Added Palo Alto Cortext XDR UDI Connector (#858)

stix_shifter_modules/paloalto/configuration/config.json

@@ -0,0 +1,35 @@
+{
+    "connection": {
+        "type": {
+            "displayName": "Palo Alto Cortex XDR"
+        },
+        "host": {
+            "type": "text"
+        },
+        "quota_threshold": {
+            "default": 5,
+            "min": 1,
+            "max": 15,
+            "type": "number",
+            "optional" : true
+        },
+        "help": {
+            "type": "link",
+            "default": "data-sources.html"
+        }
+    },
+    "configuration": {
+        "auth": {
+            "type" : "fields",
+            "tenant": {
+                "type": "password"
+            },
+            "api_key": {
+                "type": "password"
+            },
+            "api_key_id": {
+                "type": "password"
+            }
+        }
+    }
+}

stix_shifter_modules/paloalto/configuration/lang_en.json

@@ -0,0 +1,32 @@
+{
+    "connection": {
+        "host": {
+            "label": "Management IP address or Hostname",
+            "description": "Specify the IP address or  hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+        },
+        "quota_threshold": {
+            "label": "The quota limit for the API",
+            "description": "Prevents the connector from exceeding the entire daily units allocated for the License. The Daily units for Standard license alone is 5 and it will be 15 if additional 10 units are purchased."
+        },
+        "help": {
+            "label": "Need additional help?",
+            "description": "More details on the data source setting can be found in the specified link"
+        }
+    },
+    "configuration": {
+        "auth": {
+             "tenant": {
+                "label": "Tenant",
+                "description": "Tenant Id of Palo Alto Cortex XDR Application"
+            },
+            "api_key": {
+                "label": "API Key",
+                "description": "The API Key is a unique identifier required for authenticating API calls."
+            },
+            "api_key_id": {
+                "label": "API Key Id",
+                "description": "The API Key ID is a unique token used to authenticate the API Key"
+            }
+        }
+    }
+}

stix_shifter_modules/paloalto/entry_point.py

@@ -0,0 +1,14 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+    # python main.py translate paloalto query '{}' "[ipv4-addr:value = '127.0.0.1']"
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(True)
+        if connection:
+            self.setup_transmission_simple(connection, configuration)
+
+        self.setup_translation_simple(dialect_default='xdr_data')

stix_shifter_modules/paloalto/stix_translation/json/config_map.json

@@ -0,0 +1,103 @@
+{
+	"int_supported_fields": [
+      "action_local_port",
+      "action_remote_port",
+      "action_pkts_sent",
+      "action_pkts_received",
+      "action_file_size",
+      "action_module_process_os_pid",
+      "action_process_os_pid",
+      "actor_process_os_pid",
+      "causality_actor_process_os_pid",
+      "os_actor_process_os_pid",
+      "action_process_requested_parent_pid",
+      "action_thread_parent_pid",
+      "action_thread_child_pid"
+    ],
+    "timestamp_supported_fields": [
+      "action_file_access_time",
+      "actor_process_file_access_time",
+      "os_actor_process_file_access_time",
+      "action_file_mod_time",
+      "actor_process_file_mod_time",
+      "os_actor_process_file_mod_time",
+      "action_file_create_time",
+      "action_process_file_create_time",
+      "actor_process_file_create_time",
+      "causality_actor_process_file_create_time",
+      "os_actor_process_file_create_time",
+      "action_process_instance_execution_time",
+      "actor_process_execution_time",
+      "action_network_creation_time",
+      "event_timestamp"
+    ],
+    "mac_supported_fields": [
+      "mac",
+      "associated_mac",
+      "dst_associated_mac",
+      "dst_mac"
+    ],
+    "enum_supported_fields": [
+      "action_network_protocol",
+      "event_type",
+      "event_sub_type"
+    ],
+	"enum_supported_values": {
+		  "action_network_protocol": ["TCP", "UDP"],
+		   "event_type": [
+			  "AGENT_STATUS","CLOUD_AUDIT_LOGS","DEVICE","EVENT_LOG","FILE","GAP","HOST_FIREWALL",
+              "HOST_METADATA","HOST_STATUS","INJECTION","LOAD_IMAGE","LOGIN_EVENT","MOUNT","NAMESPACE",
+			  "NETWORK","PROCESS","PROCESS_HANDLE","REGISTRY","RPC_CALL","STORY","SYSTEM_CALL",
+			  "THREAD","USER_STATUS_CHANGE","VPN_EVENT"],
+          "event_sub_type": [
+			  "AGENT_STATUS_AGENT_BOOT" ,"AGENT_STATUS_AGENT_INSTALLED",
+			  "AGENT_STATUS_AGENT_LOW_LEVEL_CONFIG_UPDATE" ,"AGENT_STATUS_AGENT_POLICY_FILTER_UPDATE" ,
+			  "AGENT_STATUS_AGENT_REPLAY_ENDED" ,"AGENT_STATUS_AGENT_SHUTDOWN" ,
+			  "AGENT_STATUS_AGENT_UNINSTALLED" ,"DEVICE_PLUG" ,"DEVICE_UNPLUG" ,
+			  "EVENT_LOG_AGENT_EVENT_LOG" ,"EVENT_LOG_DOMAIN_CONTROLLER" ,"FILE_CHANGE_MODE" ,
+			  "FILE_CHANGE_OWNER" ,"FILE_CREATE_NEW" ,"FILE_DELETE_EXT_ATTRIBUTE" ,
+			  "FILE_DIR_CHANGE_MODE" ,"FILE_DIR_CHANGE_OWNER" ,"FILE_DIR_CREATE" ,"FILE_DIR_LINK" ,
+			  "FILE_DIR_OPEN" ,"FILE_DIR_QUERY" ,"FILE_DIR_REMOVE" ,"FILE_DIR_RENAME" ,
+			  "FILE_DIR_SET_ATTR" ,"FILE_DIR_WRITE" ,"FILE_LINK" ,"FILE_OPEN" ,"FILE_REMOVE" ,
+			  "FILE_RENAME" ,"FILE_REPARSE" ,"FILE_SET_ATTRIBUTE" ,"FILE_SET_SECURITY_DESCRIPTOR" ,
+			  "FILE_WRITE" ,"GAP_GAP_ENDED" ,"GAP_GAP_STARTED", "HOST_FIREWALL_HOST_FW_ALLOW" ,
+			  "HOST_FIREWALL_HOST_FW_BLOCK" ,"HOST_METADATA_CHANGE" ,"HOST_STATUS_BOOT" ,
+			  "HOST_STATUS_RESUME" ,"HOST_STATUS_SHUTDOWN" ,"HOST_STATUS_SUSPEND" ,
+			  "INJECTION_CREATE_REMOTE_THREAD" ,"INJECTION_PROCESS_HOLLOW" ,"INJECTION_QUEUE_APC" ,
+			  "INJECTION_SET_THREAD_CONTEXT" ,"LOAD_IMAGE_MODULE" ,"LOAD_IMAGE_MPROTECT" ,
+			  "LOAD_IMAGE_PRELOAD" ,"LOAD_IMAGE_SO_LOAD" ,"MOUNT_DRIVE_MOUNT" ,
+			  "MOUNT_DRIVE_UNMOUNT" ,"NAMESPACE_SETNS" ,"NAMESPACE_UNSHARE" ,
+			  "NETWORK_DATAGRAM_STATISTICS" ,"NETWORK_DNS_QUERY" ,"NETWORK_HTTP_HEADER" ,
+			  "NETWORK_OUTBOUND_ICMP" ,"NETWORK_PROXY_CONNECT" ,"NETWORK_RAW_DATA" ,
+			  "NETWORK_RAW_PCAP_DATA" ,"NETWORK_STREAM_ACCEPT" ,"NETWORK_STREAM_CONNECT" ,
+			  "NETWORK_STREAM_CONNECT_FAILED" ,"NETWORK_STREAM_DISCONNECT" ,"NETWORK_STREAM_LISTEN" ,
+			  "NETWORK_STREAM_STATISTICS" ,"PROCESS_START" ,"PROCESS_STOP" ,"REGISTRY_CREATE_KEY" ,
+			  "REGISTRY_DELETE_KEY" ,"REGISTRY_DELETE_VALUE" ,"REGISTRY_LOAD" ,"REGISTRY_RENAME_KEY" ,
+			  "REGISTRY_RESTORE" ,"REGISTRY_SAVE" ,"REGISTRY_SET_VALUE" ,"REGISTRY_UNLOAD" ,
+			  "RPC_CALL_RPC_CALLED" ,"SYSTEM_CALL_CREATE_SYMBOLIC_LINK" ,"SYSTEM_CALL_GDI_BIT_BLT" ,
+			  "SYSTEM_CALL_GET_CLIPBOARD_DATA" ,"SYSTEM_CALL_NT_ALLOCATE_VIRTUAL_MEMORY_REMOTE" ,
+			  "SYSTEM_CALL_NT_CREATE_MUTANT" ,"SYSTEM_CALL_NT_DELAY_EXECUTION" ,
+			  "SYSTEM_CALL_NT_MAP_VIEW_OF_SECTION_REMOTE" ,"SYSTEM_CALL_NT_OPEN_FILE" ,
+			  "SYSTEM_CALL_NT_PROTECT_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_NT_QUEUE_APC_THREAD_EX_REMOTE" ,
+			  "SYSTEM_CALL_NT_READ_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_NT_SET_CONTEXT_THREAD_REMOTE" ,
+			  "SYSTEM_CALL_NT_TERMINATE_PROCESS_REMOTE","SYSTEM_CALL_NT_UNMAP_VIEW_OF_SECTION" ,
+			  "SYSTEM_CALL_NT_WRITE_VIRTUAL_MEMORY_REMOTE" ,"SYSTEM_CALL_OPEN_REMOTE_TOKEN" ,
+			  "SYSTEM_CALL_QUERY_PROCESS_LIST" ,"SYSTEM_CALL_QUERY_USER_TOKEN" ,
+			  "SYSTEM_CALL_REGISTER_RAW_INPUT_DEVICES" ,"SYSTEM_CALL_SET_INFO_VIRTUAL_MEMORY" ,
+			  "SYSTEM_CALL_SET_WINDOWS_HOOK_EX" ,"SYSTEM_CALL_SET_WIN_EVENT_HOOK" ,
+			  "SYSTEM_CALL_THREAD_IMPERSONATING" ,"USER_STATUS_CHANGE_LOGOFF" ,"USER_STATUS_CHANGE_LOGON"
+		  ]
+	},
+	"timestamp_supported_dataset": {
+		"xdr_data": "_time"
+	},
+	"mandatory_properties_to_stix": {
+		"user": ["actor_primary_user_sid","action_process_user_sid"],
+		"file": ["action_file_name"],
+		"file_action_process" : ["action_process_image_name"],
+		"file_actor_process": ["actor_process_image_name"],
+		"file_causality_process": ["causality_actor_process_image_name"],
+		"file_os_actor": ["os_actor_process_image_name"],
+		"nt": [["action_local_ip","action_remote_ip"],"action_network_protocol"]
+	}
+}

stix_shifter_modules/paloalto/stix_translation/json/fields_map.json

@@ -0,0 +1,45 @@
+{
+        "all_fields": [
+                "action_local_ip","action_remote_ip","agent_ip_addresses","agent_ip_addresses_v6","dst_agent_ip_addresses_v6",
+                "action_local_port","action_remote_port","action_network_protocol","action_pkts_sent",
+                "action_pkts_received","action_file_name","action_process_image_name","actor_process_image_name",
+                "causality_actor_process_image_name","os_actor_process_image_name","action_file_size","action_file_md5",
+                "action_module_md5","action_process_image_md5","action_file_authenticode_sha1",
+                "action_file_authenticode_sha2","action_file_sha256","action_module_sha256",
+                "action_process_image_sha256","action_file_access_time","actor_process_file_access_time",
+                "os_actor_process_file_access_time","action_file_mod_time","actor_process_file_mod_time",
+                "os_actor_process_file_mod_time","action_file_create_time","action_file_path",
+                "action_process_image_path","action_registry_file_path","actor_process_image_path",
+                "causality_actor_process_image_path","os_actor_process_image_path","action_process_image_command_line",
+                "actor_process_command_line","causality_actor_process_command_line","os_actor_process_command_line",
+                "action_process_file_create_time","actor_process_file_create_time",
+                "causality_actor_process_file_create_time","os_actor_process_file_create_time",
+                "action_module_process_os_pid","action_process_os_pid","actor_process_os_pid",
+                "causality_actor_process_os_pid","os_actor_process_os_pid","action_process_requested_parent_pid",
+                "action_thread_parent_pid","action_thread_child_pid","action_process_username","auth_domain",
+                "dst_host_metadata_domain","host_metadata_domain","dst_action_url_category","action_registry_key_name",
+                "action_registry_value_name","mac","associated_mac","dst_associated_mac","dst_mac",
+                "actor_primary_user_sid","action_process_user_sid","actor_primary_username","actor_process_logon_id",
+                "action_file_info_company","action_file_extension","action_file_attributes",
+                "action_file_internal_zipped_files","action_file_last_writer_actor","action_file_signature_status",
+                "action_file_signature_vendor","action_file_signature_product","action_file_info_description",
+                "action_file_group","action_file_group_name","action_file_type","action_file_info_file_version",
+                "manifest_file_version","action_file_info_product_version","action_file_owner",
+                "action_file_owner_name","action_file_info_product_name","action_file_id",
+                "action_file_wildfire_verdict","action_file_hash_control_verdict","actor_process_instance_id",
+                "actor_process_causality_id","actor_process_auth_id","actor_process_container_id",
+                "actor_process_signature_vendor","actor_process_signature_status","actor_process_signature_product",
+                "actor_process_image_extension","action_process_termination_code","action_process_termination_date",
+                "action_remote_process_thread_id","action_process_instance_execution_time",
+                "actor_process_execution_time","action_process_handle_is_kernel","action_process_is_container_root",
+                "actor_process_is_native","agent_version","agent_hostname","agent_content_version",
+                "agent_session_start_time","agent_id","agent_os_type","agent_os_sub_type",
+                "agent_is_vdi","action_user_agent","http_req_user_agent_header","action_evtlog_data_fields",
+                "action_evtlog_description","action_evtlog_source","action_evtlog_event_id","action_evtlog_level",
+                "action_evtlog_tid","action_evtlog_uid","action_evtlog_pid","action_evtlog_message",
+                "action_evtlog_version","event_id","vpn_event_description","event_timestamp","event_version",
+                "event_rpc_interface_uuid","event_address_mapped_image_path","event_type","event_sub_type",
+                "action_network_creation_time","action_network_connection_id","action_network_packet_data",
+                "action_proxy","host_metadata_hostname","action_external_hostname"
+        ]
+}

stix_shifter_modules/paloalto/stix_translation/json/operators.json

@@ -0,0 +1,15 @@
+{
+        "ComparisonExpressionOperators.And": "and",
+        "ComparisonExpressionOperators.Or": "or",
+        "ComparisonComparators.Equal": "=",
+        "ComparisonComparators.NotEqual": "!=",
+        "ComparisonComparators.Like": "contains",
+        "ComparisonComparators.Matches": "~=",
+        "ComparisonComparators.GreaterThan": ">",
+        "ComparisonComparators.GreaterThanOrEqual": ">=",
+        "ComparisonComparators.LessThan": "<",
+        "ComparisonComparators.LessThanOrEqual": "<=",
+        "ComparisonComparators.In": "in",
+        "ObservationOperators.Or": "or",
+        "ObservationOperators.And": "or"
+    }