Skip to content

feat: add support for CIM v5.3.2 #853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Parent: feat: release 6.1.0
merged 11 commits into from
Jul 1, 2024
Merged

feat: add support for CIM v5.3.2 #853

merged 11 commits into from
Jul 1, 2024

Conversation

@harshilgajera-crest
Copy link
Contributor

@harshilgajera-crest harshilgajera-crest commented Jun 21, 2024
edited
Loading

Added support for cim v5.3.2.

  • Updated data-models with new child data set in various models.
  • Updated required fields with updated values as per v5.3.2.
  • Added optional fields as per v5.3.2

Detailed comparison and analysis between v4.15.0 and v5.3.2 can be found here: https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit#gid=1147250948

@harshilgajera-crest harshilgajera-crest changed the base branch from main to develop June 21, 2024 05:31
@harshilgajera-crest harshilgajera-crest marked this pull request as ready for review June 21, 2024 08:20
@harshilgajera-crest harshilgajera-crest requested review from a team as code owners June 21, 2024 08:20
@artemrys artemrys changed the title feat: add support for cim v5.3.2 feat: add support for CIM v5.3.2 Jun 23, 2024
artemrys
artemrys reviewed Jun 24, 2024
View reviewed changes
pytest_splunk_addon/standard_lib/data_models/Alerts.json
Comment on lines 33 to 37
{
"name": "dest_type",
"type": "optional",
"comment": "The type of the destination object, such as instance, storage, firewall."
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please double check if this is provided by A&I framework (similar to fields in https://github.com/splunk/pytest-splunk-addon/blob/3ee0404aa07cd56ee67063c4c86aaeaeb3dbb7be/pytest_splunk_addon/standard_lib/cim_tests/CommonFields.json)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dest_type is not provided by A&I framework, so all fields in https://github.com/splunk/pytest-splunk-addon/blob/3ee0404aa07cd56ee67063c4c86aaeaeb3dbb7be/pytest_splunk_addon/standard_lib/cim_tests/CommonFields.json have the same in description if they are provided by A&I or not.

alexeisuv
alexeisuv requested changes Jun 24, 2024
View reviewed changes
justin-splunk
justin-splunk reviewed Jun 26, 2024
View reviewed changes
pytest_splunk_addon/standard_lib/data_models/Change.json
"name": "result",
"type": "optional",
"expected_values": ["lockout"],
"condition": "status=failure",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is supposed to be the literal string the vendor uses in the log so there no constraint on what may be present.

Copy link
Contributor Author

@harshilgajera-crest harshilgajera-crest Jun 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we mark it as optional? @justin-splunk
or keep it required but not keep the condition?

Copy link

@alexeisuv alexeisuv Jun 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The result provides the reason of the action's failure, so I suggest:

  • if the status=failure, then the result is required (yes it may not always be present in the raw, but it will prompt the SME to investigate why the action failed - directly from the raw or indirectly from the vendor docs).
  • if the status=success, the result is optional.

Is this the current logic?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexeisuv
So current condition is that if status=failure then result should be required, else it is optional

justin-splunk
justin-splunk reviewed Jun 26, 2024
View reviewed changes
@artemrys artemrys merged commit 5e7d1e8 into develop Jul 1, 2024
@artemrys artemrys deleted the feat/add-cim-5.3.2-support branch July 1, 2024 13:09
@github-actions github-actions bot locked and limited conversation to collaborators Jul 1, 2024
@srv-rr-github-token
Copy link
Contributor

🎉 This PR is included in version 5.3.0-beta.6 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@srv-rr-github-token
Copy link
Contributor

🎉 This issue has been resolved in version 5.4.0-beta.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@artemrys artemrys artemrys left review comments

@alexeisuv alexeisuv alexeisuv approved these changes

@justin-splunk justin-splunk Awaiting requested review from justin-splunk

Assignees

No one assigned

Labels

released on @beta

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@harshilgajera-crest @srv-rr-github-token @artemrys @alexeisuv @justin-splunk