Added Palo Alto Cortext XDR UDI Connector

stix_shifter_modules/paloalto/configuration/config.json

@@ -0,0 +1,41 @@
+{
+    "connection": {
+        "type": {
+            "displayName": "Palo Alto Cortex XDR"
+        },
+        "host": {
+            "type": "text"
+        },
+        "help": {
+            "type": "link",
+            "default": "data-sources.html"
+        },
+        "options": {
+            "type": "fields",
+            "result_limit": {
+                "default": 1000,
+                "min": 1,
+                "max": 1000,
+                "type": "number"
+            }
+        },
+        "quota_threshold": {
+            "default": 3.00,
+            "type": "float"
+        }
+    },
+    "configuration": {
+        "auth": {
+            "type" : "fields",
+            "tenant": {
+                "type": "password"
+            },
+            "api_key": {
+                "type": "password"
+            },
+            "api_key_id": {
+                "type": "password"
+            }
+        }
+    }
+}

stix_shifter_modules/paloalto/configuration/lang_en.json

@@ -0,0 +1,36 @@
+{
+    "connection": {
+        "host": {
+            "label": "Management IP address or Hostname",
+            "description": "Specify the IP address or  hostname of the data source so that IBM Cloud Pak for Security can communicate with it"
+        },
+        "help": {
+            "label": "Need additional help?",
+            "description": "More details on the data source setting can be found in the specified link"
+        },
+        "result_limit": {
+            "label": "The Result limit for the connector",
+            "description": "The total number of results returned from the connector"
+        },
+        "quota_threshold": {
+            "label": "The quota limit for the API",
+            "description": "Prevents the connector from exceeding the quota threshold limit"
+}
+    },
+    "configuration": {
+        "auth": {
+             "tenant": {
+                "label": "Tenant",
+                "description": "Tenant Id of Palo Alto Cortex XDR Application"
+            },
+            "api_key": {
+                "label": "API Key",
+                "description": "The API Key is a unique identifier required for authenticating API calls."
+            },
+            "api_key_id": {
+                "label": "API Key Id",
+                "description": "The API Key ID is a unique token used to authenticate the API Key"
+            }
+        }
+    }
+}

stix_shifter_modules/paloalto/entry_point.py

@@ -0,0 +1,14 @@
+from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
+
+
+class EntryPoint(BaseEntryPoint):
+
+    # python main.py translate paloalto query '{}' "[ipv4-addr:value = '127.0.0.1']"
+
+    def __init__(self, connection={}, configuration={}, options={}):
+        super().__init__(connection, configuration, options)
+        self.set_async(True)
+        if connection:
+            self.setup_transmission_simple(connection, configuration)
+
+        self.setup_translation_simple(dialect_default='xdr_data')

stix_shifter_modules/paloalto/stix_translation/json/config_map.json

@@ -0,0 +1,65 @@
+{
+	"int_supported_fields": [
+      "action_local_port",
+      "action_remote_port",
+      "action_pkts_sent",
+      "action_pkts_received",
+      "action_file_size",
+      "action_module_process_os_pid",
+      "action_process_os_pid",
+      "actor_process_os_pid",
+      "causality_actor_process_os_pid",
+      "os_actor_process_os_pid",
+      "action_process_requested_parent_pid",
+      "action_thread_parent_pid",
+      "action_thread_child_pid"
+    ],
+    "timestamp_supported_fields": [
+      "action_file_access_time",
+      "actor_process_file_access_time",
+      "os_actor_process_file_access_time",
+      "action_file_mod_time",
+      "actor_process_file_mod_time",
+      "os_actor_process_file_mod_time",
+      "action_file_create_time",
+      "action_process_file_create_time",
+      "actor_process_file_create_time",
+      "causality_actor_process_file_create_time",
+      "os_actor_process_file_create_time",
+      "action_process_instance_execution_time",
+      "actor_process_execution_time",
+      "action_network_creation_time"
+    ],
+    "mac_supported_fields": [
+      "mac",
+      "associated_mac",
+      "dst_associated_mac",
+      "dst_mac"
+    ],
+    "enum_supported_fields": [
+      "action_network_protocol",
+      "agent_os_type",
+      "event_type"
+    ],
+	"enum_supported_values": {
+		  "action_network_protocol": ["TCP", "UDP"],
+		  "agent_os_type": ["AGENT_OS_LINUX", "AGENT_OS_MAC", "AGENT_OS_WINDOWS"],
+		   "event_type": [
+			  "AGENT_STATUS","CLOUD_AUDIT_LOGS","DEVICE","EVENT_LOG","FILE","GAP","HOST_FIREWALL",
+              "HOST_METADATA","HOST_STATUS","INJECTION","LOAD_IMAGE","LOGIN_EVENT","MOUNT","NAMESPACE",
+			  "NETWORK","PROCESS","PROCESS_HANDLE","REGISTRY","RPC_CALL","STORY","SYSTEM_CALL",
+			  "THREAD","USER_STATUS_CHANGE","VPN_EVENT"]
+	},
+	"timestamp_supported_dataset": {
+		"xdr_data": "_time"
+	},
+	"mandatory_properties_to_stix": {
+		"user": ["actor_primary_user_sid","action_process_user_sid"],
+		"file": ["action_file_name"],
+		"file_action_process" : ["action_process_image_name"],
+		"file_actor_process": ["actor_process_image_name"],
+		"file_causality_process": ["causality_actor_process_image_name"],
+		"file_os_actor": ["os_actor_process_image_name"],
+		"nt": [["action_local_ip","action_remote_ip"],"action_network_protocol"]
+	}
+}

stix_shifter_modules/paloalto/stix_translation/json/fields_map.json

@@ -0,0 +1,45 @@
+{
+        "all_fields": [
+                "action_local_ip","action_remote_ip","agent_ip_addresses_v6","dst_agent_ip_addresses_v6",
+                "action_local_port","action_remote_port","action_network_protocol","action_pkts_sent",
+                "action_pkts_received","action_file_name","action_process_image_name","actor_process_image_name",
+                "causality_actor_process_image_name","os_actor_process_image_name","action_file_size","action_file_md5",
+                "action_module_md5","action_process_image_md5","action_file_authenticode_sha1",
+                "action_file_authenticode_sha2","action_file_sha256","action_module_sha256",
+                "action_process_image_sha256","action_file_access_time","actor_process_file_access_time",
+                "os_actor_process_file_access_time","action_file_mod_time","actor_process_file_mod_time",
+                "os_actor_process_file_mod_time","action_file_create_time","action_file_path",
+                "action_process_image_path","action_registry_file_path","actor_process_image_path",
+                "causality_actor_process_image_path","os_actor_process_image_path","action_process_image_command_line",
+                "actor_process_command_line","causality_actor_process_command_line","os_actor_process_command_line",
+                "action_process_file_create_time","actor_process_file_create_time",
+                "causality_actor_process_file_create_time","os_actor_process_file_create_time",
+                "action_module_process_os_pid","action_process_os_pid","actor_process_os_pid",
+                "causality_actor_process_os_pid","os_actor_process_os_pid","action_process_requested_parent_pid",
+                "action_thread_parent_pid","action_thread_child_pid","action_process_username","auth_domain",
+                "dst_host_metadata_domain","host_metadata_domain","dst_action_url_category","action_registry_key_name",
+                "action_registry_value_name","mac","associated_mac","dst_associated_mac","dst_mac",
+                "actor_primary_user_sid","action_process_user_sid","actor_primary_username","actor_process_logon_id",
+                "action_file_info_company","action_file_extension","action_file_attributes",
+                "action_file_internal_zipped_files","action_file_last_writer_actor","action_file_signature_status",
+                "action_file_signature_vendor","action_file_signature_product","action_file_info_description",
+                "action_file_group","action_file_group_name","action_file_type","action_file_info_file_version",
+                "manifest_file_version","action_file_info_product_version","action_file_owner",
+                "action_file_owner_name","action_file_info_product_name","action_file_id",
+                "action_file_wildfire_verdict","action_file_hash_control_verdict","actor_process_instance_id",
+                "actor_process_causality_id","actor_process_auth_id","actor_process_container_id",
+                "actor_process_signature_vendor","actor_process_signature_status","actor_process_signature_product",
+                "actor_process_image_extension","action_process_termination_code","action_process_termination_date",
+                "action_remote_process_thread_id","action_process_instance_execution_time",
+                "actor_process_execution_time","action_process_handle_is_kernel","action_process_is_container_root",
+                "actor_process_is_native","agent_version","agent_hostname","agent_content_version",
+                "agent_session_start_time","agent_id","agent_os_type","agent_os_sub_type",
+                "agent_is_vdi","action_user_agent","http_req_user_agent_header","action_evtlog_data_fields",
+                "action_evtlog_description","action_evtlog_source","action_evtlog_event_id","action_evtlog_level",
+                "action_evtlog_tid","action_evtlog_uid","action_evtlog_pid","action_evtlog_message",
+                "action_evtlog_version","event_id","vpn_event_description","event_timestamp","event_version",
+                "event_rpc_interface_uuid","event_address_mapped_image_path","event_type","event_sub_type",
+                "action_network_creation_time","action_network_connection_id","action_network_packet_data",
+                "action_proxy","host_metadata_hostname","action_external_hostname"
+        ]
+}

stix_shifter_modules/paloalto/stix_translation/json/operators.json

@@ -0,0 +1,15 @@
+{
+        "ComparisonExpressionOperators.And": "and",
+        "ComparisonExpressionOperators.Or": "or",
+        "ComparisonComparators.Equal": "=",
+        "ComparisonComparators.NotEqual": "!=",
+        "ComparisonComparators.Like": "contains",
+        "ComparisonComparators.Matches": "~=",
+        "ComparisonComparators.GreaterThan": ">",
+        "ComparisonComparators.GreaterThanOrEqual": ">=",
+        "ComparisonComparators.LessThan": "<",
+        "ComparisonComparators.LessThanOrEqual": "<=",
+        "ComparisonComparators.In": "in",
+        "ObservationOperators.Or": "or",
+        "ObservationOperators.And": "or"
+    }