Add log analytics API support to azure sentinel connector

[mdazam1942]

No description provided.

[codecov]

Codecov Report

Base: 85.35% // Head: 85.33% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (38cb77e) compared to base (88a2af6).
Patch coverage: 84.30% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #1214      +/-   ##
===========================================
- Coverage    85.35%   85.33%   -0.02%     
===========================================
  Files          558      568      +10     
  Lines        41753    42454     +701     
===========================================
+ Hits         35637    36228     +591     
- Misses        6116     6226     +110     

Impacted Files	Coverage Δ
...zure_log_analytics/stix_transmission/api_client.py	31.03% <31.03%> (ø)
...og_analytics/stix_translation/query_constructor.py	63.73% <63.73%> (ø)
...azure_log_analytics/stix_transmission/connector.py	72.13% <72.13%> (ø)
...re_log_analytics/stix_transmission/error_mapper.py	81.81% <81.81%> (ø)
...test_azure_sentinel_log_analytics_stix_to_query.py	98.24% <98.24%> (ø)
..._transmission/test_azure_sentinel_log_analytics.py	99.11% <99.11%> (ø)
...shifter_modules/azure_log_analytics/entry_point.py	100.00% <100.00%> (ø)
...log_analytics/stix_translation/query_translator.py	100.00% <100.00%> (ø)
...g_analytics/stix_translation/results_translator.py	100.00% <100.00%> (ø)
.../test_azure_sentinel_log_analytics_json_to_stix.py	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[delliott90]

I don't think there would every be a search for just hashes, would that even be a valid property or wold it always be hashes.'SHA-1' hashes.'MD5' and so on?

[mdazam1942]

ohh didn't notice they put this under hashes. the property is simply called FileHash so all types of hashes will basically be translated into FileHash filed in the query.

[mdazam1942]

And we need to do some processing before results translation to correctly map the hash type in the bundle

[delliott90]

the device id and computer seem like it could fit in x-oca-asset? https://github.com/opencybersecurityalliance/stix-extensions/blob/main/2.0/x-oca-asset.md

[delliott90]

Severity should go under x-ibm-finding provided it's on a scale of 1-100.

[delliott90]

Should go under x-ibm-finding:alert_id

[delliott90]

Should go under x-ibm-finding:description

[delliott90]

Should go under x-ibm-finding

[delliott90]

Should go under x-ibm-finding

[delliott90]

Anything that doesn't fit directly into a finding property should be a custom extension of the finding object.

[delliott90]

Anything that doesn't fit with a finding property should go under a custom extension to the finding object.

[delliott90]

Anything that won't fit in a finding property should go in an extension of the finding.

[delliott90]

should be url.value

[delliott90]

The name property on the process was removed in 2.1, need to change to x_name

[delliott90]

Needs to be mapped to specific hash type ie. file.hashes.'MD5'

[mdazam1942]

it needs some post processing on the datasource fields. basically needs to check the hash type and create new datasource fields based on the hash value. The newly created datasource fields can be mapped in to_stix.