58 changes: 54 additions & 4 deletions pytest_splunk_addon/standard_lib/data_models/Alerts.json
Expand Up @@ -17,19 +17,44 @@
},
{
"name": "body",
"type": "optional",
"comment":"The body of a message."
},
{
"name": "description",
"type": "required",
"comment":"The body of a message."
"comment": "The description of the alert event."
},
{
"name": "dest",
"type": "required",
"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
"comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
},
{
"name": "dest_type",
"type": "optional",
"comment": "The type of the destination object, such as instance, storage, firewall."
},
dest_type is not provided by the A&I framework, so all fields in https://github.com/splunk/pytest-splunk-addon/blob/3ee0404aa07cd56ee67063c4c86aaeaeb3dbb7be/pytest_splunk_addon/standard_lib/cim_tests/CommonFields.json have the same description whether or not they are provided by A&I.

{
"name": "id",
"type": "required",
"comment":"The unique identifier of a message."
},
{
"name": "mitre_technique_id",
"type": "optional",
"comment": "The MITRE ATT&CK technique ID of the alert event."
},
{
"name": "signature",
"type": "required",
"comment": "A human-readable signature name."
},
{
"name": "signature_id",
"type": "required",
"comment": "The unique identifier or event code of the event signature."
},
{
"name": "severity",
"type": "required",
Expand All @@ -49,8 +74,13 @@
},
{
"name": "src",
"type": "required",
"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
},
{
"name": "src_type",
"type": "optional",
"comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
"comment": "The type of the source object, such as instance, storage, firewall."
},
{
"name": "subject",
Expand All @@ -67,7 +97,27 @@
"task",
"warning"
],
"comment":"The message type."
"comment":"The message type."
},
{
"name": "user",
"type": "required",
"comment": "The user involved in the alert event."
},
{
"name": "user_name",
"type": "optional",
"comment": "The name of the user involved in the alert event."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_region",
"type": "optional",
"comment": "The data center region involved in the alert event, such as us-west-2."
}
],
"child_dataset": []
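Review bot: The new `user` entry in the first hunk is typed `"required"`, which makes the Alerts field test fail for every alert that carries no user — for example a system-generated alert delivered to an SNMP trap, the case the `dest` comment in the same hunk describes — while the companion `user_name` entry is `"optional"`. Unless the CIM Alerts model mandates the field, `"type": "optional"` is the safer default, or use `"type": "conditional"` with a `condition` naming the event shape that must carry it, as Authentication.json does for `src_user`. The enclosing `fields` array opens above the first hunk.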
57 changes: 54 additions & 3 deletions pytest_splunk_addon/standard_lib/data_models/Authentication.json
Expand Up @@ -10,19 +10,54 @@
{
"name": "action",
"type": "required",
"expected_values": ["success", "failure", "error"],
"expected_values": ["success", "failure", "pending", "error"],
"comment": "The action performed on the resource."
},
{
"name": "app",
"type": "required",
"comment": "The application involved in the event (such as ssh, splunk, win:local)."
},
{
"name": "authentication_method",
"type": "optional",
"comment": "The method used to authenticate the request"
},
{
"name": "authentication_service",
"type": "optional",
"comment": "The service used to authenticate the request"
},
{
"name": "dest",
"type": "required",
"comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."
},
{
"name": "src_user_type",
"type": "optional",
"comment": "The type of the user who initiated the privilege escalation."
},
{
"name": "user_type",
"type": "optional",
"comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System."
},
{
"name": "src_user_role",
"type": "optional",
"comment": "The role of the user who initiated the privilege escalation."
},
{
"name": "user_role",
"type": "optional",
"comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation."
},
{
"name": "user_agent",
"type": "optional",
"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
},
{
"name": "duration",
"type": "optional",
Expand All @@ -48,19 +83,35 @@
},
{
"name": "src",
"type": "optional",
"type": "required",
"comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
},
{
"name": "user",
"type": "required",
"comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
},
{
"name": "user_id",
"type": "optional",
"comment": "The unique id of the user involved in the event."
},
{
"name": "reason",
"type": "optional",
"validity": "if(action in ['success', 'failure'], action, null())",
"comment": "The human-readable message associated with the authentication action (success or failure)."
},
{
"name": "src_user",
"condition": "src_user=*",
"condition": "src_user=* tag=privileged",
"type": "conditional",
"comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
}
],
"child_dataset": [
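Review bot: The `src` entry in the second hunk, now `"required"`, still carries the `user` comment (`The name of the user involved in the event…`), so the generated field documentation describes the wrong field; it should describe the source, e.g. `"comment": "The source involved in the authentication. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host."`, mirroring the `dest` comment in the first hunk. Separately, the `validity` expression on the new `reason` entry, `if(action in ['success', 'failure'], action, null())`, yields `action` rather than `reason`; if `validity` is meant to return the field's own value when valid (as the `object_path` expression in Change.json on this page does), it should read `if(action in ['success', 'failure'], reason, null())`. The `user_type` comment in the first hunk embeds a `\n` escape that no other comment uses; a comma or the phrase `such as` keeps the text on one line. The enclosing `fields` array opens before the first hunk.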
16 changes: 13 additions & 3 deletions pytest_splunk_addon/standard_lib/data_models/Certificates.json
Expand Up @@ -71,7 +71,7 @@
"fields":[
{
"name": "ssl_end_time",
"type": "optional",
"type": "required",
"comment":"The expiry time of the certificate. Needs to be converted to UNIX time for calculations in dashboards."
},
{
Expand All @@ -81,7 +81,7 @@
},
{
"name": "ssl_hash",
"type": "optional",
"type": "required",
"comment":"The hash of the certificate."
},
{
Expand Down Expand Up @@ -110,6 +110,11 @@
"type": "optional",
"comment":"The certificate issuer's email address."
},
{
"name": "ssl_issuer_email_domain",
"type": "optional",
"comment":"The domain name contained within the certificate issuer's email address."
},
{
"name": "ssl_issuer_locality",
"type": "optional",
Expand Down Expand Up @@ -167,7 +172,7 @@
},
{
"name": "ssl_start_time",
"type": "optional",
"type": "required",
"comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
},
{
Expand All @@ -185,6 +190,11 @@
"type": "optional",
"comment":"The certificate owner's e-mail address."
},
{
"name": "ssl_subject_email_domain",
"type": "optional",
"comment":"The domain name contained within the certificate subject's email address."
},
{
"name": "ssl_subject_locality",
"type": "optional",
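Review bot: `ssl_hash` becomes `"required"` in the second hunk, but its comment, `The hash of the certificate.`, does not say which digest or encoding is expected, so add-ons updated to satisfy the new requirement may emit values that cannot be compared across sources; once confirmed against the CIM Certificates model, state both in the comment, e.g. `"comment": "The hash of the certificate (<ALGORITHM>, <ENCODING>)."` with the placeholders filled in. The same applies to `ssl_start_time` and `ssl_end_time`, which are now required but whose comments only say the value needs converting to UNIX time without stating the timestamp format the test accepts. Each of these hunks lies inside the `fields` array, whose boundaries are outside the hunks.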
105 changes: 100 additions & 5 deletions pytest_splunk_addon/standard_lib/data_models/Change.json
Expand Up @@ -61,13 +61,13 @@
{
"name": "object_path",
"validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
"type": "required",
"type": "optional",
"comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
},
{
"name": "result",
"type": "optional",
"expected_values": ["lockout"],
"condition": "status=failure",

this is supposed to be the literal string the vendor uses in the log, so there is no constraint on what may be present.

@harshilgajera-crest harshilgajera-crest Jun 27, 2024

So we mark it as optional? @justin-splunk
or keep it required but not keep the condition?

@alexeisuv alexeisuv Jun 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The result provides the reason for the action's failure, so I suggest:

  • if the status=failure, then the result is required (yes it may not always be present in the raw, but it will prompt the SME to investigate why the action failed - directly from the raw or indirectly from the vendor docs).
  • if the status=success, the result is optional.

Is this the current logic?

@alexeisuv
So current condition is that if status=failure then result should be required, else it is optional

"type": "conditional",
"comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
},
{
Expand All @@ -77,7 +77,7 @@
},
{
"name": "src",
"type": "optional",
"type": "required",
"comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
},
{
Expand All @@ -96,6 +96,31 @@
"type": "required",
"comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
},
{
"name": "user_agent",
"type": "optional",
"comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
},
{
"name": "user_name",
"type": "optional",
"comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
},
{
"name": "user_type",
"type": "optional",
"comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
},
{
"name": "vendor_account",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_region",
"type": "optional",
"comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
},
{
"name": "vendor_product",
"type": "required",
Expand Down Expand Up @@ -124,6 +149,16 @@
"type": "conditional",
"condition": "object_category=user",
"comment": "For account changes, the user or entity performing the change."
},
{
"name": "src_user_type",
"type": "optional",
"comment": "For account management events, this should represent the type of the user changed by the request."
},
{
"name": "src_user_name",
"type": "optional",
"comment": "For account changes, the user name of the user or entity performing the change."
}
],
"child_dataset": [
Expand Down Expand Up @@ -194,11 +229,71 @@
],
"search_constraints": "tag=endpoint"
},
{
"name": "Instance_Changes",
"tags": [["change", "instance"]],
"fields_cluster": [],
"search_constraints": "tag=instance",
"fields": [
{
"name": "image_id",
"type": "required",
"comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
},
{
"name": "instance_type",
"type": "required",
"comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
}
],
"child_dataset": []
},
{
"name": "Network_Changes",
"tags": [["change", "network"]],
"fields_cluster": [],
"fields": [],
"fields": [
{
"name": "dest_ip_range",
"type": "optional",
"comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
},
{
"name": "dest_port_range",
"type": "optional",
"comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
},
{
"name": "direction",
"type": "optional",
"comment": "For network events, this field represents whether the traffic is inbound or outbound."
},
{
"name": "protocol",
"type": "optional",
"comment": "This field represents the protocol for the network event rule."
},
{
"name": "rule_action",
"type": "optional",
"comment": "For network events, this field represents whether to allow or deny traffic."
},
{
"name": "src_ip_range",
"type": "optional",
"comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
},
{
"name": "src_port_range",
"type": "optional",
"comment": "For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443"
},
{
"name": "device_restarts",
"type": "optional",
"comment": "Monitor all infrastructure device restarts."
}
],
"child_dataset": [
{
"name": "Device_Restarts",
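Review bot: The new `vendor_region` comment in the third hunk is a copy of the `vendor_account` comment directly above it (`The account that manages the user…`), so the generated docs describe the wrong field; use the region wording the Alerts.json section on this page already has, `"comment": "The data center region involved in the change event, such as us-west-2."`. In the same hunk the `user_name` comment repeats itself (`this is the account that was changed this is the account that was changed`), and the `src_user_type` comment in the following hunk (`the type of the user changed by the request`) says the same thing as `user_type`, whereas the neighbouring `src_user` comment defines src_user as the entity performing the change, so it should read `"comment": "For account changes, the type of the user or entity performing the change."`. In the last hunk `device_restarts` is listed as a field of `Network_Changes` with the comment `Monitor all infrastructure device restarts.`, which reads like a dataset description rather than a field definition and sits beside the `Device_Restarts` child dataset; confirm it is meant to be a field, and if so say what value it carries. The `Network_Changes` object continues past the end of the hunk.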