opencybersecurityalliance/stix-shifter

QRadar module incorrectly maps QRadar domain to domain-name:value

pcoccoli opened this issue · 1 comment

In the to_stix_map.json, we see this:

  "domainname": [
    {
      "key": "domain-name.value",
      "object": "domain2",
      "transformer": "ToDomainName"
    },
    {
      "key": "x-qradar.domain_name",
      "object": "x-qradar"
    }
  ],

If you look at any STIX pattern translated to AQL, in the SELECT clause you will see DOMAINNAME(domainid) as domainname. QRadar's domainid and domainname are unrelated to DNS domain names. That first mapping above should be removed.

In the events_from_stix_map.json, there's this:

  "domain-name": {
    "fields": {
      "value": ["domainname", "UrlHost"]
    }
  }

This unnecessarily adds domainname LIKE '%example.com%'. If someone wants to search for QRadar domains by name, there should be a mapping from x-qradar:domain_name to domainname.

This bug is fixed in #1342
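To make the two mapping directions the issue talks about concrete, here is an added example that is not stix-shifter code and not part of the original issue. It is a deliberately minimal stand-in for the translator: the JSON fragments mirror the ones quoted above, while the mapping engine itself, the sample QRadar row, the behaviour of the `ToDomainName` transformer, and the "fixed" maps are assumptions made for illustration (the real fix is whatever #1342 landed). Running it shows the original `to_stix_map` turning the QRadar domain name into a bogus `domain-name` object, and the original `events_from_stix_map` pulling `domainname` into the AQL WHERE clause for a DNS search.

```python
"""Added example (not stix-shifter code): simulate how a to_stix_map.json-style
mapping turns QRadar columns into STIX objects, and how an
events_from_stix_map.json-style mapping turns a STIX comparison into AQL.
The engine below is a simplified stand-in for the real translator."""

# to_stix_map.json fragment as quoted in the issue.
TO_STIX_ORIGINAL = {
    "domainname": [
        {"key": "domain-name.value", "object": "domain2", "transformer": "ToDomainName"},
        {"key": "x-qradar.domain_name", "object": "x-qradar"},
    ],
}

# Assumed fix: drop the domain-name mapping, keep only the custom property.
TO_STIX_FIXED = {
    "domainname": [
        {"key": "x-qradar.domain_name", "object": "x-qradar"},
    ],
}

# events_from_stix_map.json fragment as quoted in the issue.
FROM_STIX_ORIGINAL = {
    "domain-name": {"fields": {"value": ["domainname", "UrlHost"]}},
}

# Assumed fix: DNS names search only UrlHost; QRadar domains get their own path.
FROM_STIX_FIXED = {
    "domain-name": {"fields": {"value": ["UrlHost"]}},
    "x-qradar": {"fields": {"domain_name": ["domainname"]}},
}

# Assumption: the transformer only trims whitespace; the real one may do more.
TRANSFORMERS = {"ToDomainName": lambda v: str(v).strip()}

# Constructed QRadar result row: domainid/domainname are the QRadar tenant
# domain, UrlHost is the only column that carries a DNS host name.
SAMPLE_ROW = {"domainid": 0, "domainname": "Default Domain", "UrlHost": "www.example.com"}


def to_stix_objects(row, mapping):
    """Turn one QRadar result row into STIX cyber-observable objects.
    Returns {object_name: {"type": <stix type>, <property>: <value>, ...}}."""
    objects = {}
    for column, rules in mapping.items():
        if column not in row:
            continue
        for rule in rules:
            stix_type, prop = rule["key"].split(".", 1)
            value = row[column]
            if "transformer" in rule:
                value = TRANSFORMERS[rule["transformer"]](value)
            obj = objects.setdefault(rule["object"], {"type": stix_type})
            obj[prop] = value
    return objects


def domain_name_values(objects):
    """Values of every domain-name object produced; the check the issue
    is really about is that this list does not contain a QRadar domain."""
    return [o["value"] for o in objects.values() if o["type"] == "domain-name"]


def aql_where(stix_object, stix_property, operator, value, mapping):
    """Translate one STIX comparison (object:property operator 'value')
    into an AQL WHERE fragment, one clause per mapped column, OR-ed together."""
    fields = mapping[stix_object]["fields"][stix_property]
    safe = value.replace("'", "''")  # AQL string literals double embedded quotes
    clauses = [f"{field} {operator} '{safe}'" for field in fields]
    if len(clauses) == 1:
        return clauses[0]
    return "(" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    print("original to-STIX:", domain_name_values(to_stix_objects(SAMPLE_ROW, TO_STIX_ORIGINAL)))
    print("fixed to-STIX:   ", domain_name_values(to_stix_objects(SAMPLE_ROW, TO_STIX_FIXED)))
    print("original AQL:", aql_where("domain-name", "value", "LIKE", "%example.com%", FROM_STIX_ORIGINAL))
    print("fixed AQL:   ", aql_where("domain-name", "value", "LIKE", "%example.com%", FROM_STIX_FIXED))
    print("QRadar domain search:", aql_where("x-qradar", "domain_name", "=", "Default Domain", FROM_STIX_FIXED))
```

With the original maps, `domain_name_values` returns `['Default Domain']` for the sample row, i.e. a `domain-name` observable that no DNS lookup would ever match, and the DNS search expands to `(domainname LIKE '%example.com%' OR UrlHost LIKE '%example.com%')`. With the assumed fixed maps the `domain-name` object disappears, the DNS search becomes `UrlHost LIKE '%example.com%'`, and a QRadar tenant-domain search is expressed separately as `x-qradar:domain_name`.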