Resolved an issue where severity mapping in the from_stix was using t…

…ext instead of int. (#1722) * Resolved some issues with the Tanium image. Signed-off-by: DerekRushton <[email protected]> * Tanium test fixed and stix2.1 Signed-off-by: DerekRushton <[email protected]> * Fixed severity mapping. Signed-off-by: DerekRushton <[email protected]> * Severity test fix. Signed-off-by: DerekRushton <[email protected]> --------- Signed-off-by: DerekRushton <[email protected]>
opencybersecurityalliance · Aug 15, 2024 · 7a9e027 · 7a9e027
1 parent 6b19a23
commit 7a9e027
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/stix_shifter_modules/tanium/stix_translation/query_constructor.py b/stix_shifter_modules/tanium/stix_translation/query_constructor.py
@@ -1,4 +1,5 @@
 import regex
+from stix_shifter_modules.tanium.stix_translation.transformers import ConvertTextSeverityToNumberValue
 from stix_shifter_utils.stix_translation.src.patterns.pattern_objects import ObservationExpression, ComparisonExpression, \
     Pattern,\
     CombinedComparisonExpression, CombinedObservationExpression
@@ -27,14 +28,27 @@ def _format_start_stop_qualifier(self, expression, qualifier) -> str:
         stop = qualifier_split[3]
         qualified_query = f"{expression}&alertedAtFrom={start}&alertedAtUntil={stop}"
         return qualified_query
+
+    @staticmethod
+    def _format_severity(self, value):
+        if(value < 40):
+            return "info"
+        elif(value >= 40 and value < 80):
+            return "low"
+        elif(value >= 80):
+            return "high"
 
     @staticmethod
     def _parse_mapped_fields(self, value, comparator, mapped_fields_array):
-        {}
+        if(mapped_fields_array[0] == "severity"):
+            value = QueryStringPatternTranslator._format_severity(self, value)
         parsed_fields = f"{mapped_fields_array[0]}{comparator}{value}"
+
         if(comparator == "IN"):
             parsed_fields = ""
             for current_value in value.values:
+                if(mapped_fields_array[0] == "severity"):
+                    value = QueryStringPatternTranslator._format_severity(self, value)
                 parsed_fields += f"{mapped_fields_array[0]}={current_value}&"
             parsed_fields = parsed_fields[:-1]
         return parsed_fields

diff --git a/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py b/stix_shifter_modules/tanium/tests/stix_translation/test_from_stix_to_query.py
@@ -95,7 +95,7 @@ def test_event_oca_query(self):
                             " AND [x-oca-event:host_ref.ip_refs.value = '10.0.0.4']" \
                             " AND [x-oca-event:host_ref.os_ref.name = 'windows']" \
                             " AND [x-oca-event:file_ref.parent_directory_ref.path = 'Application']" \
-                            " AND [x-oca-event:severity = 'info']" \
+                            " AND [x-oca-event:severity = 0]" \
                             " AND [x-oca-event:x_ttp_tagging_refs.technique_id = 'T1204']" \
                             " START t'2022-07-01T00:00:00.000Z'" \
                             " STOP t'2024-07-27T00:05:00.000Z'"
@@ -118,7 +118,7 @@ def test_event_oca_query(self):
     def test_ibm_finding(self):
         stix_pattern = "([x-ibm-finding:dst_ip_ref.value = '10.0.0.4']" \
                         " AND [x-ibm-finding:name = 'Outlook Spawned Process Creating DLL Files']" \
-                        " AND [x-ibm-finding:severity = 'info']" \
+                        " AND [x-ibm-finding:severity = 0]" \
                         " AND [x-ibm-finding:dst_os_ref.name = 'windows']" \
                         " AND [x-ibm-finding:x_ttp_tagging_refs.technique_id = 'T1204']" \
                         " AND [x-ibm-finding:x_guid = '00000000-0000-0000-114a-7429237cffc5']" \