feat: schema changes for LR notes #857
Merged
Changes from all commits
9 commits
bee27bb  chore(deps): lock file maintenance (#851)  (renovate[bot])
3ee0404  chore(deps): update dependency urllib3 to v1.26.19 [security] (#852)  (renovate[bot])
a5236e5  Schema changes for LR notes  (kkedziak-splunk)
30a0350  Fix precommit issue  (kkedziak-splunk)
6900541  Merge branch 'refs/heads/develop' into feat/schema-notes  (kkedziak-splunk)
c09a4bf  Revert "chore(deps): update dependency urllib3 to v1.26.19 [security]…  (kkedziak-splunk)
3ffc096  Revert "chore(deps): lock file maintenance (#851)"  (kkedziak-splunk)
c4dc608  Poetry revert  (kkedziak-splunk)
2878f9f  Poetry fix  (kkedziak-splunk)
tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_incorrect.xml (44 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <device> | ||
| <vendor>Microsoft</vendor> | ||
| <product>Sysmon</product> | ||
| <version id="15.0" /> | ||
| <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format=""> | ||
| <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" /> | ||
| <NONEXISTING>HELLO</NONEXISTING> | ||
| <source> | ||
| <jira id="" /> | ||
| <comment>lab, index = * EventCode=19</comment> | ||
| </source> | ||
| <note>Some event level note!!!</note> | ||
| <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw> | ||
| <cim> | ||
| <models> | ||
| <model>Change:Endpoint_Changes</model> | ||
| </models> | ||
| <cim_fields> | ||
| <field name="action" value="created" note="some field level note!!!" /> | ||
| <field name="change_type" value="filesystem" /> | ||
| <field name="dest" value="server1" /> | ||
| <field name="dvc" value="server1" /> | ||
| <field name="object_category" value="wmi" /> | ||
| <field name="result" value="created" /> | ||
| <field name="src" value="server1" /> | ||
| <field name="status" value="success" /> | ||
| <field name="user" value="Administrator" /> | ||
| <field name="user_name" value="Administrator" /> | ||
| <field name="vendor_product" value="Microsoft Sysmon" /> | ||
| <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" /> | ||
| <field name="signature_id" value="19" /> | ||
| </cim_fields> | ||
| <missing_recommended_fields> | ||
| <field>command</field> | ||
| <field>object</field> | ||
| <field>object_attrs</field> | ||
| <field>object_id</field> | ||
| <field>object_path</field> | ||
| <field>result_id</field> | ||
| </missing_recommended_fields> | ||
| </cim> | ||
| </event> | ||
| </device> | ||
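Review bot: the only thing that makes lr_incorrect.xml invalid is the `<NONEXISTING>HELLO</NONEXISTING>` child placed right after `<transport .../>`; the rest of the file is the valid notes fixture, including the event-level `<note>` and the field-level `note=` attribute. The negative test therefore only proves that the schema rejects an unknown child of `<event>`, not that it rejects a misplaced or malformed note, which is the feature this PR adds. Consider a second negative fixture that misuses the note element or attribute (if the schema is meant to reject such placements), and an XML comment in this file explaining why `NONEXISTING` is there so nobody "fixes" it later.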
tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_notes.xml (43 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <device> | ||
| <vendor>Microsoft</vendor> | ||
| <product>Sysmon</product> | ||
| <version id="15.0" /> | ||
| <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format=""> | ||
| <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" /> | ||
| <source> | ||
| <jira id="" /> | ||
| <comment>lab, index = * EventCode=19</comment> | ||
| </source> | ||
| <note>Some event level note!!!</note> | ||
| <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw> | ||
| <cim> | ||
| <models> | ||
| <model>Change:Endpoint_Changes</model> | ||
| </models> | ||
| <cim_fields> | ||
| <field name="action" value="created" note="some field level note!!!" /> | ||
| <field name="change_type" value="filesystem" /> | ||
| <field name="dest" value="server1" /> | ||
| <field name="dvc" value="server1" /> | ||
| <field name="object_category" value="wmi" /> | ||
| <field name="result" value="created" /> | ||
| <field name="src" value="server1" /> | ||
| <field name="status" value="success" /> | ||
| <field name="user" value="Administrator" /> | ||
| <field name="user_name" value="Administrator" /> | ||
| <field name="vendor_product" value="Microsoft Sysmon" /> | ||
| <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" /> | ||
| <field name="signature_id" value="19" /> | ||
| </cim_fields> | ||
| <missing_recommended_fields> | ||
| <field>command</field> | ||
| <field>object</field> | ||
| <field>object_attrs</field> | ||
| <field>object_id</field> | ||
| <field>object_path</field> | ||
| <field>result_id</field> | ||
| </missing_recommended_fields> | ||
| </cim> | ||
| </event> | ||
| </device> |
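Review bot: lr_notes.xml is identical to lr_without_notes.xml in the next file (same event-level `<note>` and same `note="some field level note!!!"` on the `action` field) and differs from lr_incorrect.xml only by the `<NONEXISTING>` element, so three 43-line copies now have to be kept in sync by hand. Consider keeping one base fixture and deriving the variants inside the test (inserting or removing the note element, the note attribute, or the bogus child with ElementTree before calling `validator.validate`), so that a later change to the raw event or the CIM field list is made once.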
tests/unit/tests_standard_lib/tests_sample_generation/test_data/xmls/lr_without_notes.xml (43 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <device> | ||
| <vendor>Microsoft</vendor> | ||
| <product>Sysmon</product> | ||
| <version id="15.0" /> | ||
| <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format=""> | ||
| <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" /> | ||
| <source> | ||
| <jira id="" /> | ||
| <comment>lab, index = * EventCode=19</comment> | ||
| </source> | ||
| <note>Some event level note!!!</note> | ||
| <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw> | ||
| <cim> | ||
| <models> | ||
| <model>Change:Endpoint_Changes</model> | ||
| </models> | ||
| <cim_fields> | ||
| <field name="action" value="created" note="some field level note!!!" /> | ||
| <field name="change_type" value="filesystem" /> | ||
| <field name="dest" value="server1" /> | ||
| <field name="dvc" value="server1" /> | ||
| <field name="object_category" value="wmi" /> | ||
| <field name="result" value="created" /> | ||
| <field name="src" value="server1" /> | ||
| <field name="status" value="success" /> | ||
| <field name="user" value="Administrator" /> | ||
| <field name="user_name" value="Administrator" /> | ||
| <field name="vendor_product" value="Microsoft Sysmon" /> | ||
| <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" /> | ||
| <field name="signature_id" value="19" /> | ||
| </cim_fields> | ||
| <missing_recommended_fields> | ||
| <field>command</field> | ||
| <field>object</field> | ||
| <field>object_attrs</field> | ||
| <field>object_id</field> | ||
| <field>object_path</field> | ||
| <field>result_id</field> | ||
| </missing_recommended_fields> | ||
| </cim> | ||
| </event> | ||
| </device> |
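Review bot: this file is named lr_without_notes.xml but still contains `<note>Some event level note!!!</note>` and `note="some field level note!!!"` on the `action` field, so it is the same document as lr_notes.xml and `test_validate_schema` never checks that a document with no notes at all still validates, i.e. that the new element and attribute are optional. Remove the `<note>` element and the `note` attribute from this fixture so the "without notes" case is actually exercised.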
tests/unit/tests_standard_lib/tests_sample_generation/test_schema.py (31 additions & 0 deletions)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| import os.path | ||
|
|
||
| import pytest | ||
| from xmlschema import XMLSchema, XMLSchemaChildrenValidationError | ||
|
|
||
| from pytest_splunk_addon.standard_lib.sample_generation.pytest_splunk_addon_data_parser import ( | ||
| SCHEMA_PATH, | ||
| ) | ||
|
|
||
|
|
||
| @pytest.fixture | ||
| def validator() -> XMLSchema: | ||
| return XMLSchema(SCHEMA_PATH) | ||
|
|
||
|
|
||
| def get_xml(name: str) -> str: | ||
| with open(os.path.join(os.path.dirname(__file__), "test_data", "xmls", name)) as fp: | ||
| return fp.read() | ||
|
|
||
|
|
||
| def test_validate_schema(validator): | ||
| validator.validate(get_xml("lr_without_notes.xml")) | ||
|
|
||
|
|
||
| def test_validate_schema_incorrect_event_element(validator): | ||
| with pytest.raises(XMLSchemaChildrenValidationError): | ||
| validator.validate(get_xml("lr_incorrect.xml")) | ||
|
|
||
|
|
||
| def test_validate_schema_notes(validator): | ||
| validator.validate(get_xml("lr_notes.xml")) |
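Review bot: `get_xml` opens the fixture without an `encoding` argument, so on a platform whose locale encoding is not UTF-8 the `encoding="UTF-8"` declaration in the files is ignored and the read can fail; pass `encoding="utf-8"` to `open`, or hand `validator.validate` the file path and let xmlschema read the file itself. In `test_validate_schema_incorrect_event_element`, `pytest.raises(XMLSchemaChildrenValidationError)` passes for any children error, so add `match="NONEXISTING"` to tie the failure to the bogus element; and `test_validate_schema` would read better as `test_validate_schema_without_notes` to match its fixture and the other two test names.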