

feat: add support for CIM v5.3.2 (#853)
Added support for cim v5.3.2.

- Updated data models with new child datasets in various models.
- Updated the required fields to match v5.3.2.
- Added optional fields as per v5.3.2.

Detailed comparison and analysis between v4.15.0 and v5.3.2 can be found
here:
https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit#gid=1147250948
harshilgajera-crest authored Jul 1, 2024
1 parent 42b6a3b commit 5e7d1e8
Showing 16 changed files with 542 additions and 74 deletions.
58 changes: 54 additions & 4 deletions pytest_splunk_addon/data_models/Alerts.json
Expand Up @@ -17,19 +17,44 @@
},
{
"name": "body",
"type": "optional",
"comment":"The body of a message."
},
{
"name": "description",
"type": "required",
"comment":"The body of a message."
"comment": "The description of the alert event."
},
{
"name": "dest",
"type": "required",
"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
},
{
"name": "dest_type",
"type": "optional",
"comment": "The type of the destination object, such as instance, storage, firewall."
},
{
"name": "id",
"type": "required",
"comment":"The unique identifier of a message."
},
{
"name": "mitre_technique_id",
"type": "optional",
"comment": "The MITRE ATT&CK technique ID of the alert event."
},
{
"name": "signature",
"type": "required",
"comment": "A human-readable signature name."
},
{
"name": "signature_id",
"type": "required",
"comment": "The unique identifier or event code of the event signature."
},
{
"name": "severity",
"type": "required",
Expand All @@ -49,8 +74,13 @@
},
{
"name": "src",
"type": "required",
"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
},
{
"name": "src_type",
"type": "optional",
"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
"comment": "The type of the source object, such as instance, storage, firewall."
},
{
"name": "subject",
Expand All @@ -67,7 +97,27 @@
"task",
"warning"
],
"comment":"The message type."
"comment":"The message type."
},
{
"name": "user",
"type": "required",
"comment": "The user involved in the alert event."
},
{
"name": "user_name",
"type": "optional",
"comment": "The name of the user involved in the alert event."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_region",
"type": "optional",
"comment": "The data center region involved in the alert event, such as us-west-2."
}
],
"child_dataset": []
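Review bot: The entries in this hunk are inconsistent about how the comment key is written: `"comment":"The unique identifier of a message."` on `id` (and the same unspaced form on `dest` and `src`) sits next to `"comment": "The type of the destination object, ..."` on `dest_type`, `mitre_technique_id` and the other added fields. The rendered view has lost the +/- markers, so which of the unspaced lines this commit introduces cannot be told, but the ones it does add should use the spaced `"comment": "..."` form that the Authentication.json and Change.json additions in this same commit use, so a later `jq`/Prettier pass does not turn into a whitespace-only diff. The two `dest` comment lines print identically here, which suggests a whitespace-only change on that pair — worth confirming in the raw diff.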
57 changes: 54 additions & 3 deletions pytest_splunk_addon/data_models/Authentication.json
Expand Up @@ -10,19 +10,54 @@
{
"name": "action",
"type": "required",
"expected_values": ["success", "failure", "error"],
"expected_values": ["success", "failure", "pending", "error"],
"comment": "The action performed on the resource."
},
{
"name": "app",
"type": "required",
"comment": "The application involved in the event (such as ssh, splunk, win:local)."
},
{
"name": "authentication_method",
"type": "optional",
"comment": "The method used to authenticate the request"
},
{
"name": "authentication_service",
"type": "optional",
"comment": "The service used to authenticate the request"
},
{
"name": "dest",
"type": "required",
"comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."
},
{
"name": "src_user_type",
"type": "optional",
"comment": "The type of the user who initiated the privilege escalation."
},
{
"name": "user_type",
"type": "optional",
"comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System."
},
{
"name": "src_user_role",
"type": "optional",
"comment": "The role of the user who initiated the privilege escalation."
},
{
"name": "user_role",
"type": "optional",
"comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation."
},
{
"name": "user_agent",
"type": "optional",
"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
},
{
"name": "duration",
"type": "optional",
Expand All @@ -48,19 +83,35 @@
},
{
"name": "src",
"type": "optional",
"type": "required",
"comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
},
{
"name": "user",
"type": "required",
"comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
},
{
"name": "user_id",
"type": "optional",
"comment": "The unique id of the user involved in the event."
},
{
"name": "reason",
"type": "optional",
"validity": "if(action in ['success', 'failure'], action, null())",
"comment": "The human-readable message associated with the authentication action (success or failure)."
},
{
"name": "src_user",
"condition": "src_user=*",
"condition": "src_user=* tag=privileged",
"type": "conditional",
"comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
}
],
"child_dataset": [
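Review bot: The `src` entry, promoted here to `"type": "required"`, keeps a comment that describes a user rather than a source — `"comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."` — which is word-for-word the text of the `user` entry five lines below it. Whether that duplicate predates this commit cannot be told from the rendered view, but since the commit revisits the entry it should give `src` its own comment, mirroring the `dest` comment in the first hunk (`"The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."`) with the `src_*` field names. Separately, the added `user_type` comment in the first hunk embeds a literal line break, `"...or who initiated the event.\nIAMUser, Admin, or System."`, unlike every other comment in these files; Change.json's `user_type` in this same commit phrases it as `..., such as IAMUser, Admin, or System.` and the two should match.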
16 changes: 13 additions & 3 deletions pytest_splunk_addon/data_models/Certificates.json
Expand Up @@ -71,7 +71,7 @@
"fields":[
{
"name": "ssl_end_time",
"type": "optional",
"type": "required",
"comment":"The expiry time of the certificate. Needs to be converted to UNIX time for calculations in dashboards."
},
{
Expand All @@ -81,7 +81,7 @@
},
{
"name": "ssl_hash",
"type": "optional",
"type": "required",
"comment":"The hash of the certificate."
},
{
Expand Down Expand Up @@ -110,6 +110,11 @@
"type": "optional",
"comment":"The certificate issuer's email address."
},
{
"name": "ssl_issuer_email_domain",
"type": "optional",
"comment":"The domain name contained within the certificate issuer's email address."
},
{
"name": "ssl_issuer_locality",
"type": "optional",
Expand Down Expand Up @@ -167,7 +172,7 @@
},
{
"name": "ssl_start_time",
"type": "optional",
"type": "required",
"comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
},
{
Expand All @@ -185,6 +190,11 @@
"type": "optional",
"comment":"The certificate owner's e-mail address."
},
{
"name": "ssl_subject_email_domain",
"type": "optional",
"comment":"The domain name contained within the certificate subject's email address."
},
{
"name": "ssl_subject_locality",
"type": "optional",
107 changes: 101 additions & 6 deletions pytest_splunk_addon/data_models/Change.json
Expand Up @@ -48,7 +48,7 @@
},
{
"name": "object_category",
"validity": "if(like(object_category,'%\\\"%'),null(),object_category)",
"validity": "if(tag==\"account\" AND object_category==user,object_category, null())",
"type": "required",
"comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
},
Expand All @@ -61,13 +61,13 @@
{
"name": "object_path",
"validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
"type": "required",
"type": "optional",
"comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
},
{
"name": "result",
"type": "optional",
"expected_values": ["lockout"],
"condition": "status=failure",
"type": "conditional",
"comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
},
{
Expand All @@ -77,7 +77,7 @@
},
{
"name": "src",
"type": "optional",
"type": "required",
"comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
},
{
Expand All @@ -96,6 +96,31 @@
"type": "required",
"comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
},
{
"name": "user_agent",
"type": "optional",
"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
},
{
"name": "user_name",
"type": "optional",
"comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
},
{
"name": "user_type",
"type": "optional",
"comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_region",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_product",
"type": "required",
Expand Down Expand Up @@ -124,6 +149,16 @@
"type": "conditional",
"condition": "object_category=user",
"comment": "For account changes, the user or entity performing the change."
},
{
"name": "src_user_type",
"type": "optional",
"comment": "For account management events, this should represent the type of the user changed by the request."
},
{
"name": "src_user_name",
"type": "optional",
"comment": "For account changes, the user name of the user or entity performing the change."
}
],
"child_dataset": [
Expand Down Expand Up @@ -194,11 +229,71 @@
],
"search_constraints": "tag=endpoint"
},
{
"name": "Instance_Changes",
"tags": [["change", "instance"]],
"fields_cluster": [],
"search_constraints": "tag=instance",
"fields": [
{
"name": "image_id",
"type": "required",
"comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
},
{
"name": "instance_type",
"type": "required",
"comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
}
],
"child_dataset": []
},
{
"name": "Network_Changes",
"tags": [["change", "network"]],
"fields_cluster": [],
"fields": [],
"fields": [
{
"name": "dest_ip_range",
"type": "optional",
"comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
},
{
"name": "dest_port_range",
"type": "optional",
"comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
},
{
"name": "direction",
"type": "optional",
"comment": "For network events, this field represents whether the traffic is inbound or outbound."
},
{
"name": "protocol",
"type": "optional",
"comment": "This field represents the protocol for the network event rule."
},
{
"name": "rule_action",
"type": "optional",
"comment": "For network events, this field represents whether to allow or deny traffic."
},
{
"name": "src_ip_range",
"type": "optional",
"comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
},
{
"name": "src_port_range",
"type": "optional",
"comment": "For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443"
},
{
"name": "device_restarts",
"type": "optional",
"comment": "Monitor all infrastructure device restarts."
}
],
"child_dataset": [
{
"name": "Device_Restarts",
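Review bot: The new validity on `object_category` in the first hunk, `"validity": "if(tag==\"account\" AND object_category==user,object_category, null())"`, compares `object_category` with the field named `user`, not with the string `"user"` — in an eval expression an unquoted token is a field reference, and `tag==\"account\"` in the same expression already shows the quoted form. The `src_user` condition later in this file, `"condition": "object_category=user"`, indicates the literal was intended, so the line should read `"validity": "if(tag==\"account\" AND object_category==\"user\",object_category, null())"`. Note too that for a `required` field this expression yields null on every event whose tag is not `account`; if the harness treats a null validity result as a missing required field, the expression presumably needs an else branch — confirm against how validity is evaluated. Two of the added comments are also copy-paste slips: `vendor_region` reuses the `vendor_account` text (`"The account that manages the user that initiated the request. ..."`) where Alerts.json in this same commit describes the field as the data center region, such as us-west-2, and the `user_name` comment repeats `this is the account that was changed` twice.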
