diff --git a/pytest_splunk_addon/data_models/Alerts.json b/pytest_splunk_addon/data_models/Alerts.json
index 7cd84f782..2fbdb312d 100644
--- a/pytest_splunk_addon/data_models/Alerts.json
+++ b/pytest_splunk_addon/data_models/Alerts.json
@@ -17,19 +17,44 @@
 },
 {
 "name": "body",
+ "type": "optional",
+ "comment":"The body of a message."
+ },
+ {
+ "name": "description",
 "type": "required",
- "comment":"The body of a message."
+ "comment": "The description of the alert event."
 },
 {
 "name": "dest",
 "type": "required",
- "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "dest_type",
+ "type": "optional",
+ "comment": "The type of the destination object, such as instance, storage, firewall."
 },
 {
 "name": "id",
 "type": "required",
 "comment":"The unique identifier of a message."
 },
+ {
+ "name": "mitre_technique_id",
+ "type": "optional",
+ "comment": "The MITRE ATT&CK technique ID of the alert event."
+ },
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "A human-readable signature name."
+ },
+ {
+ "name": "signature_id",
+ "type": "required",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "severity",
 "type": "required",
@@ -49,8 +74,13 @@
 },
 {
 "name": "src",
+ "type": "required",
+ "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+ },
+ {
+ "name": "src_type",
 "type": "optional",
- "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+ "comment": "The type of the source object, such as instance, storage, firewall."
 },
 {
 "name": "subject",
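Review bot: The new entries in this hunk mix `"comment":"…"` (no space after the colon, on the `body` and re-added `dest` lines) with `"comment": "…"` (on `description`, `dest_type`, `mitre_technique_id`, `signature` and `signature_id`), leaving two formatting styles side by side in one field list; the spaced form is what the other data-model files on this page use. The `dest` comment line is removed and re-added with text that looks identical here, which suggests a whitespace-only change that could be dropped from the hunk unless it is intentional. The same `"comment":"` spacing appears on the `src` entry in the second Alerts hunk.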
@@ -67,7 +97,27 @@
 "task",
 "warning"
 ],
- "comment":"The message type."
+ "comment":"The message type."
+ },
+ {
+ "name": "user",
+ "type": "required",
+ "comment": "The user involved in the alert event."
+ },
+ {
+ "name": "user_name",
+ "type": "optional",
+ "comment": "The name of the user involved in the alert event."
+ },
+ {
+ "name": "vendor_account",
+ "type": "optional",
+ "comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_region",
+ "type": "optional",
+ "comment": "The data center region involved in the alert event, such as us-west-2."
 }
 ],
 "child_dataset": []
diff --git a/pytest_splunk_addon/data_models/Authentication.json b/pytest_splunk_addon/data_models/Authentication.json
index dcb4f43d1..0af740237 100644
--- a/pytest_splunk_addon/data_models/Authentication.json
+++ b/pytest_splunk_addon/data_models/Authentication.json
@@ -10,7 +10,7 @@
 {
 "name": "action",
 "type": "required",
- "expected_values": ["success", "failure", "error"],
+ "expected_values": ["success", "failure", "pending", "error"],
 "comment": "The action performed on the resource."
 },
 {
@@ -18,11 +18,46 @@
 "type": "required",
 "comment": "The application involved in the event (such as ssh, splunk, win:local)."
 },
+ {
+ "name": "authentication_method",
+ "type": "optional",
+ "comment": "The method used to authenticate the request"
+ },
+ {
+ "name": "authentication_service",
+ "type": "optional",
+ "comment": "The service used to authenticate the request"
+ },
 {
 "name": "dest",
 "type": "required",
 "comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."
 },
+ {
+ "name": "src_user_type",
+ "type": "optional",
+ "comment": "The type of the user who initiated the privilege escalation."
+ },
+ {
+ "name": "user_type",
+ "type": "optional",
+ "comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System."
+ },
+ {
+ "name": "src_user_role",
+ "type": "optional",
+ "comment": "The role of the user who initiated the privilege escalation."
+ },
+ {
+ "name": "user_role",
+ "type": "optional",
+ "comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation."
+ },
+ {
+ "name": "user_agent",
+ "type": "optional",
+ "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
+ },
 {
 "name": "duration",
 "type": "optional",
@@ -48,7 +83,7 @@
 },
 {
 "name": "src",
- "type": "optional",
+ "type": "required",
 "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
 },
 {
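Review bot: The `src` entry in the hunk at `@@ -48,7 +83,7 @@` is promoted to `required`, but its comment still reads `The name of the user involved in the event…`, which is the `user` field's description; a required field with the wrong description will mislead add-on authors, so replace it with something modelled on the `dest` entry, e.g. `"comment": "The source involved in the authentication. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host."`. In the first hunk, the `user_type` comment embeds a `\n` escape (`…initiated the event.\nIAMUser, Admin, or System.`) while every other comment is a single-line string; the Change.json entry for the same field on this page uses `, such as IAMUser, Admin, or System.`, which is the consistent wording. The `src_user_type`/`user_type`/`src_user_role`/`user_role`/`user_agent` block is inserted between `dest` and `duration`, breaking the alphabetical order the rest of the list follows, and the two `authentication_*` comments are the only ones without a terminating period.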
@@ -56,11 +91,27 @@
 "type": "required",
 "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
 },
+ {
+ "name": "user_id",
+ "type": "optional",
+ "comment": "The unique id of the user involved in the event."
+ },
+ {
+ "name": "reason",
+ "type": "optional",
+ "validity": "if(action in ['success', 'failure'], action, null())",
+ "comment": "The human-readable message associated with the authentication action (success or failure)."
+ },
 {
 "name": "src_user",
- "condition": "src_user=*",
+ "condition": "src_user=* tag=privileged",
 "type": "conditional",
 "comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user."
+ },
+ {
+ "name": "vendor_account",
+ "type": "optional",
+ "comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
 }
 ],
 "child_dataset": [
diff --git a/pytest_splunk_addon/data_models/Certificates.json b/pytest_splunk_addon/data_models/Certificates.json
index b98a9cfe4..4fd87347d 100644
--- a/pytest_splunk_addon/data_models/Certificates.json
+++ b/pytest_splunk_addon/data_models/Certificates.json
@@ -71,7 +71,7 @@
 "fields":[
 {
 "name": "ssl_end_time",
- "type": "optional",
+ "type": "required",
 "comment":"The expiry time of the certificate. Needs to be converted to UNIX time for calculations in dashboards."
 },
 {
@@ -81,7 +81,7 @@
 },
 {
 "name": "ssl_hash",
- "type": "optional",
+ "type": "required",
 "comment":"The hash of the certificate."
 },
 {
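Review bot: The `validity` on the new `reason` entry, `if(action in ['success', 'failure'], action, null())`, does not match the eval form every other `validity` on this page uses (`if(isnum(x),x,null())`, `if(match(x,…),x,null())`): Splunk eval spells membership as the `in(field, "v1", "v2")` function rather than `field in [...]`, and the expression returns `action` instead of `reason`, so even if it parsed it would validate the wrong field. If the intent is that `reason` is only meaningful on success/failure events, `"validity": "if(in(action, \"success\", \"failure\"), reason, null())"` says that in the same shape as the neighbours — confirm against a Splunk instance. The enclosing `fields` array starts before this hunk.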
@@ -110,6 +110,11 @@
 "type": "optional",
 "comment":"The certificate issuer's email address."
 },
+ {
+ "name": "ssl_issuer_email_domain",
+ "type": "optional",
+ "comment":"The domain name contained within the certificate issuer's email address."
+ },
 {
 "name": "ssl_issuer_locality",
 "type": "optional",
@@ -167,7 +172,7 @@
 },
 {
 "name": "ssl_start_time",
- "type": "optional",
+ "type": "required",
 "comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
 },
 {
@@ -185,6 +190,11 @@
 "type": "optional",
 "comment":"The certificate owner's e-mail address."
 },
+ {
+ "name": "ssl_subject_email_domain",
+ "type": "optional",
+ "comment":"The domain name contained within the certificate subject's email address."
+ },
 {
 "name": "ssl_subject_locality",
 "type": "optional",
diff --git a/pytest_splunk_addon/data_models/Change.json b/pytest_splunk_addon/data_models/Change.json
index 8ba8611c1..fc3df7052 100644
--- a/pytest_splunk_addon/data_models/Change.json
+++ b/pytest_splunk_addon/data_models/Change.json
@@ -48,7 +48,7 @@
 },
 {
 "name": "object_category",
- "validity": "if(like(object_category,'%\\\"%'),null(),object_category)",
+ "validity": "if(tag==\"account\" AND object_category==user,object_category, null())",
 "type": "required",
 "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
 },
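Review bot: In the new `object_category` validity for Change.json, `object_category==user` compares the field against another field named `user`, not against the string `"user"` — in Splunk eval an unquoted token is a field reference — so the comparison will practically never hold; it should read `object_category==\"user\"`, quoted like the `tag==\"account\"` beside it. Separately, the expression returns `null()` for every event that is not `tag=account`, while the entry stays `"type": "required"` and its comment says values are app-specific; if `validity` is applied as the other entries on this page use it (null meaning the value is invalid), every non-account change event would then fail the required check, which is presumably not intended. The old expression only rejected values containing a double quote; if that guard is still wanted it has been lost.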
@@ -61,13 +61,13 @@
 {
 "name": "object_path",
 "validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
- "type": "required",
+ "type": "optional",
 "comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
 },
 {
 "name": "result",
- "type": "optional",
- "expected_values": ["lockout"],
+ "condition": "status=failure",
+ "type": "conditional",
 "comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
 },
 {
@@ -77,7 +77,7 @@
 },
 {
 "name": "src",
- "type": "optional",
+ "type": "required",
 "comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
 },
 {
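Review bot: The `result` entry becomes `"type": "conditional"` with `"condition": "status=failure"`, but the unchanged comment directly below still says `status=failure may be accompanied by result=…`, i.e. the field is optional even on failures; either the comment should state that `result` is expected whenever `status=failure`, or the condition overstates the contract. Dropping `"expected_values": ["lockout"]` also removes the only value constraint on this field, which may be intended but is not explained anywhere in the hunk.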
@@ -96,6 +96,31 @@
 "type": "required",
 "comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
 },
+ {
+ "name": "user_agent",
+ "type": "optional",
+ "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
+ },
+ {
+ "name": "user_name",
+ "type": "optional",
+ "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
+ },
+ {
+ "name": "user_type",
+ "type": "optional",
+ "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
+ },
+ {
+ "name": "vendor_account",
+ "type": "optional",
+ "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_region",
+ "type": "optional",
+ "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
 {
 "name": "vendor_product",
 "type": "required",
@@ -124,6 +149,16 @@
 "type": "conditional",
 "condition": "object_category=user",
 "comment": "For account changes, the user or entity performing the change."
+ },
+ {
+ "name": "src_user_type",
+ "type": "optional",
+ "comment": "For account management events, this should represent the type of the user changed by the request."
+ },
+ {
+ "name": "src_user_name",
+ "type": "optional",
+ "comment": "For account changes, the user name of the user or entity performing the change."
 }
 ],
 "child_dataset": [
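Review bot: The comment on the new `vendor_region` entry is a verbatim copy of `vendor_account`'s (`The account that manages the user that initiated the request…`) and describes the wrong field; the Alerts.json hunk on this page uses `The data center region involved in the alert event, such as us-west-2.`, so `"comment": "The data center region involved in the change event, such as us-west-2."` would be the consistent fix. The `user_name` comment repeats itself — `…this is the account that was changed this is the account that was changed (see src_user_name).` — drop one copy. In the second hunk, `src_user_type` is placed before `src_user_name`, while the rest of the list is alphabetical.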
@@ -194,11 +229,71 @@
 ],
 "search_constraints": "tag=endpoint"
 },
+ {
+ "name": "Instance_Changes",
+ "tags": [["change", "instance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=instance",
+ "fields": [
+ {
+ "name": "image_id",
+ "type": "required",
+ "comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
+ },
+ {
+ "name": "instance_type",
+ "type": "required",
+ "comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
+ }
+ ],
+ "child_dataset": []
+ },
 {
 "name": "Network_Changes",
 "tags": [["change", "network"]],
 "fields_cluster": [],
- "fields": [],
+ "fields": [
+ {
+ "name": "dest_ip_range",
+ "type": "optional",
+ "comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
+ },
+ {
+ "name": "dest_port_range",
+ "type": "optional",
+ "comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
+ },
+ {
+ "name": "direction",
+ "type": "optional",
+ "comment": "For network events, this field represents whether the traffic is inbound or outbound."
+ },
+ {
+ "name": "protocol",
+ "type": "optional",
+ "comment": "This field represents the protocol for the network event rule."
+ },
+ {
+ "name": "rule_action",
+ "type": "optional",
+ "comment": "For network events, this field represents whether to allow or deny traffic."
+ },
+ {
+ "name": "src_ip_range",
+ "type": "optional",
+ "comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
+ },
+ {
+ "name": "src_port_range",
+ "type": "optional",
+ "comment": "For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443"
+ },
+ {
+ "name": "device_restarts",
+ "type": "optional",
+ "comment": "Monitor all infrastructure device restarts."
+ }
+ ],
 "child_dataset": [
 {
 "name": "Device_Restarts",
diff --git a/pytest_splunk_addon/data_models/DLP.json b/pytest_splunk_addon/data_models/DLP.json
index bb1670051..339409185 100644
--- a/pytest_splunk_addon/data_models/DLP.json
+++ b/pytest_splunk_addon/data_models/DLP.json
@@ -68,11 +68,21 @@
 "type": "required",
 "comment": "The severity of the DLP event."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
 "comment": "The name of the DLP event."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "src",
 "type": "optional",
@@ -91,12 +101,12 @@
 {
 "name": "user",
 "type": "conditional",
- "condition": "dlp_type=email OR dlp_type=im",
+ "condition": "dlp_type=email OR dlp_type=share_point OR dlp_type=o365 OR dlp_type=google.* OR dlp_type=GWS.*",
 "comment": "The target user of the DLP event."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the DLP system"
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Email.json b/pytest_splunk_addon/data_models/Email.json
index 4c1198acd..d5d61c6fe 100644
--- a/pytest_splunk_addon/data_models/Email.json
+++ b/pytest_splunk_addon/data_models/Email.json
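Review bot: The new `device_restarts` entry in `Network_Changes` carries the comment `Monitor all infrastructure device restarts.`, which reads as a dataset description rather than a field definition, and a `Device_Restarts` child dataset follows immediately after it; it looks like a leftover or placeholder rather than a real model field — confirm a `device_restarts` field exists, otherwise drop the entry. The `src_port_range` comment is the only one in the hunk without a terminating period (`…80 or 8000 - 8080 or 80,443`). The `Network_Changes` object's `child_dataset` array begins inside this hunk and ends outside it.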
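Review bot: The new `user` condition in DLP.json, `dlp_type=google.* OR dlp_type=GWS.*`, uses regex-style `.*`, but the other `condition` values on this page (`dest_ip=*`, `src_user=*`, `tag != dhcp`, `status=failure`) are Splunk search terms, where `*` is the wildcard and `.` is a literal, so `google.*` would only match values beginning with `google.` including the dot; if the intent is any value starting with `google` or `GWS`, `dlp_type=google* OR dlp_type=GWS*` is the search form — confirm how the framework interpolates `condition` before relying on either reading.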
@@ -107,6 +107,11 @@
 "validity":"if(isnum(recipient_count) and recipient_count==mvcount(recipient),recipient_count, null())",
 "comment": "The total number of intended message recipients."
 },
+ {
+ "name": "recipient_domain",
+ "type": "required",
+ "comment": "The domain name contained within the recipient email addresses."
+ },
 {
 "name": "recipient_status",
 "type": "optional",
@@ -149,8 +154,14 @@
 "name": "status_code",
 "type": "conditional",
 "condition": "protocol=smtp",
+ "validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))",
 "comment": "The status code associated with the message."
 },
+ {
+ "name": "src_user_domain",
+ "type": "required",
+ "comment": "The domain name contained within the email address of the message sender."
+ },
 {
 "name": "subject",
 "type": "optional",
@@ -163,12 +174,12 @@
 },
 {
 "name": "user",
- "type": "required",
+ "type": "optional",
 "comment": "The user context for the process. This is not the email address for the sender. For that, look at the src_user field."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product of the email server used for the email transaction. This field can be automatically populated by vendor and product fields in your data."
 },
 {
@@ -218,7 +229,7 @@
 },
 {
 "name": "signature",
- "type": "optional",
+ "type": "required",
 "comment": "The name of the filter applied."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Endpoint.json b/pytest_splunk_addon/data_models/Endpoint.json
index 8b58c5b09..8a64d128d 100644
--- a/pytest_splunk_addon/data_models/Endpoint.json
+++ b/pytest_splunk_addon/data_models/Endpoint.json
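Review bot: The new `status_code` validity in the hunk at `@@ -149,8 +154,14 @@`, `if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))`, passes a single argument to `if()`, which in Splunk eval takes three (`if(condition, true_value, false_value)`), so the expression is malformed; every other `validity` on this page has the form `if(match(x, …), x, null())`. The regex is also unanchored and is satisfied by any value containing one digit, so it would not reject a value like `abc5xyz`; `"validity": "if(match(status_code, \"^\\d(\\.\\d{1,3}){0,2}$\"), status_code, null())"` checks the whole SMTP-style code in the same shape as the neighbours. Promoting `recipient_domain` and `src_user_domain` to `required` in the same file means any add-on that does not derive those fields now fails the model test, which deserves a mention in the change description.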
@@ -23,6 +23,21 @@
 "validity": "if(isnum(dest_port),dest_port,null())",
 "comment": "Network port listening on the endpoint, such as 53."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -44,6 +59,21 @@
 "validity": "if(isnum(src_port),src_port,null())",
 "comment": "The 'remote' port connected to the listening port (if applicable)."
 },
+ {
+ "name": "src_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "src_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "src_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "state",
 "type": "required",
@@ -57,13 +87,19 @@
 },
 {
 "name": "transport_dest_port",
- "type": "not_allowed_in_search",
+ "type": "required",
+ "validity": "(?:tcp|udp|dccp|sctp)\\/(?:(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$)",
 "comment": "Calculated as transport/dest_port, such as tcp/53."
 },
 {
 "name": "user",
 "type": "optional",
 "comment": "The user account associated with the listening port."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
 "child_dataset": [],
@@ -90,6 +126,11 @@
 "type": "required",
 "comment": "The endpoint for which the process was spawned."
 },
+ {
+ "name": "loaded_file",
+ "type": "optional",
+ "comment": "File that was loaded."
+ },
 {
 "name": "mem_used",
 "type": "optional",
@@ -102,8 +143,13 @@
 "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2."
 },
 {
- "name": "parent_process",
+ "name": "original_file_name",
 "type": "optional",
+ "comment": "Original name of the file, not including path."
+ },
+ {
+ "name": "parent_process",
+ "type": "required",
 "comment": "The full command string of the parent process."
 },
 {
@@ -133,6 +179,11 @@
 "type": "required",
 "comment": "The file path of the parent process, such as C:\\Windows\\System32\notepad.exe."
 },
+ {
+ "name": "parent_process_hash",
+ "type": "optional",
+ "comment": "TThe digest(s) of the parent process, such as , , etc."
+ },
 {
 "name": "process",
 "type": "required",
@@ -145,7 +196,7 @@
 },
 {
 "name": "process_exec",
- "type": "required",
+ "type": "optional",
 "comment": "The executable name of the process."
 },
 {
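Review bot: The new `transport_dest_port` validity is a bare regular expression, `(?:tcp|udp|dccp|sctp)\\/(?:(6553[0-5]|…)$)`, whereas every other `validity` on this page is an eval expression that returns the field or `null()`; unless the framework special-cases plain regex strings here, it will not evaluate as a check. Wrapping it in the neighbours' shape — `if(match(transport_dest_port, \"^(?:tcp|udp|dccp|sctp)\\/(?:…)$\"), transport_dest_port, null())` with the port alternation kept as written — preserves the intent and anchors the start of the value. The entry also flips from `not_allowed_in_search` to `required` in the same line, which is a large contract change for add-ons to receive without a word of explanation in the hunk or the commit.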
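Review bot: The comment on the new `parent_process_hash` entry in the hunk at `@@ -133,6 +179,11 @@`, `TThe digest(s) of the parent process, such as , , etc.`, has a doubled `T` and empty example slots; `"comment": "The digest(s) of the parent process, such as MD5, SHA-1, or SHA-256 hashes."` reads correctly. The unchanged context line just above it embeds `C:\\Windows\\System32\notepad.exe`, where `\n` is a JSON newline escape rather than a backslash, so the rendered comment contains a line break; it predates this commit, but since the hunk touches the entry the fix is `System32\\notepad.exe`.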
@@ -193,7 +244,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -222,6 +273,21 @@
 "type": "required",
 "comment": "The endpoint pertaining to the filesystem activity."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "file_access_time",
 "type": "optional",
@@ -236,7 +302,7 @@
 {
 "name": "file_hash",
 "type": "conditional",
- "condition": "action=created or action=modified ",
+ "condition": "action=created or action=modified or action=read",
 "comment": "A cryptographic identifier assigned to the file object affected by the event."
 },
 {
@@ -263,7 +329,7 @@
 },
 {
 "name": "file_size",
- "type": "optional",
+ "type": "required",
 "comment": "The size of the file that is the object of the event, in kilobytes."
 },
 {
@@ -283,7 +349,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -306,6 +372,21 @@
 "type": "required",
 "comment": "The endpoint pertaining to the registry events."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -386,7 +467,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -410,6 +491,21 @@
 "validation": "",
 "comment": "The endpoint for which the service is installed."
 },
+ {
+ "name": "dest_is_expected",
+ "type": "optional",
+ "comment": "The endpoint for which the service is installed."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -521,7 +617,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "validation": "",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
diff --git a/pytest_splunk_addon/data_models/Intrusion_Detection.json b/pytest_splunk_addon/data_models/Intrusion_Detection.json
index 9bf6d3394..8e720fc47 100644
--- a/pytest_splunk_addon/data_models/Intrusion_Detection.json
+++ b/pytest_splunk_addon/data_models/Intrusion_Detection.json
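Review bot: The new `dest_is_expected` entry reuses the `dest` comment (`The endpoint for which the service is installed.`), which describes a different field; the sibling `dest_requires_av` and `dest_should_timesync` entries added in the same hunk carry the asset-and-identity-correlation comment, and `dest_is_expected` appears to be the same kind of derived field, so that comment is presumably the right one — confirm before copying it. This dataset also receives only `dest_requires_av` and `dest_should_timesync`, while the other Endpoint datasets on this page get `dest_should_update` as well; if the omission is deliberate it is worth a sentence in the commit message.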
@@ -66,11 +66,21 @@
 ],
 "comment": "The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
 "comment": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre. This is a string value. Use a signature_id field (not included in this data model) for numeric indicators."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "src",
 "type": "conditional",
@@ -104,7 +114,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Malware.json b/pytest_splunk_addon/data_models/Malware.json
index 571946248..30dca2b2d 100644
--- a/pytest_splunk_addon/data_models/Malware.json
+++ b/pytest_splunk_addon/data_models/Malware.json
@@ -21,7 +21,7 @@
 },
 {
 "name": "date",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The date of the malware event."
 },
 {
@@ -29,6 +29,16 @@
 "type": "required",
 "comment": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
 },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the destination, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "file_hash",
 "type": "optional",
@@ -45,20 +55,42 @@
 "comment": "The full file path of the file with suspected malware"
 },
 {
- "name": "sender",
+ "name": "severity",
+ "type": "required",
+ "expected_values": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "informational"
+ ],
+ "comment":"The severity of a message."
+ },
+ {
+ "name": "severity_id",
 "type": "optional",
- "comment": "The reported sender of an email-based attack."
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
 },
 {
 "name": "signature",
 "type": "required",
 "comment": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda"
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "src",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The source of the event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
 },
+ {
+ "name": "src_user",
+ "type": "optional",
+ "comment": "The reported sender of an email-based attack."
+ },
 {
 "name": "user",
 "type": "optional",
@@ -71,7 +103,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The hash of the file with suspected malware"
 }
 ],
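Review bot: The `vendor_product` entry in the hunk at `@@ -71,7 +103,7 @@` becomes `required` but keeps the comment `The hash of the file with suspected malware`, which plainly belongs to a file-hash field; a wording in line with the other `vendor_product` entries on this page, e.g. `"comment": "The vendor and product name of the malware solution that reported the event. This field can be automatically populated by vendor and product fields in your data."`, would fix it. The new `severity` entry's comment, `"comment":"The severity of a message."`, is copied from Alerts and uses the no-space `"comment":"` form unlike the rest of Malware.json; `"comment": "The severity of the malware event."` matches the DLP and Intrusion_Detection siblings. Renaming `sender` to `src_user` removes a field name that existing add-on tests may reference and is not mentioned anywhere in the hunk.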
@@ -113,6 +145,16 @@
 "type": "required",
 "comment": "The system where the malware operations event occurred"
 },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the dest system, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "product_version",
 "type": "optional",
diff --git a/pytest_splunk_addon/data_models/Network_Resolution.json b/pytest_splunk_addon/data_models/Network_Resolution.json
index 348519359..e5a0f8426 100644
--- a/pytest_splunk_addon/data_models/Network_Resolution.json
+++ b/pytest_splunk_addon/data_models/Network_Resolution.json
@@ -13,7 +13,7 @@
 "fields_cluster": [],
 "fields": [{
 "name": "additional_answer_count",
- "type": "required",
+ "type": "optional",
 "validity": "if(isnum(additional_answer_count),additional_answer_count,null())",
 "comment": "Number of entries in the 'additional' section of the DNS message."
 },
@@ -31,7 +31,7 @@
 },
 {
 "name": "authority_answer_count",
- "type": "required",
+ "type": "optional",
 "validity": "if(isnum(authority_answer_count),authority_answer_count,null())",
 "comment": "Number of entries in the 'authority' section of the DNS message."
 },
@@ -272,7 +272,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Network_Sessions.json b/pytest_splunk_addon/data_models/Network_Sessions.json
index d869232ab..87c5addb1 100644
--- a/pytest_splunk_addon/data_models/Network_Sessions.json
+++ b/pytest_splunk_addon/data_models/Network_Sessions.json
@@ -11,7 +11,7 @@
 {
 "name": "action",
 "type": "required",
- "expected_values": ["added", "blocked"],
+ "expected_values": ["started", "ended", "blocked"],
 "comment": "The action taken by the reporting device."
 },
 {
@@ -29,6 +29,21 @@
 "type": "required",
 "comment": "An indication of the type of network session event."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
+ {
+ "name": "dest_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session."
+ },
+ {
+ "name": "dest_dns",
+ "type": "optional",
+ "comment": "The domain name system address of the destination for a network session event."
+ },
 {
 "name": "dest_priority",
 "type": "optional",
@@ -51,15 +66,21 @@
 "type": "optional",
 "comment": "The external domain name of the client initializing a network session. Not applicable for DHCP events."
 },
+ {
+ "name": "src_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session. Not applicable for DHCP events."
+ },
 {
 "name": "src_mac",
 "type": "optional",
 "condition": "tag != dhcp",
+ "validity": "if(match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),src_mac,null())",
 "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields."
 },
 {
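Review bot: The new `src_mac` validity in the hunk at `@@ -51,15 +66,21 @@`, `match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")`, accepts only upper-case hex, while the comment on the same entry says `Always force lower case on this field` and Splunk's `match()` is case-sensitive, so a correctly normalised value such as `06:10:9f:eb:8f:14` would be nulled out and reported invalid; `[0-9a-f]{2}` (or a `(?i)` prefix) fits the documented contract, and since the comment also mandates colons the `[:-]` class could simply be `:`. The `dest_mac` condition in the Network_Traffic hunk further down this page uses the same upper-case-only pattern against a field whose comment likewise demands lower case, so the check there silently never fires for compliant data. The new `dest_nt_host` comment, `The NetBIOS name of the client initializing a network session.`, is the `src_nt_host` text and should describe the destination host instead.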
@@ -70,7 +91,8 @@
 },
 {
 "name": "user",
- "type": "required",
+ "type": "conditional",
+ "condition": "tag=vpn",
 "comment": "The user in a network session event, where applicable. For example, a VPN session or an authenticated DHCP event."
 }
 ],
@@ -105,7 +127,7 @@
 },
 {
 "name": "lease_scope",
- "type": "required",
+ "type": "optional",
 "comment": "The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Network_Traffic.json b/pytest_splunk_addon/data_models/Network_Traffic.json
index be23dd3ba..739370a5f 100644
--- a/pytest_splunk_addon/data_models/Network_Traffic.json
+++ b/pytest_splunk_addon/data_models/Network_Traffic.json
@@ -63,15 +63,15 @@
 {
 "name": "dest_ip",
 "type": "conditional",
- "condition": "dest_ip=*",
- "validity": "if(match(dest_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),dest_ip,null())",
+ "condition": "| where match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "if((!isnull(dest_ip) AND dest == dest_ip), dest_ip, null())",
 "comment": "The IP address of the destination."
 },
 {
 "name": "dest_mac",
 "type": "conditional",
- "condition": "dest_mac=*",
- "validity": "if(match(dest_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),dest_mac,null())",
+ "condition": "| where match(dest,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
+ "validity": "if((!isnull(dest_mac) AND dest_mac == dest), dest_mac, null())",
 "comment": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
 },
 {
@@ -121,6 +121,11 @@
 "type": "optional",
 "comment": "The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
 },
+ {
+ "name": "dvc_ip",
+ "type": "optional",
+ "comment": "The ip address of the device."
+ },
 {
 "name": "dvc_zone",
 "type": "optional",
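Review bot: The `dest_mac` condition `match(dest,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")` is upper-case only, and Splunk's `match()` is case-sensitive without `(?i)`, so for a `dest` that follows this field's own comment ("Always force lower case") the condition selects no events and the dest_mac check silently never runs; a lower-case pattern matching the documented form, `^([0-9a-f]{2}:){5}[0-9a-f]{2}$`, makes the check fire on conformant data. The same pattern is reused for `src_mac` later in this diff and needs the same change. The new validity expressions also rely on `!isnull(...)`; `isnotnull(dest_ip)` (or `NOT isnull(...)`) is the documented eval spelling and avoids depending on whether the targeted Splunk version accepts a `!` prefix — I cannot see from the diff which version the e2e suite runs against.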
@@ -164,10 +169,16 @@
 "validity": "if(isnum(packets_out),packets_out,null())",
 "comment": "The total count of packets transmitted by this device/interface."
 },
+ {
+ "name": "process_id",
+ "type": "optional",
+ "comment": "The numeric identifier of the process (PID) or service generating the network traffic."
+ },
 {
 "name": "protocol",
 "type": "conditional",
 "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",protocol ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),protocol,true(), null())",
 "expected_values": ["ip", "icmp"],
 "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx."
 },
@@ -218,12 +229,12 @@
 },
 {
 "name": "ssid",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The 802.11 service set identifier (ssid) assigned to a wireless session."
 },
 {
 "name": "wifi",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n."
 },
 {
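Review bot: The new `validity` on `protocol` nulls every pairing except `icmp/icmp` and `ip/{tcp,udp}`, so `protocol=ip, transport=icmp` — a consistent pairing, since ICMP is carried over IP, and both values sit in the respective `expected_values` lists — is rejected, and the comment's own examples `appletalk`/`ipx` can never validate. If the goal is only to catch contradictory pairs, reject those and pass everything else: `"validity": "case(protocol==\"icmp\" AND transport!=\"icmp\", null(), true(), protocol)",`. The mirrored expression added on `transport` later in this diff has the same effect and should change together with this one.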
@@ -249,8 +260,13 @@
 "comment": "The user that requested the traffic flow."
 },
 {
- "name": "vendor_product",
+ "name": "vendor_account",
 "type": "optional",
+ "comment": "The account associated with the network traffic. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
 "comment": "The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data."
 },
 {
@@ -261,21 +277,23 @@
 {
 "name": "transport",
 "type": "required",
+ "condition": "",
+ "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",transport ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),transport,true(), null())",
 "expected_values": ["tcp", "udp", "icmp"],
 "comment": "The OSI layer 4 (transport) protocol of the traffic observed, in lower case."
 },
 {
 "name": "src_ip",
 "type": "conditional",
- "condition": "src_ip=*",
- "validity": "if(match(src_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),src_ip,null())",
+ "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "if((!isnull(src_ip) AND src == src_ip), src_ip, null())",
 "comment": "The ip address of the source."
 },
 {
 "name": "src_mac",
 "type": "conditional",
- "condition": "src_mac=*",
- "validity": "if(match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),src_mac,null())",
+ "condition": "| where match(src,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
+ "validity": "if((!isnull(src_mac) AND src_mac == src), src_mac, null())",
 "comment": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
 },
 {
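Review bot: `transport` gains `"condition": ""` while staying `"type": "required"`; no other entry in this diff pairs a required field with an empty condition, and if the generator treats any present `condition` key as a search fragment, an empty string is either a dead key or a malformed search — confirm which, and drop the key if it is unused. The `validity` mirrors the one added on `protocol`: it nulls `transport` for `protocol=ip, transport=icmp`, a consistent pairing (ICMP rides on IP) with both values in the `expected_values` lists, so a correctly populated source fails a required-field check. Restricting the rule to contradictory pairs keeps the intent: `"validity": "case(protocol==\"icmp\" AND transport!=\"icmp\", null(), true(), transport)",`. The `src_mac` condition in this hunk has the same upper-case-only regex problem as `dest_mac` earlier in the diff.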
diff --git a/pytest_splunk_addon/data_models/Updates.json b/pytest_splunk_addon/data_models/Updates.json
index 7478acb94..ba8e35601 100644
--- a/pytest_splunk_addon/data_models/Updates.json
+++ b/pytest_splunk_addon/data_models/Updates.json
@@ -42,6 +42,11 @@
 ],
 "comment":"The severity associated with the patch event."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
@@ -67,7 +72,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment":"The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Vulnerabilities.json b/pytest_splunk_addon/data_models/Vulnerabilities.json
index 16bdcc208..96eb322a1 100644
--- a/pytest_splunk_addon/data_models/Vulnerabilities.json
+++ b/pytest_splunk_addon/data_models/Vulnerabilities.json
@@ -69,11 +69,21 @@
 ],
 "comment":"The severity of the vulnerability detection event. Specific values are required."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
 "comment":"The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "url",
 "type": "optional",
@@ -86,7 +96,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment":"The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Web.json b/pytest_splunk_addon/data_models/Web.json
index 05807c28a..0aaaf56aa 100644
--- a/pytest_splunk_addon/data_models/Web.json
+++ b/pytest_splunk_addon/data_models/Web.json
@@ -115,6 +115,11 @@
 "type": "required",
 "comment": "The URL of the requested HTTP resource."
 },
+ {
+ "name": "url_domain",
+ "type": "required",
+ "comment": "The domain name contained within the URL of the requested HTTP resource."
+ },
 {
 "name": "url_length",
 "type": "optional",
@@ -144,6 +149,21 @@
 "validity": "if(isnum(bytes_out),bytes_out,null())",
 "comment": "The number of outbound bytes transferred."
 },
+ {
+ "name": "http_method",
+ "type": "required",
+ "expected_values": [
+ "GET",
+ "PUT",
+ "POST",
+ "DELETE",
+ "HEAD",
+ "OPTIONS",
+ "CONNECT",
+ "TRACE"
+ ],
+ "comment": "The HTTP method used in the request."
+ },
 {
 "name": "http_user_agent",
 "type": "required",
@@ -172,21 +192,6 @@
 "type": "optional",
 "comment": "The content-type of the requested HTTP resource."
 },
- {
- "name": "http_content_type",
- "type": "optional",
- "expected_values": [
- "GET",
- "PUT",
- "POST",
- "DELETE",
- "HEAD",
- "OPTIONS",
- "CONNECT",
- "TRACE"
- ],
- "comment": "The HTTP method used in the request."
- },
 {
 "name": "response_time",
 "type": "optional",
@@ -205,7 +210,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data."
 },
 {
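Review bot: `url_domain` is introduced directly as `"type": "required"`, which turns every existing Web add-on under test into a failure until it ships a new extraction, and a proxy that logs a path-only `url` (no host component) has nothing to derive a domain from. If the CIM reference does not list url_domain as required, `"type": "optional"` is the backward-compatible choice; if it does, the breaking change should be called out in the changelog alongside the `vendor_product` optional-to-required flips made across several models in this diff.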
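Review bot: `http_method` is `required` with a closed `expected_values` list that omits `PATCH` (RFC 5789), which is routine in API and proxy traffic, so a source that logs PATCH requests fails the expected-values check on an otherwise correct extraction. If the list is meant to mirror CIM's prescribed values verbatim, keep it and say so in the comment; otherwise add `"PATCH",` to the array. The comment should also state whether the comparison is case-sensitive, since the values are upper-case and a source that normalizes methods to lower case would otherwise fail silently. Removing the mis-keyed duplicate `http_content_type` entry with this value list is the right fix.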
@@ -218,6 +223,11 @@
 "type": "optional",
 "comment": "The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. Use a FIELDALIAS to handle both key names."
 },
+ {
+ "name": "http_referrer_domain",
+ "type": "optional",
+ "comment": "The domain name contained within the HTTP referrer used in the request."
+ },
 {
 "name": "site",
 "type": "optional",
@@ -232,9 +242,34 @@
 "fields": [],
 "child_dataset": [],
 "search_constraints": "tag=proxy"
+ },
+ {
+ "name": "Storage",
+ "tags": [["storage", "web"]],
+ "fields_cluster": [],
+ "fields":[
+ {
+ "name": "error_code",
+ "type": "optional",
+ "comment": "The error code that occurred while accessing the storage account"
+ },
+ {
+ "name": "operation",
+ "type": "optional",
+ "comment": "The operation performed on the storage account."
+ },
+ {
+ "name": "storage_name",
+ "type": "optional",
+ "comment": "The name of the bucket or storage account."
+ }
+ ],
+ "child_dataset": [],
+ "search_constraints": "tag=storage"
+ }
 ],
 "search_constraints": "tag=web"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/tests/e2e/constants.py b/tests/e2e/constants.py
index ead3981cd..5aaa9badd 100644
--- a/tests/e2e/constants.py
+++ b/tests/e2e/constants.py
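Review bot: The file's trailing newline is dropped by this hunk (`-}` / `+}` followed by `\ No newline at end of file`), which is unrelated to the Storage dataset and will show up as noise in every later diff of Web.json; the closing `}` should keep its newline. Within the new dataset, `error_code` is the only comment without a terminating period: `"comment": "The error code that occurred while accessing the storage account."`.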
@@ -771,6 +771,7 @@
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::action* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::app* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::dest* PASSED*',
+ '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src_user* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::user* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Failed_Authentication* PASSED*',
@@ -859,12 +860,12 @@
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_port* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_translated_ip* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_translated_port* PASSED*',
- '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::transport* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Allowed_Traffic* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Traffic_By_Action* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::action* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::app* PASSED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::dest* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src_user* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::user* PASSED*',
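Review bot: The `Authentication::src* PASSED*` line is inserted between `app` and `dest` here, whereas the equivalent line added to the `test_splunk_app_req.py` list earlier in this diff sits after `dest`, following the alphabetical order the rest of both lists keep. Move it below the `dest` line so the two expectation lists stay parallel and easy to compare.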
@@ -906,7 +907,9 @@
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::protocol* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_zone* FAILED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::transport* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Blocked_Traffic* FAILED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::vendor_product* FAILED*',
 "*test_splunk_app_req_broken.py::Test_App::test_requirements_fields[sample_name::sample_modinput.xml::host::so13* FAILED*",
 "*test_splunk_app_req_broken.py::Test_App::test_cim_fields_recommended[Authentication-::sample_name::sample_modinput.xml::host::so11* FAILED*",
 "*test_splunk_app_req_broken.py::Test_App::test_datamodels[Network_Traffic::sample_name::syslog.xml::host::10.0.0.31* FAILED*",
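Review bot: The new `All_Traffic::vendor_product* FAILED*` expectation is placed after `Blocked_Traffic` rather than with the other `All_Traffic::` entries (`protocol`, `src`, `src_zone`, `transport`), which the surrounding list keeps grouped by dataset and in alphabetical order; move it up one line so the grouping survives. The `transport* FAILED*` line, moved here from the PASSED list, is presumably the effect of the new `validity` added to `transport` in Network_Traffic.json; if the broken fixture emits `protocol=ip, transport=icmp`, this expectation is encoding the over-strict protocol/transport rule rather than a defect in the fixture, so it is worth confirming which before locking it in.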