🐛 fix(mappers): iterate all matching outcomes instead of first only

Author: Kakudou

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/converter_to_stix.py

@@ -13,7 +13,7 @@
 
 
 class ConverterToStix:
-    """Convert Google SecOps Chronicle alerts into flat lists of STIX 2.1 objects."""
+    """Convert Google SecOps alerts into flat lists of STIX 2.1 objects."""
 
     def __init__(
         self,
@@ -31,10 +31,10 @@ def __init__(
         self.tlp_marking = TLPMarking(level=TLPLevel(tlp_level)).to_stix2_object()
 
     def convert_rule_alert(self, alert: Alert, rule_metadata: RuleMetadata) -> list:
-        """Convert a single Chronicle alert into a flat list of STIX objects.
+        """Convert a single alert into a flat list of STIX objects.
 
         Args:
-            alert: The Chronicle detection alert.
+            alert: The detection alert.
             rule_metadata: Metadata for the rule that triggered the alert.
 
         Returns:
@@ -44,7 +44,7 @@ def convert_rule_alert(self, alert: Alert, rule_metadata: RuleMetadata) -> list:
             alert, rule_metadata, author=self.author, tlp_marking=self.tlp_marking
         )
 
-        hostname = map_hostname(
+        hostnames = map_hostname(
             alert.outcomes, author=self.author, tlp_marking=self.tlp_marking
         )
         ips = map_ip_addresses(
@@ -58,8 +58,7 @@ def convert_rule_alert(self, alert: Alert, rule_metadata: RuleMetadata) -> list:
         )
 
         observables: list = []
-        if hostname:
-            observables.append(hostname)
+        observables.extend(hostnames)
         observables.extend(ips)
         observables.extend(users)
         observables.extend(files)

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/__init__.py

@@ -1 +1 @@
-"""Mapper modules for converting Chronicle alert data to connectors_sdk models."""
+"""Mapper modules for converting alert data to connectors_sdk models."""

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/_utils.py

@@ -17,3 +17,16 @@ def find_outcome(outcomes: list[Outcome], name: str) -> Outcome | None:
         if o.name == name:
             return o
     return None
+
+
+def find_all_outcomes(outcomes: list[Outcome], name: str) -> list[Outcome]:
+    """Return all outcomes matching name.
+
+    Args:
+        outcomes: List of alert outcomes to search.
+        name: Outcome name to match.
+
+    Returns:
+        List of matching Outcome objects (may be empty).
+    """
+    return [o for o in outcomes if o.name == name]

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/file_mapper.py

@@ -1,10 +1,11 @@
-"""Map Chronicle alert outcomes to File observables."""
+"""Map alert outcomes to File observables."""
 
 from typing import Any
 
 from connectors_sdk.models import File
 from connectors_sdk.models.enums import HashAlgorithm
-from google_secops_siem_incidents.mappers._utils import find_outcome
+
+from google_secops_siem_incidents.mappers._utils import find_all_outcomes
 from google_secops_siem_incidents.models.rule_alert_response import Outcome
 
 
@@ -46,25 +47,27 @@ def map_files(
 
     result = []
     for path_name, sha256_name in pairs:
-        path_outcome = find_outcome(outcomes, path_name)
-        if path_outcome is None or not path_outcome.string_val:
-            continue
-
-        path = path_outcome.string_val
-        name = _basename(path)
-
-        sha256_outcome = find_outcome(outcomes, sha256_name)
-        hashes = None
-        if sha256_outcome and sha256_outcome.string_val:
-            hashes = {HashAlgorithm.SHA256: sha256_outcome.string_val}
-
-        result.append(
-            File(
-                name=name,
-                hashes=hashes,
-                author=author,
-                markings=[tlp_marking],
+        path_outcomes = find_all_outcomes(outcomes, path_name)
+        sha256_outcomes = find_all_outcomes(outcomes, sha256_name)
+
+        for i, path_outcome in enumerate(path_outcomes):
+            if not path_outcome.string_val:
+                continue
+
+            path = path_outcome.string_val
+            name = _basename(path)
+
+            hashes = None
+            if i < len(sha256_outcomes) and sha256_outcomes[i].string_val:
+                hashes = {HashAlgorithm.SHA256: sha256_outcomes[i].string_val}
+
+            result.append(
+                File(
+                    name=name,
+                    hashes=hashes,
+                    author=author,
+                    markings=[tlp_marking],
+                )
             )
-        )
 
     return result

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/hostname_mapper.py

@@ -1,9 +1,10 @@
-"""Map Chronicle alert outcomes to a Hostname observable."""
+"""Map alert outcomes to Hostname observables."""
 
 from typing import Any
 
 from connectors_sdk.models import Hostname
-from google_secops_siem_incidents.mappers._utils import find_outcome
+
+from google_secops_siem_incidents.mappers._utils import find_all_outcomes
 from google_secops_siem_incidents.models.rule_alert_response import Outcome
 
 
@@ -12,22 +13,25 @@ def map_hostname(
     *,
     author: Any,
     tlp_marking: Any,
-) -> Hostname | None:
-    """Extract a Hostname observable from the principal_hostname alert outcome.
+) -> list[Hostname]:
+    """Extract Hostname observables from all principal_hostname alert outcomes.
 
     Args:
         outcomes: List of alert outcomes to inspect.
         author: STIX author identity object.
         tlp_marking: TLP marking definition object.
 
     Returns:
-        Hostname observable, or None if the outcome is absent.
+        List of Hostname observables (may be empty).
     """
-    outcome = find_outcome(outcomes, "principal_hostname")
-    if outcome is None or not outcome.string_val:
-        return None
-    return Hostname(
-        value=outcome.string_val,
-        author=author,
-        markings=[tlp_marking],
-    )
+    result = []
+    for outcome in find_all_outcomes(outcomes, "principal_hostname"):
+        if outcome.string_val:
+            result.append(
+                Hostname(
+                    value=outcome.string_val,
+                    author=author,
+                    markings=[tlp_marking],
+                )
+            )
+    return result

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/incident_mapper.py

@@ -1,4 +1,4 @@
-"""Map a Chronicle Alert + RuleMetadata to a connectors_sdk Incident."""
+"""Map a Alert + RuleMetadata to a connectors_sdk Incident."""
 
 from datetime import datetime
 from typing import Any
@@ -16,10 +16,10 @@ def map_incident(
     author: Any,
     tlp_marking: Any,
 ) -> Incident:
-    """Map a Chronicle alert and rule metadata to a connectors_sdk Incident.
+    """Map a alert and rule metadata to a connectors_sdk Incident.
 
     Args:
-        alert: The Chronicle detection alert.
+        alert: The detection alert.
         rule_metadata: Rule metadata associated with the alert.
         author: STIX author identity object.
         tlp_marking: TLP marking definition object.

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/ip_mapper.py

@@ -1,9 +1,10 @@
-"""Map Chronicle alert outcomes to IPv4 or IPv6 address observables."""
+"""Map alert outcomes to IPv4 or IPv6 address observables."""
 
 from typing import Any
 
 from connectors_sdk.models import IPV4Address, IPV6Address
-from google_secops_siem_incidents.mappers._utils import find_outcome
+
+from google_secops_siem_incidents.mappers._utils import find_all_outcomes, find_outcome
 from google_secops_siem_incidents.models.rule_alert_response import Outcome
 
 
@@ -13,7 +14,7 @@ def map_ip_addresses(
     author: Any,
     tlp_marking: Any,
 ) -> list[IPV4Address | IPV6Address]:
-    """Extract IPv4 or IPv6 address observables from the principal_ip alert outcome.
+    """Extract IPv4 or IPv6 address observables from all principal_ip alert outcomes.
 
     Args:
         outcomes: List of alert outcomes to inspect.
@@ -23,23 +24,26 @@ def map_ip_addresses(
     Returns:
         List of IPv4 or IPv6 address observables (may be empty).
     """
-    ip_outcome = find_outcome(outcomes, "principal_ip")
-    if ip_outcome is None or ip_outcome.string_seq is None:
-        return []
-
-    ips = ip_outcome.string_seq.string_vals
-    if not ips:
+    ip_outcomes = find_all_outcomes(outcomes, "principal_ip")
+    if not ip_outcomes:
         return []
 
     ipv6_outcome = find_outcome(outcomes, "SourceIsIpv6")
     is_ipv6 = ipv6_outcome is not None and ipv6_outcome.string_val == "true"
 
     result = []
-    for ip in ips:
-        if not ip or not ip.strip():
+    for ip_outcome in ip_outcomes:
+        if ip_outcome.string_seq is None:
             continue
-        if is_ipv6:
-            result.append(IPV6Address(value=ip, author=author, markings=[tlp_marking]))
-        else:
-            result.append(IPV4Address(value=ip, author=author, markings=[tlp_marking]))
+        for ip in ip_outcome.string_seq.string_vals:
+            if not ip or not ip.strip():
+                continue
+            if is_ipv6:
+                result.append(
+                    IPV6Address(value=ip, author=author, markings=[tlp_marking])
+                )
+            else:
+                result.append(
+                    IPV4Address(value=ip, author=author, markings=[tlp_marking])
+                )
     return result

external-import/google-secops-siem-incidents/src/google_secops_siem_incidents/mappers/user_account_mapper.py

@@ -1,10 +1,11 @@
-"""Map Chronicle alert outcomes to UserAccount observables."""
+"""Map alert outcomes to UserAccount observables."""
 
 from typing import Any
 
 from connectors_sdk.models import UserAccount
 from connectors_sdk.models.enums import AccountType
-from google_secops_siem_incidents.mappers._utils import find_outcome
+
+from google_secops_siem_incidents.mappers._utils import find_all_outcomes
 from google_secops_siem_incidents.models.rule_alert_response import Outcome
 
 
@@ -30,7 +31,7 @@ def map_user_accounts(
     author: Any,
     tlp_marking: Any,
 ) -> list[UserAccount]:
-    """Extract deduplicated UserAccount observables from principal and target user outcomes.
+    """Extract deduplicated UserAccount observables from all principal and target user outcomes.
 
     Args:
         outcomes: List of alert outcomes to inspect.
@@ -40,23 +41,14 @@ def map_user_accounts(
     Returns:
         Deduplicated list of UserAccount observables.
     """
-    principal_outcome = find_outcome(outcomes, "principal_user_userid")
-    target_outcome = find_outcome(outcomes, "target_user_userid")
-
-    principal_ids = (
-        principal_outcome.string_seq.string_vals
-        if principal_outcome and principal_outcome.string_seq
-        else []
-    )
-    target_ids = (
-        target_outcome.string_seq.string_vals
-        if target_outcome and target_outcome.string_seq
-        else []
-    )
-
-    unique_ids = list(
-        dict.fromkeys(uid for uid in principal_ids + target_ids if uid and uid.strip())
-    )
+    all_ids: list[str] = []
+    for outcome in find_all_outcomes(
+        outcomes, "principal_user_userid"
+    ) + find_all_outcomes(outcomes, "target_user_userid"):
+        if outcome.string_seq:
+            all_ids.extend(outcome.string_seq.string_vals)
+
+    unique_ids = list(dict.fromkeys(uid for uid in all_ids if uid and uid.strip()))
 
     return [
         UserAccount(

external-import/google-secops-siem-incidents/tests/test_connector_e2e.py

@@ -18,6 +18,7 @@
     RulePropertiesFactory,
     make_hostname_outcomes,
     make_ip_outcomes,
+    make_multi_hostname_outcomes,
 )
 
 # =====================
@@ -41,26 +42,26 @@ def expected_full_run_log_messages() -> list[str]:
         "[CONNECTOR] Run started - {'start_time':",
         "[CONNECTOR] Batch fetched - {'batch_num': 1, 'rule_alerts': 1, 'alerts': 2}",
         (
-            "[CONNECTOR] Batch converted to STIX - {'batch_num': 1, 'stix_count': '10 (~10 unique)',"
-            " 'type_summary': 'hostname: 2, incident: 2, ipv4-addr: 2, relationship: 4'}"
+            "[CONNECTOR] Batch converted to STIX - {'batch_num': 1, 'stix_count': '14 (~14 unique)',"
+            " 'type_summary': 'hostname: 3, incident: 2, ipv4-addr: 3, relationship: 6'}"
         ),
         (
             "[CONNECTOR] Bundle sent - {'batch_num': 1, 'work_id': 'work-id-123',"
-            " 'stix_count': '12 (~12 unique)',"
-            " 'type_summary': 'hostname: 2, identity: 1, incident: 2, ipv4-addr: 2, marking-definition: 1, relationship: 4'}"
+            " 'stix_count': '16 (~16 unique)',"
+            " 'type_summary': 'hostname: 3, identity: 1, incident: 2, ipv4-addr: 3, marking-definition: 1, relationship: 6'}"
         ),
         "[CONNECTOR] Batch fetched - {'batch_num': 2, 'rule_alerts': 1, 'alerts': 2}",
         (
-            "[CONNECTOR] Batch converted to STIX - {'batch_num': 2, 'stix_count': '10 (~10 unique)',"
-            " 'type_summary': 'hostname: 2, incident: 2, ipv4-addr: 2, relationship: 4'}"
+            "[CONNECTOR] Batch converted to STIX - {'batch_num': 2, 'stix_count': '14 (~14 unique)',"
+            " 'type_summary': 'hostname: 3, incident: 2, ipv4-addr: 3, relationship: 6'}"
         ),
         (
             "[CONNECTOR] Bundle sent - {'batch_num': 2, 'work_id': 'work-id-123',"
-            " 'stix_count': '12 (~12 unique)',"
-            " 'type_summary': 'hostname: 2, identity: 1, incident: 2, ipv4-addr: 2, marking-definition: 1, relationship: 4'}"
+            " 'stix_count': '16 (~16 unique)',"
+            " 'type_summary': 'hostname: 3, identity: 1, incident: 2, ipv4-addr: 3, marking-definition: 1, relationship: 6'}"
         ),
         "[CONNECTOR] State updated - {'total_batches': 2, 'last_alert_timestamp':",
-        "[CONNECTOR] Run completed - {'total_batches': 2, 'total_alerts': 4, 'total_stix_objects': '20 (~16 unique)',",
+        "[CONNECTOR] Run completed - {'total_batches': 2, 'total_alerts': 4, 'total_stix_objects': '28 (~22 unique)',",
     ]
 
 
@@ -71,7 +72,7 @@ def expected_resume_run_log_messages() -> list[str]:
         "[CONNECTOR] Run started - {'start_time': '2024-03-01T12:00:00+00:00',",
         "[CONNECTOR] Batch fetched - {'batch_num': 1, 'rule_alerts': 1, 'alerts': 2}",
         "[CONNECTOR] Batch fetched - {'batch_num': 2, 'rule_alerts': 1, 'alerts': 2}",
-        "[CONNECTOR] Run completed - {'total_batches': 2, 'total_alerts': 4, 'total_stix_objects': '20 (~16 unique)',",
+        "[CONNECTOR] Run completed - {'total_batches': 2, 'total_alerts': 4, 'total_stix_objects': '28 (~22 unique)',",
     ]
 
 
@@ -242,12 +243,12 @@ def _build_batch(detection_ts: str) -> RuleAlertResponse:
     """Build a RuleAlertResponse with 2 alerts sharing the same detection_timestamp."""
     alert1 = AlertFactory.build(
         fields=[AlertFieldFactory.build(name="ip", string_val="10.0.0.1")],
-        outcomes=make_hostname_outcomes("host1.local") + make_ip_outcomes(["10.0.0.1"]),
+        outcomes=make_multi_hostname_outcomes(["host1a.local", "host1b.local"]) + make_ip_outcomes(["10.0.0.1", "10.0.0.2"]),
         detection_timestamp=detection_ts,
     )
     alert2 = AlertFactory.build(
-        fields=[AlertFieldFactory.build(name="ip", string_val="10.0.0.2")],
-        outcomes=make_hostname_outcomes("host2.local") + make_ip_outcomes(["10.0.0.2"]),
+        fields=[AlertFieldFactory.build(name="ip", string_val="10.0.0.3")],
+        outcomes=make_hostname_outcomes("host2.local") + make_ip_outcomes(["10.0.0.3"]),
         detection_timestamp=detection_ts,
     )
     rule_alert = RuleAlertFactory.build(