox": false
-    }
-  ],
+  "starttime": {
+    "key": "first_observed",
+    "transformer": "EpochToTimestamp",
+    "cybox": false
+  },
+  "endtime": {
+    "key": "last_observed",
+    "transformer": "EpochToTimestamp",
+    "cybox": false
+  },
+  "logsourceid": {
+    "key": "x_com_ibm_ariel.log_source_id",
+    "cybox": false
+  },
   "logsourcename": {
     "key": "x_com_ibm_ariel.log_source_name",
     "cybox": false
   },
+  "logsourcetypename": {
+    "key": "x_com_ibm_ariel.log_source_type_name",
+    "cybox": false
+  },
+  "direction": {
+    "key": "x_com_ibm_ariel.direction",
+    "cybox": false
+  },
   "magnitude": {
     "key": "x_com_ibm_ariel.magnitude",
-    "cybox": false
+    "cybox": false,
+    "transformer": "ToInteger"
   },
   "sourceip": [
     {
@@ -136,13 +155,24 @@
     "key": "file.hashes.UNKNOWN",
     "object": "fl"
   },
+  "filesize": {
+    "key": "file.size",
+    "object": "fl"
+  },
+  "filepath": [
+    {
+      "key": "directory.path",
+      "object": "dir"
+    },
+    {
+      "key": "file.parent_directory_ref",
+      "object": "fl",
+      "references": "dir"
+    }
+  ],
   "base64_payload": {
     "key": "artifact.payload_bin"
   },
-  "utf8_payload": {
-    "key": "x_com_ibm_ariel.utf8_payload",
-    "cybox": false
-  },
   "destinationport": {
     "key": "network-traffic.dst_port",
     "object": "nt",
@@ -162,4 +192,4 @@
     "key": "domain-name.value",
     "transformer": "ToDomainName"
   }
-}
+}