Remove future timestamp qualifier conditions (#1619)

opencybersecurityalliance · Nov 22, 2023 · c455ab2 · c455ab2
1 parent 02d45de
commit c455ab2
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 18 deletions.
diff --git a/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py b/stix_shifter_modules/aws_guardduty/stix_translation/query_constructor.py
@@ -372,13 +372,9 @@ def _check_time_range_values(time_range_list):
         checks for valid start and stop time
         :param time_range_list: list
         """
-        utc_timestamp = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
-        converted_utc_timestamp = QueryStringPatternTranslator._format_datetime(utc_timestamp)
         converted_timestamp = []
         for timestamp in time_range_list:
             converted_time = QueryStringPatternTranslator._format_datetime(timestamp)
-            if converted_time > converted_utc_timestamp:
-                raise StartStopQualifierValueException('Start/Stop time should not be in the future UTC timestamp')
             converted_timestamp.append(converted_time)
         if converted_timestamp[0] >= converted_timestamp[1]:
             raise StartStopQualifierValueException('Start time should be lesser than Stop time')

diff --git a/..._shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py b/..._shifter_modules/aws_guardduty/tests/stix_translation/test_aws_guardduty_stix_to_query.py
@@ -654,13 +654,30 @@ def test_multiple_observation_with_single_qualifier_with_precedence_bracket(self
         queries = _remove_timestamp_from_query(queries)
         self._test_query_assertions(query, queries)
 
-    def test_invalid_qualifier_with_future_timestamp(self):
+    def test_timestamp_qualifier(self):
         stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \
                        "STOP t'2024-02-07T11:00:00.003Z'"
-        result = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
-        assert result['success'] is False
-        assert "translation_error" == result['code']
-        assert 'Start/Stop time should not be in the future UTC timestamp' in result['error']
+        queries = {
+            "queries": [
+                {
+                    "FindingCriteria": {
+                        "Criterion": {
+                            "service.action.networkConnectionAction.localPortDetails.port": {
+                                "GreaterThanOrEqual": 32794
+                            },
+                            "updatedAt": {
+                                "GreaterThanOrEqual": 1674126000000,
+                                "LessThanOrEqual": 1707303600003
+                            }
+                        }
+                    }
+                }
+            ]
+        }
+        query = translation.translate('aws_guardduty', 'query', '{}', stix_pattern)
+        query = _remove_timestamp_from_query(query)
+        queries = _remove_timestamp_from_query(queries)
+        self._test_query_assertions(query, queries)
 
     def test_stop_time_lesser_than_start_time(self):
         stix_pattern = "[network-traffic:src_port >= 32794]START t'2023-01-19T11:00:00.000Z' " \

diff --git a/stix_shifter_modules/okta/stix_translation/query_constructor.py b/stix_shifter_modules/okta/stix_translation/query_constructor.py
@@ -230,13 +230,9 @@ def _check_time_range_values(time_range_list):
         checks for valid start and stop time
         :param time_range_list: list
         """
-        utc_timestamp = STOP_TIME.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
-        converted_utc_timestamp = QueryStringPatternTranslator._format_datetime(utc_timestamp)
         converted_timestamp = []
         for timestamp in time_range_list:
             converted_time = QueryStringPatternTranslator._format_datetime(timestamp)
-            if converted_time > converted_utc_timestamp:
-                raise StartStopQualifierValueException('Start/Stop time should not be in the future UTC timestamp')
             converted_timestamp.append(converted_time)
         if converted_timestamp[0] >= converted_timestamp[1]:
             raise StartStopQualifierValueException('Start time should be lesser than Stop time')

diff --git a/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py b/stix_shifter_modules/okta/test/stix_translation/test_okta_stix_to_query.py
@@ -317,13 +317,14 @@ def test_wildcard_characters_like_operator(self):
         queries = _remove_timestamp_from_query(queries)
         self._test_query_assertions(query, queries)
 
-    def test_invalid_qualifier_with_future_timestamp(self):
+    def test_timestamp_qualifier(self):
         stix_pattern = "[domain-name:value LIKE 'amazonaws.com'] " \
                        "START t'2023-01-19T11:00:00.000Z' STOP t'2024-02-07T11:00:00.003Z'"
-        result = translation.translate('okta', 'query', '{}', stix_pattern)
-        assert result['success'] is False
-        assert "translation_error" == result['code']
-        assert 'Start/Stop time should not be in the future UTC timestamp' in result['error']
+        query = translation.translate('okta', 'query', '{}', stix_pattern)
+        query['queries'] = _remove_timestamp_from_query(query['queries'])
+        queries = ["filter=securityContext.domain co \"amazonaws.com\" &since=2023-01-19T11:00:00.000Z&until=2024-02-07T11:00:00.003Z"]
+        queries = _remove_timestamp_from_query(queries)
+        self._test_query_assertions(query, queries)
 
     def test_invalid_operator_for_integer_type_field(self):
         stix_pattern = "[autonomous-system:number LIKE '50']"