Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
stix-shifter-modules-cybereason
Advanced tools
Tools and interface to translate STIX formatted results and queries to different data source formats and to set up appropriate connection strings for invoking and triggering actions in openwhisk
STIX-shifter is an open source python library allowing software to connect to products that house data repositories by using STIX Patterning, and return results as STIX Observations.
This library takes in STIX 2 Patterns as input, and "finds" data that matches the patterns inside various products that house repositories of cybersecurity data. Examples of such products include SIEM systems, endpoint management systems, threat intelligence platforms, orchestration platforms, network control points, data lakes, and more.
In addition to "finding" the data by using these patterns, STIX-Shifter also transforms the output into STIX 2 Observations. Why would we do that you ask? To put it simply - so that all of the security data, regardless of the source, mostly looks and behaves the same.
Project Documentation
For general information about STIX, this project, and the command line utilities, see the STIX-shifter Documentation
The recommended method for installing stix-shifter is via pip. Two prerequisite packages needs to be installed inlcuding the package of stix-shifter connector module to complete a stix-shifter connector installation. Run the below commands to install all the packages:
Main stix-shifter package: pip install stix-shifter
Stix-shifter Utility package: pip install stix-shifter-utils
Desired stix-shifter connector module package: pip install stix-shifter-modules-<module name>
Example: pip install stix-shifter-modules-qradar
STIX-shifter requries Python 3.8 or greater. See the requirements file for library dependencies.
STIX-Shifter can use used the following ways:
The STIX-Shifter comes with a bundled script which you can use to translate STIX Pattern to a native datasource query. It can also be used to translate a JSON data source query result to a STIX bundle of observable objects. You can also send query to a datasource by using a transmission option.
More details of the command line option can be found here
$ stix-shifter translate <MODULE NAME> query "<STIX IDENTITY OBJECT>" "<STIX PATTERN>" "<OPTIONS>"
Example:
$ stix-shifter translate qradar query {} "[ipv4-addr:value = '127.0.0.1']" {}
In order to build stix-shifter
packages from source follow the below prerequisite steps:
virtualenv -p python3 virtualenv && source virtualenv/bin/activate
python3 setup.py install
You may also use the python3 main.py
script. All the options are the same as the command line utility described above.
Example:
python3 main.py translate qradar query {} "[ipv4-addr:value = '127.0.0.1']" {}
In order to run python3 main.py
from the source follow the below prerequisite steps:
virtualenv -p python3 virtualenv && source virtualenv/bin/activate
INSTALL_REQUIREMENTS_ONLY=1 python3 setup.py install
.Note: setup.py only installs dependencies when INSTALL_REQUIREMENTS_ONLY=1 directive is used. This option is similar to python3 generate_requirements.py && pip install -r requirements.txt
You can also use this library to integrate STIX Shifter into your own tools. You can translate a STIX Pattern:
from stix_shifter.stix_translation import stix_translation
translation = stix_translation.StixTranslation()
response = translation.translate('<MODULE NAME>', 'query', '{}', '<STIX PATTERN>', '<OPTIONS>')
print(response)
If a connector has been installed using pip, the process for editing the STIX mappings is different than if you have pulled-down the project. When working locally, you can edit the mapping files directly. See the mapping files for the MySQL connector as an example. Editing the mapping files won't work if the connector has been installed with pip; the setup script of the stix-shifter package includes the mapppings inside config.json
. This allows stix-shifter to injest custom mappings as part of the connector's configuration.
Refer to Use of custom mappings for more details on how to edit the mappings in the configuration.
We are thrilled you are considering contributing! We welcome all contributors. Please read our guidelines for contributing.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Click here and fill out the form to receive an invite to the Open Cybersecurity Alliance slack instance, then join the #stix-shifter channel, to meet and discuss usage with the team.
Click here to view an introduction webinar on STIX Shifter and the use cases it solves for.
FAQs
Tools and interface to translate STIX formatted results and queries to different data source formats and to set up appropriate connection strings for invoking and triggering actions in openwhisk
We found that stix-shifter-modules-cybereason demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.