Merge branch 'develop' into Fixing_Numpy_2.0_issue

opencybersecurityalliance · Jul 3, 2024 · 31f2b86 · 31f2b86
2 parents ebe4267 + f32d448
commit 31f2b86
Show file tree

Hide file tree

Showing 4 changed files with 120 additions and 3 deletions.
diff --git a/data/cybox/e2eStixBundle01.json b/data/cybox/e2eStixBundle01.json
@@ -0,0 +1,79 @@
+{
+    "type": "bundle",
+    "id": "bundle--258c4b63-6b04-4a0e-985d-f64a3a8c8ec7",
+    "spec_version": "2.0",
+    "objects": [
+      {
+        "type": "identity",
+        "id": "identity--33fa3e56-6511-40de-bc69-c5ffeb3838f9",
+        "created": "2024-06-03T09:44:40.150Z",
+        "modified": "2024-06-03T09:44:40.150Z",
+        "name": "E2E Testing",
+        "identity_class": "program"
+      },
+      {
+        "type": "observed-data",
+        "id": "observed-data--ed82dd61-cc41-485b-b608-d278469e6259",
+        "created_by_ref": "identity--33fa3e56-6511-40de-bc69-c5ffeb3838f9",
+        "created": "2024-06-03T09:44:40.150Z",
+        "modified": "2024-06-03T09:44:40.150Z",
+        "first_observed": "2020-07-29T09:44:40.150Z",
+        "last_observed": "2025-07-29T09:44:40.150Z",
+        "number_observed": 1,
+        "objects": {
+          "0": {
+            "type": "ipv4-addr",
+            "value": "127.0.0.1"
+          },
+          "1": {
+            "type": "ipv4-addr",
+            "value": "172.16.1.1"
+          },
+          "2": {
+            "type": "url",
+            "value": "onedrivefiles.digital"
+          },
+          "3": {
+            "type": "ipv6-addr",
+            "value": "0000:0000:0000:0000:0000:0000:0000:0001"
+          },
+          "4": {
+            "type": "url",
+            "value": "http://kbfvzoboss.bid/alien/fre.php"
+          },
+          "5": {
+            "type": "user-account",
+            "value": "e2e user"
+          },
+            "6": {
+            "type": "file:name",
+            "value": "uat_file.exe"
+          },
+            "7": {
+            "type": "file:hashes.'SHA-256'",
+            "value": "b0ab7076b0fe4b758d8e6622605d94204cc1b55baf718129cafe750d835ffb21"
+          },
+            "8": {
+            "type": "mac-addr",
+            "value": "00:00:00:00:00:00"
+          },
+          "9": {
+            "type": "user-account",
+            "user_id": "omern",
+            "account_login": "omern"
+           },
+           "10": {
+            "type": "file",
+            "name": "streamfwd",
+            "parent_directory_ref": "6"
+           },
+           "11": {
+            "type": "file",
+            "hashes": {
+            "MD5": "6F3C9485F8F97AC04C8E43EF4463A68C"
+                    }
+           }
+        }
+      }
+    ]
+  }
diff --git a/docs/README.md b/docs/README.md
@@ -9,9 +9,9 @@ This library takes in STIX 2 Patterns as input, and "finds" data that matches th
 
 In addition to "finding" the data by using these patterns, STIX-Shifter also _transforms the output_ into STIX 2 Observations. Why would we do that you ask? To put it simply - so that all of the security data, regardless of the source, mostly looks and behaves the same.
 
-***Project Documenation***
+***Project Documentation***
 
-For general information about STIX, this project, and the command line utilities, see the [STIX-shifter Documenation](https://stix-shifter.readthedocs.io/)
+For general information about STIX, this project, and the command line utilities, see the [STIX-shifter Documentation](https://stix-shifter.readthedocs.io/)
 
 ## Installation
 
@@ -126,4 +126,4 @@ limitations under the License.
 
 ## Changelog
 
-- [Changelog](../CHANGELOG.md)
+- [Changelog](../CHANGELOG.md)
diff --git a/stix_shifter_modules/sumologic/README.md b/stix_shifter_modules/sumologic/README.md
@@ -18,6 +18,10 @@ Result Endpoint: `https://api.sumologic.com/api/v1/search/jobs/<SEARCH_JOB_ID>/m
 
 [SumoLogic Search Job API](https://help.sumologic.com/APIs/Search-Job-API/About-the-Search-Job-API)
 
+## Dialects
+
+The connector supports two dialects: the default one and [the cloud_siem one](https://help.sumologic.com/docs/cse/get-started-with-cloud-siem/insight-generation-process/#entities-in-messages-are-mapped-to-entity-type-schema-attributes)
+
 ### Format for making STIX translation calls via the CLI
 
 `python main.py <translator_module> <query or result> <STIX identity object> <data>`

diff --git a/stix_shifter_modules/sumologic/sumologic_supported_stix.md b/stix_shifter_modules/sumologic/sumologic_supported_stix.md
@@ -17,6 +17,7 @@
 | IN | OR |
 | OR (Observation) | OR |
 | AND (Observation) | AND |
+| LIKE | = |
 | <br> | |
 ### Searchable STIX objects and properties
 | STIX Object and Property | Mapped Data Source Fields |
@@ -43,6 +44,39 @@
 | **user-account**:account_created | createdAt |
 | **user-account**:account_last_login | lastLoginTimestamp |
 | <br> | |
+### Searchable STIX objects and properties for Cloud_Siem dialect
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **ipv4-addr**:value | device_ip, device_natIp, dns_replyIp, dstDevice_ip, srcDevice_ip, dstDevice_natIp, srcDevice_natIp |
+| **ipv4-addr**:resolves-to-ref.value | srcDevice_mac, dstDevice_mac |
+| **network-traffic**:dst_port | dstPort |
+| **network-traffic**:src_port | srcPort |
+| **network-traffic**:dst_ref.value | dstDevice_ip |
+| **network-traffic**:src_ref.value | srcDevice_ip |
+| **x-oca-event**:network_ref.src_ref.value | srcDevice_ip |
+| **x-oca-event**:network_ref.dst_ref.value | dstDevice_ip |
+| **x-oca-event**:process_ref.binary_ref.name | baseImage |
+| **x-oca-event**:process_ref.command_line | commandLine |
+| **x-oca-event**:parent_process_ref.binary_ref.name | parentBaseImage |
+| **x-oca-event**:user_ref.user_id | user_username, user_username_raw |
+| **x-oca-event**:code | metadata_deviceEventId |
+| **mac-addr**:value | device_mac, srcDevice_mac, dstDevice_mac |
+| **file**:name | baseImage, parentBaseImage, file_basename, file_path |
+| **file**:parent_directory_ref.binary_ref.name | baseImage, parentBaseImage |
+| **file**:hashes.SHA-256 | file_hash_sha256 |
+| **file**:hashes.MD5 | file_hash_md5 |
+| **file**:hashes.SHA-1 | file_hash_sha1 |
+| **directory**:path | baseImage, parentBaseImage, file_path |
+| **process**:binary_ref.name | baseImage, parentBaseImage |
+| **process**:command_line | commandLine |
+| **process**:parent_ref.binary_ref.name | parentBaseImage |
+| **process**:creator_user_ref.user_id | user_username, user_username_raw |
+| **user-account**:user_id | user_username, user_username_raw, fromUser_username, fromUser_username_raw |
+| **user-account**:display_name | user_username, user_username_raw, fromUser_username, fromUser_username_raw |
+| **domain-name**:value | http_referer_fqdn, http_url_fqdn |
+| **url**:value | http_url |
+| **email-addr**:value | targetUser_email, user_email |
+| <br> | |
 ### Supported STIX Objects and Properties for Query Results
 | STIX Object | STIX Property | Data Source Field |
 |--|--|--|