
Commit 5e7d1e8

feat: add support for CIM v5.3.2 (#853)
Added support for CIM v5.3.2: updated the data models with the new child datasets in various models; updated the required fields to the v5.3.2 values; added the optional fields introduced in v5.3.2. A detailed comparison and analysis between v4.15.0 and v5.3.2 can be found here: https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit#gid=1147250948
1 parent 42b6a3b commit 5e7d1e8

16 files changed

+542
-74
lines changed

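--- a/pytest_splunk_addon/data_models/Alerts.json
+++ b/pytest_splunk_addon/data_models/Alerts.json
@@ -17,19 +17,44 @@
 },
 {
 "name": "body",
+"type": "optional",
+"comment":"The body of a message."
+},
+{
+"name": "description",
 "type": "required",
-"comment":"The body of a message."
+"comment": "The description of the alert event."
 },
 {
 "name": "dest",
 "type": "required",
-"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+},
+{
+"name": "dest_type",
+"type": "optional",
+"comment": "The type of the destination object, such as instance, storage, firewall."
 },
 {
 "name": "id",
 "type": "required",
 "comment":"The unique identifier of a message."
 },
+{
+"name": "mitre_technique_id",
+"type": "optional",
+"comment": "The MITRE ATT&CK technique ID of the alert event."
+},
+{
+"name": "signature",
+"type": "required",
+"comment": "A human-readable signature name."
+},
+{
+"name": "signature_id",
+"type": "required",
+"comment": "The unique identifier or event code of the event signature."
+},
 {
 "name": "severity",
 "type": "required",
@@ -49,8 +74,13 @@
 },
 {
 "name": "src",
+"type": "required",
+"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+},
+{
+"name": "src_type",
 "type": "optional",
-"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+"comment": "The type of the source object, such as instance, storage, firewall."
 },
 {
 "name": "subject",
@@ -67,7 +97,27 @@
 "task",
 "warning"
 ],
-"comment":"The message type."
+"comment":"The message type."
+},
+{
+"name": "user",
+"type": "required",
+"comment": "The user involved in the alert event."
+},
+{
+"name": "user_name",
+"type": "optional",
+"comment": "The name of the user involved in the alert event."
+},
+{
+"name": "vendor_account",
+"type": "optional",
+"comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account."
+},
+{
+"name": "vendor_region",
+"type": "optional",
+"comment": "The data center region involved in the alert event, such as us-west-2."
 }
 ],
 "child_dataset": []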
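Review bot: The comment on the new `mitre_technique_id` field (new line 46) gives no format, and ATT&CK technique IDs come in both technique (`T1059`) and sub-technique (`T1059.001`) form, which matters when detections or dashboards key on the field. Suggest `"comment": "The MITRE ATT&CK technique ID of the alert event, such as T1059 or T1059.001 for a sub-technique; document whether multiple values are allowed, since one alert can map to several techniques."`. Separately, the `dest` entry (old line 26 / new line 31) is removed and re-added with visibly identical text, which looks like whitespace-only churn that could be dropped from the change.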

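--- a/pytest_splunk_addon/data_models/Authentication.json
+++ b/pytest_splunk_addon/data_models/Authentication.json
@@ -10,19 +10,54 @@
 {
 "name": "action",
 "type": "required",
-"expected_values": ["success", "failure", "error"],
+"expected_values": ["success", "failure", "pending", "error"],
 "comment": "The action performed on the resource."
 },
 {
 "name": "app",
 "type": "required",
 "comment": "The application involved in the event (such as ssh, splunk, win:local)."
 },
+{
+"name": "authentication_method",
+"type": "optional",
+"comment": "The method used to authenticate the request"
+},
+{
+"name": "authentication_service",
+"type": "optional",
+"comment": "The service used to authenticate the request"
+},
 {
 "name": "dest",
 "type": "required",
 "comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."
 },
+{
+"name": "src_user_type",
+"type": "optional",
+"comment": "The type of the user who initiated the privilege escalation."
+},
+{
+"name": "user_type",
+"type": "optional",
+"comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System."
+},
+{
+"name": "src_user_role",
+"type": "optional",
+"comment": "The role of the user who initiated the privilege escalation."
+},
+{
+"name": "user_role",
+"type": "optional",
+"comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation."
+},
+{
+"name": "user_agent",
+"type": "optional",
+"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
+},
 {
 "name": "duration",
 "type": "optional",
@@ -48,19 +83,35 @@
 },
 {
 "name": "src",
-"type": "optional",
+"type": "required",
 "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
 },
 {
 "name": "user",
 "type": "required",
 "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
 },
+{
+"name": "user_id",
+"type": "optional",
+"comment": "The unique id of the user involved in the event."
+},
+{
+"name": "reason",
+"type": "optional",
+"validity": "if(action in ['success', 'failure'], action, null())",
+"comment": "The human-readable message associated with the authentication action (success or failure)."
+},
 {
 "name": "src_user",
-"condition": "src_user=*",
+"condition": "src_user=* tag=privileged",
 "type": "conditional",
 "comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user."
+},
+{
+"name": "vendor_account",
+"type": "optional",
+"comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
 }
 ],
 "child_dataset": [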
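Review bot: The `validity` expression added for `reason` (new line 102) returns `action` rather than `reason`, so if the harness follows the pattern of the existing `object_path` validity in Change.json (yield the field's own value when valid, otherwise null) it validates the wrong field; it should read `"validity": "if(action IN (\"success\", \"failure\"), reason, null())"`. Note also that in SPL eval a single-quoted token such as `'success'` is a field reference, not a string, and the `IN` operator takes a parenthesised list, so `action in ['success', 'failure']` is unlikely to evaluate as intended unless pytest-splunk-addon rewrites the expression before running it — worth confirming against how `validity` is consumed. The context comment on `src` (new line 87), which this commit makes required, still describes the user rather than the source and should be replaced with the CIM wording for `src`.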

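--- a/pytest_splunk_addon/data_models/Certificates.json
+++ b/pytest_splunk_addon/data_models/Certificates.json
@@ -71,7 +71,7 @@
 "fields":[
 {
 "name": "ssl_end_time",
-"type": "optional",
+"type": "required",
 "comment":"The expiry time of the certificate. Needs to be converted to UNIX time for calculations in dashboards."
 },
 {
@@ -81,7 +81,7 @@
 },
 {
 "name": "ssl_hash",
-"type": "optional",
+"type": "required",
 "comment":"The hash of the certificate."
 },
 {
@@ -110,6 +110,11 @@
 "type": "optional",
 "comment":"The certificate issuer's email address."
 },
+{
+"name": "ssl_issuer_email_domain",
+"type": "optional",
+"comment":"The domain name contained within the certificate issuer's email address."
+},
 {
 "name": "ssl_issuer_locality",
 "type": "optional",
@@ -167,7 +172,7 @@
 },
 {
 "name": "ssl_start_time",
-"type": "optional",
+"type": "required",
 "comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
 },
 {
@@ -185,6 +190,11 @@
 "type": "optional",
 "comment":"The certificate owner's e-mail address."
 },
+{
+"name": "ssl_subject_email_domain",
+"type": "optional",
+"comment":"The domain name contained within the certificate subject's email address."
+},
 {
 "name": "ssl_subject_locality",
 "type": "optional",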
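Review bot: `ssl_hash` becomes required (new line 84) but its comment, `The hash of the certificate.`, does not say which hash, and a SHA-1 fingerprint cannot be correlated with a SHA-256 one across sources or matched against certificate-transparency or threat-intel lists. Since every add-on tested against this model must now populate it, the comment should state the expectation, e.g. `"comment":"The hash (fingerprint) of the certificate. Add-ons should document the algorithm used (SHA-256 preferred; SHA-1 is common in older sources), because fingerprints from different algorithms cannot be correlated."`. The same gap applies to `ssl_start_time` and `ssl_end_time` now being required: the comments say the value must be converted to UNIX time for dashboards but not whether the raw certificate timestamp or the epoch form is what the field is expected to hold.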

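--- a/pytest_splunk_addon/data_models/Change.json
+++ b/pytest_splunk_addon/data_models/Change.json
@@ -48,7 +48,7 @@
 },
 {
 "name": "object_category",
-"validity": "if(like(object_category,'%\\\"%'),null(),object_category)",
+"validity": "if(tag==\"account\" AND object_category==user,object_category, null())",
 "type": "required",
 "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
 },
@@ -61,13 +61,13 @@
 {
 "name": "object_path",
 "validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
-"type": "required",
+"type": "optional",
 "comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
 },
 {
 "name": "result",
-"type": "optional",
-"expected_values": ["lockout"],
+"condition": "status=failure",
+"type": "conditional",
 "comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
 },
 {
@@ -77,7 +77,7 @@
 },
 {
 "name": "src",
-"type": "optional",
+"type": "required",
 "comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
 },
 {
@@ -96,6 +96,31 @@
 "type": "required",
 "comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
 },
+{
+"name": "user_agent",
+"type": "optional",
+"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
+},
+{
+"name": "user_name",
+"type": "optional",
+"comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
+},
+{
+"name": "user_type",
+"type": "optional",
+"comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
+},
+{
+"name": "vendor_account",
+"type": "optional",
+"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+},
+{
+"name": "vendor_region",
+"type": "optional",
+"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+},
 {
 "name": "vendor_product",
 "type": "required",
@@ -124,6 +149,16 @@
 "type": "conditional",
 "condition": "object_category=user",
 "comment": "For account changes, the user or entity performing the change."
+},
+{
+"name": "src_user_type",
+"type": "optional",
+"comment": "For account management events, this should represent the type of the user changed by the request."
+},
+{
+"name": "src_user_name",
+"type": "optional",
+"comment": "For account changes, the user name of the user or entity performing the change."
 }
 ],
 "child_dataset": [
@@ -194,11 +229,71 @@
 ],
 "search_constraints": "tag=endpoint"
 },
+{
+"name": "Instance_Changes",
+"tags": [["change", "instance"]],
+"fields_cluster": [],
+"search_constraints": "tag=instance",
+"fields": [
+{
+"name": "image_id",
+"type": "required",
+"comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
+},
+{
+"name": "instance_type",
+"type": "required",
+"comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
+}
+],
+"child_dataset": []
+},
 {
 "name": "Network_Changes",
 "tags": [["change", "network"]],
 "fields_cluster": [],
-"fields": [],
+"fields": [
+{
+"name": "dest_ip_range",
+"type": "optional",
+"comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
+},
+{
+"name": "dest_port_range",
+"type": "optional",
+"comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
+},
+{
+"name": "direction",
+"type": "optional",
+"comment": "For network events, this field represents whether the traffic is inbound or outbound."
+},
+{
+"name": "protocol",
+"type": "optional",
+"comment": "This field represents the protocol for the network event rule."
+},
+{
+"name": "rule_action",
+"type": "optional",
+"comment": "For network events, this field represents whether to allow or deny traffic."
+},
+{
+"name": "src_ip_range",
+"type": "optional",
+"comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
+},
+{
+"name": "src_port_range",
+"type": "optional",
+"comment": "For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443"
+},
+{
+"name": "device_restarts",
+"type": "optional",
+"comment": "Monitor all infrastructure device restarts."
+}
+],
 "child_dataset": [
 {
 "name": "Device_Restarts",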
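Review bot: The new `validity` for `object_category` (new line 51) writes `object_category==user` with `user` unquoted, which in SPL eval is a reference to the `user` field rather than the string literal, so the category is compared against the user name; it should be `"validity": "if(tag==\"account\" AND object_category==\"user\", object_category, null())"`, and read literally the expression also nulls `object_category` for every event not tagged `account`, so if a null validity result makes a required field fail, non-account Change events would fail — please confirm that is intended and that dropping the old embedded-quote check is deliberate. Two of the new comments are copy-paste errors: `vendor_region` (new line 122) repeats the `vendor_account` text and should read `"comment": "The data center region involved in the change event, such as us-west-2."`, and `user_name` (new line 107) duplicates the phrase `this is the account that was changed`. `src_user_type` (new line 156) carries the same "type of the user changed by the request" wording as `user_type` although the existing `src_user` comment says src_user is the actor, so one of the two is presumably inverted. Finally, `device_restarts` under Network_Changes (new lines 291-295) has a comment that describes the `Device_Restarts` child dataset rather than a field; unless CIM 5.3.2 really defines such a field it should be removed instead of asserted as optional.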
