Added Palo Alto Cortext XDR UDI Connector (#858)
1 parent
b0254a2
commit 1b70270
Showing
29 changed files
with
7,055 additions
and
0 deletions.
@@ -0,0 +1,35 @@ | ||
{ | ||
"connection": { | ||
"type": { | ||
"displayName": "Palo Alto Cortex XDR" | ||
}, | ||
"host": { | ||
"type": "text" | ||
}, | ||
"quota_threshold": { | ||
"default": 5, | ||
"min": 1, | ||
"max": 15, | ||
"type": "number", | ||
"optional" : true | ||
}, | ||
"help": { | ||
"type": "link", | ||
"default": "data-sources.html" | ||
} | ||
}, | ||
"configuration": { | ||
"auth": { | ||
"type" : "fields", | ||
"tenant": { | ||
"type": "password" | ||
}, | ||
"api_key": { | ||
"type": "password" | ||
}, | ||
"api_key_id": { | ||
"type": "password" | ||
} | ||
} | ||
} | ||
} |
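Review bot: `host` is declared only as `"type": "text"` with no format constraint, so whatever the operator enters is passed through unchecked; if the transmission layer (not in this hunk) composes the Cortex XDR API URL from it, a hostname-or-IP check there that rejects schemes and path components would be worth adding. `tenant` is typed `"password"` although the companion language file describes it as a tenant ID; masking it is harmless, but the type should reflect its actual sensitivity, so either record why it is treated as a secret or make it `"text"`. Minor: `"optional" : true` and `"type" : "fields"` put a space before the colon while every other key in the file does not.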
@@ -0,0 +1,32 @@ | ||
{ | ||
"connection": { | ||
"host": { | ||
"label": "Management IP address or Hostname", | ||
"description": "Specify the IP address or hostname of the data source so that IBM Cloud Pak for Security can communicate with it" | ||
}, | ||
"quota_threshold": { | ||
"label": "The quota limit for the API", | ||
"description": "Prevents the connector from exceeding the entire daily units allocated for the License. The Daily units for Standard license alone is 5 and it will be 15 if additional 10 units are purchased." | ||
}, | ||
"help": { | ||
"label": "Need additional help?", | ||
"description": "More details on the data source setting can be found in the specified link" | ||
} | ||
}, | ||
"configuration": { | ||
"auth": { | ||
"tenant": { | ||
"label": "Tenant", | ||
"description": "Tenant Id of Palo Alto Cortex XDR Application" | ||
}, | ||
"api_key": { | ||
"label": "API Key", | ||
"description": "The API Key is a unique identifier required for authenticating API calls." | ||
}, | ||
"api_key_id": { | ||
"label": "API Key Id", | ||
"description": "The API Key ID is a unique token used to authenticate the API Key" | ||
} | ||
} | ||
} | ||
} |
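Review bot: The `api_key` and `api_key_id` descriptions appear to be swapped: `api_key` is described as `a unique identifier required for authenticating API calls` and `api_key_id` as `a unique token used to authenticate the API Key`, whereas the key is the credential and the key ID is the identifier that selects it. Suggested wording: `"description": "The API Key is the secret credential used to authenticate API calls."` for `api_key` and `"description": "The API Key ID identifies which API Key is being presented."` for `api_key_id`. The `quota_threshold` description also reads awkwardly; `The daily units for a Standard license are 5, rising to 15 if an additional 10 units are purchased.` says the same thing more clearly.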
@@ -0,0 +1,14 @@ | ||
from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint | ||
|
||
|
||
class EntryPoint(BaseEntryPoint): | ||
|
||
# python main.py translate paloalto query '{}' "[ipv4-addr:value = '127.0.0.1']" | ||
|
||
def __init__(self, connection={}, configuration={}, options={}): | ||
super().__init__(connection, configuration, options) | ||
self.set_async(True) | ||
if connection: | ||
self.setup_transmission_simple(connection, configuration) | ||
|
||
self.setup_translation_simple(dialect_default='xdr_data') |
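Review bot: `__init__` uses mutable default arguments (`connection={}, configuration={}, options={}`), so the same dict objects are shared by every EntryPoint constructed without arguments, and any base-class code that mutates them leaks state between instances. Prefer `def __init__(self, connection=None, configuration=None, options=None):` followed by `super().__init__(connection or {}, configuration or {}, options or {})`; the existing `if connection:` guard keeps its meaning. The class comment only shows a sample CLI invocation; a one-line note on why `self.set_async(True)` is required (presumably the Cortex XDR query API is asynchronous) would help the next reader.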
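--- a/stix_shifter_modules/paloalto/stix_translation/json/config_map.json
+++ b/stix_shifter_modules/paloalto/stix_translation/json/config_map.json
@@ -0,0 +1,103 @@
+{
+"int_supported_fields": [
+"action_local_port",
+"action_remote_port",
+"action_pkts_sent",
+"action_pkts_received",
+"action_file_size",
+"action_module_process_os_pid",
+"action_process_os_pid",
+"actor_process_os_pid",
+"causality_actor_process_os_pid",
+"os_actor_process_os_pid",
+"action_process_requested_parent_pid",
+"action_thread_parent_pid",
+"action_thread_child_pid"
+],
+"timestamp_supported_fields": [
+"action_file_access_time",
+"actor_process_file_access_time",
+"os_actor_process_file_access_time",
+"action_file_mod_time",
+"actor_process_file_mod_time",
+"os_actor_process_file_mod_time",
+"action_file_create_time",
+"action_process_file_create_time",
+"actor_process_file_create_time",
+"causality_actor_process_file_create_time",
+"os_actor_process_file_create_time",
+"action_process_instance_execution_time",
+"actor_process_execution_time",
+"action_network_creation_time",
+"event_timestamp"
+],
+"mac_supported_fields": [
+"mac",
+"associated_mac",
+"dst_associated_mac",
+"dst_mac"
+],
+"enum_supported_fields": [
+"action_network_protocol",
+"event_type",
+"event_sub_type"
+],
+"enum_supported_values": {
+"action_network_protocol": ["TCP", "UDP"],
+"event_type": [
+"AGENT_STATUS","CLOUD_AUDIT_LOGS","DEVICE","EVENT_LOG","FILE","GAP","HOST_FIREWALL",
+"HOST_METADATA","HOST_STATUS","INJECTION","LOAD_IMAGE","LOGIN_EVENT","MOUNT","NAMESPACE",
+"NETWORK","PROCESS","PROCESS_HANDLE","REGISTRY","RPC_CALL","STORY","SYSTEM_CALL",
+"THREAD","USER_STATUS_CHANGE","VPN_EVENT"],
+"event_sub_type": [
+"AGENT_STATUS_AGENT_BOOT" ,"AGENT_STATUS_AGENT_INSTALLED",
+"AGENT_STATUS_AGENT_LOW_LEVEL_CONFIG_UPDATE" ,"AGENT_STATUS_AGENT_POLICY_FILTER_UPDATE" ,
+"AGENT_STATUS_AGENT_REPLAY_ENDED" ,"AGENT_STATUS_AGENT_SHUTDOWN" ,
+"AGENT_STATUS_AGENT_UNINSTALLED" ,"DEVICE_PLUG" ,"DEVICE_UNPLUG" ,
+"EVENT_LOG_AGENT_EVENT_LOG" ,"EVENT_LOG_DOMAIN_CONTROLLER" ,"FILE_CHANGE_MODE" ,
+"FILE_CHANGE_OWNER" ,"FILE_CREATE_NEW" ,"FILE_DELETE_EXT_ATTRIBUTE" ,
+"FILE_DIR_CHANGE_MODE" ,"FILE_DIR_CHANGE_OWNER" ,"FILE_DIR_CREATE" ,"FILE_DIR_LINK" ,
+"FILE_DIR_OPEN" ,"FILE_DIR_QUERY" ,"FILE_DIR_REMOVE" ,"FILE_DIR_RENAME" ,
+"FILE_DIR_SET_ATTR" ,"FILE_DIR_WRITE" ,"FILE_LINK" ,"FILE_OPEN" ,"FILE_REMOVE" ,
+"FILE_RENAME" ,"FILE_REPARSE" ,"FILE_SET_ATTRIBUTE" ,"FILE_SET_SECURITY_DESCRIPTOR" ,
+"FILE_WRITE" ,"GAP_GAP_ENDED" ,"GAP_GAP_STARTED", "HOST_FIREWALL_HOST_FW_ALLOW" ,
+"HOST_FIREWALL_HOST_FW_BLOCK" ,"HOST_METADATA_CHANGE" ,"HOST_STATUS_BOOT" ,
+"HOST_STATUS_RESUME" ,"HOST_STATUS_SHUTDOWN" ,"HOST_STATUS_SUSPEND" ,
+"INJECTION_CREATE_REMOTE_THREAD" ,"INJECTION_PROCESS_HOLLOW" ,"INJECTION_QUEUE_APC" ,
+"INJECTION_SET_THREAD_CONTEXT" ,"LOAD_IMAGE_MODULE" ,"LOAD_IMAGE_MPROTECT" ,
+"LOAD_IMAGE_PRELOAD" ,"LOAD_IMAGE_SO_LOAD" ,"MOUNT_DRIVE_MOUNT" ,
+"MOUNT_DRIVE_UNMOUNT" ,"NAMESPACE_SETNS" ,"NAMESPACE_UNSHARE" ,
+"NETWORK_DATAGRAM_STATISTICS" ,"NETWORK_DNS_QUERY" ,"NETWORK_HTTP_HEADER" ,
+"NETWORK_OUTBOUND_ICMP" ,"NETWORK_PROXY_CONNECT" ,"NETWORK_RAW_DATA" ,
+"NETWORK_RAW_PCAP_DATA" ,"NETWORK_STREAM_ACCEPT" ,"NETWORK_STREAM_CONNECT" ,
+"NETWORK_STREAM_CONNECT_FAILED" ,"NETWORK_STREAM_DISCONNECT" ,"NETWORK_STREAM_LISTEN" ,
+"NETWORK_STREAM_STATISTICS" ,"PROCESS_START" ,"PROCESS_STOP" ,"REGISTRY_CREATE_KEY" ,
+"REGISTRY_DELETE_KEY" ,"REGISTRY_DELETE_VALUE" ,"REGISTRY_LOAD" ,"REGISTRY_RENAME_KEY" ,
+"REGISTRY_RESTORE" ,"REGISTRY_SAVE" ,"REGISTRY_SET_VALUE" ,"REGISTRY_UNLOAD" ,
+"RPC_CALL_RPC_CALLED" ,"SYSTEM_CALL_CREATE_SYMBOLIC_LINK" ,"SYSTEM_CALL_GDI_BIT_BLT" ,
+"SYSTEM_CALL_GET_CLIPBOARD_DATA" ,"SYSTEM_CALL_NT_ALLOCATE_VIRTUAL_MEMORY_REMOTE" ,
+"SYSTEM_CALL_NT_CREATE_MUTANT" ,"SYSTEM_CALL_NT_DELAY_EXECUTION" ,
+"SYSTEM_CALL_NT_MAP_VIEW_OF_SECTION_REMOTE" ,"SYSTEM_CALL_NT_OPEN_FILE" ,
+"SYSTEM_CALL_NT_PROTECT_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_NT_QUEUE_APC_THREAD_EX_REMOTE" ,
+"SYSTEM_CALL_NT_READ_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_NT_SET_CONTEXT_THREAD_REMOTE" ,
+"SYSTEM_CALL_NT_TERMINATE_PROCESS_REMOTE","SYSTEM_CALL_NT_UNMAP_VIEW_OF_SECTION" ,
+"SYSTEM_CALL_NT_WRITE_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_OPEN_REMOTE_TOKEN" ,
+"SYSTEM_CALL_QUERY_PROCESS_LIST" ,"SYSTEM_CALL_QUERY_USER_TOKEN" ,
+"SYSTEM_CALL_REGISTER_RAW_INPUT_DEVICES" ,"SYSTEM_CALL_SET_INFO_VIRTUAL_MEMORY" ,
+"SYSTEM_CALL_SET_WINDOWS_HOOK_EX" ,"SYSTEM_CALL_SET_WIN_EVENT_HOOK" ,
+"SYSTEM_CALL_THREAD_IMPERSONATING" ,"USER_STATUS_CHANGE_LOGOFF" ,"USER_STATUS_CHANGE_LOGON"
+]
+},
+"timestamp_supported_dataset": {
+"xdr_data": "_time"
+},
+"mandatory_properties_to_stix": {
+"user": ["actor_primary_user_sid","action_process_user_sid"],
+"file": ["action_file_name"],
+"file_action_process" : ["action_process_image_name"],
+"file_actor_process": ["actor_process_image_name"],
+"file_causality_process": ["causality_actor_process_image_name"],
+"file_os_actor": ["os_actor_process_image_name"],
+"nt": [["action_local_ip","action_remote_ip"],"action_network_protocol"]
+}
+}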
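Review bot: `"nt": [["action_local_ip","action_remote_ip"],"action_network_protocol"]` is the only entry in `mandatory_properties_to_stix` whose value mixes a nested list with plain strings, so the consumer must special-case it while every other key is a flat list of field names; presumably the inner list means "either of these is sufficient", which is better stated explicitly, e.g. `"nt": {"any_of": ["action_local_ip","action_remote_ip"], "all_of": ["action_network_protocol"]}`, or at least recorded in the module README since JSON has nowhere for a comment. The `event_sub_type` list also alternates between `"X" ,"Y"` and `"X","Y"` spacing and packs many values per line; one value per line would make future additions reviewable in a diff.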
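--- a/stix_shifter_modules/paloalto/stix_translation/json/fields_map.json
+++ b/stix_shifter_modules/paloalto/stix_translation/json/fields_map.json
@@ -0,0 +1,45 @@
+{
+"all_fields": [
+"action_local_ip","action_remote_ip","agent_ip_addresses","agent_ip_addresses_v6","dst_agent_ip_addresses_v6",
+"action_local_port","action_remote_port","action_network_protocol","action_pkts_sent",
+"action_pkts_received","action_file_name","action_process_image_name","actor_process_image_name",
+"causality_actor_process_image_name","os_actor_process_image_name","action_file_size","action_file_md5",
+"action_module_md5","action_process_image_md5","action_file_authenticode_sha1",
+"action_file_authenticode_sha2","action_file_sha256","action_module_sha256",
+"action_process_image_sha256","action_file_access_time","actor_process_file_access_time",
+"os_actor_process_file_access_time","action_file_mod_time","actor_process_file_mod_time",
+"os_actor_process_file_mod_time","action_file_create_time","action_file_path",
+"action_process_image_path","action_registry_file_path","actor_process_image_path",
+"causality_actor_process_image_path","os_actor_process_image_path","action_process_image_command_line",
+"actor_process_command_line","causality_actor_process_command_line","os_actor_process_command_line",
+"action_process_file_create_time","actor_process_file_create_time",
+"causality_actor_process_file_create_time","os_actor_process_file_create_time",
+"action_module_process_os_pid","action_process_os_pid","actor_process_os_pid",
+"causality_actor_process_os_pid","os_actor_process_os_pid","action_process_requested_parent_pid",
+"action_thread_parent_pid","action_thread_child_pid","action_process_username","auth_domain",
+"dst_host_metadata_domain","host_metadata_domain","dst_action_url_category","action_registry_key_name",
+"action_registry_value_name","mac","associated_mac","dst_associated_mac","dst_mac",
+"actor_primary_user_sid","action_process_user_sid","actor_primary_username","actor_process_logon_id",
+"action_file_info_company","action_file_extension","action_file_attributes",
+"action_file_internal_zipped_files","action_file_last_writer_actor","action_file_signature_status",
+"action_file_signature_vendor","action_file_signature_product","action_file_info_description",
+"action_file_group","action_file_group_name","action_file_type","action_file_info_file_version",
+"manifest_file_version","action_file_info_product_version","action_file_owner",
+"action_file_owner_name","action_file_info_product_name","action_file_id",
+"action_file_wildfire_verdict","action_file_hash_control_verdict","actor_process_instance_id",
+"actor_process_causality_id","actor_process_auth_id","actor_process_container_id",
+"actor_process_signature_vendor","actor_process_signature_status","actor_process_signature_product",
+"actor_process_image_extension","action_process_termination_code","action_process_termination_date",
+"action_remote_process_thread_id","action_process_instance_execution_time",
+"actor_process_execution_time","action_process_handle_is_kernel","action_process_is_container_root",
+"actor_process_is_native","agent_version","agent_hostname","agent_content_version",
+"agent_session_start_time","agent_id","agent_os_type","agent_os_sub_type",
+"agent_is_vdi","action_user_agent","http_req_user_agent_header","action_evtlog_data_fields",
+"action_evtlog_description","action_evtlog_source","action_evtlog_event_id","action_evtlog_level",
+"action_evtlog_tid","action_evtlog_uid","action_evtlog_pid","action_evtlog_message",
+"action_evtlog_version","event_id","vpn_event_description","event_timestamp","event_version",
+"event_rpc_interface_uuid","event_address_mapped_image_path","event_type","event_sub_type",
+"action_network_creation_time","action_network_connection_id","action_network_packet_data",
+"action_proxy","host_metadata_hostname","action_external_hostname"
+]
+}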
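Review bot: `all_fields` packs several names per line in no particular order, which makes it hard to tell whether a name is already present and makes every future addition a noisy diff; one field per line, sorted, would make a repeated entry obvious (I did not spot one, but could not rule it out by eye). The list also selects bulky payload fields such as `action_network_packet_data`, `action_evtlog_message` and the four `*_command_line` fields; if every query projects all of these (the query builder is not in this hunk), confirm the result size stays bounded and note in the README that command lines and packet data can carry credentials that will then appear verbatim in the STIX output.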
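--- a/stix_shifter_modules/paloalto/stix_translation/json/operators.json
+++ b/stix_shifter_modules/paloalto/stix_translation/json/operators.json
@@ -0,0 +1,15 @@
+{
+"ComparisonExpressionOperators.And": "and",
+"ComparisonExpressionOperators.Or": "or",
+"ComparisonComparators.Equal": "=",
+"ComparisonComparators.NotEqual": "!=",
+"ComparisonComparators.Like": "contains",
+"ComparisonComparators.Matches": "~=",
+"ComparisonComparators.GreaterThan": ">",
+"ComparisonComparators.GreaterThanOrEqual": ">=",
+"ComparisonComparators.LessThan": "<",
+"ComparisonComparators.LessThanOrEqual": "<=",
+"ComparisonComparators.In": "in",
+"ObservationOperators.Or": "or",
+"ObservationOperators.And": "or"
+}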
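Review bot: `"ObservationOperators.And": "or"` maps the observation-level AND to `or`, the same value as the `Or` entry directly above it; if this is the deliberate stix-shifter convention (observations from different events are combined as a union rather than required in one record) it needs recording, because a reader of this file will take it for a copy-paste error, and since JSON admits no comment a line in the module README or a docstring in the query constructor is the place. `"ComparisonComparators.Like": "contains"` also deserves a check in the query builder (not in this hunk): STIX LIKE patterns carry `%` and `_` wildcards, and if they are passed through literally to `contains` the match silently searches for those characters instead of treating them as wildcards.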