chore(release): making a new release v6.0.0 #898
Conversation
Updated 2 fields in Network Resolution model. - Added expected values for reply_code_id which has corresponding reply_code. - Added expected values for reply_code.
Added cim models for v5.3.1 and v5.3.2 Created a runbook:https://docs.google.com/document/d/1sOG0FWM9StzgNJx4tYzsX4Tur33D91V59v3SObrXvks/edit
Added support for cim v5.3.2. - Updated data-models with new child data set in various models. - Updated required fields with updated values as per v5.3.2. - Added optional fields as per v5.3.2 Detailed comparison and analysis between v4.15.0 and v5.3.2 can be found here: https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit#gid=1147250948
Added new data models: - Compute_Inventory - Data_Access - Databases - Event_Signatures - Interprocess Messaging - JVM - Performance - Ticket_Management Updated version in requirement_test_datamodel_tag_constants.py file
This PR removes the feature of generating cim-field-report. ref: [ADDON-73385](https://splunk.atlassian.net/browse/ADDON-73385) NOTE: - moved unit test file (test_report.py) of cim-compliance report generation test from test_tools folder to test_utilities
Added changes based on CIM 6.0.0 and CIM 5.3.2 changes Added Session ID in Authentication Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/545 Signature field description change in Intrusion Detection Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/542 Protocol Version description change in Network Traffic Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/544 Power field description change in Performance Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/543
chore: Downgrading Ubuntu version as python 3.7 is no longer supported on latest
dvarasani-crest
changed the title
- Update datamodel definition for CIM v5.3.2 according to the [sheet](https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit?gid=1873743384#gid=1873743384) - Add datamodel definition for CIM v6.0.0 - Update copyright year
This PR fixes the issue with the token replacement for the fields defined under `other_mappings` for the sample event. - Updated the e2e tests to cover the token replacement scenario for `other_mappings`
dvarasani-crest
requested review from
alexeisuv,
harshilgajera-crest,
justin-splunk and
siddharth-khatsuriya
| "dest_nt_domain", | ||
| "src_nt_domain", | ||
| "src_user", | ||
| "src_user_name", |
There was a problem hiding this comment.
why are we removing this? looks like it's still here https://docs.splunk.com/Documentation/CIM/6.0.2/User/Change
There was a problem hiding this comment.
It was decided that the CIM datamodel jsons should be considered as single source of truth (reference) and the fields user_name and src_user_name are optional and not marked as recommended.
There was a problem hiding this comment.
same as before, I'm not sure what to do here. this is the technically correct call, but the whole point of filing CIM tickets for changes is to actually change CIM and not just the docs. this seems like the worst possible outcome where we spend time fixing things, telling customers what to expect, then don't actually fix them and yet our tests say the docs are wrong.
| "type": "optional", | ||
| "expected_values": ["lockout"], | ||
| "condition": "status=failure", | ||
| "type": "conditional", |
There was a problem hiding this comment.
what is the meaning of type= conditional
There was a problem hiding this comment.
It means that the field is required under certain condition and the condition is also defined.
| "name": "parent_process", | ||
| "name": "original_file_name", | ||
| "type": "optional", | ||
| "comment": "Original name of the file, not including path." |
There was a problem hiding this comment.
Original name of the file, not including path. Sometimes this field is similar to process name but the two do not always match, such as process_name=pwsh and original_file_name=powershell.exe to detect renamed instances of any process executing. per https://docs.splunk.com/Documentation/CIM/6.0.0/User/Endpoint
There was a problem hiding this comment.
This align with the description here. Also, these comments are not being used anywhere in the PSA tests.
There was a problem hiding this comment.
well, the correct response seems to be to get the CIM app updated rather than reject the progress made on giving customers and ourselves clarity. I understand that the CIM app is the ultimate arbiter of what is "correct", but I don't understand where the disconnect is happening between us raising CIM tickets and them being implemented, but only in the docs and not in actual code.
| { | ||
| "name": "file_size", | ||
| "type": "optional", | ||
| "type": "required", |
There was a problem hiding this comment.
recommended not required per https://docs.splunk.com/Documentation/CIM/6.0.0/User/Endpoint
There was a problem hiding this comment.
It was decided here with alexei to keep this field for the "Filesystem" dataset as required
There was a problem hiding this comment.
@alexeisuv, what is the reasoning here, it doesn't align with our docs.
There was a problem hiding this comment.
@justin-splunk @dvarasani-crest The Endpoint.json says it is the recommended field, which means the PSA should fail if it is not extracted. The flag "recommended" is what historically was used in the CIM jsons for the required fields.
So we changed it from "optional" to "required" in the PSA json, because I thought the PSA terminology does not have the "recommended" but "required" instead, is it not so? If this is not correct, then can you clarify the difference between the recommended and required in the PSA specifically?
P.S. On another note, we may need to remove the "recommended" flag from this field in the CIM json. I do not see this field (file_size) is so critical to be recommended/required, but it is up to you, Justin, since you are dealing a lot with the Endpoint DM in your TAs.
This PR updates the condition for the object_category field of the Change DataModel. Added e2e tests to cover this check.
props.conf had invalid syntax using line breakers (issue reported here: https://splunk.atlassian.net/browse/ADDON-72549 ). The incorrect format is causing warnings in the splunkd log, which could be easily prevented by correcting the props conf file like in this [example](https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/pull/1196/files). Related Jira: https://splunk.atlassian.net/browse/ADDON-77954 Example local run: <img width="1707" alt="image" src="https://github.com/user-attachments/assets/33e5247b-0f93-494c-9685-a48ddfb43a67" />
Reverts #901 We decided to keep the check for conf files in app inspect (the check is already implemented, but requires a fix) : https://splunk.atlassian.net/browse/A3-1577 Also upgraded pip for test-splunk-external job: https://github.com/splunk/pytest-splunk-addon/actions/runs/13541590970/job/37843909257#step:3:19
|
🎉 This PR is included in version 5.5.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 6.0.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
7 participants
contains below PRs: