From 5b4802ae2581816af5cd89ab89d47f136aed28a4 Mon Sep 17 00:00:00 2001 From: Harshil Gajera Date: Wed, 26 Jun 2024 11:58:39 +0530 Subject: [PATCH 1/2] feat: updating data models --- .../CIM_Models/datamodel_definition.py | 389 ++++++++++++++++-- 1 file changed, 364 insertions(+), 25 deletions(-) diff --git a/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py b/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py index f1590ab66..619d35780 100644 --- a/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py +++ b/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py @@ -1,3 +1,4 @@ + # # Copyright 2024 Splunk Inc. # @@ -14,7 +15,7 @@ # limitations under the License. # datamodels = { - "latest": { + "4.18.1": { "Alerts": { "BaseEvent": [ "app", @@ -24,7 +25,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -50,12 +50,7 @@ ] }, "Change": { - "Account_Management": [ - "dest_nt_domain", - "src_nt_domain", - "src_user", - "src_user_name", - ], + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], "BaseEvent": [ "change_type", "command", @@ -71,7 +66,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], 
@@ -137,17 +131,322 @@ "vendor_product", ] }, - "Data_Access": { + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { "BaseEvent": [ "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + 
"dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "4.19": { + "Alerts": { + "BaseEvent": [ "app", "dest", + "severity", + "signature_id", + "src", + "type", + "user", + "user_name", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", "object", + "object_attrs", "object_category", "object_id", - "object_size", + "object_path", + "status", + "result", + "result_id", "src", - 
"vendor_account", + "user", + "user_name", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", "user", "vendor_product", ] @@ -191,7 +490,6 @@ ], "Processes": [ "dest", - "original_file_name", "parent_process", "parent_process_name", "process", @@ -350,7 +648,7 @@ ] }, }, - "4.18.1": { + "4.20.2": { "Alerts": { "BaseEvent": [ "app", @@ -360,6 +658,7 @@ "src", "type", "user", + "user_name", ] }, "Application_State": { @@ -385,7 +684,12 @@ ] }, "Change": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], "BaseEvent": [ "change_type", "command", @@ -401,6 +705,7 @@ "result_id", "src", "user", + "user_name", "vendor_product", "action", ], 
@@ -466,6 +771,21 @@ "vendor_product", ] }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "tenant_id", + "user", + "vendor_product", + ] + }, "Email": { "BaseEvent": [ "action", @@ -505,6 +825,7 @@ ], "Processes": [ "dest", + "original_file_name", "parent_process", "parent_process_name", "process", @@ -663,7 +984,7 @@ ] }, }, - "4.19": { + "5.0.0": { "Alerts": { "BaseEvent": [ "app", @@ -786,6 +1107,21 @@ "vendor_product", ] }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "vendor_account", + "user", + "vendor_product", + ] + }, "Email": { "BaseEvent": [ "action", @@ -825,6 +1161,7 @@ ], "Processes": [ "dest", + "original_file_name", "parent_process", "parent_process_name", "process", @@ -983,7 +1320,7 @@ ] }, }, - "4.20.2": { + "5.3.1": { "Alerts": { "BaseEvent": [ "app", @@ -993,7 +1330,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -1023,7 +1359,6 @@ "dest_nt_domain", "src_nt_domain", "src_user", - "src_user_name", ], "BaseEvent": [ "change_type", @@ -1040,7 +1375,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], @@ -1112,11 +1446,13 @@ "app", "dest", "object", + "object_attrs", "object_category", "object_id", "object_size", "src", - "tenant_id", + "user_name", + "vendor_account", "user", "vendor_product", ] @@ -1160,6 +1496,7 @@ ], "Processes": [ "dest", + "loaded_file", "original_file_name", "parent_process", "parent_process_name", @@ -1319,7 +1656,7 @@ ] }, }, - "5.0.0": { + "5.3.2": { "Alerts": { "BaseEvent": [ "app", @@ -1329,7 +1666,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -1359,7 +1695,6 @@ "dest_nt_domain", "src_nt_domain", "src_user", - "src_user_name", ], "BaseEvent": [ "change_type", 
@@ -1376,7 +1711,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], @@ -1448,10 +1782,12 @@ "app", "dest", "object", + "object_attrs", "object_category", "object_id", "object_size", "src", + "user_name", "vendor_account", "user", "vendor_product", @@ -1496,6 +1832,7 @@ ], "Processes": [ "dest", + "loaded_file", "original_file_name", "parent_process", "parent_process_name", @@ -1656,3 +1993,5 @@ }, }, } + +datamodels["latest"]=datamodels["5.3.2"] From e9fabbf6c918f7f7e9826aa39c6fe9fffd53b54b Mon Sep 17 00:00:00 2001 From: Harshil Gajera Date: Wed, 26 Jun 2024 16:16:22 +0530 Subject: [PATCH 2/2] ci: lint changes --- .../standard_lib/CIM_Models/datamodel_definition.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py b/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py index 619d35780..326674983 100644 --- a/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py +++ b/pytest_splunk_addon/standard_lib/CIM_Models/datamodel_definition.py @@ -1,4 +1,3 @@ - # # Copyright 2024 Splunk Inc. # @@ -1994,4 +1993,4 @@ }, } -datamodels["latest"]=datamodels["5.3.2"] +datamodels["latest"] = datamodels["5.3.2"]
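Review bot: `datamodels["latest"]=datamodels["5.3.2"]` at the end of the `@@ -1656,3 +1993,5 @@` hunk binds `latest` to the very same dict object as `5.3.2`, so any consumer that mutates one entry (appending or removing a field list) silently changes the other, and iterating `datamodels` now yields the 5.3.2 field lists twice under two keys. If that aliasing is intended, say so beside the assignment: `# "latest" is an alias of the newest supported CIM version; move it when a new version block is added.`; if the two must stay independent, assign `copy.deepcopy(datamodels["5.3.2"])` instead (which needs `import copy` at the top of the file). The previous layout kept `latest` as its own literal block, so callers that relied on `latest` being distinct from every numbered key may be affected; that cannot be confirmed from this hunk, which shows only the dict's closing lines and the new assignment.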