Paul Coccoli
kestrel_datasource_stixbundle and kestrel_analytics_docker are "built-ins" but some kestrel installations may not use them. Since the datasource and analytics interfaces are modular, we should not build these in as it makes...
**Describe the bug** Kestrel does not accept newlines inside STIX patterns, but accepts newlines elsewhere inside statements. **Details of the bug** Statement: ``` reg = get process from file:///home/pcoccoli/Data/STIX/mitre-brawl.json where...
**Describe the bug** Unable to use any markdown file with fenced code blocks, like the terminal_ext example **To Reproduce** Steps to reproduce the behavior: ``` lookatme ~/Downloads/example.md ``` **Expected behavior**...
**Describe the bug** Some connectors (like qradar) are adding wildcards to the start and end of the user's value when translating the `LIKE` operator. The `LIKE` operator comes from SQL,...
**Describe the bug** Many connector modules have `from_stix_map`s that map STIX references (e.g. `email-message:from_ref`) instead of mapping a *property* of the referenced object (in this example `email-message:from_ref.value` since `from_ref` references...
**Is your feature request related to a problem? Please describe.** stix-shifter "to_stix_map" mappings are currently "dumb", meaning that they map a native result field to a STIX property regardless of...
**Is your feature request related to a problem? Please describe.** STIX 2.1 introduced a unary `EXISTS` operator: https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_t11hn314cr7w None of the stix-shifter modules support it. **Describe the solution you'd like**...
**Describe the bug** crowdstrike connector does not support LIKE but FQL supports wildcards; see https://falconpy.io/Usage/Falcon-Query-Language.html#operators **To Reproduce** Steps to reproduce the behavior: 1. `python main.py translate crowdstrike query '{}' "[process:name...
**Describe the bug** Kestrel is trying to use `x_unique_id` (in prefetch) which causes stix-shifter to throw an error **Details of the bug** - What is the hunt flow/script you are...