

Module name changed to nozomi_vantage
Module name changed to nozomi_vantage
thangaraj-ramesh committed Apr 9, 2024
1 parent 13db2fe commit 613b684
Showing 23 changed files with 119 additions and 123 deletions.
Expand Up @@ -2,7 +2,7 @@

## Supported STIX Mappings

See the [table of mappings](nozomi_supported_stix.md) for the STIX objects and operators supported by this connector.
See the [table of mappings](nozomi_vantage_supported_stix.md) for the STIX objects and operators supported by this connector.


**Table of Contents**
Expand Down Expand Up @@ -51,7 +51,7 @@ python main.py `<translator_module>` `<query or result>` `<STIX identity object>

#### STIX Translate query to fetch the messages from a specific ipaddress
```shell
translate nozomi query {} "[ipv4-addr:value='1.1.1.1'] START t'2024-01-01T11:00:00.000Z' STOP t'2024-01-10T00:00:00.000Z'"
translate nozomi_vantage query {} "[ipv4-addr:value='1.1.1.1'] START t'2024-01-01T11:00:00.000Z' STOP t'2024-01-10T00:00:00.000Z'"
```
#### STIX Translate query - output
```json
Expand All @@ -65,7 +65,7 @@ translate nozomi query {} "[ipv4-addr:value='1.1.1.1'] START t'2024-01-01T11:00:
#### STIX Transmit results

```shell
transmit nozomi "{\"host\":\"nozomi-xxxxxxxxx.vantage.nozominetworks.io\", \"port\":443}" "{\"auth\":{\"key_name\":\"XXXXXXX\", \"key_token\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}}" results "query=alerts | where ip_src==\"1.1.1.1\" OR ip_dst==\"1.1.1.1\" | where record_created_at>=1704106800000 | where record_created_at<=1704844800000"
transmit nozomi_vantage "{\"host\":\"nozomi-server.vantage.nozominetworks.io\", \"port\":443}" "{\"auth\":{\"key_name\":\"KEY NAME\", \"key_token\":\"KEY TOKEN\"}}" results "query=alerts | where ip_src==\"1.1.1.1\" OR ip_dst==\"1.1.1.1\" | where record_created_at>=1704106800000 | where record_created_at<=1704844800000"
0
1
```
Expand Down Expand Up @@ -93,8 +93,8 @@ transmit nozomi "{\"host\":\"nozomi-xxxxxxxxx.vantage.nozominetworks.io\", \"por
"ip_dst": "2.2.2.2",
"ip_dst:info": null,
"status": "open",
"mac_src": "00:d0:24:25:f9:54",
"mac_dst": "ff:ff:ff:ff:ff:ff",
"mac_src": "01:01:01:01:01:01",
"mac_dst": "02:02:02:02:02:02",
"port_dst": null,
"port_src": null,
"protocol": "",
Expand Down Expand Up @@ -132,7 +132,7 @@ transmit nozomi "{\"host\":\"nozomi-xxxxxxxxx.vantage.nozominetworks.io\", \"por
}
]
},
"incident_key_confidence:AnomalousPackets_10.80.68.90-255.255.255.255-": 1.0
"incident_key_confidence:AnomalousPacket": 1.0
},
"closed_time": 0,
"close_option": null,
Expand Down Expand Up @@ -231,12 +231,12 @@ transmit nozomi "{\"host\":\"nozomi-xxxxxxxxx.vantage.nozominetworks.io\", \"por
},
"4": {
"type": "mac-addr",
"value": "00:d0:24:25:f9:54",
"value": "01:01:01:01:01:01",
"x_nozomi_info_ref": "7"
},
"5": {
"type": "mac-addr",
"value": "ff:ff:ff:ff:ff:ff",
"value": "02:02:02:02:02:02",
"x_nozomi_info_ref": "6"
},
"6": {
Expand Down Expand Up @@ -286,7 +286,7 @@ transmit nozomi "{\"host\":\"nozomi-xxxxxxxxx.vantage.nozominetworks.io\", \"por

```shell
translate
nozomi
nozomi_vantage
query {}
"[(ipv4-addr:value = '1.1.1.1' AND network-traffic:dst_port == 22) OR network-traffic:protocols[*] == 'ssh'] START t'2024-01-01T00:00:00.000Z' STOP t'2024-01-16T11:54:00.000Z'"
```
Expand All @@ -303,11 +303,11 @@ query {}
### STIX Execute query
```shell
execute
nozomi
nozomi
"{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"Nozomi\",\"identity_class\":\"events\", \"created\": \"2023-04-11T16:11:11.878Z\",\"modified\": \"2023-04-11T16:11:11.878Z\"}"
"{\"host\":\"nozomi-xxxxxxx.vantage.nozominetworks.io\", \"port\":443}"
"{\"auth\":{\"key_name\":\"XXXXXXX\", \"key_token\":\"xxxxxxxxxxxxxxxxxxxxxxxxxxxx\"}}"
nozomi_vantage
nozomi_vantage
"{\"type\":\"identity\",\"id\":\"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",\"name\":\"Nozomi Vantage\",\"identity_class\":\"events\", \"created\": \"2023-04-11T16:11:11.878Z\",\"modified\": \"2023-04-11T16:11:11.878Z\"}"
"{\"host\":\"nozomi-server.vantage.nozominetworks.io\", \"port\":443}"
"{\"auth\":{\"key_name\":\"KEY NAME\", \"key_token\":\"KEY TOKEN\"}}"
"[(ipv4-addr:value = '1.1.1.1' AND network-traffic:dst_port == 22) OR network-traffic:protocols[*] == 'ssh'] START t'2024-01-01T00:00:00.000Z' STOP t'2024-01-16T11:54:00.000Z'"
```

Expand All @@ -320,7 +320,7 @@ nozomi
{
"type": "identity",
"id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"name": "Nozomi",
"name": "Nozomi Vantage",
"identity_class": "events",
"created": "2023-04-11T16:11:11.878Z",
"modified": "2023-04-11T16:11:11.878Z"
Expand All @@ -338,7 +338,7 @@ nozomi
"time_observed": "2024-01-09T09:19:33.000Z",
"name": "New global MAC vendor",
"finding_type": "alert",
"description": "A new Private MAC Address has been found in the network -- 52:54:00:12:35:02",
"description": "A new Private MAC Address has been found in the network -- 02:02:02:02:02:02",
"x_is_acknowledged": false,
"severity": 50,
"src_ip_ref": "1",
Expand Down Expand Up @@ -461,10 +461,8 @@ nozomi
- The maximum allowable page number is 1,000. Requests for pages beyond this limit will result in an error response Bad request.

### References
- [Nozomi Product Overview](https://www.nozominetworks.com/products/vantage)
- [Vantage Overview | Help and documentation](https://help.vantage.nozominetworks.io/docs/)
- [Online User Manual](https://technicaldocs.nozominetworks.com/n2os-ol-um-intro.html)
- [User Manual SDK](https://technicaldocs.nozominetworks.com/n2os-ol-sdk-intro.html)
- [API Documentation](https://technicaldocs.nozominetworks.com/products/n2os/sdk/open-api-index.html)
- [Query endpoint](https://technicaldocs.nozominetworks.com/products/n2os/sdk/open-api-query.html)

### Appendix
List of fields that is available in schema of Nozomi alert logs
File renamed without changes.
@@ -1,7 +1,7 @@
{
"connection": {
"type": {
"displayName": "Nozomi",
"displayName": "Nozomi Vantage",
"group": "nozomi"
},
"host": {
File renamed without changes.
@@ -1,5 +1,5 @@
##### Updated on 01/22/24
## Nozomi
## Nozomi Vantage
### Results STIX Domain Objects
* Identity
* Observed Data
Expand Up @@ -28,7 +28,7 @@ class QueryStringPatternTranslator:

def __init__(self, pattern: Pattern, data_model_mapper, options):

logger.info("Nozomi Connector")
logger.info("Nozomi Vantage Connector")
self.dmm = data_model_mapper
self.comparator_lookup = self.dmm.map_comparator()
self.config_map = self.load_json(CONFIG_MAP_PATH)
Expand Down Expand Up @@ -190,7 +190,7 @@ def _check_value_comparator_support(self, value, comparator, mapped_field_type,
ComparisonComparators.GreaterThanOrEqual,
ComparisonComparators.LessThanOrEqual,
ComparisonComparators.IsSubSet):
raise NotImplementedError('Nozomi is not supported for NOT <, NOT >, NOT <=, NOT >=, NOT ISSUBSET'
raise NotImplementedError('Nozomi Vantage is not supported for NOT <, NOT >, NOT <=, NOT >=, NOT ISSUBSET'
' operators')

if mapped_field_type == "bytes" and comparator in (ComparisonComparators.Equal, ComparisonComparators.NotEqual,
Expand Down Expand Up @@ -219,19 +219,13 @@ def _eval_comparison_value(self, expression, mapped_field_type, mapped_fields_ar
:param mapped_fields_array: list object
:return: formatted expression value
"""
if expression.comparator == ComparisonComparators.Like:
value = self._check_value_comparator_support(expression.value, expression.comparator, mapped_field_type,
mapped_fields_array, expression)
value = self._format_value(value)
elif expression.comparator == ComparisonComparators.In:
if expression.comparator == ComparisonComparators.In:
value = self._format_set(expression.value, mapped_field_type, expression, mapped_fields_array)
elif expression.comparator in [ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
elif expression.comparator in [ComparisonComparators.Like,
ComparisonComparators.GreaterThan, ComparisonComparators.GreaterThanOrEqual,
ComparisonComparators.LessThan, ComparisonComparators.LessThanOrEqual,
ComparisonComparators.Equal, ComparisonComparators.NotEqual]:
value = self._check_value_comparator_support(expression.value, expression.comparator, mapped_field_type,
mapped_fields_array, expression)
value = self._format_value(value)
elif expression.comparator == ComparisonComparators.IsSubSet:
ComparisonComparators.Equal, ComparisonComparators.NotEqual,
ComparisonComparators.IsSubSet]:
value = self._check_value_comparator_support(expression.value, expression.comparator, mapped_field_type,
mapped_fields_array, expression)
value = self._format_value(value)
Expand Down Expand Up @@ -334,11 +328,15 @@ def check_common_timestamp(query_01, query_02):
:param query_02: str
:return query_01_without_timestamp str, query_02_without_timestamp str, timestamp str
"""
# Last 81 characters in the query string contains timestamp value
if query_01[-81:] == query_02[-81:]:
timestamp = query_02[-81:]
query_01_without_timestamp = query_01[:-81]
query_02_without_timestamp = query_02[:-81]
# Find the index where timestamp starts in the query string
query_01_timestamp_index = query_01.find('| where record_created_at>=')
query_02_timestamp_index = query_02.find('| where record_created_at>=')

# Check if the substrings from the index in both query strings are equal.
if query_01[query_01_timestamp_index:] == query_02[query_02_timestamp_index:]:
timestamp = query_02[query_02_timestamp_index:]
query_01_without_timestamp = query_01[:query_01_timestamp_index]
query_02_without_timestamp = query_02[:query_02_timestamp_index]
return query_01_without_timestamp, query_02_without_timestamp, timestamp
return query_01, query_02, None

Expand Down Expand Up @@ -538,7 +536,7 @@ def parse_expression(self, pattern: Pattern) -> list:

def translate_pattern(pattern: Pattern, data_model_mapping, options) -> list:
"""
Conversion of ANTLR pattern to nozomi query
Conversion of ANTLR pattern to nozomi vantage query
:param pattern: expression object, ANTLR parsed expression object
:param data_model_mapping: DataMapper object, mapping object obtained by parsing json
:param options: dict, time_range defaults to 5
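Review bot: In check_common_timestamp, `str.find` returns -1 when `'| where record_created_at>='` is absent, and the new code slices on that value without checking it, so two queries that lack the timestamp clause (or carry it in only one of them) are compared on their last character and have that character stripped. Guard the lookups before the comparison: `if query_01_timestamp_index == -1 or query_02_timestamp_index == -1:` followed by `    return query_01, query_02, None`. The old fixed-width `[-81:]` slice was also blind to this case, but the new lookup makes it explicit and cheap to handle. The function's signature is outside the hunk; both `return` statements are visible.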
@@ -1,7 +1,7 @@
import re
from stix_shifter_utils.utils import logger
from datetime import datetime, timezone
from stix_shifter_utils.stix_translation.src.utils.transformers import ValueTransformer
from stix_shifter_utils.stix_translation.src.utils.transformers import EpochToTimestamp

LOGGER = logger.set_logger(__name__)
connector = __name__.split('.')[1]
Expand Down Expand Up @@ -76,7 +76,7 @@ def transform(obj):
return int(float(obj) * 10)
return None
except ValueError:
LOGGER.error("%s connector error, cannot convert input : %s", connector, obj)
LOGGER.error("%s connector error, cannot convert field into a severity rating : %s", connector, obj)
raise


Expand All @@ -93,7 +93,7 @@ def transform(obj):
return int(str(obj).replace(" bytes", ""))
return None
except ValueError:
LOGGER.error("%s connector error, cannot convert input : %s", connector, obj)
LOGGER.error("%s connector error, failed to convert byte size to integer : %s", connector, obj)
raise


Expand All @@ -108,19 +108,19 @@ def transform(obj):
try:
if obj:
if '/' in obj:
protocol = obj.split("/")[0]
protocol = obj.split("/")[0].lower()
return [protocol]
if obj == 'unknown':
return ['tcp']
return [obj.lower()]
return None
except ValueError:
LOGGER.error("%s connector error, cannot convert input : %s", connector, obj)
LOGGER.error("%s connector error, cannot convert input into protocol value : %s", connector, obj)
raise


class EpochToTimestampConversion(ValueTransformer):
"""A value transformer for the 13-digit timestamps
"""A value transformer for the 13-digit timestamps with check on input value
Example:
Input: 1698836400000
Output: '2023-11-01T11:00:00.000Z'
Expand All @@ -129,7 +129,7 @@ class EpochToTimestampConversion(ValueTransformer):
def transform(obj):
try:
if obj:
return datetime.fromtimestamp(int(obj)/1000, timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
return EpochToTimestamp.transform(obj)
return None
except ValueError:
LOGGER.error("%s connector error, cannot convert epoch value %s to timestamp", connector, obj)
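Review bot: EpochToTimestampConversion.transform now delegates to `EpochToTimestamp.transform` but keeps the `except ValueError` handler that was written for the removed inline `int(obj)` conversion; whether the shared transformer raises ValueError, raises a different exception, or logs and returns on bad input is not visible here, so confirm the handler still fires for the non-numeric case the log message describes. The new docstring wording `with check on input value` is vague — the only check visible is the falsy guard that returns None, so state that: `A value transformer for 13-digit epoch-millisecond timestamps; returns None for an empty input and otherwise delegates to EpochToTimestamp.` The class docstring and the end of the transform body continue outside the hunk.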
Expand Up @@ -6,6 +6,7 @@
400: ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR,
401: ErrorCode.TRANSMISSION_AUTH_CREDENTIALS,
403: ErrorCode.TRANSMISSION_QUERY_PARSING_ERROR,
404: ErrorCode.TRANSMISSION_CONNECT,
408: ErrorCode.TRANSMISSION_CONNECT,
422: ErrorCode.TRANSMISSION_INVALID_PARAMETER,
500: ErrorCode.TRANSMISSION_REMOTE_SYSTEM_IS_UNAVAILABLE
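Review bot: Mapping 404 to `ErrorCode.TRANSMISSION_CONNECT` on the added line folds a "resource or path not found" response into the same bucket as a timeout (408), so an operator chasing a connectivity error will not see that the API path itself was rejected. If this is deliberate because the service answers 404 for a wrong host or endpoint path, record that next to the entry: `404: ErrorCode.TRANSMISSION_CONNECT,  # unknown host/API path surfaced as a connect error — confirm against Vantage's behaviour`. The mapping dict starts and ends outside the hunk.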
@@ -1,16 +1,16 @@
""" test script to perform unit test case for nozomi translate results """
""" test script to perform unit test case for nozomi vantage translate results """
import unittest
from stix_shifter_modules.nozomi.entry_point import EntryPoint
from stix_shifter_modules.nozomi_vantage.entry_point import EntryPoint
from stix_shifter_utils.stix_translation.src.json_to_stix import json_to_stix_translator
from stix_shifter_utils.stix_translation.src.utils.transformer_utils import get_module_transformers

MODULE = "nozomi"
MODULE = "nozomi_vantage"
entry_point = EntryPoint()
map_data = entry_point.get_results_translator().map_data
data_source = {
"type": "identity",
"id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"name": "nozomi",
"name": "nozomi_vantage",
"identity_class": "events"
}
options = {}
Expand Down Expand Up @@ -140,7 +140,7 @@

class TestNozomiResultsToStix(unittest.TestCase):
"""
class to perform unit test case for nozomi translate results
class to perform unit test case for nozomi vantage translate results
"""

@staticmethod
