Tanium threat response connector 2

stix_shifter_modules/tanium/configuration/config.json

@@ -0,0 +1,30 @@
+{
+    "connection": {
+        "type": {
+            "displayName": "Tanium Threat Response",
+            "group": "tanium"
+        },
+        "host": {
+            "type": "text",
+            "regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_:/\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9_:/\\-]*[A-Za-z0-9])$"
+        },
+        "port": {
+            "type": "number",
+            "default": 443,
+            "min": 1,
+            "max": 65535
+        },
+        "options": {
+            "unmapped_fallback": {
+                "default": true
+            }
+        }
+    },
+    "configuration": {
+        "auth": {
+            "accessToken": {
+                "type": "password"
+            }
+        }
+    }
+}

stix_shifter_modules/tanium/configuration/lang_en.json

@@ -0,0 +1,20 @@
+{
+    "connection": {
+        "host": {
+            "label": "Management IP address or hostname",
+            "description": "Specify the IP address or hostname of the data source"
+        },
+        "port": {
+            "label": "Host port",
+            "description": "Set the port number that is associated with the hostname or IP address"
+        }
+    },
+    "configuration": {
+        "auth": {
+            "accessToken": {
+                "label": "Access Token",
+                "description": "An access token for the Tanium Threat Response API."
+            }
+        }
+    }
+}

stix_shifter_modules/tanium/entry_point.py

@@ -0,0 +1,11 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+class EntryPoint(BaseEntryPoint):
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(False)
+
+        if connection:
+            self.setup_transmission_basic(connection, configuration)
+
+        self.setup_translation_simple(dialect_default='default')

stix_shifter_modules/tanium/stix_translation/json/from_stix_map.json

@@ -0,0 +1,116 @@
+{
+  "x-oca-event": {
+    "fields": {
+      "outcome": [
+        "state"
+      ],
+      "severity": [
+        "severity"
+      ],
+      "category": [
+        "matchType"
+      ],
+      "provider": [
+        "intelType"
+      ],
+      "action": [
+        "intelDocName"
+      ],
+      "host_ref.hostname": [
+        "computerName"
+      ],
+      "host_ref.ip_refs.value": [
+        "computerIpAddress"
+      ],
+      "host_ref.os_ref.name": [
+        "platform"
+      ],
+      "file_ref.parent_directory_ref.path": [
+        "path"
+      ],
+      "x_ttp_tagging_refs.technique_id": [
+        "mitreId"
+      ]
+    }
+  },
+  "x-ibm-finding": {
+    "fields": {
+      "dst_ip_ref.value": [
+        "computerIpAddress"
+      ],
+      "name": [
+        "intelDocName"
+      ],
+      "severity": [
+        "severity"
+      ],
+      "dst_os_ref.name": [
+        "platform"
+      ],
+      "x_ttp_tagging_refs.technique_id": [
+        "mitreId"
+      ],
+      "x_guid": [
+        "guid"
+      ],
+      "x_priority": [
+        "priority"
+      ],
+      "x_intel_doc_id": [
+        "intelDocId"
+      ],
+      "x_scan_config_id": [
+        "scanConfigId"
+      ],
+      "x_path": [
+        "path"
+      ],
+      "x_type": [
+        "type"
+      ],
+      "x_source": [
+        "intelSource"
+      ],
+      "x_label_name": [
+        "labelName"
+      ],
+      "x_details": [
+        "details"
+      ]
+    }
+  },
+  "ipv4-addr": {
+    "fields": {
+      "value": [
+        "computerIpAddress"
+      ]
+    }
+  },
+  "ipv6-addr": {
+    "fields": {
+      "value": [
+        "computerIpAddress"
+      ]
+    }
+  },
+  "x-oca-asset": {
+    "fields": {
+      "hostname": [
+        "computerName"
+      ],
+      "ip_refs.value": [
+        "computerIpAddress"
+      ],
+      "os_ref.name": [
+        "platform"
+      ]
+    }
+  },
+  "software": {
+    "fields": {
+      "name": [
+        "platform"
+      ]
+    }
+  }
+}

stix_shifter_modules/tanium/stix_translation/json/operators.json

@@ -0,0 +1,8 @@
+{
+    "ComparisonExpressionOperators.And": "&",
+    "ComparisonExpressionOperators.Or": "&",
+    "ComparisonComparators.In": "IN",
+    "ComparisonComparators.Equal": "=",
+    "ObservationOperators.And": "&",
+    "ObservationOperators.Or": "&"
+}

stix_shifter_modules/tanium/stix_translation/json/stix_2_1/from_stix_map.json

@@ -0,0 +1,116 @@
+{
+  "x-oca-event": {
+    "fields": {
+      "outcome": [
+        "state"
+      ],
+      "severity": [
+        "severity"
+      ],
+      "category": [
+        "matchType"
+      ],
+      "provider": [
+        "intelType"
+      ],
+      "action": [
+        "intelDocName"
+      ],
+      "host_ref.hostname": [
+        "computerName"
+      ],
+      "host_ref.ip_refs.value": [
+        "computerIpAddress"
+      ],
+      "host_ref.os_ref.name": [
+        "platform"
+      ],
+      "file_ref.parent_directory_ref.path": [
+        "path"
+      ],
+      "x_ttp_tagging_refs.technique_id": [
+        "mitreId"
+      ]
+    }
+  },
+  "x-ibm-finding": {
+    "fields": {
+      "dst_ip_ref.value": [
+        "computerIpAddress"
+      ],
+      "name": [
+        "intelDocName"
+      ],
+      "severity": [
+        "severity"
+      ],
+      "dst_os_ref.name": [
+        "platform"
+      ],
+      "x_ttp_tagging_refs.technique_id": [
+        "mitreId"
+      ],
+      "x_guid": [
+        "guid"
+      ],
+      "x_priority": [
+        "priority"
+      ],
+      "x_intel_doc_id": [
+        "intelDocId"
+      ],
+      "x_scan_config_id": [
+        "scanConfigId"
+      ],
+      "x_path": [
+        "path"
+      ],
+      "x_type": [
+        "type"
+      ],
+      "x_source": [
+        "intelSource"
+      ],
+      "x_label_name": [
+        "labelName"
+      ],
+      "x_details": [
+        "details"
+      ]
+    }
+  },
+  "ipv4-addr": {
+    "fields": {
+      "value": [
+        "computerIpAddress"
+      ]
+    }
+  },
+  "ipv6-addr": {
+    "fields": {
+      "value": [
+        "computerIpAddress"
+      ]
+    }
+  },
+  "x-oca-asset": {
+    "fields": {
+      "hostname": [
+        "computerName"
+      ],
+      "ip_refs.value": [
+        "computerIpAddress"
+      ],
+      "os_ref.name": [
+        "platform"
+      ]
+    }
+  },
+  "software": {
+    "fields": {
+      "name": [
+        "platform"
+      ]
+    }
+  }
+}