From d61a5a543af05b1914f50c2e1d36bb73d16e40c1 Mon Sep 17 00:00:00 2001 
From: Danny Elliott Date: Mon, 15 May 2023 16:09:35 -0300 Subject: [PATCH] SDO connector cleanup and table of mappings (#1484) --- stix_shifter/requirements.txt | 3 +- .../scripts/supported_property_exporter.py | 179 +++++++++++------- stix_shifter_modules/abuseipdb/README.md | 7 + .../abuseipdb/abuseipdb_supported_stix.md | 36 ++++ .../abuseipdb/requirements.txt | 1 - .../alertflex/alertflex_supported_stix.md | 6 +- .../alienvault_otx/.coveragerc | 2 - stix_shifter_modules/alienvault_otx/README.md | 7 + .../alienvault_otx_supported_stix.md | 42 ++++ .../arcsight/arcsight_supported_stix.md | 6 +- .../aws_athena/aws_athena_supported_stix.md | 6 +- .../aws_cloud_watch_logs_supported_stix.md | 6 +- .../azure_log_analytics_supported_stix.md | 6 +- .../bigfix/bigfix_supported_stix.md | 6 +- .../carbonblack/carbonblack_supported_stix.md | 6 +- .../cbcloud/cbcloud_supported_stix.md | 6 +- .../crowdstrike/crowdstrike_supported_stix.md | 6 +- .../cybereason/cybereason_supported_stix.md | 6 +- .../darktrace/darktrace_supported_stix.md | 6 +- .../datadog/datadog_supported_stix.md | 6 +- stix_shifter_modules/dshield/.coveragerc | 2 - stix_shifter_modules/dshield/README.md | 7 + .../dshield/dshield_supported_stix.md | 36 ++++ stix_shifter_modules/dshield/requirements.txt | 1 - .../elastic_ecs/elastic_ecs_supported_stix.md | 90 +++++---- .../gcp_chronicle_supported_stix.md | 6 +- .../guardium/guardium_supported_stix.md | 6 +- .../ibm_security_verify_supported_stix.md | 6 +- stix_shifter_modules/intezer/.coveragerc | 2 - stix_shifter_modules/intezer/README.md | 7 + .../intezer/intezer_supported_stix.md | 40 ++++ stix_shifter_modules/intezer/requirements.txt | 1 - .../msatp/msatp_supported_stix.md | 6 +- .../okta/okta_supported_stix.md | 6 +- .../onelogin/onelogin_supported_stix.md | 6 +- .../paloalto/paloalto_supported_stix.md | 6 +- .../proofpoint/proofpoint_supported_stix.md | 6 +- .../qradar/qradar_supported_stix.md | 6 +- .../reaqta/reaqta_supported_stix.md | 6 +- 
.../recorded_future/README.md | 7 + .../recorded_future_supported_stix.md | 42 ++++ .../recorded_future/requirements.txt | 1 - stix_shifter_modules/reversinglabs/README.md | 6 + .../reversinglabs/requirements.txt | 1 - .../reversinglabs_supported_stix.md | 42 ++++ .../rhacs/rhacs_supported_stix.md | 6 +- .../secretserver_supported_stix.md | 6 +- .../sentinelone/sentinelone_supported_stix.md | 6 +- .../splunk/splunk_supported_stix.md | 8 +- .../sumologic/sumologic_supported_stix.md | 6 +- stix_shifter_modules/threat_grid/.coveragerc | 2 - stix_shifter_modules/threat_grid/README.md | 7 + .../threat_grid/requirements.txt | 1 - .../threat_grid/threat_grid_supported_stix.md | 41 ++++ stix_shifter_modules/threat_q/README.md | 7 + .../threat_q/requirements.txt | 1 - .../threat_q/threat_q_supported_stix.md | 42 ++++ .../trendmicro_vision_one_supported_stix.md | 6 +- stix_shifter_modules/virus_total/.coveragerc | 2 - stix_shifter_modules/virus_total/README.md | 7 + .../virus_total/requirements.txt | 1 - .../virus_total/virus_total_supported_stix.md | 42 ++++ 62 files changed, 725 insertions(+), 160 deletions(-) create mode 100644 stix_shifter_modules/abuseipdb/README.md create mode 100644 stix_shifter_modules/abuseipdb/abuseipdb_supported_stix.md delete mode 100644 stix_shifter_modules/abuseipdb/requirements.txt delete mode 100644 stix_shifter_modules/alienvault_otx/.coveragerc create mode 100644 stix_shifter_modules/alienvault_otx/README.md create mode 100644 stix_shifter_modules/alienvault_otx/alienvault_otx_supported_stix.md delete mode 100644 stix_shifter_modules/dshield/.coveragerc create mode 100644 stix_shifter_modules/dshield/README.md create mode 100644 stix_shifter_modules/dshield/dshield_supported_stix.md delete mode 100644 stix_shifter_modules/dshield/requirements.txt delete mode 100644 stix_shifter_modules/intezer/.coveragerc create mode 100644 stix_shifter_modules/intezer/README.md create mode 100644 stix_shifter_modules/intezer/intezer_supported_stix.md 
delete mode 100644 stix_shifter_modules/intezer/requirements.txt
create mode 100644 stix_shifter_modules/recorded_future/README.md
create mode 100644 stix_shifter_modules/recorded_future/recorded_future_supported_stix.md
delete mode 100644 stix_shifter_modules/reversinglabs/requirements.txt
create mode 100644 stix_shifter_modules/reversinglabs/reversinglabs_supported_stix.md
delete mode 100644 stix_shifter_modules/threat_grid/.coveragerc
create mode 100644 stix_shifter_modules/threat_grid/README.md
delete mode 100644 stix_shifter_modules/threat_grid/requirements.txt
create mode 100644 stix_shifter_modules/threat_grid/threat_grid_supported_stix.md
create mode 100644 stix_shifter_modules/threat_q/README.md
delete mode 100644 stix_shifter_modules/threat_q/requirements.txt
create mode 100644 stix_shifter_modules/threat_q/threat_q_supported_stix.md
delete mode 100644 stix_shifter_modules/virus_total/.coveragerc
create mode 100644 stix_shifter_modules/virus_total/README.md
create mode 100644 stix_shifter_modules/virus_total/virus_total_supported_stix.md
diff --git a/stix_shifter/requirements.txt b/stix_shifter/requirements.txt
index 6dbc8b6d9..8e07608a1 100644
--- a/stix_shifter/requirements.txt
+++ b/stix_shifter/requirements.txt
@@ -17,4 +17,5 @@ stix2-matcher==3.0.0
 stix2-patterns==1.3.2
 stix2-validator==3.1.3
 xmltodict==0.13.0
-urllib3==1.26.15
\ No newline at end of file
+urllib3==1.26.15
+uuid==1.30
\ No newline at end of file
diff --git a/stix_shifter/scripts/supported_property_exporter.py b/stix_shifter/scripts/supported_property_exporter.py
index e2621662d..a7ba25801 100644
--- a/stix_shifter/scripts/supported_property_exporter.py
+++ b/stix_shifter/scripts/supported_property_exporter.py
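Review bot: `+uuid==1.30` moves a dependency into the core `stix_shifter/requirements.txt` that the project does not need: `uuid` has been a standard-library module since Python 2.5, and the PyPI package of that name appears to be the 2006-era backport of that same module, so pinning it here adds an unmaintained third-party package to every install instead of removing it. The per-connector `requirements.txt` files deleted later in this patch each contained only `uuid==1.30`, which suggests the intent was to drop it rather than centralize it; if the connectors only `import uuid`, the line can be removed outright. The file also still ends with `\ No newline at end of file`, which the same edit could fix.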
@@ -1,15 +1,21 @@
 import json
+import argparse
 from os import path
 import re
 from datetime import datetime
 
+## Script for generating a table of mappings for each connector based on the operator, from-stix, and to-stix mapping files
+## Add --sdo SDO argument for connectors that use SDO mappings instead of a to-stix SCO mapping file
+## python supported_property_exporter.py --sdo SDO
+
 current_dir = path.abspath(path.dirname(__file__))
 CONNECTOR_MODULE_PATH = path.abspath(path.join(current_dir, "../../stix_shifter_modules"))
 ADAPTER_GUIDE_PATH = path.abspath(path.join(current_dir, '../../adapter-guide'))
 
 # Add new connectors to this dictionary as they become available. The key must match the name of the translation module.
-CONNECTORS = {
+# Comment out any connectors you wish to ommit.
+SCO_CONNECTORS = {
     "qradar": "IBM QRadar",
     "splunk": "Splunk Enterprise Security",
     "bigfix": "HCL BigFix",
@@ -20,7 +26,7 @@
     # "security_advisor": "IBM Cloud Security Advisor",
     "guardium": "IBM Guardium Data Protection",
     "aws_cloud_watch_logs": "Amazon CloudWatch Logs",
-    "azure_sentinel": "Microsoft Graph Security",
+    # "azure_sentinel": "Microsoft Graph Security",
     "alertflex": "Alertflex",
     "arcsight": "Micro Focus ArcSight",
     "aws_athena": "Amazon Athena",
@@ -44,6 +50,18 @@
     "okta": "Okta"
 }
 
+SDO_CONNECTORS = {
+    "abuseipdb": "AbuseIPDB",
+    "alienvault_otx": "AlienVault OTX",
+    "dshield": "SANS ISC DShield",
+    "intezer": "Intezer",
+    "recorded_future": "Recorded Future",
+    "reversinglabs": "ReversingLabs",
+    "threat_grid": "Cisco Threat Grid",
+    "threat_q": "ThreatQ",
+    "virus_total": "VirusTotal"
+}
+
 DEFAULT_DIALECT = "default"
 
 DIALECTS = {
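Review bot: The new comment above `SCO_CONNECTORS` has a typo, `+# Comment out any connectors you wish to ommit.` should read `omit`. The three `##` lines added after the imports describe the whole script and would serve better as a module docstring at the top of the file, e.g. `"""Generate a per-connector table of supported STIX mappings from its operators, from-stix and to-stix mapping files."""`, so that tooling and `help()` pick it up instead of a bare comment block sitting between the imports and the constants. Everything else in these three hunks is a constant-table change.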
@@ -85,6 +103,17 @@ def __main__():
+    # process arguments
+    parent_parser = argparse.ArgumentParser(description='mapping_table_generator')
+    parent_parser.add_argument('--sdo',help='Generate tables for connectors that use SDO mapping')
+
+    args = parent_parser.parse_args()
+
+    if args.sdo:
+        CONNECTORS = SDO_CONNECTORS
+    else:
+        CONNECTORS = SCO_CONNECTORS
+
     table_of_contents = "# Currently supported STIX objects and properties\n\n"
     table_of_contents += "Each connector supports a set of STIX objects and properties as defined in the connector's mapping files. There is also a set of common STIX properties that all cyber observable objects must contain. See [STIX™ Version 2.0. Part 4: Cyber Observable Objects](http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber-observable-objects.html) for more information on STIX objects.\n"
     table_of_contents += "## Common cyber observable properties\n\n"
@@ -99,16 +128,7 @@ def __main__():
     table_of_contents_file_path = path.abspath(path.join(ADAPTER_GUIDE_PATH, "supported-mappings.md"))
     table_of_contents_file = open(table_of_contents_file_path, "w")
 
-    for index, (key, module) in enumerate(CONNECTORS.items()):
-        try:
-            filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))
-            to_stix_json_file = open(filepath)
-            loaded_to_stix_json = json.loads(to_stix_json_file.read())
-
-
-        except(Exception):
-            print("Error for {} module".format(key))
-            continue
+    for _, (key, module) in enumerate(CONNECTORS.items()):
 
         data_field_alias_mapping = []
         if key == 'qradar':
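Review bot: `--sdo` is declared without `action='store_true'`, so it demands a throwaway value (hence `--sdo SDO` in the header comment) and any non-empty value, including `--sdo false` or `--sdo 0`, selects the SDO connector set because `if args.sdo:` only tests truthiness. `parent_parser.add_argument('--sdo', action='store_true', help='Generate tables for connectors that use SDO mapping')` makes it a real flag; the usage line in the first hunk would then become `python supported_property_exporter.py --sdo`. In the second hunk, `for _, (key, module) in enumerate(CONNECTORS.items()):` keeps an `enumerate` whose index is now discarded; `for key, module in CONNECTORS.items():` is the idiomatic form. `__main__` starts before these hunks and continues past them.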
@@ -122,27 +142,23 @@ def __main__():
                 print("Error for {} module".format(key))
                 continue
 
-        stix_attribute_collection = _parse_attributes(loaded_to_stix_json, key, {})
-
         output_string = ""
         output_string += "##### Updated on " + UPDATED_AT + "\n"
         output_string += "## " + module + "\n"
         table_of_contents += "- [{}]({})\n".format(module, "../stix_shifter_modules/{}/{}_supported_stix.md".format(key, key))
 
+        # SDOs
+        try:
+            output_string = _generate_sdo_list(output_string, args)
+        except Exception as e:
+            print("Error constructing SDO list for {} module: {}".format(key, e))
+            continue
 
         # OPERATORS
         try:
             filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "operators.json"))
             operators_json_file = open(filepath)
-            loaded_operators_json = json.loads(operators_json_file.read())
-            stix_operator_collection = _parse_operators(loaded_operators_json, {})
-            output_string += "### Supported STIX Operators\n"
-            output_string += "*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*\n\n"
-            output_string += "| STIX Operator | Data Source Operator |\n"
-            output_string += "|--|--|\n"
-            for stix_operator, ds_operator in stix_operator_collection.items():
-                output_string += "| {} | {} |\n".format(stix_operator, ds_operator)
-            output_string += "|
 | |\n"
+            output_string = _generate_operators_table(operators_json_file, output_string)
             operators_json_file.close()
         except Exception as e:
             print("Error constructing STIX operator mapping table for {} module: {}".format(key, e))
@@ -163,65 +179,96 @@ def __main__():
             output_string += "### Searchable STIX objects and properties for {} dialect\n".format(dialect.capitalize())
             filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "{}from_stix_map.json".format(dialect + "_")))
             from_stix_json_file = open(filepath)
-            loaded_from_stix_json = json.loads(from_stix_json_file.read())
-            # sorted_from_stix_objects = json.dumps(loaded_from_stix_json, sort_keys=True)
-            # sorted_attribute_objects = json.loads(sorted_attribute_objects)
-            if key == 'cybereason':
-                output_string += "*The Cybereason connector can only join specific linked fields with the AND operator as defined in its [configmap](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/stix_shifter_modules/aws_athena/stix_translation/json/operators.json).*\n\n"
-            output_string += "| STIX Object and Property | Mapped Data Source Fields |\n"
-            output_string += "|--|--|\n"
-            for stix_object_key, value in loaded_from_stix_json.items():
-                property_dictionary = value["fields"]
-                for s_property, fields_list in property_dictionary.items():
-                    if not isinstance(fields_list, list):
-                        fields_list = [fields_list]
-                    orig_fields_list = []
-                    if data_field_alias_mapping:
-                        # TODO: Get real field name for QRadar
-                        for aliased_field in fields_list:
-                            orig_data_field = _get_data_field(aliased_field, data_field_alias_mapping)
-                            orig_fields_list.append(orig_data_field)
-                    else:
-                        orig_fields_list = fields_list
-
-                    # output_string += "| {} | {} | {} |\n".format(stix_object_key, s_property, fields_list)
-                    # fields_string = ', '.join(map(str, fields_list))
-
-                    output_string += "| **{}**:{} | {} |\n".format(stix_object_key, s_property, ', '.join(map(str, orig_fields_list)))
-            output_string += "|
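Review bot: The handle from `operators_json_file = open(filepath)` is closed only on the success path; if `_generate_operators_table` raises, the `except` prints and `continue`s with the file still open, and the refactor that moved the body into a helper is the natural moment to fix this rather than keep the old pattern. The two lines reduce to `with open(filepath) as operators_json_file:` / `output_string = _generate_operators_table(operators_json_file, output_string)` with the explicit `operators_json_file.close()` dropped. The same open/close-on-success pattern recurs in the next hunk for `from_stix_json_file`, `to_stix_json_file` and `supported_stix_file`. `__main__` starts before this hunk and continues past it.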
 | |\n"
+            output_string = _generate_from_stix_table(from_stix_json_file, key, data_field_alias_mapping, output_string)
             from_stix_json_file.close()
         except Exception as e:
             print("Error constructing from-STIX mapping table for {} module: {}".format(key, e))
             continue
 
-        # TO-STIX
+        if not args.sdo:
+            try:
+                filepath = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "stix_translation/json", "to_stix_map.json"))
+                to_stix_json_file = open(filepath)
+                output_string = _generate_to_stix_table(key, to_stix_json_file, data_field_alias_mapping, output_string)
+                to_stix_json_file.close()
+            except Exception as e:
+                print("Error constructing to-STIX mapping table for {} module: {}".format(key, e))
+                continue
+
         try:
-            # supported_stix_file_path = path.abspath(path.join(ADAPTER_GUIDE_PATH, "connectors", "{}_supported_stix.md".format(key)))
             supported_stix_file_path = path.abspath(path.join(CONNECTOR_MODULE_PATH, key, "{}_supported_stix.md".format(key)))
             supported_stix_file = open(supported_stix_file_path, "w")
-            sorted_attribute_objects = json.dumps(stix_attribute_collection, sort_keys=True)
-            sorted_attribute_objects = json.loads(sorted_attribute_objects)
-            output_string += "### Supported STIX Objects and Properties for Query Results\n"
-            output_string += "| STIX Object | STIX Property | Data Source Field |\n"
-            output_string += "|--|--|--|\n"
-            for stix_object, property_list in sorted_attribute_objects.items():
-                for index, prop in enumerate(property_list):
-                    stix_property, data_field = prop.split(":")
-                    if data_field_alias_mapping:
-                        data_field = _get_data_field(data_field, data_field_alias_mapping)
-                    output_string += "| {} | {} | {} |\n".format(stix_object, stix_property, data_field)
-            output_string += "|
 | | |\n"
-            to_stix_json_file.close()
             supported_stix_file.write(output_string)
             supported_stix_file.close()
         except Exception as e:
-            print("Error constructing to-STIX mapping table for {} module: {}".format(key, e))
-            continue
+            print("Error writing mapping tables for {} module: {}".format(key, e))
+            continue
 
     table_of_contents_file.write(table_of_contents)
     table_of_contents_file.close()
 
+def _generate_sdo_list(output_string, args):
+    output_string += "### Results STIX Domain Objects\n"
+    if args.sdo:
+        output_string += "* Identity\n* Sighting\n* Infrastructure\n* Malware\n* Extension\n* Indicator\n"
+    else:
+        output_string += "* Identity\n* Observed Data\n"
+    output_string += "
 \n"
+    return output_string
+
+def _generate_operators_table(operators_json_file, output_string):
+    loaded_operators_json = json.loads(operators_json_file.read())
+    stix_operator_collection = _parse_operators(loaded_operators_json, {})
+    output_string += "### Supported STIX Operators\n"
+    output_string += "*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*\n\n"
+    output_string += "| STIX Operator | Data Source Operator |\n"
+    output_string += "|--|--|\n"
+    for stix_operator, ds_operator in stix_operator_collection.items():
+        output_string += "| {} | {} |\n".format(stix_operator, ds_operator)
+    output_string += "|
 | |\n"
+    return output_string
+
+def _generate_from_stix_table(from_stix_json_file, key, data_field_alias_mapping, output_string):
+    loaded_from_stix_json = json.loads(from_stix_json_file.read())
+    if key == 'cybereason':
+        output_string += "*The Cybereason connector can only join specific linked fields with the AND operator as defined in its [configmap](https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/stix_shifter_modules/aws_athena/stix_translation/json/operators.json).*\n\n"
+    output_string += "| STIX Object and Property | Mapped Data Source Fields |\n"
+    output_string += "|--|--|\n"
+    for stix_object_key, value in loaded_from_stix_json.items():
+        property_dictionary = value["fields"]
+        for s_property, fields_list in property_dictionary.items():
+            if not isinstance(fields_list, list):
+                fields_list = [fields_list]
+            orig_fields_list = []
+            if data_field_alias_mapping:
+                # TODO: Get real field name for QRadar
+                for aliased_field in fields_list:
+                    orig_data_field = _get_data_field(aliased_field, data_field_alias_mapping)
+                    orig_fields_list.append(orig_data_field)
+            else:
+                orig_fields_list = fields_list
+            output_string += "| **{}**:{} | {} |\n".format(stix_object_key, s_property, ', '.join(map(str, orig_fields_list)))
+    output_string += "|
 | |\n"
+    return output_string
+
+def _generate_to_stix_table(key, to_stix_json_file, data_field_alias_mapping, output_string):
+    loaded_to_stix_json = json.loads(to_stix_json_file.read())
+    stix_attribute_collection = _parse_attributes(loaded_to_stix_json, key, {})
+    sorted_attribute_objects = json.dumps(stix_attribute_collection, sort_keys=True)
+    sorted_attribute_objects = json.loads(sorted_attribute_objects)
+    output_string += "### Supported STIX Objects and Properties for Query Results\n"
+    output_string += "| STIX Object | STIX Property | Data Source Field |\n"
+    output_string += "|--|--|--|\n"
+    for stix_object, property_list in sorted_attribute_objects.items():
+        for index, prop in enumerate(property_list):
+            stix_property, data_field = prop.split(":")
+            if data_field_alias_mapping:
+                data_field = _get_data_field(data_field, data_field_alias_mapping)
+            output_string += "| {} | {} | {} |\n".format(stix_object, stix_property, data_field)
+    output_string += "|
 | | |\n"
+    return output_string
+
+
 def _get_data_field(data_field, data_field_alias_mapping):
     for value in data_field_alias_mapping:
diff --git a/stix_shifter_modules/abuseipdb/README.md b/stix_shifter_modules/abuseipdb/README.md
new file mode 100644
index 000000000..33a8f45a7
--- /dev/null
+++ b/stix_shifter_modules/abuseipdb/README.md
@@ -0,0 +1,7 @@
+# AbuseIPDB
+
+Determine whether an IP was reported or not as malicious by AbuseIPDB.
+
+## Supported STIX Mappings
+
+See the [table of mappings](abuseipdb_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/abuseipdb/abuseipdb_supported_stix.md b/stix_shifter_modules/abuseipdb/abuseipdb_supported_stix.md
new file mode 100644
index 000000000..dfb0d10c8
--- /dev/null
+++ b/stix_shifter_modules/abuseipdb/abuseipdb_supported_stix.md
@@ -0,0 +1,36 @@
+##### Updated on 05/15/23
+## AbuseIPDB
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
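Review bot: `_generate_sdo_list` writes a fixed list of domain objects chosen only by `args.sdo`, so the "Results STIX Domain Objects" section is identical for every connector in a set and, unlike the other three tables, is not derived from that connector's mapping files; the new markdown files later in this patch show the same six-item list for each SDO connector. That should be stated in a docstring, e.g. `"""Append the static list of STIX Domain Objects emitted by this kind of connector; not read from mapping files."""`, and the other new helpers (`_generate_operators_table`, `_generate_from_stix_table`, `_generate_to_stix_table`) likewise lack a docstring naming their parameters and that they return the extended `output_string`. In `_generate_to_stix_table`, `stix_property, data_field = prop.split(":")` raises `ValueError` if a data-source field name itself contains a colon, which the caller's `except` then reports as a whole-module failure; `prop.split(":", 1)` is safer, assuming `_parse_attributes` (outside this view) joins property and field with a single colon. The relocated Cybereason note in `_generate_from_stix_table` still links to `aws_athena/stix_translation/json/operators.json` rather than the Cybereason operators file. `__main__` starts before this hunk, and the hunk cuts `_get_data_field` after its first body line.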
+### Supported STIX Operators +*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* + +| STIX Operator | Data Source Operator | +|--|--| +| AND (Comparision) | AND | +| OR (Comparision) | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | = | +| IN | IN | +| MATCHES | CONTAINS | +| ISSUBSET | insubnet | +| OR (Observation) | OR | +| AND (Observation) | AND | +|
| | +### Searchable STIX objects and properties +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 | +| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 | +|
| | diff --git a/stix_shifter_modules/abuseipdb/requirements.txt b/stix_shifter_modules/abuseipdb/requirements.txt deleted file mode 100644 index 4336eaa01..000000000 --- a/stix_shifter_modules/abuseipdb/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -uuid==1.30 \ No newline at end of file diff --git a/stix_shifter_modules/alertflex/alertflex_supported_stix.md b/stix_shifter_modules/alertflex/alertflex_supported_stix.md index 07582fddb..e89964861 100644 --- a/stix_shifter_modules/alertflex/alertflex_supported_stix.md +++ b/stix_shifter_modules/alertflex/alertflex_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Alertflex +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/alienvault_otx/.coveragerc b/stix_shifter_modules/alienvault_otx/.coveragerc deleted file mode 100644 index 3dbfbb408..000000000 --- a/stix_shifter_modules/alienvault_otx/.coveragerc +++ /dev/null @@ -1,2 +0,0 @@ -[run] -omit = tests/* \ No newline at end of file diff --git a/stix_shifter_modules/alienvault_otx/README.md b/stix_shifter_modules/alienvault_otx/README.md new file mode 100644 index 000000000..5c328dcb9 --- /dev/null +++ b/stix_shifter_modules/alienvault_otx/README.md @@ -0,0 +1,7 @@ +# AlienVault OTX + +Query AlienVault OTX for IPs, domains, URLs, or file hashes. + +## Supported STIX Mappings + +See the [table of mappings](alienvault_otx_supported_stix.md) for the STIX objects and operators supported by this connector. \ No newline at end of file diff --git a/stix_shifter_modules/alienvault_otx/alienvault_otx_supported_stix.md b/stix_shifter_modules/alienvault_otx/alienvault_otx_supported_stix.md new file mode 100644 index 000000000..c62a104bd --- /dev/null +++ b/stix_shifter_modules/alienvault_otx/alienvault_otx_supported_stix.md @@ -0,0 +1,42 @@ +##### Updated on 05/15/23 +## AlienVault OTX +### Results STIX Domain Objects +* Identity +* Sighting +* Infrastructure +* Malware +* Extension +* Indicator +
+### Supported STIX Operators +*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* + +| STIX Operator | Data Source Operator | +|--|--| +| AND (Comparision) | AND | +| OR (Comparision) | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | = | +| IN | IN | +| MATCHES | CONTAINS | +| ISSUBSET | insubnet | +| OR (Observation) | OR | +| AND (Observation) | AND | +|
| | +### Searchable STIX objects and properties +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **url**:value | Url | +| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 | +| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 | +| **domain-name**:value | Url | +| **file**:hashes.'SHA-256' | sha256hash | +| **file**:hashes.MD5 | md5hash | +| **file**:hashes.'MD5' | md5hash | +| **file**:hashes.'SHA-1' | sha1hash | +|
| | diff --git a/stix_shifter_modules/arcsight/arcsight_supported_stix.md b/stix_shifter_modules/arcsight/arcsight_supported_stix.md index 797b993f2..6b78938c7 100644 --- a/stix_shifter_modules/arcsight/arcsight_supported_stix.md +++ b/stix_shifter_modules/arcsight/arcsight_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Micro Focus ArcSight +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/aws_athena/aws_athena_supported_stix.md b/stix_shifter_modules/aws_athena/aws_athena_supported_stix.md index 7b189f811..0aa923777 100644 --- a/stix_shifter_modules/aws_athena/aws_athena_supported_stix.md +++ b/stix_shifter_modules/aws_athena/aws_athena_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 03/08/23 +##### Updated on 05/15/23 ## Amazon Athena +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md b/stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md index e0030fc05..1fcf22d0e 100644 --- a/stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md +++ b/stix_shifter_modules/aws_cloud_watch_logs/aws_cloud_watch_logs_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 03/08/23 +##### Updated on 05/15/23 ## Amazon CloudWatch Logs +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md b/stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md index a5110cc9f..da9510633 100644 --- a/stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md +++ b/stix_shifter_modules/azure_log_analytics/azure_log_analytics_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 03/08/23 +##### Updated on 05/15/23 ## Azure Log Analytics +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/bigfix/bigfix_supported_stix.md b/stix_shifter_modules/bigfix/bigfix_supported_stix.md index fdbb813f4..c2b1eadb2 100644 --- a/stix_shifter_modules/bigfix/bigfix_supported_stix.md +++ b/stix_shifter_modules/bigfix/bigfix_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## HCL BigFix +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/carbonblack/carbonblack_supported_stix.md b/stix_shifter_modules/carbonblack/carbonblack_supported_stix.md index 310ca6c33..668882584 100644 --- a/stix_shifter_modules/carbonblack/carbonblack_supported_stix.md +++ b/stix_shifter_modules/carbonblack/carbonblack_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Carbon Black CB Response +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/cbcloud/cbcloud_supported_stix.md b/stix_shifter_modules/cbcloud/cbcloud_supported_stix.md index f23003bd9..d9b786d8d 100644 --- a/stix_shifter_modules/cbcloud/cbcloud_supported_stix.md +++ b/stix_shifter_modules/cbcloud/cbcloud_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Carbon Black Cloud +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/crowdstrike/crowdstrike_supported_stix.md b/stix_shifter_modules/crowdstrike/crowdstrike_supported_stix.md index aa89d0ad8..feb29b3cd 100644 --- a/stix_shifter_modules/crowdstrike/crowdstrike_supported_stix.md +++ b/stix_shifter_modules/crowdstrike/crowdstrike_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## CrowdStrike Falcon +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/cybereason/cybereason_supported_stix.md b/stix_shifter_modules/cybereason/cybereason_supported_stix.md index d11378162..1612eea69 100644 --- a/stix_shifter_modules/cybereason/cybereason_supported_stix.md +++ b/stix_shifter_modules/cybereason/cybereason_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Cybereason +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/darktrace/darktrace_supported_stix.md b/stix_shifter_modules/darktrace/darktrace_supported_stix.md index 514f07888..fce651461 100644 --- a/stix_shifter_modules/darktrace/darktrace_supported_stix.md +++ b/stix_shifter_modules/darktrace/darktrace_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 02/27/23 +##### Updated on 05/15/23 ## Darktrace +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/datadog/datadog_supported_stix.md b/stix_shifter_modules/datadog/datadog_supported_stix.md index 129600abe..2610e43ea 100644 --- a/stix_shifter_modules/datadog/datadog_supported_stix.md +++ b/stix_shifter_modules/datadog/datadog_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 03/08/23 +##### Updated on 05/15/23 ## Datadog +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* diff --git a/stix_shifter_modules/dshield/.coveragerc b/stix_shifter_modules/dshield/.coveragerc deleted file mode 100644 index c712d2595..000000000 --- a/stix_shifter_modules/dshield/.coveragerc +++ /dev/null @@ -1,2 +0,0 @@ -[run] -omit = tests/* diff --git a/stix_shifter_modules/dshield/README.md b/stix_shifter_modules/dshield/README.md new file mode 100644 index 000000000..82342d705 --- /dev/null +++ b/stix_shifter_modules/dshield/README.md @@ -0,0 +1,7 @@ +# SANS ISC DShield + +Query the SANS ISC DShield API to check for an IP address reputation. + +## Supported STIX Mappings + +See the [table of mappings](dshield_supported_stix.md) for the STIX objects and operators supported by this connector. \ No newline at end of file diff --git a/stix_shifter_modules/dshield/dshield_supported_stix.md b/stix_shifter_modules/dshield/dshield_supported_stix.md new file mode 100644 index 000000000..d6139fe68 --- /dev/null +++ b/stix_shifter_modules/dshield/dshield_supported_stix.md @@ -0,0 +1,36 @@ +##### Updated on 05/15/23 +## SANS ISC DShield +### Results STIX Domain Objects +* Identity +* Sighting +* Infrastructure +* Malware +* Extension +* Indicator +
+### Supported STIX Operators +*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* + +| STIX Operator | Data Source Operator | +|--|--| +| AND (Comparision) | AND | +| OR (Comparision) | OR | +| > | > | +| >= | >= | +| < | < | +| <= | <= | +| = | = | +| != | != | +| LIKE | = | +| IN | IN | +| MATCHES | CONTAINS | +| ISSUBSET | insubnet | +| OR (Observation) | OR | +| AND (Observation) | AND | +|
| | +### Searchable STIX objects and properties +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 | +| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 | +|
| | diff --git a/stix_shifter_modules/dshield/requirements.txt b/stix_shifter_modules/dshield/requirements.txt deleted file mode 100644 index 4336eaa01..000000000 --- a/stix_shifter_modules/dshield/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -uuid==1.30 \ No newline at end of file diff --git a/stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md b/stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md index 54849a878..bc62406a4 100644 --- a/stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md +++ b/stix_shifter_modules/elastic_ecs/elastic_ecs_supported_stix.md @@ -1,5 +1,9 @@ -##### Updated on 04/28/23 +##### Updated on 05/15/23 ## Elasticsearch ECS +### Results STIX Domain Objects +* Identity +* Observed Data +
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).* @@ -170,12 +174,6 @@ | **x-ecs-cloud**:machine.type | cloud.machine.type | | **x-ecs-cloud**:provider | cloud.provider | | **x-ecs-cloud**:region | cloud.region | -| **x-ecs-container**:id | container.id | -| **x-ecs-container**:image.name | container.image.name | -| **x-ecs-container**:image.tag | container.image.tag | -| **x-ecs-container**:labels | container.labels | -| **x-ecs-container**:name | container.name | -| **x-ecs-container**:runtime | container.runtime | | **x-ecs-dns**:answers_class | dns.answers.class | | **x-ecs-dns**:answers_data | dns.answers.data | | **x-ecs-dns**:answers_name | dns.answers.name | @@ -205,12 +203,11 @@ | **x-oca-asset**:architecture | host.architecture | | **x-oca-asset**:domain | host.domain | | **x-oca-asset**:hostname | host.hostname, observer.hostname | -| **x-oca-asset**:id | host.id | +| **x-oca-asset**:id | host.id, observer.serial_number | | **x-oca-asset**:ip | host.ip, observer.ip | | **x-oca-asset**:mac | host.mac, observer.mac | | **x-oca-asset**:name | host.name, observer.name | | **x-oca-asset**:type | host.type, observer.type | -| **x-oca-asset**:serial_number | observer.serial_number | | **x-oca-asset**:ingress.zone | observer.ingress.zone | | **x-oca-asset**:ingress.interface.alias | observer.ingress.interface.alias | | **x-oca-asset**:ingress.interface.id | observer.ingress.interface.id | 
@@ -223,6 +220,12 @@
 | **x-oca-asset**:os_ref.name | host.os.name, observer.os.name, observer.product |
 | **x-oca-asset**:os_ref.vendor | host.os.platform, observer.os.platform, observer.vendor |
 | **x-oca-asset**:os_ref.version | host.os.version, observer.os.version, observer.version |
+| **x-oca-asset**:container.id | container.id |
+| **x-oca-asset**:container.image.name | container.image.name |
+| **x-oca-asset**:container.image.tag | container.image.tag |
+| **x-oca-asset**:container.labels | container.labels |
+| **x-oca-asset**:container.name | container.name |
+| **x-oca-asset**:container.runtime | container.runtime |
 | **x-oca-geo**:city_name | server.geo.city_name, client.geo.city_name, source.geo.city_name, destination.geo.city_name |
 | **x-oca-geo**:continent_name | server.geo.continent_name, client.geo.continent_name, source.geo.continent_name, destination.geo.continent_name |
 | **x-oca-geo**:country_iso_code | server.geo.country_iso_code, client.geo.country_iso_code, source.geo.country_iso_code, destination.geo.country_iso_code |
@@ -307,9 +310,9 @@
 ### Searchable STIX objects and properties for Beats dialect
 | STIX Object and Property | Mapped Data Source Fields |
 |--|--|
-| **ipv4-addr**:value | source.ip, destination.ip, client.ip, server.ip, host.ip, dns.resolved_ip, source.nat.ip, destination.nat.ip, client.nat.ip, server.nat.ip |
-| **ipv6-addr**:value | source.ip, destination.ip, client.ip, server.ip, host.ip, dns.resolved_ip, source.nat.ip, destination.nat.ip, client.nat.ip, server.nat.ip |
-| **mac-addr**:value | source.mac, destination.mac, client.mac, server.mac, host.mac.keyword |
+| **ipv4-addr**:value | source.ip.keyword, destination.ip.keyword, client.ip.keyword, server.ip.keyword, host.ip.keyword, dns.resolved_ip.keyword, source.nat.ip.keyword, destination.nat.ip.keyword, client.nat.ip.keyword, server.nat.ip.keyword |
+| **ipv6-addr**:value | source.ip.keyword, destination.ip.keyword, client.ip.keyword, server.ip.keyword, host.ip.keyword, dns.resolved_ip.keyword, source.nat.ip.keyword, destination.nat.ip.keyword, client.nat.ip.keyword, server.nat.ip.keyword |
+| **mac-addr**:value | source.mac.keyword, destination.mac.keyword, client.mac.keyword, server.mac.keyword, host.mac.keyword |
 | **network-traffic**:src_port | source.port, client.port, source.nat.port, client.nat.port |
 | **network-traffic**:dst_port | destination.port, server.port, destination.nat.port, server.nat.port |
 | **network-traffic**:protocols[*] | network.transport.keyword, network.type.keyword, network.protocol.keyword |
@@ -326,7 +329,7 @@
 | **network-traffic**:x_name | network.name |
 | **network-traffic**:x_application | network.application |
 | **network-traffic**:x_direction | network.direction.keyword |
-| **network-traffic**:x_forwarded_ip | network.forwarded_ip |
+| **network-traffic**:x_forwarded_ip | network.forwarded_ip.keyword |
 | **network-traffic**:x_community_id | network.community_id.keyword |
 | **artifact**:payload_bin | event.original |
 | **file**:name | file.name, dll.name, file.path, process.name.keyword, process.executable.keyword, process.parent.name.keyword, process.parent.executable.keyword |
@@ -364,7 +367,7 @@
 | **directory**:path | file.directory, file.path |
 | **user-account**:user_id | user.name.keyword, user.id.keyword |
 | **user-account**:account_login | user.name.keyword |
-| **user-account**:display_name | user.full_name |
+| **user-account**:display_name | user.full_name.keyword |
 | **user-account**:x_domain | user.domain.keyword |
 | **user-account**:x_hash | user.hash |
 | **user-account**:x_group.domain | user.group.domain |
@@ -399,7 +402,7 @@
 | **process**:x_unique_id | process.entity_id.keyword, process.parent.entity_id.keyword |
 | **process**:x_uptime | process.uptime |
 | **url**:value | url.original |
-| **domain-name**:value | url.domain, dns.question.name, dns.question.registered_domain, host.hostname, source.domain, destination.domain, server.domain, client.domain, source.registered_domain, destination.registered_domain, server.registered_domain, client.registered_domain, source.top_level_domain, destination.top_level_domain, server.top_level_domain, client.top_level_domain |
+| **domain-name**:value | url.domain, dns.question.name, dns.question.registered_domain, host.hostname.keyword, source.domain, destination.domain, server.domain, client.domain, source.registered_domain, destination.registered_domain, server.registered_domain, client.registered_domain, source.top_level_domain, destination.top_level_domain, server.top_level_domain, client.top_level_domain |
 | **windows-registry-key**:key | registry.key |
 | **software**:name | agent.name.keyword, process.pe.original_file_name.keyword, file.pe.original_file_name.keyword, dll.pe.original_file_name.keyword |
 | **software**:vendor | process.pe.company.keyword, file.pe.company.keyword, dll.pe.company.keyword |
@@ -453,12 +456,6 @@
 | **x-ecs-cloud**:machine.type | cloud.machine.type |
 | **x-ecs-cloud**:provider | cloud.provider |
 | **x-ecs-cloud**:region | cloud.region |
-| **x-ecs-container**:id | container.id |
-| **x-ecs-container**:image.name | container.image.name |
-| **x-ecs-container**:image.tag | container.image.tag |
-| **x-ecs-container**:labels | container.labels |
-| **x-ecs-container**:name | container.name |
-| **x-ecs-container**:runtime | container.runtime |
 | **x-ecs-dns**:answers_class | dns.answers.class |
 | **x-ecs-dns**:answers_data | dns.answers.data |
 | **x-ecs-dns**:answers_name | dns.answers.name |
@@ -485,15 +482,14 @@
 | **x-ecs-group**:domain | group.domain |
 | **x-ecs-group**:id | group.id |
 | **x-ecs-group**:name | group.name |
-| **x-oca-asset**:architecture | host.architecture |
+| **x-oca-asset**:architecture | host.architecture.keyword |
 | **x-oca-asset**:domain | host.domain |
-| **x-oca-asset**:hostname | host.hostname, observer.hostname |
-| **x-oca-asset**:id | host.id |
-| **x-oca-asset**:ip | host.ip, observer.ip |
-| **x-oca-asset**:mac | host.mac, observer.mac |
-| **x-oca-asset**:name | host.name, observer.name |
+| **x-oca-asset**:hostname | host.hostname.keyword, observer.hostname.keyword |
+| **x-oca-asset**:id | host.id.keyword, observer.serial_number.keyword |
+| **x-oca-asset**:ip | host.ip.keyword, observer.ip.keyword |
+| **x-oca-asset**:mac | host.mac.keyword, observer.mac.keyword |
+| **x-oca-asset**:name | host.name.keyword, observer.name.keyword |
 | **x-oca-asset**:type | host.type, observer.type |
-| **x-oca-asset**:serial_number | observer.serial_number |
 | **x-oca-asset**:ingress.zone | observer.ingress.zone |
 | **x-oca-asset**:ingress.interface.alias | observer.ingress.interface.alias |
 | **x-oca-asset**:ingress.interface.id | observer.ingress.interface.id |
@@ -503,9 +499,15 @@
 | **x-oca-asset**:egress.interface.id | observer.egress.interface.id |
 | **x-oca-asset**:egress.interface.name | observer.egress.interface.name |
 | **x-oca-asset**:uptime | host.uptime |
-| **x-oca-asset**:os_ref.name | host.os.name, observer.os.name, observer.product |
-| **x-oca-asset**:os_ref.vendor | host.os.platform, observer.os.platform, observer.vendor |
-| **x-oca-asset**:os_ref.version | host.os.version, observer.os.version, observer.version |
+| **x-oca-asset**:os_ref.name | host.os.name.keyword, observer.os.name.keyword, observer.product.keyword |
+| **x-oca-asset**:os_ref.vendor | host.os.platform.keyword, observer.os.platform.keyword, observer.vendor.keyword |
+| **x-oca-asset**:os_ref.version | host.os.version.keyword, observer.os.version.keyword, observer.version.keyword |
+| **x-oca-asset**:container.id | container.id |
+| **x-oca-asset**:container.image.name | container.image.name |
+| **x-oca-asset**:container.image.tag | container.image.tag |
+| **x-oca-asset**:container.labels | container.labels |
+| **x-oca-asset**:container.name | container.name |
+| **x-oca-asset**:container.runtime | container.runtime |
 | **x-oca-geo**:city_name | server.geo.city_name, client.geo.city_name, source.geo.city_name, destination.geo.city_name |
 | **x-oca-geo**:continent_name | server.geo.continent_name, client.geo.continent_name, source.geo.continent_name, destination.geo.continent_name |
 | **x-oca-geo**:country_iso_code | server.geo.country_iso_code, client.geo.country_iso_code, source.geo.country_iso_code, destination.geo.country_iso_code |
@@ -758,13 +760,6 @@
 | x-ecs-cloud | provider | provider |
 | x-ecs-cloud | region | region |
 |
| | |
-| x-ecs-container | container_id | id |
-| x-ecs-container | image_name | name |
-| x-ecs-container | image_tag | tag |
-| x-ecs-container | labels | labels |
-| x-ecs-container | name | name |
-| x-ecs-container | runtime | runtime |
-|
| | |
 | x-ecs-destination | address | address |
 |
| | |
 | x-ecs-error | code | code |
@@ -800,9 +795,6 @@
 | x-ecs-log | severity_syslog_code | code |
 | x-ecs-log | severity_syslog_name | name |
 |
| | |
-| x-ecs-observer | os_ref | name |
-| x-ecs-observer | geo_ref | city_name |
-|
| | |
 | x-ecs-organization | organization_id | id |
 | x-ecs-organization | name | name |
 |
| | |
@@ -885,10 +877,16 @@
 | x-ecs-vulnerability | score_temporal | temporal |
 | x-ecs-vulnerability | score_version | version |
 |
| | |
+| x-oca-asset | extensions.x-oca-container-ext.id | id |
+| x-oca-asset | extensions.x-oca-container-ext.image.name | name |
+| x-oca-asset | extensions.x-oca-container-ext.image.tag | tag |
+| x-oca-asset | extensions.x-oca-container-ext.labels | labels |
+| x-oca-asset | extensions.x-oca-container-ext.name | name |
+| x-oca-asset | extensions.x-oca-container-ext.container_type | runtime |
 | x-oca-asset | architecture | architecture |
 | x-oca-asset | domain_ref | domain |
 | x-oca-asset | hostname | hostname |
-| x-oca-asset | host_id | id |
+| x-oca-asset | device_id | id |
 | x-oca-asset | ip_refs | ip |
 | x-oca-asset | mac_refs | mac |
 | x-oca-asset | name | name |
@@ -917,11 +915,9 @@
 | x-oca-asset | ingress.interface.name | name |
 | x-oca-asset | ingress.vlan.id | id |
 | x-oca-asset | ingress.vlan.name | name |
-| x-oca-asset | ip | ip |
-| x-oca-asset | mac | mac |
-| x-oca-asset | observer_software_ref | product |
-| x-oca-asset | serial_number | serial_number |
-| x-oca-asset | type | type |
+| x-oca-asset | os_ref | product |
+| x-oca-asset | device_id | serial_number |
+| x-oca-asset | os_ref | vendor |
 |
| | |
 | x-oca-event | network_ref | transport |
 | x-oca-event | network_ref | type |
diff --git a/stix_shifter_modules/gcp_chronicle/gcp_chronicle_supported_stix.md b/stix_shifter_modules/gcp_chronicle/gcp_chronicle_supported_stix.md
index 89e817e1e..ac7665979 100644
--- a/stix_shifter_modules/gcp_chronicle/gcp_chronicle_supported_stix.md
+++ b/stix_shifter_modules/gcp_chronicle/gcp_chronicle_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## GCP Chronicle
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/guardium/guardium_supported_stix.md b/stix_shifter_modules/guardium/guardium_supported_stix.md
index c8bb187cc..b9e13374b 100644
--- a/stix_shifter_modules/guardium/guardium_supported_stix.md
+++ b/stix_shifter_modules/guardium/guardium_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 03/08/23
+##### Updated on 05/15/23
 ## IBM Guardium Data Protection
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md b/stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md
index 02f2c12bc..1eaf89946 100644
--- a/stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md
+++ b/stix_shifter_modules/ibm_security_verify/ibm_security_verify_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## IBM Security Verify
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/intezer/.coveragerc b/stix_shifter_modules/intezer/.coveragerc
deleted file mode 100644
index c712d2595..000000000
--- a/stix_shifter_modules/intezer/.coveragerc
+++ /dev/null
@@ -1,2 +0,0 @@
-[run]
-omit = tests/*
diff --git a/stix_shifter_modules/intezer/README.md b/stix_shifter_modules/intezer/README.md
new file mode 100644
index 000000000..35cf884df
--- /dev/null
+++ b/stix_shifter_modules/intezer/README.md
@@ -0,0 +1,7 @@
+# Intezer
+
+Analyze files, endpoints, and memory dumps, to detect and classify threats.
+
+## Supported STIX Mappings
+
+See the [table of mappings](intezer_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/intezer/intezer_supported_stix.md b/stix_shifter_modules/intezer/intezer_supported_stix.md
new file mode 100644
index 000000000..7bcaa0628
--- /dev/null
+++ b/stix_shifter_modules/intezer/intezer_supported_stix.md
@@ -0,0 +1,40 @@
+##### Updated on 05/15/23
+## Intezer
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **url**:value | Url |
+| **domain-name**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |
diff --git a/stix_shifter_modules/intezer/requirements.txt b/stix_shifter_modules/intezer/requirements.txt
deleted file mode 100644
index 4336eaa01..000000000
--- a/stix_shifter_modules/intezer/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-uuid==1.30
\ No newline at end of file
diff --git a/stix_shifter_modules/msatp/msatp_supported_stix.md b/stix_shifter_modules/msatp/msatp_supported_stix.md
index 0ddfb42d4..8e11eaabf 100644
--- a/stix_shifter_modules/msatp/msatp_supported_stix.md
+++ b/stix_shifter_modules/msatp/msatp_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 04/28/23
+##### Updated on 05/15/23
 ## Microsoft Defender for Endpoint
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/okta/okta_supported_stix.md b/stix_shifter_modules/okta/okta_supported_stix.md
index add896899..d49de646a 100644
--- a/stix_shifter_modules/okta/okta_supported_stix.md
+++ b/stix_shifter_modules/okta/okta_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 04/18/23
+##### Updated on 05/15/23
 ## Okta
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/onelogin/onelogin_supported_stix.md b/stix_shifter_modules/onelogin/onelogin_supported_stix.md
index c2efea24d..5a429a510 100644
--- a/stix_shifter_modules/onelogin/onelogin_supported_stix.md
+++ b/stix_shifter_modules/onelogin/onelogin_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## OneLogin
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/paloalto/paloalto_supported_stix.md b/stix_shifter_modules/paloalto/paloalto_supported_stix.md
index d81f315de..63d78bd08 100644
--- a/stix_shifter_modules/paloalto/paloalto_supported_stix.md
+++ b/stix_shifter_modules/paloalto/paloalto_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 03/08/23
+##### Updated on 05/15/23
 ## PaloAlto Cortex XDR
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/proofpoint/proofpoint_supported_stix.md b/stix_shifter_modules/proofpoint/proofpoint_supported_stix.md
index 179646201..72e6d51fa 100644
--- a/stix_shifter_modules/proofpoint/proofpoint_supported_stix.md
+++ b/stix_shifter_modules/proofpoint/proofpoint_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## Proofpoint (SIEM API)
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/qradar/qradar_supported_stix.md b/stix_shifter_modules/qradar/qradar_supported_stix.md
index de2037f3b..df65763a8 100644
--- a/stix_shifter_modules/qradar/qradar_supported_stix.md
+++ b/stix_shifter_modules/qradar/qradar_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 04/18/23
+##### Updated on 05/15/23
 ## IBM QRadar
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/reaqta/reaqta_supported_stix.md b/stix_shifter_modules/reaqta/reaqta_supported_stix.md
index ad1e143dd..321407757 100644
--- a/stix_shifter_modules/reaqta/reaqta_supported_stix.md
+++ b/stix_shifter_modules/reaqta/reaqta_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 03/08/23
+##### Updated on 05/15/23
 ## IBM Security ReaQta
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/recorded_future/README.md b/stix_shifter_modules/recorded_future/README.md
new file mode 100644
index 000000000..12edc0e10
--- /dev/null
+++ b/stix_shifter_modules/recorded_future/README.md
@@ -0,0 +1,7 @@
+# Recorded Future
+
+Enrich IP addresses, domains, hashes and URLs with RecordedFuture threat intelligence service.
+
+## Supported STIX Mappings
+
+See the [table of mappings](recorded_future_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/recorded_future/recorded_future_supported_stix.md b/stix_shifter_modules/recorded_future/recorded_future_supported_stix.md
new file mode 100644
index 000000000..f37fc32ac
--- /dev/null
+++ b/stix_shifter_modules/recorded_future/recorded_future_supported_stix.md
@@ -0,0 +1,42 @@
+##### Updated on 05/15/23
+## Recorded Future
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 |
+| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 |
+| **domain-name**:value | Url |
+| **url**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |
diff --git a/stix_shifter_modules/recorded_future/requirements.txt b/stix_shifter_modules/recorded_future/requirements.txt
index ddb63c156..9fe48850e 100644
--- a/stix_shifter_modules/recorded_future/requirements.txt
+++ b/stix_shifter_modules/recorded_future/requirements.txt
@@ -1,2 +1 @@
-uuid==1.30
 jmespath==1.0.1
diff --git a/stix_shifter_modules/reversinglabs/README.md b/stix_shifter_modules/reversinglabs/README.md
index df85fccbe..7f2d289a6 100644
--- a/stix_shifter_modules/reversinglabs/README.md
+++ b/stix_shifter_modules/reversinglabs/README.md
@@ -1,5 +1,11 @@
 # ReversingLabs
+Enrich IP addresses, domains, hashes and URLs with the ReversingLabs threat intelligence service.
+
+## Supported STIX Mappings
+
+See the [table of mappings](reversinglabs_supported_stix.md) for the STIX objects and operators supported by this connector.
+
 ## ReversingLabs Supported STIX Pattern values (Querying):
 The following STIX Patterns are supported by ReversingLabs:
diff --git a/stix_shifter_modules/reversinglabs/requirements.txt b/stix_shifter_modules/reversinglabs/requirements.txt
deleted file mode 100644
index 4336eaa01..000000000
--- a/stix_shifter_modules/reversinglabs/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-uuid==1.30
\ No newline at end of file
diff --git a/stix_shifter_modules/reversinglabs/reversinglabs_supported_stix.md b/stix_shifter_modules/reversinglabs/reversinglabs_supported_stix.md
new file mode 100644
index 000000000..b331dc05d
--- /dev/null
+++ b/stix_shifter_modules/reversinglabs/reversinglabs_supported_stix.md
@@ -0,0 +1,42 @@
+##### Updated on 05/15/23
+## ReversingLabs
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **url**:value | Url |
+| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 |
+| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 |
+| **domain-name**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |
diff --git a/stix_shifter_modules/rhacs/rhacs_supported_stix.md b/stix_shifter_modules/rhacs/rhacs_supported_stix.md
index db4d83cba..d9cf06a9f 100644
--- a/stix_shifter_modules/rhacs/rhacs_supported_stix.md
+++ b/stix_shifter_modules/rhacs/rhacs_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## Red Hat Advanced Cluster Security for Kubernetes (StackRox)
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/secretserver/secretserver_supported_stix.md b/stix_shifter_modules/secretserver/secretserver_supported_stix.md
index f54f8d527..a2150c76a 100644
--- a/stix_shifter_modules/secretserver/secretserver_supported_stix.md
+++ b/stix_shifter_modules/secretserver/secretserver_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 03/08/23
+##### Updated on 05/15/23
 ## IBM Security Verify Privilege Vault
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/sentinelone/sentinelone_supported_stix.md b/stix_shifter_modules/sentinelone/sentinelone_supported_stix.md
index b84940d40..6845eae10 100644
--- a/stix_shifter_modules/sentinelone/sentinelone_supported_stix.md
+++ b/stix_shifter_modules/sentinelone/sentinelone_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## SentinelOne
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/splunk/splunk_supported_stix.md b/stix_shifter_modules/splunk/splunk_supported_stix.md
index 9215a4b6a..7e4cdf5cf 100644
--- a/stix_shifter_modules/splunk/splunk_supported_stix.md
+++ b/stix_shifter_modules/splunk/splunk_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## Splunk Enterprise Security
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
@@ -89,6 +93,7 @@
 | **process**:creator_user_ref.user_login | user |
 | **process**:binary_ref.parent_directory_ref.path | process_path |
 | **process**:binary_ref.name | process_exec |
+| **process**:x_unique_id | process_guid |
 | **url**:value | url |
 | **user-account**:user_id | user |
 | **user-account**:account_login | user |
@@ -182,6 +187,7 @@
 | process | name | process_name |
 | process | command_line | process |
 | process | binary_ref | process_exec |
+| process | x_unique_id | process_guid |
 | process | pid | parent_process_id |
 | process | parent_ref | parent_process_id |
 | process | name | parent_process_name |
diff --git a/stix_shifter_modules/sumologic/sumologic_supported_stix.md b/stix_shifter_modules/sumologic/sumologic_supported_stix.md
index 5fb99b64f..877b34ce7 100644
--- a/stix_shifter_modules/sumologic/sumologic_supported_stix.md
+++ b/stix_shifter_modules/sumologic/sumologic_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 02/27/23
+##### Updated on 05/15/23
 ## Sumo Logic
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators
 *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/threat_grid/.coveragerc b/stix_shifter_modules/threat_grid/.coveragerc
deleted file mode 100644
index c712d2595..000000000
--- a/stix_shifter_modules/threat_grid/.coveragerc
+++ /dev/null
@@ -1,2 +0,0 @@
-[run]
-omit = tests/*
diff --git a/stix_shifter_modules/threat_grid/README.md b/stix_shifter_modules/threat_grid/README.md
new file mode 100644
index 000000000..fe7f37b35
--- /dev/null
+++ b/stix_shifter_modules/threat_grid/README.md
@@ -0,0 +1,7 @@
+# Cisco Threat Grid
+
+Enrich IP addresses, domains, hashes and URLs with the Threat Grid Sandbox threat intelligence service.
+
+## Supported STIX Mappings
+
+See the [table of mappings](threat_grid_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/threat_grid/requirements.txt b/stix_shifter_modules/threat_grid/requirements.txt
deleted file mode 100644
index 4336eaa01..000000000
--- a/stix_shifter_modules/threat_grid/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-uuid==1.30
\ No newline at end of file
diff --git a/stix_shifter_modules/threat_grid/threat_grid_supported_stix.md b/stix_shifter_modules/threat_grid/threat_grid_supported_stix.md
new file mode 100644
index 000000000..245394bec
--- /dev/null
+++ b/stix_shifter_modules/threat_grid/threat_grid_supported_stix.md
@@ -0,0 +1,41 @@
+##### Updated on 05/15/23
+## Cisco Threat Grid
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 |
+| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 |
+| **domain-name**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |
diff --git a/stix_shifter_modules/threat_q/README.md b/stix_shifter_modules/threat_q/README.md
new file mode 100644
index 000000000..8885a8b44
--- /dev/null
+++ b/stix_shifter_modules/threat_q/README.md
@@ -0,0 +1,7 @@
+# ThreatQ
+
+ThreatQ Threat Intelligence Platform
+
+## Supported STIX Mappings
+
+See the [table of mappings](threat_q_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/threat_q/requirements.txt b/stix_shifter_modules/threat_q/requirements.txt
deleted file mode 100644
index 4336eaa01..000000000
--- a/stix_shifter_modules/threat_q/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-uuid==1.30
\ No newline at end of file
diff --git a/stix_shifter_modules/threat_q/threat_q_supported_stix.md b/stix_shifter_modules/threat_q/threat_q_supported_stix.md
new file mode 100644
index 000000000..b721b30f7
--- /dev/null
+++ b/stix_shifter_modules/threat_q/threat_q_supported_stix.md
@@ -0,0 +1,42 @@
+##### Updated on 05/15/23
+## ThreatQ
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators
+*Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **url**:value | Url |
+| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 |
+| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 |
+| **domain-name**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |
diff --git a/stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md b/stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md
index 21189029a..641bfa50f 100644
--- a/stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md
+++ b/stix_shifter_modules/trendmicro_vision_one/trendmicro_vision_one_supported_stix.md
@@ -1,5 +1,9 @@
-##### Updated on 03/08/23
+##### Updated on 05/15/23
 ## Trend Micro Vision One
+### Results STIX Domain Objects
+* Identity
+* Observed Data
+
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
diff --git a/stix_shifter_modules/virus_total/.coveragerc b/stix_shifter_modules/virus_total/.coveragerc
deleted file mode 100644
index c712d2595..000000000
--- a/stix_shifter_modules/virus_total/.coveragerc
+++ /dev/null
@@ -1,2 +0,0 @@
-[run]
-omit = tests/*
diff --git a/stix_shifter_modules/virus_total/README.md b/stix_shifter_modules/virus_total/README.md
new file mode 100644
index 000000000..6e6d89b2f
--- /dev/null
+++ b/stix_shifter_modules/virus_total/README.md
@@ -0,0 +1,7 @@
+# VirusTotal
+
+Get the latest VirusTotal report for a file, hash, domain or an IP address. This connector uses the
+
+## Supported STIX Mappings
+
+See the [table of mappings](virus_total_supported_stix.md) for the STIX objects and operators supported by this connector.
\ No newline at end of file
diff --git a/stix_shifter_modules/virus_total/requirements.txt b/stix_shifter_modules/virus_total/requirements.txt
index 98c33cf89..08619807c 100644
--- a/stix_shifter_modules/virus_total/requirements.txt
+++ b/stix_shifter_modules/virus_total/requirements.txt
@@ -1,2 +1 @@
vt-py==0.17.5
-uuid==1.30
diff --git a/stix_shifter_modules/virus_total/virus_total_supported_stix.md b/stix_shifter_modules/virus_total/virus_total_supported_stix.md
new file mode 100644
index 000000000..2095e7d58
--- /dev/null
+++ b/stix_shifter_modules/virus_total/virus_total_supported_stix.md
@@ -0,0 +1,42 @@
+##### Updated on 05/15/23
+## VirusTotal
+### Results STIX Domain Objects
+* Identity
+* Sighting
+* Infrastructure
+* Malware
+* Extension
+* Indicator
+
+### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
+
+| STIX Operator | Data Source Operator |
+|--|--|
+| AND (Comparision) | AND |
+| OR (Comparision) | OR |
+| > | > |
+| >= | >= |
+| < | < |
+| <= | <= |
+| = | = |
+| != | != |
+| LIKE | = |
+| IN | IN |
+| MATCHES | CONTAINS |
+| ISSUBSET | insubnet |
+| OR (Observation) | OR |
+| AND (Observation) | AND |
+|
| |
+### Searchable STIX objects and properties
+| STIX Object and Property | Mapped Data Source Fields |
+|--|--|
+| **url**:value | Url |
+| **ipv4-addr**:value | SourceIpV4, DestinationIpV4 |
+| **ipv6-addr**:value | SourceIpV6, DestinationIpV6 |
+| **domain-name**:value | Url |
+| **file**:hashes.'SHA-256' | sha256hash |
+| **file**:hashes.MD5 | md5hash |
+| **file**:hashes.'MD5' | md5hash |
+| **file**:hashes.'SHA-1' | sha1hash |
+|
| |