MS Windows Defender ATP (#186)

MANIFEST.in

@@ -14,4 +14,5 @@ include stix_shifter/stix_translation/src/modules/qradar/json/*.json
 include stix_shifter/stix_translation/src/modules/splunk/json/*.json
 include stix_shifter/stix_translation/src/modules/carbonblack/json/*.json
 include stix_shifter/stix_translation/src/modules/elastic_ecs/json/*.json
-include stix_shifter/stix_translation/src/modules/cim/json/*.json
+include stix_shifter/stix_translation/src/modules/cim/json/*.json
+include stix_shifter/stix_translation/src/modules/msatp/json/*.json

requirements.txt

@@ -7,4 +7,5 @@ xmltodict>=0.11.0
 requests_toolbelt==0.9.1
 pandas>=0.25.0
 ibmcloudsql>=0.3.6
-# git+git://github.com/oasis-open/[email protected]#egg=stix2-matcher #uncomment when running locally
+adal>=1.2.2
+#git+git://github.com/oasis-open/[email protected]#egg=stix2-matcher #uncomment when running locally

setup.py

@@ -134,8 +134,9 @@
     #
     # For an analysis of "install_requires" vs pip's requirements files see:
     # https://packaging.python.org/en/latest/requirements.html
-    install_requires=['stix2-patterns>=1.1.0', 'stix2-validator>=0.5.0','antlr4-python3-runtime==4.7',
-                      'python-dateutil>=2.7.3', 'xmltodict>=0.11.0', 'requests_toolbelt==0.9.1'
+    install_requires=['stix2-patterns>=1.1.0', 'stix2-validator>=0.5.0',
+                      'antlr4-python3-runtime==4.7', 'python-dateutil>=2.7.3', 'xmltodict>=0.11.0',
+                      'requests_toolbelt==0.9.1', 'adal>=1.2.2'
                     #   ,'stix2-matcher@https://github.com/oasis-open/cti-pattern-matcher/archive/v0.1.0.zip#egg=stix2-matcher' # uncomment when running setup.py locally
                     ],  # Optional
 

stix_shifter/stix_translation/src/modules/msatp/__init__.py

@@ -0,0 +1 @@
+

stix_shifter/stix_translation/src/modules/msatp/data_mapping.py

@@ -0,0 +1,10 @@
+from os import path
+from stix_shifter.stix_translation.src.modules.base.base_data_mapper import BaseDataMapper
+
+
+class DataMapper(BaseDataMapper):
+
+    def __init__(self, options):
+        mapping_json = options['mapping'] if 'mapping' in options else {}
+        basepath = path.dirname(__file__)
+        self.map_data = mapping_json or self.fetch_mapping(basepath)

stix_shifter/stix_translation/src/modules/msatp/json/from_stix_map.json

@@ -0,0 +1,195 @@
+{
+  "ipv4-addr": {
+    "fields": {
+      "value": ["NetworkCommunicationEvents.LocalIP", "NetworkCommunicationEvents.RemoteIP"]
+    }
+  },
+  "ipv6-addr": {
+    "fields": {
+      "value": ["NetworkCommunicationEvents.LocalIP", "NetworkCommunicationEvents.RemoteIP"]
+    }
+  },
+  "network-traffic": {
+    "fields": {
+      "src_port": ["NetworkCommunicationEvents.LocalPort"],
+      "dst_port": ["NetworkCommunicationEvents.RemotePort"],
+      "protocols[*]": ["NetworkCommunicationEvents.Protocol"],
+      "src_ref.value": ["NetworkCommunicationEvents.LocalIP","MachineNetworkInfo.MacAddress"],
+      "dst_ref.value": ["NetworkCommunicationEvents.RemoteIP"]
+    }
+  },
+  "url": {
+    "fields": {
+      "value": ["NetworkCommunicationEvents.RemoteUrl"]
+    }
+  },
+  "file": {
+    "fields": {
+      "name": [
+        "FileCreationEvents.FileName",
+        "FileCreationEvents.InitiatingProcessFileName",
+        "FileCreationEvents.InitiatingProcessParentFileName",
+        "ProcessCreationEvents.FileName",
+        "ProcessCreationEvents.InitiatingProcessFileName",
+        "ProcessCreationEvents.InitiatingProcessParentFileName",
+        "NetworkCommunicationEvents.InitiatingProcessFileName",
+        "NetworkCommunicationEvents.InitiatingProcessParentFileName",
+        "RegistryEvents.InitiatingProcessFileName",
+        "RegistryEvents.InitiatingProcessParentFileName"
+      ],
+      "hashes.SHA-1": [
+        "FileCreationEvents.SHA1",
+        "FileCreationEvents.InitiatingProcessSHA1",
+        "ProcessCreationEvents.SHA1",
+        "ProcessCreationEvents.InitiatingProcessSHA1",
+        "NetworkCommunicationEvents.InitiatingProcessSHA1",
+        "RegistryEvents.InitiatingProcessSHA1"
+      ],
+      "hashes.SHA-256": [
+        "FileCreationEvents.SHA256",
+        "ProcessCreationEvents.SHA256",
+        "ProcessCreationEvents.InitiatingProcessSHA256"
+      ],
+      "hashes.MD5": [
+        "FileCreationEvents.MD5",
+        "FileCreationEvents.InitiatingProcessMD5",
+        "ProcessCreationEvents.MD5",
+        "ProcessCreationEvents.InitiatingProcessMD5",
+        "NetworkCommunicationEvents.InitiatingProcessMD5",
+        "RegistryEvents.InitiatingProcessMD5"
+      ],
+      "parent_directory_ref.path": [
+        "FileCreationEvents.FolderPath",
+        "FileCreationEvents.InitiatingProcessFolderPath",
+        "ProcessCreationEvents.FolderPath",
+        "ProcessCreationEvents.InitiatingProcessFolderPath",
+        "NetworkCommunicationEvents.InitiatingProcessFolderPath",
+        "RegistryEvents.InitiatingProcessFolderPath"]
+    }
+  },
+  "process" : {
+    "fields": {
+      "name": [
+        "ProcessCreationEvents.FileName",
+        "NetworkCommunicationEvents.InitiatingProcessFileName",
+        "NetworkCommunicationEvents.InitiatingProcessParentFileName",
+        "RegistryEvents.InitiatingProcessFileName",
+        "RegistryEvents.InitiatingProcessParentFileName"
+      ],
+      "parent_ref.name": [
+        "ProcessCreationEvents.InitiatingProcessFileName",
+        "NetworkCommunicationEvents.InitiatingProcessParentFileName",
+        "RegistryEvents.InitiatingProcessParentFileName"
+      ],
+      "parent_ref.parent_ref.name": ["ProcessCreationEvents.InitiatingProcessParentFileName"],
+      "command_line": [
+        "ProcessCreationEvents.ProcessCommandLine",
+        "NetworkCommunicationEvents.InitiatingProcessCommandLine",
+        "RegistryEvents.InitiatingProcessCommandLine"
+      ],
+      "parent_ref.command_line": ["ProcessCreationEvents.InitiatingProcessCommandLine"],
+      "pid": [
+        "ProcessCreationEvents.ProcessId",
+        "NetworkCommunicationEvents.InitiatingProcessId",
+        "NetworkCommunicationEvents.InitiatingProcessParentId",
+        "RegistryEvents.InitiatingProcessId",
+        "RegistryEvents.InitiatingProcessParentId"
+      ],
+      "parent_ref.pid": [
+        "ProcessCreationEvents.InitiatingProcessId",
+        "NetworkCommunicationEvents.InitiatingProcessParentId",
+        "RegistryEvents.InitiatingProcessParentId"
+      ],
+      "parent_ref.parent_ref.pid": ["ProcessCreationEvents.InitiatingProcessParentId"],
+      "creator_user_ref.user_id": ["ProcessCreationEvents.AccountSid"],
+      "creator_user_ref.account_login": ["ProcessCreationEvents.AccountName"],
+      "parent_ref.creator_user_ref.user_id": ["ProcessCreationEvents.InitiatingProcessAccountSid"],
+      "parent_ref.creator_user_ref.account_login": ["ProcessCreationEvents.InitiatingProcessAccountName"],
+      "binary_ref.hashes.SHA-1": [
+        "ProcessCreationEvents.SHA1",
+        "NetworkCommunicationEvents.InitiatingProcessSHA1",
+        "RegistryEvents.InitiatingProcessSHA1"
+      ],
+      "binary_ref.hashes.SHA-256": ["ProcessCreationEvents.SHA256"],
+      "binary_ref.hashes.MD5": [
+        "ProcessCreationEvents.MD5",
+        "NetworkCommunicationEvents.InitiatingProcessMD5",
+        "RegistryEvents.InitiatingProcessMD5"
+      ],
+      "parent_ref.binary_ref.hashes.SHA-1": ["ProcessCreationEvents.InitiatingProcessSHA1"],
+      "parent_ref.binary_ref.hashes.SHA-256": ["ProcessCreationEvents.InitiatingProcessSHA256"],
+      "parent_ref.binary_ref.hashes.MD5": ["ProcessCreationEvents.InitiatingProcessMD5"],
+      "created": [
+        "ProcessCreationEvents.ProcessCreationTime",
+        "NetworkCommunicationEvents.InitiatingProcessCreationTime",
+        "NetworkCommunicationEvents.InitiatingProcessParentCreationTime",
+        "RegistryEvents.InitiatingProcessCreationTime",
+        "RegistryEvents.InitiatingProcessParentCreationTime"
+      ],
+      "parent_ref.created": [
+        "ProcessCreationEvents.InitiatingProcessCreationTime",
+        "NetworkCommunicationEvents.InitiatingProcessParentCreationTime",
+        "RegistryEvents.InitiatingProcessParentCreationTime"
+      ],
+      "parent_ref.parent_ref.created": ["ProcessCreationEvents.InitiatingProcessParentCreationTime"],
+      "binary_ref.parent_directory_ref.path": [
+        "ProcessCreationEvents.FolderPath",
+        "NetworkCommunicationEvents.InitiatingProcessFolderPath",
+        "RegistryEvents.InitiatingProcessFolderPath"],
+      "parent_ref.binary_ref.parent_directory_ref.path": ["ProcessCreationEvents.InitiatingProcessFolderPath"]
+    }
+  },
+  "user-account": {
+    "fields": {
+      "user_id": [
+        "ProcessCreationEvents.AccountSid",
+        "NetworkCommunicationEvents.InitiatingProcessAccountSid",
+        "RegistryEvents.InitiatingProcessAccountSid"
+      ],
+      "account_login": [
+        "ProcessCreationEvents.AccountName",
+        "NetworkCommunicationEvents.InitiatingProcessAccountName",
+        "RegistryEvents.InitiatingProcessAccountName"
+      ]
+    }
+  },
+  "windows-registry-key": {
+      "fields": {
+          "key": ["RegistryEvents.RegistryKey"],
+          "values[*]": ["RegistryEvents.RegistryValueName"]
+      }
+  },
+  "mac-addr": {
+    "fields": {
+      "value": ["MachineNetworkInfo.MacAddress"]
+    }
+  },
+  "x-com-msatp": {
+    "fields": {
+      "computer_name": [
+        "FileCreationEvents.ComputerName",
+        "ProcessCreationEvents.ComputerName",
+        "NetworkCommunicationEvents.ComputerName",
+        "RegistryEvents.ComputerName"
+      ],
+      "machine_id": [
+        "FileCreationEvents.MachineId",
+        "ProcessCreationEvents.MachineId",
+        "NetworkCommunicationEvents.MachineId",
+        "RegistryEvents.MachineId"
+      ]
+    }
+  },
+  "directory": {
+    "fields": {
+      "path": [
+        "FileCreationEvents.FolderPath",
+        "FileCreationEvents.InitiatingProcessFolderPath",
+        "ProcessCreationEvents.FolderPath",
+        "ProcessCreationEvents.InitiatingProcessFolderPath",
+        "NetworkCommunicationEvents.InitiatingProcessFolderPath",
+        "RegistryEvents.InitiatingProcessFolderPath"
+      ]
+    }
+  }
+}