stix-shifter-modules-sysdig 8.0.2__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. stix_shifter_modules/sysdig/__init__.py +0 -0
  2. stix_shifter_modules/sysdig/configuration/config.json +603 -0
  3. stix_shifter_modules/sysdig/configuration/dialects.json +6 -0
  4. stix_shifter_modules/sysdig/configuration/lang_en.json +69 -0
  5. stix_shifter_modules/sysdig/entry_point.py +12 -0
  6. stix_shifter_modules/sysdig/stix_translation/__init__.py +0 -0
  7. stix_shifter_modules/sysdig/stix_translation/json/config_map.json +33 -0
  8. stix_shifter_modules/sysdig/stix_translation/json/from_stix_map.json +110 -0
  9. stix_shifter_modules/sysdig/stix_translation/json/operators.json +13 -0
  10. stix_shifter_modules/sysdig/stix_translation/json/stix_2_1/from_stix_map.json +110 -0
  11. stix_shifter_modules/sysdig/stix_translation/json/stix_2_1/to_stix_map.json +332 -0
  12. stix_shifter_modules/sysdig/stix_translation/json/to_stix_map.json +332 -0
  13. stix_shifter_modules/sysdig/stix_translation/json_to_stix_translator.py +529 -0
  14. stix_shifter_modules/sysdig/stix_translation/query_constructor.py +472 -0
  15. stix_shifter_modules/sysdig/stix_translation/query_translator.py +26 -0
  16. stix_shifter_modules/sysdig/stix_translation/transformers.py +66 -0
  17. stix_shifter_modules/sysdig/stix_transmission/__init__.py +0 -0
  18. stix_shifter_modules/sysdig/stix_transmission/api_client.py +37 -0
  19. stix_shifter_modules/sysdig/stix_transmission/connector.py +213 -0
  20. stix_shifter_modules/sysdig/stix_transmission/error_mapper.py +34 -0
  21. stix_shifter_modules_sysdig-8.0.2.dist-info/METADATA +148 -0
  22. stix_shifter_modules_sysdig-8.0.2.dist-info/RECORD +27 -0
  23. stix_shifter_modules_sysdig-8.0.2.dist-info/WHEEL +5 -0
  24. stix_shifter_modules_sysdig-8.0.2.dist-info/licenses/AUTHORS.md +23 -0
  25. stix_shifter_modules_sysdig-8.0.2.dist-info/licenses/LICENSE.md +219 -0
  26. stix_shifter_modules_sysdig-8.0.2.dist-info/licenses/NOTICE +32 -0
  27. stix_shifter_modules_sysdig-8.0.2.dist-info/top_level.txt +1 -0
@@ -0,0 +1,69 @@
1
+ {
2
+ "connection": {
3
+ "host": {
4
+ "label": "Management IP address or hostname",
5
+ "description": "Specify the IP address or hostname of the data source"
6
+ },
7
+ "port": {
8
+ "label": "Host port",
9
+ "description": "Set the port number that is associated with the hostname or IP address"
10
+ },
11
+ "help": {
12
+ "label": "Need additional help?",
13
+ "description": "More details on the data source setting can be found in the specified link"
14
+ },
15
+ "selfSignedCert": {
16
+ "label": "PEM Formatted SSL certificate(s)",
17
+ "description": "Provide a self-signed or CA-signed certificate to securely communicate with the data source."
18
+ },
19
+ "type": {
20
+ "description": "Data source type"
21
+ },
22
+ "options": {
23
+ "result_limit": {
24
+ "label": "Result size limit",
25
+ "description": "The maximum number of entries or objects that are returned by search query. Valid input range is {{min}} to {{max}}."
26
+ },
27
+ "batch_size": {
28
+ "label": "Result length for datasource request",
29
+ "description": "The maximum results retrive in single API request to the datasource. This is not results limit. This value is mainly used for pagination."
30
+ },
31
+ "time_range": {
32
+ "label": "Query time range",
33
+ "description": "Time range for the search, in minutes, represented as last x minutes. Valid input range is {{min}} to {{max}}."
34
+ },
35
+ "timeout": {
36
+ "label": "Query response timeout limit",
37
+ "description": "The limit on how long to wait for the data source response, in seconds. Valid input range is {{min}} to {{max}}."
38
+ },
39
+ "dialects": {
40
+ "label": "Dialect",
41
+ "description": "The dialect to use if the data source needs to search multiple schema or database tables."
42
+ },
43
+ "validate_pattern": {
44
+ "label": "STIX pattern validator",
45
+ "description": "Validate STIX patterns that needs to be translated into native data source query"
46
+ },
47
+ "stix_validator": {
48
+ "label": "STIX object validator",
49
+ "description": "Validate translated STIX Objects"
50
+ },
51
+ "mapping": {
52
+ "label": "Custom mapping",
53
+ "description": "Custom stix mapping if default mapping needs to be replaced"
54
+ },
55
+ "concurrent": {
56
+ "label": "Concurrent search limit",
57
+ "description": "The number of simultaneous connections that can be made to the data source. Valid input range is {{min}} to {{max}}."
58
+ }
59
+ }
60
+ },
61
+ "configuration": {
62
+ "auth": {
63
+ "token": {
64
+ "label": "API token",
65
+ "description": "Token with readonly access to the Sysdig API"
66
+ }
67
+ }
68
+ }
69
+ }
@@ -0,0 +1,12 @@
1
+ from stix_shifter_utils.utils.base_entry_point import BaseEntryPoint
2
+
3
+
4
+ class EntryPoint(BaseEntryPoint):
5
+
6
+ def __init__(self, connection={}, configuration={}, options={}):
7
+ super().__init__(connection, configuration, options)
8
+ self.set_async(False)
9
+ if connection:
10
+ self.setup_transmission_basic(connection, configuration)
11
+
12
+ self.setup_translation_simple(dialect_default='default')
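Review bot: The `__init__` signature uses mutable defaults (`connection={}, configuration={}, options={}`), so one shared dict instance backs every call that omits an argument; if `BaseEntryPoint.__init__`, `setup_transmission_basic` or `setup_translation_simple` writes into those dicts (not visible here), that state leaks between EntryPoint instances, and `configuration` is where the Sysdig API token is carried. Default to `None` and normalise inside the body, which keeps the `if connection:` guard behaving as it does today. The rendered page has dropped the method's indentation; the change below assumes the usual four-space class body.

```python
    def __init__(self, connection=None, configuration=None, options=None):
        # None defaults: a shared {} default would leak state across instances
        # if the base class or the setup helpers write into it.
        connection = {} if connection is None else connection
        configuration = {} if configuration is None else configuration
        options = {} if options is None else options
        super().__init__(connection, configuration, options)
        # … unchanged: set_async, transmission and translation setup …
```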
@@ -0,0 +1,33 @@
1
+ {
2
+ "int_supported_fields": [
3
+ "severity",
4
+ "ruleType",
5
+ "ruleSubType",
6
+ "policyId",
7
+ "agentId",
8
+ "aws.accountId"
9
+ ],
10
+ "string_supported_fields": [
11
+ "kubernetes.cluster.name",
12
+ "kubernetes.namespace.name",
13
+ "kubernetes.deployment.name",
14
+ "containerId",
15
+ "container.name",
16
+ "container.image.id",
17
+ "container.image.repo",
18
+ "container.image.tag",
19
+ "container.image.digest",
20
+ "container.label.io.kubernetes.pod.name",
21
+ "container.label.io.kubernetes.pod.namespace",
22
+ "ruleName",
23
+ "category",
24
+ "originator",
25
+ "source",
26
+ "host.hostName",
27
+ "cloudProvider.name",
28
+ "aws.region"
29
+ ],
30
+ "mac_supported_fields": [
31
+ "machineId"
32
+ ]
33
+ }
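Review bot: `aws.accountId` is listed under `int_supported_fields`, but AWS account IDs are 12-digit identifiers that can begin with zero; if the query constructor (not in this hunk) casts int-supported values to an integer, a pattern on such an account loses its leading zeros and the native filter silently matches nothing, a false negative for exactly the cross-account pivot an analyst would run. Move it to `string_supported_fields` and keep the comparison lexical, e.g. `"aws.accountId"` under the string list with `"agentId"` left where it is. `severity` as an integer is fine as long as the value expected here is the raw Sysdig level rather than the score produced on the result side.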
@@ -0,0 +1,110 @@
1
+ {
2
+ "mac-addr": {
3
+ "fields": {
4
+ "value": [
5
+ "machineId"
6
+ ]
7
+ }
8
+ },
9
+ "x-oca-asset": {
10
+ "fields": {
11
+ "hostname": [
12
+ "host.hostName"
13
+ ],
14
+ "extensions.'x-oca-container-ext'.container_id": [
15
+ "containerId"
16
+ ],
17
+ "extensions.'x-oca-container-ext'.name": [
18
+ "container.name"
19
+ ],
20
+ "extensions.'x-oca-container-ext'.image_id": [
21
+ "container.image.id"
22
+ ],
23
+ "extensions.'x-oca-container-ext'.x_repo": [
24
+ "container.image.repo"
25
+ ],
26
+ "extensions.'x-oca-container-ext'.x_tag": [
27
+ "container.image.tag"
28
+ ],
29
+ "extensions.'x-oca-container-ext'.x_digest": [
30
+ "container.image.digest"
31
+ ],
32
+ "extensions.'x-oca-pod-ext'.pod_name": [
33
+ "container.label.io.kubernetes.pod.name"
34
+ ],
35
+ "extensions.'x-oca-pod-ext'.x_namespace": [
36
+ "container.label.io.kubernetes.pod.namespace"
37
+ ]
38
+ }
39
+ },
40
+ "x-ibm-finding": {
41
+ "fields": {
42
+ "name": [
43
+ "ruleName"
44
+ ],
45
+ "severity": [
46
+ "severity"
47
+ ],
48
+ "x_category": [
49
+ "category"
50
+ ],
51
+ "x_threat_originator": [
52
+ "originator"
53
+ ],
54
+ "x_threat_source": [
55
+ "source"
56
+ ],
57
+ "x_agent_id": [
58
+ "agentId"
59
+ ]
60
+ }
61
+ },
62
+ "x-sysdig-cluster": {
63
+ "fields": {
64
+ "name": [
65
+ "kubernetes.cluster.name"
66
+ ],
67
+ "namespace": [
68
+ "kubernetes.namespace.name"
69
+ ]
70
+ }
71
+ },
72
+ "x-sysdig-deployment": {
73
+ "fields": {
74
+ "name": [
75
+ "kubernetes.deployment.name"
76
+ ]
77
+ }
78
+ },
79
+ "x-sysdig-policy": {
80
+ "fields": {
81
+ "rule_name": [
82
+ "ruleName"
83
+ ],
84
+ "rule_type": [
85
+ "ruleType"
86
+ ],
87
+ "rule_subtype": [
88
+ "ruleSubType"
89
+ ],
90
+ "policy_id": [
91
+ "policyId"
92
+ ]
93
+ }
94
+ },
95
+ "x-cloud-provider": {
96
+ "fields": {
97
+ "account_id": [
98
+ "aws.accountId"
99
+ ],
100
+ "name": [
101
+ "cloudProvider.name"
102
+ ],
103
+ "region": [
104
+ "aws.region"
105
+ ]
106
+ }
107
+ }
108
+ }
109
+
110
+
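Review bot: `x-ibm-finding` maps `severity` here (`"severity": ["severity"]`), while the second from_stix_map hunk in this package maps the same data-source field to `x_severity` and the to_stix map emits results under `x-ibm-finding.x_severity`, so a pattern written against the property a user sees in results will not translate in this dialect and vice versa. Align the two files on one key, `"x_severity": ["severity"]` if results are to stay as emitted, or change the to_stix key if the standard `severity` score is intended. Note also that the to_stix side runs `SeverityToScore` on the value, so if that transformer rescales, a severity read from a result cannot be fed back into a query unchanged; whichever key is chosen, the query side should document what scale it expects.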
@@ -0,0 +1,13 @@
1
+ {
2
+ "ComparisonExpressionOperators.And": "and",
3
+ "ComparisonExpressionOperators.Or": "or",
4
+ "ComparisonComparators.Equal": "=",
5
+ "ComparisonComparators.NotEqual": "!=",
6
+ "ComparisonComparators.GreaterThan": ">",
7
+ "ComparisonComparators.GreaterThanOrEqual": ">=",
8
+ "ComparisonComparators.LessThan": "<",
9
+ "ComparisonComparators.LessThanOrEqual": "<=",
10
+ "ComparisonComparators.In": "in",
11
+ "ObservationOperators.Or": "or",
12
+ "ObservationOperators.And": "or"
13
+ }
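Review bot: `ObservationOperators.And` is mapped to `"or"`, the same string as `ObservationOperators.Or`, so `[a] AND [b]` and `[a] OR [b]` produce the same native query and the result set for an AND pattern is a superset of what the pattern expresses. If this is deliberate (fetch every observation and let the consumer evaluate the conjunction), it needs stating somewhere, and since JSON has no comments the place is the query translator's docstring: `Observation-level AND is emitted as OR: each observation is fetched independently and the conjunction is not enforced by the native query.` Any detection or enrichment built on these results must not treat the translated query as a strict conjunction. The absence of LIKE/MATCHES mappings also means such patterns are rejected rather than approximated, which is the safer choice but worth documenting in the same place.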
@@ -0,0 +1,110 @@
1
+ {
2
+ "mac-addr": {
3
+ "fields": {
4
+ "value": [
5
+ "machineId"
6
+ ]
7
+ }
8
+ },
9
+ "x-oca-asset": {
10
+ "fields": {
11
+ "hostname": [
12
+ "host.hostName"
13
+ ],
14
+ "extensions.'x-oca-container-ext'.container_id": [
15
+ "containerId"
16
+ ],
17
+ "extensions.'x-oca-container-ext'.name": [
18
+ "container.name"
19
+ ],
20
+ "extensions.'x-oca-container-ext'.image_id": [
21
+ "container.image.id"
22
+ ],
23
+ "extensions.'x-oca-container-ext'.x_repo": [
24
+ "container.image.repo"
25
+ ],
26
+ "extensions.'x-oca-container-ext'.x_tag": [
27
+ "container.image.tag"
28
+ ],
29
+ "extensions.'x-oca-container-ext'.x_digest": [
30
+ "container.image.digest"
31
+ ],
32
+ "extensions.'x-oca-pod-ext'.pod_name": [
33
+ "container.label.io.kubernetes.pod.name"
34
+ ],
35
+ "extensions.'x-oca-pod-ext'.x_namespace": [
36
+ "container.label.io.kubernetes.pod.namespace"
37
+ ]
38
+ }
39
+ },
40
+ "x-ibm-finding": {
41
+ "fields": {
42
+ "name": [
43
+ "ruleName"
44
+ ],
45
+ "x_severity": [
46
+ "severity"
47
+ ],
48
+ "x_category": [
49
+ "category"
50
+ ],
51
+ "x_threat_originator": [
52
+ "originator"
53
+ ],
54
+ "x_threat_source": [
55
+ "source"
56
+ ],
57
+ "x_agent_id": [
58
+ "agentId"
59
+ ]
60
+ }
61
+ },
62
+ "x-sysdig-cluster": {
63
+ "fields": {
64
+ "name": [
65
+ "kubernetes.cluster.name"
66
+ ],
67
+ "namespace": [
68
+ "kubernetes.namespace.name"
69
+ ]
70
+ }
71
+ },
72
+ "x-sysdig-deployment": {
73
+ "fields": {
74
+ "name": [
75
+ "kubernetes.deployment.name"
76
+ ]
77
+ }
78
+ },
79
+ "x-sysdig-policy": {
80
+ "fields": {
81
+ "rule_name": [
82
+ "ruleName"
83
+ ],
84
+ "rule_type": [
85
+ "ruleType"
86
+ ],
87
+ "rule_subtype": [
88
+ "ruleSubType"
89
+ ],
90
+ "policy_id": [
91
+ "policyId"
92
+ ]
93
+ }
94
+ },
95
+ "x-cloud-provider": {
96
+ "fields": {
97
+ "account_id": [
98
+ "aws.accountId"
99
+ ],
100
+ "name": [
101
+ "cloudProvider.name"
102
+ ],
103
+ "region": [
104
+ "aws.region"
105
+ ]
106
+ }
107
+ }
108
+ }
109
+
110
+
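Review bot: `mac-addr.value` is searched against `machineId` here, but the to_stix map in this package builds `mac-addr.value` from the `host.mac` label, so a MAC copied from a returned observation is queried against a different field; unless Sysdig populates `machineId` and `host.mac` with the same value, pivoting on a MAC round-trips to an empty result. Confirm which field the Sysdig API actually filters on and make the two maps agree, either by mapping `"value": ["host.mac"]` here or by emitting `machineId` into the same STIX object on the result side. The two trailing blank lines at the end of the file are harmless but differ from the other JSON files in the package.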
@@ -0,0 +1,332 @@
1
+ {
2
+ "category": {
3
+ "key": "x-ibm-finding.x_category",
4
+ "object": "finding"
5
+ },
6
+ "originator": {
7
+ "key": "x-ibm-finding.x_threat_originator",
8
+ "object": "finding"
9
+ },
10
+ "source": {
11
+ "key": "x-ibm-finding.x_threat_source",
12
+ "object": "finding"
13
+ },
14
+ "agentId": {
15
+ "key": "x-ibm-finding.x_agent_id",
16
+ "object": "finding"
17
+ },
18
+ "finding_type": {
19
+ "key": "x-ibm-finding.finding_type",
20
+ "object": "finding"
21
+ },
22
+ "l4protocol": {
23
+ "key": "network-traffic.protocols",
24
+ "object": "network",
25
+ "transformer": "ToLowercaseArray"
26
+ },
27
+ "clientPort": {
28
+ "key": "network-traffic.src_port",
29
+ "object": "network",
30
+ "transformer": "ToInteger"
31
+ },
32
+ "serverPort": {
33
+ "key": "network-traffic.dst_port",
34
+ "object": "network",
35
+ "transformer": "ToInteger"
36
+ },
37
+ "serverIpv4": [
38
+ {
39
+ "key": "ipv4-addr.value",
40
+ "object": "dst_ip"
41
+ },
42
+ {
43
+ "key": "network-traffic.dst_ref",
44
+ "object": "network",
45
+ "references": "dst_ip"
46
+ }
47
+ ],
48
+ "clientIpv4": [
49
+ {
50
+ "key": "ipv4-addr.value",
51
+ "object": "src_ip"
52
+ },
53
+ {
54
+ "key": "network-traffic.src_ref",
55
+ "object": "network",
56
+ "references": "src_ip"
57
+ }
58
+ ],
59
+ "severity": {
60
+ "key": "x-ibm-finding.x_severity",
61
+ "object": "finding",
62
+ "transformer": "SeverityToScore"
63
+ },
64
+ "containerId": {
65
+ "key": "x-oca-asset.extensions.x-oca-container-ext.container_id",
66
+ "object": "asset"
67
+ },
68
+ "description": [
69
+ {
70
+ "key": "x-sysdig-policy.description",
71
+ "object": "policy"
72
+ },
73
+ {
74
+ "key": "x-ibm-finding.x_policy_ref",
75
+ "object": "finding",
76
+ "references": "policy"
77
+ }
78
+ ],
79
+ "content": {
80
+ "ruleName": {
81
+ "key": "x-sysdig-policy.rule_name",
82
+ "object": "policy"
83
+ },
84
+ "ruleType": {
85
+ "key": "x-sysdig-policy.rule_type",
86
+ "object": "policy"
87
+ },
88
+ "ruleSubType": {
89
+ "key": "x-sysdig-policy.rule_subtype",
90
+ "object": "policy"
91
+ },
92
+ "policyId": {
93
+ "key": "x-sysdig-policy.policy_id",
94
+ "object": "policy"
95
+ },
96
+ "fields": {
97
+ "falco.rule": {
98
+ "key": "x-ibm-finding.name",
99
+ "object": "finding"
100
+ },
101
+ "proc.cmdline": {
102
+ "key": "process.command_line",
103
+ "object": "proc"
104
+ },
105
+ "proc.name": [
106
+ {
107
+ "key": "file.name",
108
+ "object": "file"
109
+ },
110
+ {
111
+ "key": "process.name",
112
+ "object": "proc"
113
+ },
114
+ {
115
+ "key": "process.binary_ref",
116
+ "object": "proc",
117
+ "references": "file"
118
+ }
119
+ ],
120
+ "proc.pid": {
121
+ "key": "process.pid",
122
+ "object": "proc",
123
+ "transformer": "ToInteger"
124
+ },
125
+ "proc.sid": {
126
+ "key": "process.x_sid",
127
+ "object": "proc"
128
+ },
129
+ "proc.exepath": [
130
+ {
131
+ "key": "directory.path",
132
+ "object": "file_dir"
133
+ },
134
+ {
135
+ "key": "file.parent_directory_ref",
136
+ "object": "file",
137
+ "references": "file_dir"
138
+ }
139
+ ],
140
+ "proc.cwd": {
141
+ "key": "process.cwd",
142
+ "object": "proc"
143
+ },
144
+ "proc.pname": [
145
+ {
146
+ "key": "file.name",
147
+ "object": "parent_file"
148
+ },
149
+ {
150
+ "key": "process.name",
151
+ "object": "parent_proc"
152
+ },
153
+ {
154
+ "key": "process.parent_ref",
155
+ "object": "proc",
156
+ "references": "parent_proc"
157
+ },
158
+ {
159
+ "key": "process.binary_ref",
160
+ "object": "parent_proc",
161
+ "references": "parent_file"
162
+ }
163
+ ],
164
+ "proc.pcmdline": {
165
+ "key": "process.command_line",
166
+ "object": "parent_proc"
167
+ },
168
+ "proc.ppid": {
169
+ "key": "process.pid",
170
+ "object": "parent_proc",
171
+ "transformer": "ToInteger"
172
+ },
173
+ "proc.anames": {
174
+ "key": "process.x_parent_names",
175
+ "object": "parent_proc"
176
+ },
177
+ "user.loginname": {
178
+ "key": "user-account.account_login",
179
+ "object": "user"
180
+ },
181
+ "user.loginuid": {
182
+ "key": "user-account.x_loginuid",
183
+ "object": "user"
184
+ },
185
+ "user.name": [
186
+ {
187
+ "key": "user-account.display_name",
188
+ "object": "user"
189
+ },
190
+ {
191
+ "key": "process.creator_user_ref",
192
+ "object": "proc",
193
+ "references": "user"
194
+ }
195
+ ],
196
+ "user.uid": {
197
+ "key": "user-account.user_id",
198
+ "object": "user"
199
+ }
200
+ }
201
+ },
202
+ "labels": {
203
+ "host.hostName": {
204
+ "key": "x-oca-asset.hostname",
205
+ "object": "asset"
206
+ },
207
+ "container.image.digest": {
208
+ "key": "x-oca-asset.extensions.x-oca-container-ext.x_digest",
209
+ "object": "asset"
210
+ },
211
+ "container.image.id": {
212
+ "key": "x-oca-asset.extensions.x-oca-container-ext.image_id",
213
+ "object": "asset"
214
+ },
215
+ "container.image.tag": {
216
+ "key": "x-oca-asset.extensions.x-oca-container-ext.x_tag",
217
+ "object": "asset"
218
+ },
219
+ "container.image.repo": {
220
+ "key": "x-oca-asset.extensions.x-oca-container-ext.x_repo",
221
+ "object": "asset"
222
+ },
223
+ "container.label.io.kubernetes.pod.name": {
224
+ "key": "x-oca-asset.extensions.x-oca-pod-ext.pod_name",
225
+ "object": "asset"
226
+ },
227
+ "container.label.io.kubernetes.pod.namespace": {
228
+ "key": "x-oca-asset.extensions.x-oca-pod-ext.x_namespace",
229
+ "object": "asset"
230
+ },
231
+ "container.name": {
232
+ "key": "x-oca-asset.extensions.x-oca-container-ext.name",
233
+ "object": "asset"
234
+ },
235
+ "host.mac": [
236
+ {
237
+ "key": "mac-addr.value",
238
+ "object": "mac"
239
+ },
240
+ {
241
+ "key": "x-oca-asset.mac_refs",
242
+ "object": "asset",
243
+ "references": [
244
+ "mac"
245
+ ]
246
+ }
247
+ ],
248
+ "kubernetes.cluster.name": [
249
+ {
250
+ "key": "x-sysdig-cluster.name",
251
+ "object": "cluster"
252
+ },
253
+ {
254
+ "key": "x-ibm-finding.x_cluster_ref",
255
+ "object": "finding",
256
+ "references": "cluster"
257
+ },
258
+ {
259
+ "key": "x-sysdig-cluster.x_node_ref",
260
+ "object": "cluster",
261
+ "references": "asset"
262
+ }
263
+ ],
264
+ "kubernetes.daemonSet.name": {
265
+ "key": "x-sysdig-cluster.daemonset",
266
+ "object": "cluster"
267
+ },
268
+ "kubernetes.namespace.name": {
269
+ "key": "x-sysdig-cluster.namespace",
270
+ "object": "cluster"
271
+ },
272
+ "kubernetes.deployment.name": [
273
+ {
274
+ "key": "x-sysdig-deployment.name",
275
+ "object": "deployment"
276
+ },
277
+ {
278
+ "key": "x-ibm-finding.x_deployment_ref",
279
+ "object": "finding",
280
+ "references": "deployment"
281
+ }
282
+ ],
283
+ "kubernetes.node.name": [
284
+ {
285
+ "key": "ipv4-addr.value",
286
+ "object": "ip",
287
+ "transformer": "HostnameToIpAddress"
288
+ },
289
+ {
290
+ "key": "x-oca-asset.ip_refs",
291
+ "object": "asset",
292
+ "references": [
293
+ "ip"
294
+ ]
295
+ }
296
+ ],
297
+ "kubernetes.workload.name": {
298
+ "key": "x-ibm-finding.x_workload_name",
299
+ "object": "finding"
300
+ },
301
+ "kubernetes.workload.type": {
302
+ "key": "x-ibm-finding.x_workload_type",
303
+ "object": "finding"
304
+ },
305
+ "aws.accountId": {
306
+ "key": "x-cloud-provider.account_id",
307
+ "object": "cloud_provider"
308
+ },
309
+ "cloudProvider.name": {
310
+ "key": "x-cloud-provider.name",
311
+ "object": "cloud_provider"
312
+ },
313
+ "aws.region": {
314
+ "key": "x-cloud-provider.region",
315
+ "object": "cloud_provider"
316
+ },
317
+ "aws.instanceId": {
318
+ "key": "x-cloud-resource.aws_instance_id",
319
+ "object": "cloud_resource"
320
+ }
321
+ },
322
+ "timestamp": [
323
+ {
324
+ "key": "first_observed",
325
+ "transformer": "TimestampConversion"
326
+ },
327
+ {
328
+ "key": "last_observed",
329
+ "transformer": "TimestampConversion"
330
+ }
331
+ ]
332
+ }
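Review bot: `kubernetes.node.name` is converted into an `ipv4-addr` through `HostnameToIpAddress` (the last entries of `labels`), and the transformer itself is not in this hunk, so it is unclear whether it parses an `ip-10-0-1-23` style node name or performs a resolver lookup; if it is a lookup, result translation issues one DNS query per record for a name supplied by the data source, from the stix-shifter host rather than the cluster where the name is meaningful, which is slow, non-deterministic and silently wrong on a private-zone mismatch. Either way the emitted address is derived from a label, not observed traffic, and the transformer should carry a comment stating which method it uses and what it does on failure. Separately, `proc.exepath` is mapped to `directory.path` with no transformer, so if it carries the full executable path as in Falco, the `directory` object receives a file path rather than its parent directory; a dirname transformer or a `file.name` pairing would keep `file.parent_directory_ref` meaningful.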