feat: release 6.1.0 (#917)

mbruzda-splunk · web-flow · commit d9d456054cb7 · 2025-09-08T14:03:03.000+02:00
This PR releases: - feat: Support for CIM 6.1.0 #907 - fix: improve hec batch to be not a JSON array to conform specification: #904 - ci: Run CI on Splunk 10: #915 Test runs: https://github.com/splunk/splunk-add-on-for-microsoft-office-365/actions/runs/17460304322 https://github.com/splunk/splunk-add-on-for-microsoft-sysmon/actions/runs/17462965055 https://github.com/splunk/splunk-add-on-for-microsoft-sysmon/actions/runs/17545231405/job/49825224041 - after deps bump
diff --git a/NOTICE b/NOTICE
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
@@ -88,6 +88,7 @@ services:
       - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN}
       - SPLUNK_START_ARGS=--accept-license
       - TEST_SC4S_ACTIVATE_EXAMPLES=yes
+      - SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com
 volumes:
   results:
     external: false
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -80,6 +80,7 @@ services:
       - SPLUNK_START_ARGS=--accept-license
       - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN}
       - TEST_SC4S_ACTIVATE_EXAMPLES=yes
+      - SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com
 
   uf:
     build:
@@ -104,4 +105,4 @@ services:
 
 volumes:
   splunk-sc4s-var:
-    external: false
+    external: false
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -16,7 +16,7 @@
 
 [tool.poetry]
 name = "pytest-splunk-addon"
-version = "6.0.0"
+version = "6.1.0-beta.1"
 description = "A Dynamic test tool for Splunk Apps and Add-ons"
 authors = ["Splunk <addonfactory@splunk.com>"]
 license = "APACHE-2.0"
@@ -36,18 +36,20 @@ python = "^3.7"
 pytest = ">5.4.0,<8"
 splunk-sdk = ">=1.6"
 requests = "^2.31.0"
-jsonschema = "^v4.17.3"
+jsonschema = "^4.17.3"
 pytest-xdist = "^3.5.0"
 filelock = "^3.0"
 pytest-ordering = "~0.6"
-junitparser = "^2.2.0"
+junitparser = "^4.0.0"
 addonfactory-splunk-conf-parser-lib = "*"
 defusedxml = "^0.7.1"
-Faker = "^18.0.0"
-xmltodict = "^0.13.0"
+Faker = "^18.12.0"
+xmltodict = "^0.14.0"
 xmlschema = "^2.5.1"
 splunksplwrapper = "^1.1.1"
 urllib3 = "<2"
+certifi = "^2024.7.4"
+zipp = "^3.6.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest-cov = "^4"
diff --git a/pytest_splunk_addon/CIM_Models/datamodel_definition.py b/pytest_splunk_addon/CIM_Models/datamodel_definition.py
@@ -2399,4 +2399,5 @@
 # No fields changes between v6.0.0 and v6.0.2
 datamodels["6.0.1"] = datamodels["6.0.0"]
 datamodels["6.0.2"] = datamodels["6.0.0"]
-datamodels["latest"] = datamodels["6.0.2"]
+datamodels["6.1.0"] = datamodels["6.0.2"]
+datamodels["latest"] = datamodels["6.1.0"]
diff --git a/pytest_splunk_addon/__init__.py b/pytest_splunk_addon/__init__.py
@@ -18,4 +18,4 @@
 
 __author__ = """Splunk Inc."""
 __email__ = "addonfactory@splunk.com"
-__version__ = "6.0.0"
+__version__ = "6.1.0-beta.1"
diff --git a/pytest_splunk_addon/data_models/Authentication.json b/pytest_splunk_addon/data_models/Authentication.json
@@ -107,6 +107,16 @@
           "validity": "if(action in ['success', 'failure'], action, null())",
           "comment": "The human-readable message associated with the authentication action (success or failure)."
         },
+        {
+          "name": "reason_id",
+          "type": "optional",
+          "comment": "The reason why logon failed. For example \\'0xC0000234\\'."
+        },
+        {
+          "name": "process",
+          "type": "optional",
+          "comment": "Full path and the name of the executable for the process that attempted the logon. For example, it is a \\\"Process Name\\\" in Windows such as `C:\\\\Windows\\\\System32\\\\svchost.exe`."
+        },
         {
           "name": "src_user",
           "condition": "src_user=* tag=privileged",
@@ -118,6 +128,7 @@
           "type": "optional",
           "comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
         }
+
       ],
       "child_dataset": [
         {
diff --git a/pytest_splunk_addon/data_models/Endpoint.json b/pytest_splunk_addon/data_models/Endpoint.json
@@ -351,6 +351,11 @@
           "name": "vendor_product",
           "type": "required",
           "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
+        },
+        {
+          "name": "image",
+          "type": "optional",
+          "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination."
         }
       ],
       "child_dataset": [],
@@ -469,6 +474,11 @@
           "name": "vendor_product",
           "type": "required",
           "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
+        },
+        {
+          "name": "image",
+          "type": "optional",
+          "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination."
         }
       ],
       "child_dataset": [],
diff --git a/pytest_splunk_addon/data_models/Network_Traffic.json b/pytest_splunk_addon/data_models/Network_Traffic.json
@@ -198,7 +198,12 @@
         {
           "name": "rule",
           "type": "optional",
-          "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types. The rule_id field is optional, so it is not included in the data model"
+          "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types."
+        },
+        {
+          "name": "rule_id",
+          "type": "optional",
+          "comment": "The vendor-specific unique identifier of the rule. Examples: 0x00011f0000011f00, 0x00011f00-syn_flood."
         },
         {
           "name": "session_id",
diff --git a/pytest_splunk_addon/data_models/Updates.json b/pytest_splunk_addon/data_models/Updates.json
@@ -66,7 +66,8 @@
                     "available",
                     "installed",
                     "invalid",
-                    "restart required"
+                    "restart required",
+                    "failure"
                   ],
                 "comment":"Indicates the status of a given patch requirement." 
             },
diff --git a/pytest_splunk_addon/event_ingestors/hec_event_ingestor.py b/pytest_splunk_addon/event_ingestors/hec_event_ingestor.py
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+import json
+
 from .base_event_ingestor import EventIngestor
 import requests
 from time import time, mktime
@@ -52,7 +54,7 @@ def ingest(self, events, thread_count):
         """
         Ingests event and metric data into splunk using HEC token via event endpoint.
 
-        For batch ingestion of events in a single request at event endpoint provide a list of event dict to be ingested.
+        For batch ingestion of events in a single request at event endpoint provide stacked events one after the other to be ingested.
 
         The format of dictionary for ingesting a single event::
 
@@ -63,22 +65,20 @@ def ingest(self, events, thread_count):
                 "event": "event_str"
             }
 
-        The format of dictionary for ingesting a batch of events::
-
-            [
-                {
-                    "sourcetype": "sample_HEC",
-                    "source": "sample_source",
-                    "host": "sample_host",
-                    "event": "event_str1"
-                },
-                {
-                    "sourcetype": "sample_HEC",
-                    "source": "sample_source",
-                    "host": "sample_host",
-                    "event": "event_str2"
-                },
-            ]
+        The format for ingesting a batch of events::
+
+            {
+                "sourcetype": "sample_HEC",
+                "source": "sample_source",
+                "host": "sample_host",
+                "event": "event_str1"
+            }
+            {
+                "sourcetype": "sample_HEC",
+                "source": "sample_source",
+                "host": "sample_host",
+                "event": "event_str2"
+            }
 
         Args:
             events (list): List of events (SampleEvent) to be ingested
@@ -115,20 +115,21 @@ def ingest(self, events, thread_count):
 
     def __ingest(self, data):
         try:
+            batch_data = "\n".join(json.dumps(obj) for obj in data)
             LOGGER.info(
                 "Making a HEC event request with the following params:\nhec_uri:{}\nheaders:{}".format(
                     str(self.hec_uri), str(self.session_headers)
                 )
             )
             LOGGER.debug(
                 "Creating the following sample event to be ingested via HEC event endoipnt:{}".format(
-                    str(data)
+                    str(batch_data)
                 )
             )
             response = requests.post(  # nosemgrep: splunk.disabled-cert-validation
                 "{}/{}".format(self.hec_uri, "event"),
                 auth=None,
-                json=data,
+                data=batch_data,
                 headers=self.session_headers,
                 verify=False,
             )
diff --git a/tests/unit/tests_standard_lib/test_event_ingestors/conftest.py b/tests/unit/tests_standard_lib/test_event_ingestors/conftest.py
@@ -68,26 +68,26 @@ def modinput_posts_sent():
     return [
         (
             f"POST {HEC_URI}/event",
-            "[{"
+            "{"
             '"sourcetype": "test:indextime:sourcetype:modinput_host_event_time_plugin", '
             '"source": "pytest-splunk-addon:modinput", '
             '"event": "test_modinput_1 host=modinput_host_event_time_plugin.samples_1", '
             '"index": "main", '
             '"host": "modinput_host_event_time_plugin.samples_1"'
-            "}, {"
+            "}\n{"
             '"sourcetype": "test:indextime:sourcetype:modinput_host_event_time_plugin", '
             '"source": "pytest-splunk-addon:modinput", '
             '"event": "test_modinput_2 host=modinput_host_event_time_plugin.samples_2", '
             '"index": "main", '
             '"host": "modinput_host_event_time_plugin.samples_2"'
-            "}, {"
+            "}\n{"
             '"sourcetype": "pytest_splunk_addon", '
             '"source": "pytest_splunk_addon:hec:event", '
             '"event": "fake event nothing happened", '
             '"index": "fake_index", '
             '"host": "fake host", '
             '"time": 1234.5678'
-            "}]",
+            "}",
         )
     ]
 

Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,12 @@`
`198`	`198`	`{`
`199`	`199`	`"name": "rule",`
`200`	`200`	`"type": "optional",`
`201`		`- "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types. The rule_id field is optional, so it is not included in the data model"`
	`201`	`+ "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types."`
	`202`	`+ },`
	`203`	`+ {`
	`204`	`+ "name": "rule_id",`
	`205`	`+ "type": "optional",`
	`206`	`+ "comment": "The vendor-specific unique identifier of the rule. Examples: 0x00011f0000011f00, 0x00011f00-syn_flood."`
`202`	`207`	`},`
`203`	`208`	`{`
`204`	`209`	`"name": "session_id",`