Fixed severity mapping.

Signed-off-by: DerekRushton <[email protected]>
opencybersecurityalliance · Aug 15, 2024 · 4d9148e · 4d9148e
1 parent aea948c
commit 4d9148e
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/stix_shifter_modules/tanium/stix_translation/query_constructor.py b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
@@ -1,4 +1,5 @@
 import regex
+from stix_shifter_modules.tanium.stix_translation.transformers import ConvertTextSeverityToNumberValue
 from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, ComparisonExpression, \
     Pattern,\
     CombinedComparisonExpression, CombinedObservationExpression
@@ -27,14 +28,27 @@ def _format_start_stop_qualifier(self, expression, qualifier) -> str:
         stop = qualifier_split[3]
         qualified_query = f"{expression}&alertedAtFrom={start}&alertedAtUntil={stop}"
         return qualified_query
+
+    @staticmethod
+    def _format_severity(self, value):
+        if(value < 40):
+            return "info"
+        elif(value >= 40 and value < 80):
+            return "low"
+        elif(value >= 80):
+            return "high"
 
     @staticmethod
     def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
-        {}
+        if(mapped_fields_array[0] == "severity"):
+            value = QueryStringPatternTranslator._format_severity(self, value)
         parsed_fields = f"{mapped_fields_array[0]}{comparator}{value}"
+
         if(comparator == "IN"):
             parsed_fields = ""
             for current_value in value.values:
+                if(mapped_fields_array[0] == "severity"):
+                    value = QueryStringPatternTranslator._format_severity(self, value)
                 parsed_fields += f"{mapped_fields_array[0]}={current_value}&"
             parsed_fields = parsed_fields[:-1]
         return parsed_fields