From 5e1ab974add3a31d9500ea872b247ecdc813ee5a Mon Sep 17 00:00:00 2001
From: Kane Brennan
Date: Wed, 1 Mar 2023 09:32:30 +0000
Subject: [PATCH 1/2] QRadarEpochToTimestamp for exponential notation
---
.../stix_translation/json/stix_2_1/to_stix_map.json | 8 ++++----
.../qradar/stix_translation/json/to_stix_map.json | 8 ++++----
.../qradar/stix_translation/transformers.py | 11 +++++++++++
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/stix_shifter_modules/qradar/stix_translation/json/stix_2_1/to_stix_map.json b/stix_shifter_modules/qradar/stix_translation/json/stix_2_1/to_stix_map.json
index f4f114e22..71cbd5223 100644
--- a/stix_shifter_modules/qradar/stix_translation/json/stix_2_1/to_stix_map.json
+++ b/stix_shifter_modules/qradar/stix_translation/json/stix_2_1/to_stix_map.json
@@ -160,24 +160,24 @@
"starttime": [
{
"key": "first_observed",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"cybox": false
},
{
"key": "x-ibm-finding.start",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"object": "finding"
}
],
"endtime": [
{
"key": "last_observed",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"cybox": false
},
{
"key": "x-ibm-finding.end",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"object": "finding"
}
],
diff --git a/stix_shifter_modules/qradar/stix_translation/json/to_stix_map.json b/stix_shifter_modules/qradar/stix_translation/json/to_stix_map.json
index 3742baa6c..2588956b9 100644
--- a/stix_shifter_modules/qradar/stix_translation/json/to_stix_map.json
+++ b/stix_shifter_modules/qradar/stix_translation/json/to_stix_map.json
@@ -160,24 +160,24 @@
"starttime": [
{
"key": "first_observed",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"cybox": false
},
{
"key": "x-ibm-finding.start",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"object": "finding"
}
],
"endtime": [
{
"key": "last_observed",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"cybox": false
},
{
"key": "x-ibm-finding.end",
- "transformer": "EpochToTimestamp",
+ "transformer": "QRadarEpochToTimestamp",
"object": "finding"
}
],
diff --git a/stix_shifter_modules/qradar/stix_translation/transformers.py b/stix_shifter_modules/qradar/stix_translation/transformers.py
index 028be2251..a0f6cfa26 100644
--- a/stix_shifter_modules/qradar/stix_translation/transformers.py
+++ b/stix_shifter_modules/qradar/stix_translation/transformers.py
@@ -1,5 +1,6 @@
from stix_shifter_utils.stix_translation.src.utils.transformers import ValueTransformer
from stix_shifter_utils.utils import logger
+from datetime import datetime, timezone
LOGGER = logger.set_logger(__name__)
@@ -34,3 +35,13 @@ def transform(value):
return [{ 'name': value }]
except ValueError:
LOGGER.error("Cannot convert root key to Stix formatted windows registry key")
+
+class QRadarEpochToTimestamp(ValueTransformer):
"""A value transformer for the 13-digit timestamps, uses float(epoch) to handle exponential notation"""
+
@staticmethod
def transform(epoch):
try:
return (datetime.fromtimestamp(float(epoch) / 1000, timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z')
except ValueError:
LOGGER.error("Cannot convert epoch value {} to timestamp".format(epoch))
From 10897bf5dfa8bc92df026a2a4996bc1c7d9147b3 Mon Sep 17 00:00:00 2001
From: Kane Brennan
Date: Thu, 2 Mar 2023 14:51:54 +0000
Subject: [PATCH 2/2] Added test for epoch using exponent notation
---
.../test_qradar_json_to_stix.py | 23 ++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
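Review bot: The `except ValueError:` in the new `QRadarEpochToTimestamp.transform` is narrower than what the expression can raise on a value taken straight from a QRadar result row: `float(None)` raises TypeError, a string such as `"1e400"` parses to infinity and `datetime.fromtimestamp` then raises OverflowError, and a finite but very large epoch raises OverflowError or OSError depending on the platform, so one malformed event aborts the whole result translation instead of being logged and skipped like the registry-key transformer above it. Widening the guard to `except (ValueError, TypeError, OverflowError, OSError):` keeps the intended log-and-degrade behaviour without changing the success path. The docstring should also state that the transform returns `None` on failure, since that is what the mapping will receive for the field; the `transform(value)` whose tail forms the hunk's context lines begins above the hunk.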
diff --git a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
index 2b097a4a2..766ce4c06 100644
--- a/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
+++ b/stix_shifter_modules/qradar/tests/stix_translation/test_qradar_json_to_stix.py
@@ -611,4 +611,25 @@ def test_unmapped_fallback(self):
assert(custom_objects['unmapped1'] == "value1")
assert(custom_objects['unmapped2'] == "value2")
assert 'unmapped3' not in custom_objects.keys()
- assert 'unmapped4' not in custom_objects.keys()
\ No newline at end of file
+ assert 'unmapped4' not in custom_objects.keys()
+
+ def test_epoch_exponent_notation(self):
+
+ data = [{
+ "qidname": "Information Message",
+ "eventcount": "12912.0",
+ "starttime": "0.001531169112E12",
+ "endtime": "0.001531169254E12"
+ }]
+
+ result_bundle = entry_point.translate_results(json.dumps(DATA_SOURCE), json.dumps(data))
+ observed_data = result_bundle['objects'][1]
+
+ assert(observed_data['first_observed'] == START_TIMESTAMP)
+ assert(observed_data['last_observed'] == END_TIMESTAMP)
+
+ objects = observed_data['objects']
+ finding = TestTransform.get_first_of_type(objects.values(), 'x-ibm-finding')
+
+ assert(finding['start'] == START_TIMESTAMP)
+ assert(finding['end'] == END_TIMESTAMP)
\ No newline at end of file
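Review bot: `test_epoch_exponent_notation` covers only the success path; nothing exercises the failure path that the new transformer's `except` clause exists for, namely a `starttime`/`endtime` that cannot be parsed (for example `"not-a-number"`), which should be logged and leave translation able to complete rather than propagate out of `translate_results`. A second case feeding such a value and asserting a bundle still comes back would pin that contract, and the same case with `"1e400"` would expose that the current `except ValueError` does not catch the resulting OverflowError. `START_TIMESTAMP` and `END_TIMESTAMP` are defined outside the hunk, so I am assuming they are the millisecond ISO strings for the 1531169112000/1531169254000 epochs; the enclosing `TestTransform` class begins above the hunk. Exactly which fields are present after a `None` transformer result depends on the mapper and should be confirmed before asserting on them.
```python
    def test_epoch_unparseable_value_does_not_raise(self):
        # Malformed epoch must be logged by the transformer, not abort the whole translation.
        data = [{
            "qidname": "Information Message",
            "starttime": "not-a-number",
            "endtime": "0.001531169254E12"
        }]
        result_bundle = entry_point.translate_results(json.dumps(DATA_SOURCE), json.dumps(data))
        assert 'objects' in result_bundle
```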