Splunk ext

stix_shifter_modules/splunk/stix_translation/cim_query_translator.py

@@ -1,5 +1,7 @@
 from stix_shifter_utils.modules.cim.stix_translation.query_translator import CimBaseQueryTranslator
 import logging
+from os import path
+from stix_shifter_utils.utils.file_helper import read_json
 from . import query_constructor
 
 logger = logging.getLogger(__name__)
@@ -9,6 +11,18 @@
 
 
 class CimQueryTranslator(CimBaseQueryTranslator):
+    def __init__(self, options={}, dialect=None):
+        super().__init__(options, dialect)
+        if 'mapping' not in options or 'cim_select_fields' not in options['mapping']:
+            ext_select_fields = read_json('cim_select_fields_ext', options)
+            self.select_fields["default"].extend(ext_select_fields["default"])
+        if 'mapping' not in options or 'cim_from_stix_map' not in options['mapping']:
+            ext_map_data = self.fetch_mapping(path.dirname(__file__), dialect, options)
+            for obj_name, obj_dict in ext_map_data.items():
+                if obj_name not in self.map_data:
+                    self.map_data[obj_name] = obj_dict
+                else:
+                    self.map_data[obj_name]["fields"].update(obj_dict["fields"])
 
     def transform_antlr(self, data, antlr_parsing_object):
         """

stix_shifter_modules/splunk/stix_translation/json/cim_select_fields_ext.json

@@ -0,0 +1,22 @@
+{
+  "default": [
+    "process",
+    "process_id",
+    "process_name",
+    "process_exec",
+    "process_path",
+    "process_hash",
+    "parent_process",
+    "parent_process_id",
+    "parent_process_name",
+    "parent_process_exec",
+    "host",
+    "source",
+    "description",
+    "result",
+    "signature",
+    "signature_id",
+    "query",
+    "answer"
+  ]
+}

stix_shifter_modules/splunk/stix_translation/json/from_stix_map.json

@@ -0,0 +1,37 @@
+{
+  "x-oca-event": {
+    "cim_type": "alert",
+    "fields": {
+      "code": ["signature_id"],
+      "action": ["signature"],
+      "outcome": ["result"],
+      "module": ["source"],
+      "created": ["_time"],
+      "process_ref.command_line": ["process"],
+      "process_ref.binary_ref.name": ["process_exec"],
+      "process_ref.parent_ref.command_line": ["parent_process"],
+      "process_ref.creator_user_ref.user_id": ["process_user"],
+      "process_ref.name": ["process_name"],
+      "process_ref.pid": ["process_id"],
+      "parent_process_ref.command_line": ["parent_process"],
+      "parent_process_ref.binary_ref.name": ["parent_process_exec"],
+      "parent_process_ref.pid": ["parent_process_id"],
+      "parent_process_ref.name": ["parent_process_name"],
+      "domain_ref.value": ["url", "url_domain"],
+      "file_ref.name": ["file_name"],
+      "host_ref.hostname": ["host"],
+      "host_ref.ip_refs[*].value": ["src_ip"],
+      "registry_ref.key": ["ObjectName", "RegistryKey"],
+      "user_ref.user_id": ["user"],
+      "url_ref.value": ["url"]
+    }
+  },
+  "x-oca-asset": {
+    "cim_type": "host",
+    "fields": {
+      "hostname": "host"
+    }
+  }
+
+
+}