New UDI connector module for IBM Security Verify #802

Merged
merged 27 commits into from
Mar 4, 2022
2bec8b1
adding verify for new pull request
kr-riteshsinha Feb 4, 2022
b188a51
Merge branch 'develop' into develop
mdazam1942 Feb 15, 2022
133a91c
updated stix mapping reference and fixed escape character problem in…
kr-riteshsinha Feb 16, 2022
8e78789
Merge branch 'develop' of https://github.com/priti-patil/stix-shifter…
kr-riteshsinha Feb 16, 2022
f3aebeb
added IN support and corrected mapping of outcome
kr-riteshsinha Feb 16, 2022
b989b46
changes are done as per reviewer feedback
kr-riteshsinha Feb 17, 2022
3b69c61
fixed unit test case. removed space between character
kr-riteshsinha Feb 17, 2022
df265cf
removesuffix available only in 3.9 version. change the code to support
kr-riteshsinha Feb 17, 2022
d15459f
removed the duplicate parameters from config and lang_en files. Defau…
kr-riteshsinha Feb 18, 2022
6b7d8a4
added few more mapping
kr-riteshsinha Feb 18, 2022
d560158
fix the unit test case and apply formatting
kr-riteshsinha Feb 18, 2022
deb0b2f
made the changes as per feedback received
kr-riteshsinha Feb 21, 2022
994096d
rename module name from verify to ibm_security_verify
kr-riteshsinha Feb 21, 2022
fa399a6
fixed mapping for lan and lat geo location
kr-riteshsinha Feb 21, 2022
c3f9e9d
mapping correction for geolocation
kr-riteshsinha Feb 21, 2022
3ca75e2
Merge branch 'develop' into develop
mdazam1942 Feb 22, 2022
a42fe57
Rename test_stix_to_query.py to test_ibm_verify_stix_to_query.py
kr-riteshsinha Feb 22, 2022
e91c221
Rename test_transform.py to test_ibm_verify_transform.py
kr-riteshsinha Feb 22, 2022
59cb6bd
rename test_transmission to test_ibm_verify_transmission
kr-riteshsinha Feb 22, 2022
0942dd2
Merge branch 'develop' into develop
mdazam1942 Feb 23, 2022
db1486d
Merge branch 'develop' into develop
mdazam1942 Feb 28, 2022
667f0e2
removed operator_lookup from queryConstructor class and now referring …
kr-riteshsinha Mar 1, 2022
d3fe306
removed unused import in queryConstructor.py
kr-riteshsinha Mar 2, 2022
216c5e3
Merge branch 'develop' into develop
mdazam1942 Mar 2, 2022
654840b
added stix_2_1 mapping and corrected mapping of useraccount.account_type
kr-riteshsinha Mar 4, 2022
57f1200
Merge branch 'develop' of https://github.com/priti-patil/stix-shifter…
kr-riteshsinha Mar 4, 2022
82ffba8
Merge branch 'develop' into develop
mdazam1942 Mar 4, 2022
152 changes: 152 additions & 0 deletions stix_shifter_modules/ibm_security_verify/README.md
@@ -0,0 +1,152 @@
# IBM Security Verify

This is a connector for searching IBM Security Verify events. Connector uses stix-patterns and IBM event verify REST API to make a convert and execute the qurey.

* To know more about IBM Security Verify API refer to the [API Reference](https://docs.verify.ibm.com/verify/reference/getallevents)
* Connector uses the stix schema defined as per [stix-extension/stix2.0/x-oca-event](https://github.ibm.com/IBM-Security-STIX/stix-extensions/blob/verify/STIX%202.0/x-oca-event.md)
* Connector supports ` Equal, AND, IN ` stix operations
* Possible event types are ` sso,authentication,management,risk,adaptive_risk `

### Some of Stix pattern examples

* Event type `[x-oca-event:category='authentication']`
* IPv4-Addr `[ ipv4-addr:value IN ('192.168.1.1', '192.168.1.2', '192.168.1.3') ]"`
* oca-event `[x-oca-event:extensions.'x-iam-ext'.application_name='Bane']`
`
`

### Format for making STIX translation calls via the CLI

`python main.py <translator_module> <query or result> <STIX identity object> <data>
`

### Converting from STIX patterns to verify_event queries

CLI example of stix input pattern for TRANSLATE


`
python main.py translate ibm_security_verify query "{}" "[x-oca-event:category='sso']"
`

Returns the following search query:

`
{
"queries": [
"event_type=\"sso\"&limit=10000"
]
}
`

### Transmit functions

Transmit offers several functions: ping, query, results and execute.
### Ping
Uses the data source API to ping the connection.


`
python main.py transmit ibm_security_verify '{ "host": "<Host Name>","port" :<port>}' '{ "auth": { "clientId": "<client-Id>, "clientSecret": "<token>"}}' ping
`

If connection is established, Connector will return the following response:

`
{
"success": true
}
`
### Results

Uses the data source API to fetch the query results based on the search ID, offset, and length.

CLI Command

`
python main.py transmit ibm_security_verify '{ "host": "<Host Name>" ,"port" :<port>}' '{ "auth": { "clientId": "<client-Id>, "clientSecret": "<token>"}}'
`

Response

`
{
"success": true,
"search_id": "event_type=\"sso\"&limit=10000"
}
`

### Execute

```
python main.py execute ibm_security_verify ibm_security_verify '{"type": "identity","id": "<identity Id>","name":"verify","identity_class":"events"}' '{ }' '{ "host": "<Host Name>" ,"port" :<port>}' '{ "auth": { "clientId": "<client-Id>, "clientSecret": "<token>"}}' "[x-oca-event:category = 'sso']"
```

Response object

```json
{
"type": "bundle",
"id": "bundle--65fc22ff-0063-4afc-a61e-b9b50c0b1e18",
"objects": [
{
"type": "identity",
"id": "32a23267-52fb-4e82-859b-0a15d6a2d334",
"name": "verify",
"identity_class": "events"
},
{
"id": "observed-data--63964544-6b66-4673-ad37-bbeab66d328d",
"type": "observed-data",
"created_by_ref": "32a23267-52fb-4e82-859b-0a15d6a2d334",
"created": "2022-02-17T07:33:21.969Z",
"modified": "2022-02-17T07:33:21.969Z",
"objects": {
"0": {
"type": "x-oca-event",
"extensions": {
"x-iam-ext": {
"continent_name": "Asia",
"city_name": "mumbai",
"country_iso_code": "IN",
"country_name": "India",
"subcategory": "saml",
"provider_id": "http://ibm.com",
"realm": "www.google.com",
"application_id": "6773634223410562472",
"application_type": "Custom Application",
"browser_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
"applicationname": "Bane"
}
},
"ip_refs": [
"1"
],
"outcome": "success",
"user_ref": "2",
"category": "sso",
"provider": "IBM Security Verify IAM",
"domain_ref": "3",
"module": "saml_runtime",
"created": "2022-02-17T07:31:38.824Z"
},
"1": {
"type": "ipv4-addr",
"value": "192.168.1.1"
},
"2": {
"type": "user-account",
"user_id": "123456"
},
"3": {
"type": "domain-name",
"value": "ibmcloud.com"
}
},
"first_observed": "2022-02-17T07:33:21.969Z",
"last_observed": "2022-02-17T07:33:21.969Z",
"number_observed": 1
}
}
```
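Review bot: the configuration argument in the ping, results and execute examples is not valid JSON: `"clientId": "<client-Id>, "clientSecret": "<token>"` is missing the closing quote after `<client-Id>`, so anyone copying the command gets a parse error before the connector runs; it should read `"clientId": "<client-Id>", "clientSecret": "<token>"`. The Results example also omits the `results` action and the search ID, offset and length that the sentence above it says are required, and the intro sentence still reads "make a convert and execute the qurey". The stix-extensions link points at github.ibm.com, which is not reachable outside IBM, so external users cannot follow the schema reference; the two stray backtick lines after the pattern examples should also be dropped.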

Empty file.
37 changes: 37 additions & 0 deletions stix_shifter_modules/ibm_security_verify/configuration/config.json
@@ -0,0 +1,37 @@
{
"connection": {
"type": {
"displayName": "IBM Security Verify",
"type": "connectorType"
},
"host": {
"type": "text",
"regex": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_:/\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9_:/\\-]*[A-Za-z0-9])$"
},
"port": {
"type": "number",
"default": 443,
"min": 1,
"max": 65535
},
"sni": {
"type": "text",
"optional": true
},
"selfSignedCert": {
"type": "password",
"optional": true
}
},
"configuration": {
"auth": {
"type": "fields",
"clientId": {
"type": "password"
},
"clientSecret": {
"type": "password"
}
}
}
}
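Review bot: the `host` regex admits `:` and `/` inside the name, so inputs such as `example.com/extra` or `example.com:8443` pass validation even though `port` is a separate field and the lang_en strings in this PR describe the value as an IP address or hostname; dropping `:/` from both character classes keeps the field to a bare hostname or IP and avoids the host being used to smuggle a path or port into the request URL. Typing `clientId` and `clientSecret` as `password` is fine since both are masked, but lang_en.json defines a `help` label while there is no matching `help` entry under `connection` here, so the two files disagree on the field set.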
@@ -0,0 +1,38 @@
{
"connection": {
"host": {
"label": "Management IP address or Hostname",
"placeholder": "192.168.1.1",
"description": "Specify the IBM Security verify IP address or Hostname."
},
"port": {
"label": "Host Port",
"placeholder": "443",
"description": "Specify the associated port number of the data source."
},
"help": {
"label": "Need additional help?"
},
"selfSignedCert": {
"label": "IBM Security Verify Certificate",
"placeholder": "Paste your certificate"
},
"sni": {
"label": "Server name indicator",
"placeholder": "Add a server name indicator",
"description": "If your hostname or IP address does not match the common name you will need to supply a Server Name Indicator (SNI). This is used to allow a separate hostname to be provided to the TLS handshake of the resource connection."
}
},
"configuration": {
"auth": {
"clientId": {
"label": "Client Id",
"description": "Client ID of IBM Seurity Verify"
},
"clientSecret": {
"label": "Client Secret",
"description": "Client secret of Client ID of IBM Seurity Verify"
}
}
}
}
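Review bot: "Seurity" is misspelled in both the `clientId` and `clientSecret` descriptions, and the `host` description has "IBM Security verify" with a lowercase v; these are user-facing strings, so please correct them. The `clientSecret` description "Client secret of Client ID of IBM Seurity Verify" would read better as "Client secret for the IBM Security Verify client ID". The `help` block carries a label but has no counterpart entry in config.json in this PR.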
11 changes: 11 additions & 0 deletions stix_shifter_modules/ibm_security_verify/entry_point.py
@@ -0,0 +1,11 @@
from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint


class EntryPoint(BaseEntryPoint):

def __init__(self, connection={}, configuration={}, options={}):
super().__init__(connection, configuration, options)
if connection:
self.setup_transmission_simple(connection, configuration)

self.setup_translation_simple(dialect_default='default')
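Review bot: `__init__` uses mutable default arguments (`connection={}`, `configuration={}`, `options={}`); a dict default is created once and shared across every call, so prefer `connection=None` and resolve `connection = connection or {}` inside the body (and the same for the other two). Since transmission is only set up when `connection` is truthy while translation is always set up, a one-line comment stating that the translation-only path is intentional for `translate` calls would help the next reader.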
Empty file.