From 34b04e8641ac17c2861649490ff3993f0d113085 Mon Sep 17 00:00:00 2001 From: Marcin Kolasinski Date: Thu, 12 Feb 2026 12:54:25 +0100 Subject: [PATCH 01/16] chore: psa design proposal --- cim-separation-proposal.md | 85 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 cim-separation-proposal.md diff --git a/cim-separation-proposal.md b/cim-separation-proposal.md new file mode 100644 index 00000000..9cccd7ee --- /dev/null +++ b/cim-separation-proposal.md 
@@ -0,0 +1,85 @@ +# CIM Separation Proposal + +## Current State + +``` +┌─────────────────────────────────────────────────────┐ +│ pytest-splunk-addon (v6.4.0) │ +│ │ +│ ┌───────────────────────────────────────────────┐ │ +│ │ Core Test Framework │ │ +│ │ ┌──────────────┐ ┌──────────────────────┐ │ │ +│ │ │ fields_tests/│ │ index_tests/ │ │ │ +│ │ └──────────────┘ └──────────────────────┘ │ │ +│ │ ┌──────────────┐ ┌──────────────────────┐ │ │ +│ │ │ cim_tests/ │ │ sample_generation/ │ │ │ +│ │ └──────┬───────┘ └──────────────────────┘ │ │ +│ │ │ │ │ +│ │ ┌──────┴───────────────────────────────────┐ │ │ +│ │ │ addon_parser/ plugin.py splunk.py │ │ │ +│ │ └──────────────────────┬───────────────────┘ │ │ +│ └─────────────────────────┼─────────────────────┘ │ +│ │ │ +│ ┌─────────────────────────┼─────────────────────┐ │ +│ │ CIM Data (bundled) │ │ │ +│ │ ▼ │ │ +│ │ ┌──────────────────────────────────────────┐ │ │ +│ │ │ CIM_Models/datamodel_definition.py │ │ │ +│ │ │ 2,400 lines · 11 CIM versions │ │ │ +│ │ │ (4.18.1 → 6.2.0) recommended fields │ │ │ +│ │ └──────────────────────────────────────────┘ │ │ +│ │ ┌──────────────────────────────────────────┐ │ │ +│ │ │ data_models/ (23 JSON files) │ │ │ +│ │ │ 5,600 lines · tags, fields, schemas │ │ │ +│ │ └──────────────────────────────────────────┘ │ │ +│ └───────────────────────────────────────────────┘ │ +│ │ +│ ⚠ CIM update → must release entire package │ +│ ⚠ CIM 6.3.0 comes out → new PSA release needed │ +└─────────────────────────────────────────────────────┘ +``` + +--- + +## Proposed State (Option A) + +``` +┌─────────────────────────────────────┐ ┌──────────────────────────────┐ +│ pytest-splunk-addon (v7.x) │ │ splunk-cim-models (v1.x) │ +│ │ │ (separate package) │ +│ ┌───────────────────────────────┐ │ │ │ +│ │ Core Test Framework │ │ dep │ ┌────────────────────────┐ │ +│ │ ┌────────────┐ ┌──────────┐ │ │◄─────│ │ datamodel_definition │ │ +│ │ │fields_tests│ │index_test│ │ │ │ │ recommended fields │ │ +│ │ 
└────────────┘ └──────────┘ │ │ │ │ per CIM version │ │ +│ │ ┌────────────┐ ┌──────────┐ │ │ │ └────────────────────────┘ │ +│ │ │ cim_tests/ │ │sample_gen│ │ │ │ ┌────────────────────────┐ │ +│ │ └────────────┘ └──────────┘ │ │ │ │ data_models/ (JSON) │ │ +│ │ ┌────────────────────────┐ │ │ │ │ tags, fields, schemas │ │ +│ │ │ addon_parser splunk.py│ │ │ │ └────────────────────────┘ │ +│ │ └────────────────────────┘ │ │ │ │ +│ └───────────────────────────────┘ │ │ ✅ Independent releases │ +│ │ │ ✅ CIM 6.3.0 → new version │ +│ ✅ Releases only for framework │ │ without touching PSA │ +│ logic changes │ │ ✅ Pin or range version │ +│ ✅ --splunk-dm-path still works │ │ in PSA dependency │ +│ for custom overrides │ │ │ +└─────────────────────────────────────┘ └──────────────────────────────┘ + + Changes Required + ════════════════ + ┌─────────────────────────────┐ + │ 1. splunk.py (line 31) │ + │ - from .CIM_Models... │ + │ + from splunk_cim_models │ + │ │ + │ 2. app_test_generator.py │ + │ (lines 76-82) │ + │ default path → package │ + │ │ + │ 3. pyproject.toml │ + │ + splunk-cim-models dep │ + │ │ + │ Only 3 touch points! │ + └─────────────────────────────┘ +``` From 40e5118f39874470801d7a8c74ff359723cc392c Mon Sep 17 00:00:00 2001 
From: Marcin Kolasinski Date: Fri, 13 Feb 2026 08:08:46 +0100 Subject: [PATCH 02/16] feat: separate CIM data models into standalone splunk-cim-models package Extract CIM version definitions (datamodel_definition.py), data model JSON schemas (23 files), CommonFields.json, and DatamodelSchema.json into a new splunk-cim-models package. This enables independent CIM version releases without requiring a full PSA release. Changes: - Create splunk-cim-models/ package with setuptools build backend - Update splunk.py to import datamodels from splunk_cim_models - Update app_test_generator.py to use DATA_MODELS_PATH from splunk_cim_models - Update cim_tests/test_generator.py to use COMMON_FIELDS_PATH from splunk_cim_models - Update cim_tests/json_schema.py to use DATAMODEL_SCHEMA_PATH from splunk_cim_models - Add splunk-cim-models as path dependency in pyproject.toml - Keep backward-compat stub in CIM_Models/datamodel_definition.py with deprecation warning - Update unit tests to expect new package paths --- poetry.lock | 92 +- pyproject.toml | 1 + .../CIM_Models/datamodel_definition.py | 2403 +--------------- pytest_splunk_addon/app_test_generator.py | 6 +- pytest_splunk_addon/cim_tests/json_schema.py | 8 +- .../cim_tests/test_generator.py | 7 +- pytest_splunk_addon/splunk.py | 2 +- splunk-cim-models/pyproject.toml | 41 + .../splunk_cim_models/CommonFields.json | 85 + .../splunk_cim_models/DatamodelSchema.json | 123 + .../splunk_cim_models/__init__.py | 33 + .../splunk_cim_models/data_models/Alerts.json | 125 + .../data_models/Authentication.json | 212 ++ .../data_models/Certificates.json | 239 ++ .../splunk_cim_models/data_models/Change.json | 312 +++ .../data_models/Compute_Inventory.json | 405 +++ .../splunk_cim_models/data_models/DLP.json | 116 + .../data_models/Data_Access.json | 197 ++ .../data_models/Databases.json | 490 ++++ .../splunk_cim_models/data_models/Email.json | 251 ++ .../data_models/Endpoint.json | 639 +++++ .../data_models/Event_Signatures.json | 37 + 
.../data_models/Interprocess Messaging.json | 194 ++ .../data_models/Intrusion_Detection.json | 154 ++ .../splunk_cim_models/data_models/JVM.json | 332 +++ .../data_models/Malware.json | 177 ++ .../data_models/Network_Resolution.json | 282 ++ .../data_models/Network_Sessions.json | 158 ++ .../data_models/Network_Traffic.json | 348 +++ .../data_models/Performance.json | 314 +++ .../data_models/Ticket_Management.json | 129 + .../data_models/Updates.json | 114 + .../data_models/Vulnerabilities.json | 141 + .../splunk_cim_models/data_models/Web.json | 275 ++ .../splunk_cim_models/datamodel_definition.py | 2404 +++++++++++++++++ .../test_app_test_generator.py | 3 +- .../test_cim_tests/test_test_generator.py | 6 +- 37 files changed, 8433 insertions(+), 2422 deletions(-) create mode 100644 splunk-cim-models/pyproject.toml create mode 100644 splunk-cim-models/splunk_cim_models/CommonFields.json create mode 100644 splunk-cim-models/splunk_cim_models/DatamodelSchema.json create mode 100644 splunk-cim-models/splunk_cim_models/__init__.py create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Alerts.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Authentication.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Certificates.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Change.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/DLP.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Data_Access.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Databases.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Email.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Endpoint.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json create mode 100644 
splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/JVM.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Malware.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Performance.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Updates.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json create mode 100644 splunk-cim-models/splunk_cim_models/data_models/Web.json create mode 100644 splunk-cim-models/splunk_cim_models/datamodel_definition.py diff --git a/poetry.lock b/poetry.lock index f78dd9f1..4e462c4e 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 2.1.4 and should not be changed by hand. [[package]] name = "addonfactory-splunk-conf-parser-lib" @@ -6,6 +6,7 @@ version = "0.4.3" description = "Splunk .conf files parser" optional = false python-versions = "<4.0,>=3.7" +groups = ["main"] files = [ {file = "addonfactory_splunk_conf_parser_lib-0.4.3-py3-none-any.whl", hash = "sha256:16a66c1829eec876c21b2d2ee2b2ef305bc23516837fc0e63d5e7512c06d357d"}, {file = "addonfactory_splunk_conf_parser_lib-0.4.3.tar.gz", hash = "sha256:847e2eb34b3be35d1e5d3d5a2cdaec1ccd33cc687b7bbd1f3f746184f16b1479"}, 
@@ -17,6 +18,7 @@ version = "24.2.0" description = "Classes Without Boilerplate" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "attrs-24.2.0-py3-none-any.whl", hash = "sha256:81921eb96de3191c8258c199618104dd27ac608d9366f5e35d011eae1867ede2"}, {file = "attrs-24.2.0.tar.gz", hash = "sha256:5cfb1b9148b5b086569baec03f20d7b6bf3bcacc9a42bebf87ffaaca362f6346"}, 
@@ -26,12 +28,12 @@ files = [ importlib-metadata = {version = "*", markers = "python_version < \"3.8\""} [package.extras] -benchmark = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins", "pytest-xdist[psutil]"] -cov = ["cloudpickle", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] -dev = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] +benchmark = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\"", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\" and python_version < \"3.13\"", "pytest-xdist[psutil]"] +cov = ["cloudpickle ; platform_python_implementation == \"CPython\"", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\" and python_version < \"3.13\"", "pytest-xdist[psutil]"] +dev = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\"", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\" and python_version < \"3.13\"", "pytest-xdist[psutil]"] docs = ["cogapp", "furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier (<24.7)"] -tests = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", 
"pytest-xdist[psutil]"] -tests-mypy = ["mypy (>=1.11.1)", "pytest-mypy-plugins"] +tests = ["cloudpickle ; platform_python_implementation == \"CPython\"", "hypothesis", "mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\"", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\" and python_version < \"3.13\"", "pytest-xdist[psutil]"] +tests-mypy = ["mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\"", "pytest-mypy-plugins ; platform_python_implementation == \"CPython\" and python_version >= \"3.9\" and python_version < \"3.13\""] [[package]] name = "certifi" @@ -39,6 +41,7 @@ version = "2024.12.14" description = "Python package for providing Mozilla's CA Bundle." optional = false python-versions = ">=3.6" +groups = ["main", "dev"] files = [ {file = "certifi-2024.12.14-py3-none-any.whl", hash = "sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56"}, {file = "certifi-2024.12.14.tar.gz", hash = "sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db"}, @@ -50,6 +53,7 @@ version = "3.4.3" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "charset_normalizer-3.4.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:fb7f67a1bfa6e40b438170ebdc8158b78dc465a5a67b6dde178a46987b244a72"}, {file = "charset_normalizer-3.4.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:cc9370a2da1ac13f0153780040f465839e6cccb4a1e44810124b4e22483c93fe"}, 
@@ -138,6 +142,8 @@ version = "0.4.6" description = "Cross-platform colored terminal text." optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +groups = ["main", "dev"] +markers = "sys_platform == \"win32\"" files = [ {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, @@ -149,6 +155,7 @@ version = "7.2.7" description = "Code coverage measurement for Python" optional = false python-versions = ">=3.7" +groups = ["dev"] files = [ {file = "coverage-7.2.7-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d39b5b4f2a66ccae8b7263ac3c8170994b65266797fb96cbbfd3fb5b23921db8"}, {file = "coverage-7.2.7-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6d040ef7c9859bb11dfeb056ff5b3872436e3b5e401817d87a31e1750b9ae2fb"}, @@ -216,7 +223,7 @@ files = [ tomli = {version = "*", optional = true, markers = "python_full_version <= \"3.11.0a6\" and extra == \"toml\""} [package.extras] -toml = ["tomli"] +toml = ["tomli ; python_full_version <= \"3.11.0a6\""] [[package]] name = "defusedxml" @@ -224,6 +231,7 @@ version = "0.7.1" description = "XML bomb protection for Python stdlib modules" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +groups = ["main"] files = [ {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"}, {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"}, 
@@ -235,6 +243,7 @@ version = "2.1.0" description = "A library to handle automated deprecations" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "deprecation-2.1.0-py2.py3-none-any.whl", hash = "sha256:a10811591210e1fb0e768a8c25517cabeabcba6f0bf96564f8ff45189f90b14a"}, {file = "deprecation-2.1.0.tar.gz", hash = "sha256:72b3bde64e5d778694b0cf68178aed03d15e15477116add3fb773e581f9518ff"}, @@ -249,6 +258,7 @@ version = "4.1.5" description = "XPath 1.0/2.0/3.0/3.1 parsers and selectors for ElementTree and lxml" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "elementpath-4.1.5-py3-none-any.whl", hash = "sha256:2ac1a2fb31eb22bbbf817f8cf6752f844513216263f0e3892c8e79782fe4bb55"}, {file = "elementpath-4.1.5.tar.gz", hash = "sha256:c2d6dc524b29ef751ecfc416b0627668119d8812441c555d7471da41d4bacb8d"}, @@ -263,6 +273,8 @@ version = "1.3.0" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] +markers = "python_version < \"3.11\"" files = [ {file = "exceptiongroup-1.3.0-py3-none-any.whl", hash = "sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10"}, {file = "exceptiongroup-1.3.0.tar.gz", hash = "sha256:b241f5885f560bc56a59ee63ca4c6a8bfa46ae4ad651af316d4e81817bb9fd88"}, @@ -280,6 +292,7 @@ version = "2.0.2" description = "execnet: rapid multi-Python deployment" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "execnet-2.0.2-py3-none-any.whl", hash = "sha256:88256416ae766bc9e8895c76a87928c0012183da3cc4fc18016e6f050e025f41"}, {file = "execnet-2.0.2.tar.gz", hash = "sha256:cc59bc4423742fd71ad227122eb0dd44db51efb3dc4095b45ac9a08c770096af"}, 
@@ -294,6 +307,7 @@ version = "18.13.0" description = "Faker is a Python package that generates fake data for you." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "Faker-18.13.0-py3-none-any.whl", hash = "sha256:801d1a2d71f1fc54d332de2ab19de7452454309937233ea2f7485402882d67b3"}, {file = "Faker-18.13.0.tar.gz", hash = "sha256:84bcf92bb725dd7341336eea4685df9a364f16f2470c4d29c1d7e6c5fd5a457d"}, @@ -309,6 +323,7 @@ version = "3.12.2" description = "A platform independent file lock." optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "filelock-3.12.2-py3-none-any.whl", hash = "sha256:cbb791cdea2a72f23da6ac5b5269ab0a0d161e9ef0100e653b69049a7706d1ec"}, {file = "filelock-3.12.2.tar.gz", hash = "sha256:002740518d8aa59a26b0c76e10fb8c6e15eae825d34b6fdf670333fd7b938d81"}, @@ -324,6 +339,7 @@ version = "1.5.1" description = "Let your Python tests travel through time" optional = false python-versions = ">=3.7" +groups = ["dev"] files = [ {file = "freezegun-1.5.1-py3-none-any.whl", hash = "sha256:bf111d7138a8abe55ab48a71755673dbaa4ab87f4cff5634a4442dfec34c15f1"}, {file = "freezegun-1.5.1.tar.gz", hash = "sha256:b29dedfcda6d5e8e083ce71b2b542753ad48cfec44037b3fc79702e2980a89e9"}, @@ -338,6 +354,7 @@ version = "0.30.0" description = "A comprehensive HTTP client library." optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "httplib2-0.30.0-py3-none-any.whl", hash = "sha256:d10443a2bdfe0ea5dbb17e016726146d48b574208dafd41e854cf34e7d78842c"}, {file = "httplib2-0.30.0.tar.gz", hash = "sha256:d5b23c11fcf8e57e00ff91b7008656af0f6242c8886fd97065c97509e4e548c5"}, 
@@ -352,6 +369,7 @@ version = "3.10" description = "Internationalized Domain Names in Applications (IDNA)" optional = false python-versions = ">=3.6" +groups = ["main", "dev"] files = [ {file = "idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3"}, {file = "idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"}, @@ -366,6 +384,8 @@ version = "6.7.0" description = "Read metadata from Python packages" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] +markers = "python_version == \"3.7\"" files = [ {file = "importlib_metadata-6.7.0-py3-none-any.whl", hash = "sha256:cb52082e659e97afc5dac71e79de97d8681de3aa07ff18578330904a9d18e5b5"}, {file = "importlib_metadata-6.7.0.tar.gz", hash = "sha256:1aaf550d4f73e5d6783e7acb77aec43d49da8017410afae93822cc9cca98c4d4"}, @@ -378,7 +398,7 @@ zipp = ">=0.5" [package.extras] docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] perf = ["ipython"] -testing = ["flufl.flake8", "importlib-resources (>=1.3)", "packaging", "pyfakefs", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-mypy (>=0.9.1)", "pytest-perf (>=0.9.2)", "pytest-ruff"] +testing = ["flufl.flake8", "importlib-resources (>=1.3) ; python_version < \"3.9\"", "packaging", "pyfakefs", "pytest (>=6)", "pytest-black (>=0.3.7) ; platform_python_implementation != \"PyPy\"", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-mypy (>=0.9.1) ; platform_python_implementation != \"PyPy\"", "pytest-perf (>=0.9.2)", "pytest-ruff"] [[package]] name = "importlib-resources" 
@@ -386,6 +406,8 @@ version = "5.12.0" description = "Read resources from Python packages" optional = false python-versions = ">=3.7" +groups = ["main"] +markers = "python_version < \"3.9\"" files = [ {file = "importlib_resources-5.12.0-py3-none-any.whl", hash = "sha256:7b1deeebbf351c7578e09bf2f63fa2ce8b5ffec296e0d349139d43cca061a81a"}, {file = "importlib_resources-5.12.0.tar.gz", hash = "sha256:4be82589bf5c1d7999aedf2a45159d10cb3ca4f19b2271f8792bc8e6da7b22f6"}, @@ -396,7 +418,7 @@ zipp = {version = ">=3.1.0", markers = "python_version < \"3.10\""} [package.extras] docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["flake8 (<5)", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8", "pytest-mypy (>=0.9.1)"] +testing = ["flake8 (<5)", "pytest (>=6)", "pytest-black (>=0.3.7) ; platform_python_implementation != \"PyPy\"", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8 ; python_version < \"3.12\"", "pytest-mypy (>=0.9.1) ; platform_python_implementation != \"PyPy\""] [[package]] name = "iniconfig" @@ -404,6 +426,7 @@ version = "2.0.0" description = "brain-dead simple config-ini parsing" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, 
@@ -415,6 +438,7 @@ version = "4.17.3" description = "An implementation of JSON Schema validation for Python" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "jsonschema-4.17.3-py3-none-any.whl", hash = "sha256:a870ad254da1a8ca84b6a2905cac29d265f805acc57af304784962a2aa6508f6"}, {file = "jsonschema-4.17.3.tar.gz", hash = "sha256:0f864437ab8b6076ba6707453ef8f98a6a0d512a80e93f8abdb676f737ecb60d"}, @@ -438,6 +462,7 @@ version = "4.0.2" description = "Manipulates JUnit/xUnit Result XML files" optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "junitparser-4.0.2-py3-none-any.whl", hash = "sha256:94c3570e41fcaedc64cc3c634ca99457fe41a84dd1aa8ff74e9e12e66223a155"}, {file = "junitparser-4.0.2.tar.gz", hash = "sha256:d5d07cece6d4a600ff3b7b96c8db5ffa45a91eed695cb86c45c3db113c1ca0f8"}, @@ -449,6 +474,7 @@ version = "24.0" description = "Core utilities for Python packages" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "packaging-24.0-py3-none-any.whl", hash = "sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5"}, {file = "packaging-24.0.tar.gz", hash = "sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9"}, @@ -460,6 +486,8 @@ version = "1.3.10" description = "Resolve a name to an object." optional = false python-versions = ">=3.6" +groups = ["main"] +markers = "python_version < \"3.9\"" files = [ {file = "pkgutil_resolve_name-1.3.10-py3-none-any.whl", hash = "sha256:ca27cc078d25c5ad71a9de0a7a330146c4e014c2462d9af19c6b828280649c5e"}, {file = "pkgutil_resolve_name-1.3.10.tar.gz", hash = "sha256:357d6c9e6a755653cfd78893817c0853af365dd51ec97f3d358a819373bbd174"}, 
@@ -471,6 +499,7 @@ version = "1.2.0" description = "plugin and hook calling mechanisms for python" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "pluggy-1.2.0-py3-none-any.whl", hash = "sha256:c2fd55a7d7a3863cba1a013e4e2414658b1d07b6bc57b3919e0c63c9abb99849"}, {file = "pluggy-1.2.0.tar.gz", hash = "sha256:d12f0c4b579b15f5e054301bb226ee85eeeba08ffec228092f8defbaa3a4c4b3"}, @@ -489,6 +518,7 @@ version = "3.1.4" description = "pyparsing module - Classes and methods to define and execute parsing grammars" optional = false python-versions = ">=3.6.8" +groups = ["main"] files = [ {file = "pyparsing-3.1.4-py3-none-any.whl", hash = "sha256:a6a7ee4235a3f944aa1fa2249307708f893fe5717dc603503c6c7969c070fb7c"}, {file = "pyparsing-3.1.4.tar.gz", hash = "sha256:f86ec8d1a83f11977c9a6ea7598e8c27fc5cddfa5b07ea2241edbbde1d7bc032"}, @@ -503,6 +533,7 @@ version = "0.19.3" description = "Persistent/Functional/Immutable data structures" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "pyrsistent-0.19.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:20460ac0ea439a3e79caa1dbd560344b64ed75e85d8703943e0b66c2a6150e4a"}, {file = "pyrsistent-0.19.3-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4c18264cb84b5e68e7085a43723f9e4c1fd1d935ab240ce02c0324a8e01ccb64"}, @@ -539,6 +570,7 @@ version = "7.4.4" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "pytest-7.4.4-py3-none-any.whl", hash = "sha256:b090cdf5ed60bf4c45261be03239c2c1c22df034fbffe691abe93cd80cea01d8"}, {file = "pytest-7.4.4.tar.gz", hash = "sha256:2cf0005922c6ace4a3e2ec8b4080eb0d9753fdc93107415332f50ce9e7994280"}, 
@@ -562,6 +594,7 @@ version = "4.1.0" description = "Pytest plugin for measuring coverage." optional = false python-versions = ">=3.7" +groups = ["dev"] files = [ {file = "pytest-cov-4.1.0.tar.gz", hash = "sha256:3904b13dfbfec47f003b8e77fd5b589cd11904a21ddf1ab38a64f204d6a10ef6"}, {file = "pytest_cov-4.1.0-py3-none-any.whl", hash = "sha256:6ba70b9e97e69fcc3fb45bfeab2d0a138fb65c4d0d6a41ef33983ad114be8c3a"}, @@ -580,6 +613,7 @@ version = "0.6" description = "pytest plugin to run your tests in a specific order" optional = false python-versions = "*" +groups = ["main"] files = [ {file = "pytest-ordering-0.6.tar.gz", hash = "sha256:561ad653626bb171da78e682f6d39ac33bb13b3e272d406cd555adb6b006bda6"}, {file = "pytest_ordering-0.6-py2-none-any.whl", hash = "sha256:27fba3fc265f5d0f8597e7557885662c1bdc1969497cd58aff6ed21c3b617de2"}, @@ -595,6 +629,7 @@ version = "3.5.0" description = "pytest xdist plugin for distributed testing, most importantly across multiple CPUs" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "pytest-xdist-3.5.0.tar.gz", hash = "sha256:cbb36f3d67e0c478baa57fa4edc8843887e0f6cfc42d677530a36d7472b32d8a"}, {file = "pytest_xdist-3.5.0-py3-none-any.whl", hash = "sha256:d075629c7e00b611df89f490a5063944bee7a4362a5ff11c7cc7824a03dfce24"}, @@ -615,6 +650,7 @@ version = "2.9.0.post0" description = "Extensions to the standard Python datetime module" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +groups = ["main", "dev"] files = [ {file = "python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3"}, {file = "python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427"}, 
@@ -629,6 +665,7 @@ version = "2024.2" description = "World timezone definitions, modern and historical" optional = false python-versions = "*" +groups = ["dev"] files = [ {file = "pytz-2024.2-py2.py3-none-any.whl", hash = "sha256:31c7c1817eb7fae7ca4b8c7ee50c72f93aa2dd863de768e1ef4245d426aa0725"}, {file = "pytz-2024.2.tar.gz", hash = "sha256:2aa355083c50a0f93fa581709deac0c9ad65cca8a9e9beac660adcbd493c798a"}, @@ -640,6 +677,7 @@ version = "2.31.0" description = "Python HTTP for Humans." optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"}, {file = "requests-2.31.0.tar.gz", hash = "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"}, @@ -661,6 +699,7 @@ version = "1.12.1" description = "Mock out responses from the requests package" optional = false python-versions = ">=3.5" +groups = ["dev"] files = [ {file = "requests-mock-1.12.1.tar.gz", hash = "sha256:e9e12e333b525156e82a3c852f22016b9158220d2f47454de9cae8a77d371401"}, {file = "requests_mock-1.12.1-py2.py3-none-any.whl", hash = "sha256:b1e37054004cdd5e56c84454cc7df12b25f90f382159087f4b6915aaeef39563"}, 
@@ -678,17 +717,33 @@ version = "1.17.0" description = "Python 2 and 3 compatibility utilities" optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +groups = ["main", "dev"] files = [ {file = "six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274"}, {file = "six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81"}, ] +[[package]] +name = "splunk-cim-models" +version = "0.1.0" +description = "Splunk CIM (Common Information Model) data model definitions and schemas" +optional = false +python-versions = "^3.7" +groups = ["main"] +files = [] +develop = true + +[package.source] +type = "directory" +url = "splunk-cim-models" + [[package]] name = "splunk-sdk" version = "2.1.1" description = "The Splunk Software Development Kit for Python." optional = false python-versions = "*" +groups = ["main"] files = [ {file = "splunk-sdk-2.1.1.tar.gz", hash = "sha256:46300d52f09e0aed7e5962ce2ba08ef54421ffb3a538c6af6164dcbf9f075faa"}, ] @@ -702,6 +757,7 @@ version = "1.1.4" description = "Package to interact with Splunk" optional = false python-versions = ">=3.7,<4.0" +groups = ["main"] files = [ {file = "splunksplwrapper-1.1.4-py3-none-any.whl", hash = "sha256:65d62fe00a89b0f0ef849f37b15db068d293ed2fc430a1b74ca8c9bc34436f67"}, {file = "splunksplwrapper-1.1.4.tar.gz", hash = "sha256:d8b319080b0260cc47723fe95afeddbdda35f6cb43fdb6249bbcb3c20c03aa77"}, @@ -718,10 +774,12 @@ version = "2.0.1" description = "A lil' TOML parser" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, {file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, ] +markers = {main = "python_version < \"3.11\"", dev = "python_full_version <= \"3.11.0a6\""} [[package]] name = "typing-extensions" 
@@ -729,6 +787,8 @@ version = "4.7.1" description = "Backported and Experimental Type Hints for Python 3.7+" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] +markers = "python_version < \"3.11\"" files = [ {file = "typing_extensions-4.7.1-py3-none-any.whl", hash = "sha256:440d5dd3af93b060174bf433bccd69b0babc3b15b1a8dca43789fd7f61514b36"}, {file = "typing_extensions-4.7.1.tar.gz", hash = "sha256:b75ddc264f0ba5615db7ba217daeb99701ad295353c45f9e95963337ceeeffb2"}, @@ -740,14 +800,15 @@ version = "1.26.20" description = "HTTP library with thread-safe connection pooling, file post, and more." optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" +groups = ["main", "dev"] files = [ {file = "urllib3-1.26.20-py2.py3-none-any.whl", hash = "sha256:0ed14ccfbf1c30a9072c7ca157e4319b70d65f623e91e7b32fadb2853431016e"}, {file = "urllib3-1.26.20.tar.gz", hash = "sha256:40c2dc0c681e47eb8f90e7e27bf6ff7df2e677421fd46756da1161c39ca70d32"}, ] [package.extras] -brotli = ["brotli (==1.0.9)", "brotli (>=1.0.9)", "brotlicffi (>=0.8.0)", "brotlipy (>=0.6.0)"] -secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress", "pyOpenSSL (>=0.14)", "urllib3-secure-extra"] +brotli = ["brotli (==1.0.9) ; os_name != \"nt\" and python_version < \"3\" and platform_python_implementation == \"CPython\"", "brotli (>=1.0.9) ; python_version >= \"3\" and platform_python_implementation == \"CPython\"", "brotlicffi (>=0.8.0) ; (os_name != \"nt\" or python_version >= \"3\") and platform_python_implementation != \"CPython\"", "brotlipy (>=0.6.0) ; os_name == \"nt\" and python_version < \"3\""] +secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress ; python_version == \"2.7\"", "pyOpenSSL (>=0.14)", "urllib3-secure-extra"] socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"] [[package]] 
@@ -756,6 +817,7 @@ version = "2.5.1" description = "An XML Schema validator and decoder" optional = false python-versions = ">=3.7" +groups = ["main"] files = [ {file = "xmlschema-2.5.1-py3-none-any.whl", hash = "sha256:ec2b2a15c8896c1fcd14dcee34ca30032b99456c3c43ce793fdb9dca2fb4b869"}, {file = "xmlschema-2.5.1.tar.gz", hash = "sha256:4f7497de6c8b6dc2c28ad7b9ed6e21d186f4afe248a5bea4f54eedab4da44083"}, @@ -775,6 +837,7 @@ version = "0.14.2" description = "Makes working with XML feel like you are working with JSON" optional = false python-versions = ">=3.6" +groups = ["main"] files = [ {file = "xmltodict-0.14.2-py2.py3-none-any.whl", hash = "sha256:20cc7d723ed729276e808f26fb6b3599f786cbc37e06c65e192ba77c40f20aac"}, {file = "xmltodict-0.14.2.tar.gz", hash = "sha256:201e7c28bb210e374999d1dde6382923ab0ed1a8a5faeece48ab525b7810a553"}, @@ -786,6 +849,7 @@ version = "3.15.0" description = "Backport of pathlib-compatible object wrapper for zip files" optional = false python-versions = ">=3.7" +groups = ["main", "dev"] files = [ {file = "zipp-3.15.0-py3-none-any.whl", hash = "sha256:48904fc76a60e542af151aded95726c1a5c34ed43ab4134b597665c86d7ad556"}, {file = "zipp-3.15.0.tar.gz", hash = "sha256:112929ad649da941c23de50f356a2b5570c954b65150642bccdd66bf194d224b"}, 
@@ -793,9 +857,9 @@ files = [
 [package.extras]
 docs = ["furo", "jaraco.packaging (>=9)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"]
-testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8", "pytest-mypy (>=0.9.1)"]
+testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more-itertools", "pytest (>=6)", "pytest-black (>=0.3.7) ; platform_python_implementation != \"PyPy\"", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=1.3)", "pytest-flake8 ; python_version < \"3.12\"", "pytest-mypy (>=0.9.1) ; platform_python_implementation != \"PyPy\""]
 [metadata]
-lock-version = "2.0"
+lock-version = "2.1"
 python-versions = "^3.7"
-content-hash = "3b5dc6b305e520dc6251b8cb791f9ecbe27e5f9b1ba30f90c243e1cf8f9784e0"
+content-hash = "0a39d71a125f0f154f828338065c76098c3f46d5367e61cfe14d1d2e50ccde9a"
diff --git a/pyproject.toml b/pyproject.toml
index 6d68da59..23dc2806 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -50,6 +50,7 @@ splunksplwrapper = "^1.1.1"
 urllib3 = "<2"
 certifi = "^2024.7.4"
 zipp = "^3.6.0"
+splunk-cim-models = {path = "./splunk-cim-models", develop = true}
 [tool.poetry.group.dev.dependencies]
 pytest-cov = "^4"
diff --git a/pytest_splunk_addon/CIM_Models/datamodel_definition.py b/pytest_splunk_addon/CIM_Models/datamodel_definition.py
index a7758962..6186b8b0 100644
--- a/pytest_splunk_addon/CIM_Models/datamodel_definition.py
+++ b/pytest_splunk_addon/CIM_Models/datamodel_definition.py
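Review bot: The new main-group entry `splunk-cim-models = {path = "./splunk-cim-models", develop = true}` declares a runtime dependency as a local editable checkout, which nobody installing pytest-splunk-addon from an index can resolve, and the matching lock entry added in this commit records `files = []` with a `directory` source, so the lockfile pins no sha256 for the CIM model data the way it does for every neighbouring package here. If this is meant as a transitional state while the package is split out, say so in the commit or a comment next to the line; before any release it should become a version-constrained index dependency such as `splunk-cim-models = "^0.1.0"` so the lock carries hashes for it. The path form can be kept for local development through a Poetry source override or a dev-only group, but it should not be the constraint that ships in the published metadata.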
@@ -13,2392 +13,17 @@ # See the License for the specific language governing permissions and # limitations under the License. # -datamodels = { - "4.18.1": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature_id", - "src", - "type", - "user", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_issuer_email_domain", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_email_domain", - ] - }, - "Change": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": 
["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - "vendor_product", - ], - "Processes": [ - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - 
"Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "4.19": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature_id", - "src", - "type", - "user", - "user_name", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_issuer_email_domain", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_email_domain", - ] - }, - "Change": { - "Account_Management": [ - "dest_nt_domain", - 
"src_nt_domain", - "src_user", - "src_user_name", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "user_name", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - 
"vendor_product", - ], - "Processes": [ - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, 
- "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "4.20.2": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature_id", - "src", - "type", - "user", - "user_name", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_issuer_email_domain", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_email_domain", - ] - }, - "Change": { - "Account_Management": [ - "dest_nt_domain", - "src_nt_domain", - "src_user", - "src_user_name", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "user_name", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - 
"file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_category", - "object_id", - "object_size", - "src", - "tenant_id", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - "vendor_product", - ], - "Processes": [ - "dest", - "original_file_name", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - 
"category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "5.0.0": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature_id", - "src", - "type", - "user", - "user_name", - ] - }, - "Application_State": { - "BaseEvent": 
["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_issuer_email_domain", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_email_domain", - ] - }, - "Change": { - "Account_Management": [ - "dest_nt_domain", - "src_nt_domain", - "src_user", - "src_user_name", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "user_name", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - 
"vendor_product", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_category", - "object_id", - "object_size", - "src", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - "vendor_product", - ], - "Processes": [ - "dest", - "original_file_name", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - 
"dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "5.3.1": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature_id", - "src", - "type", - "user", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_issuer_email_domain", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_email_domain", - ] - }, - "Change": { - "Account_Management": [ - "dest_nt_domain", - "src_nt_domain", - "src_user", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", 
- "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_attrs", - "object_category", - "object_id", - "object_size", - "src", - "user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - 
"vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - "vendor_product", - ], - "Processes": [ - "dest", - "loaded_file", - "original_file_name", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": 
["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "5.3.2": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature", - "signature_id", - "src", - "type", - "user", - "description", - "id", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "dest", "user"], - "Privileged_Authentication": ["src_user"], - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_organization", - "ssl_validity_window", - ] - }, - "Change": { - "Account_Management": [ - "src_user", - "object_category", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_id", - "status", - "result", - "src", - "user", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - 
"Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - "app", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_attrs", - "object_category", - "object_id", - "object_size", - "src", - "user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - "internal_message_id", - "message_id", - "protocol", - "return_addr", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "transport_dest_port", - "dest", - "vendor_product", - "state", - ], - "Processes": [ - "action", - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "process_id", - "process_path", - "parent_process_id", - "parent_process_path", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - 
"registry_value_type", - "user", - "vendor_product", - "status", - "registry_hive", - "registry_value_text", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_path", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "vendor_product", - "action", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "dest", - "severity", - "signature", - "file_name", - "file_path", - "vendor_product", - ], - "Malware_Operations": [ - "signature_version", - "dest", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - "src", - "transport", - "answer_count", - "query_count", - "query_type", - "record_type", - "response_time", - "transaction_id", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "vendor_product", - "action", - "signature", - ], - "DHCP": ["lease_duration"], - "VPN": ["user"], - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "src", - "src_port", - "transport", - "vendor_product", - "app", - "packets", - "packets_in", - "packets_out", - "protocol", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Ticket_Management": { - "BaseEvent": [ - "priority", - "severity", - "severity_id", - "status", - "dest", - "ticket_id", - ] - }, - "Updates": { - 
"BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - "dvc", - "file_name", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - "cvss", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_method", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - "category", - "dest_port", - "http_user_agent_length", - ] - }, - }, - "6.0.0": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature", - "signature_id", - "src", - "type", - "user", - "description", - "id", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "dest", "user"], - "Privileged_Authentication": ["src_user"], - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_organization", - "ssl_validity_window", - ] - }, - "Change": { - "Account_Management": [ - "src_user", - "object_category", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_id", - "status", - "result", - "src", - "user", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - 
"file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - "app", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_attrs", - "object_category", - "object_id", - "object_size", - "src", - "user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - "internal_message_id", - "message_id", - "protocol", - "return_addr", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "transport_dest_port", - "dest", - "vendor_product", - "state", - ], - "Processes": [ - "action", - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "process_id", - "process_path", - "parent_process_id", - "parent_process_path", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - "status", 
- "registry_hive", - "registry_value_text", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_path", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "vendor_product", - "action", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "dest", - "severity", - "signature", - "file_name", - "file_path", - "vendor_product", - ], - "Malware_Operations": [ - "signature_version", - "dest", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - "src", - "transport", - "answer_count", - "query_count", - "query_type", - "record_type", - "response_time", - "transaction_id", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "vendor_product", - "action", - "signature", - ], - "DHCP": ["lease_duration"], - "VPN": ["user"], - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "src", - "src_port", - "transport", - "vendor_product", - "app", - "packets", - "packets_in", - "packets_out", - "protocol", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Ticket_Management": { - "BaseEvent": [ - "priority", - "severity", - "severity_id", - "status", - "dest", - "ticket_id", - ] - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - 
"status", - "vendor_product", - "dvc", - "file_name", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - "cvss", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_method", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - "category", - "dest_port", - "http_user_agent_length", - ] - }, - }, -} -# No recommended/required fields changes between v6.0.0 and v6.2.0 -datamodels["6.0.1"] = datamodels["6.0.0"] -datamodels["6.0.2"] = datamodels["6.0.0"] -datamodels["6.1.0"] = datamodels["6.0.2"] -datamodels["6.2.0"] = datamodels["6.1.0"] -datamodels["latest"] = datamodels["6.2.0"] +# DEPRECATED: This module is kept for backward compatibility. +# Use ``from splunk_cim_models import datamodels`` instead. +import warnings as _warnings + +_warnings.warn( + "Importing datamodels from pytest_splunk_addon.CIM_Models.datamodel_definition " + "is deprecated. Use 'from splunk_cim_models import datamodels' instead.", + DeprecationWarning, + stacklevel=2, +) + +from splunk_cim_models.datamodel_definition import datamodels # noqa: F401, E402 + +__all__ = ["datamodels"] diff --git a/pytest_splunk_addon/app_test_generator.py b/pytest_splunk_addon/app_test_generator.py index 880b27d9..68bc68cc 100644 --- a/pytest_splunk_addon/app_test_generator.py +++ b/pytest_splunk_addon/app_test_generator.py @@ -73,9 +73,9 @@ def __init__(self, pytest_config): splunk_ep=self.splunk_ep, ) - data_model_path = os.path.join( - os.path.dirname(os.path.abspath(__file__)), "data_models" - ) + from splunk_cim_models import DATA_MODELS_PATH + + data_model_path = DATA_MODELS_PATH LOGGER.debug("Initializing CIMTestGenerator to generate the test cases") self.cim_test_generator = CIMTestGenerator( self.pytest_config.getoption("splunk_app"), 
diff --git a/pytest_splunk_addon/cim_tests/json_schema.py b/pytest_splunk_addon/cim_tests/json_schema.py index 491ffae9..ba398fd9 100644 --- a/pytest_splunk_addon/cim_tests/json_schema.py +++ b/pytest_splunk_addon/cim_tests/json_schema.py @@ -34,15 +34,13 @@ class JSONSchema(BaseSchema): schema_path (str): Relative or absolute path of the schema file """ - SCHEMA_FILE = "DatamodelSchema.json" - def __init__( self, schema_path=None, ): - self.schema_path = schema_path or op.join( - op.dirname(op.abspath(__file__)), self.SCHEMA_FILE - ) + from splunk_cim_models import DATAMODEL_SCHEMA_PATH + + self.schema_path = schema_path or DATAMODEL_SCHEMA_PATH @classmethod def parse_data_model(cls, file_path): diff --git a/pytest_splunk_addon/cim_tests/test_generator.py b/pytest_splunk_addon/cim_tests/test_generator.py index 5e133cfd..5e21155b 100644 --- a/pytest_splunk_addon/cim_tests/test_generator.py +++ b/pytest_splunk_addon/cim_tests/test_generator.py @@ -44,8 +44,6 @@ class CIMTestGenerator(object): Relative or absolute path of the json file with common fields """ - COMMON_FIELDS_PATH = "CommonFields.json" - def __init__( self, addon_path, @@ -55,14 +53,13 @@ def __init__( common_fields_path=None, splunk_ep=False, ): + from splunk_cim_models import COMMON_FIELDS_PATH as DEFAULT_COMMON_FIELDS self.data_model_handler = DataModelHandler(data_model_path) self.addon_parser = AddonParser(addon_path) self.tokenized_events = tokenized_events self.test_field_type = test_field_type - self.common_fields_path = common_fields_path or op.join( - op.dirname(op.abspath(__file__)), self.COMMON_FIELDS_PATH - ) + self.common_fields_path = common_fields_path or DEFAULT_COMMON_FIELDS self.splunk_ep = splunk_ep def generate_tests(self, fixture): diff --git a/pytest_splunk_addon/splunk.py b/pytest_splunk_addon/splunk.py index bcff2cc3..a5c434f8 100644 --- a/pytest_splunk_addon/splunk.py +++ b/pytest_splunk_addon/splunk.py 
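Review bot: Deleting the class attribute `SCHEMA_FILE = "DatamodelSchema.json"` is a silent breaking change for any caller or subclass that referenced `JSONSchema.SCHEMA_FILE`, which sits oddly next to the deprecation shim this same commit adds for `datamodel_definition`. Keeping the constant (or re-deriving it as `SCHEMA_FILE = op.basename(DATAMODEL_SCHEMA_PATH)` with a deprecation comment) preserves the public surface at no cost. If `op` is no longer used anywhere else in the module after this hunk, the `import os.path as op` at the top should be removed as well; that import is outside the hunk so I cannot confirm.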
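Review bot: The second hunk drops `COMMON_FIELDS_PATH = "CommonFields.json"` from `CIMTestGenerator` while the constructor still accepts `common_fields_path`, so external code that relied on the class constant breaks although the parameter contract is otherwise unchanged; retaining it as a deprecated alias, e.g. `COMMON_FIELDS_PATH = "CommonFields.json"  # deprecated: see splunk_cim_models.COMMON_FIELDS_PATH`, keeps the interface backward-compatible as the rest of the commit tries to be. The `from splunk_cim_models import COMMON_FIELDS_PATH as DEFAULT_COMMON_FIELDS` line is glued to the first assignment in `__init__`; a blank line after it, or moving it to the module import block, would make it read as an import rather than part of the setup sequence. The class and its `__init__` continue outside the hunk.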
@@ -28,7 +28,7 @@ from splunksplwrapper.SearchUtil import SearchUtil from .event_ingestors import IngestorHelper from .docker_class import Services -from .CIM_Models.datamodel_definition import datamodels +from splunk_cim_models import datamodels import configparser from filelock import FileLock diff --git a/splunk-cim-models/pyproject.toml b/splunk-cim-models/pyproject.toml new file mode 100644 index 00000000..992d6a3f --- /dev/null +++ b/splunk-cim-models/pyproject.toml @@ -0,0 +1,41 @@ +# +# Copyright 2026 Splunk Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +[project] +name = "splunk-cim-models" +version = "0.1.0" +description = "Splunk CIM (Common Information Model) data model definitions and schemas" +authors = [{name = "Splunk", email = "addonfactory@splunk.com"}] +license = {text = "Apache-2.0"} +requires-python = ">=3.7" +classifiers = [ + "Intended Audience :: Developers", + "Topic :: Software Development :: Testing", + "Programming Language :: Python", + "Programming Language :: Python :: 3.7", + "Operating System :: OS Independent", + "License :: OSI Approved :: Apache Software License", +] + +[build-system] +requires = ["setuptools>=45"] +build-backend = "setuptools.build_meta" + +[tool.setuptools.packages.find] +include = ["splunk_cim_models*"] + +[tool.setuptools.package-data] +splunk_cim_models = ["**/*.json"] 
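Review bot: `requires = ["setuptools>=45"]` is too low for the metadata this file relies on: setuptools only honours the PEP 621 `[project]` table from 61.0 and only expands the recursive `**` glob in `[tool.setuptools.package-data]` from 62.3, so a build picking an older backend would drop the project metadata or ship a wheel without `data_models/*.json`, and `DATA_MODELS_PATH` would then point at an empty directory at runtime. Bumping to `requires = ["setuptools>=62.3"]` matches what the file actually uses. Since pytest-splunk-addon will now resolve `splunk-cim-models` by name from an index, the name should be registered/published by the project before the dependency is released, otherwise a squatted package of that name would be installed in its place; I cannot tell from the diff whether that has been done. The classifiers also list only Python 3.7 while `requires-python = ">=3.7"` admits every later version, which is worth reconciling before publishing.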
diff --git a/splunk-cim-models/splunk_cim_models/CommonFields.json b/splunk-cim-models/splunk_cim_models/CommonFields.json
new file mode 100644
index 00000000..e35355f3
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/CommonFields.json
@@ -0,0 +1,85 @@ +{ + "description": "This fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.", + "fields": [ + { + "name": "dest_bunit", + "type": "not_allowed_in_search_and_props", + "comment": "The business unit of the authentication target." + }, + { + "name": "dest_category", + "type": "not_allowed_in_search_and_props", + "comment": "The category of the authentication target, such as email_server or SOX-compliant." + }, + { + "name": "dest_priority", + "type": "not_allowed_in_search_and_props", + "comment": "The priority of the authentication target." + }, + { + "name": "dvc_bunit", + "type": "not_allowed_in_search_and_props", + "comment": "The business unit of the DLP target." + }, + { + "name": "dvc_category", + "type": "not_allowed_in_search_and_props", + "comment": "The category of the DLP device." + }, + { + "name": "dvc_priority", + "type": "not_allowed_in_search_and_props", + "comment": "The priority of the DLP device." + }, + { + "name": "src_bunit", + "type": "not_allowed_in_search_and_props", + "comment": "The business unit of the authentication source." + }, + { + "name": "src_category", + "type": "not_allowed_in_search_and_props", + "comment": "The category of the authentication source, such as email_server or SOX-compliant." + }, + { + "name": "src_priority", + "type": "not_allowed_in_search_and_props", + "comment": "The priority of the authentication source." + }, + { + "name": "src_user_bunit", + "type": "not_allowed_in_search_and_props", + "comment": "The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed." + }, + { + "name": "src_user_category", + "type": "not_allowed_in_search_and_props", + "comment": "The category of the user who initiated the privilege escalation. 
This field is unnecessary when an escalation has not been performed." + }, + { + "name": "src_user_priority", + "type": "not_allowed_in_search_and_props", + "comment": "The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed." + }, + { + "name": "user_bunit", + "type": "not_allowed_in_search_and_props", + "comment": "The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user_category", + "type": "not_allowed_in_search_and_props", + "comment": "The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user_priority", + "type": "not_allowed_in_search_and_props", + "comment": "The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "tag", + "type": "not_allowed_in_props", + "comment": "This automatically-generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons." + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/DatamodelSchema.json b/splunk-cim-models/splunk_cim_models/DatamodelSchema.json new file mode 100644 index 00000000..8659512b --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/DatamodelSchema.json 
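Review bot: The top-level description opens with a grammatical error, `"This fields are automatically provided ..."`, which should read `"These fields are automatically provided ..."`. The per-field comments were evidently lifted from individual model docs: `dest_bunit`/`dest_category`/`dest_priority` and `src_*` talk about the "authentication target/source" and `dvc_*` about the "DLP device", although this file applies to every model, so model-neutral wording such as `"The business unit of the destination asset."` would stop readers assuming the rule is Authentication-specific. Both are documentation-only changes to the JSON strings; no structural change is needed.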
@@ -0,0 +1,123 @@ +{ + "$schema": "http://json-schema.org/draft/2019-09/schema#", + "title": "Schema for DataModel json files used with pytest-splunk-addon.", + "type": "object", + "definitions": { + "dataset": { + "type": "object", + "description": "A dict object representing dataset properties.", + "properties": { + "name": { + "description": "Name of the Dataset.", + "type": "string" + }, + "tags": { + "type": "array", + "description": "A List of List.", + "items": { + "type": "array", + "description": "It contains the list of tags present in the dataset. i.e. 'tags':['endpoint', 'filesystem']", + "items": { "type": "string" } + } + }, + "fields_cluster": { + "type": "array", + "description": "List of clustered field list", + "items": { + "type": "array", + "description": "The fields which are expected to be together must be listed here i.e. ['bytes', 'bytes_in', 'bytes_out']", + "items": { "type": "string" } + } + }, + "fields": { + "type": "array", + "description": "List of field object.", + "items": { "$ref": "#/definitions/field" } + }, + "child_dataset": { + "type": "array", + "description": "List of dataset objects.", + "items": { "$ref": "#/definitions/dataset" } + }, + "search_constraints": { + "type": "string", + "description": "The constraints mentioned for the dataset in datamodel json are listed here." + } + }, + "required": [ + "name", + "tags", + "fields_cluster", + "fields", + "child_dataset", + "search_constraints" + ] + }, + "field": { + "type": "object", + "description": "A dict which describes certain properties of the field.", + "properties": { + "name": { + "type": "string", + "description": "Name of the field" + }, + "type": { + "type": "string", + "description": "Type of the field.", + "enum": [ + "required", + "conditional", + "not_allowed_in_search", + "not_allowed_in_props", + "not_allowed_in_search_and_props", + "optional" + ] + }, + "multi_value": { + "type": "boolean", + "description": "Whether the field is multi-value or not. 
If true, validity and expected_values is not supported." + }, + "condition": { + "type": "string", + "description": "It holds the condition for the conditional fields mentioned in the doc." + }, + "expected_values": { + "type": "array", + "description": "It is the list of accepted values of the field", + "items": { "type": "string" } + }, + "validity": { + "type": "string", + "description": "Validity of the field, if a numeric field is expected we write query criteria here." + }, + "comment": { + "type": "string", + "description": "Description of the field" + } + }, + "required": ["name", "type", "comment"] + } + }, + "properties": { + "model_name": { + "type": "string", + "description": "Name of the Datamodel" + }, + "version": { + "type": "string", + "description": "Schema Version." + }, + "objects": { + "type": "array", + "description": "List of the datasets defined in the datamodel.", + "items": { + "$ref": "#/definitions/dataset" + } + } + }, + "required": [ + "model_name", + "version", + "objects" + ] +} diff --git a/splunk-cim-models/splunk_cim_models/__init__.py b/splunk-cim-models/splunk_cim_models/__init__.py new file mode 100644 index 00000000..47bee0ad --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/__init__.py 
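Review bot: Neither the `dataset` nor the `field` definition sets `"additionalProperties": false`, so a misspelled key in a model file (`expected_value`, `validty`, `fields_clusters`) passes validation and silently disables the check it was meant to configure; as this schema is the only guard on the vendored model data, adding `"additionalProperties": false` to both definitions is the one change I would insist on. The `$schema` value `http://json-schema.org/draft/2019-09/schema#` is not the canonical 2019-09 meta-schema identifier (`https://json-schema.org/draft/2019-09/schema`), and 2019-09 renamed `definitions` to `$defs`; most validators tolerate both, but a strict one will fall back to a different draft or ignore the dialect. The `multi_value` description says `validity` and `expected_values` are unsupported when it is true, yet nothing in the schema enforces that, so a later reader may reasonably doubt which statement is authoritative.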
@@ -0,0 +1,33 @@ +# +# Copyright 2026 Splunk Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +""" +Splunk CIM (Common Information Model) data model definitions and schemas. + +This package provides: +- ``datamodels``: A dict mapping CIM versions to per-model recommended field lists. +- ``DATA_MODELS_PATH``: Filesystem path to the directory of data model JSON files. +- ``COMMON_FIELDS_PATH``: Filesystem path to CommonFields.json. +- ``DATAMODEL_SCHEMA_PATH``: Filesystem path to DatamodelSchema.json. +""" +import os + +from .datamodel_definition import datamodels # noqa: F401 + +_PKG_DIR = os.path.dirname(os.path.abspath(__file__)) + +DATA_MODELS_PATH = os.path.join(_PKG_DIR, "data_models") +COMMON_FIELDS_PATH = os.path.join(_PKG_DIR, "CommonFields.json") +DATAMODEL_SCHEMA_PATH = os.path.join(_PKG_DIR, "DatamodelSchema.json") diff --git a/splunk-cim-models/splunk_cim_models/data_models/Alerts.json b/splunk-cim-models/splunk_cim_models/data_models/Alerts.json new file mode 100644 index 00000000..2fbdb312 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Alerts.json 
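Review bot: The module docstring enumerates four public names but the package declares no `__all__`, so the public surface is implicit; add `__all__ = ["datamodels", "DATA_MODELS_PATH", "COMMON_FIELDS_PATH", "DATAMODEL_SCHEMA_PATH"]` next to the definitions. The three paths are derived from `__file__`, which presumes the package is installed unpacked on disk; that is the common case but breaks under zipimport or some bundlers, and `importlib.resources.files()` would be the robust alternative only from Python 3.9, above the declared `>=3.7` floor, so a comment such as `# NOTE: assumes a regular on-disk install; switch to importlib.resources.files() once 3.9 is the minimum` records the trade-off. The `.datamodel_definition` module imported here is not part of the visible hunks, so I assume it is added elsewhere in the series.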
@@ -0,0 +1,125 @@ +{ + "model_name": "Alerts", + "version": "1.0.0", + "objects":[ + { + "name": "Alerts", + "tags": [ + ["alert"] + ], + "fields_cluster": [], + "search_constraints": "tag=alert", + "fields": [ + { + "name": "app", + "type": "required", + "comment":"The application involved in the event, such as win:app:trendmicro, vmware, nagios." + }, + { + "name": "body", + "type": "optional", + "comment":"The body of a message." + }, + { + "name": "description", + "type": "required", + "comment": "The description of the alert event." + }, + { + "name": "dest", + "type": "required", + "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_type", + "type": "optional", + "comment": "The type of the destination object, such as instance, storage, firewall." + }, + { + "name": "id", + "type": "required", + "comment":"The unique identifier of a message." + }, + { + "name": "mitre_technique_id", + "type": "optional", + "comment": "The MITRE ATT&CK technique ID of the alert event." + }, + { + "name": "signature", + "type": "required", + "comment": "A human-readable signature name." + }, + { + "name": "signature_id", + "type": "required", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "severity", + "type": "required", + "expected_values": [ + "critical", + "high", + "medium", + "low", + "informational" + ], + "comment":"The severity of a message." + }, + { + "name": "severity_id", + "type": "optional", + "comment":"A numeric severity indicator for a message." + }, + { + "name": "src", + "type": "required", + "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + }, + { + "name": "src_type", + "type": "optional", + "comment": "The type of the source object, such as instance, storage, firewall." 
+ }, + { + "name": "subject", + "type": "optional", + "comment":"The message subject." + }, + { + "name": "type", + "type": "required", + "expected_values":[ + "alarm", + "alert", + "event", + "task", + "warning" + ], + "comment":"The message type." + }, + { + "name": "user", + "type": "required", + "comment": "The user involved in the alert event." + }, + { + "name": "user_name", + "type": "optional", + "comment": "The name of the user involved in the alert event." + }, + { + "name": "vendor_account", + "type": "optional", + "comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account." + }, + { + "name": "vendor_region", + "type": "optional", + "comment": "The data center region involved in the alert event, such as us-west-2." + } + ], + "child_dataset": [] + }] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Authentication.json b/splunk-cim-models/splunk_cim_models/data_models/Authentication.json new file mode 100644 index 00000000..35d298d4 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Authentication.json 
@@ -0,0 +1,212 @@ +{ + "model_name": "Authentication", + "version": "1.0.0", + "objects": [ + { + "name": "Authentication", + "tags": [["authentication"]], + "fields_cluster": [], + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": ["success", "failure", "pending", "error"], + "comment": "The action performed on the resource." + }, + { + "name": "app", + "type": "required", + "comment": "The application involved in the event (such as ssh, splunk, win:local)." + }, + { + "name": "authentication_method", + "type": "optional", + "comment": "The method used to authenticate the request" + }, + { + "name": "authentication_service", + "type": "optional", + "comment": "The service used to authenticate the request" + }, + { + "name": "dest", + "type": "required", + "comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host." + }, + { + "name": "src_user_type", + "type": "optional", + "comment": "The type of the user who initiated the privilege escalation." + }, + { + "name": "user_type", + "type": "optional", + "comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System." + }, + { + "name": "src_user_role", + "type": "optional", + "comment": "The role of the user who initiated the privilege escalation." + }, + { + "name": "user_role", + "type": "optional", + "comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation." + }, + { + "name": "user_agent", + "type": "optional", + "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4." 
+ }, + { + "name": "duration", + "type": "optional", + "validity": "if(isnum(duration) and duration>0 and duration<3600, duration, null())", + "comment": "The amount of time for the completion of the authentication event, in seconds." + }, + { + "name": "response_time", + "type": "optional", + "validity": "if(isnum(response_time) and response_time>0 AND response_time<3600,response_time,null())", + "comment": "The amount of time it took to receive a response in the authentication event, in seconds." + }, + { + "name": "session_id", + "type": "optional", + "comment": "The unique identifier assigned to the login session." + }, + { + "name": "signature", + "type": "optional", + "condition": "signature_id=*", + "comment": "A human-readable signature name." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "src", + "type": "required", + "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user", + "type": "required", + "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user_id", + "type": "optional", + "comment": "The unique id of the user involved in the event." + }, + { + "name": "reason", + "type": "optional", + "validity": "if(action in ['success', 'failure'], action, null())", + "comment": "The human-readable message associated with the authentication action (success or failure)." + }, + { + "name": "reason_id", + "type": "optional", + "comment": "The reason why logon failed. For example \\'0xC0000234\\'." + }, + { + "name": "process", + "type": "optional", + "comment": "Full path and the name of the executable for the process that attempted the logon. 
For example, it is a \\\"Process Name\\\" in Windows such as `C:\\\\Windows\\\\System32\\\\svchost.exe`." + }, + { + "name": "src_user", + "condition": "src_user=* tag=privileged", + "type": "conditional", + "comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user." + }, + { + "name": "vendor_account", + "type": "optional", + "comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account." + } + + ], + "child_dataset": [ + { + "name": "Failed_Authentication", + "tags": [["authentication"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"failure\"" + }, + { + "name": "Successful_Authentication", + "tags": [["authentication"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"success\"" + }, + { + "name": "Default_Authentication", + "tags": [["authentication", "default"]], + "fields_cluster": [], + "fields": [], + "search_constraints": "tag=\"default\"", + "child_dataset": [ + { + "name": "Failed_Default_Authentication", + "tags": [["authentication", "default"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"failure\"" + }, + { + "name": "Successful_Default_Authentication", + "tags": [["authentication", "default"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"success\"" + } + ] + }, + { + "name": "Insecure_Authentication", + "tags": [["authentication", "insecure"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "tag=\"insecure\" OR tag=\"cleartext\"" + }, + { + "name": "Privileged_Authentication", + "tags": [["authentication", "privileged"]], + "fields_cluster": [], + "fields": [], + 
"search_constraints": "tag=\"privileged\"", + "child_dataset": [ + { + "name": "Failed_Privileged_Authentication", + "tags": [["authentication", "privileged"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"failure\"" + }, + { + "name": "Successful_Privileged_Authentication", + "tags": [["authentication", "privileged"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=\"success\"" + } + ] + } + ], + "search_constraints": "tag=authentication NOT (action=success user=*$)" + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/Certificates.json b/splunk-cim-models/splunk_cim_models/data_models/Certificates.json new file mode 100644 index 00000000..4fd87347 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Certificates.json 
@@ -0,0 +1,239 @@
+{
+ "model_name": "Certificates",
+ "version": "1.0.0",
+ "objects":[
+ {
+ "name": "All_Certificates",
+ "tags": [
+ ["certificate"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=certificate",
+ "fields": [
+ {
+ "name": "dest",
+ "type": "optional",
+ "comment":"The target in the certificate management event."
+ },
+ {
+ "name": "dest_port",
+ "type": "optional",
+ "validity": "if(isnum(dest_port),dest_port,null())",
+ "comment":"The port number of the target."
+ },
+ {
+ "name": "dest_priority",
+ "type": "optional",
+ "comment":"The priority of the target."
+ },
+ {
+ "name": "duration",
+ "type": "optional",
+ "validity": "if(isnum(duration),duration,null())",
+ "comment":"The amount of time for the completion of the certificate management event, in seconds."
+ },
+ {
+ "name": "response_time",
+ "type": "optional",
+ "validity": "if(isnum(response_time),response_time,null())",
+ "comment":"The amount of time it took to receive a response in the certificate management event, if applicable."
+ },
+ {
+ "name": "src",
+ "type": "optional",
+ "comment":"The source involved in the certificate management event. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host."
+ },
+ {
+ "name": "src_port",
+ "type": "optional",
+ "validity": "if(isnum(src_port),src_port,null())",
+ "comment":"The port number of the source."
+ },
+ {
+ "name": "src_priority",
+ "type": "optional",
+ "comment":"The priority of the certificate management source."
+ },
+ {
+ "name": "transport",
+ "type": "optional",
+ "comment":"The transport protocol of the Network Traffic involved with this certificate."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name":"SSL",
+ "tags": [
+ ["certificate","ssl"]
+ ],
+ "search_constraints":"(tag=ssl OR tag=tls)",
+ "fields_cluster":[],
+ "fields":[
+ {
+ "name": "ssl_end_time",
+ "type": "required",
+ "comment":"The expiry time of the certificate. 
Needs to be converted to UNIX time for calculations in dashboards."
+ },
+ {
+ "name": "ssl_engine",
+ "type": "optional",
+ "comment":"The name of the signature engine that created the certificate."
+ },
+ {
+ "name": "ssl_hash",
+ "type": "required",
+ "comment":"The hash of the certificate."
+ },
+ {
+ "name": "ssl_is_valid",
+ "type": "optional",
+ "expected_values":[
+ "true",
+ "false",
+ "1",
+ "0"
+ ],
+ "comment":"Indicator of whether the ssl certificate is valid or not."
+ },
+ {
+ "name": "ssl_issuer",
+ "type": "required",
+ "comment":"The certificate issuer's RFC2253 Distinguished Name."
+ },
+ {
+ "name": "ssl_issuer_common_name",
+ "type": "required",
+ "comment":"The certificate issuer's common name."
+ },
+ {
+ "name": "ssl_issuer_email",
+ "type": "optional",
+ "comment":"The certificate issuer's email address."
+ },
+ {
+ "name": "ssl_issuer_email_domain",
+ "type": "optional",
+ "comment":"The domain name contained within the certificate issuer's email address."
+ },
+ {
+ "name": "ssl_issuer_locality",
+ "type": "optional",
+ "comment":"The certificate issuer's locality."
+ },
+ {
+ "name": "ssl_issuer_organization",
+ "type": "optional",
+ "comment":"The certificate issuer's organization."
+ },
+ {
+ "name": "ssl_issuer_street",
+ "type": "optional",
+ "comment":"The certificate issuer's street address."
+ },
+ {
+ "name": "ssl_issuer_unit",
+ "type": "optional",
+ "comment":"The certificate issuer's organizational unit."
+ },
+ {
+ "name": "ssl_name",
+ "type": "optional",
+ "comment":"The name of the ssl certificate."
+ },
+ {
+ "name": "ssl_policies",
+ "type": "optional",
+ "comment":"The Object Identification Numbers's of the certificate's policies in a comma separated string."
+ },
+ {
+ "name": "ssl_publickey",
+ "type": "optional",
+ "comment":"The certificate's public key."
+ },
+ {
+ "name": "ssl_publickey_algorithm",
+ "type": "optional",
+ "comment":"The algorithm used to create the public key."
+ },
+ {
+ "name": "ssl_serial",
+ "type": "required",
+ "comment":"The certificate's serial number."
+ },
+ {
+ "name": "ssl_session_id",
+ "type": "optional",
+ "comment":"The session identifier for this certificate."
+ },
+ {
+ "name": "ssl_signature_algorithm",
+ "type": "optional",
+ "comment":"The algorithm used by the Certificate Authority to sign the certificate."
+ },
+ {
+ "name": "ssl_start_time",
+ "type": "required",
+ "comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
+ },
+ {
+ "name": "ssl_subject",
+ "type": "required",
+ "comment":"The certificate owner's RFC2253 Distinguished Name."
+ },
+ {
+ "name": "ssl_subject_common_name",
+ "type": "required",
+ "comment":"This certificate owner's common name."
+ },
+ {
+ "name": "ssl_subject_email",
+ "type": "optional",
+ "comment":"The certificate owner's e-mail address."
+ },
+ {
+ "name": "ssl_subject_email_domain",
+ "type": "optional",
+ "comment":"The domain name contained within the certificate subject's email address."
+ },
+ {
+ "name": "ssl_subject_locality",
+ "type": "optional",
+ "comment":"The certificate owner's locality."
+ },
+ {
+ "name": "ssl_subject_organization",
+ "type": "required",
+ "comment":"The certificate owner's organization."
+ },
+ {
+ "name": "ssl_subject_state",
+ "type": "optional",
+ "comment":"The certificate owner's state of residence."
+ },
+ {
+ "name": "ssl_subject_street",
+ "type": "optional",
+ "comment":"The certificate owner's street address."
+ },
+ {
+ "name": "ssl_subject_unit",
+ "type": "optional",
+ "comment":"The certificate owner's organizational unit."
+ },
+ {
+ "name": "ssl_validity_window",
+ "type": "required",
+ "validity": "if(isnum(ssl_validity_window),ssl_validity_window,null())",
+ "comment":"The length of time (in seconds) for which this certificate is valid."
+ },
+ {
+ "name": "ssl_version",
+ "type": "optional",
+ "comment":"The ssl version of this certificate."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }]
+}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Change.json b/splunk-cim-models/splunk_cim_models/data_models/Change.json
new file mode 100644
index 00000000..fd87dc57
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Change.json
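Review bot: Certificates.json is formatted differently from the other data model files added in this commit — keys like `"comment":"…"`, `"objects":[` and `"name":"SSL"` have no space after the colon where Change.json and DLP.json use `"comment": "…"`, and the file ends without a trailing newline (`\ No newline at end of file`) while those files end with one. Since this commit is the first version of these files in the new package, it is the cheapest moment to run them all through one JSON formatter so later CIM-version diffs stay minimal. One documentation point: `ssl_end_time` and `ssl_start_time` are `required` and their comments say the value "needs to be converted to UNIX time", yet unlike `duration` and `ssl_validity_window` they carry no `validity` expression; if that is deliberate because the raw value is a date string, a short note in the comment such as `Stored as the vendor's date string; no numeric validity check is applied.` would stop the next maintainer from adding one.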
@@ -0,0 +1,312 @@
+{
+ "model_name": "Change",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Changes",
+ "tags": [["change"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)",
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "validity": "if(like(action,'%\\\"%'),null(),action)",
+ "comment": "The action performed on the resource."
+ },
+ {
+ "name": "change_type",
+ "type": "required",
+ "comment": "The type of change, such as filesystem or AAA (authentication, authorization, and accounting)."
+ },
+ {
+ "name": "command",
+ "type": "required",
+ "comment": "The command that initiated the change."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The resource where change occurred. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "dvc",
+ "type": "required",
+ "comment": "The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name."
+ },
+ {
+ "name": "object",
+ "type": "required",
+ "comment": "Name of the affected object on the resource (such as a router interface, user account, or server volume)."
+ },
+ {
+ "name": "object_attrs",
+ "multi_value": true,
+ "validity": "if(like(object_attrs,'%\\\"%'),null(),object_attrs)",
+ "type": "required",
+ "comment": "The attributes that were updated on the updated resource object, if applicable."
+ },
+ {
+ "name": "object_category",
+ "validity": "if((tag==\"account\" AND object_category==\"user\") OR (tag!=\"account\" AND object_category!=\"user\"),object_category, null())",
+ "type": "required",
+ "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
+ },
+ {
+ "name": "object_id",
+ "validity": "if(like(object_id,'%\\\"%'),null(),object_id)",
+ "type": "required",
+ "comment": "The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value)."
+ },
+ {
+ "name": "object_path",
+ "validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
+ "type": "optional",
+ "comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
+ },
+ {
+ "name": "result",
+ "condition": "status=failure",
+ "type": "conditional",
+ "comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
+ },
+ {
+ "name": "result_id",
+ "type": "optional",
+ "comment": "A result indicator for an action status."
+ },
+ {
+ "name": "src",
+ "type": "required",
+ "comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
+ },
+ {
+ "name": "status",
+ "type": "required",
+ "expected_values": ["success", "failure"],
+ "comment": "Status of the update."
+ },
+ {
+ "name": "tag",
+ "type": "optional",
+ "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
+ },
+ {
+ "name": "user",
+ "type": "required",
+ "comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
+ },
+ {
+ "name": "user_agent",
+ "type": "optional",
+ "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
+ },
+ {
+ "name": "user_name",
+ "type": "optional",
+ "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
+ },
+ {
+ "name": "user_type",
+ "type": "optional",
+ "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
+ },
+ {
+ "name": "vendor_account",
+ "type": "optional",
+ "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_region",
+ "type": "optional",
+ "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product or service that detected the change. This field can be automatically populated by vendor and product fields in your data."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Account_Management",
+ "tags": [["change", "account"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=account",
+ "fields": [
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the destination, if applicable."
+ },
+ {
+ "name": "src_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the source, if applicable."
+ },
+ {
+ "name": "src_user",
+ "type": "conditional",
+ "condition": "object_category=user",
+ "comment": "For account changes, the user or entity performing the change."
+ },
+ {
+ "name": "src_user_type",
+ "type": "optional",
+ "comment": "For account management events, this should represent the type of the user changed by the request."
+ },
+ {
+ "name": "src_user_name",
+ "type": "optional",
+ "comment": "For account changes, the user name of the user or entity performing the change."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Accounts_Created",
+ "tags": [["change", "account"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "action=\"created\""
+ },
+ {
+ "name": "Accounts_Deleted",
+ "tags": [["change", "account"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "action=\"deleted\""
+ },
+ {
+ "name": "Account_Lockouts",
+ "tags": [["change", "account"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "result=\"lockout\""
+ },
+ {
+ "name": "Accounts_Updated",
+ "tags": [["change", "account"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "action=\"updated\" OR action=\"modified\""
+ }
+ ]
+ },
+ {
+ "name": "Auditing_Changes",
+ "tags": [["change", "audit"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "tag=audit"
+ },
+ {
+ "name": "Endpoint_Changes",
+ "tags": [["change", "endpoint"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [
+ {
+ "name": "Endpoint_Restarts",
+ "tags": [["change", "endpoint"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "action=modified change_type=restart"
+ },
+ {
+ "name": "Other_Endpoint_Changes",
+ "tags": [["change", "endpoint"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "NOT change_type=restart"
+ }
+ ],
+ "search_constraints": "tag=endpoint"
+ },
+ {
+ "name": "Instance_Changes",
+ "tags": [["change", "instance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=instance",
+ 
"fields": [
+ {
+ "name": "image_id",
+ "type": "required",
+ "comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
+ },
+ {
+ "name": "instance_type",
+ "type": "required",
+ "comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Network_Changes",
+ "tags": [["change", "network"]],
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "dest_ip_range",
+ "type": "optional",
+ "comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
+ },
+ {
+ "name": "dest_port_range",
+ "type": "optional",
+ "comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
+ },
+ {
+ "name": "direction",
+ "type": "optional",
+ "comment": "For network events, this field represents whether the traffic is inbound or outbound."
+ },
+ {
+ "name": "protocol",
+ "type": "optional",
+ "comment": "This field represents the protocol for the network event rule."
+ },
+ {
+ "name": "rule_action",
+ "type": "optional",
+ "comment": "For network events, this field represents whether to allow or deny traffic."
+ },
+ {
+ "name": "src_ip_range",
+ "type": "optional",
+ "comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
+ },
+ {
+ "name": "src_port_range",
+ "type": "optional",
+ "comment": "For network events, this field represents source port or range. 
For example, 80 or 8000 - 8080 or 80,443"
+ },
+ {
+ "name": "device_restarts",
+ "type": "optional",
+ "comment": "Monitor all infrastructure device restarts."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Device_Restarts",
+ "tags": [["change", "network"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "action=modified change_type=restart"
+ }
+ ],
+ "search_constraints": "tag=network"
+ }
+ ]
+ }
+ ]
+}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json b/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json
new file mode 100644
index 00000000..a08e5606
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json
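Review bot: The `vendor_region` field in All_Changes is documented with a byte-for-byte copy of the `vendor_account` comment ("The account that manages the user that initiated the request…"), so the only description an add-on author gets for the region field describes an account. Since these comments are the field documentation this package now ships, replace it with a description of the region itself — `"comment": "<region description, taken from the CIM Change model docs>"` (placeholder; I cannot derive the exact wording from this diff). In the same field list, `user_name`'s comment repeats a clause: "this is the account that was changed this is the account that was changed" — the second copy should go, giving `"comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name)."`. Both defects are presumably inherited from the copied source file, but this commit is what publishes them under the new package.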
@@ -0,0 +1,405 @@
+{
+ "model_name": "Compute_Inventory",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Inventory",
+ "tags": [["inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=inventory (tag=cpu OR tag=memory OR tag=network OR tag=storage OR (tag=system tag=version) OR tag=user OR tag=virtual)",
+ "fields": [
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "description",
+ "type": "optional",
+ "comment": "The description of the inventory system."
+ },
+ {
+ "name": "dest_bunit",
+ "type": "optional",
+ "comment": "The business unit of the system where the data originated. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_category",
+ "type": "optional",
+ "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_priority",
+ "type": "optional",
+ "comment": "The priority of the system where the data originated."
+ },
+ {
+ "name": "enabled",
+ "type": "optional",
+ "comment": "Indicates whether the resource is enabled or disabled."
+ },
+ {
+ "name": "family",
+ "type": "optional",
+ "comment": "The product family of the resource, such as 686_64 or RISC."
+ },
+ {
+ "name": "hypervisor_id",
+ "type": "optional",
+ "comment": "The hypervisor identifier, if applicable."
+ },
+ {
+ "name": "serial",
+ "type": "optional",
+ "comment": "The serial number of the resource."
+ },
+ {
+ "name": "status",
+ "type": "optional",
+ "comment": "The current reported state of the resource."
+ },
+ {
+ "name": "version",
+ "type": "optional",
+ "comment": "The version of a computer resource, such as 2008r2 or 3.0.0."
+ },
+ {
+ "name": "tag",
+ "type": "optional",
+ "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product name of the resource, such as Cisco Catalyst 3850. This field can be automatically populated by vendor and product fields in your data."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "CPU",
+ "tags": [
+ ["cpu","inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=cpu",
+ "fields": [
+ {
+ "name": "cpu_cores",
+ "type": "required",
+ "comment": "The number of CPU cores reported by the resource (total, not per CPU)."
+ },
+ {
+ "name": "cpu_count",
+ "type": "required",
+ "comment": "The number of CPUs reported by the resource."
+ },
+ {
+ "name": "cpu_mhz",
+ "type": "required",
+ "comment": "The maximum speed of the CPU reported by the resource (in megahertz)."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Memory",
+ "tags": [["memory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=memory",
+ "fields": [
+ {
+ "name": "mem",
+ "type": "required",
+ "comment": "The total amount of memory installed in or allocated to the resource, in megabytes."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Network",
+ "tags": [
+ ["network", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=network",
+ "fields": [
+ {
+ "name": "dns",
+ "type": "required",
+ "comment": "The domain name server for the resource."
+ },
+ {
+ "name": "interface",
+ "type": "required",
+ "comment": "The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface."
+ },
+ {
+ "name": "ip",
+ "type": "required",
+ "comment": "The network addresses of the computing resource, such as 192.168.1.1 or E80:0000:0000:0000:0202:B3FF:FE1E:8329."
+ },
+ {
+ "name": "dest_ip",
+ "type": "optional",
+ "comment": "The IP address for the system that the data is going to."
+ },
+ {
+ "name": "src_ip",
+ "type": "optional",
+ "comment": "The IP address for the system from which the data originates."
+ },
+ {
+ "name": "mac",
+ "type": "required",
+ "comment": "A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "lb_method",
+ "type": "optional",
+ "comment": "The load balancing method used by the computing resource such as method, round robin, or least weight."
+ },
+ {
+ "name": "node",
+ "type": "optional",
+ "comment": "Represents a node hit."
+ },
+ {
+ "name": "inline_nat",
+ "type": "optional",
+ "comment": "Identifies whether the resource is a network address translation pool."
+ },
+ {
+ "name": "vip_port",
+ "type": "optional",
+ "comment": "The port number for the virtual IP address (VIP). A VIP allows multiple MACs to use one IP address. VIPs are often used by load balancers."
+ },
+ {
+ "name": "node_port",
+ "type": "optional",
+ "comment": "The number of the destination port on the server that you requested from."
+ },
+ {
+ "name": "name",
+ "type": "required",
+ "comment": "A name field provided in some data sources."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Storage",
+ "tags": [["storage", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=storage",
+ "fields": [
+ {
+ "name": "array",
+ "type": "optional",
+ "comment": "The array that the storage resource is a member of, if applicable."
+ },
+ {
+ "name": "blocksize",
+ "type": "optional",
+ "comment": "The block size used by the storage resource, in kilobytes."
+ },
+ {
+ "name": "cluster",
+ "type": "optional",
+ "comment": "The index cluster that the resource is a member of, if applicable."
+ },
+ {
+ "name": "fd_max",
+ "type": "optional",
+ "comment": "The maximum number of file descriptors available."
+ },
+ {
+ "name": "latency",
+ "type": "optional",
+ "comment": "The latency reported by the resource, in milliseconds."
+ },
+ {
+ "name": "mount",
+ "type": "required",
+ "comment": "The path at which a storage resource is mounted."
+ },
+ {
+ "name": "parent",
+ "type": "optional",
+ "comment": "A higher level object that this resource is owned by, if applicable."
+ },
+ {
+ "name": "read_blocks",
+ "type": "optional",
+ "comment": "The maximum possible number of blocks read per second during a polling period."
+ },
+ {
+ "name": "read_latency",
+ "type": "optional",
+ "comment": "For a polling period, the average amount of time elapsed until a read request is filled by the host disks (in ms)."
+ },
+ {
+ "name": "read_ops",
+ "type": "optional",
+ "comment": "The total number of read operations in the polling period."
+ },
+ {
+ "name": "storage",
+ "type": "required",
+ "comment": "The amount of storage capacity allocated to the resource, in megabytes."
+ },
+ {
+ "name": "write_blocks",
+ "type": "optional",
+ "comment": "The maximum possible number of blocks written per second during a polling period."
+ },
+ {
+ "name": "write_latency",
+ "type": "optional",
+ "comment": "For a polling period, the average amount of time elapsed until a write request is filled by the host disks (in ms)."
+ },
+ {
+ "name": "write_ops",
+ "type": "optional",
+ "comment": "The total number of write operations in the polling period."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "OS",
+ "tags": [
+ ["system", "version", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=system OR tag=version",
+ "fields": [
+ {
+ "name": "os",
+ "type": "required",
+ "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2. This field is constructed from vendor_product and version fields."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "User",
+ "tags": [
+ ["user", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=user",
+ "fields": [
+ {
+ "name": "shell",
+ "type": "optional",
+ "comment": "Indicates the shell program used by a locally defined account."
+ },
+ {
+ "name": "user_bunit",
+ "type": "optional",
+ "comment": "The business unit of the locally-defined user account. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "user_category",
+ "type": "optional",
+ "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "user_id",
+ "type": "optional",
+ "comment": "The user identification for a locally defined account."
+ },
+ {
+ "name": "user_priority",
+ "type": "optional",
+ "comment": "The priority of a locally-defined account."
+ },
+ {
+ "name": "interactive",
+ "type": "required",
+ "comment": "Indicates whether a locally defined account on a resource can be interactively logged in."
+ },
+ {
+ "name": "password",
+ "type": "required",
+ "comment": "Displays the stored password(s) for a locally defined account, if it has any. 
For instance, an add-on may report the password column from \/etc\/passwd in this field"
+ },
+ {
+ "name": "user",
+ "type": "required",
+ "comment": "The full name of a locally defined account."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Cleartext_Passwords",
+ "tags": [
+ ["user", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "password=*",
+ "fields": [],
+ "child_dataset": []
+ },
+ {
+ "name": "Default_Accounts",
+ "tags": [
+ ["user", "inventory", "default"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=default",
+ "fields": [],
+ "child_dataset": []
+ }
+ ]
+ },
+ {
+ "name": "Virtual_OS",
+ "tags": [
+ ["virtual", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=virtual",
+ "fields": [
+ {
+ "name": "hypervisor",
+ "type": "required",
+ "comment": "The hypervisor parent of a virtual guest OS."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Snapshot",
+ "tags": [
+ ["snapshot", "virtual", "inventory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=snapshot",
+ "fields": [
+ {
+ "name": "size",
+ "type": "required",
+ "comment": "The snapshot file size, in megabytes."
+ },
+ {
+ "name": "snapshot",
+ "type": "required",
+ "comment": "The name of a snapshot file."
+ },
+ {
+ "name": "time",
+ "type": "optional",
+ "comment": "The time at which the snapshot was taken."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/DLP.json b/splunk-cim-models/splunk_cim_models/data_models/DLP.json
new file mode 100644
index 00000000..33940918
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/DLP.json
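Review bot: The `Memory` dataset's tag list is `[["memory"]]`, while every sibling under All_Inventory (`CPU`, `Network`, `Storage`, `OS`, `User`, `Virtual_OS`, `Snapshot`) carries `"inventory"` as well and the parent's search constraint starts with `tag=inventory`; if the tag lists are what drives sample tagging or the tag checks in the test framework, Memory events would be generated or checked without the tag that the parent constraint requires. The consistent form is `"tags": [["memory", "inventory"]]`. A related mismatch: `OS` uses `"search_constraints": "tag=system OR tag=version"` whereas All_Inventory's constraint requires both, `(tag=system tag=version)`, so an event tagged only `version` satisfies the child but not the parent — if that is how upstream CIM defines it, a one-line comment next to the constraint would save the next reader from "fixing" it. The file also ends without a trailing newline, unlike Change.json and DLP.json in the same commit.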
@@ -0,0 +1,116 @@
+{
+ "model_name": "DLP",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "DLP Incidents",
+ "tags": [["dlp", "incident"]],
+ "search_constraints": "tag=dlp tag=incident",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "comment": "The action taken by the DLP device."
+ },
+ {
+ "name": "app",
+ "type": "required",
+ "comment": "The application involved in the event."
+ },
+ {
+ "name": "category",
+ "type": "required",
+ "comment": "The category of the DLP event."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The target of the DLP event."
+ },
+ {
+ "name": "dest_zone",
+ "type": "optional",
+ "comment": "The zone of the DLP target."
+ },
+ {
+ "name": "dlp_type",
+ "type": "required",
+ "comment": "The type of DLP system that generated the event."
+ },
+ {
+ "name": "dvc",
+ "type": "required",
+ "comment": "The device that reported the DLP event."
+ },
+ {
+ "name": "dvc_zone",
+ "type": "optional",
+ "comment": "The zone of the DLP device."
+ },
+ {
+ "name": "object",
+ "type": "required",
+ "comment": "The name of the affected object."
+ },
+ {
+ "name": "object_category",
+ "type": "required",
+ "comment": "The category of the affected object."
+ },
+ {
+ "name": "object_path",
+ "type": "required",
+ "comment": "The path of the affected object."
+ },
+ {
+ "name": "severity",
+ "type": "required",
+ "comment": "The severity of the DLP event."
+ },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "The name of the DLP event."
+ },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
+ {
+ "name": "src",
+ "type": "optional",
+ "comment": "The source of the DLP event."
+ },
+ {
+ "name": "src_user",
+ "type": "required",
+ "comment": "The source user of the DLP event."
+ },
+ {
+ "name": "src_zone",
+ "type": "optional",
+ "comment": "The zone of the DLP source."
+ },
+ {
+ "name": "user",
+ "type": "conditional",
+ "condition": "dlp_type=email OR dlp_type=share_point OR dlp_type=o365 OR dlp_type=google.* OR dlp_type=GWS.*",
+ "comment": "The target user of the DLP event."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product name of the DLP system"
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json b/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json
new file mode 100644
index 00000000..14eb065e
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json
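Review bot: The root dataset is named `"DLP Incidents"` with a space, whereas every other dataset name in this commit (`All_Certificates`, `All_Changes`, `All_Inventory`, `Data_Access`, and all their children) uses underscores. If the `name` value is used to build datamodel search paths or test identifiers, the space will not match the underscore form Splunk uses for this dataset, and it is at least an inconsistency worth settling before the new package's first release; the consistent line is `"name": "DLP_Incidents",`. Minor: the `vendor_product` comment is the only one in this file without a terminating period.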
@@ -0,0 +1,197 @@ +{ + "model_name": "Data_Access", + "version": "1.0.0", + "objects": [ + { + "name": "Data_Access", + "tags": [ + ["data", "access"] + ], + "fields_cluster": [], + "search_constraints": "tag=data tag=access", + "fields": [ + { + "name": "action", + "type": "required", + "comment": "The data access action taken by the user." + }, + { + "name": "app", + "type": "required", + "comment": "he system, service, or application that generated the data access event. Examples include Onedrive, Sharepoint, drive, AzureActiveDirectory." + }, + { + "name": "application_id", + "type": "optional", + "comment": "Application ID of the user" + }, + { + "name": "object", + "type": "required", + "comment": "Resource object name on which the action was performed by a user." + }, + { + "name": "object_attrs", + "type": "required", + "comment": "The attributes that were updated on the updated resource object, if applicable." + }, + { + "name": "object_category", + "type": "required", + "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app." + }, + { + "name": "object_id", + "type": "required", + "comment": "The unique updated resource object ID as presented to the system, if applicable. For example, a source_folder_id, doc_id." + }, + { + "name": "object_path", + "type": "optional", + "comment": "The path of the modified resource object, if applicable, such as a file, directory, or volume." + }, + { + "name": "object_size", + "type": "required", + "comment": "The size of the modified resource object." + }, + { + "name": "dest", + "type": "required", + "comment": "The destination where the data resides or where it is being accessed, such as the product or application. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, dest_url or dest_name." + }, + { + "name": "dest_name", + "type": "optional", + "comment": "Name of the destination as defined by the Vendor." 
+ }, + { + "name": "dest_type", + "type": "optional", + "comment": "The type of the destination object, such as 'instance', 'storage', 'firewall', 'printer'." + }, + { + "name": "dest_url", + "type": "optional", + "comment": "Url of the product, application or object." + }, + { + "name": "dvc", + "type": "optional", + "comment": "The device that reported the data access event." + }, + { + "name": "email", + "type": "optional", + "comment": "The email address of the user involved in the event, or who initiated the event." + }, + { + "name": "owner", + "type": "optional", + "comment": "Resource owner." + }, + { + "name": "owner_id", + "type": "optional", + "comment": "ID of the owner as defined by the vendor." + }, + { + "name": "owner_email", + "type": "optional", + "comment": "Email of the resource owner." + }, + { + "name": "parent_object", + "type": "optional", + "comment": "Parent of the object name on which the action was performed by a user." + }, + { + "name": "parent_object_category", + "type": "optional", + "comment": "Object category of the parent object on which action was performed by a user." + }, + { + "name": "parent_object_id", + "type": "optional", + "comment": "Object id of the parent object on which the action was performed by a user." + }, + { + "name": "signature", + "type": "optional", + "comment": "A human-readable signature name." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "src", + "type": "required", + "comment": "The endpoint client host." + }, + { + "name": "user_agent", + "type": "optional", + "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4." + }, + { + "name": "user_email", + "type": "optional", + "comment": "The email address of the user involved in the event, or who initiated the event." 
+ }, + { + "name": "user_group", + "type": "optional", + "comment": "The group of the user involved in the event, or who initiated the event." + }, + { + "name": "user_id", + "type": "optional", + "comment": "The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user_name", + "type": "required", + "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name for user or entity performing the change)" + }, + { + "name": "user_role", + "type": "optional", + "comment": "The role of the user involved in the event, or who initiated the event." + }, + { + "name": "user_type", + "type": "optional", + "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request." + }, + { + "name": "vendor_account", + "type": "required", + "comment": "The account that manages the user that initiated the request." + }, + { + "name": "vendor_product_id", + "type": "optional", + "comment": "The vendor and product name ID as defined by the vendor." + }, + { + "name": "vendor_region", + "type": "optional", + "comment": "The data center region where the change occurred, such as us-west-2." + }, + { + "name": "user", + "type": "required", + "comment": "The user involved in the event, or who initiated the event." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the vendor." + } + ], + "child_dataset": [] + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Databases.json b/splunk-cim-models/splunk_cim_models/data_models/Databases.json new file mode 100644 index 00000000..00df6911 --- /dev/null 
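Review bot: The `app` field's comment in Data_Access.json is missing its first letter (`"comment": "he system, service, or application that generated the data access event. ..."`); it should read `"comment": "The system, service, or application that generated the data access event. Examples include Onedrive, Sharepoint, drive, AzureActiveDirectory."`. These comment strings are what the test framework surfaces to add-on authors, so a truncated description will be copied into reports as-is. The file also ends without a trailing newline (`\ No newline at end of file`), unlike DLP.json in the same commit; adding one keeps the data_models directory consistent and avoids a spurious diff on the next edit.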
+++ b/splunk-cim-models/splunk_cim_models/data_models/Databases.json 
@@ -0,0 +1,490 @@ +{ + "model_name": "Databases", + "version": "1.0.0", + "objects": [ + { + "name": "All_Databases", + "tags": [["database"]], + "fields_cluster": [], + "search_constraints": "tag=database", + "fields": [ + { + "name": "dest", + "type": "optional", + "comment": "The destination of the database event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_bunit", + "type": "optional", + "comment": "The business unit of the destination." + }, + { + "name": "dest_category", + "type": "optional", + "comment": "The category of the destination." + }, + { + "name": "dest_priority", + "type": "optional", + "comment": "The priority of the destination." + }, + { + "name": "duration", + "type": "optional", + "comment": "The amount of time for the completion of the database event, in seconds." + }, + { + "name": "object", + "type": "optional", + "comment": "The name of the database object." + }, + { + "name": "response_time", + "type": "optional", + "comment": "The amount of time it took to receive a response in the database event, in seconds." + }, + { + "name": "src", + "type": "optional", + "comment": "The source of the database event. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + }, + { + "name": "src_bunit", + "type": "optional", + "comment": "The business unit of the source." + }, + { + "name": "src_category", + "type": "optional", + "comment": "The category of the source." + }, + { + "name": "src_priority", + "type": "optional", + "comment": "The priority of the source." + }, + { + "name": "tag", + "type": "optional", + "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." + }, + { + "name": "user", + "type": "optional", + "comment": "Name of the database process user." + }, + { + "name": "user_bunit", + "type": "optional", + "comment": "The business unit of the user." 
+ }, + { + "name": "user_category", + "type": "optional", + "comment": "The category associated with the user." + }, + { + "name": "user_priority", + "type": "optional", + "comment": "The priority of the user." + }, + { + "name": "vendor_product", + "type": "optional", + "comment": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [ + { + "name": "Database_Instance", + "tags": [ + ["instance", "database"] + ], + "search_constraints":"tag=instance", + "fields_cluster":[], + "fields":[ + { + "name": "instance_name", + "type": "optional", + "comment": "The name of the database instance." + }, + { + "name": "instance_version", + "type": "optional", + "comment": "The version of the database instance." + }, + { + "name": "session_limit", + "type": "optional", + "comment": "The maximum number of sessions that the database instance can handle." + }, + { + "name": "process_limit", + "type": "optional", + "comment": "The maximum number of processes that the database instance can handle." + } + ], + "child_dataset": [ + { + "name": "Instance_Stats", + "tags": [ + ["stats", "instance", "database"] + ], + "search_constraints":"tag=stats", + "fields_cluster":[], + "fields":[ + { + "name": "availability", + "type": "optional", + "expected_values": [ + "Available", + "Not Available" + ], + "comment": "The status of the database server." + }, + { + "name": "avg_executions", + "type": "optional", + "comment": "The average number of executions for the database instance." + }, + { + "name": "dump_area_used", + "type": "optional", + "comment": "The amount of the database dump area that has been used." + }, + { + "name": "number_of_users", + "type": "optional", + "comment": "The total number of users for the database instance." + }, + { + "name": "start_time", + "type": "optional", + "comment": "The total amount of uptime for the database instance." 
+ }, + { + "name": "sessions", + "type": "optional", + "comment": "The total number of sessions currently in use for the database instance." + }, + { + "name": "processes", + "type": "optional", + "comment": "The number of processes currently running for the database instance." + }, + { + "name": "tablespace_used", + "type": "optional", + "comment": "The total amount of tablespace used for the database instance, in bytes." + }, + { + "name": "instance_reads", + "type": "optional", + "comment": "The total number of reads for the database instance." + }, + { + "name": "instance_writes", + "type": "optional", + "comment": "The total number of writes for the database instance." + }, + { + "name": "sga_buffer_cache_size", + "type": "optional", + "comment": "The total size of the buffer cache for the database instance, in bytes." + }, + { + "name": "sga_data_dict_hit_ratio", + "type": "optional", + "comment": "The hit-to-miss ratio for the database instance's data dictionary." + }, + { + "name": "sga_buffer_hit_limit", + "type": "optional", + "comment": "The maximum number of buffers that can be hit in the database instance without finding a free buffer." + }, + { + "name": "sga_library_cache_size", + "type": "optional", + "comment": "The total library cache size for the database instance, in bytes." + }, + { + "name": "sga_fixed_area_size", + "type": "optional", + "comment": "The size of the fixed area (also referred to as the fixed SGA) for the database instance, in bytes." + }, + { + "name": "sga_free_memory", + "type": "optional", + "comment": "The total amount of free memory in the database instance SGA, in bytes." + }, + { + "name": "sga_shared_pool_size", + "type": "optional", + "comment": "The total size of the shared pool for this database instance, in bytes." + }, + { + "name": "sga_redo_log_buffer_size", + "type": "optional", + "comment": "The total size of the redo log buffer for the database instance, in bytes." 
+ }, + { + "name": "sga_sql_area_size", + "type": "optional", + "comment": "The total size of the SQL area for this database instance, in bytes." + } + ], + "child_dataset": [] + }, + { + "name": "Session_Info", + "tags": [ + ["session", "database", "database"] + ], + "search_constraints":"tag=session", + "fields_cluster":[], + "fields":[ + { + "name": "session_id", + "type": "optional", + "comment": "The unique id that identifies the session." + }, + { + "name": "session_status", + "type": "optional", + "expected_values": [ + "Online", + "Offline" + ], + "comment": "The current status of the session." + }, + { + "name": "machine", + "type": "optional", + "comment": "The name of the logical host associated with the database instance." + }, + { + "name": "elapsed_time", + "type": "optional", + "comment": "The total amount of time elapsed since the user started the session by logging into the database server, in seconds." + }, + { + "name": "cpu_used", + "type": "optional", + "comment": "The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds." + }, + { + "name": "memory_sorts", + "type": "optional", + "comment": "The total number of memory sorts performed during the session." + }, + { + "name": "table_scans", + "type": "optional", + "comment": "Number of table scans performed during the session." + }, + { + "name": "physical_reads", + "type": "optional", + "comment": "The total number of physical reads performed during the session." + }, + { + "name": "logical_reads", + "type": "optional", + "comment": "The total number of consistent gets and database block gets performed during the session." + }, + { + "name": "commits", + "type": "optional", + "comment": "The number of commits per second performed by the user associated with the session." + }, + { + "name": "cursor", + "type": "optional", + "comment": "The number of the cursor currently in use by the session." 
+ }, + { + "name": "buffer_cache_hit_ratio", + "type": "optional", + "comment": "The percentage of logical reads from the buffer during the session (1-physical reads\/session logical reads*100)." + }, + { + "name": "wait_state", + "type": "optional", + "expected_values": [ + "WAITING", + "WAITED UNKNOWN", + "WAITED SHORT TIME", + "WAITED KNOWN TIME" + ], + "comment": "Provides the current wait state for the session. Can indicate that the session is currently waiting or provide information about the session's last wait. WAITING indicates the session is currently waiting, WAITED UNKNOWN TIME indicates the duration of the last session wait is unknown, WAITED SHORT TIME indicates the last session wait was < 1\/100th of a second, WAITED KNOWN TIME indicates the wait_time is the duration of the last session wait." + }, + { + "name": "wait_time", + "type": "optional", + "comment": "When wait_time = 0, the session is waiting. When wait_time has a nonzero value, it is displaying the last wait time for the session." + }, + { + "name": "seconds_in_wait", + "type": "optional", + "comment": "The seconds_in_wait depends on the value of wait_time. If wait_time = 0, seconds_in_wait is the number of seconds spent in the current wait condition. If wait_time has a nonzero value, seconds_in_wait is the number of seconds that have elapsed since the start of the last wait. You can get the active seconds that have elapsed since the last wait ended by calculating seconds_in_wait - wait_time \/ 100." + } + ], + "child_dataset": [] + + }, + { + "name": "Lock_Info", + "tags": [ + ["lock", "instance", "database"] + ], + "search_constraints":"tag=lock", + "fields_cluster":[], + "fields":[ + { + "name": "obj_name", + "type": "optional", + "comment": "The name of the locked object." + }, + { + "name": "lock_session_id", + "type": "optional", + "comment": "The session identifier of the locked object." 
+ }, + { + "name": "serial_num", + "type": "optional", + "comment": "The serial number of the object." + }, + { + "name": "lock_mode", + "type": "optional", + "comment": "The mode of the lock on the object." + }, + { + "name": "os_pid", + "type": "optional", + "comment": "The process identifier for the operating system." + }, + { + "name": "last_call_minute", + "type": "optional", + "comment": "Represents the amount of time elapsed since the session_status changed to its current status. The definition of this field depends on the session_status value. If session_status = ONLINE, the last_call_minute value represents the time elapsed since the session became active. If session_status = OFFLINE, the last_call_minute value represents the time elapsed since the session became inactive." + }, + { + "name": "logon_time", + "type": "optional", + "comment": "The database logon time for the session." + } + ], + "child_dataset": [] + } + ] + + }, + { + "name": "Database_Query", + "tags": [ + ["query", "database"] + ], + "search_constraints":"tag=query", + "fields_cluster":[], + "fields":[ + { + "name": "query", + "type": "optional", + "comment": "The full database query." + }, + { + "name": "query_id", + "type": "optional", + "comment": "The identifier for the database query." + }, + { + "name": "query_time", + "type": "optional", + "comment": "The time the system initiated the database query." + }, + { + "name": "records_affected", + "type": "optional", + "comment": "The number of records affected by the database query." + } + ], + "child_dataset": [ + { + "name": "Tablespace", + "tags": [ + ["tablespace", "query", "database"] + ], + "search_constraints":"tag=tablespace", + "fields_cluster":[], + "fields":[ + { + "name": "tablespace_name", + "type": "optional", + "comment": "The name of the tablespace." + }, + { + "name": "tablespace_status", + "type": "optional", + "expected_values": [ + "Offline", + "Online", + "Read Only" + ], + "comment": "The status of the tablespace." 
+ }, + { + "name": "free_bytes", + "type": "optional", + "comment": "The total amount of free space in the tablespace, in bytes." + }, + { + "name": "tablespace_reads", + "type": "optional", + "comment": "The number of tablespace reads carried out by the query." + }, + { + "name": "tablespace_writes", + "type": "optional", + "comment": "The number of tablespace writes carried out by the query." + } + ], + "child_dataset": [] + }, + { + "name": "Query_Stats", + "tags": [["stats", "query", "stats"]], + "search_constraints":"tag=stats", + "fields_cluster":[], + "fields":[ + { + "name": "stored_procedures_called", + "type": "optional", + "comment": "The names of the stored procedures called by the query." + }, + { + "name": "tables_hit", + "type": "optional", + "comment": "The names of the tables hit by the query." + }, + { + "name": "indexes_hit", + "type": "optional", + "comment": "The names of the indexes hit by the database query." + }, + { + "name": "query_plan_hit", + "type": "optional", + "comment": "The name of the query plan hit by the query." + } + ], + "child_dataset": [] + } + ] + + } + ] + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Email.json b/splunk-cim-models/splunk_cim_models/data_models/Email.json new file mode 100644 index 00000000..d5d61c6f --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Email.json 
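Review bot: Two datasets in Databases.json carry a duplicated tag where the sibling datasets carry the parent's tag chain: Session_Info has `"tags": [["session", "database", "database"]]` and Query_Stats has `"tags": [["stats", "query", "stats"]]`, whereas Lock_Info uses `["lock", "instance", "database"]` and Tablespace uses `["tablespace", "query", "database"]`. The repeated element looks like a copy-paste slip; if the pattern of the siblings is the intended one, these should presumably be `["session", "instance", "database"]` and `["stats", "query", "database"]`, but please confirm against the CIM reference before changing, since the tag list drives which events the dataset test matches. Separately, `wait_state` lists `"WAITED UNKNOWN"` in `expected_values` while its comment describes the value as `WAITED UNKNOWN TIME`; one of the two should be aligned so that the expected-values check and the documentation agree.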
@@ -0,0 +1,251 @@ +{ + "model_name": "Email", + "version": "1.0.0", + "objects": [ + { + "name": "All Email", + "tags": [["email"]], + "search_constraints": "tag=email", + "fields_cluster": [["recipient", "recipient_count"]], + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": ["delivered", "blocked", "quarantined", "deleted"], + "comment": "Action taken by the reporting device" + }, + { + "name": "delay", + "type": "optional", + "validity": "if(isnum(delay),delay,null())", + "comment": "Total sending delay in milliseconds" + }, + { + "name": "dest", + "type": "required", + "comment": "The endpoint system to which the message was delivered" + }, + { + "name": "duration", + "type": "optional", + "validity": "if(isnum(duration),duration, null())", + "comment": "The amount of time for the completion of the messaging event, in seconds." + }, + { + "name": "file_hash", + "type": "optional", + "comment": "The hashes for the files attached to the message, if any exist." + }, + { + "name": "file_name", + "type": "optional", + "comment": "The names of the files attached to the message, if any exist." + }, + { + "name": "file_size", + "type": "optional", + "validity": "if(isnum(file_size),file_size, null())", + "comment": "The size of the files attached the message, in bytes." + }, + { + "name": "internal_message_id", + "type": "required", + "comment": "Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport)." + }, + { + "name": "message_id", + "type": "required", + "comment": "The globally-unique message identifier." + }, + { + "name": "message_info", + "type": "optional", + "comment": "Additional information about the message." + }, + { + "name": "orig_dest", + "type": "optional", + "comment": "The original destination host of the message. The message destination host can change when a message is relayed or bounced." 
+ }, + { + "name": "orig_recipient", + "type": "optional", + "comment": "The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient." + }, + { + "name": "orig_src", + "type": "optional", + "comment": "The original source of the message." + }, + { + "name": "process", + "type": "conditional", + "condition": "process_id=*", + "comment": "The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client." + }, + { + "name": "process_id", + "type": "optional", + "validity": "if(isnum(process_id), process_id, null())", + "comment": "The numeric identifier of the process invoked to send the message." + }, + { + "name": "protocol", + "type": "required", + "expected_values": ["smtp", "imap", "pop3", "mapi"], + "comment": "The email protocol involved, such as SMTP or RPC." + }, + { + "name": "recipient", + "type": "required", + "multi_value": true, + "comment": "A field listing individual recipient email addresses, such as recipient='foo@splunk.com', recipient='bar@splunk.com'" + }, + { + "name": "recipient_count", + "type": "required", + "validity":"if(isnum(recipient_count) and recipient_count==mvcount(recipient),recipient_count, null())", + "comment": "The total number of intended message recipients." + }, + { + "name": "recipient_domain", + "type": "required", + "comment": "The domain name contained within the recipient email addresses." + }, + { + "name": "recipient_status", + "type": "optional", + "comment": "The recipient delivery status, if available." + }, + { + "name": "response_time", + "type": "optional", + "validity": "if(isnum(response_time),response_time, null())", + "comment": "The amount of time it took to receive a response in the messaging event, in seconds." 
+ }, + { + "name": "retries", + "type": "optional", + "validity": "if(isnum(retries),retries, null())", + "comment": "The number of times that the message was automatically resent because it was bounced back, or a similar transmission error condition." + }, + { + "name": "return_addr", + "type": "required", + "comment": "The return address for the message." + }, + { + "name": "size", + "type": "optional", + "validity": "if(isnum(size),size, null())", + "comment": "The size of the message, in bytes." + }, + { + "name": "src", + "type": "required", + "comment": "The system that sent the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + }, + { + "name": "src_user", + "type": "required", + "comment": "The email address of the message sender." + }, + { + "name": "status_code", + "type": "conditional", + "condition": "protocol=smtp", + "validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))", + "comment": "The status code associated with the message." + }, + { + "name": "src_user_domain", + "type": "required", + "comment": "The domain name contained within the email address of the message sender." + }, + { + "name": "subject", + "type": "optional", + "comment": "The subject of the message." + }, + { + "name": "url", + "type": "optional", + "comment": "The URL associated with the message, if any." + }, + { + "name": "user", + "type": "optional", + "comment": "The user context for the process. This is not the email address for the sender. For that, look at the src_user field." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product of the email server used for the email transaction. This field can be automatically populated by vendor and product fields in your data." + }, + { + "name": "xdelay", + "type": "optional", + "comment": "Extended delay information for the message transaction. 
May contain details of all the delays from all the servers in the message transmission chain." + }, + { + "name": "xref", + "type": "optional", + "comment": "An external reference. Can contain message IDs or recipient addresses from related messages." + } + ], + "child_dataset": [ + { + "name": "Delivery", + "tags": [["email", "delivery"]], + "fields_cluster": [], + "search_constraints": "tag=delivery", + "fields": [], + "child_dataset": [] + }, + { + "name": "Content", + "tags": [["email", "content"]], + "fields_cluster": [], + "search_constraints": "tag=content", + "fields": [], + "child_dataset": [] + }, + { + "name": "Filtering", + "tags": [["email", "filter"]], + "fields_cluster": [], + "search_constraints": "tag=filter", + "fields": [ + { + "name": "filter_action", + "type": "optional", + "comment": "The status produced by the filter, such as 'accepted', 'rejected', or 'dropped'" + }, + { + "name": "filter_score", + "type": "optional", + "validity": "if(isnum(filter_score),filter_score, null())", + "comment": "Numeric indicator assigned to specific emails by an email filter" + }, + { + "name": "signature", + "type": "required", + "comment": "The name of the filter applied." + }, + { + "name": "signature_extra", + "type": "optional", + "comment": "Any additional information about the filter." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The id associated with the filter name." + } + ], + "child_dataset": [] + } + ] + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json b/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json new file mode 100644 index 00000000..2f9b2ee4 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json 
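Review bot: The `validity` expression for `status_code` in Email.json, `"validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))"`, calls `if()` with a single argument, while every other validity expression in this file follows the three-argument form `if(cond, value, null())` (see `delay`, `duration`, `recipient_count`). As written the expression cannot evaluate as the others do, so the status_code validity test will likely fail or be skipped regardless of the data; the consistent form would be `"validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"), status_code, null())"`. Note also that the regex is unanchored, so it accepts any string containing a digit; if a stricter SMTP status/enhanced-status-code shape is intended, anchoring it (`^...$`) would make the check meaningful.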
@@ -0,0 +1,639 @@ +{ + "model_name": "Endpoint", + "version": "1.0.0", + "objects": [ + { + "name": "Ports", + "tags": [["listening", "port"]], + "fields_cluster": [], + "fields": [ + { + "name": "creation_time", + "type": "optional", + "comment": "The time at which the network port started listening on the endpoint." + }, + { + "name": "dest", + "type": "required", + "comment": "The endpoint on which the port is listening.Expression: if(isnull(dest) OR dest=\"\",\"unknown\",dest)" + }, + { + "name": "dest_port", + "type": "required", + "validity": "if(isnum(dest_port),dest_port,null())", + "comment": "Network port listening on the endpoint, such as 53." + }, + { + "name": "dest_requires_av", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_timesync", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_update", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "process_guid", + "type": "optional", + "comment": "The globally unique identifier of the process assigned by the vendor_product." + }, + { + "name": "process_id", + "type": "optional", + "comment": "The numeric identifier of the process assigned by the operating system." + }, + { + "name": "src", + "type": "required", + "comment": "The 'remote' system connected to the listening port (if applicable)." 
+ }, + { + "name": "src_port", + "type": "required", + "validity": "if(isnum(src_port),src_port,null())", + "comment": "The 'remote' port connected to the listening port (if applicable)." + }, + { + "name": "src_requires_av", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "src_should_timesync", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "src_should_update", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "state", + "type": "required", + "expected_values": ["listening"], + "comment": "The status of the listening port, such as listening, etc." + }, + { + "name": "transport", + "type": "required", + "comment": "The network transport protocol associated with the listening port, such as tcp, udp, etc." + }, + { + "name": "transport_dest_port", + "type": "required", + "validity": "if(match(transport_dest_port, \"(?:tcp|udp|dccp|sctp)\\/(?:(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$)\"), transport_dest_port, null())", + "comment": "Calculated as transport/dest_port, such as tcp/53." + }, + { + "name": "user", + "type": "optional", + "comment": "The user account associated with the listening port." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. 
This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [], + "search_constraints": "tag=listening tag=port | eval transport=if(isnull(transport) OR transport=\"\",\"unknown\",transport),dest_port=if(isnull(dest_port) OR dest_port=\"\",0,dest_port),transport_dest_port=mvzip(transport,dest_port,\"/\") | mvexpand transport_dest_port" + }, + { + "name": "Processes", + "tags": [["process", "report"]], + "fields_cluster": [], + "fields": [ + { + "name": "action", + "type": "required", + "comment": "The action taken by the endpoint, such as allowed, blocked, deferred." + }, + { + "name": "cpu_load_percent", + "type": "optional", + "validity": "if(isnum(cpu_load_percent),cpu_load_percent,null())", + "comment": "CPU load consumed by the process (in percent)." + }, + { + "name": "dest", + "type": "required", + "comment": "The endpoint for which the process was spawned." + }, + { + "name": "loaded_file", + "type": "optional", + "comment": "File that was loaded." + }, + { + "name": "mem_used", + "type": "optional", + "validity": "if(isnum(mem_used),mem_used,null())", + "comment": "Memory used by the process (in bytes)." + }, + { + "name": "os", + "type": "optional", + "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2." + }, + { + "name": "original_file_name", + "type": "optional", + "comment": "Original name of the file, not including path." + }, + { + "name": "parent_process", + "type": "required", + "comment": "The full command string of the parent process." + }, + { + "name": "parent_process_exec", + "type": "optional", + "comment": "The executable name of the parent process." + }, + { + "name": "parent_process_id", + "type": "required", + "validity": "if(isnum(parent_process_id),parent_process_id,null())", + "comment": "The numeric identifier of the parent process assigned by the operating system." 
+ }, + { + "name": "parent_process_guid", + "type": "optional", + "comment": "The globally unique identifier of the parent process assigned by the vendor_product." + }, + { + "name": "parent_process_name", + "type": "required", + "comment": "The friendly name of the parent process, such as notepad.exe.", + "validity": "if(match(parent_process_name,\"^[^\\\\\\/]+$\"),parent_process_name,null())" + }, + { + "name": "parent_process_path", + "type": "required", + "comment": "The file path of the parent process, such as C:\\Windows\\System32\notepad.exe." + }, + { + "name": "parent_process_hash", + "type": "optional", + "comment": "TThe digest(s) of the parent process, such as , , etc." + }, + { + "name": "process", + "type": "required", + "comment": "The full command string of the spawned process. Such as C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme\"" + }, + { + "name": "process_current_directory", + "type": "optional", + "comment": "The current working directory used to spawn the process." + }, + { + "name": "process_exec", + "type": "optional", + "comment": "The executable name of the process." + }, + { + "name": "process_hash", + "type": "optional", + "comment": "The digests of the parent process, such as , , etc." + }, + { + "name": "process_guid", + "type": "optional", + "comment": "The globally unique identifier of the process assigned by the vendor_product." + }, + { + "name": "process_id", + "type": "required", + "validity": "if(isnum(process_id),process_id,null())", + "comment": "The numeric identifier of the process assigned by the operating system." + }, + { + "name": "process_integrity_level", + "type": "optional", + "expected_values": ["system", "high", "medium", "low", "untrusted"], + "comment": "The Windows integrity level of the process." 
+ }, + { + "name": "process_name", + "type": "required", + "comment": "The friendly name of the process, such as notepad.exe.", + "validity": "if(match(process_name,\"^[^\\\\\\/]+$\"),process_name,null())" + }, + { + "name": "process_path", + "type": "required", + "comment": "The file path of the process, such as C:\\Windows\\System32\notepad.exe." + }, + { + "name": "user", + "type": "required", + "comment": "The user account that spawned the process.Expression: if(isnull(user) OR user=\"\",\"unknown\",user)" + }, + { + "name": "user_id", + "type": "optional", + "comment": "The unique identifier of the user account which spawned the process." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [], + "search_constraints": "tag=process tag=report | eval process_integrity_level=lower(process_integrity_level)" + }, + { + "name": "Filesystem", + "tags": [["endpoint", "filesystem"]], + "fields_cluster": [], + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": [ + "acl_modified", + "created", + "deleted", + "modified", + "read" + ], + "comment": "The action performed on the resource." + }, + { + "name": "dest", + "type": "required", + "comment": "The endpoint pertaining to the filesystem activity." + }, + { + "name": "dest_requires_av", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_timesync", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. 
Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_update", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "file_access_time", + "type": "optional", + "comment": "The time that the file (the object of the event) was accessed." + }, + { + "name": "file_create_time", + "type": "conditional", + "condition": "action=created ", + "comment": "The time that the file (the object of the event) was created." + }, + { + "name": "file_hash", + "type": "conditional", + "condition": "action=created or action=modified or action=read", + "comment": "A cryptographic identifier assigned to the file object affected by the event." + }, + { + "name": "file_modify_time", + "type": "conditional", + "condition": "action=modified ", + "comment": "The time that the file (the object of the event) was altered." + }, + { + "name": "file_name", + "type": "required", + "comment": "The name of the file, such as notepad.exe." + }, + { + "name": "file_path", + "type": "required", + "comment": "The path of the file, such as C:\\Windows\\System32\notepad.exe." + }, + { + "name": "file_acl", + "type": "conditional", + "condition": "action=acl_modified ", + "comment": "Access controls associated with the file affected by the event.." + }, + { + "name": "file_size", + "type": "required", + "comment": "The size of the file that is the object of the event, in kilobytes." + }, + { + "name": "process_guid", + "type": "optional", + "comment": "The globally unique identifier of the process assigned by the vendor_product." + }, + { + "name": "process_id", + "type": "optional", + "comment": "The numeric identifier of the process assigned by the operating system." 
+ }, + { + "name": "user", + "type": "required", + "comment": "The user account associated with the filesystem access." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." + }, + { + "name": "image", + "type": "optional", + "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination." + } + ], + "child_dataset": [], + "search_constraints": "tag=endpoint tag=filesystem" + }, + { + "name": "Registry", + "tags": [["endpoint", "registry"]], + "fields_cluster": [], + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": ["created", "deleted", "modified", "read"], + "comment": "The action performed on the resource. Expected values: created, deleted, modified, read." + }, + { + "name": "dest", + "type": "required", + "comment": "The endpoint pertaining to the registry events." + }, + { + "name": "dest_requires_av", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_timesync", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_update", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." 
+ }, + { + "name": "process_guid", + "type": "optional", + "comment": "The globally unique identifier of the process assigned by the vendor_product." + }, + { + "name": "process_id", + "type": "optional", + "comment": "The numeric identifier of the process assigned by the operating system." + }, + { + "name": "registry_hive", + "type": "required", + "expected_values": [ + "HKEY_CURRENT_CONFIG", + "HKEY_CURRENT_USER", + "HKEY_LOCAL_MACHINE\\SAM", + "HKEY_LOCAL_MACHINE\\Security", + "HKEY_LOCAL_MACHINE\\Software", + "HKEY_LOCAL_MACHINE\\System", + "HKEY_USERS\\.DEFAULT" + ], + "comment": "The logical grouping of registry keys, subkeys, and values." + }, + { + "name": "registry_path", + "type": "required", + "comment": "The path to the registry value, such as \\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData." + }, + { + "name": "registry_key_name", + "type": "required", + "comment": "The name of the registry key, such as PrinterDriverData." + }, + { + "name": "registry_value_data", + "type": "required", + "comment": "The unaltered registry value." + }, + { + "name": "registry_value_name", + "type": "required", + "comment": "The name of the registry value." + }, + { + "name": "registry_value_text", + "type": "required", + "comment": "The textual representation of registry_value_data (if applicable)." + }, + { + "name": "registry_value_type", + "type": "required", + "expected_values": [ + "REG_BINARY", + "REG_DWORD", + "REG_DWORD_LITTLE_ENDIAN", + "REG_DWORD_BIG_ENDIAN", + "REG_EXPAND_SZ", + "REG_LINK", + "REG_MULTI_SZ", + "REG_NONE", + "REG_QWORD", + "REG_QWORD_LITTLE_ENDIAN", + "REG_SZ" + ], + "comment": "The type of the registry value." + }, + { + "name": "status", + "type": "required", + "expected_values": ["failure", "success"], + "comment": "The outcome of the registry action." + }, + { + "name": "user", + "type": "required", + "comment": "The user account associated with the registry access." 
+ }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." + }, + { + "name": "image", + "type": "optional", + "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination." + } + ], + "child_dataset": [], + "search_constraints": "tag=endpoint tag=registry" + }, + { + "name": "Services", + "tags": [["service", "report"]], + "fields_cluster": [], + "fields": [ + { + "name": "description", + "type": "optional", + "validation": "", + "comment": "The description of the service." + }, + { + "name": "dest", + "type": "required", + "validation": "", + "comment": "The endpoint for which the service is installed." + }, + { + "name": "dest_is_expected", + "type": "optional", + "comment": "The endpoint for which the service is installed." + }, + { + "name": "dest_requires_av", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_should_timesync", + "type": "optional", + "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "process_guid", + "type": "optional", + "validation": "", + "comment": "The globally unique identifier of the process assigned by the vendor_product." + }, + { + "name": "process_id", + "type": "optional", + "validation": "", + "comment": "The numeric identifier of the process assigned by the operating system." + }, + { + "name": "service", + "type": "required", + "validation": "", + "comment": "The full service name." 
+ }, + { + "name": "service_dll", + "type": "optional", + "validation": "", + "comment": "The dynamic link library associated with the service." + }, + { + "name": "service_dll_path", + "type": "optional", + "validation": "", + "comment": "The file path to the dynamic link library assocatied with the service, such as C:\\Windows\\System32\\comdlg32.dll." + }, + { + "name": "service_dll_hash", + "type": "optional", + "validation": "", + "comment": "The digests of the dynamic link library associated with the service, such as , , etc." + }, + { + "name": "service_dll_signature_exists", + "type": "optional", + "validation": "", + "comment": "Whether or not the dynamic link library associated with the service has a digitally signed signature." + }, + { + "name": "service_dll_signature_verified", + "type": "optional", + "validation": "", + "comment": "Whether or not the dynamic link library associated with the service has had its digitally signed signature verified." + }, + { + "name": "service_exec", + "type": "optional", + "validation": "", + "comment": "The executable name of the service." + }, + { + "name": "service_hash", + "type": "optional", + "validation": "", + "comment": "The digest(s) of the service, such as , , etc." + }, + { + "name": "service_id", + "type": "optional", + "validation": "", + "comment": "The unique identifier of the service assigned by the operating system." + }, + { + "name": "service_name", + "type": "required", + "validation": "", + "comment": "The friendly service name." + }, + { + "name": "service_path", + "type": "required", + "validation": "", + "comment": "The file path of the service, such as C:\\WINDOWS\\system32\\svchost.exe." + }, + { + "name": "service_signature_exists", + "type": "optional", + "validation": "", + "comment": "Whether or not the service has a digitally signed signature." 
+ }, + { + "name": "service_signature_verified", + "type": "optional", + "validation": "", + "comment": "Whether or not the service has had its digitally signed signature verified." + }, + { + "name": "start_mode", + "type": "required", + "validation": "", + "comment": "The start mode for the service." + }, + { + "name": "status", + "type": "required", + "expected_values": ["critical", "started", "stopped", "warning", "installed"], + "validation": "", + "comment": "The status of the service." + }, + { + "name": "user", + "type": "required", + "validation": "", + "comment": "The user account associated with the service." + }, + { + "name": "vendor_product", + "type": "required", + "validation": "", + "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [], + "search_constraints": "tag=service tag=report" + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json b/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json new file mode 100644 index 00000000..ef7c70f4 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json 
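Review bot: The `\n` in the example paths of `parent_process_path` and `process_path` (Processes dataset) and `file_path` (Filesystem dataset) is a JSON newline escape, so `C:\\Windows\\System32\notepad.exe` decodes to a path broken by a line break; Intrusion_Detection.json spells the same example `C:\\Windows\\System32\\notepad.exe`, which is what these three comments should read. The Services dataset puts an empty `"validation": ""` on every field while every other dataset uses `"validity"` with an SPL expression; if the loader only reads `validity` (not visible here), those keys are dead and should be dropped rather than suggesting a check exists. Several comments look copy-pasted or truncated: `dest_is_expected` repeats the `dest` text, `process_hash` describes "the parent process", and `parent_process_hash` (also "TThe"), `service_dll_hash` and `service_hash` end in "such as , , etc." where the algorithm names were lost — e.g. `"comment": "The digest(s) of the process, such as md5, sha1, or sha256."`. The `action=created `, `action=modified ` and `action=acl_modified ` conditions carry trailing spaces that no other condition has; trimming them keeps conditions comparable as plain strings.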
@@ -0,0 +1,37 @@ +{ + "model_name": "Event_Signatures", + "version": "1.0.0", + "objects": [ + { + "name": "Event_Signatures", + "tags": [ + ["track_event_signatures"] + ], + "fields_cluster": [], + "search_constraints": "tag=track_event_signatures (signature=* OR signature_id=*)", + "fields": [ + { + "name": "dest", + "type": "required", + "comment": "System affected by the signature." + }, + { + "name": "signature", + "type": "required", + "comment": "The human readable event name." + }, + { + "name": "signature_id", + "type": "required", + "comment": "The event name identifier (as supplied by the vendor)." + }, + { + "name": "vendor_product", + "type": "optional", + "comment": "The vendor and product name of the technology that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [] + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json b/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json new file mode 100644 index 00000000..6f18178e --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json 
@@ -0,0 +1,194 @@ +{ + "model_name": "", + "version": "1.0.0", + "objects": [ + { + "name": "All_Messaging", + "tags": [["messaging"] + ], + "fields_cluster": [], + "search_constraints": "tag=messaging", + "fields": [ + { + "name": "dest", + "type": "optional", + "comment": "The destination of the message. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_bunit", + "type": "optional", + "comment": "The business unit of the destination." + }, + { + "name": "dest_category", + "type": "optional", + "expected_values": [ + "queue", + "topic" + ], + "comment": "The type of message destination." + }, + { + "name": "dest_priority", + "type": "optional", + "comment": "The priority of the destination." + }, + { + "name": "duration", + "type": "optional", + "comment": "The number of seconds from message call to message response. Can be derived by getting the difference between the request_sent_time and the message_received_time." + }, + { + "name": "endpoint", + "type": "optional", + "comment": "The endpoint that the message accessed during the RPC (remote procedure call) transaction." + }, + { + "name": "endpoint_version", + "type": "optional", + "comment": "The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22." + }, + { + "name": "message", + "type": "optional", + "comment": "A command or reference that an RPC (remote procedure call) reads or responds to." + }, + { + "name": "message_id", + "type": "optional", + "comment": "The message identification." + }, + { + "name": "message_consumed_time", + "type": "optional", + "comment": "The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action." + }, + { + "name": "message_correlation_id", + "type": "optional", + "comment": "The message correlation identification value." 
+ }, + { + "name": "message_delivered_time", + "type": "optional", + "comment": "The time that the message producer sent the message." + }, + { + "name": "message_delivery_mode", + "type": "optional", + "comment": "The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent (meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on." + }, + { + "name": "message_expiration_time", + "type": "optional", + "comment": "The time that the message expired." + }, + { + "name": "message_priority", + "type": "optional", + "comment": "The priority of the message. Important jobs that the message queue should answer no matter what receive a higher message_priority than other jobs, ensuring they are completed before the others." + }, + { + "name": "message_properties", + "type": "optional", + "comment": "An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using." + }, + { + "name": "message_received_time", + "type": "optional", + "comment": "The time that the message was received by a message-oriented middleware (MOM) solution." + }, + { + "name": "message_redelivered", + "type": "optional", + "comment": "Indicates whether or not the message was redelivered." + }, + { + "name": "message_reply_dest", + "type": "optional", + "comment": "The name of the destination for replies to the message." + }, + { + "name": "message_type", + "type": "optional", + "comment": "The type of message, such as call or reply." + }, + { + "name": "parameters", + "type": "optional", + "comment": "Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something like foo=bar." 
+ }, + { + "name": "payload", + "type": "optional", + "comment": "The message payload." + }, + { + "name": "payload_type", + "type": "optional", + "comment": "The type of payload in the message. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)." + }, + { + "name": "request_payload", + "type": "optional", + "comment": "The content of the message request." + }, + { + "name": "request_payload_type", + "type": "optional", + "comment": "The type of payload in the message request. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)." + }, + { + "name": "request_sent_time", + "type": "optional", + "comment": "The time that the message request was sent." + }, + { + "name": "response_code", + "type": "optional", + "comment": "The response status code sent by the receiving server. Ranges between 200 and 404." + }, + { + "name": "response_payload_type", + "type": "optional", + "comment": "The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)." + }, + { + "name": "response_received_time", + "type": "optional", + "comment": "The time that the message response was received." + }, + { + "name": "response_time", + "type": "optional", + "comment": "The amount of time it took to receive a response, in seconds." + }, + { + "name": "return_message", + "type": "optional", + "comment": "The response status message sent by the message server." + }, + { + "name": "rpc_protocol", + "type": "optional", + "comment": "The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB." + }, + { + "name": "status", + "type": "optional", + "expected_values": [ + "pass", + "fail" + ], + "comment": "The status of the message response." 
+ }, + { + "name": "tag", + "type": "optional", + "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." + } + ], + "child_dataset": [] + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json b/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json new file mode 100644 index 00000000..4a492b07 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json 
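Review bot: `model_name` is the empty string on the first line of this file, while every other model in the series (Endpoint, Event_Signatures, Intrusion_Detection, JVM) sets it to the dataset's identifier, so anything that labels tests or reports by `model_name` would produce a blank for this model. It should be `"model_name": "Interprocess_Messaging",`, assuming the underscore form is the identifier the rest of the package uses. The file name itself contains a space ("Interprocess Messaging.json") where the sibling files use underscores; if the loader maps model names to file names, that mismatch is worth confirming as well.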
@@ -0,0 +1,154 @@ +{ + "model_name": "Intrusion_Detection", + "version": "1.0.0", + "objects": [ + { + "name": "IDS_Attacks", + "tags": [["ids", "attack"]], + "fields_cluster": [], + "search_constraints": "tag=ids tag=attack", + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": ["allowed", "blocked"], + "comment": "The action performed on the resource." + }, + { + "name": "category", + "type": "required", + "comment": "The vendor-provided category of the triggered signature, such as spyware. This field is a string. Use a category_id field (not included in this data model) for category ID fields that are integer data types." + }, + { + "name": "dest", + "type": "conditional", + "condition": "ids_type=\"network\"", + "comment": "The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dvc", + "type": "required", + "comment": "The device that detected the intrusion event. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name." + }, + { + "name": "file_hash", + "type": "conditional", + "condition": "ids_type=\"host\" ", + "comment": "A cryptographic identifier assigned to the file object affected by the event." + }, + { + "name": "file_name", + "type": "conditional", + "condition": "ids_type=\"host\" ", + "comment": "The name of the file, such as notepad.exe." + }, + { + "name": "file_path", + "type": "conditional", + "condition": "ids_type=\"host\" ", + "comment": "The path of the file, such as C:\\Windows\\System32\\notepad.exe." + }, + { + "name": "ids_type", + "type": "required", + "expected_values": ["network", "host"], + "comment": "The type of IDS that generated the event." 
+ }, + { + "name": "severity", + "type": "required", + "expected_values": [ + "critical", + "high", + "medium", + "low", + "informational" + ], + "comment": "The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad." + }, + { + "name": "severity_id", + "type": "optional", + "comment": "The numeric or vendor specific severity indicator corresponding to the event severity." + }, + { + "name": "signature", + "type": "required", + "comment": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "dest_type", + "type": "optional", + "comment": "The type of the destination object, such as 'instance', 'storage', 'firewall'." + }, + { + "name": "src", + "type": "conditional", + "condition": "ids_type=\"network\"", + "comment": "The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name." + }, + { + "name": "transport", + "type": "conditional", + "condition": "ids_type=\"network\"", + "comment": "The OSI layer 4 (transport) protocol of the intrusion, in lower case." + }, + { + "name": "src_port", + "type": "conditional", + "condition": "ids_type=\"network\"", + "validity": "if(isnum(src_port),src_port,null())", + "comment": "The source port of the intrusion detection. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field." 
+ }, + { + "name": "dest_port", + "type": "conditional", + "condition": "ids_type=\"network\"", + "validity": "if(isnum(dest_port),dest_port,null())", + "comment": "The destination port of the intrusion detection. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field." + }, + { + "name": "user", + "type": "optional", + "comment": "The user involved with the intrusion detection event." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [ + { + "name": "Application_IDS_Attacks", + "tags": [["ids", "attack"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "ids_type=\"application\"" + }, + { + "name": "Host_IDS_Attacks", + "tags": [["ids", "attack"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "ids_type=\"host\"" + }, + { + "name": "Network_IDS_Attacks", + "tags": [["ids", "attack"]], + "fields_cluster": [], + "fields": [], + "search_constraints": "ids_type=\"network\"", + "child_dataset": [] + } + ] + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/JVM.json b/splunk-cim-models/splunk_cim_models/data_models/JVM.json new file mode 100644 index 00000000..612858f0 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/JVM.json 
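Review bot: The `ids_type` field's `expected_values` lists only `network` and `host`, yet the child dataset `Application_IDS_Attacks` is constrained by `ids_type=\"application\"`, so any event that lands in that child dataset fails the parent's expected-values check by construction. Either add the value — `"expected_values": ["network", "host", "application"],` — or drop the child dataset, whichever matches the CIM version this file tracks. The `ids_type=\"host\" ` conditions on `file_hash`, `file_name` and `file_path` carry a trailing space that the `ids_type=\"network\"` conditions do not; trimming it avoids a spurious difference if conditions are ever compared or de-duplicated as strings.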
@@ -0,0 +1,332 @@
+{
+ "model_name": "JVM",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "Event_Signatures",
+ "tags": [["jvm"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=jvm",
+ "fields": [
+ {
+ "name": "jvm_description",
+ "type": "optional",
+ "comment": "A description field provided in some data sources."
+ },
+ {
+ "name": "tag",
+ "type": "optional",
+ "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Threading",
+ "tags": [
+ ["jvm", "threading"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=threading",
+ "fields": [
+ {
+ "name": "threads_started",
+ "type": "optional",
+ "comment": "The total number of threads started in the JVM."
+ },
+ {
+ "name": "thread_count",
+ "type": "optional",
+ "comment": "The JVM's current thread count."
+ },
+ {
+ "name": "cpu_time_enabled",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether thread CPU time measurement is enabled."
+ },
+ {
+ "name": "cm_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports thread contention monitoring."
+ },
+ {
+ "name": "cm_enabled",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether thread contention monitoring is enabled."
+ },
+ {
+ "name": "synch_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports monitoring of ownable synchronizer usage."
+ },
+ {
+ "name": "peak_thread_count",
+ "type": "optional",
+ "comment": "The JVM's peak thread count."
+ },
+ {
+ "name": "omu_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports monitoring of object monitor usage."
+ },
+ {
+ "name": "daemon_thread_count",
+ "type": "optional",
+ "comment": "The JVM's current daemon count."
+ },
+ {
+ "name": "current_user_time",
+ "type": "optional",
+ "comment": "User-space time taken by the JVM, in seconds."
+ },
+ {
+ "name": "cpu_time_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the Java virtual machine supports CPU time measurement for the current thread."
+ },
+ {
+ "name": "current_cpu_time",
+ "type": "optional",
+ "comment": "CPU-space time taken by the JVM, in seconds."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Runtime",
+ "tags": [
+ ["jvm", "runtime"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=runtime",
+ "fields": [
+ {
+ "name": "version",
+ "type": "optional",
+ "comment": "Version of the JVM."
+ },
+ {
+ "name": "uptime",
+ "type": "optional",
+ "comment": "Uptime of the JVM process, in seconds."
+ },
+ {
+ "name": "start_time",
+ "type": "optional",
+ "comment": "Start time of the JVM process."
+ },
+ {
+ "name": "process_name",
+ "type": "optional",
+ "comment": "Process name of the JVM process."
+ },
+ {
+ "name": "vendor_product",
+ "type": "optional",
+ "comment": "The JVM product or service. This field can be automatically populated by the the vendor and product fields in your raw data."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "OS",
+ "tags": [
+ ["jvm", "os"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=os",
+ "fields": [
+ {
+ "name": "os_version",
+ "type": "optional",
+ "comment": "OS version that the JVM is running on."
+ },
+ {
+ "name": "swap_space",
+ "type": "optional",
+ "comment": "Swap memory space available to the OS that the JVM is running on, in bytes."
+ },
+ {
+ "name": "physical_memory",
+ "type": "optional",
+ "comment": "Physical memory available to the OS that the JVM is running on, in bytes."
+ },
+ {
+ "name": "system_load",
+ "type": "optional",
+ "comment": "System load of the OS that the JVM is running on."
+ },
+ {
+ "name": "cpu_time",
+ "type": "optional",
+ "comment": "Amount of CPU time taken by the JVM, in seconds."
+ },
+ {
+ "name": "os",
+ "type": "optional",
+ "comment": "OS that the JVM is running on."
+ },
+ {
+ "name": "open_file_descriptors",
+ "type": "optional",
+ "comment": "Number of file descriptors opened by the JVM."
+ },
+ {
+ "name": "max_file_descriptors",
+ "type": "optional",
+ "comment": "Maximum file descriptors available to the JVM."
+ },
+ {
+ "name": "free_swap",
+ "type": "optional",
+ "comment": "Amount of free swap memory remaining to the JVM, in bytes."
+ },
+ {
+ "name": "free_physical_memory",
+ "type": "optional",
+ "comment": "Amount of free physical memory remaining to the JVM, in bytes."
+ },
+ {
+ "name": "committed_memory",
+ "type": "optional",
+ "comment": "Amount of memory committed to the JVM, in bytes."
+ },
+ {
+ "name": "total_processors",
+ "type": "optional",
+ "comment": "Total processor cores available to the OS that the JVM is running on."
+ },
+ {
+ "name": "os_architecture",
+ "type": "optional",
+ "comment": "OS architecture that the JVM is running on."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Compilation",
+ "tags": [
+ ["jvm", "compilation"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=compilation",
+ "fields": [
+ {
+ "name": "compilation_time",
+ "type": "optional",
+ "comment": "Time taken by JIT compilation, in seconds."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Classloading",
+ "tags": [
+ ["jvm", "classloading"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=classloading",
+ "fields": [
+ {
+ "name": "total_loaded",
+ "type": "optional",
+ "comment": "The total count of classes loaded in the JVM."
+ },
+ {
+ "name": "current_loaded",
+ "type": "optional",
+ "comment": "The current count of classes loaded in the JVM."
+ },
+ {
+ "name": "total_unloaded",
+ "type": "optional",
+ "comment": "The total count of classes unloaded from the JVM."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Memory",
+ "tags": [
+ ["jvm", "memory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=memory",
+ "fields": [
+ {
+ "name": "non_heap_used",
+ "type": "optional",
+ "comment": "Non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "non_heap_max",
+ "type": "optional",
+ "comment": "Maximum amount of non-heap memory used by the JVM, in bytes"
+ },
+ {
+ "name": "non_heap_initial",
+ "type": "optional",
+ "comment": "Initial amount of non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "non_heap_committed",
+ "type": "optional",
+ "comment": "Committed amount of non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_used",
+ "type": "optional",
+ "comment": "Heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_max",
+ "type": "optional",
+ "comment": "Maximum amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_initial",
+ "type": "optional",
+ "comment": "Initial amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_committed",
+ "type": "optional",
+ "comment": "Committed amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "objects_pending",
+ "type": "optional",
+ "comment": "Number of objects pending in the JVM."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Malware.json b/splunk-cim-models/splunk_cim_models/data_models/Malware.json
new file mode 100644
index 00000000..30dca2b2
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Malware.json
@@ -0,0 +1,177 @@
+{
+ "model_name": "Malware",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "Malware Attacks",
+ "tags": [["malware", "attack"]],
+ "search_constraints": "tag=malware tag=attack",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "expected_values": ["allowed", "blocked", "deferred"],
+ "comment": "Action taken by the reporting device"
+ },
+ {
+ "name": "category",
+ "type": "required",
+ "comment": "The category of the malware event, such as keylogger or ad-supported program."
+ },
+ {
+ "name": "date",
+ "type": "optional",
+ "comment": "The date of the malware event."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the destination, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "file_hash",
+ "type": "optional",
+ "comment": "The hash of the file with suspected malware"
+ },
+ {
+ "name": "file_name",
+ "type": "required",
+ "comment": "The name of the file with suspected malware"
+ },
+ {
+ "name": "file_path",
+ "type": "required",
+ "comment": "The full file path of the file with suspected malware"
+ },
+ {
+ "name": "severity",
+ "type": "required",
+ "expected_values": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "informational"
+ ],
+ "comment":"The severity of a message."
+ },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda"
+ },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
+ {
+ "name": "src",
+ "type": "optional",
+ "comment": "The source of the event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+ },
+ {
+ "name": "src_user",
+ "type": "optional",
+ "comment": "The reported sender of an email-based attack."
+ },
+ {
+ "name": "user",
+ "type": "optional",
+ "comment": "The user involved in the malware event."
+ },
+ {
+ "name": "url",
+ "type": "optional",
+ "comment": "The hash of the file with suspected malware"
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The hash of the file with suspected malware"
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Allowed Malware",
+ "tags": [["malware", "attack"]],
+ "fields_cluster": [],
+ "search_constraints": "action=\"allowed\"",
+ "fields": [],
+ "child_dataset": []
+ },
+ {
+ "name": "Blocked Malware",
+ "tags": [["malware", "attack"]],
+ "fields_cluster": [],
+ "search_constraints": "action=\"blocked\"",
+ "fields": [],
+ "child_dataset": []
+ },
+ {
+ "name": "Quarantined Malware",
+ "tags": [["malware", "attack"]],
+ "fields_cluster": [],
+ "search_constraints": "action=\"deferred\"",
+ "fields": [],
+ "child_dataset": []
+ }
+ ]
+ },
+ {
+ "name": "Malware Operations",
+ "tags": [["malware", "operations"]],
+ "search_constraints": "tag=malware tag=operations | tags outputfield=tag",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The system where the malware operations event occurred"
+ },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the dest system, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "product_version",
+ "type": "optional",
+ "comment": "The product version of the malware operations product"
+ },
+ {
+ "name": "signature_version",
+ "type": "required",
+ "comment": "The version of the malware signature bundle in a signature update operations event"
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor product name of the malware operations product."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json
new file mode 100644
index 00000000..e5a0f842
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json
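Review bot: In the Malware Attacks fields, `url` and `vendor_product` both carry the `file_hash` comment "The hash of the file with suspected malware", which reads as a copy-paste slip in the field documentation rather than a description of either field. For `vendor_product` the Malware Operations dataset in the same hunk already uses the pattern `"comment": "The vendor product name of the malware operations product."`, so `"comment": "The vendor product name of the malware detection product."` would keep the two consistent; for `url` the comment should describe the URL involved in the event, with the exact wording confirmed against the CIM Malware reference. If this file is a verbatim copy of the bundled data_models, the same text presumably exists there and should be corrected in both places.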
@@ -0,0 +1,282 @@
+{
+ "model_name": "Network_Resolution",
+ "version":"1.0.0",
+ "objects": [{
+ "name": "DNS",
+ "tags": [
+ [
+ "network",
+ "resolution",
+ "dns"
+ ]
+ ],
+ "fields_cluster": [],
+ "fields": [{
+ "name": "additional_answer_count",
+ "type": "optional",
+ "validity": "if(isnum(additional_answer_count),additional_answer_count,null())",
+ "comment": "Number of entries in the 'additional' section of the DNS message."
+ },
+ {
+ "name": "answer",
+ "type": "required",
+ "multi_value": true,
+ "comment": "Resolved address for the query."
+ },
+ {
+ "name": "answer_count",
+ "type": "required",
+ "validity": "if(isnum(answer_count) and answer_count == mvcount(answer),answer_count,null())",
+ "comment": "Number of entries in the answer section of the DNS message."
+ },
+ {
+ "name": "authority_answer_count",
+ "type": "optional",
+ "validity": "if(isnum(authority_answer_count),authority_answer_count,null())",
+ "comment": "Number of entries in the 'authority' section of the DNS message."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "message_type",
+ "type": "required",
+ "expected_values": [
+ "Query",
+ "Response"
+ ],
+ "comment": "Type of DNS message."
+ },
+ {
+ "name": "query",
+ "type": "required",
+ "multi_value": true,
+ "comment": "The domain which needs to be resolved. Applies to messages of type 'Query'."
+ },
+ {
+ "name": "query_count",
+ "type": "required",
+ "validity": "if(isnum(query_count) and query_count == mvcount(query),query_count,null())",
+ "comment": "Number of entries that appear in the 'Questions' section of the DNS query."
+ },
+ {
+ "name": "query_type",
+ "type": "required",
+ "expected_values": [
+ "Query",
+ "IQuery",
+ "Status",
+ "Notify",
+ "Update",
+ "A",
+ "MX",
+ "NS",
+ "PTR"
+ ],
+ "comment": "The field may contain DNS OpCodes or Resource Record Type codes. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site. If a value is not set, the DNS.record_type field is referenced."
+ },
+ {
+ "name": "record_type",
+ "type": "required",
+ "expected_values": [
+ "A",
+ "NS",
+ "MD",
+ "MF",
+ "CNAME",
+ "SOA",
+ "MB",
+ "MG",
+ "MR",
+ "NULL",
+ "WKS",
+ "PTR",
+ "HINFO",
+ "MINFO",
+ "MX",
+ "TXT",
+ "RP",
+ "AFSDB",
+ "X25",
+ "ISDN",
+ "RT",
+ "NSAP",
+ "NSAP-PTR",
+ "SIG",
+ "KEY",
+ "PX",
+ "GPOS",
+ "AAAA",
+ "LOC",
+ "NXT",
+ "EID",
+ "NIMLOC",
+ "SRV",
+ "ATMA",
+ "NAPTR",
+ "KX",
+ "CERT",
+ "A6",
+ "DNAME",
+ "SINK",
+ "OPT",
+ "APL",
+ "DS",
+ "SSHFP",
+ "IPSECKEY",
+ "RRSIG",
+ "NSEC",
+ "DNSKEY",
+ "DHCID",
+ "NSEC3",
+ "NSEC3PARAM",
+ "TLSA",
+ "SMIMEA",
+ "Unassigned",
+ "HIP",
+ "NINFO",
+ "RKEY",
+ "TALINK",
+ "CDS",
+ "CDNSKEY",
+ "OPENPGPKEY",
+ "CSYNC",
+ "ZONEMD",
+ "SVCB",
+ "HTTPS",
+ "SPF",
+ "UINFO",
+ "UID",
+ "GID",
+ "UNSPEC",
+ "NID",
+ "L32",
+ "L64",
+ "LP",
+ "EUI48",
+ "EUI64",
+ "TKEY",
+ "TSIG",
+ "IXFR",
+ "AXFR",
+ "MAILB",
+ "MAILA",
+ "*",
+ "URI",
+ "CAA",
+ "AVC",
+ "DOA",
+ "AMTRELAY",
+ "RESINFO",
+ "TA",
+ "DLV",
+ "Private use",
+ "Reserved"
+ ],
+ "comment": "The DNS resource record type. For details, see the List of DNS record types on Internet Assigned Numbers Authority (IANA) web site."
+ },
+ {
+ "name": "reply_code",
+ "type": "required",
+ "expected_values": [
+ "No Error",
+ "Format Error",
+ "Server Failure",
+ "Non-Existent Domain",
+ "NotImp",
+ "Refused",
+ "YXDomain",
+ "YXRRSet",
+ "NXRRSet",
+ "NotAuth",
+ "NotZone",
+ "DSOTYPENI",
+ "BADVERS",
+ "BADSIG",
+ "BADKEY",
+ "BADTIME",
+ "BADMODE",
+ "BADNAME",
+ "BADALG",
+ "BADTRUNC",
+ "BADCOOKIE"
+ ],
+ "comment": "The return code for the response. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
+ },
+ {
+ "name": "reply_code_id",
+ "type": "required",
+ "expected_values": [
+ "1",
+ "2",
+ "3",
+ "4",
+ "5",
+ "6",
+ "7",
+ "8",
+ "9",
+ "10",
+ "11",
+ "16",
+ "17",
+ "18",
+ "19",
+ "20",
+ "21",
+ "22",
+ "23"
+ ],
+ "comment": "The numerical id of a return code. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
+ },
+ {
+ "name": "response_time",
+ "type": "required",
+ "validity": "if(isnum(response_time),response_time,null())",
+ "comment": "The amount of time it took to receive a response in the network resolution event, in seconds."
+ },
+ {
+ "name": "src",
+ "type": "required",
+ "comment": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
+ },
+ {
+ "name": "transaction_id",
+ "type": "required",
+ "validity": "if(isnum(transaction_id),transaction_id,null())",
+ "comment": "The unique numerical transaction id of the network resolution event"
+ },
+ {
+ "name": "transport",
+ "type": "required",
+ "comment": "The transport protocol used by the network resolution event."
+ },
+ {
+ "name": "duration",
+ "type": "optional",
+ "validity": "if(isnum(duration),duration,null())",
+ "comment": "The time taken by the network resolution event, in seconds."
+ },
+ {
+ "name": "name",
+ "type": "optional",
+ "comment": "The name of the DNS event."
+ },
+ {
+ "name": "ttl",
+ "type": "optional",
+ "validity": "if(isnum(ttl),ttl,null())",
+ "comment": "The time-to-live of the network resolution event, in seconds."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist."
+ }
+ ],
+ "child_dataset": [],
+ "search_constraints": "tag=network tag=resolution tag=dns"
+ }]
+}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json
new file mode 100644
index 00000000..406d9de0
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json
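Review bot: `reply_code` lists "No Error", which is RCODE 0 in the IANA DNS parameters, but `reply_code_id` expected_values begin at "1", so a successful response carrying reply_code_id=0 has no accepted id and would presumably fail the expected-values check while its textual reply_code passes. If 0 is meant to be accepted, add `"0",` ahead of `"1",` in reply_code_id. The remaining ids (1–11, 16–23) do line up with the other reply_code entries, with BADVERS and BADSIG sharing 16. Worth confirming against the CIM Network_Resolution reference before changing, since this file appears to mirror the bundled definition.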
@@ -0,0 +1,158 @@
+{
+ "model_name": "Network_Sessions",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Sessions",
+ "tags": [["network", "session"]],
+ "search_constraints": "tag=network tag=session",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "expected_values": ["started", "ended", "blocked"],
+ "comment": "The action taken by the reporting device."
+ },
+ {
+ "name": "dest_ip",
+ "type": "required",
+ "comment": "The internal IP address allocated to the client initializing a network session. For DHCP and VPN events, this is the IP address leased to the client."
+ },
+ {
+ "name": "dest_mac",
+ "type": "required",
+ "comment": "The internal MAC address of the network session client. For DHCP events, this is the MAC address of the client acquiring an IP address lease. For VPN events, this is the MAC address of the client initializing a network session.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "An indication of the type of network session event."
+ },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
+ {
+ "name": "dest_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session."
+ },
+ {
+ "name": "dest_dns",
+ "type": "optional",
+ "comment": "The domain name system address of the destination for a network session event."
+ },
+ {
+ "name": "dest_priority",
+ "type": "optional",
+ "comment": "The priority of the destination."
+ },
+ {
+ "name": "duration",
+ "type": "optional",
+ "validity": "if(isnum(duration),duration,null())",
+ "comment": "The amount of time for the completion of the network session event, in seconds."
+ },
+ {
+ "name": "response_time",
+ "type": "optional",
+ "validity": "if(isnum(response_time),response_time,null())",
+ "comment": "The amount of time it took to receive a response in the network session event, in seconds."
+ },
+ {
+ "name": "src_dns",
+ "type": "optional",
+ "comment": "The external domain name of the client initializing a network session. Not applicable for DHCP events."
+ },
+ {
+ "name": "src_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session. Not applicable for DHCP events."
+ },
+ {
+ "name": "src_mac",
+ "type": "optional",
+ "condition": "tag != dhcp",
+ "validity": "if(match(src_mac,\"^([0-9a-f]{2}:){5}([0-9a-f]{2})$\"),src_mac,null())",
+ "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields."
+ },
+ {
+ "name": "src_ip",
+ "type": "optional",
+ "condition": "tag != dhcp",
+ "comment": "The IP address of the client initializing a network session. Not applicable for DHCP events."
+ },
+ {
+ "name": "user",
+ "type": "conditional",
+ "condition": "tag=vpn",
+ "comment": "The user in a network session event, where applicable. For example, a VPN session or an authenticated DHCP event."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Session_Start",
+ "tags": [["network", "session", "start"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "tag=start"
+ },
+ {
+ "name": "Session_End",
+ "tags": [["network", "session", "end"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "tag=end"
+ },
+ {
+ "name": "DHCP",
+ "tags": [["network", "session", "dhcp"]],
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "lease_duration",
+ "type": "conditional",
+ "condition": "lease_duration=*",
+ "validity": "if(isnum(lease_duration),lease_duration,null())",
+ "comment": "The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds."
+ },
+ {
+ "name": "lease_scope",
+ "type": "optional",
+ "comment": "The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered."
+ },
+ {
+ "name": "src_ip",
+ "type": "not_allowed_in_search",
+ "comment": "The IP address of the client initializing a network session. Not applicable for DHCP events."
+ },
+ {
+ "name": "src_mac",
+ "type": "not_allowed_in_search",
+ "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
+ }
+ ],
+ "child_dataset": [],
+ "search_constraints": "tag=dhcp"
+ },
+ {
+ "name": "VPN",
+ "tags": [["network", "session", "vpn"]],
+ "fields_cluster": [],
+ "fields": [],
+ "child_dataset": [],
+ "search_constraints": "tag=vpn"
+ }
+ ]
+ }
+ ]
+}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json
new file mode 100644
index 00000000..747cb774
--- /dev/null
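Review bot: In All_Sessions, `src_mac` and `src_ip` are declared `"type": "optional"` yet carry `"condition": "tag != dhcp"`, while `user` pairs its condition with `"type": "conditional"`; if the loader only honours `condition` on conditional fields, the DHCP exclusion on the two src fields is silently ignored, so they should either become `"type": "conditional"` or lose the condition. I can't tell from this hunk how a condition on an optional field is treated, so this may be intentional. The DHCP child dataset separately re-declares both fields as "not_allowed_in_search", which might be the mechanism actually relied on and would make the All_Sessions conditions dead weight worth removing for clarity.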
+++ b/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json 
@@ -0,0 +1,348 @@
+{
+ "model_name": "Network_Traffic",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Traffic",
+ "tags": [["network", "communicate"]],
+ "fields_cluster": [
+ ["bytes", "bytes_in", "bytes_out"],
+ ["dest_translated_ip", "src_translated_ip"],
+ ["dest_zone", "src_zone"],
+ ["icmp_type", "icmp_code"],
+ ["packets_in", "packets_out"]
+ ],
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "expected_values": ["allowed", "blocked", "teardown", "flow"],
+ "comment": "The action taken by the network device."
+ },
+ {
+ "name": "app",
+ "type": "required",
+ "comment": "The application protocol of the traffic."
+ },
+ {
+ "name": "bytes",
+ "type": "conditional",
+ "condition": "bytes=*",
+ "validity": "if(isnum(bytes) and bytes>0 and bytes==(bytes_in+bytes_out),bytes,null())",
+ "comment": "Total count of bytes handled by this device/interface (bytes_in + bytes_out)."
+ },
+ {
+ "name": "bytes_in",
+ "type": "conditional",
+ "condition": "bytes_in=*",
+ "validity": "if(isnum(bytes_in) and bytes_in>0,bytes_in,null())",
+ "comment": "How many bytes this device/interface received."
+ },
+ {
+ "name": "bytes_out",
+ "type": "conditional",
+ "condition": "bytes_out=*",
+ "validity": "if(isnum(bytes_out) and bytes_out>0,bytes_out,null())",
+ "comment": "How many bytes this device/interface transmitted."
+ },
+ {
+ "name": "channel",
+ "type": "not_allowed_in_search",
+ "comment": "The 802.11 channel used by a wireless network."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "dest_interface",
+ "type": "optional",
+ "comment": "The interface that is listening remotely or receiving packets locally. 
Can also be referred to as the 'egress interface.'"
+ },
+ {
+ "name": "dest_ip",
+ "type": "conditional",
+ "condition": "| where match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "if((!isnull(dest_ip) AND dest == dest_ip), dest_ip, null())",
+ "comment": "The IP address of the destination."
+ },
+ {
+ "name": "dest_mac",
+ "type": "conditional",
+ "condition": "| where match(dest,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
+ "validity": "if((!isnull(dest_mac) AND dest_mac == dest), dest_mac, null())",
+ "comment": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "dest_port",
+ "type": "conditional",
+ "condition": "transport=tcp OR transport=udp",
+ "validity": "if(isnum(dest_port),dest_port,null())",
+ "comment": "The destination port of the network traffic. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field."
+ },
+ {
+ "name": "dest_translated_ip",
+ "type": "conditional",
+ "condition": "(protocol=IP OR protocol=ICMP) AND src_translated_ip=*",
+ "comment": "The NATed IPv4 or IPv6 address to which a packet has been sent."
+ },
+ {
+ "name": "dest_translated_port",
+ "type": "conditional",
+ "condition": "(transport=tcp OR transport=udp) AND dest_translated_ip=*",
+ "comment": "The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http)."
+ },
+ {
+ "name": "dest_zone",
+ "type": "conditional",
+ "condition":"src_zone=*",
+ "comment": "The network zone of the destination."
+ },
+ {
+ "name": "direction",
+ "type": "optional",
+ "expected_values": ["inbound", "outbound"],
+ "comment": "The direction the packet is traveling."
+ },
+ {
+ "name": "duration",
+ "type": "optional",
+ "validity": "if(isnum(duration),duration,null())",
+ "comment": "The amount of time for the completion of the network event, in seconds."
+ },
+ {
+ "name": "dvc",
+ "type": "required",
+ "comment": "The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name."
+ },
+ {
+ "name": "dvc_mac",
+ "type": "optional",
+ "comment": "The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "dvc_ip",
+ "type": "optional",
+ "comment": "The ip address of the device."
+ },
+ {
+ "name": "dvc_zone",
+ "type": "optional",
+ "comment": "The network zone of the device."
+ },
+ {
+ "name": "flow_id",
+ "type": "optional",
+ "comment": "Unique identifier for this traffic stream, such as a netflow, jflow, or cflow."
+ },
+ {
+ "name": "icmp_code",
+ "type": "conditional",
+ "condition": "protocol=icmp",
+ "validity": "if(isnum(icmp_code),icmp_code,null())",
+ "comment": "The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem . See the ICMP Type Numbers and the ICMPv6 Type Numbers."
+ },
+ {
+ "name": "icmp_type",
+ "type": "conditional",
+ "condition": "protocol=icmp",
+ "validity": "if(isnum(duration) and duration>0 and duration<254,icmp_type,null())",
+ "comment": "The RFC 2780 or RFC 4443 numeric value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers."
+ },
+ {
+ "name": "packets",
+ "type": "conditional",
+ "condition": "packets_in=* OR packets_out=*",
+ "validity": "if(isnum(packets),packets,null())",
+ "comment": "The total count of packets handled by this device/interface (packets_in + packets_out)."
+ },
+ {
+ "name": "packets_in",
+ "type": "optional",
+ "validity": "if(isnum(packets_in),packets_in,null())",
+ "comment": "The total count of packets received by this device/interface."
+ },
+ {
+ "name": "packets_out",
+ "type": "optional",
+ "validity": "if(isnum(packets_out),packets_out,null())",
+ "comment": "The total count of packets transmitted by this device/interface."
+ },
+ {
+ "name": "process_id",
+ "type": "optional",
+ "comment": "The numeric identifier of the process (PID) or service generating the network traffic."
+ },
+ {
+ "name": "protocol",
+ "type": "conditional",
+ "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",protocol ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),protocol,true(), null())",
+ "expected_values": ["ip", "icmp"],
+ "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx."
+ },
+ {
+ "name": "protocol_version",
+ "type": "conditional",
+ "condition": "protocol=ip",
+ "expected_values": ["ipv4", "ipv6"],
+ "comment": "Version of the OSI layer 3 protocol, in lower case."
+ },
+ {
+ "name": "response_time",
+ "type": "optional",
+ "validity": "if(isnum(response_time),response_time,null())",
+ "comment": "The amount of time it took to receive a response in the network event, in seconds."
+ },
+ {
+ "name": "rule",
+ "type": "optional",
+ "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types."
+ },
+ {
+ "name": "rule_id",
+ "type": "optional",
+ "comment": "The vendor-specific unique identifier of the rule. Examples: 0x00011f0000011f00, 0x00011f00-syn_flood."
+ },
+ {
+ "name": "session_id",
+ "type": "optional",
+ "comment": "The session identifier. Multiple transactions build a session."
+ },
+ {
+ "name": "src",
+ "type": "required",
+ "comment": "The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.'"
+ },
+ {
+ "name": "src_interface",
+ "type": "optional",
+ "comment": "The interface that is listening locally or sending packets remotely. Can also be referred to as the 'ingress interface.'"
+ },
+ {
+ "name": "src_translated_ip",
+ "type": "conditional",
+ "condition": "dest_translated_ip=*",
+ "comment": "The interface that is listening locally or sending packets remotely. Can also be referred to as the 'ingress interface.'"
+ },
+ {
+ "name": "src_zone",
+ "type": "conditional",
+ "condition":"dest_zone=*",
+ "comment": "The network zone of the source."
+ },
+ {
+ "name": "ssid",
+ "type": "optional",
+ "comment": "The 802.11 service set identifier (ssid) assigned to a wireless session."
+ },
+ {
+ "name": "wifi",
+ "type": "optional",
+ "comment": "The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n."
+ },
+ {
+ "name": "tcp_flag",
+ "type": "optional",
+ "expected_values": ["SYN", "ACK", "FIN", "RST", "URG", "PSH"],
+ "comment": "The TCP flag or multiple flags specified in the event."
+ },
+ {
+ "name": "tos",
+ "type": "optional",
+ "comment": "The combination of source and destination IP ToS (type of service) values in the event."
+ },
+ {
+ "name": "ttl",
+ "type": "optional",
+ "validity": "if(isnum(ttl),ttl,null())",
+ "comment": "The 'time to live' of a packet or diagram, in seconds."
+ },
+ {
+ "name": "user",
+ "type": "optional",
+ "comment": "The user that requested the traffic flow."
+ },
+ {
+ "name": "vendor_account",
+ "type": "optional",
+ "comment": "The account associated with the network traffic. The account represents the organization, or a Cloud customer or a Cloud account."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data."
+ },
+ {
+ "name": "vlan",
+ "type": "optional",
+ "comment": "The virtual local area network (VLAN) specified in the record."
+ },
+ {
+ "name": "transport",
+ "type": "required",
+ "condition": "",
+ "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",transport ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),transport,true(), null())",
+ "expected_values": ["tcp", "udp", "icmp"],
+ "comment": "The OSI layer 4 (transport) protocol of the traffic observed, in lower case."
+ },
+ {
+ "name": "src_ip",
+ "type": "conditional",
+ "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "validity": "if((!isnull(src_ip) AND src == src_ip), src_ip, null())",
+ "comment": "The ip address of the source."
+ },
+ {
+ "name": "src_mac",
+ "type": "conditional",
+ "condition": "| where match(src,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
+ "validity": "if((!isnull(src_mac) AND src_mac == src), src_mac, null())",
+ "comment": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
+ },
+ {
+ "name": "src_port",
+ "type": "conditional",
+ "condition": "transport=tcp OR transport=udp",
+ "validity": "if(isnum(src_port),src_port,null())",
+ "comment": "The source port of the network traffic. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field."
+ },
+ {
+ "name": "src_translated_port",
+ "type": "conditional",
+ "condition": "(transport=tcp OR transport=udp) AND src_translated_ip=*",
+ "validity": "if(isnum(src_translated_port),src_translated_port,null())",
+ "comment": "The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http."
+ } + ], + "child_dataset": [ + { + "name": "Traffic_By_Action", + "tags": [["network", "communicate"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=*" + }, + { + "name": "Allowed_Traffic", + "tags": [["network", "communicate"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=allowed" + }, + { + "name": "Blocked_Traffic", + "tags": [["network", "communicate"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "action=blocked" + } + ], + "search_constraints": "tag=network tag=communicate" + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/Performance.json b/splunk-cim-models/splunk_cim_models/data_models/Performance.json new file mode 100644 index 00000000..7788967f --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Performance.json 
@@ -0,0 +1,314 @@ +{ + "model_name": "Performance", + "version": "1.0.0", + "objects": [ + { + "name": "All_Performance", + "tags": [["performance"]], + "search_constraints": "tag=performance", + "fields_cluster": [], + "fields": [ + { + "name": "dest_should_timesync", + "type": "optional", + "comment": "Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security." + }, + { + "name": "dest_should_update", + "type": "optional", + "comment": "Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "hypervisor_id", + "type": "optional", + "comment": "The ID of the virtualization hypervisor." + }, + { + "name": "resource_type", + "type": "optional", + "comment": "The type of facilities resource involved in the performance event, such as a rack, room, or system." + }, + { + "name": "dest", + "type": "required", + "comment": "The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + } + ], + "child_dataset": [ + { + "name": "CPU", + "tags": [["cpu", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=cpu", + "fields": [ + { + "name": "cpu_load_mhz", + "type": "optional", + "comment": "The amount of CPU load reported by the controller in megahertz." + }, + { + "name": "cpu_load_percent", + "type": "required", + "comment": "The amount of CPU load reported by the controller in percentage points." + }, + { + "name": "cpu_time", + "type": "optional", + "comment": "The number of CPU seconds consumed by processes." 
+ }, + { + "name": "cpu_user_percent", + "type": "optional", + "comment": "Percentage of CPU user time consumed by processes." + } + ], + "child_dataset": [] + }, + { + "name": "Facilities", + "tags": [["facilities", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=facilities", + "fields": [ + { + "name": "temperature", + "type": "required", + "comment": "Average temperature of the facilities resource, in degrees Celsius." + }, + { + "name": "power", + "type": "optional", + "comment": "Amount of power consumed by the facilities resource, in kW." + }, + { + "name": "fan_speed", + "type": "optional", + "comment": "The speed of the cooling fan in the facilities resource, in rotations per second." + } + ], + "child_dataset": [] + }, + { + "name": "Memory", + "tags": [["memory", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=memory", + "fields": [ + { + "name": "mem", + "type": "required", + "comment": "The total amount of memory capacity reported by the resource, in megabytes." + }, + { + "name": "mem_committed", + "type": "optional", + "comment": "The committed amount of memory reported by the resource, in megabytes." + }, + { + "name": "mem_free", + "type": "required", + "comment": "The free amount of memory reported by the resource, in megabytes." + }, + { + "name": "mem_used", + "type": "required", + "comment": "The used amount of memory reported by the resource, in megabytes." + }, + { + "name": "swap", + "type": "optional", + "comment": "The total swap space size, in megabytes, if applicable." + }, + { + "name": "swap_free", + "type": "optional", + "comment": "The free swap space size, in megabytes, if applicable." + }, + { + "name": "swap_used", + "type": "optional", + "comment": "The used swap space size, in megabytes, if applicable." 
+ } + ], + "child_dataset": [] + }, + { + "name": "Storage", + "tags": [["storage", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=storage", + "fields": [ + { + "name": "array", + "type": "optional", + "comment": "The array that the resource is a member of, if applicable." + }, + { + "name": "blocksize", + "type": "optional", + "comment": "Block size used by the storage resource, in kilobytes." + }, + { + "name": "cluster", + "type": "optional", + "comment": "The cluster that the resource is a member of, if applicable." + }, + { + "name": "fd_max", + "type": "optional", + "comment": "The maximum number of available file descriptors." + }, + { + "name": "fd_used", + "type": "optional", + "comment": "The current number of open file descriptors." + }, + { + "name": "latency", + "type": "optional", + "comment": "The latency reported by the resource, in milliseconds." + }, + { + "name": "mount", + "type": "optional", + "comment": "The mount point of a storage resource." + }, + { + "name": "parent", + "type": "optional", + "comment": "A generic indicator of hierarchy. For instance, a disk event might include the array id here." + }, + { + "name": "read_blocks", + "type": "optional", + "comment": "Number of blocks read." + }, + { + "name": "read_latency", + "type": "optional", + "comment": "The latency of read operations, in milliseconds." + }, + { + "name": "read_ops", + "type": "optional", + "comment": "Number of read operations." + }, + { + "name": "storage", + "type": "optional", + "comment": "The total amount of storage capacity reported by the resource, in megabytes." + }, + { + "name": "storage_free", + "type": "required", + "comment": "The free amount of storage capacity reported by the resource, in megabytes." + }, + { + "name": "storage_free_percent", + "type": "required", + "comment": "The percentage of storage capacity reported by the resource that is free." 
+ }, + { + "name": "storage_used", + "type": "required", + "comment": "The used amount of storage capacity reported by the resource, in megabytes." + }, + { + "name": "storage_used_percent", + "type": "required", + "comment": "The percentage of storage capacity reported by the resource that is used." + }, + { + "name": "write_blocks", + "type": "optional", + "comment": "The number of blocks written by the resource." + }, + { + "name": "write_latency", + "type": "optional", + "comment": "The latency of write operations, in milliseconds." + }, + { + "name": "write_ops", + "type": "optional", + "comment": "The total number of write operations processed by the resource." + } + ], + "child_dataset": [] + }, + { + "name": "Network", + "tags": [["network", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=network", + "fields": [ + { + "name": "thruput", + "type": "required", + "comment": "The current throughput reported by the service, in bytes." + }, + { + "name": "thruput_max", + "type": "optional", + "comment": "The maximum possible throughput reported by the service, in bytes." + } + ], + "child_dataset": [] + }, + { + "name": "OS", + "tags": [["os", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=os", + "fields": [ + { + "name": "signature", + "type": "required", + "comment": "The event description signature, if available." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + } + ], + "child_dataset": [ + { + "name": "Timesync", + "tags": [["performance", "os", "performance", "synchronize"]], + "fields_cluster": [], + "search_constraints": "tag=synchronize tag=time", + "fields": [ + { + "name": "action", + "type": "required", + "expected_values": [ + "success", + "failure" + ], + "comment": "The result of a time sync event." 
+ } + ], + "child_dataset": [] + }, + { + "name": "Uptime", + "tags": [["uptime", "os", "performance"]], + "fields_cluster": [], + "search_constraints": "tag=uptime", + "fields": [ + { + "name": "uptime", + "type": "required", + "comment": "The uptime of the compute resource, in seconds." + } + ], + "child_dataset": [] + } + ] + } + + ] + } + ] +} diff --git a/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json b/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json new file mode 100644 index 00000000..fa809ad7 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json 
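Review bot: The Timesync child dataset near the end of this hunk is tagged `[["performance", "os", "performance", "synchronize"]]` while its search constraint is `tag=synchronize tag=time`, so the tag list repeats `performance` and omits the `time` tag the constraint actually requires; an event built from that tag list would never satisfy its own constraint. Unless the `time` tag is supplied somewhere not visible here, I would change it to `"tags": [["time", "synchronize", "os", "performance"]]`, matching the sibling children (CPU, Memory, Uptime, …), each of which lists every tag in its constraint exactly once. The Performance hunk is complete within this chunk.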
@@ -0,0 +1,129 @@ + +{ + "model_name": "Ticket_Management", + "version": "1.0.0", + "objects": [ + { + "name": "All_Ticket_Management", + "tags": [["ticketing"]], + "search_constraints": "tag=ticketing", + "fields_cluster": [], + "fields": [ + { + "name": "affect_dest", + "type": "optional", + "comment": "Destinations affected by the service request." + }, + { + "name": "comments", + "type": "optional", + "comment": "Comments about the service request." + }, + { + "name": "description", + "type": "optional", + "comment": "The description of the service request." + }, + { + "name": "priority", + "type": "required", + "comment": "The relative priority of the service request." + }, + { + "name": "severity", + "type": "required", + "comment": "The relative severity of the service request." + }, + { + "name": "severity_id", + "type": "required", + "comment": "The numeric or vendor specific severity indicator corresponding to the event severity." + }, + { + "name": "splunk_id", + "type": "optional", + "comment": "The unique identifier of the service request as it pertains to Splunk. For example, 14DA67E8-6084-4FA8-9568-48D05969C522@@_internal@@0533eff241db0d892509be46cd3126e30e0f6046." + }, + { + "name": "splunk_realm", + "type": "optional", + "comment": "The Splunk application or use case associated with the unique identifier (splunk_id). For example, es_notable." + }, + { + "name": "src_user", + "type": "optional", + "comment": "The user or entity that created or triggered the service request, if applicable." + }, + { + "name": "status", + "type": "required", + "comment": "The relative status of the service request." + }, + { + "name": "time_submitted", + "type": "optional", + "comment": "The time that the src_user submitted the service request." + }, + { + "name": "user", + "type": "optional", + "comment": "The name of the user or entity that is assigned to carry out the service request, if applicable." 
+ }, + { + "name": "dest", + "type": "required", + "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "ticket_id", + "type": "required", + "comment": "An identification name, code, or number for the service request." + } + ], + "child_dataset": [ + { + "name": "Change", + "tags": [["change", "ticketing"]], + "search_constraints": "tag=change", + "fields_cluster": [], + "fields": [ + { + "name": "change", + "type": "optional", + "comment": "Designation for a request for change (RFC) that is raised to modify an IT service to resolve an incident or problem." + } + ], + "child_dataset": [] + }, + { + "name": "Incident", + "tags": [["incident", "ticketing"]], + "search_constraints": "tag=incident", + "fields_cluster": [], + "fields": [ + { + "name": "incident", + "type": "optional", + "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + } + ], + "child_dataset": [] + }, + { + "name": "Problem", + "tags": [["problem", "ticketing"]], + "search_constraints": "tag=problem", + "fields_cluster": [], + "fields": [ + { + "name": "problem", + "type": "optional", + "comment": "When multiple occurrences of related incidents are observed, they are collectively designated with a single problem value. Problem management differs from the process of managing an isolated incident. Often problems are managed by a specific set of staff and through a problem management process." + } + ], + "child_dataset": [] + } + ] + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Updates.json b/splunk-cim-models/splunk_cim_models/data_models/Updates.json new file mode 100644 index 00000000..8d2f5b0d --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Updates.json 
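Review bot: The `incident` field inside the Incident child dataset carries the comment `The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.`, which is copied verbatim from the `dest` field earlier in the same hunk and describes the wrong field. Because these comments surface in generated reports and are what add-on authors read, I would replace it with a description of the incident designation, parallel to the sibling `change` and `problem` comments, e.g. `Designation for an incident that this service request is associated with; used to group related tickets under incident management.` — confirm the wording against the Splunk CIM reference. The file is also added without a trailing newline.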
@@ -0,0 +1,114 @@ +{ + "version":"1.0.0", + "model_name": "Updates", + "objects":[ + { + "name": "Updates", + "tags": [ + ["update","status"] + ], + "fields_cluster": [], + "search_constraints": "tag=update tag=status", + "fields": [ + { + "name": "dest", + "type": "required", + "comment":"The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dvc", + "type": "required", + "comment":"The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name." + }, + { + "name": "file_hash", + "type": "optional", + "comment":"The checksum of the patch package that was installed or attempted." + }, + { + "name": "file_name", + "type": "required", + "multi_value": true, + "comment":"The name of the patch package that was installed or attempted." + }, + { + "name": "severity", + "type": "optional", + "expected_values": [ + "critical", + "high", + "medium", + "low", + "informational" + ], + "comment":"The severity associated with the patch event." + }, + { + "name": "severity_id", + "type": "optional", + "comment": "The numeric or vendor specific severity indicator corresponding to the event severity." + }, + { + "name": "signature", + "type": "required", + "multi_value": true, + "comment":"The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739." + }, + { + "name": "signature_id", + "type": "required", + "multi_value": true, + "comment":"The ID of the patch requirement detected on the client (the src)." + }, + { + "name": "status", + "type": "required", + "expected_values": [ + "available", + "installed", + "invalid", + "restart required", + "failure" + ], + "comment":"Indicates the status of a given patch requirement." 
+ }, + { + "name": "vendor_product", + "type": "required", + "comment":"The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [ + { + "name":"Available_Updates", + "tags": [ + ["update","status"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"status=\"available\"" + }, + { + "name":"Installed_Updates", + "tags": [ + ["update","status"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"status=\"installed\"" + }, + { + "name":"Restart_Required_Updates", + "tags": [ + ["update","status"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"status=\"restart_required\"" + } + ] + }] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json b/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json new file mode 100644 index 00000000..96eb322a --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json 
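Review bot: `Restart_Required_Updates` constrains on `status="restart_required"` while the `status` field's `expected_values` in the same file list `restart required` with a space, so an event carrying the documented value never lands in that child dataset and one carrying the underscore form fails the expected-values check; the two cannot both pass. The sibling children use the bare expected value, so `"search_constraints":"status=\"restart required\""` is the consistent fix, unless the upstream CIM definition is the source of truth, in which case the expected value should change instead. Separately, the `signature_id` comment says the requirement is detected on the client `(the src)` whereas `signature` says `(the dest)` and `dest` is defined as the system affected by the patch, so `src` looks like a typo for `dest`.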
@@ -0,0 +1,141 @@ +{ + "model_name": "Vulnerabilities", + "version": "1.0.0", + "objects": + [{ + "name": "Vulnerabilities", + "tags": [ + ["vulnerability","report"] + ], + "fields_cluster": [], + "search_constraints": "tag=vulnerability tag=report", + "fields": [ + { + "name": "bugtraq", + "type": "optional", + "comment":"Corresponds to an identifier in the vulnerability database provided by the Security Focus website." + }, + { + "name": "category", + "type": "required", + "comment":"The category of the discovered vulnerability, such as DoS." + }, + { + "name": "cert", + "type": "optional", + "comment":"Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team" + }, + { + "name": "cve", + "type": "required", + "multi_value": true, + "comment":"Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index" + }, + { + "name": "cvss", + "type": "required", + "validity": "if(isnum(cvss),cvss,null())", + "comment":"Numeric indicator of the common vulnerability scoring system." + }, + { + "name": "dest", + "type": "required", + "comment":"The host with the discovered vulnerability. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dvc", + "type": "required", + "comment":"The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name." + }, + { + "name": "msft", + "type": "optional", + "comment":"Corresponds to a Microsoft Security Advisory number." + }, + { + "name": "mskb", + "type": "optional", + "comment":"Corresponds to a Microsoft Knowledge Base article number." + }, + { + "name": "severity", + "type": "required", + "expected_values": [ + "critical", + "high", + "medium", + "low", + "informational" + ], + "comment":"The severity of the vulnerability detection event. Specific values are required." 
+ }, + { + "name": "severity_id", + "type": "optional", + "comment": "The numeric or vendor specific severity indicator corresponding to the event severity." + }, + { + "name": "signature", + "type": "required", + "comment":"The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "url", + "type": "optional", + "comment":"The URL involved in the discovered vulnerability." + }, + { + "name": "user", + "type": "optional", + "comment":"The user involved in the discovered vulnerability." + }, + { + "name": "vendor_product", + "type": "required", + "comment":"The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data." + }, + { + "name": "xref", + "type": "optional", + "comment":"A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database." + } + ], + "child_dataset": [ + { + "name":"High_Critical_Vulnerabilities", + "tags": [ + ["vulnerability","report"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"(severity=\"high\" OR severity=\"critical\")" + }, + { + "name":"Medium_Vulnerabilities", + "tags": [ + ["vulnerability","report"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"severity=\"medium\"" + }, + { + "name":"Low_Informational_Vulnerabilities", + "tags": [ + ["vulnerability","report"] + ], + "fields_cluster":[], + "fields":[], + "child_dataset": [], + "search_constraints":"(severity=\"low\" OR severity=\"informational\")" + } + ] + }] +} \ No newline at end of file 
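Review bot: The `cvss` validity expression `if(isnum(cvss),cvss,null())` only checks that the value is numeric, so a score of 42 or -1 passes even though CVSS base scores are bounded to 0.0–10.0; a range check is cheap and catches the common extraction mistake of mapping a vendor severity_id or another numeric column into this field. Assuming `validity` here is meant to reject implausible values the way it does for other numeric fields, I would use `"validity": "if(isnum(cvss) AND cvss>=0 AND cvss<=10,cvss,null())"`. The file is also added without a trailing newline.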
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Web.json b/splunk-cim-models/splunk_cim_models/data_models/Web.json
new file mode 100644
index 00000000..0aaaf56a
--- /dev/null
+++ b/splunk-cim-models/splunk_cim_models/data_models/Web.json
@@ -0,0 +1,275 @@ +{ + "model_name": "Web", + "version": "1.0.0", + "objects": [ + { + "name": "Web", + "tags": [["web"]], + "fields_cluster": [ + ["bytes", "bytes_in", "bytes_out"], + ["http_user_agent", "http_user_agent_length"] + ], + "fields": [ + { + "name": "action", + "type": "required", + "comment": "The action taken by the server or proxy." + }, + { + "name": "app", + "type": "conditional", + "condition": "app=*", + "validity": "if(isstr(app),app,null())", + "comment": "The application detected or hosted by the server/site such as wordpress, splunk, or facebook." + }, + { + "name": "dest", + "type": "required", + "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_port", + "type": "required", + "validity": "if(isnum(dest_port),dest_port,null())", + "comment": "The destination port of the web traffic." + }, + { + "name": "src", + "type": "required", + "comment": "The source of the network traffic (the client requesting the connection)." + }, + { + "name": "status", + "type": "required", + "expected_values": [ + "100", + "101", + "102", + "200", + "201", + "202", + "203", + "204", + "205", + "206", + "207", + "208", + "226", + "300", + "301", + "302", + "303", + "304", + "305", + "306", + "307", + "308", + "400", + "401", + "402", + "403", + "404", + "405", + "406", + "407", + "408", + "409", + "410", + "411", + "412", + "413", + "414", + "415", + "416", + "417", + "422", + "423", + "424", + "426", + "428", + "429", + "431", + "500", + "501", + "502", + "503", + "504", + "505", + "506", + "507", + "508", + "510", + "511" + ], + "comment": "The HTTP response code indicating the status of the proxy request." 
+ }, + { + "name": "uri_path", + "type": "conditional", + "condition": "uri_path=*", + "validity": "if(match(uri_path, \"^\/[/.a-zA-Z0-9- _%]*\"),uri_path,null())", + "comment": "The path of the resource served by the webserver or proxy." + }, + { + "name": "url", + "type": "required", + "comment": "The URL of the requested HTTP resource." + }, + { + "name": "url_domain", + "type": "required", + "comment": "The domain name contained within the URL of the requested HTTP resource." + }, + { + "name": "url_length", + "type": "optional", + "validity": "if(url_length == len(url), url_length, null())", + "comment": "The length of the URL." + }, + { + "name": "category", + "type": "required", + "comment": "The category of traffic, such as may be provided by a proxy server." + }, + { + "name": "bytes", + "type": "required", + "validity": "if(isnum(bytes) and bytes == (bytes_in+bytes_out),bytes,null())", + "comment": "The total number of bytes transferred (bytes_in + bytes_out)." + }, + { + "name": "bytes_in", + "type": "required", + "validity": "if(isnum(bytes_in),bytes_in,null())", + "comment": "The number of inbound bytes transferred." + }, + { + "name": "bytes_out", + "type": "required", + "validity": "if(isnum(bytes_out),bytes_out,null())", + "comment": "The number of outbound bytes transferred." + }, + { + "name": "http_method", + "type": "required", + "expected_values": [ + "GET", + "PUT", + "POST", + "DELETE", + "HEAD", + "OPTIONS", + "CONNECT", + "TRACE" + ], + "comment": "The HTTP method used in the request." + }, + { + "name": "http_user_agent", + "type": "required", + "comment": "The user agent used in the request." + }, + { + "name": "http_user_agent_length", + "type": "required", + "validity": "if(http_user_agent_length == len(http_user_agent), http_user_agent_length, null())", + "comment": "The length of the user agent used in the request." 
+ }, + { + "name": "cached", + "type": "optional", + "expected_values": ["true", "false", "1", "0"], + "comment": "Indicates whether the event data is cached or not." + }, + { + "name": "duration", + "type": "optional", + "validity": "if(isnum(duration),duration,null())", + "comment": "The time taken by the proxy event, in milliseconds." + }, + { + "name": "http_content_type", + "type": "optional", + "comment": "The content-type of the requested HTTP resource." + }, + { + "name": "response_time", + "type": "optional", + "validity": "if(isnum(response_time),response_time,null())", + "comment": "The amount of time it took to receive a response, if applicable, in milliseconds." + }, + { + "name": "uri_query", + "type": "optional", + "comment": "The path of the resource requested by the client." + }, + { + "name": "user", + "type": "optional", + "comment": "The user that requested the HTTP resource." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data." + }, + { + "name": "cookie", + "type": "optional", + "comment": "The cookie file recorded in the event." + }, + { + "name": "http_referrer", + "type": "optional", + "comment": "The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. Use a FIELDALIAS to handle both key names." + }, + { + "name": "http_referrer_domain", + "type": "optional", + "comment": "The domain name contained within the HTTP referrer used in the request." + }, + { + "name": "site", + "type": "optional", + "comment": "The virtual site which services the request, if applicable." 
+ } + ], + "child_dataset": [ + { + "name": "Proxy", + "tags": [["proxy", "web"]], + "fields_cluster": [], + "fields": [], + "child_dataset": [], + "search_constraints": "tag=proxy" + }, + { + "name": "Storage", + "tags": [["storage", "web"]], + "fields_cluster": [], + "fields":[ + { + "name": "error_code", + "type": "optional", + "comment": "The error code that occurred while accessing the storage account" + }, + { + "name": "operation", + "type": "optional", + "comment": "The operation performed on the storage account." + }, + { + "name": "storage_name", + "type": "optional", + "comment": "The name of the bucket or storage account." + } + ], + "child_dataset": [], + "search_constraints": "tag=storage" + + } + ], + "search_constraints": "tag=web" + } + ] +} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/datamodel_definition.py b/splunk-cim-models/splunk_cim_models/datamodel_definition.py new file mode 100644 index 00000000..a7758962 --- /dev/null +++ b/splunk-cim-models/splunk_cim_models/datamodel_definition.py 
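Review bot: The `uri_path` validity regex `^/[/.a-zA-Z0-9- _%]*` (JSON escaping aside) has no end anchor and its character class is quantified with `*`, so `match()` succeeds for any value that merely begins with `/` — the class never rejects anything, and `/a?b` or a path containing `<` is accepted as valid. If the class is meant to be enforced, anchor it with `$`, but then it must also admit characters that are legal and common in paths (`~`, `+`, `=`, `,`, `;`, `@`, `!`, `$`, `&`, `'`, `(`, `)`, `*`), e.g. `^/[A-Za-z0-9._~!$&'()*+,;=:@%/ -]*$`; otherwise simplify the check to `^/` so the regex says what it does. Unrelated: the `uri_query` comment `The path of the resource requested by the client.` duplicates the `uri_path` description and should describe the query string (the part of the URL after `?`). The Web hunk is complete within this chunk.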
@@ -0,0 +1,2404 @@
+#
+# Copyright 2026 Splunk Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+datamodels = {
+ "4.18.1": {
+ "Alerts": {
+ "BaseEvent": [
+ "app",
+ "dest",
+ "severity",
+ "signature_id",
+ "src",
+ "type",
+ "user",
+ ]
+ },
+ "Application_State": {
+ "BaseEvent": ["dest", "process"],
+ "Ports": ["dest_port", "transport"],
+ "Services": ["service", "service_id", "start_mode", "status"],
+ },
+ "Authentication": {
+ "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
+ },
+ "Certificates": {
+ "SSL": [
+ "ssl_end_time",
+ "ssl_serial",
+ "ssl_start_time",
+ "ssl_hash",
+ "ssl_issuer",
+ "ssl_issuer_common_name",
+ "ssl_issuer_email_domain",
+ "ssl_subject",
+ "ssl_subject_common_name",
+ "ssl_subject_email_domain",
+ ]
+ },
+ "Change": {
+ "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
+ "BaseEvent": [
+ "change_type",
+ "command",
+ "dest",
+ "dvc",
+ "object",
+ "object_attrs",
+ "object_category",
+ "object_id",
+ "object_path",
+ "status",
+ "result",
+ "result_id",
+ "src",
+ "user",
+ "vendor_product",
+ "action",
+ ],
+ "Instance_Changes": ["image_id", "instance_type"],
+ },
+ "Change_Analysis": {
+ "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
+ "BaseEvent": [
+ "change_type",
+ "command",
+ "dest",
+ "dvc",
+ "object",
+ "object_attrs",
+ "object_category",
+ "object_id",
+ "object_path",
+ "status",
+ "result",
+ "result_id",
+ "src",
+ "user",
+ "vendor_product",
+ 
"action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + 
"vendor_product", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "4.19": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature_id", + "src", + "type", + "user", + "user_name", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": 
["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "user_name", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + 
"dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + 
"Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "4.20.2": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature_id", + "src", + "type", + "user", + "user_name", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "user_name", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", 
"instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + ] + }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "tenant_id", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "original_file_name", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + 
"vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + 
}, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "5.0.0": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature_id", + "src", + "type", + "user", + "user_name", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "user_name", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", 
"cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + ] + }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "vendor_account", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "original_file_name", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + 
"category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "5.3.1": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature_id", + "src", + "type", + "user", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + 
"BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + ] + }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_attrs", + "object_category", + "object_id", + "object_size", + "src", + 
"user_name", + "vendor_account", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "loaded_file", + "original_file_name", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + 
"bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "5.3.2": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature", + "signature_id", + "src", + "type", + "user", + "description", + "id", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "dest", "user"], + "Privileged_Authentication": ["src_user"], + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_organization", + "ssl_validity_window", + ] + }, + "Change": { + "Account_Management": [ + "src_user", + "object_category", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_id", + "status", + "result", + 
"src", + "user", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + "app", + ] + }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_attrs", + "object_category", + "object_id", + "object_size", + "src", + "user_name", + "vendor_account", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + "internal_message_id", + "message_id", + "protocol", + "return_addr", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + 
"src_port", + "transport_dest_port", + "dest", + "vendor_product", + "state", + ], + "Processes": [ + "action", + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "process_id", + "process_path", + "parent_process_id", + "parent_process_path", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + "status", + "registry_hive", + "registry_value_text", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_path", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "vendor_product", + "action", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "dest", + "severity", + "signature", + "file_name", + "file_path", + "vendor_product", + ], + "Malware_Operations": [ + "signature_version", + "dest", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + "src", + "transport", + "answer_count", + "query_count", + "query_type", + "record_type", + "response_time", + "transaction_id", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "vendor_product", + "action", + "signature", + ], + "DHCP": ["lease_duration"], + "VPN": ["user"], + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "src", + "src_port", + "transport", + "vendor_product", + "app", + "packets", + "packets_in", + "packets_out", + "protocol", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": 
["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Ticket_Management": { + "BaseEvent": [ + "priority", + "severity", + "severity_id", + "status", + "dest", + "ticket_id", + ] + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + "dvc", + "file_name", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + "cvss", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_method", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + "category", + "dest_port", + "http_user_agent_length", + ] + }, + }, + "6.0.0": { + "Alerts": { + "BaseEvent": [ + "app", + "dest", + "severity", + "signature", + "signature_id", + "src", + "type", + "user", + "description", + "id", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "dest", "user"], + "Privileged_Authentication": ["src_user"], + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_organization", + "ssl_validity_window", + ] + }, + "Change": { + "Account_Management": [ + "src_user", + "object_category", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_id", + "status", + "result", + "src", + "user", + "vendor_product", + 
"action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", + "user", + "vendor_product", + "app", + ] + }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_attrs", + "object_category", + "object_id", + "object_size", + "src", + "user_name", + "vendor_account", + "user", + "vendor_product", + ] + }, + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + "internal_message_id", + "message_id", + "protocol", + "return_addr", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "transport_dest_port", + "dest", + 
"vendor_product", + "state", + ], + "Processes": [ + "action", + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "process_id", + "process_path", + "parent_process_id", + "parent_process_path", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + "status", + "registry_hive", + "registry_value_text", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_path", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "vendor_product", + "action", + ] + }, + "Malware": { + "BaseEvent": [ + "action", + "category", + "dest", + "severity", + "signature", + "file_name", + "file_path", + "vendor_product", + ], + "Malware_Operations": [ + "signature_version", + "dest", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + "src", + "transport", + "answer_count", + "query_count", + "query_type", + "record_type", + "response_time", + "transaction_id", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "vendor_product", + "action", + "signature", + ], + "DHCP": ["lease_duration"], + "VPN": ["user"], + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + "dvc", + "src", + "src_port", + "transport", + "vendor_product", + "app", + "packets", + "packets_in", + "packets_out", + "protocol", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + 
"Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Ticket_Management": { + "BaseEvent": [ + "priority", + "severity", + "severity_id", + "status", + "dest", + "ticket_id", + ] + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + "dvc", + "file_name", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + "cvss", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_method", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + "category", + "dest_port", + "http_user_agent_length", + ] + }, + }, +} +# No recommended/required fields changes between v6.0.0 and v6.2.0 +datamodels["6.0.1"] = datamodels["6.0.0"] +datamodels["6.0.2"] = datamodels["6.0.0"] +datamodels["6.1.0"] = datamodels["6.0.2"] +datamodels["6.2.0"] = datamodels["6.1.0"] +datamodels["latest"] = datamodels["6.2.0"] diff --git a/tests/unit/tests_standard_lib/test_app_test_generator.py b/tests/unit/tests_standard_lib/test_app_test_generator.py index e117d628..ef76caec 100644 --- a/tests/unit/tests_standard_lib/test_app_test_generator.py +++ b/tests/unit/tests_standard_lib/test_app_test_generator.py @@ -2,6 +2,7 @@ from unittest.mock import patch from collections import namedtuple from pytest_splunk_addon.app_test_generator import AppTestGenerator +from splunk_cim_models import DATA_MODELS_PATH module = "pytest_splunk_addon.app_test_generator" config = { 
@@ -38,7 +39,7 @@ def app_test_generator(mock_object):
 "simple_config, path",
 [
 (test_config, "fake_path"),
- (test_config_without_dm_path, "/fake_dir/data_models"),
+ (test_config_without_dm_path, DATA_MODELS_PATH),
 ],
 )
 def test_app_test_generator_instantiation(
diff --git a/tests/unit/tests_standard_lib/test_cim_tests/test_test_generator.py b/tests/unit/tests_standard_lib/test_cim_tests/test_test_generator.py
index 2f5758d6..0be80a5e 100644
--- a/tests/unit/tests_standard_lib/test_cim_tests/test_test_generator.py
+++ b/tests/unit/tests_standard_lib/test_cim_tests/test_test_generator.py
@@ -2,6 +2,7 @@ from unittest.mock import patch, MagicMock
 from collections import namedtuple
 from pytest_splunk_addon.cim_tests.test_generator import CIMTestGenerator
+from splunk_cim_models import COMMON_FIELDS_PATH
 field = namedtuple("Field", ["type", "name"], defaults=["", ""])
 data_set = namedtuple("DataSet", ["fields", "fields_cluster"])
@@ -99,10 +100,7 @@ def test_cim_test_generator_instantiation(args):
 ap_mock.assert_called_once_with("addon_path")
 if len(args) == 3:
 assert cim.test_field_type == ["required", "conditional"]
- assert (
- "pytest_splunk_addon/cim_tests/CommonFields.json"
- in cim.common_fields_path
- )
+ assert cim.common_fields_path == COMMON_FIELDS_PATH
 else:
 assert cim.test_field_type == args[3]
 assert cim.common_fields_path == args[4]
From 782e4f4850b33be48d7c41ce8d3aaf825bb22602 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Fri, 13 Feb 2026 08:15:28 +0100
Subject: [PATCH 03/16] fix: add splunk-cim-models to licenserc paths-ignore
---
 .licenserc.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.licenserc.yaml b/.licenserc.yaml
index eeaa31d2..1b25cf7b 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -38,3 +38,4 @@ header:
 - "pytest_splunk_addon/.ignore_splunk_internal_errors"
 - "pytest_splunk_addon/docker_class.py"
 - "deps"
+ - "splunk-cim-models/**"
From 37a2d853a45146921a2b9188c5906f30d43acb90 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Fri, 13 Feb 2026 11:50:39 +0100
Subject: [PATCH 04/16] fix: use version constraint for splunk-cim-models instead of path dep
Change splunk-cim-models dependency from path reference to standard version constraint so pip consumers (e.g. TAs) can specify their own source for splunk-cim-models without conflicting with PSA's internal path reference in the built wheel metadata.
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 23dc2806..2c88d3e5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -50,7 +50,7 @@ splunksplwrapper = "^1.1.1"
 urllib3 = "<2"
 certifi = "^2024.7.4"
 zipp = "^3.6.0"
-splunk-cim-models = {path = "./splunk-cim-models", develop = true}
+splunk-cim-models = ">=0.1.0"
 [tool.poetry.group.dev.dependencies]
 pytest-cov = "^4"
From afa6da9cd03e996d978f137858a522b96c6da7a6 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:08:27 +0100
Subject: [PATCH 05/16] feat: reference psa-cim-models@v2 from standalone GitHub repo
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 2c88d3e5..84e48087 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -50,7 +50,7 @@ splunksplwrapper = "^1.1.1"
 urllib3 = "<2"
 certifi = "^2024.7.4"
 zipp = "^3.6.0"
-splunk-cim-models = ">=0.1.0"
+splunk-cim-models = {git = "https://github.com/splunk/psa-cim-models.git", branch = "v2"}
 [tool.poetry.group.dev.dependencies]
 pytest-cov = "^4"
From c7c87d2f4b14354dca2ec83d56574055ce9e2f8d Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:18:49 +0100
Subject: [PATCH 06/16] chore: update poetry.lock for psa-cim-models git dependency
---
 poetry.lock | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 4e462c4e..6e145fa6 100644
--- a/poetry.lock
+++ b/poetry.lock
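Review bot: `splunk-cim-models = {git = "https://github.com/splunk/psa-cim-models.git", branch = "v2"}` pins the dependency to a moving branch head rather than an immutable ref, so what gets installed depends on when the lock is regenerated; the same constraint is carried into the dev group in the later `@@ -50,13 +50,13 @@` pyproject.toml hunk. The lock file does record a `resolved_reference` commit, but any `poetry update`/`poetry lock` silently advances it to whatever `v2` points at, which is exactly what the follow-up lock commits in this series do. For a reproducible, reviewable supply chain prefer an immutable ref, e.g. `splunk-cim-models = {git = "https://github.com/splunk/psa-cim-models.git", tag = "<RELEASE_TAG_PLACEHOLDER>"}` or a `rev = "<COMMIT_SHA_PLACEHOLDER>"`, and bump it deliberately.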
@@ -725,17 +725,19 @@ files = [
 [[package]]
 name = "splunk-cim-models"
-version = "0.1.0"
+version = "2.0.0"
 description = "Splunk CIM (Common Information Model) data model definitions and schemas"
 optional = false
-python-versions = "^3.7"
+python-versions = ">=3.7"
 groups = ["main"]
 files = []
-develop = true
+develop = false
 [package.source]
-type = "directory"
-url = "splunk-cim-models"
+type = "git"
+url = "https://github.com/splunk/psa-cim-models.git"
+reference = "v2"
+resolved_reference = "3533d7fd6a449b7c2424a3eed2321e872af416a2"
 [[package]]
 name = "splunk-sdk"
@@ -862,4 +864,4 @@ testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.7"
-content-hash = "0a39d71a125f0f154f828338065c76098c3f46d5367e61cfe14d1d2e50ccde9a"
+content-hash = "b305649581489cf6eeb62240aff083718b086521384a54f09ab74546b5a345cf"
From 821d08c340b9e994278ac74b057c5d960c73b6a0 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:23:46 +0100
Subject: [PATCH 07/16] ci: add git credential config for private psa-cim-models access
---
 .github/workflows/build-test-release.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml
index 868317c4..d73eb917 100644
--- a/.github/workflows/build-test-release.yml
+++ b/.github/workflows/build-test-release.yml
@@ -74,6 +74,8 @@ jobs:
 submodules: true
 - name: Install dependencies
 run: |
+ git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf https://github.com
+ git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf ssh://git@github.com
 curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1
 poetry install
 poetry run pytest -v tests/unit
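Review bot: The two `git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf ...` lines write the token in clear text into the runner's `~/.gitconfig` and rewrite every github.com URL the job touches, not just the psa-cim-models clone; the identical pair is added again in the e2e job hunk (`@@ -159,6 +161,8 @@`), so this applies there too. GitHub masks the secret in log output, but the credential persists on disk for the rest of the job (and across jobs on a self-hosted runner) and is exposed to anything else the workflow runs, and judging by its name `GH_TOKEN_ADMIN` is far more privileged than the read-only clone needs. Prefer a least-privilege credential (a fine-grained read-only token or deploy key for psa-cim-models), expose it through the step's `env:` rather than interpolating it into the script body, and scope the rewrite to the one repository, e.g. `env: { GH_TOKEN: "${{ secrets.GH_TOKEN_ADMIN }}" }` plus `git config --global url."https://x-access-token:${GH_TOKEN}@github.com/splunk/psa-cim-models".insteadOf "https://github.com/splunk/psa-cim-models"`. If nothing should touch disk at all, the same mapping can be supplied to git for the duration of the step through the `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment variables instead of `--global`.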
@@ -159,6 +161,8 @@ jobs:
 with:
 python-version: 3.7
 - run: |
+ git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf https://github.com
+ git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf ssh://git@github.com
 curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1
 poetry install
 poetry run pytest -v --splunk-version=${{ matrix.splunk.version }} -m docker -m ${{ matrix.test-marker }} tests/e2e
From e71e962d570fd0ab4f21c911538b983fb167b0ab Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:29:19 +0100
Subject: [PATCH 08/16] fix: move splunk-cim-models to dev dependency - add-ons own their CIM version
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 84e48087..2dad66c6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -50,13 +50,13 @@ splunksplwrapper = "^1.1.1"
 urllib3 = "<2"
 certifi = "^2024.7.4"
 zipp = "^3.6.0"
-splunk-cim-models = {git = "https://github.com/splunk/psa-cim-models.git", branch = "v2"}
 [tool.poetry.group.dev.dependencies]
 pytest-cov = "^4"
 requests-mock = "^1.8.0"
 freezegun = "^1.5.1"
 pytz = "^2024.1"
+splunk-cim-models = {git = "https://github.com/splunk/psa-cim-models.git", branch = "v2"}
 [tool.poetry.plugins]
 pytest11 = { plugin = "pytest_splunk_addon.plugin", "splunk" = "pytest_splunk_addon.splunk" }
From 466e9c426bafb06d5fdcbb9373032d43e4055f51 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:33:04 +0100
Subject: [PATCH 09/16] chore: update poetry.lock after psa-cim-models@v2 ghost file fix
---
 poetry.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 6e145fa6..c5c356be 100644
--- a/poetry.lock
+++ b/poetry.lock
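Review bot: Moving `splunk-cim-models` out of the main dependencies and into `[tool.poetry.group.dev.dependencies]` means a plain `pip install pytest-splunk-addon` no longer pulls it in, yet the unit tests earlier in this series expect the package's default `common_fields_path` to equal `splunk_cim_models.COMMON_FIELDS_PATH`, which suggests the runtime code imports `splunk_cim_models` as well. If it does, add-ons that forget to declare their own CIM package will fail at plugin import time with a bare `ModuleNotFoundError` rather than a message explaining that they must pick a CIM version. I would either keep it as an optional extra (`[tool.poetry.extras]`) or guard the import where it happens with an explicit `ImportError` that says the add-on must install `splunk-cim-models`, and state the new requirement in the project's user documentation; I cannot see the import site from this hunk, so please confirm.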
@@ -729,7 +729,7 @@ version = "2.0.0"
 description = "Splunk CIM (Common Information Model) data model definitions and schemas"
 optional = false
 python-versions = ">=3.7"
-groups = ["main"]
+groups = ["dev"]
 files = []
 develop = false
@@ -864,4 +864,4 @@ testing = ["big-O", "flake8 (<5)", "jaraco.functools", "jaraco.itertools", "more
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.7"
-content-hash = "b305649581489cf6eeb62240aff083718b086521384a54f09ab74546b5a345cf"
+content-hash = "8957c4a2f9ff0a6a1e1c919643b3b4ad9b1e5b17ed6691c9ff0d2fe11598a112"
From 3fe8177f115ea2616cf1bee046b50a66cc20c668 Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Wed, 4 Mar 2026 04:45:15 +0100
Subject: [PATCH 10/16] chore: update poetry.lock to psa-cim-models@v2 338dc37 (ghost files removed)
---
 poetry.lock | 210 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 122 insertions(+), 88 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index c5c356be..d96b8ab4 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -49,91 +49,125 @@ files = [ [[package]] name = "charset-normalizer" -version = "3.4.3" +version = "3.4.4" description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." optional = false python-versions = ">=3.7" groups = ["main", "dev"] files = [ - {file = "charset_normalizer-3.4.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:fb7f67a1bfa6e40b438170ebdc8158b78dc465a5a67b6dde178a46987b244a72"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:cc9370a2da1ac13f0153780040f465839e6cccb4a1e44810124b4e22483c93fe"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:07a0eae9e2787b586e129fdcbe1af6997f8d0e5abaa0bc98c0e20e124d67e601"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:74d77e25adda8581ffc1c720f1c81ca082921329452eba58b16233ab1842141c"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d0e909868420b7049dafd3a31d45125b31143eec59235311fc4c57ea26a4acd2"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:c6f162aabe9a91a309510d74eeb6507fab5fff92337a15acbe77753d88d9dcf0"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:4ca4c094de7771a98d7fbd67d9e5dbf1eb73efa4f744a730437d8a3a5cf994f0"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:02425242e96bcf29a49711b0ca9f37e451da7c70562bc10e8ed992a5a7a25cc0"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:78deba4d8f9590fe4dae384aeff04082510a709957e968753ff3c48399f6f92a"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-win32.whl", hash = 
"sha256:d79c198e27580c8e958906f803e63cddb77653731be08851c7df0b1a14a8fc0f"}, - {file = "charset_normalizer-3.4.3-cp310-cp310-win_amd64.whl", hash = "sha256:c6e490913a46fa054e03699c70019ab869e990270597018cef1d8562132c2669"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:b256ee2e749283ef3ddcff51a675ff43798d92d746d1a6e4631bf8c707d22d0b"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:13faeacfe61784e2559e690fc53fa4c5ae97c6fcedb8eb6fb8d0a15b475d2c64"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:00237675befef519d9af72169d8604a067d92755e84fe76492fef5441db05b91"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:585f3b2a80fbd26b048a0be90c5aae8f06605d3c92615911c3a2b03a8a3b796f"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e78314bdc32fa80696f72fa16dc61168fda4d6a0c014e0380f9d02f0e5d8a07"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:96b2b3d1a83ad55310de8c7b4a2d04d9277d5591f40761274856635acc5fcb30"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:939578d9d8fd4299220161fdd76e86c6a251987476f5243e8864a7844476ba14"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:fd10de089bcdcd1be95a2f73dbe6254798ec1bda9f450d5828c96f93e2536b9c"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:1e8ac75d72fa3775e0b7cb7e4629cec13b7514d928d15ef8ea06bca03ef01cae"}, - {file = "charset_normalizer-3.4.3-cp311-cp311-win32.whl", hash = "sha256:6cf8fd4c04756b6b60146d98cd8a77d0cdae0e1ca20329da2ac85eed779b6849"}, - {file = 
"charset_normalizer-3.4.3-cp311-cp311-win_amd64.whl", hash = "sha256:31a9a6f775f9bcd865d88ee350f0ffb0e25936a7f930ca98995c05abf1faf21c"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:e28e334d3ff134e88989d90ba04b47d84382a828c061d0d1027b1b12a62b39b1"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0cacf8f7297b0c4fcb74227692ca46b4a5852f8f4f24b3c766dd94a1075c4884"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:c6fd51128a41297f5409deab284fecbe5305ebd7e5a1f959bee1c054622b7018"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:3cfb2aad70f2c6debfbcb717f23b7eb55febc0bb23dcffc0f076009da10c6392"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1606f4a55c0fd363d754049cdf400175ee96c992b1f8018b993941f221221c5f"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:027b776c26d38b7f15b26a5da1044f376455fb3766df8fc38563b4efbc515154"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:42e5088973e56e31e4fa58eb6bd709e42fc03799c11c42929592889a2e54c491"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:cc34f233c9e71701040d772aa7490318673aa7164a0efe3172b2981218c26d93"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:320e8e66157cc4e247d9ddca8e21f427efc7a04bbd0ac8a9faf56583fa543f9f"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-win32.whl", hash = "sha256:fb6fecfd65564f208cbf0fba07f107fb661bcd1a7c389edbced3f7a493f70e37"}, - {file = "charset_normalizer-3.4.3-cp312-cp312-win_amd64.whl", hash = 
"sha256:86df271bf921c2ee3818f0522e9a5b8092ca2ad8b065ece5d7d9d0e9f4849bcc"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:14c2a87c65b351109f6abfc424cab3927b3bdece6f706e4d12faaf3d52ee5efe"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:41d1fc408ff5fdfb910200ec0e74abc40387bccb3252f3f27c0676731df2b2c8"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:1bb60174149316da1c35fa5233681f7c0f9f514509b8e399ab70fea5f17e45c9"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:30d006f98569de3459c2fc1f2acde170b7b2bd265dc1943e87e1a4efe1b67c31"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:416175faf02e4b0810f1f38bcb54682878a4af94059a1cd63b8747244420801f"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:6aab0f181c486f973bc7262a97f5aca3ee7e1437011ef0c2ec04b5a11d16c927"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:fdabf8315679312cfa71302f9bd509ded4f2f263fb5b765cf1433b39106c3cc9"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:bd28b817ea8c70215401f657edef3a8aa83c29d447fb0b622c35403780ba11d5"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:18343b2d246dc6761a249ba1fb13f9ee9a2bcd95decc767319506056ea4ad4dc"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-win32.whl", hash = "sha256:6fb70de56f1859a3f71261cbe41005f56a7842cc348d3aeb26237560bfa5e0ce"}, - {file = "charset_normalizer-3.4.3-cp313-cp313-win_amd64.whl", hash = "sha256:cf1ebb7d78e1ad8ec2a8c4732c7be2e736f6e5123a4146c5b89c9d1f585f8cef"}, - {file = 
"charset_normalizer-3.4.3-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:3cd35b7e8aedeb9e34c41385fda4f73ba609e561faedfae0a9e75e44ac558a15"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b89bc04de1d83006373429975f8ef9e7932534b8cc9ca582e4db7d20d91816db"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:2001a39612b241dae17b4687898843f254f8748b796a2e16f1051a17078d991d"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:8dcfc373f888e4fb39a7bc57e93e3b845e7f462dacc008d9749568b1c4ece096"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:18b97b8404387b96cdbd30ad660f6407799126d26a39ca65729162fd810a99aa"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:ccf600859c183d70eb47e05a44cd80a4ce77394d1ac0f79dbd2dd90a69a3a049"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:53cd68b185d98dde4ad8990e56a58dea83a4162161b1ea9272e5c9182ce415e0"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:30a96e1e1f865f78b030d65241c1ee850cdf422d869e9028e2fc1d5e4db73b92"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:d716a916938e03231e86e43782ca7878fb602a125a91e7acb8b5112e2e96ac16"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-win32.whl", hash = "sha256:c6dbd0ccdda3a2ba7c2ecd9d77b37f3b5831687d8dc1b6ca5f56a4880cc7b7ce"}, - {file = "charset_normalizer-3.4.3-cp314-cp314-win_amd64.whl", hash = "sha256:73dc19b562516fc9bcf6e5d6e596df0b4eb98d87e4f79f3ae71840e6ed21361c"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-macosx_10_9_universal2.whl", hash = 
"sha256:0f2be7e0cf7754b9a30eb01f4295cc3d4358a479843b31f328afd210e2c7598c"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c60e092517a73c632ec38e290eba714e9627abe9d301c8c8a12ec32c314a2a4b"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:252098c8c7a873e17dd696ed98bbe91dbacd571da4b87df3736768efa7a792e4"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:3653fad4fe3ed447a596ae8638b437f827234f01a8cd801842e43f3d0a6b281b"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8999f965f922ae054125286faf9f11bc6932184b93011d138925a1773830bbe9"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:d95bfb53c211b57198bb91c46dd5a2d8018b3af446583aab40074bf7988401cb"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:5b413b0b1bfd94dbf4023ad6945889f374cd24e3f62de58d6bb102c4d9ae534a"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:b5e3b2d152e74e100a9e9573837aba24aab611d39428ded46f4e4022ea7d1942"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:a2d08ac246bb48479170408d6c19f6385fa743e7157d716e144cad849b2dd94b"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-win32.whl", hash = "sha256:ec557499516fc90fd374bf2e32349a2887a876fbf162c160e3c01b6849eaf557"}, - {file = "charset_normalizer-3.4.3-cp38-cp38-win_amd64.whl", hash = "sha256:5d8d01eac18c423815ed4f4a2ec3b439d654e55ee4ad610e153cf02faf67ea40"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:70bfc5f2c318afece2f5838ea5e4c3febada0be750fcf4775641052bbba14d05"}, - {file = 
"charset_normalizer-3.4.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:23b6b24d74478dc833444cbd927c338349d6ae852ba53a0d02a2de1fce45b96e"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:34a7f768e3f985abdb42841e20e17b330ad3aaf4bb7e7aeeb73db2e70f077b99"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:fb731e5deb0c7ef82d698b0f4c5bb724633ee2a489401594c5c88b02e6cb15f7"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:257f26fed7d7ff59921b78244f3cd93ed2af1800ff048c33f624c87475819dd7"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:1ef99f0456d3d46a50945c98de1774da86f8e992ab5c77865ea8b8195341fc19"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:2c322db9c8c89009a990ef07c3bcc9f011a3269bc06782f916cd3d9eed7c9312"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:511729f456829ef86ac41ca78c63a5cb55240ed23b4b737faca0eb1abb1c41bc"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:88ab34806dea0671532d3f82d82b85e8fc23d7b2dd12fa837978dad9bb392a34"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-win32.whl", hash = "sha256:16a8770207946ac75703458e2c743631c79c59c5890c80011d536248f8eaa432"}, - {file = "charset_normalizer-3.4.3-cp39-cp39-win_amd64.whl", hash = "sha256:d22dbedd33326a4a5190dd4fe9e9e693ef12160c77382d9e87919bce54f3d4ca"}, - {file = "charset_normalizer-3.4.3-py3-none-any.whl", hash = "sha256:ce571ab16d890d23b5c278547ba694193a45011ff86a9162a71307ed9f86759a"}, - {file = "charset_normalizer-3.4.3.tar.gz", hash = "sha256:6fce4b8500244f6fcb71465d4a4930d132ba9ab8e71a7859e6a5d59851068d14"}, + {file = 
"charset_normalizer-3.4.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e824f1492727fa856dd6eda4f7cee25f8518a12f3c4a56a74e8095695089cf6d"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4bd5d4137d500351a30687c2d3971758aac9a19208fc110ccb9d7188fbe709e8"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:027f6de494925c0ab2a55eab46ae5129951638a49a34d87f4c3eda90f696b4ad"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f820802628d2694cb7e56db99213f930856014862f3fd943d290ea8438d07ca8"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:798d75d81754988d2565bff1b97ba5a44411867c0cf32b77a7e8f8d84796b10d"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9d1bb833febdff5c8927f922386db610b49db6e0d4f4ee29601d71e7c2694313"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:9cd98cdc06614a2f768d2b7286d66805f94c48cde050acdbbb7db2600ab3197e"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:077fbb858e903c73f6c9db43374fd213b0b6a778106bc7032446a8e8b5b38b93"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:244bfb999c71b35de57821b8ea746b24e863398194a4014e4c76adc2bbdfeff0"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:64b55f9dce520635f018f907ff1b0df1fdc31f2795a922fb49dd14fbcdf48c84"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:faa3a41b2b66b6e50f84ae4a68c64fcd0c44355741c6374813a800cd6695db9e"}, + {file = 
"charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:6515f3182dbe4ea06ced2d9e8666d97b46ef4c75e326b79bb624110f122551db"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:cc00f04ed596e9dc0da42ed17ac5e596c6ccba999ba6bd92b0e0aef2f170f2d6"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-win32.whl", hash = "sha256:f34be2938726fc13801220747472850852fe6b1ea75869a048d6f896838c896f"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-win_amd64.whl", hash = "sha256:a61900df84c667873b292c3de315a786dd8dac506704dea57bc957bd31e22c7d"}, + {file = "charset_normalizer-3.4.4-cp310-cp310-win_arm64.whl", hash = "sha256:cead0978fc57397645f12578bfd2d5ea9138ea0fac82b2f63f7f7c6877986a69"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6e1fcf0720908f200cd21aa4e6750a48ff6ce4afe7ff5a79a90d5ed8a08296f8"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5f819d5fe9234f9f82d75bdfa9aef3a3d72c4d24a6e57aeaebba32a704553aa0"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:a59cb51917aa591b1c4e6a43c132f0cdc3c76dbad6155df4e28ee626cc77a0a3"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:8ef3c867360f88ac904fd3f5e1f902f13307af9052646963ee08ff4f131adafc"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d9e45d7faa48ee908174d8fe84854479ef838fc6a705c9315372eacbc2f02897"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:840c25fb618a231545cbab0564a799f101b63b9901f2569faecd6b222ac72381"}, + {file = 
"charset_normalizer-3.4.4-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:ca5862d5b3928c4940729dacc329aa9102900382fea192fc5e52eb69d6093815"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d9c7f57c3d666a53421049053eaacdd14bbd0a528e2186fcb2e672effd053bb0"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:277e970e750505ed74c832b4bf75dac7476262ee2a013f5574dd49075879e161"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:31fd66405eaf47bb62e8cd575dc621c56c668f27d46a61d975a249930dd5e2a4"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:0d3d8f15c07f86e9ff82319b3d9ef6f4bf907608f53fe9d92b28ea9ae3d1fd89"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:9f7fcd74d410a36883701fafa2482a6af2ff5ba96b9a620e9e0721e28ead5569"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ebf3e58c7ec8a8bed6d66a75d7fb37b55e5015b03ceae72a8e7c74495551e224"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-win32.whl", hash = "sha256:eecbc200c7fd5ddb9a7f16c7decb07b566c29fa2161a16cf67b8d068bd21690a"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-win_amd64.whl", hash = "sha256:5ae497466c7901d54b639cf42d5b8c1b6a4fead55215500d2f486d34db48d016"}, + {file = "charset_normalizer-3.4.4-cp311-cp311-win_arm64.whl", hash = "sha256:65e2befcd84bc6f37095f5961e68a6f077bf44946771354a28ad434c2cce0ae1"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:0a98e6759f854bd25a58a73fa88833fba3b7c491169f86ce1180c948ab3fd394"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b5b290ccc2a263e8d185130284f8501e3e36c5e02750fc6b6bdeb2e9e96f1e25"}, + {file = 
"charset_normalizer-3.4.4-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74bb723680f9f7a6234dcf67aea57e708ec1fbdf5699fb91dfd6f511b0a320ef"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f1e34719c6ed0b92f418c7c780480b26b5d9c50349e9a9af7d76bf757530350d"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2437418e20515acec67d86e12bf70056a33abdacb5cb1655042f6538d6b085a8"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:11d694519d7f29d6cd09f6ac70028dba10f92f6cdd059096db198c283794ac86"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:ac1c4a689edcc530fc9d9aa11f5774b9e2f33f9a0c6a57864e90908f5208d30a"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:21d142cc6c0ec30d2efee5068ca36c128a30b0f2c53c1c07bd78cb6bc1d3be5f"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:5dbe56a36425d26d6cfb40ce79c314a2e4dd6211d51d6d2191c00bed34f354cc"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5bfbb1b9acf3334612667b61bd3002196fe2a1eb4dd74d247e0f2a4d50ec9bbf"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:d055ec1e26e441f6187acf818b73564e6e6282709e9bcb5b63f5b23068356a15"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:af2d8c67d8e573d6de5bc30cdb27e9b95e49115cd9baad5ddbd1a6207aaa82a9"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:780236ac706e66881f3b7f2f32dfe90507a09e67d1d454c762cf642e6e1586e0"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-win32.whl", hash = 
"sha256:5833d2c39d8896e4e19b689ffc198f08ea58116bee26dea51e362ecc7cd3ed26"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-win_amd64.whl", hash = "sha256:a79cfe37875f822425b89a82333404539ae63dbdddf97f84dcbc3d339aae9525"}, + {file = "charset_normalizer-3.4.4-cp312-cp312-win_arm64.whl", hash = "sha256:376bec83a63b8021bb5c8ea75e21c4ccb86e7e45ca4eb81146091b56599b80c3"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e1f185f86a6f3403aa2420e815904c67b2f9ebc443f045edd0de921108345794"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b39f987ae8ccdf0d2642338faf2abb1862340facc796048b604ef14919e55ed"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3162d5d8ce1bb98dd51af660f2121c55d0fa541b46dff7bb9b9f86ea1d87de72"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:81d5eb2a312700f4ecaa977a8235b634ce853200e828fbadf3a9c50bab278328"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5bd2293095d766545ec1a8f612559f6b40abc0eb18bb2f5d1171872d34036ede"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a8a8b89589086a25749f471e6a900d3f662d1d3b6e2e59dcecf787b1cc3a1894"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:bc7637e2f80d8530ee4a78e878bce464f70087ce73cf7c1caf142416923b98f1"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f8bf04158c6b607d747e93949aa60618b61312fe647a6369f88ce2ff16043490"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_armv7l.whl", hash = 
"sha256:554af85e960429cf30784dd47447d5125aaa3b99a6f0683589dbd27e2f45da44"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:74018750915ee7ad843a774364e13a3db91682f26142baddf775342c3f5b1133"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:c0463276121fdee9c49b98908b3a89c39be45d86d1dbaa22957e38f6321d4ce3"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:362d61fd13843997c1c446760ef36f240cf81d3ebf74ac62652aebaf7838561e"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9a26f18905b8dd5d685d6d07b0cdf98a79f3c7a918906af7cc143ea2e164c8bc"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-win32.whl", hash = "sha256:9b35f4c90079ff2e2edc5b26c0c77925e5d2d255c42c74fdb70fb49b172726ac"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-win_amd64.whl", hash = "sha256:b435cba5f4f750aa6c0a0d92c541fb79f69a387c91e61f1795227e4ed9cece14"}, + {file = "charset_normalizer-3.4.4-cp313-cp313-win_arm64.whl", hash = "sha256:542d2cee80be6f80247095cc36c418f7bddd14f4a6de45af91dfad36d817bba2"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:da3326d9e65ef63a817ecbcc0df6e94463713b754fe293eaa03da99befb9a5bd"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8af65f14dc14a79b924524b1e7fffe304517b2bff5a58bf64f30b98bbc5079eb"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74664978bb272435107de04e36db5a9735e78232b85b77d45cfb38f758efd33e"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:752944c7ffbfdd10c074dc58ec2d5a8a4cd9493b314d367c14d24c17684ddd14"}, + {file = 
"charset_normalizer-3.4.4-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d1f13550535ad8cff21b8d757a3257963e951d96e20ec82ab44bc64aeb62a191"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ecaae4149d99b1c9e7b88bb03e3221956f68fd6d50be2ef061b2381b61d20838"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:cb6254dc36b47a990e59e1068afacdcd02958bdcce30bb50cc1700a8b9d624a6"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:c8ae8a0f02f57a6e61203a31428fa1d677cbe50c93622b4149d5c0f319c1d19e"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:47cc91b2f4dd2833fddaedd2893006b0106129d4b94fdb6af1f4ce5a9965577c"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:82004af6c302b5d3ab2cfc4cc5f29db16123b1a8417f2e25f9066f91d4411090"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:2b7d8f6c26245217bd2ad053761201e9f9680f8ce52f0fcd8d0755aeae5b2152"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:799a7a5e4fb2d5898c60b640fd4981d6a25f1c11790935a44ce38c54e985f828"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:99ae2cffebb06e6c22bdc25801d7b30f503cc87dbd283479e7b606f70aff57ec"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-win32.whl", hash = "sha256:f9d332f8c2a2fcbffe1378594431458ddbef721c1769d78e2cbc06280d8155f9"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-win_amd64.whl", hash = "sha256:8a6562c3700cce886c5be75ade4a5db4214fda19fede41d9792d100288d8f94c"}, + {file = "charset_normalizer-3.4.4-cp314-cp314-win_arm64.whl", hash = "sha256:de00632ca48df9daf77a2c65a484531649261ec9f25489917f09e455cb09ddb2"}, + {file = 
"charset_normalizer-3.4.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:ce8a0633f41a967713a59c4139d29110c07e826d131a316b50ce11b1d79b4f84"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:eaabd426fe94daf8fd157c32e571c85cb12e66692f15516a83a03264b08d06c3"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:c4ef880e27901b6cc782f1b95f82da9313c0eb95c3af699103088fa0ac3ce9ac"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:2aaba3b0819274cc41757a1da876f810a3e4d7b6eb25699253a4effef9e8e4af"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:778d2e08eda00f4256d7f672ca9fef386071c9202f5e4607920b86d7803387f2"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f155a433c2ec037d4e8df17d18922c3a0d9b3232a396690f17175d2946f0218d"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a8bf8d0f749c5757af2142fe7903a9df1d2e8aa3841559b2bad34b08d0e2bcf3"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:194f08cbb32dc406d6e1aea671a68be0823673db2832b38405deba2fb0d88f63"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_armv7l.whl", hash = "sha256:6aee717dcfead04c6eb1ce3bd29ac1e22663cdea57f943c87d1eab9a025438d7"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:cd4b7ca9984e5e7985c12bc60a6f173f3c958eae74f3ef6624bb6b26e2abbae4"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_riscv64.whl", hash = "sha256:b7cf1017d601aa35e6bb650b6ad28652c9cd78ee6caff19f3c28d03e1c80acbf"}, + {file = 
"charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:e912091979546adf63357d7e2ccff9b44f026c075aeaf25a52d0e95ad2281074"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:5cb4d72eea50c8868f5288b7f7f33ed276118325c1dfd3957089f6b519e1382a"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-win32.whl", hash = "sha256:837c2ce8c5a65a2035be9b3569c684358dfbf109fd3b6969630a87535495ceaa"}, + {file = "charset_normalizer-3.4.4-cp38-cp38-win_amd64.whl", hash = "sha256:44c2a8734b333e0578090c4cd6b16f275e07aa6614ca8715e6c038e865e70576"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:a9768c477b9d7bd54bc0c86dbaebdec6f03306675526c9927c0e8a04e8f94af9"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:1bee1e43c28aa63cb16e5c14e582580546b08e535299b8b6158a7c9c768a1f3d"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:fd44c878ea55ba351104cb93cc85e74916eb8fa440ca7903e57575e97394f608"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:0f04b14ffe5fdc8c4933862d8306109a2c51e0704acfa35d51598eb45a1e89fc"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:cd09d08005f958f370f539f186d10aec3377d55b9eeb0d796025d4886119d76e"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4fe7859a4e3e8457458e2ff592f15ccb02f3da787fcd31e0183879c3ad4692a1"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:fa09f53c465e532f4d3db095e0c55b615f010ad81803d383195b6b5ca6cbf5f3"}, + {file = 
"charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:7fa17817dc5625de8a027cb8b26d9fefa3ea28c8253929b8d6649e705d2835b6"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:5947809c8a2417be3267efc979c47d76a079758166f7d43ef5ae8e9f92751f88"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:4902828217069c3c5c71094537a8e623f5d097858ac6ca8252f7b4d10b7560f1"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:7c308f7e26e4363d79df40ca5b2be1c6ba9f02bdbccfed5abddb7859a6ce72cf"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:2c9d3c380143a1fedbff95a312aa798578371eb29da42106a29019368a475318"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:cb01158d8b88ee68f15949894ccc6712278243d95f344770fa7593fa2d94410c"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-win32.whl", hash = "sha256:2677acec1a2f8ef614c6888b5b4ae4060cc184174a938ed4e8ef690e15d3e505"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-win_amd64.whl", hash = "sha256:f8e160feb2aed042cd657a72acc0b481212ed28b1b9a95c0cee1621b524e1966"}, + {file = "charset_normalizer-3.4.4-cp39-cp39-win_arm64.whl", hash = "sha256:b5d84d37db046c5ca74ee7bb47dd6cbc13f80665fdde3e8040bdd3fb015ecb50"}, + {file = "charset_normalizer-3.4.4-py3-none-any.whl", hash = "sha256:7a32c560861a02ff789ad905a2fe94e3f840803362c84fecf1851cb4cf3dc37f"}, + {file = "charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a"}, ] [[package]] 
@@ -269,15 +303,15 @@ dev = ["Sphinx", "coverage", "flake8", "lxml", "lxml-stubs", "memory-profiler", [[package]] name = "exceptiongroup" -version = "1.3.0" +version = "1.3.1" description = "Backport of PEP 654 (exception groups)" optional = false python-versions = ">=3.7" groups = ["main", "dev"] markers = "python_version < \"3.11\"" files = [ - {file = "exceptiongroup-1.3.0-py3-none-any.whl", hash = "sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10"}, - {file = "exceptiongroup-1.3.0.tar.gz", hash = "sha256:b241f5885f560bc56a59ee63ca4c6a8bfa46ae4ad651af316d4e81817bb9fd88"}, + {file = "exceptiongroup-1.3.1-py3-none-any.whl", hash = "sha256:a7a39a3bd276781e98394987d3a5701d0c4edffb633bb7a5144577f82c773598"}, + {file = "exceptiongroup-1.3.1.tar.gz", hash = "sha256:8b412432c6055b0b7d14c310000ae93352ed6754f70fa8f7c34141f91c4e3219"}, ] [package.dependencies] @@ -350,18 +384,18 @@ python-dateutil = ">=2.7" [[package]] name = "httplib2" -version = "0.30.0" +version = "0.31.2" description = "A comprehensive HTTP client library." optional = false python-versions = ">=3.6" groups = ["main"] files = [ - {file = "httplib2-0.30.0-py3-none-any.whl", hash = "sha256:d10443a2bdfe0ea5dbb17e016726146d48b574208dafd41e854cf34e7d78842c"}, - {file = "httplib2-0.30.0.tar.gz", hash = "sha256:d5b23c11fcf8e57e00ff91b7008656af0f6242c8886fd97065c97509e4e548c5"}, + {file = "httplib2-0.31.2-py3-none-any.whl", hash = "sha256:dbf0c2fa3862acf3c55c078ea9c0bc4481d7dc5117cae71be9514912cf9f8349"}, + {file = "httplib2-0.31.2.tar.gz", hash = "sha256:385e0869d7397484f4eab426197a4c020b606edd43372492337c0b4010ae5d24"}, ] [package.dependencies] -pyparsing = ">=3.0.4,<4" +pyparsing = ">=3.1,<4" [[package]] name = "idna" 
@@ -737,7 +771,7 @@ develop = false type = "git" url = "https://github.com/splunk/psa-cim-models.git" reference = "v2" -resolved_reference = "3533d7fd6a449b7c2424a3eed2321e872af416a2" +resolved_reference = "338dc37836126a1ee372a8cf160b763840f45bf1" [[package]] name = "splunk-sdk" From a74ded63e51cc1be01103e0fb91b546269dd6a12 Mon Sep 17 00:00:00 2001 From: Marcin Kolasinski Date: Wed, 4 Mar 2026 04:56:16 +0100 Subject: [PATCH 11/16] fix: pass GH_TOKEN into Docker test container for psa-cim-models clone --- .github/workflows/build-test-release.yml | 2 ++ docker-compose-ci.yml | 2 ++ entrypoint.sh | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index d73eb917..363832df 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml @@ -166,6 +166,8 @@ jobs: curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1 poetry install poetry run pytest -v --splunk-version=${{ matrix.splunk.version }} -m docker -m ${{ matrix.test-marker }} tests/e2e + env: + GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} publish: needs: diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml index ade2fe76..93587562 100644 --- a/docker-compose-ci.yml +++ b/docker-compose-ci.yml @@ -32,6 +32,8 @@ services: - sc4s volumes: - results:/work/test-results + environment: + - GH_TOKEN sc4s: image: ghcr.io/splunk/splunk-connect-for-syslog/container2:latest diff --git a/entrypoint.sh b/entrypoint.sh index 3664f2a4..2e168999 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
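Review bot: The credential injected at `GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}` is, going by its name, an admin-scoped token, while the only thing this step needs is read access to clone psa-cim-models; a fine-grained PAT or GitHub App installation token limited to Contents: read on that single repository would bound the damage if the test container or a dependency leaks it. Because the same value is then forwarded into the compose service via `environment: - GH_TOKEN`, every process in the container — add-on code under test and every package pulled in by `poetry install` — can read it from its environment, so least privilege matters here more than in a plain runner step. Consider naming the secret for what it grants, e.g. `GH_TOKEN: ${{ secrets.PSA_CIM_MODELS_READ_TOKEN }}`, and keeping the admin token out of this job entirely. The token's real scope is not visible in the diff, so this is inferred from the secret's name.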
@@ -9,6 +9,10 @@ pyenv local 3.7.8 curl -sSL https://install.python-poetry.org | python - --version 1.5.1 export PATH="/root/.local/bin:$PATH" source ~/.poetry/env +if [ -n "$GH_TOKEN" ]; then + git config --global --add url."https://$GH_TOKEN@github.com".insteadOf https://github.com + git config --global --add url."https://$GH_TOKEN@github.com".insteadOf ssh://git@github.com +fi sleep 15 poetry install exec poetry run pytest -vv $@ From 57aea8df30eb61ed75478e359f7c60076ebf8eb3 Mon Sep 17 00:00:00 2001 From: Marcin Kolasinski Date: Wed, 4 Mar 2026 06:25:16 +0100 Subject: [PATCH 12/16] fix: pass GH_TOKEN into docker-compose test container for e2e tests The test-splunk-external job's Test step never exported GH_TOKEN to the runner environment, so docker-compose couldn't pass it through to the container (even though docker-compose-ci.yml declared '- GH_TOKEN'). Without the token, entrypoint.sh had no credentials to clone the private psa-cim-models repo, causing poetry install to fail entirely. --- .github/workflows/build-test-release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index 363832df..3147ed33 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml @@ -101,6 +101,8 @@ jobs: run: | mkdir test-results-${{ matrix.splunk.version }} - name: Test + env: + GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} run: | export SPLUNK_APP_PACKAGE=./tests/e2e/addons/TA_fiction_indextime export SPLUNK_ADDON=TA_fiction_indextime From 0a061586ef1e9936e954513dd3d6cd00b9cc6985 Mon Sep 17 00:00:00 2001 
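Review bot: `git config --global --add url."https://$GH_TOKEN@github.com".insteadOf https://github.com` persists the token in clear text in /root/.gitconfig, where it outlives the clone, shows up in `git config --list` and in any git error that prints the resolved URL, and is readable by anything that later runs in the container or inspects the image layer. A credential helper that reads the token from the environment at fetch time avoids writing it to disk: `git config --global credential.helper '!f() { echo "username=x-access-token"; echo "password=$GH_TOKEN"; }; f'`, paired with `git config --global url."https://github.com/".insteadOf ssh://git@github.com/` if SSH remotes still need rewriting. Note that the prefix match on `https://github.com` sends the token with every GitHub HTTPS fetch made during `poetry install`, not only the psa-cim-models clone, which is another reason to keep the token read-only and single-repository. Since the script ends in `exec poetry run pytest -vv $@`, the test process inherits `GH_TOKEN`; unsetting it after `poetry install` (e.g. `unset GH_TOKEN` before the `exec`) keeps the credential out of test code and captured output.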
From: Marcin Kolasinski Date: Fri, 6 Mar 2026 08:22:38 +0100 Subject: [PATCH 13/16] chore: remove splunk-cim-models from psa --- splunk-cim-models/pyproject.toml | 41 - .../splunk_cim_models/CommonFields.json | 85 - .../splunk_cim_models/DatamodelSchema.json | 123 - .../splunk_cim_models/__init__.py | 33 - .../splunk_cim_models/data_models/Alerts.json | 125 - .../data_models/Authentication.json | 212 -- .../data_models/Certificates.json | 239 -- .../splunk_cim_models/data_models/Change.json | 312 --- .../data_models/Compute_Inventory.json | 405 --- .../splunk_cim_models/data_models/DLP.json | 116 - .../data_models/Data_Access.json | 197 -- .../data_models/Databases.json | 490 ---- .../splunk_cim_models/data_models/Email.json | 251 -- .../data_models/Endpoint.json | 639 ----- .../data_models/Event_Signatures.json | 37 - .../data_models/Interprocess Messaging.json | 194 -- .../data_models/Intrusion_Detection.json | 154 -- .../splunk_cim_models/data_models/JVM.json | 332 --- .../data_models/Malware.json | 177 -- .../data_models/Network_Resolution.json | 282 -- .../data_models/Network_Sessions.json | 158 -- .../data_models/Network_Traffic.json | 348 --- .../data_models/Performance.json | 314 --- .../data_models/Ticket_Management.json | 129 - .../data_models/Updates.json | 114 - .../data_models/Vulnerabilities.json | 141 - .../splunk_cim_models/data_models/Web.json | 275 -- .../splunk_cim_models/datamodel_definition.py | 2404 ----------------- 28 files changed, 8327 deletions(-) delete mode 100644 splunk-cim-models/pyproject.toml delete mode 100644 splunk-cim-models/splunk_cim_models/CommonFields.json delete mode 100644 splunk-cim-models/splunk_cim_models/DatamodelSchema.json delete mode 100644 splunk-cim-models/splunk_cim_models/__init__.py delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Alerts.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Authentication.json delete mode 100644 
splunk-cim-models/splunk_cim_models/data_models/Certificates.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Change.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/DLP.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Data_Access.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Databases.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Email.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Endpoint.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/JVM.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Malware.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Performance.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Updates.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json delete mode 100644 splunk-cim-models/splunk_cim_models/data_models/Web.json delete mode 100644 splunk-cim-models/splunk_cim_models/datamodel_definition.py diff --git a/splunk-cim-models/pyproject.toml b/splunk-cim-models/pyproject.toml deleted file mode 100644 index 992d6a3f..00000000 
--- a/splunk-cim-models/pyproject.toml +++ /dev/null @@ -1,41 +0,0 @@ -# -# Copyright 2026 Splunk Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -[project] -name = "splunk-cim-models" -version = "0.1.0" -description = "Splunk CIM (Common Information Model) data model definitions and schemas" -authors = [{name = "Splunk", email = "addonfactory@splunk.com"}] -license = {text = "Apache-2.0"} -requires-python = ">=3.7" -classifiers = [ - "Intended Audience :: Developers", - "Topic :: Software Development :: Testing", - "Programming Language :: Python", - "Programming Language :: Python :: 3.7", - "Operating System :: OS Independent", - "License :: OSI Approved :: Apache Software License", -] - -[build-system] -requires = ["setuptools>=45"] -build-backend = "setuptools.build_meta" - -[tool.setuptools.packages.find] -include = ["splunk_cim_models*"] - -[tool.setuptools.package-data] -splunk_cim_models = ["**/*.json"] diff --git a/splunk-cim-models/splunk_cim_models/CommonFields.json b/splunk-cim-models/splunk_cim_models/CommonFields.json deleted file mode 100644 index e35355f3..00000000 --- a/splunk-cim-models/splunk_cim_models/CommonFields.json +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - "description": "This fields are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for these fields when writing add-ons.", - "fields": [ - { - "name": "dest_bunit", - "type": "not_allowed_in_search_and_props", - "comment": "The business unit of the authentication target." - }, - { - "name": "dest_category", - "type": "not_allowed_in_search_and_props", - "comment": "The category of the authentication target, such as email_server or SOX-compliant." - }, - { - "name": "dest_priority", - "type": "not_allowed_in_search_and_props", - "comment": "The priority of the authentication target." - }, - { - "name": "dvc_bunit", - "type": "not_allowed_in_search_and_props", - "comment": "The business unit of the DLP target." - }, - { - "name": "dvc_category", - "type": "not_allowed_in_search_and_props", - "comment": "The category of the DLP device." - }, - { - "name": "dvc_priority", - "type": "not_allowed_in_search_and_props", - "comment": "The priority of the DLP device." - }, - { - "name": "src_bunit", - "type": "not_allowed_in_search_and_props", - "comment": "The business unit of the authentication source." - }, - { - "name": "src_category", - "type": "not_allowed_in_search_and_props", - "comment": "The category of the authentication source, such as email_server or SOX-compliant." - }, - { - "name": "src_priority", - "type": "not_allowed_in_search_and_props", - "comment": "The priority of the authentication source." - }, - { - "name": "src_user_bunit", - "type": "not_allowed_in_search_and_props", - "comment": "The business unit of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed." - }, - { - "name": "src_user_category", - "type": "not_allowed_in_search_and_props", - "comment": "The category of the user who initiated the privilege escalation. 
This field is unnecessary when an escalation has not been performed." - }, - { - "name": "src_user_priority", - "type": "not_allowed_in_search_and_props", - "comment": "The priority of the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed." - }, - { - "name": "user_bunit", - "type": "not_allowed_in_search_and_props", - "comment": "The business unit of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." - }, - { - "name": "user_category", - "type": "not_allowed_in_search_and_props", - "comment": "The category of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." - }, - { - "name": "user_priority", - "type": "not_allowed_in_search_and_props", - "comment": "The priority of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." - }, - { - "name": "tag", - "type": "not_allowed_in_props", - "comment": "This automatically-generated field is used to access tags from within data models. Do not define extractions for this field when writing add-ons." - } - ] -} diff --git a/splunk-cim-models/splunk_cim_models/DatamodelSchema.json b/splunk-cim-models/splunk_cim_models/DatamodelSchema.json deleted file mode 100644 index 8659512b..00000000 --- a/splunk-cim-models/splunk_cim_models/DatamodelSchema.json +++ /dev/null 
@@ -1,123 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft/2019-09/schema#", - "title": "Schema for DataModel json files used with pytest-splunk-addon.", - "type": "object", - "definitions": { - "dataset": { - "type": "object", - "description": "A dict object representing dataset properties.", - "properties": { - "name": { - "description": "Name of the Dataset.", - "type": "string" - }, - "tags": { - "type": "array", - "description": "A List of List.", - "items": { - "type": "array", - "description": "It contains the list of tags present in the dataset. i.e. 'tags':['endpoint', 'filesystem']", - "items": { "type": "string" } - } - }, - "fields_cluster": { - "type": "array", - "description": "List of clustered field list", - "items": { - "type": "array", - "description": "The fields which are expected to be together must be listed here i.e. ['bytes', 'bytes_in', 'bytes_out']", - "items": { "type": "string" } - } - }, - "fields": { - "type": "array", - "description": "List of field object.", - "items": { "$ref": "#/definitions/field" } - }, - "child_dataset": { - "type": "array", - "description": "List of dataset objects.", - "items": { "$ref": "#/definitions/dataset" } - }, - "search_constraints": { - "type": "string", - "description": "The constraints mentioned for the dataset in datamodel json are listed here." - } - }, - "required": [ - "name", - "tags", - "fields_cluster", - "fields", - "child_dataset", - "search_constraints" - ] - }, - "field": { - "type": "object", - "description": "A dict which describes certain properties of the field.", - "properties": { - "name": { - "type": "string", - "description": "Name of the field" - }, - "type": { - "type": "string", - "description": "Type of the field.", - "enum": [ - "required", - "conditional", - "not_allowed_in_search", - "not_allowed_in_props", - "not_allowed_in_search_and_props", - "optional" - ] - }, - "multi_value": { - "type": "boolean", - "description": "Whether the field is multi-value or not. 
If true, validity and expected_values is not supported." - }, - "condition": { - "type": "string", - "description": "It holds the condition for the conditional fields mentioned in the doc." - }, - "expected_values": { - "type": "array", - "description": "It is the list of accepted values of the field", - "items": { "type": "string" } - }, - "validity": { - "type": "string", - "description": "Validity of the field, if a numeric field is expected we write query criteria here." - }, - "comment": { - "type": "string", - "description": "Description of the field" - } - }, - "required": ["name", "type", "comment"] - } - }, - "properties": { - "model_name": { - "type": "string", - "description": "Name of the Datamodel" - }, - "version": { - "type": "string", - "description": "Schema Version." - }, - "objects": { - "type": "array", - "description": "List of the datasets defined in the datamodel.", - "items": { - "$ref": "#/definitions/dataset" - } - } - }, - "required": [ - "model_name", - "version", - "objects" - ] -} diff --git a/splunk-cim-models/splunk_cim_models/__init__.py b/splunk-cim-models/splunk_cim_models/__init__.py deleted file mode 100644 index 47bee0ad..00000000 --- a/splunk-cim-models/splunk_cim_models/__init__.py +++ /dev/null 
@@ -1,33 +0,0 @@
-#
-# Copyright 2026 Splunk Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""
-Splunk CIM (Common Information Model) data model definitions and schemas.
-
-This package provides:
-- ``datamodels``: A dict mapping CIM versions to per-model recommended field lists.
-- ``DATA_MODELS_PATH``: Filesystem path to the directory of data model JSON files.
-- ``COMMON_FIELDS_PATH``: Filesystem path to CommonFields.json.
-- ``DATAMODEL_SCHEMA_PATH``: Filesystem path to DatamodelSchema.json.
-"""
-import os
-
-from .datamodel_definition import datamodels # noqa: F401
-
-_PKG_DIR = os.path.dirname(os.path.abspath(__file__))
-
-DATA_MODELS_PATH = os.path.join(_PKG_DIR, "data_models")
-COMMON_FIELDS_PATH = os.path.join(_PKG_DIR, "CommonFields.json")
-DATAMODEL_SCHEMA_PATH = os.path.join(_PKG_DIR, "DatamodelSchema.json")
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Alerts.json b/splunk-cim-models/splunk_cim_models/data_models/Alerts.json
deleted file mode 100644
index 2fbdb312..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Alerts.json
+++ /dev/null
@@ -1,125 +0,0 @@
-{
- "model_name": "Alerts",
- "version": "1.0.0",
- "objects":[
- {
- "name": "Alerts",
- "tags": [
- ["alert"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=alert",
- "fields": [
- {
- "name": "app",
- "type": "required",
- "comment":"The application involved in the event, such as win:app:trendmicro, vmware, nagios."
- },
- {
- "name": "body",
- "type": "optional",
- "comment":"The body of a message."
- },
- {
- "name": "description",
- "type": "required",
- "comment": "The description of the alert event."
- },
- {
- "name": "dest",
- "type": "required",
- "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dest_type",
- "type": "optional",
- "comment": "The type of the destination object, such as instance, storage, firewall."
- },
- {
- "name": "id",
- "type": "required",
- "comment":"The unique identifier of a message."
- },
- {
- "name": "mitre_technique_id",
- "type": "optional",
- "comment": "The MITRE ATT&CK technique ID of the alert event."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "A human-readable signature name."
- },
- {
- "name": "signature_id",
- "type": "required",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "severity",
- "type": "required",
- "expected_values": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "comment":"The severity of a message."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment":"A numeric severity indicator for a message."
- },
- {
- "name": "src",
- "type": "required",
- "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
- },
- {
- "name": "src_type",
- "type": "optional",
- "comment": "The type of the source object, such as instance, storage, firewall."
- },
- {
- "name": "subject",
- "type": "optional",
- "comment":"The message subject."
- },
- {
- "name": "type",
- "type": "required",
- "expected_values":[
- "alarm",
- "alert",
- "event",
- "task",
- "warning"
- ],
- "comment":"The message type."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user involved in the alert event."
- },
- {
- "name": "user_name",
- "type": "optional",
- "comment": "The name of the user involved in the alert event."
- },
- {
- "name": "vendor_account",
- "type": "optional",
- "comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account."
- },
- {
- "name": "vendor_region",
- "type": "optional",
- "comment": "The data center region involved in the alert event, such as us-west-2."
- }
- ],
- "child_dataset": []
- }]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Authentication.json b/splunk-cim-models/splunk_cim_models/data_models/Authentication.json
deleted file mode 100644
index 35d298d4..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Authentication.json
+++ /dev/null
@@ -1,212 +0,0 @@
-{
- "model_name": "Authentication",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Authentication",
- "tags": [["authentication"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["success", "failure", "pending", "error"],
- "comment": "The action performed on the resource."
- },
- {
- "name": "app",
- "type": "required",
- "comment": "The application involved in the event (such as ssh, splunk, win:local)."
- },
- {
- "name": "authentication_method",
- "type": "optional",
- "comment": "The method used to authenticate the request"
- },
- {
- "name": "authentication_service",
- "type": "optional",
- "comment": "The service used to authenticate the request"
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host."
- },
- {
- "name": "src_user_type",
- "type": "optional",
- "comment": "The type of the user who initiated the privilege escalation."
- },
- {
- "name": "user_type",
- "type": "optional",
- "comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System."
- },
- {
- "name": "src_user_role",
- "type": "optional",
- "comment": "The role of the user who initiated the privilege escalation."
- },
- {
- "name": "user_role",
- "type": "optional",
- "comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation."
- },
- {
- "name": "user_agent",
- "type": "optional",
- "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration) and duration>0 and duration<3600, duration, null())",
- "comment": "The amount of time for the completion of the authentication event, in seconds."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time) and response_time>0 AND response_time<3600,response_time,null())",
- "comment": "The amount of time it took to receive a response in the authentication event, in seconds."
- },
- {
- "name": "session_id",
- "type": "optional",
- "comment": "The unique identifier assigned to the login session."
- },
- {
- "name": "signature",
- "type": "optional",
- "condition": "signature_id=*",
- "comment": "A human-readable signature name."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
- },
- {
- "name": "user_id",
- "type": "optional",
- "comment": "The unique id of the user involved in the event."
- },
- {
- "name": "reason",
- "type": "optional",
- "validity": "if(action in ['success', 'failure'], action, null())",
- "comment": "The human-readable message associated with the authentication action (success or failure)."
- },
- {
- "name": "reason_id",
- "type": "optional",
- "comment": "The reason why logon failed. For example \\'0xC0000234\\'."
- },
- {
- "name": "process",
- "type": "optional",
- "comment": "Full path and the name of the executable for the process that attempted the logon. 
For example, it is a \\\"Process Name\\\" in Windows such as `C:\\\\Windows\\\\System32\\\\svchost.exe`."
- },
- {
- "name": "src_user",
- "condition": "src_user=* tag=privileged",
- "type": "conditional",
- "comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user."
- },
- {
- "name": "vendor_account",
- "type": "optional",
- "comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account."
- }
-
- ],
- "child_dataset": [
- {
- "name": "Failed_Authentication",
- "tags": [["authentication"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"failure\""
- },
- {
- "name": "Successful_Authentication",
- "tags": [["authentication"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"success\""
- },
- {
- "name": "Default_Authentication",
- "tags": [["authentication", "default"]],
- "fields_cluster": [],
- "fields": [],
- "search_constraints": "tag=\"default\"",
- "child_dataset": [
- {
- "name": "Failed_Default_Authentication",
- "tags": [["authentication", "default"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"failure\""
- },
- {
- "name": "Successful_Default_Authentication",
- "tags": [["authentication", "default"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"success\""
- }
- ]
- },
- {
- "name": "Insecure_Authentication",
- "tags": [["authentication", "insecure"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=\"insecure\" OR tag=\"cleartext\""
- },
- {
- "name": "Privileged_Authentication",
- "tags": [["authentication", "privileged"]],
- "fields_cluster": [],
- "fields": [],
- 
"search_constraints": "tag=\"privileged\"",
- "child_dataset": [
- {
- "name": "Failed_Privileged_Authentication",
- "tags": [["authentication", "privileged"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"failure\""
- },
- {
- "name": "Successful_Privileged_Authentication",
- "tags": [["authentication", "privileged"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"success\""
- }
- ]
- }
- ],
- "search_constraints": "tag=authentication NOT (action=success user=*$)"
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Certificates.json b/splunk-cim-models/splunk_cim_models/data_models/Certificates.json
deleted file mode 100644
index 4fd87347..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Certificates.json
+++ /dev/null
@@ -1,239 +0,0 @@
-{
- "model_name": "Certificates",
- "version": "1.0.0",
- "objects":[
- {
- "name": "All_Certificates",
- "tags": [
- ["certificate"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=certificate",
- "fields": [
- {
- "name": "dest",
- "type": "optional",
- "comment":"The target in the certificate management event."
- },
- {
- "name": "dest_port",
- "type": "optional",
- "validity": "if(isnum(dest_port),dest_port,null())",
- "comment":"The port number of the target."
- },
- {
- "name": "dest_priority",
- "type": "optional",
- "comment":"The priority of the target."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration,null())",
- "comment":"The amount of time for the completion of the certificate management event, in seconds."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time),response_time,null())",
- "comment":"The amount of time it took to receive a response in the certificate management event, if applicable."
- },
- {
- "name": "src",
- "type": "optional",
- "comment":"The source involved in the certificate management event. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host."
- },
- {
- "name": "src_port",
- "type": "optional",
- "validity": "if(isnum(src_port),src_port,null())",
- "comment":"The port number of the source."
- },
- {
- "name": "src_priority",
- "type": "optional",
- "comment":"The priority of the certificate management source."
- },
- {
- "name": "transport",
- "type": "optional",
- "comment":"The transport protocol of the Network Traffic involved with this certificate."
- }
- ],
- "child_dataset": [
- {
- "name":"SSL",
- "tags": [
- ["certificate","ssl"]
- ],
- "search_constraints":"(tag=ssl OR tag=tls)",
- "fields_cluster":[],
- "fields":[
- {
- "name": "ssl_end_time",
- "type": "required",
- "comment":"The expiry time of the certificate. 
Needs to be converted to UNIX time for calculations in dashboards."
- },
- {
- "name": "ssl_engine",
- "type": "optional",
- "comment":"The name of the signature engine that created the certificate."
- },
- {
- "name": "ssl_hash",
- "type": "required",
- "comment":"The hash of the certificate."
- },
- {
- "name": "ssl_is_valid",
- "type": "optional",
- "expected_values":[
- "true",
- "false",
- "1",
- "0"
- ],
- "comment":"Indicator of whether the ssl certificate is valid or not."
- },
- {
- "name": "ssl_issuer",
- "type": "required",
- "comment":"The certificate issuer's RFC2253 Distinguished Name."
- },
- {
- "name": "ssl_issuer_common_name",
- "type": "required",
- "comment":"The certificate issuer's common name."
- },
- {
- "name": "ssl_issuer_email",
- "type": "optional",
- "comment":"The certificate issuer's email address."
- },
- {
- "name": "ssl_issuer_email_domain",
- "type": "optional",
- "comment":"The domain name contained within the certificate issuer's email address."
- },
- {
- "name": "ssl_issuer_locality",
- "type": "optional",
- "comment":"The certificate issuer's locality."
- },
- {
- "name": "ssl_issuer_organization",
- "type": "optional",
- "comment":"The certificate issuer's organization."
- },
- {
- "name": "ssl_issuer_street",
- "type": "optional",
- "comment":"The certificate issuer's street address."
- },
- {
- "name": "ssl_issuer_unit",
- "type": "optional",
- "comment":"The certificate issuer's organizational unit."
- },
- {
- "name": "ssl_name",
- "type": "optional",
- "comment":"The name of the ssl certificate."
- },
- {
- "name": "ssl_policies",
- "type": "optional",
- "comment":"The Object Identification Numbers's of the certificate's policies in a comma separated string."
- },
- {
- "name": "ssl_publickey",
- "type": "optional",
- "comment":"The certificate's public key."
- },
- {
- "name": "ssl_publickey_algorithm",
- "type": "optional",
- "comment":"The algorithm used to create the public key."
- },
- {
- "name": "ssl_serial",
- "type": "required",
- "comment":"The certificate's serial number."
- },
- {
- "name": "ssl_session_id",
- "type": "optional",
- "comment":"The session identifier for this certificate."
- },
- {
- "name": "ssl_signature_algorithm",
- "type": "optional",
- "comment":"The algorithm used by the Certificate Authority to sign the certificate."
- },
- {
- "name": "ssl_start_time",
- "type": "required",
- "comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards."
- },
- {
- "name": "ssl_subject",
- "type": "required",
- "comment":"The certificate owner's RFC2253 Distinguished Name."
- },
- {
- "name": "ssl_subject_common_name",
- "type": "required",
- "comment":"This certificate owner's common name."
- },
- {
- "name": "ssl_subject_email",
- "type": "optional",
- "comment":"The certificate owner's e-mail address."
- },
- {
- "name": "ssl_subject_email_domain",
- "type": "optional",
- "comment":"The domain name contained within the certificate subject's email address."
- },
- {
- "name": "ssl_subject_locality",
- "type": "optional",
- "comment":"The certificate owner's locality."
- },
- {
- "name": "ssl_subject_organization",
- "type": "required",
- "comment":"The certificate owner's organization."
- },
- {
- "name": "ssl_subject_state",
- "type": "optional",
- "comment":"The certificate owner's state of residence."
- },
- {
- "name": "ssl_subject_street",
- "type": "optional",
- "comment":"The certificate owner's street address."
- },
- {
- "name": "ssl_subject_unit",
- "type": "optional",
- "comment":"The certificate owner's organizational unit."
- },
- {
- "name": "ssl_validity_window",
- "type": "required",
- "validity": "if(isnum(ssl_validity_window),ssl_validity_window,null())",
- "comment":"The length of time (in seconds) for which this certificate is valid."
- },
- {
- "name": "ssl_version",
- "type": "optional",
- "comment":"The ssl version of this certificate."
- }
- ],
- "child_dataset": []
- }
- ]
- }]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Change.json b/splunk-cim-models/splunk_cim_models/data_models/Change.json
deleted file mode 100644
index fd87dc57..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Change.json
+++ /dev/null
@@ -1,312 +0,0 @@
-{
- "model_name": "Change",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Changes",
- "tags": [["change"]],
- "fields_cluster": [],
- "search_constraints": "tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)",
- "fields": [
- {
- "name": "action",
- "type": "required",
- "validity": "if(like(action,'%\\\"%'),null(),action)",
- "comment": "The action performed on the resource."
- },
- {
- "name": "change_type",
- "type": "required",
- "comment": "The type of change, such as filesystem or AAA (authentication, authorization, and accounting)."
- },
- {
- "name": "command",
- "type": "required",
- "comment": "The command that initiated the change."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The resource where change occurred. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment": "The device that reported the change, if applicable, such as a FIP or CIM server. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name."
- },
- {
- "name": "object",
- "type": "required",
- "comment": "Name of the affected object on the resource (such as a router interface, user account, or server volume)."
- },
- {
- "name": "object_attrs",
- "multi_value": true,
- "validity": "if(like(object_attrs,'%\\\"%'),null(),object_attrs)",
- "type": "required",
- "comment": "The attributes that were updated on the updated resource object, if applicable."
- },
- {
- "name": "object_category",
- "validity": "if((tag==\"account\" AND object_category==\"user\") OR (tag!=\"account\" AND object_category!=\"user\"),object_category, null())",
- "type": "required",
- "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
- },
- {
- "name": "object_id",
- "validity": "if(like(object_id,'%\\\"%'),null(),object_id)",
- "type": "required",
- "comment": "The unique updated resource object ID as presented to the system, if applicable (for instance, a SID, UUID, or GUID value)."
- },
- {
- "name": "object_path",
- "validity": "if(like(object_path,'%\\\"%'),null(),object_path)",
- "type": "optional",
- "comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)."
- },
- {
- "name": "result",
- "condition": "status=failure",
- "type": "conditional",
- "comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types."
- },
- {
- "name": "result_id",
- "type": "optional",
- "comment": "A result indicator for an action status."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name."
- },
- {
- "name": "status",
- "type": "required",
- "expected_values": ["success", "failure"],
- "comment": "Status of the update."
- },
- {
- "name": "tag",
- "type": "optional",
- "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)."
- },
- {
- "name": "user_agent",
- "type": "optional",
- "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
- },
- {
- "name": "user_name",
- "type": "optional",
- "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)."
- },
- {
- "name": "user_type",
- "type": "optional",
- "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
- },
- {
- "name": "vendor_account",
- "type": "optional",
- "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
- },
- {
- "name": "vendor_region",
- "type": "optional",
- "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product or service that detected the change. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [
- {
- "name": "Account_Management",
- "tags": [["change", "account"]],
- "fields_cluster": [],
- "search_constraints": "tag=account",
- "fields": [
- {
- "name": "dest_nt_domain",
- "type": "optional",
- "comment": "The NT domain of the destination, if applicable."
- },
- {
- "name": "src_nt_domain",
- "type": "optional",
- "comment": "The NT domain of the source, if applicable."
- },
- {
- "name": "src_user",
- "type": "conditional",
- "condition": "object_category=user",
- "comment": "For account changes, the user or entity performing the change."
- },
- {
- "name": "src_user_type",
- "type": "optional",
- "comment": "For account management events, this should represent the type of the user changed by the request."
- },
- {
- "name": "src_user_name",
- "type": "optional",
- "comment": "For account changes, the user name of the user or entity performing the change."
- }
- ],
- "child_dataset": [
- {
- "name": "Accounts_Created",
- "tags": [["change", "account"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"created\""
- },
- {
- "name": "Accounts_Deleted",
- "tags": [["change", "account"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"deleted\""
- },
- {
- "name": "Account_Lockouts",
- "tags": [["change", "account"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "result=\"lockout\""
- },
- {
- "name": "Accounts_Updated",
- "tags": [["change", "account"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=\"updated\" OR action=\"modified\""
- }
- ]
- },
- {
- "name": "Auditing_Changes",
- "tags": [["change", "audit"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=audit"
- },
- {
- "name": "Endpoint_Changes",
- "tags": [["change", "endpoint"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [
- {
- "name": "Endpoint_Restarts",
- "tags": [["change", "endpoint"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=modified change_type=restart"
- },
- {
- "name": "Other_Endpoint_Changes",
- "tags": [["change", "endpoint"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "NOT change_type=restart"
- }
- ],
- "search_constraints": "tag=endpoint"
- },
- {
- "name": "Instance_Changes",
- "tags": [["change", "instance"]],
- "fields_cluster": [],
- "search_constraints": "tag=instance",
- 
"fields": [
- {
- "name": "image_id",
- "type": "required",
- "comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more."
- },
- {
- "name": "instance_type",
- "type": "required",
- "comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Network_Changes",
- "tags": [["change", "network"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "dest_ip_range",
- "type": "optional",
- "comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32."
- },
- {
- "name": "dest_port_range",
- "type": "optional",
- "comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443."
- },
- {
- "name": "direction",
- "type": "optional",
- "comment": "For network events, this field represents whether the traffic is inbound or outbound."
- },
- {
- "name": "protocol",
- "type": "optional",
- "comment": "This field represents the protocol for the network event rule."
- },
- {
- "name": "rule_action",
- "type": "optional",
- "comment": "For network events, this field represents whether to allow or deny traffic."
- },
- {
- "name": "src_ip_range",
- "type": "optional",
- "comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation."
- },
- {
- "name": "src_port_range",
- "type": "optional",
- "comment": "For network events, this field represents source port or range. 
For example, 80 or 8000 - 8080 or 80,443"
- },
- {
- "name": "device_restarts",
- "type": "optional",
- "comment": "Monitor all infrastructure device restarts."
- }
- ],
- "child_dataset": [
- {
- "name": "Device_Restarts",
- "tags": [["change", "network"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=modified change_type=restart"
- }
- ],
- "search_constraints": "tag=network"
- }
- ]
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json b/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json
deleted file mode 100644
index a08e5606..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Compute_Inventory.json
+++ /dev/null
@@ -1,405 +0,0 @@ -{ - "model_name": "Compute_Inventory", - "version": "1.0.0", - "objects": [ - { - "name": "All_Inventory", - "tags": [["inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=inventory (tag=cpu OR tag=memory OR tag=network OR tag=storage OR (tag=system tag=version) OR tag=user OR tag=virtual)", - "fields": [ - { - "name": "dest", - "type": "required", - "comment": "The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." - }, - { - "name": "description", - "type": "optional", - "comment": "The description of the inventory system." - }, - { - "name": "dest_bunit", - "type": "optional", - "comment": "The business unit of the system where the data originated. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." - }, - { - "name": "dest_category", - "type": "optional", - "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." - }, - { - "name": "dest_priority", - "type": "optional", - "comment": "The priority of the system where the data originated." - }, - { - "name": "enabled", - "type": "optional", - "comment": "Indicates whether the resource is enabled or disabled." - }, - { - "name": "family", - "type": "optional", - "comment": "The product family of the resource, such as 686_64 or RISC." - }, - { - "name": "hypervisor_id", - "type": "optional", - "comment": "The hypervisor identifier, if applicable." - }, - { - "name": "serial", - "type": "optional", - "comment": "The serial number of the resource." 
- }, - { - "name": "status", - "type": "optional", - "comment": "The current reported state of the resource." - }, - { - "name": "version", - "type": "optional", - "comment": "The version of a computer resource, such as 2008r2 or 3.0.0." - }, - { - "name": "tag", - "type": "optional", - "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." - }, - { - "name": "vendor_product", - "type": "required", - "comment": "The vendor and product name of the resource, such as Cisco Catalyst 3850. This field can be automatically populated by vendor and product fields in your data." - } - ], - "child_dataset": [ - { - "name": "CPU", - "tags": [ - ["cpu","inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=cpu", - "fields": [ - { - "name": "cpu_cores", - "type": "required", - "comment": "The number of CPU cores reported by the resource (total, not per CPU)." - }, - { - "name": "cpu_count", - "type": "required", - "comment": "The number of CPUs reported by the resource." - }, - { - "name": "cpu_mhz", - "type": "required", - "comment": "The maximum speed of the CPU reported by the resource (in megahertz)." - } - ], - "child_dataset": [] - }, - { - "name": "Memory", - "tags": [["memory"] - ], - "fields_cluster": [], - "search_constraints": "tag=memory", - "fields": [ - { - "name": "mem", - "type": "required", - "comment": "The total amount of memory installed in or allocated to the resource, in megabytes." - } - ], - "child_dataset": [] - }, - { - "name": "Network", - "tags": [ - ["network", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=network", - "fields": [ - { - "name": "dns", - "type": "required", - "comment": "The domain name server for the resource." - }, - { - "name": "interface", - "type": "required", - "comment": "The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface." 
- }, - { - "name": "ip", - "type": "required", - "comment": "The network addresses of the computing resource, such as 192.168.1.1 or E80:0000:0000:0000:0202:B3FF:FE1E:8329." - }, - { - "name": "dest_ip", - "type": "optional", - "comment": "The IP address for the system that the data is going to." - }, - { - "name": "src_ip", - "type": "optional", - "comment": "The IP address for the system from which the data originates." - }, - { - "name": "mac", - "type": "required", - "comment": "A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator." - }, - { - "name": "lb_method", - "type": "optional", - "comment": "The load balancing method used by the computing resource such as method, round robin, or least weight." - }, - { - "name": "node", - "type": "optional", - "comment": "Represents a node hit." - }, - { - "name": "inline_nat", - "type": "optional", - "comment": "Identifies whether the resource is a network address translation pool." - }, - { - "name": "vip_port", - "type": "optional", - "comment": "The port number for the virtual IP address (VIP). A VIP allows multiple MACs to use one IP address. VIPs are often used by load balancers." - }, - { - "name": "node_port", - "type": "optional", - "comment": "The number of the destination port on the server that you requested from." - }, - { - "name": "name", - "type": "required", - "comment": "A name field provided in some data sources." - } - ], - "child_dataset": [] - }, - { - "name": "Storage", - "tags": [["storage", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=storage", - "fields": [ - { - "name": "array", - "type": "optional", - "comment": "The array that the storage resource is a member of, if applicable." - }, - { - "name": "blocksize", - "type": "optional", - "comment": "The block size used by the storage resource, in kilobytes." 
- }, - { - "name": "cluster", - "type": "optional", - "comment": "The index cluster that the resource is a member of, if applicable." - }, - { - "name": "fd_max", - "type": "optional", - "comment": "The maximum number of file descriptors available." - }, - { - "name": "latency", - "type": "optional", - "comment": "The latency reported by the resource, in milliseconds." - }, - { - "name": "mount", - "type": "required", - "comment": "The path at which a storage resource is mounted." - }, - { - "name": "parent", - "type": "optional", - "comment": "A higher level object that this resource is owned by, if applicable." - }, - { - "name": "read_blocks", - "type": "optional", - "comment": "The maximum possible number of blocks read per second during a polling period." - }, - { - "name": "read_latency", - "type": "optional", - "comment": "For a polling period, the average amount of time elapsed until a read request is filled by the host disks (in ms)." - }, - { - "name": "read_ops", - "type": "optional", - "comment": "The total number of read operations in the polling period." - }, - { - "name": "storage", - "type": "required", - "comment": "The amount of storage capacity allocated to the resource, in megabytes." - }, - { - "name": "write_blocks", - "type": "optional", - "comment": "The maximum possible number of blocks written per second during a polling period." - }, - { - "name": "write_latency", - "type": "optional", - "comment": "For a polling period, the average amount of time elapsed until a write request is filled by the host disks (in ms)." - }, - { - "name": "write_ops", - "type": "optional", - "comment": "The total number of write operations in the polling period." 
- } - ], - "child_dataset": [] - }, - { - "name": "OS", - "tags": [ - ["system", "version", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=system OR tag=version", - "fields": [ - { - "name": "os", - "type": "required", - "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2. This field is constructed from vendor_product and version fields." - } - ], - "child_dataset": [] - }, - { - "name": "User", - "tags": [ - ["user", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=user", - "fields": [ - { - "name": "shell", - "type": "optional", - "comment": "Indicates the shell program used by a locally defined account." - }, - { - "name": "user_bunit", - "type": "optional", - "comment": "The business unit of the locally-defined user account. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." - }, - { - "name": "user_category", - "type": "optional", - "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." - }, - { - "name": "user_id", - "type": "optional", - "comment": "The user identification for a locally defined account." - }, - { - "name": "user_priority", - "type": "optional", - "comment": "The priority of a locally-defined account." - }, - { - "name": "interactive", - "type": "required", - "comment": "Indicates whether a locally defined account on a resource can be interactively logged in." - }, - { - "name": "password", - "type": "required", - "comment": "Displays the stored password(s) for a locally defined account, if it has any. 
For instance, an add-on may report the password column from \/etc\/passwd in this field" - }, - { - "name": "user", - "type": "required", - "comment": "The full name of a locally defined account." - } - ], - "child_dataset": [ - { - "name": "Cleartext_Passwords", - "tags": [ - ["user", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "password=*", - "fields": [], - "child_dataset": [] - }, - { - "name": "Default_Accounts", - "tags": [ - ["user", "inventory", "default"] - ], - "fields_cluster": [], - "search_constraints": "tag=default", - "fields": [], - "child_dataset": [] - } - ] - }, - { - "name": "Virtual_OS", - "tags": [ - ["virtual", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=virtual", - "fields": [ - { - "name": "hypervisor", - "type": "required", - "comment": "The hypervisor parent of a virtual guest OS." - } - ], - "child_dataset": [ - { - "name": "Snapshot", - "tags": [ - ["snapshot", "virtual", "inventory"] - ], - "fields_cluster": [], - "search_constraints": "tag=snapshot", - "fields": [ - { - "name": "size", - "type": "required", - "comment": "The snapshot file size, in megabytes." - }, - { - "name": "snapshot", - "type": "required", - "comment": "The name of a snapshot file." - }, - { - "name": "time", - "type": "optional", - "comment": "The time at which the snapshot was taken." - } - ], - "child_dataset": [] - } - ] - } - ] - } - ] -} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/DLP.json b/splunk-cim-models/splunk_cim_models/data_models/DLP.json deleted file mode 100644 index 33940918..00000000 --- a/splunk-cim-models/splunk_cim_models/data_models/DLP.json +++ /dev/null 
@@ -1,116 +0,0 @@
-{
- "model_name": "DLP",
- "version": "1.0.0",
- "objects": [
- {
- "name": "DLP Incidents",
- "tags": [["dlp", "incident"]],
- "search_constraints": "tag=dlp tag=incident",
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "comment": "The action taken by the DLP device."
- },
- {
- "name": "app",
- "type": "required",
- "comment": "The application involved in the event."
- },
- {
- "name": "category",
- "type": "required",
- "comment": "The category of the DLP event."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The target of the DLP event."
- },
- {
- "name": "dest_zone",
- "type": "optional",
- "comment": "The zone of the DLP target."
- },
- {
- "name": "dlp_type",
- "type": "required",
- "comment": "The type of DLP system that generated the event."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment": "The device that reported the DLP event."
- },
- {
- "name": "dvc_zone",
- "type": "optional",
- "comment": "The zone of the DLP device."
- },
- {
- "name": "object",
- "type": "required",
- "comment": "The name of the affected object."
- },
- {
- "name": "object_category",
- "type": "required",
- "comment": "The category of the affected object."
- },
- {
- "name": "object_path",
- "type": "required",
- "comment": "The path of the affected object."
- },
- {
- "name": "severity",
- "type": "required",
- "comment": "The severity of the DLP event."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "The name of the DLP event."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "src",
- "type": "optional",
- "comment": "The source of the DLP event."
- },
- {
- "name": "src_user",
- "type": "required",
- "comment": "The source user of the DLP event."
- },
- {
- "name": "src_zone",
- "type": "optional",
- "comment": "The zone of the DLP source."
- },
- {
- "name": "user",
- "type": "conditional",
- "condition": "dlp_type=email OR dlp_type=share_point OR dlp_type=o365 OR dlp_type=google.* OR dlp_type=GWS.*",
- "comment": "The target user of the DLP event."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the DLP system"
- }
- ],
- "child_dataset": []
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json b/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json
deleted file mode 100644
index 14eb065e..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Data_Access.json
+++ /dev/null
@@ -1,197 +0,0 @@
-{
- "model_name": "Data_Access",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Data_Access",
- "tags": [
- ["data", "access"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=data tag=access",
- "fields": [
- {
- "name": "action",
- "type": "required",
- "comment": "The data access action taken by the user."
- },
- {
- "name": "app",
- "type": "required",
- "comment": "he system, service, or application that generated the data access event. Examples include Onedrive, Sharepoint, drive, AzureActiveDirectory."
- },
- {
- "name": "application_id",
- "type": "optional",
- "comment": "Application ID of the user"
- },
- {
- "name": "object",
- "type": "required",
- "comment": "Resource object name on which the action was performed by a user."
- },
- {
- "name": "object_attrs",
- "type": "required",
- "comment": "The attributes that were updated on the updated resource object, if applicable."
- },
- {
- "name": "object_category",
- "type": "required",
- "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app."
- },
- {
- "name": "object_id",
- "type": "required",
- "comment": "The unique updated resource object ID as presented to the system, if applicable. For example, a source_folder_id, doc_id."
- },
- {
- "name": "object_path",
- "type": "optional",
- "comment": "The path of the modified resource object, if applicable, such as a file, directory, or volume."
- },
- {
- "name": "object_size",
- "type": "required",
- "comment": "The size of the modified resource object."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The destination where the data resides or where it is being accessed, such as the product or application. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, dest_url or dest_name."
- },
- {
- "name": "dest_name",
- "type": "optional",
- "comment": "Name of the destination as defined by the Vendor."
- },
- {
- "name": "dest_type",
- "type": "optional",
- "comment": "The type of the destination object, such as 'instance', 'storage', 'firewall', 'printer'."
- },
- {
- "name": "dest_url",
- "type": "optional",
- "comment": "Url of the product, application or object."
- },
- {
- "name": "dvc",
- "type": "optional",
- "comment": "The device that reported the data access event."
- },
- {
- "name": "email",
- "type": "optional",
- "comment": "The email address of the user involved in the event, or who initiated the event."
- },
- {
- "name": "owner",
- "type": "optional",
- "comment": "Resource owner."
- },
- {
- "name": "owner_id",
- "type": "optional",
- "comment": "ID of the owner as defined by the vendor."
- },
- {
- "name": "owner_email",
- "type": "optional",
- "comment": "Email of the resource owner."
- },
- {
- "name": "parent_object",
- "type": "optional",
- "comment": "Parent of the object name on which the action was performed by a user."
- },
- {
- "name": "parent_object_category",
- "type": "optional",
- "comment": "Object category of the parent object on which action was performed by a user."
- },
- {
- "name": "parent_object_id",
- "type": "optional",
- "comment": "Object id of the parent object on which the action was performed by a user."
- },
- {
- "name": "signature",
- "type": "optional",
- "comment": "A human-readable signature name."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The endpoint client host."
- },
- {
- "name": "user_agent",
- "type": "optional",
- "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4."
- },
- {
- "name": "user_email",
- "type": "optional",
- "comment": "The email address of the user involved in the event, or who initiated the event."
- },
- {
- "name": "user_group",
- "type": "optional",
- "comment": "The group of the user involved in the event, or who initiated the event."
- },
- {
- "name": "user_id",
- "type": "optional",
- "comment": "The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation."
- },
- {
- "name": "user_name",
- "type": "required",
- "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name for user or entity performing the change)"
- },
- {
- "name": "user_role",
- "type": "optional",
- "comment": "The role of the user involved in the event, or who initiated the event."
- },
- {
- "name": "user_type",
- "type": "optional",
- "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request."
- },
- {
- "name": "vendor_account",
- "type": "required",
- "comment": "The account that manages the user that initiated the request."
- },
- {
- "name": "vendor_product_id",
- "type": "optional",
- "comment": "The vendor and product name ID as defined by the vendor."
- },
- {
- "name": "vendor_region",
- "type": "optional",
- "comment": "The data center region where the change occurred, such as us-west-2."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user involved in the event, or who initiated the event."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the vendor."
- }
- ],
- "child_dataset": []
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Databases.json b/splunk-cim-models/splunk_cim_models/data_models/Databases.json
deleted file mode 100644
index 00df6911..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Databases.json
+++ /dev/null
@@ -1,490 +0,0 @@ -{ - "model_name": "Databases", - "version": "1.0.0", - "objects": [ - { - "name": "All_Databases", - "tags": [["database"]], - "fields_cluster": [], - "search_constraints": "tag=database", - "fields": [ - { - "name": "dest", - "type": "optional", - "comment": "The destination of the database event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." - }, - { - "name": "dest_bunit", - "type": "optional", - "comment": "The business unit of the destination." - }, - { - "name": "dest_category", - "type": "optional", - "comment": "The category of the destination." - }, - { - "name": "dest_priority", - "type": "optional", - "comment": "The priority of the destination." - }, - { - "name": "duration", - "type": "optional", - "comment": "The amount of time for the completion of the database event, in seconds." - }, - { - "name": "object", - "type": "optional", - "comment": "The name of the database object." - }, - { - "name": "response_time", - "type": "optional", - "comment": "The amount of time it took to receive a response in the database event, in seconds." - }, - { - "name": "src", - "type": "optional", - "comment": "The source of the database event. You can alias this from more specific fields, such as src_host, src_ip, or src_name." - }, - { - "name": "src_bunit", - "type": "optional", - "comment": "The business unit of the source." - }, - { - "name": "src_category", - "type": "optional", - "comment": "The category of the source." - }, - { - "name": "src_priority", - "type": "optional", - "comment": "The priority of the source." - }, - { - "name": "tag", - "type": "optional", - "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." - }, - { - "name": "user", - "type": "optional", - "comment": "Name of the database process user." - }, - { - "name": "user_bunit", - "type": "optional", - "comment": "The business unit of the user." 
- }, - { - "name": "user_category", - "type": "optional", - "comment": "The category associated with the user." - }, - { - "name": "user_priority", - "type": "optional", - "comment": "The priority of the user." - }, - { - "name": "vendor_product", - "type": "optional", - "comment": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data." - } - ], - "child_dataset": [ - { - "name": "Database_Instance", - "tags": [ - ["instance", "database"] - ], - "search_constraints":"tag=instance", - "fields_cluster":[], - "fields":[ - { - "name": "instance_name", - "type": "optional", - "comment": "The name of the database instance." - }, - { - "name": "instance_version", - "type": "optional", - "comment": "The version of the database instance." - }, - { - "name": "session_limit", - "type": "optional", - "comment": "The maximum number of sessions that the database instance can handle." - }, - { - "name": "process_limit", - "type": "optional", - "comment": "The maximum number of processes that the database instance can handle." - } - ], - "child_dataset": [ - { - "name": "Instance_Stats", - "tags": [ - ["stats", "instance", "database"] - ], - "search_constraints":"tag=stats", - "fields_cluster":[], - "fields":[ - { - "name": "availability", - "type": "optional", - "expected_values": [ - "Available", - "Not Available" - ], - "comment": "The status of the database server." - }, - { - "name": "avg_executions", - "type": "optional", - "comment": "The average number of executions for the database instance." - }, - { - "name": "dump_area_used", - "type": "optional", - "comment": "The amount of the database dump area that has been used." - }, - { - "name": "number_of_users", - "type": "optional", - "comment": "The total number of users for the database instance." - }, - { - "name": "start_time", - "type": "optional", - "comment": "The total amount of uptime for the database instance." 
- }, - { - "name": "sessions", - "type": "optional", - "comment": "The total number of sessions currently in use for the database instance." - }, - { - "name": "processes", - "type": "optional", - "comment": "The number of processes currently running for the database instance." - }, - { - "name": "tablespace_used", - "type": "optional", - "comment": "The total amount of tablespace used for the database instance, in bytes." - }, - { - "name": "instance_reads", - "type": "optional", - "comment": "The total number of reads for the database instance." - }, - { - "name": "instance_writes", - "type": "optional", - "comment": "The total number of writes for the database instance." - }, - { - "name": "sga_buffer_cache_size", - "type": "optional", - "comment": "The total size of the buffer cache for the database instance, in bytes." - }, - { - "name": "sga_data_dict_hit_ratio", - "type": "optional", - "comment": "The hit-to-miss ratio for the database instance's data dictionary." - }, - { - "name": "sga_buffer_hit_limit", - "type": "optional", - "comment": "The maximum number of buffers that can be hit in the database instance without finding a free buffer." - }, - { - "name": "sga_library_cache_size", - "type": "optional", - "comment": "The total library cache size for the database instance, in bytes." - }, - { - "name": "sga_fixed_area_size", - "type": "optional", - "comment": "The size of the fixed area (also referred to as the fixed SGA) for the database instance, in bytes." - }, - { - "name": "sga_free_memory", - "type": "optional", - "comment": "The total amount of free memory in the database instance SGA, in bytes." - }, - { - "name": "sga_shared_pool_size", - "type": "optional", - "comment": "The total size of the shared pool for this database instance, in bytes." - }, - { - "name": "sga_redo_log_buffer_size", - "type": "optional", - "comment": "The total size of the redo log buffer for the database instance, in bytes." 
- }, - { - "name": "sga_sql_area_size", - "type": "optional", - "comment": "The total size of the SQL area for this database instance, in bytes." - } - ], - "child_dataset": [] - }, - { - "name": "Session_Info", - "tags": [ - ["session", "database", "database"] - ], - "search_constraints":"tag=session", - "fields_cluster":[], - "fields":[ - { - "name": "session_id", - "type": "optional", - "comment": "The unique id that identifies the session." - }, - { - "name": "session_status", - "type": "optional", - "expected_values": [ - "Online", - "Offline" - ], - "comment": "The current status of the session." - }, - { - "name": "machine", - "type": "optional", - "comment": "The name of the logical host associated with the database instance." - }, - { - "name": "elapsed_time", - "type": "optional", - "comment": "The total amount of time elapsed since the user started the session by logging into the database server, in seconds." - }, - { - "name": "cpu_used", - "type": "optional", - "comment": "The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds." - }, - { - "name": "memory_sorts", - "type": "optional", - "comment": "The total number of memory sorts performed during the session." - }, - { - "name": "table_scans", - "type": "optional", - "comment": "Number of table scans performed during the session." - }, - { - "name": "physical_reads", - "type": "optional", - "comment": "The total number of physical reads performed during the session." - }, - { - "name": "logical_reads", - "type": "optional", - "comment": "The total number of consistent gets and database block gets performed during the session." - }, - { - "name": "commits", - "type": "optional", - "comment": "The number of commits per second performed by the user associated with the session." - }, - { - "name": "cursor", - "type": "optional", - "comment": "The number of the cursor currently in use by the session." 
- }, - { - "name": "buffer_cache_hit_ratio", - "type": "optional", - "comment": "The percentage of logical reads from the buffer during the session (1-physical reads\/session logical reads*100)." - }, - { - "name": "wait_state", - "type": "optional", - "expected_values": [ - "WAITING", - "WAITED UNKNOWN", - "WAITED SHORT TIME", - "WAITED KNOWN TIME" - ], - "comment": "Provides the current wait state for the session. Can indicate that the session is currently waiting or provide information about the session's last wait. WAITING indicates the session is currently waiting, WAITED UNKNOWN TIME indicates the duration of the last session wait is unknown, WAITED SHORT TIME indicates the last session wait was < 1\/100th of a second, WAITED KNOWN TIME indicates the wait_time is the duration of the last session wait." - }, - { - "name": "wait_time", - "type": "optional", - "comment": "When wait_time = 0, the session is waiting. When wait_time has a nonzero value, it is displaying the last wait time for the session." - }, - { - "name": "seconds_in_wait", - "type": "optional", - "comment": "The seconds_in_wait depends on the value of wait_time. If wait_time = 0, seconds_in_wait is the number of seconds spent in the current wait condition. If wait_time has a nonzero value, seconds_in_wait is the number of seconds that have elapsed since the start of the last wait. You can get the active seconds that have elapsed since the last wait ended by calculating seconds_in_wait - wait_time \/ 100." - } - ], - "child_dataset": [] - - }, - { - "name": "Lock_Info", - "tags": [ - ["lock", "instance", "database"] - ], - "search_constraints":"tag=lock", - "fields_cluster":[], - "fields":[ - { - "name": "obj_name", - "type": "optional", - "comment": "The name of the locked object." - }, - { - "name": "lock_session_id", - "type": "optional", - "comment": "The session identifier of the locked object." 
- }, - { - "name": "serial_num", - "type": "optional", - "comment": "The serial number of the object." - }, - { - "name": "lock_mode", - "type": "optional", - "comment": "The mode of the lock on the object." - }, - { - "name": "os_pid", - "type": "optional", - "comment": "The process identifier for the operating system." - }, - { - "name": "last_call_minute", - "type": "optional", - "comment": "Represents the amount of time elapsed since the session_status changed to its current status. The definition of this field depends on the session_status value. If session_status = ONLINE, the last_call_minute value represents the time elapsed since the session became active. If session_status = OFFLINE, the last_call_minute value represents the time elapsed since the session became inactive." - }, - { - "name": "logon_time", - "type": "optional", - "comment": "The database logon time for the session." - } - ], - "child_dataset": [] - } - ] - - }, - { - "name": "Database_Query", - "tags": [ - ["query", "database"] - ], - "search_constraints":"tag=query", - "fields_cluster":[], - "fields":[ - { - "name": "query", - "type": "optional", - "comment": "The full database query." - }, - { - "name": "query_id", - "type": "optional", - "comment": "The identifier for the database query." - }, - { - "name": "query_time", - "type": "optional", - "comment": "The time the system initiated the database query." - }, - { - "name": "records_affected", - "type": "optional", - "comment": "The number of records affected by the database query." - } - ], - "child_dataset": [ - { - "name": "Tablespace", - "tags": [ - ["tablespace", "query", "database"] - ], - "search_constraints":"tag=tablespace", - "fields_cluster":[], - "fields":[ - { - "name": "tablespace_name", - "type": "optional", - "comment": "The name of the tablespace." - }, - { - "name": "tablespace_status", - "type": "optional", - "expected_values": [ - "Offline", - "Online", - "Read Only" - ], - "comment": "The status of the tablespace." 
- }, - { - "name": "free_bytes", - "type": "optional", - "comment": "The total amount of free space in the tablespace, in bytes." - }, - { - "name": "tablespace_reads", - "type": "optional", - "comment": "The number of tablespace reads carried out by the query." - }, - { - "name": "tablespace_writes", - "type": "optional", - "comment": "The number of tablespace writes carried out by the query." - } - ], - "child_dataset": [] - }, - { - "name": "Query_Stats", - "tags": [["stats", "query", "stats"]], - "search_constraints":"tag=stats", - "fields_cluster":[], - "fields":[ - { - "name": "stored_procedures_called", - "type": "optional", - "comment": "The names of the stored procedures called by the query." - }, - { - "name": "tables_hit", - "type": "optional", - "comment": "The names of the tables hit by the query." - }, - { - "name": "indexes_hit", - "type": "optional", - "comment": "The names of the indexes hit by the database query." - }, - { - "name": "query_plan_hit", - "type": "optional", - "comment": "The name of the query plan hit by the query." - } - ], - "child_dataset": [] - } - ] - - } - ] - } - ] -} \ No newline at end of file diff --git a/splunk-cim-models/splunk_cim_models/data_models/Email.json b/splunk-cim-models/splunk_cim_models/data_models/Email.json deleted file mode 100644 index d5d61c6f..00000000 --- a/splunk-cim-models/splunk_cim_models/data_models/Email.json +++ /dev/null 
@@ -1,251 +0,0 @@
-{
- "model_name": "Email",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All Email",
- "tags": [["email"]],
- "search_constraints": "tag=email",
- "fields_cluster": [["recipient", "recipient_count"]],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["delivered", "blocked", "quarantined", "deleted"],
- "comment": "Action taken by the reporting device"
- },
- {
- "name": "delay",
- "type": "optional",
- "validity": "if(isnum(delay),delay,null())",
- "comment": "Total sending delay in milliseconds"
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The endpoint system to which the message was delivered"
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration, null())",
- "comment": "The amount of time for the completion of the messaging event, in seconds."
- },
- {
- "name": "file_hash",
- "type": "optional",
- "comment": "The hashes for the files attached to the message, if any exist."
- },
- {
- "name": "file_name",
- "type": "optional",
- "comment": "The names of the files attached to the message, if any exist."
- },
- {
- "name": "file_size",
- "type": "optional",
- "validity": "if(isnum(file_size),file_size, null())",
- "comment": "The size of the files attached the message, in bytes."
- },
- {
- "name": "internal_message_id",
- "type": "required",
- "comment": "Host-specific unique message identifier (such as aid in sendmail, IMI in Domino, Internal-Message-ID in Exchange, and MID in Ironport)."
- },
- {
- "name": "message_id",
- "type": "required",
- "comment": "The globally-unique message identifier."
- },
- {
- "name": "message_info",
- "type": "optional",
- "comment": "Additional information about the message."
- },
- {
- "name": "orig_dest",
- "type": "optional",
- "comment": "The original destination host of the message. The message destination host can change when a message is relayed or bounced."
- },
- {
- "name": "orig_recipient",
- "type": "optional",
- "comment": "The original recipient of the message. The message recipient can change when the original email address is an alias and has to be resolved to the actual recipient."
- },
- {
- "name": "orig_src",
- "type": "optional",
- "comment": "The original source of the message."
- },
- {
- "name": "process",
- "type": "conditional",
- "condition": "process_id=*",
- "comment": "The name of the email executable that carries out the message transaction, such as sendmail, postfix, or the name of an email client."
- },
- {
- "name": "process_id",
- "type": "optional",
- "validity": "if(isnum(process_id), process_id, null())",
- "comment": "The numeric identifier of the process invoked to send the message."
- },
- {
- "name": "protocol",
- "type": "required",
- "expected_values": ["smtp", "imap", "pop3", "mapi"],
- "comment": "The email protocol involved, such as SMTP or RPC."
- },
- {
- "name": "recipient",
- "type": "required",
- "multi_value": true,
- "comment": "A field listing individual recipient email addresses, such as recipient='foo@splunk.com', recipient='bar@splunk.com'"
- },
- {
- "name": "recipient_count",
- "type": "required",
- "validity":"if(isnum(recipient_count) and recipient_count==mvcount(recipient),recipient_count, null())",
- "comment": "The total number of intended message recipients."
- },
- {
- "name": "recipient_domain",
- "type": "required",
- "comment": "The domain name contained within the recipient email addresses."
- },
- {
- "name": "recipient_status",
- "type": "optional",
- "comment": "The recipient delivery status, if available."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time),response_time, null())",
- "comment": "The amount of time it took to receive a response in the messaging event, in seconds."
- },
- {
- "name": "retries",
- "type": "optional",
- "validity": "if(isnum(retries),retries, null())",
- "comment": "The number of times that the message was automatically resent because it was bounced back, or a similar transmission error condition."
- },
- {
- "name": "return_addr",
- "type": "required",
- "comment": "The return address for the message."
- },
- {
- "name": "size",
- "type": "optional",
- "validity": "if(isnum(size),size, null())",
- "comment": "The size of the message, in bytes."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The system that sent the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
- },
- {
- "name": "src_user",
- "type": "required",
- "comment": "The email address of the message sender."
- },
- {
- "name": "status_code",
- "type": "conditional",
- "condition": "protocol=smtp",
- "validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))",
- "comment": "The status code associated with the message."
- },
- {
- "name": "src_user_domain",
- "type": "required",
- "comment": "The domain name contained within the email address of the message sender."
- },
- {
- "name": "subject",
- "type": "optional",
- "comment": "The subject of the message."
- },
- {
- "name": "url",
- "type": "optional",
- "comment": "The URL associated with the message, if any."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user context for the process. This is not the email address for the sender. For that, look at the src_user field."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product of the email server used for the email transaction. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "xdelay",
- "type": "optional",
- "comment": "Extended delay information for the message transaction. 
May contain details of all the delays from all the servers in the message transmission chain."
- },
- {
- "name": "xref",
- "type": "optional",
- "comment": "An external reference. Can contain message IDs or recipient addresses from related messages."
- }
- ],
- "child_dataset": [
- {
- "name": "Delivery",
- "tags": [["email", "delivery"]],
- "fields_cluster": [],
- "search_constraints": "tag=delivery",
- "fields": [],
- "child_dataset": []
- },
- {
- "name": "Content",
- "tags": [["email", "content"]],
- "fields_cluster": [],
- "search_constraints": "tag=content",
- "fields": [],
- "child_dataset": []
- },
- {
- "name": "Filtering",
- "tags": [["email", "filter"]],
- "fields_cluster": [],
- "search_constraints": "tag=filter",
- "fields": [
- {
- "name": "filter_action",
- "type": "optional",
- "comment": "The status produced by the filter, such as 'accepted', 'rejected', or 'dropped'"
- },
- {
- "name": "filter_score",
- "type": "optional",
- "validity": "if(isnum(filter_score),filter_score, null())",
- "comment": "Numeric indicator assigned to specific emails by an email filter"
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "The name of the filter applied."
- },
- {
- "name": "signature_extra",
- "type": "optional",
- "comment": "Any additional information about the filter."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The id associated with the filter name."
- }
- ],
- "child_dataset": []
- }
- ]
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json b/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json
deleted file mode 100644
index 2f9b2ee4..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Endpoint.json
+++ /dev/null
@@ -1,639 +0,0 @@
-{
- "model_name": "Endpoint",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Ports",
- "tags": [["listening", "port"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "creation_time",
- "type": "optional",
- "comment": "The time at which the network port started listening on the endpoint."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The endpoint on which the port is listening.Expression: if(isnull(dest) OR dest=\"\",\"unknown\",dest)"
- },
- {
- "name": "dest_port",
- "type": "required",
- "validity": "if(isnum(dest_port),dest_port,null())",
- "comment": "Network port listening on the endpoint, such as 53."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_timesync",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_update",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "process_guid",
- "type": "optional",
- "comment": "The globally unique identifier of the process assigned by the vendor_product."
- },
- {
- "name": "process_id",
- "type": "optional",
- "comment": "The numeric identifier of the process assigned by the operating system."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The 'remote' system connected to the listening port (if applicable)."
- },
- {
- "name": "src_port",
- "type": "required",
- "validity": "if(isnum(src_port),src_port,null())",
- "comment": "The 'remote' port connected to the listening port (if applicable)."
- },
- {
- "name": "src_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "src_should_timesync",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "src_should_update",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "state",
- "type": "required",
- "expected_values": ["listening"],
- "comment": "The status of the listening port, such as listening, etc."
- },
- {
- "name": "transport",
- "type": "required",
- "comment": "The network transport protocol associated with the listening port, such as tcp, udp, etc."
- },
- {
- "name": "transport_dest_port",
- "type": "required",
- "validity": "if(match(transport_dest_port, \"(?:tcp|udp|dccp|sctp)\\/(?:(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$)\"), transport_dest_port, null())",
- "comment": "Calculated as transport/dest_port, such as tcp/53."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user account associated with the listening port."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. 
This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=listening tag=port | eval transport=if(isnull(transport) OR transport=\"\",\"unknown\",transport),dest_port=if(isnull(dest_port) OR dest_port=\"\",0,dest_port),transport_dest_port=mvzip(transport,dest_port,\"/\") | mvexpand transport_dest_port"
- },
- {
- "name": "Processes",
- "tags": [["process", "report"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "comment": "The action taken by the endpoint, such as allowed, blocked, deferred."
- },
- {
- "name": "cpu_load_percent",
- "type": "optional",
- "validity": "if(isnum(cpu_load_percent),cpu_load_percent,null())",
- "comment": "CPU load consumed by the process (in percent)."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The endpoint for which the process was spawned."
- },
- {
- "name": "loaded_file",
- "type": "optional",
- "comment": "File that was loaded."
- },
- {
- "name": "mem_used",
- "type": "optional",
- "validity": "if(isnum(mem_used),mem_used,null())",
- "comment": "Memory used by the process (in bytes)."
- },
- {
- "name": "os",
- "type": "optional",
- "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2."
- },
- {
- "name": "original_file_name",
- "type": "optional",
- "comment": "Original name of the file, not including path."
- },
- {
- "name": "parent_process",
- "type": "required",
- "comment": "The full command string of the parent process."
- },
- {
- "name": "parent_process_exec",
- "type": "optional",
- "comment": "The executable name of the parent process."
- },
- {
- "name": "parent_process_id",
- "type": "required",
- "validity": "if(isnum(parent_process_id),parent_process_id,null())",
- "comment": "The numeric identifier of the parent process assigned by the operating system."
- },
- {
- "name": "parent_process_guid",
- "type": "optional",
- "comment": "The globally unique identifier of the parent process assigned by the vendor_product."
- },
- {
- "name": "parent_process_name",
- "type": "required",
- "comment": "The friendly name of the parent process, such as notepad.exe.",
- "validity": "if(match(parent_process_name,\"^[^\\\\\\/]+$\"),parent_process_name,null())"
- },
- {
- "name": "parent_process_path",
- "type": "required",
- "comment": "The file path of the parent process, such as C:\\Windows\\System32\notepad.exe."
- },
- {
- "name": "parent_process_hash",
- "type": "optional",
- "comment": "TThe digest(s) of the parent process, such as , , etc."
- },
- {
- "name": "process",
- "type": "required",
- "comment": "The full command string of the spawned process. Such as C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\SplunkUniversalForwarder\\etc\\system\\bin\\powershell.cmd\" --scheme\""
- },
- {
- "name": "process_current_directory",
- "type": "optional",
- "comment": "The current working directory used to spawn the process."
- },
- {
- "name": "process_exec",
- "type": "optional",
- "comment": "The executable name of the process."
- },
- {
- "name": "process_hash",
- "type": "optional",
- "comment": "The digests of the parent process, such as , , etc."
- },
- {
- "name": "process_guid",
- "type": "optional",
- "comment": "The globally unique identifier of the process assigned by the vendor_product."
- },
- {
- "name": "process_id",
- "type": "required",
- "validity": "if(isnum(process_id),process_id,null())",
- "comment": "The numeric identifier of the process assigned by the operating system."
- },
- {
- "name": "process_integrity_level",
- "type": "optional",
- "expected_values": ["system", "high", "medium", "low", "untrusted"],
- "comment": "The Windows integrity level of the process."
- },
- {
- "name": "process_name",
- "type": "required",
- "comment": "The friendly name of the process, such as notepad.exe.",
- "validity": "if(match(process_name,\"^[^\\\\\\/]+$\"),process_name,null())"
- },
- {
- "name": "process_path",
- "type": "required",
- "comment": "The file path of the process, such as C:\\Windows\\System32\notepad.exe."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user account that spawned the process.Expression: if(isnull(user) OR user=\"\",\"unknown\",user)"
- },
- {
- "name": "user_id",
- "type": "optional",
- "comment": "The unique identifier of the user account which spawned the process."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=process tag=report | eval process_integrity_level=lower(process_integrity_level)"
- },
- {
- "name": "Filesystem",
- "tags": [["endpoint", "filesystem"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": [
- "acl_modified",
- "created",
- "deleted",
- "modified",
- "read"
- ],
- "comment": "The action performed on the resource."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The endpoint pertaining to the filesystem activity."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_timesync",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. 
Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_update",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "file_access_time",
- "type": "optional",
- "comment": "The time that the file (the object of the event) was accessed."
- },
- {
- "name": "file_create_time",
- "type": "conditional",
- "condition": "action=created ",
- "comment": "The time that the file (the object of the event) was created."
- },
- {
- "name": "file_hash",
- "type": "conditional",
- "condition": "action=created or action=modified or action=read",
- "comment": "A cryptographic identifier assigned to the file object affected by the event."
- },
- {
- "name": "file_modify_time",
- "type": "conditional",
- "condition": "action=modified ",
- "comment": "The time that the file (the object of the event) was altered."
- },
- {
- "name": "file_name",
- "type": "required",
- "comment": "The name of the file, such as notepad.exe."
- },
- {
- "name": "file_path",
- "type": "required",
- "comment": "The path of the file, such as C:\\Windows\\System32\notepad.exe."
- },
- {
- "name": "file_acl",
- "type": "conditional",
- "condition": "action=acl_modified ",
- "comment": "Access controls associated with the file affected by the event.."
- },
- {
- "name": "file_size",
- "type": "required",
- "comment": "The size of the file that is the object of the event, in kilobytes."
- },
- {
- "name": "process_guid",
- "type": "optional",
- "comment": "The globally unique identifier of the process assigned by the vendor_product."
- },
- {
- "name": "process_id",
- "type": "optional",
- "comment": "The numeric identifier of the process assigned by the operating system."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user account associated with the filesystem access."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "image",
- "type": "optional",
- "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=endpoint tag=filesystem"
- },
- {
- "name": "Registry",
- "tags": [["endpoint", "registry"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["created", "deleted", "modified", "read"],
- "comment": "The action performed on the resource. Expected values: created, deleted, modified, read."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The endpoint pertaining to the registry events."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_timesync",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_update",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "process_guid",
- "type": "optional",
- "comment": "The globally unique identifier of the process assigned by the vendor_product."
- },
- {
- "name": "process_id",
- "type": "optional",
- "comment": "The numeric identifier of the process assigned by the operating system."
- },
- {
- "name": "registry_hive",
- "type": "required",
- "expected_values": [
- "HKEY_CURRENT_CONFIG",
- "HKEY_CURRENT_USER",
- "HKEY_LOCAL_MACHINE\\SAM",
- "HKEY_LOCAL_MACHINE\\Security",
- "HKEY_LOCAL_MACHINE\\Software",
- "HKEY_LOCAL_MACHINE\\System",
- "HKEY_USERS\\.DEFAULT"
- ],
- "comment": "The logical grouping of registry keys, subkeys, and values."
- },
- {
- "name": "registry_path",
- "type": "required",
- "comment": "The path to the registry value, such as \\win\\directory\\directory2\\{676235CD-B656-42D5-B737-49856E97D072}\\PrinterDriverData."
- },
- {
- "name": "registry_key_name",
- "type": "required",
- "comment": "The name of the registry key, such as PrinterDriverData."
- },
- {
- "name": "registry_value_data",
- "type": "required",
- "comment": "The unaltered registry value."
- },
- {
- "name": "registry_value_name",
- "type": "required",
- "comment": "The name of the registry value."
- },
- {
- "name": "registry_value_text",
- "type": "required",
- "comment": "The textual representation of registry_value_data (if applicable)."
- },
- {
- "name": "registry_value_type",
- "type": "required",
- "expected_values": [
- "REG_BINARY",
- "REG_DWORD",
- "REG_DWORD_LITTLE_ENDIAN",
- "REG_DWORD_BIG_ENDIAN",
- "REG_EXPAND_SZ",
- "REG_LINK",
- "REG_MULTI_SZ",
- "REG_NONE",
- "REG_QWORD",
- "REG_QWORD_LITTLE_ENDIAN",
- "REG_SZ"
- ],
- "comment": "The type of the registry value."
- },
- {
- "name": "status",
- "type": "required",
- "expected_values": ["failure", "success"],
- "comment": "The outcome of the registry action."
- },
- {
- "name": "user",
- "type": "required",
- "comment": "The user account associated with the registry access."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "image",
- "type": "optional",
- "comment": "The binary file path or name that is tied to a process ID (PID) in events like process creation or termination."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=endpoint tag=registry"
- },
- {
- "name": "Services",
- "tags": [["service", "report"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "description",
- "type": "optional",
- "validation": "",
- "comment": "The description of the service."
- },
- {
- "name": "dest",
- "type": "required",
- "validation": "",
- "comment": "The endpoint for which the service is installed."
- },
- {
- "name": "dest_is_expected",
- "type": "optional",
- "comment": "The endpoint for which the service is installed."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "dest_should_timesync",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "process_guid",
- "type": "optional",
- "validation": "",
- "comment": "The globally unique identifier of the process assigned by the vendor_product."
- },
- {
- "name": "process_id",
- "type": "optional",
- "validation": "",
- "comment": "The numeric identifier of the process assigned by the operating system."
- },
- {
- "name": "service",
- "type": "required",
- "validation": "",
- "comment": "The full service name."
- },
- {
- "name": "service_dll",
- "type": "optional",
- "validation": "",
- "comment": "The dynamic link library associated with the service."
- },
- {
- "name": "service_dll_path",
- "type": "optional",
- "validation": "",
- "comment": "The file path to the dynamic link library assocatied with the service, such as C:\\Windows\\System32\\comdlg32.dll."
- },
- {
- "name": "service_dll_hash",
- "type": "optional",
- "validation": "",
- "comment": "The digests of the dynamic link library associated with the service, such as , , etc."
- },
- {
- "name": "service_dll_signature_exists",
- "type": "optional",
- "validation": "",
- "comment": "Whether or not the dynamic link library associated with the service has a digitally signed signature."
- },
- {
- "name": "service_dll_signature_verified",
- "type": "optional",
- "validation": "",
- "comment": "Whether or not the dynamic link library associated with the service has had its digitally signed signature verified."
- },
- {
- "name": "service_exec",
- "type": "optional",
- "validation": "",
- "comment": "The executable name of the service."
- },
- {
- "name": "service_hash",
- "type": "optional",
- "validation": "",
- "comment": "The digest(s) of the service, such as , , etc."
- },
- {
- "name": "service_id",
- "type": "optional",
- "validation": "",
- "comment": "The unique identifier of the service assigned by the operating system."
- },
- {
- "name": "service_name",
- "type": "required",
- "validation": "",
- "comment": "The friendly service name."
- },
- {
- "name": "service_path",
- "type": "required",
- "validation": "",
- "comment": "The file path of the service, such as C:\\WINDOWS\\system32\\svchost.exe."
- },
- {
- "name": "service_signature_exists",
- "type": "optional",
- "validation": "",
- "comment": "Whether or not the service has a digitally signed signature."
- },
- {
- "name": "service_signature_verified",
- "type": "optional",
- "validation": "",
- "comment": "Whether or not the service has had its digitally signed signature verified."
- },
- {
- "name": "start_mode",
- "type": "required",
- "validation": "",
- "comment": "The start mode for the service."
- },
- {
- "name": "status",
- "type": "required",
- "expected_values": ["critical", "started", "stopped", "warning", "installed"],
- "validation": "",
- "comment": "The status of the service."
- },
- {
- "name": "user",
- "type": "required",
- "validation": "",
- "comment": "The user account associated with the service."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "validation": "",
- "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=service tag=report"
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json b/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json
deleted file mode 100644
index ef7c70f4..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Event_Signatures.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "model_name": "Event_Signatures",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Event_Signatures",
- "tags": [
- ["track_event_signatures"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=track_event_signatures (signature=* OR signature_id=*)",
- "fields": [
- {
- "name": "dest",
- "type": "required",
- "comment": "System affected by the signature."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "The human readable event name."
- },
- {
- "name": "signature_id",
- "type": "required",
- "comment": "The event name identifier (as supplied by the vendor)."
- },
- {
- "name": "vendor_product",
- "type": "optional",
- "comment": "The vendor and product name of the technology that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": []
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json b/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json
deleted file mode 100644
index 6f18178e..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Interprocess Messaging.json
+++ /dev/null
@@ -1,194 +0,0 @@
-{
- "model_name": "",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Messaging",
- "tags": [["messaging"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=messaging",
- "fields": [
- {
- "name": "dest",
- "type": "optional",
- "comment": "The destination of the message. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dest_bunit",
- "type": "optional",
- "comment": "The business unit of the destination."
- },
- {
- "name": "dest_category",
- "type": "optional",
- "expected_values": [
- "queue",
- "topic"
- ],
- "comment": "The type of message destination."
- },
- {
- "name": "dest_priority",
- "type": "optional",
- "comment": "The priority of the destination."
- },
- {
- "name": "duration",
- "type": "optional",
- "comment": "The number of seconds from message call to message response. Can be derived by getting the difference between the request_sent_time and the message_received_time."
- },
- {
- "name": "endpoint",
- "type": "optional",
- "comment": "The endpoint that the message accessed during the RPC (remote procedure call) transaction."
- },
- {
- "name": "endpoint_version",
- "type": "optional",
- "comment": "The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22."
- },
- {
- "name": "message",
- "type": "optional",
- "comment": "A command or reference that an RPC (remote procedure call) reads or responds to."
- },
- {
- "name": "message_id",
- "type": "optional",
- "comment": "The message identification."
- },
- {
- "name": "message_consumed_time",
- "type": "optional",
- "comment": "The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action."
- },
- {
- "name": "message_correlation_id",
- "type": "optional",
- "comment": "The message correlation identification value."
- },
- {
- "name": "message_delivered_time",
- "type": "optional",
- "comment": "The time that the message producer sent the message."
- },
- {
- "name": "message_delivery_mode",
- "type": "optional",
- "comment": "The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent (meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on."
- },
- {
- "name": "message_expiration_time",
- "type": "optional",
- "comment": "The time that the message expired."
- },
- {
- "name": "message_priority",
- "type": "optional",
- "comment": "The priority of the message. Important jobs that the message queue should answer no matter what receive a higher message_priority than other jobs, ensuring they are completed before the others."
- },
- {
- "name": "message_properties",
- "type": "optional",
- "comment": "An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using."
- },
- {
- "name": "message_received_time",
- "type": "optional",
- "comment": "The time that the message was received by a message-oriented middleware (MOM) solution."
- },
- {
- "name": "message_redelivered",
- "type": "optional",
- "comment": "Indicates whether or not the message was redelivered."
- },
- {
- "name": "message_reply_dest",
- "type": "optional",
- "comment": "The name of the destination for replies to the message."
- },
- {
- "name": "message_type",
- "type": "optional",
- "comment": "The type of message, such as call or reply."
- },
- {
- "name": "parameters",
- "type": "optional",
- "comment": "Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something like foo=bar."
- },
- {
- "name": "payload",
- "type": "optional",
- "comment": "The message payload."
- },
- {
- "name": "payload_type",
- "type": "optional",
- "comment": "The type of payload in the message. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
- },
- {
- "name": "request_payload",
- "type": "optional",
- "comment": "The content of the message request."
- },
- {
- "name": "request_payload_type",
- "type": "optional",
- "comment": "The type of payload in the message request. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
- },
- {
- "name": "request_sent_time",
- "type": "optional",
- "comment": "The time that the message request was sent."
- },
- {
- "name": "response_code",
- "type": "optional",
- "comment": "The response status code sent by the receiving server. Ranges between 200 and 404."
- },
- {
- "name": "response_payload_type",
- "type": "optional",
- "comment": "The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
- },
- {
- "name": "response_received_time",
- "type": "optional",
- "comment": "The time that the message response was received."
- },
- {
- "name": "response_time",
- "type": "optional",
- "comment": "The amount of time it took to receive a response, in seconds."
- },
- {
- "name": "return_message",
- "type": "optional",
- "comment": "The response status message sent by the message server."
- },
- {
- "name": "rpc_protocol",
- "type": "optional",
- "comment": "The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB."
- },
- {
- "name": "status",
- "type": "optional",
- "expected_values": [
- "pass",
- "fail"
- ],
- "comment": "The status of the message response."
- },
- {
- "name": "tag",
- "type": "optional",
- "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
- }
- ],
- "child_dataset": []
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json b/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json
deleted file mode 100644
index 4a492b07..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Intrusion_Detection.json
+++ /dev/null
@@ -1,154 +0,0 @@
-{
- "model_name": "Intrusion_Detection",
- "version": "1.0.0",
- "objects": [
- {
- "name": "IDS_Attacks",
- "tags": [["ids", "attack"]],
- "fields_cluster": [],
- "search_constraints": "tag=ids tag=attack",
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["allowed", "blocked"],
- "comment": "The action performed on the resource."
- },
- {
- "name": "category",
- "type": "required",
- "comment": "The vendor-provided category of the triggered signature, such as spyware. This field is a string. Use a category_id field (not included in this data model) for category ID fields that are integer data types."
- },
- {
- "name": "dest",
- "type": "conditional",
- "condition": "ids_type=\"network\"",
- "comment": "The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment": "The device that detected the intrusion event. You can alias this from more specific fields not included in this data model, such as dvc_host, dvc_ip, or dvc_name."
- },
- {
- "name": "file_hash",
- "type": "conditional",
- "condition": "ids_type=\"host\" ",
- "comment": "A cryptographic identifier assigned to the file object affected by the event."
- },
- {
- "name": "file_name",
- "type": "conditional",
- "condition": "ids_type=\"host\" ",
- "comment": "The name of the file, such as notepad.exe."
- },
- {
- "name": "file_path",
- "type": "conditional",
- "condition": "ids_type=\"host\" ",
- "comment": "The path of the file, such as C:\\Windows\\System32\\notepad.exe."
- },
- {
- "name": "ids_type",
- "type": "required",
- "expected_values": ["network", "host"],
- "comment": "The type of IDS that generated the event."
- },
- {
- "name": "severity",
- "type": "required",
- "expected_values": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "comment": "The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "dest_type",
- "type": "optional",
- "comment": "The type of the destination object, such as 'instance', 'storage', 'firewall'."
- },
- {
- "name": "src",
- "type": "conditional",
- "condition": "ids_type=\"network\"",
- "comment": "The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name."
- },
- {
- "name": "transport",
- "type": "conditional",
- "condition": "ids_type=\"network\"",
- "comment": "The OSI layer 4 (transport) protocol of the intrusion, in lower case."
- },
- {
- "name": "src_port",
- "type": "conditional",
- "condition": "ids_type=\"network\"",
- "validity": "if(isnum(src_port),src_port,null())",
- "comment": "The source port of the intrusion detection. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field."
- },
- {
- "name": "dest_port",
- "type": "conditional",
- "condition": "ids_type=\"network\"",
- "validity": "if(isnum(dest_port),dest_port,null())",
- "comment": "The destination port of the intrusion detection. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user involved with the intrusion detection event."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [
- {
- "name": "Application_IDS_Attacks",
- "tags": [["ids", "attack"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "ids_type=\"application\""
- },
- {
- "name": "Host_IDS_Attacks",
- "tags": [["ids", "attack"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "ids_type=\"host\""
- },
- {
- "name": "Network_IDS_Attacks",
- "tags": [["ids", "attack"]],
- "fields_cluster": [],
- "fields": [],
- "search_constraints": "ids_type=\"network\"",
- "child_dataset": []
- }
- ]
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/JVM.json b/splunk-cim-models/splunk_cim_models/data_models/JVM.json
deleted file mode 100644
index 612858f0..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/JVM.json
+++ /dev/null
@@ -1,332 +0,0 @@
-{
- "model_name": "JVM",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Event_Signatures",
- "tags": [["jvm"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=jvm",
- "fields": [
- {
- "name": "jvm_description",
- "type": "optional",
- "comment": "A description field provided in some data sources."
- },
- {
- "name": "tag",
- "type": "optional",
- "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
- }
- ],
- "child_dataset": [
- {
- "name": "Threading",
- "tags": [
- ["jvm", "threading"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=threading",
- "fields": [
- {
- "name": "threads_started",
- "type": "optional",
- "comment": "The total number of threads started in the JVM."
- },
- {
- "name": "thread_count",
- "type": "optional",
- "comment": "The JVM's current thread count."
- },
- {
- "name": "cpu_time_enabled",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether thread CPU time measurement is enabled."
- },
- {
- "name": "cm_supported",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether the JVM supports thread contention monitoring."
- },
- {
- "name": "cm_enabled",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether thread contention monitoring is enabled."
- },
- {
- "name": "synch_supported",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether the JVM supports monitoring of ownable synchronizer usage."
- },
- {
- "name": "peak_thread_count",
- "type": "optional",
- "comment": "The JVM's peak thread count."
- },
- {
- "name": "omu_supported",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether the JVM supports monitoring of object monitor usage."
- },
- {
- "name": "daemon_thread_count",
- "type": "optional",
- "comment": "The JVM's current daemon count."
- },
- {
- "name": "current_user_time",
- "type": "optional",
- "comment": "User-space time taken by the JVM, in seconds."
- },
- {
- "name": "cpu_time_supported",
- "type": "optional",
- "expected_values": [
- "true",
- "false"
- ],
- "comment": "Indicates whether the Java virtual machine supports CPU time measurement for the current thread."
- },
- {
- "name": "current_cpu_time",
- "type": "optional",
- "comment": "CPU-space time taken by the JVM, in seconds."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Runtime",
- "tags": [
- ["jvm", "runtime"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=runtime",
- "fields": [
- {
- "name": "version",
- "type": "optional",
- "comment": "Version of the JVM."
- },
- {
- "name": "uptime",
- "type": "optional",
- "comment": "Uptime of the JVM process, in seconds."
- },
- {
- "name": "start_time",
- "type": "optional",
- "comment": "Start time of the JVM process."
- },
- {
- "name": "process_name",
- "type": "optional",
- "comment": "Process name of the JVM process."
- },
- {
- "name": "vendor_product",
- "type": "optional",
- "comment": "The JVM product or service. This field can be automatically populated by the the vendor and product fields in your raw data."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "OS",
- "tags": [
- ["jvm", "os"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=os",
- "fields": [
- {
- "name": "os_version",
- "type": "optional",
- "comment": "OS version that the JVM is running on."
- },
- {
- "name": "swap_space",
- "type": "optional",
- "comment": "Swap memory space available to the OS that the JVM is running on, in bytes."
- },
- {
- "name": "physical_memory",
- "type": "optional",
- "comment": "Physical memory available to the OS that the JVM is running on, in bytes."
- },
- {
- "name": "system_load",
- "type": "optional",
- "comment": "System load of the OS that the JVM is running on."
- },
- {
- "name": "cpu_time",
- "type": "optional",
- "comment": "Amount of CPU time taken by the JVM, in seconds."
- },
- {
- "name": "os",
- "type": "optional",
- "comment": "OS that the JVM is running on."
- },
- {
- "name": "open_file_descriptors",
- "type": "optional",
- "comment": "Number of file descriptors opened by the JVM."
- },
- {
- "name": "max_file_descriptors",
- "type": "optional",
- "comment": "Maximum file descriptors available to the JVM."
- },
- {
- "name": "free_swap",
- "type": "optional",
- "comment": "Amount of free swap memory remaining to the JVM, in bytes."
- },
- {
- "name": "free_physical_memory",
- "type": "optional",
- "comment": "Amount of free physical memory remaining to the JVM, in bytes."
- },
- {
- "name": "committed_memory",
- "type": "optional",
- "comment": "Amount of memory committed to the JVM, in bytes."
- },
- {
- "name": "total_processors",
- "type": "optional",
- "comment": "Total processor cores available to the OS that the JVM is running on."
- },
- {
- "name": "os_architecture",
- "type": "optional",
- "comment": "OS architecture that the JVM is running on."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Compilation",
- "tags": [
- ["jvm", "compilation"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=compilation",
- "fields": [
- {
- "name": "compilation_time",
- "type": "optional",
- "comment": "Time taken by JIT compilation, in seconds."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Classloading",
- "tags": [
- ["jvm", "classloading"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=classloading",
- "fields": [
- {
- "name": "total_loaded",
- "type": "optional",
- "comment": "The total count of classes loaded in the JVM."
- },
- {
- "name": "current_loaded",
- "type": "optional",
- "comment": "The current count of classes loaded in the JVM."
- },
- {
- "name": "total_unloaded",
- "type": "optional",
- "comment": "The total count of classes unloaded from the JVM."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Memory",
- "tags": [
- ["jvm", "memory"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=memory",
- "fields": [
- {
- "name": "non_heap_used",
- "type": "optional",
- "comment": "Non-heap memory used by the JVM, in bytes."
- },
- {
- "name": "non_heap_max",
- "type": "optional",
- "comment": "Maximum amount of non-heap memory used by the JVM, in bytes"
- },
- {
- "name": "non_heap_initial",
- "type": "optional",
- "comment": "Initial amount of non-heap memory used by the JVM, in bytes."
- },
- {
- "name": "non_heap_committed",
- "type": "optional",
- "comment": "Committed amount of non-heap memory used by the JVM, in bytes."
- },
- {
- "name": "heap_used",
- "type": "optional",
- "comment": "Heap memory used by the JVM, in bytes."
- },
- {
- "name": "heap_max",
- "type": "optional",
- "comment": "Maximum amount of heap memory used by the JVM, in bytes."
- },
- {
- "name": "heap_initial",
- "type": "optional",
- "comment": "Initial amount of heap memory used by the JVM, in bytes."
- },
- {
- "name": "heap_committed",
- "type": "optional",
- "comment": "Committed amount of heap memory used by the JVM, in bytes."
- },
- {
- "name": "objects_pending",
- "type": "optional",
- "comment": "Number of objects pending in the JVM."
- }
- ],
- "child_dataset": []
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Malware.json b/splunk-cim-models/splunk_cim_models/data_models/Malware.json
deleted file mode 100644
index 30dca2b2..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Malware.json
+++ /dev/null
@@ -1,177 +0,0 @@
-{
- "model_name": "Malware",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Malware Attacks",
- "tags": [["malware", "attack"]],
- "search_constraints": "tag=malware tag=attack",
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["allowed", "blocked", "deferred"],
- "comment": "Action taken by the reporting device"
- },
- {
- "name": "category",
- "type": "required",
- "comment": "The category of the malware event, such as keylogger or ad-supported program."
- },
- {
- "name": "date",
- "type": "optional",
- "comment": "The date of the malware event."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dest_nt_domain",
- "type": "optional",
- "comment": "The NT domain of the destination, if applicable."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "file_hash",
- "type": "optional",
- "comment": "The hash of the file with suspected malware"
- },
- {
- "name": "file_name",
- "type": "required",
- "comment": "The name of the file with suspected malware"
- },
- {
- "name": "file_path",
- "type": "required",
- "comment": "The full file path of the file with suspected malware"
- },
- {
- "name": "severity",
- "type": "required",
- "expected_values": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "comment":"The severity of a message."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda"
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "src",
- "type": "optional",
- "comment": "The source of the event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
- },
- {
- "name": "src_user",
- "type": "optional",
- "comment": "The reported sender of an email-based attack."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user involved in the malware event."
- },
- {
- "name": "url",
- "type": "optional",
- "comment": "The hash of the file with suspected malware"
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The hash of the file with suspected malware"
- }
- ],
- "child_dataset": [
- {
- "name": "Allowed Malware",
- "tags": [["malware", "attack"]],
- "fields_cluster": [],
- "search_constraints": "action=\"allowed\"",
- "fields": [],
- "child_dataset": []
- },
- {
- "name": "Blocked Malware",
- "tags": [["malware", "attack"]],
- "fields_cluster": [],
- "search_constraints": "action=\"blocked\"",
- "fields": [],
- "child_dataset": []
- },
- {
- "name": "Quarantined Malware",
- "tags": [["malware", "attack"]],
- "fields_cluster": [],
- "search_constraints": "action=\"deferred\"",
- "fields": [],
- "child_dataset": []
- }
- ]
- },
- {
- "name": "Malware Operations",
- "tags": [["malware", "operations"]],
- "search_constraints": "tag=malware tag=operations | tags outputfield=tag",
- "fields_cluster": [],
- "fields": [
- {
- "name": "dest",
- "type": "required",
- "comment": "The system where the malware operations event occurred"
- },
- {
- "name": "dest_nt_domain",
- "type": "optional",
- "comment": "The NT domain of the dest system, if applicable."
- },
- {
- "name": "dest_requires_av",
- "type": "optional",
- "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "product_version",
- "type": "optional",
- "comment": "The product version of the malware operations product"
- },
- {
- "name": "signature_version",
- "type": "required",
- "comment": "The version of the malware signature bundle in a signature update operations event"
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor product name of the malware operations product."
- }
- ],
- "child_dataset": []
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json
deleted file mode 100644
index e5a0f842..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Network_Resolution.json
+++ /dev/null
@@ -1,282 +0,0 @@
-{
- "model_name": "Network_Resolution",
- "version":"1.0.0",
- "objects": [{
- "name": "DNS",
- "tags": [
- [
- "network",
- "resolution",
- "dns"
- ]
- ],
- "fields_cluster": [],
- "fields": [{
- "name": "additional_answer_count",
- "type": "optional",
- "validity": "if(isnum(additional_answer_count),additional_answer_count,null())",
- "comment": "Number of entries in the 'additional' section of the DNS message."
- },
- {
- "name": "answer",
- "type": "required",
- "multi_value": true,
- "comment": "Resolved address for the query."
- },
- {
- "name": "answer_count",
- "type": "required",
- "validity": "if(isnum(answer_count) and answer_count == mvcount(answer),answer_count,null())",
- "comment": "Number of entries in the answer section of the DNS message."
- },
- {
- "name": "authority_answer_count",
- "type": "optional",
- "validity": "if(isnum(authority_answer_count),authority_answer_count,null())",
- "comment": "Number of entries in the 'authority' section of the DNS message."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "message_type",
- "type": "required",
- "expected_values": [
- "Query",
- "Response"
- ],
- "comment": "Type of DNS message."
- },
- {
- "name": "query",
- "type": "required",
- "multi_value": true,
- "comment": "The domain which needs to be resolved. Applies to messages of type 'Query'."
- },
- {
- "name": "query_count",
- "type": "required",
- "validity": "if(isnum(query_count) and query_count == mvcount(query),query_count,null())",
- "comment": "Number of entries that appear in the 'Questions' section of the DNS query."
- },
- {
- "name": "query_type",
- "type": "required",
- "expected_values": [
- "Query",
- "IQuery",
- "Status",
- "Notify",
- "Update",
- "A",
- "MX",
- "NS",
- "PTR"
- ],
- "comment": "The field may contain DNS OpCodes or Resource Record Type codes. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site. If a value is not set, the DNS.record_type field is referenced."
- },
- {
- "name": "record_type",
- "type": "required",
- "expected_values": [
- "A",
- "NS",
- "MD",
- "MF",
- "CNAME",
- "SOA",
- "MB",
- "MG",
- "MR",
- "NULL",
- "WKS",
- "PTR",
- "HINFO",
- "MINFO",
- "MX",
- "TXT",
- "RP",
- "AFSDB",
- "X25",
- "ISDN",
- "RT",
- "NSAP",
- "NSAP-PTR",
- "SIG",
- "KEY",
- "PX",
- "GPOS",
- "AAAA",
- "LOC",
- "NXT",
- "EID",
- "NIMLOC",
- "SRV",
- "ATMA",
- "NAPTR",
- "KX",
- "CERT",
- "A6",
- "DNAME",
- "SINK",
- "OPT",
- "APL",
- "DS",
- "SSHFP",
- "IPSECKEY",
- "RRSIG",
- "NSEC",
- "DNSKEY",
- "DHCID",
- "NSEC3",
- "NSEC3PARAM",
- "TLSA",
- "SMIMEA",
- "Unassigned",
- "HIP",
- "NINFO",
- "RKEY",
- "TALINK",
- "CDS",
- "CDNSKEY",
- "OPENPGPKEY",
- "CSYNC",
- "ZONEMD",
- "SVCB",
- "HTTPS",
- "SPF",
- "UINFO",
- "UID",
- "GID",
- "UNSPEC",
- "NID",
- "L32",
- "L64",
- "LP",
- "EUI48",
- "EUI64",
- "TKEY",
- "TSIG",
- "IXFR",
- "AXFR",
- "MAILB",
- "MAILA",
- "*",
- "URI",
- "CAA",
- "AVC",
- "DOA",
- "AMTRELAY",
- "RESINFO",
- "TA",
- "DLV",
- "Private use",
- "Reserved"
- ],
- "comment": "The DNS resource record type. For details, see the List of DNS record types on Internet Assigned Numbers Authority (IANA) web site."
- },
- {
- "name": "reply_code",
- "type": "required",
- "expected_values": [
- "No Error",
- "Format Error",
- "Server Failure",
- "Non-Existent Domain",
- "NotImp",
- "Refused",
- "YXDomain",
- "YXRRSet",
- "NXRRSet",
- "NotAuth",
- "NotZone",
- "DSOTYPENI",
- "BADVERS",
- "BADSIG",
- "BADKEY",
- "BADTIME",
- "BADMODE",
- "BADNAME",
- "BADALG",
- "BADTRUNC",
- "BADCOOKIE"
- ],
- "comment": "The return code for the response. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
- },
- {
- "name": "reply_code_id",
- "type": "required",
- "expected_values": [
- "1",
- "2",
- "3",
- "4",
- "5",
- "6",
- "7",
- "8",
- "9",
- "10",
- "11",
- "16",
- "17",
- "18",
- "19",
- "20",
- "21",
- "22",
- "23"
- ],
- "comment": "The numerical id of a return code. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
- },
- {
- "name": "response_time",
- "type": "required",
- "validity": "if(isnum(response_time),response_time,null())",
- "comment": "The amount of time it took to receive a response in the network resolution event, in seconds."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
- },
- {
- "name": "transaction_id",
- "type": "required",
- "validity": "if(isnum(transaction_id),transaction_id,null())",
- "comment": "The unique numerical transaction id of the network resolution event"
- },
- {
- "name": "transport",
- "type": "required",
- "comment": "The transport protocol used by the network resolution event."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration,null())",
- "comment": "The time taken by the network resolution event, in seconds."
- },
- {
- "name": "name",
- "type": "optional",
- "comment": "The name of the DNS event."
- },
- {
- "name": "ttl",
- "type": "optional",
- "validity": "if(isnum(ttl),ttl,null())",
- "comment": "The time-to-live of the network resolution event, in seconds."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=network tag=resolution tag=dns"
- }]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json
deleted file mode 100644
index 406d9de0..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Network_Sessions.json
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "model_name": "Network_Sessions",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Sessions",
- "tags": [["network", "session"]],
- "search_constraints": "tag=network tag=session",
- "fields_cluster": [],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["started", "ended", "blocked"],
- "comment": "The action taken by the reporting device."
- },
- {
- "name": "dest_ip",
- "type": "required",
- "comment": "The internal IP address allocated to the client initializing a network session. For DHCP and VPN events, this is the IP address leased to the client."
- },
- {
- "name": "dest_mac",
- "type": "required",
- "comment": "The internal MAC address of the network session client. For DHCP events, this is the MAC address of the client acquiring an IP address lease. For VPN events, this is the MAC address of the client initializing a network session.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
- },
- {
- "name": "signature",
- "type": "required",
- "comment": "An indication of the type of network session event."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "dest_nt_host",
- "type": "optional",
- "comment": "The NetBIOS name of the client initializing a network session."
- },
- {
- "name": "dest_dns",
- "type": "optional",
- "comment": "The domain name system address of the destination for a network session event."
- },
- {
- "name": "dest_priority",
- "type": "optional",
- "comment": "The priority of the destination."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration,null())",
- "comment": "The amount of time for the completion of the network session event, in seconds."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time),response_time,null())",
- "comment": "The amount of time it took to receive a response in the network session event, in seconds."
- },
- {
- "name": "src_dns",
- "type": "optional",
- "comment": "The external domain name of the client initializing a network session. Not applicable for DHCP events."
- },
- {
- "name": "src_nt_host",
- "type": "optional",
- "comment": "The NetBIOS name of the client initializing a network session. Not applicable for DHCP events."
- },
- {
- "name": "src_mac",
- "type": "optional",
- "condition": "tag != dhcp",
- "validity": "if(match(src_mac,\"^([0-9a-f]{2}:){5}([0-9a-f]{2})$\"),src_mac,null())",
- "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields."
- },
- {
- "name": "src_ip",
- "type": "optional",
- "condition": "tag != dhcp",
- "comment": "The IP address of the client initializing a network session. Not applicable for DHCP events."
- },
- {
- "name": "user",
- "type": "conditional",
- "condition": "tag=vpn",
- "comment": "The user in a network session event, where applicable. For example, a VPN session or an authenticated DHCP event."
- }
- ],
- "child_dataset": [
- {
- "name": "Session_Start",
- "tags": [["network", "session", "start"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=start"
- },
- {
- "name": "Session_End",
- "tags": [["network", "session", "end"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=end"
- },
- {
- "name": "DHCP",
- "tags": [["network", "session", "dhcp"]],
- "fields_cluster": [],
- "fields": [
- {
- "name": "lease_duration",
- "type": "conditional",
- "condition": "lease_duration=*",
- "validity": "if(isnum(lease_duration),lease_duration,null())",
- "comment": "The duration of the Dynamic Host Configuration Protocol (DHCP) lease, in seconds."
- },
- {
- "name": "lease_scope",
- "type": "optional",
- "comment": "The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered."
- },
- {
- "name": "src_ip",
- "type": "not_allowed_in_search",
- "comment": "The IP address of the client initializing a network session. Not applicable for DHCP events."
- },
- {
- "name": "src_mac",
- "type": "not_allowed_in_search",
- "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=dhcp"
- },
- {
- "name": "VPN",
- "tags": [["network", "session", "vpn"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=vpn"
- }
- ]
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json b/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json
deleted file mode 100644
index 747cb774..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Network_Traffic.json
+++ /dev/null
@@ -1,348 +0,0 @@
-{
- "model_name": "Network_Traffic",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Traffic",
- "tags": [["network", "communicate"]],
- "fields_cluster": [
- ["bytes", "bytes_in", "bytes_out"],
- ["dest_translated_ip", "src_translated_ip"],
- ["dest_zone", "src_zone"],
- ["icmp_type", "icmp_code"],
- ["packets_in", "packets_out"]
- ],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": ["allowed", "blocked", "teardown", "flow"],
- "comment": "The action taken by the network device."
- },
- {
- "name": "app",
- "type": "required",
- "comment": "The application protocol of the traffic."
- },
- {
- "name": "bytes",
- "type": "conditional",
- "condition": "bytes=*",
- "validity": "if(isnum(bytes) and bytes>0 and bytes==(bytes_in+bytes_out),bytes,null())",
- "comment": "Total count of bytes handled by this device/interface (bytes_in + bytes_out)."
- },
- {
- "name": "bytes_in",
- "type": "conditional",
- "condition": "bytes_in=*",
- "validity": "if(isnum(bytes_in) and bytes_in>0,bytes_in,null())",
- "comment": "How many bytes this device/interface received."
- },
- {
- "name": "bytes_out",
- "type": "conditional",
- "condition": "bytes_out=*",
- "validity": "if(isnum(bytes_out) and bytes_out>0,bytes_out,null())",
- "comment": "How many bytes this device/interface transmitted."
- },
- {
- "name": "channel",
- "type": "not_allowed_in_search",
- "comment": "The 802.11 channel used by a wireless network."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dest_interface",
- "type": "optional",
- "comment": "The interface that is listening remotely or receiving packets locally. 
Can also be referred to as the 'egress interface.'"
- },
- {
- "name": "dest_ip",
- "type": "conditional",
- "condition": "| where match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
- "validity": "if((!isnull(dest_ip) AND dest == dest_ip), dest_ip, null())",
- "comment": "The IP address of the destination."
- },
- {
- "name": "dest_mac",
- "type": "conditional",
- "condition": "| where match(dest,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
- "validity": "if((!isnull(dest_mac) AND dest_mac == dest), dest_mac, null())",
- "comment": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
- },
- {
- "name": "dest_port",
- "type": "conditional",
- "condition": "transport=tcp OR transport=udp",
- "validity": "if(isnum(dest_port),dest_port,null())",
- "comment": "The destination port of the network traffic. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the dest_svc field."
- },
- {
- "name": "dest_translated_ip",
- "type": "conditional",
- "condition": "(protocol=IP OR protocol=ICMP) AND src_translated_ip=*",
- "comment": "The NATed IPv4 or IPv6 address to which a packet has been sent."
- },
- {
- "name": "dest_translated_port",
- "type": "conditional",
- "condition": "(transport=tcp OR transport=udp) AND dest_translated_ip=*",
- "comment": "The NATed port to which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http)."
- },
- {
- "name": "dest_zone",
- "type": "conditional",
- "condition":"src_zone=*",
- "comment": "The network zone of the destination."
- },
- {
- "name": "direction",
- "type": "optional",
- "expected_values": ["inbound", "outbound"],
- "comment": "The direction the packet is traveling."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration,null())",
- "comment": "The amount of time for the completion of the network event, in seconds."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment": "The device that reported the traffic event. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name."
- },
- {
- "name": "dvc_mac",
- "type": "optional",
- "comment": "The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
- },
- {
- "name": "dvc_ip",
- "type": "optional",
- "comment": "The ip address of the device."
- },
- {
- "name": "dvc_zone",
- "type": "optional",
- "comment": "The network zone of the device."
- },
- {
- "name": "flow_id",
- "type": "optional",
- "comment": "Unique identifier for this traffic stream, such as a netflow, jflow, or cflow."
- },
- {
- "name": "icmp_code",
- "type": "conditional",
- "condition": "protocol=icmp",
- "validity": "if(isnum(icmp_code),icmp_code,null())",
- "comment": "The RFC 2780 or RFC 4443 human-readable code value of the traffic, such as Destination Unreachable or Parameter Problem . See the ICMP Type Numbers and the ICMPv6 Type Numbers."
- },
- {
- "name": "icmp_type",
- "type": "conditional",
- "condition": "protocol=icmp",
- "validity": "if(isnum(duration) and duration>0 and duration<254,icmp_type,null())",
- "comment": "The RFC 2780 or RFC 4443 numeric value of the traffic. See the ICMP Type Numbers and the ICMPv6 Type Numbers."
- },
- {
- "name": "packets",
- "type": "conditional",
- "condition": "packets_in=* OR packets_out=*",
- "validity": "if(isnum(packets),packets,null())",
- "comment": "The total count of packets handled by this device/interface (packets_in + packets_out)."
- },
- {
- "name": "packets_in",
- "type": "optional",
- "validity": "if(isnum(packets_in),packets_in,null())",
- "comment": "The total count of packets received by this device/interface."
- },
- {
- "name": "packets_out",
- "type": "optional",
- "validity": "if(isnum(packets_out),packets_out,null())",
- "comment": "The total count of packets transmitted by this device/interface."
- },
- {
- "name": "process_id",
- "type": "optional",
- "comment": "The numeric identifier of the process (PID) or service generating the network traffic."
- },
- {
- "name": "protocol",
- "type": "conditional",
- "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
- "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",protocol ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),protocol,true(), null())",
- "expected_values": ["ip", "icmp"],
- "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx."
- },
- {
- "name": "protocol_version",
- "type": "conditional",
- "condition": "protocol=ip",
- "expected_values": ["ipv4", "ipv6"],
- "comment": "Version of the OSI layer 3 protocol, in lower case."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time),response_time,null())",
- "comment": "The amount of time it took to receive a response in the network event, in seconds."
- },
- {
- "name": "rule",
- "type": "optional",
- "comment": "The rule which defines the action that was taken in the network event. Note: This is a string value. Use rule_id for rule fields that are integer data types."
- },
- {
- "name": "rule_id",
- "type": "optional",
- "comment": "The vendor-specific unique identifier of the rule. Examples: 0x00011f0000011f00, 0x00011f00-syn_flood."
- },
- {
- "name": "session_id",
- "type": "optional",
- "comment": "The session identifier. Multiple transactions build a session."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.'"
- },
- {
- "name": "src_interface",
- "type": "optional",
- "comment": "The interface that is listening locally or sending packets remotely. Can also be referred to as the 'ingress interface.'"
- },
- {
- "name": "src_translated_ip",
- "type": "conditional",
- "condition": "dest_translated_ip=*",
- "comment": "The interface that is listening locally or sending packets remotely. Can also be referred to as the 'ingress interface.'"
- },
- {
- "name": "src_zone",
- "type": "conditional",
- "condition":"dest_zone=*",
- "comment": "The network zone of the source."
- },
- {
- "name": "ssid",
- "type": "optional",
- "comment": "The 802.11 service set identifier (ssid) assigned to a wireless session."
- },
- {
- "name": "wifi",
- "type": "optional",
- "comment": "The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n."
- },
- {
- "name": "tcp_flag",
- "type": "optional",
- "expected_values": ["SYN", "ACK", "FIN", "RST", "URG", "PSH"],
- "comment": "The TCP flag or multiple flags specified in the event."
- },
- {
- "name": "tos",
- "type": "optional",
- "comment": "The combination of source and destination IP ToS (type of service) values in the event."
- },
- {
- "name": "ttl",
- "type": "optional",
- "validity": "if(isnum(ttl),ttl,null())",
- "comment": "The 'time to live' of a packet or diagram, in seconds."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user that requested the traffic flow."
- },
- {
- "name": "vendor_account",
- "type": "optional",
- "comment": "The account associated with the network traffic. The account represents the organization, or a Cloud customer or a Cloud account."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "vlan",
- "type": "optional",
- "comment": "The virtual local area network (VLAN) specified in the record."
- },
- {
- "name": "transport",
- "type": "required",
- "condition": "",
- "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",transport ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),transport,true(), null())",
- "expected_values": ["tcp", "udp", "icmp"],
- "comment": "The OSI layer 4 (transport) protocol of the traffic observed, in lower case."
- },
- {
- "name": "src_ip",
- "type": "conditional",
- "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
- "validity": "if((!isnull(src_ip) AND src == src_ip), src_ip, null())",
- "comment": "The ip address of the source."
- },
- {
- "name": "src_mac",
- "type": "conditional",
- "condition": "| where match(src,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")",
- "validity": "if((!isnull(src_mac) AND src_mac == src), src_mac, null())",
- "comment": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator."
- },
- {
- "name": "src_port",
- "type": "conditional",
- "condition": "transport=tcp OR transport=udp",
- "validity": "if(isnum(src_port),src_port,null())",
- "comment": "The source port of the network traffic. Note: Do not translate the value of this field to a string (tcp/80 is 80, not http). You can set up the corresponding string value in the src_svc field."
- },
- {
- "name": "src_translated_port",
- "type": "conditional",
- "condition": "(transport=tcp OR transport=udp) AND src_translated_ip=*",
- "validity": "if(isnum(src_translated_port),src_translated_port,null())",
- "comment": "The NATed port from which a packet has been sent. Note: Do not translate the values of this field to strings (tcp/80 is 80, not http."
- }
- ],
- "child_dataset": [
- {
- "name": "Traffic_By_Action",
- "tags": [["network", "communicate"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=*"
- },
- {
- "name": "Allowed_Traffic",
- "tags": [["network", "communicate"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=allowed"
- },
- {
- "name": "Blocked_Traffic",
- "tags": [["network", "communicate"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "action=blocked"
- }
- ],
- "search_constraints": "tag=network tag=communicate"
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Performance.json b/splunk-cim-models/splunk_cim_models/data_models/Performance.json
deleted file mode 100644
index 7788967f..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Performance.json
+++ /dev/null
@@ -1,314 +0,0 @@
-{
- "model_name": "Performance",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Performance",
- "tags": [["performance"]],
- "search_constraints": "tag=performance",
- "fields_cluster": [],
- "fields": [
- {
- "name": "dest_should_timesync",
- "type": "optional",
- "comment": "Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security."
- },
- {
- "name": "dest_should_update",
- "type": "optional",
- "comment": "Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
- },
- {
- "name": "hypervisor_id",
- "type": "optional",
- "comment": "The ID of the virtualization hypervisor."
- },
- {
- "name": "resource_type",
- "type": "optional",
- "comment": "The type of facilities resource involved in the performance event, such as a rack, room, or system."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- }
- ],
- "child_dataset": [
- {
- "name": "CPU",
- "tags": [["cpu", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=cpu",
- "fields": [
- {
- "name": "cpu_load_mhz",
- "type": "optional",
- "comment": "The amount of CPU load reported by the controller in megahertz."
- },
- {
- "name": "cpu_load_percent",
- "type": "required",
- "comment": "The amount of CPU load reported by the controller in percentage points."
- },
- {
- "name": "cpu_time",
- "type": "optional",
- "comment": "The number of CPU seconds consumed by processes."
- },
- {
- "name": "cpu_user_percent",
- "type": "optional",
- "comment": "Percentage of CPU user time consumed by processes."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Facilities",
- "tags": [["facilities", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=facilities",
- "fields": [
- {
- "name": "temperature",
- "type": "required",
- "comment": "Average temperature of the facilities resource, in degrees Celsius."
- },
- {
- "name": "power",
- "type": "optional",
- "comment": "Amount of power consumed by the facilities resource, in kW."
- },
- {
- "name": "fan_speed",
- "type": "optional",
- "comment": "The speed of the cooling fan in the facilities resource, in rotations per second."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Memory",
- "tags": [["memory", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=memory",
- "fields": [
- {
- "name": "mem",
- "type": "required",
- "comment": "The total amount of memory capacity reported by the resource, in megabytes."
- },
- {
- "name": "mem_committed",
- "type": "optional",
- "comment": "The committed amount of memory reported by the resource, in megabytes."
- },
- {
- "name": "mem_free",
- "type": "required",
- "comment": "The free amount of memory reported by the resource, in megabytes."
- },
- {
- "name": "mem_used",
- "type": "required",
- "comment": "The used amount of memory reported by the resource, in megabytes."
- },
- {
- "name": "swap",
- "type": "optional",
- "comment": "The total swap space size, in megabytes, if applicable."
- },
- {
- "name": "swap_free",
- "type": "optional",
- "comment": "The free swap space size, in megabytes, if applicable."
- },
- {
- "name": "swap_used",
- "type": "optional",
- "comment": "The used swap space size, in megabytes, if applicable."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Storage",
- "tags": [["storage", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=storage",
- "fields": [
- {
- "name": "array",
- "type": "optional",
- "comment": "The array that the resource is a member of, if applicable."
- },
- {
- "name": "blocksize",
- "type": "optional",
- "comment": "Block size used by the storage resource, in kilobytes."
- },
- {
- "name": "cluster",
- "type": "optional",
- "comment": "The cluster that the resource is a member of, if applicable."
- },
- {
- "name": "fd_max",
- "type": "optional",
- "comment": "The maximum number of available file descriptors."
- },
- {
- "name": "fd_used",
- "type": "optional",
- "comment": "The current number of open file descriptors."
- },
- {
- "name": "latency",
- "type": "optional",
- "comment": "The latency reported by the resource, in milliseconds."
- },
- {
- "name": "mount",
- "type": "optional",
- "comment": "The mount point of a storage resource."
- },
- {
- "name": "parent",
- "type": "optional",
- "comment": "A generic indicator of hierarchy. For instance, a disk event might include the array id here."
- },
- {
- "name": "read_blocks",
- "type": "optional",
- "comment": "Number of blocks read."
- },
- {
- "name": "read_latency",
- "type": "optional",
- "comment": "The latency of read operations, in milliseconds."
- },
- {
- "name": "read_ops",
- "type": "optional",
- "comment": "Number of read operations."
- },
- {
- "name": "storage",
- "type": "optional",
- "comment": "The total amount of storage capacity reported by the resource, in megabytes."
- },
- {
- "name": "storage_free",
- "type": "required",
- "comment": "The free amount of storage capacity reported by the resource, in megabytes."
- },
- {
- "name": "storage_free_percent",
- "type": "required",
- "comment": "The percentage of storage capacity reported by the resource that is free."
- },
- {
- "name": "storage_used",
- "type": "required",
- "comment": "The used amount of storage capacity reported by the resource, in megabytes."
- },
- {
- "name": "storage_used_percent",
- "type": "required",
- "comment": "The percentage of storage capacity reported by the resource that is used."
- },
- {
- "name": "write_blocks",
- "type": "optional",
- "comment": "The number of blocks written by the resource."
- },
- {
- "name": "write_latency",
- "type": "optional",
- "comment": "The latency of write operations, in milliseconds."
- },
- {
- "name": "write_ops",
- "type": "optional",
- "comment": "The total number of write operations processed by the resource."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Network",
- "tags": [["network", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=network",
- "fields": [
- {
- "name": "thruput",
- "type": "required",
- "comment": "The current throughput reported by the service, in bytes."
- },
- {
- "name": "thruput_max",
- "type": "optional",
- "comment": "The maximum possible throughput reported by the service, in bytes."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "OS",
- "tags": [["os", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=os",
- "fields": [
- {
- "name": "signature",
- "type": "required",
- "comment": "The event description signature, if available."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- }
- ],
- "child_dataset": [
- {
- "name": "Timesync",
- "tags": [["performance", "os", "performance", "synchronize"]],
- "fields_cluster": [],
- "search_constraints": "tag=synchronize tag=time",
- "fields": [
- {
- "name": "action",
- "type": "required",
- "expected_values": [
- "success",
- "failure"
- ],
- "comment": "The result of a time sync event."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Uptime",
- "tags": [["uptime", "os", "performance"]],
- "fields_cluster": [],
- "search_constraints": "tag=uptime",
- "fields": [
- {
- "name": "uptime",
- "type": "required",
- "comment": "The uptime of the compute resource, in seconds."
- }
- ],
- "child_dataset": []
- }
- ]
- }
-
- ]
- }
- ]
-}
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json b/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json
deleted file mode 100644
index fa809ad7..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Ticket_Management.json
+++ /dev/null
@@ -1,129 +0,0 @@
-
-{
- "model_name": "Ticket_Management",
- "version": "1.0.0",
- "objects": [
- {
- "name": "All_Ticket_Management",
- "tags": [["ticketing"]],
- "search_constraints": "tag=ticketing",
- "fields_cluster": [],
- "fields": [
- {
- "name": "affect_dest",
- "type": "optional",
- "comment": "Destinations affected by the service request."
- },
- {
- "name": "comments",
- "type": "optional",
- "comment": "Comments about the service request."
- },
- {
- "name": "description",
- "type": "optional",
- "comment": "The description of the service request."
- },
- {
- "name": "priority",
- "type": "required",
- "comment": "The relative priority of the service request."
- },
- {
- "name": "severity",
- "type": "required",
- "comment": "The relative severity of the service request."
- },
- {
- "name": "severity_id",
- "type": "required",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "splunk_id",
- "type": "optional",
- "comment": "The unique identifier of the service request as it pertains to Splunk. For example, 14DA67E8-6084-4FA8-9568-48D05969C522@@_internal@@0533eff241db0d892509be46cd3126e30e0f6046."
- },
- {
- "name": "splunk_realm",
- "type": "optional",
- "comment": "The Splunk application or use case associated with the unique identifier (splunk_id). For example, es_notable."
- },
- {
- "name": "src_user",
- "type": "optional",
- "comment": "The user or entity that created or triggered the service request, if applicable."
- },
- {
- "name": "status",
- "type": "required",
- "comment": "The relative status of the service request."
- },
- {
- "name": "time_submitted",
- "type": "optional",
- "comment": "The time that the src_user submitted the service request."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The name of the user or entity that is assigned to carry out the service request, if applicable."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "ticket_id",
- "type": "required",
- "comment": "An identification name, code, or number for the service request."
- }
- ],
- "child_dataset": [
- {
- "name": "Change",
- "tags": [["change", "ticketing"]],
- "search_constraints": "tag=change",
- "fields_cluster": [],
- "fields": [
- {
- "name": "change",
- "type": "optional",
- "comment": "Designation for a request for change (RFC) that is raised to modify an IT service to resolve an incident or problem."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Incident",
- "tags": [["incident", "ticketing"]],
- "search_constraints": "tag=incident",
- "fields_cluster": [],
- "fields": [
- {
- "name": "incident",
- "type": "optional",
- "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- }
- ],
- "child_dataset": []
- },
- {
- "name": "Problem",
- "tags": [["problem", "ticketing"]],
- "search_constraints": "tag=problem",
- "fields_cluster": [],
- "fields": [
- {
- "name": "problem",
- "type": "optional",
- "comment": "When multiple occurrences of related incidents are observed, they are collectively designated with a single problem value. Problem management differs from the process of managing an isolated incident. Often problems are managed by a specific set of staff and through a problem management process."
- }
- ],
- "child_dataset": []
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Updates.json b/splunk-cim-models/splunk_cim_models/data_models/Updates.json
deleted file mode 100644
index 8d2f5b0d..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Updates.json
+++ /dev/null
@@ -1,114 +0,0 @@
-{
- "version":"1.0.0",
- "model_name": "Updates",
- "objects":[
- {
- "name": "Updates",
- "tags": [
- ["update","status"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=update tag=status",
- "fields": [
- {
- "name": "dest",
- "type": "required",
- "comment":"The system that is affected by the patch change. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment":"The device that detected the patch event, such as a patching or configuration management server. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name."
- },
- {
- "name": "file_hash",
- "type": "optional",
- "comment":"The checksum of the patch package that was installed or attempted."
- },
- {
- "name": "file_name",
- "type": "required",
- "multi_value": true,
- "comment":"The name of the patch package that was installed or attempted."
- },
- {
- "name": "severity",
- "type": "optional",
- "expected_values": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "comment":"The severity associated with the patch event."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "signature",
- "type": "required",
- "multi_value": true,
- "comment":"The name of the patch requirement detected on the client (the dest), such as MS08-067 or RHBA-2013:0739."
- },
- {
- "name": "signature_id",
- "type": "required",
- "multi_value": true,
- "comment":"The ID of the patch requirement detected on the client (the src)."
- },
- {
- "name": "status",
- "type": "required",
- "expected_values": [
- "available",
- "installed",
- "invalid",
- "restart required",
- "failure"
- ],
- "comment":"Indicates the status of a given patch requirement."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment":"The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data."
- }
- ],
- "child_dataset": [
- {
- "name":"Available_Updates",
- "tags": [
- ["update","status"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"status=\"available\""
- },
- {
- "name":"Installed_Updates",
- "tags": [
- ["update","status"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"status=\"installed\""
- },
- {
- "name":"Restart_Required_Updates",
- "tags": [
- ["update","status"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"status=\"restart_required\""
- }
- ]
- }]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json b/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json
deleted file mode 100644
index 96eb322a..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Vulnerabilities.json
+++ /dev/null
@@ -1,141 +0,0 @@
-{
- "model_name": "Vulnerabilities",
- "version": "1.0.0",
- "objects":
- [{
- "name": "Vulnerabilities",
- "tags": [
- ["vulnerability","report"]
- ],
- "fields_cluster": [],
- "search_constraints": "tag=vulnerability tag=report",
- "fields": [
- {
- "name": "bugtraq",
- "type": "optional",
- "comment":"Corresponds to an identifier in the vulnerability database provided by the Security Focus website."
- },
- {
- "name": "category",
- "type": "required",
- "comment":"The category of the discovered vulnerability, such as DoS."
- },
- {
- "name": "cert",
- "type": "optional",
- "comment":"Corresponds to an identifier in the vulnerability database provided by the US Computer Emergency Readiness Team"
- },
- {
- "name": "cve",
- "type": "required",
- "multi_value": true,
- "comment":"Corresponds to an identifier provided in the Common Vulnerabilities and Exposures index"
- },
- {
- "name": "cvss",
- "type": "required",
- "validity": "if(isnum(cvss),cvss,null())",
- "comment":"Numeric indicator of the common vulnerability scoring system."
- },
- {
- "name": "dest",
- "type": "required",
- "comment":"The host with the discovered vulnerability. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dvc",
- "type": "required",
- "comment":"The system that discovered the vulnerability. You can alias this from more specific fields, such as dvc_host, dvc_ip, or dvc_name."
- },
- {
- "name": "msft",
- "type": "optional",
- "comment":"Corresponds to a Microsoft Security Advisory number."
- },
- {
- "name": "mskb",
- "type": "optional",
- "comment":"Corresponds to a Microsoft Knowledge Base article number."
- },
- {
- "name": "severity",
- "type": "required",
- "expected_values": [
- "critical",
- "high",
- "medium",
- "low",
- "informational"
- ],
- "comment":"The severity of the vulnerability detection event. Specific values are required."
- },
- {
- "name": "severity_id",
- "type": "optional",
- "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
- },
- {
- "name": "signature",
- "type": "required",
- "comment":"The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)."
- },
- {
- "name": "signature_id",
- "type": "optional",
- "comment": "The unique identifier or event code of the event signature."
- },
- {
- "name": "url",
- "type": "optional",
- "comment":"The URL involved in the discovered vulnerability."
- },
- {
- "name": "user",
- "type": "optional",
- "comment":"The user involved in the discovered vulnerability."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment":"The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "xref",
- "type": "optional",
- "comment":"A cross-reference identifier associated with the vulnerability. In most cases, the xref field contains both the short name of the database being cross-referenced and the unique identifier used in the external database."
- }
- ],
- "child_dataset": [
- {
- "name":"High_Critical_Vulnerabilities",
- "tags": [
- ["vulnerability","report"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"(severity=\"high\" OR severity=\"critical\")"
- },
- {
- "name":"Medium_Vulnerabilities",
- "tags": [
- ["vulnerability","report"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"severity=\"medium\""
- },
- {
- "name":"Low_Informational_Vulnerabilities",
- "tags": [
- ["vulnerability","report"]
- ],
- "fields_cluster":[],
- "fields":[],
- "child_dataset": [],
- "search_constraints":"(severity=\"low\" OR severity=\"informational\")"
- }
- ]
- }]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/data_models/Web.json b/splunk-cim-models/splunk_cim_models/data_models/Web.json
deleted file mode 100644
index 0aaaf56a..00000000
--- a/splunk-cim-models/splunk_cim_models/data_models/Web.json
+++ /dev/null
@@ -1,275 +0,0 @@
-{
- "model_name": "Web",
- "version": "1.0.0",
- "objects": [
- {
- "name": "Web",
- "tags": [["web"]],
- "fields_cluster": [
- ["bytes", "bytes_in", "bytes_out"],
- ["http_user_agent", "http_user_agent_length"]
- ],
- "fields": [
- {
- "name": "action",
- "type": "required",
- "comment": "The action taken by the server or proxy."
- },
- {
- "name": "app",
- "type": "conditional",
- "condition": "app=*",
- "validity": "if(isstr(app),app,null())",
- "comment": "The application detected or hosted by the server/site such as wordpress, splunk, or facebook."
- },
- {
- "name": "dest",
- "type": "required",
- "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
- },
- {
- "name": "dest_port",
- "type": "required",
- "validity": "if(isnum(dest_port),dest_port,null())",
- "comment": "The destination port of the web traffic."
- },
- {
- "name": "src",
- "type": "required",
- "comment": "The source of the network traffic (the client requesting the connection)."
- },
- {
- "name": "status",
- "type": "required",
- "expected_values": [
- "100",
- "101",
- "102",
- "200",
- "201",
- "202",
- "203",
- "204",
- "205",
- "206",
- "207",
- "208",
- "226",
- "300",
- "301",
- "302",
- "303",
- "304",
- "305",
- "306",
- "307",
- "308",
- "400",
- "401",
- "402",
- "403",
- "404",
- "405",
- "406",
- "407",
- "408",
- "409",
- "410",
- "411",
- "412",
- "413",
- "414",
- "415",
- "416",
- "417",
- "422",
- "423",
- "424",
- "426",
- "428",
- "429",
- "431",
- "500",
- "501",
- "502",
- "503",
- "504",
- "505",
- "506",
- "507",
- "508",
- "510",
- "511"
- ],
- "comment": "The HTTP response code indicating the status of the proxy request."
- },
- {
- "name": "uri_path",
- "type": "conditional",
- "condition": "uri_path=*",
- "validity": "if(match(uri_path, \"^\/[/.a-zA-Z0-9- _%]*\"),uri_path,null())",
- "comment": "The path of the resource served by the webserver or proxy."
- },
- {
- "name": "url",
- "type": "required",
- "comment": "The URL of the requested HTTP resource."
- },
- {
- "name": "url_domain",
- "type": "required",
- "comment": "The domain name contained within the URL of the requested HTTP resource."
- },
- {
- "name": "url_length",
- "type": "optional",
- "validity": "if(url_length == len(url), url_length, null())",
- "comment": "The length of the URL."
- },
- {
- "name": "category",
- "type": "required",
- "comment": "The category of traffic, such as may be provided by a proxy server."
- },
- {
- "name": "bytes",
- "type": "required",
- "validity": "if(isnum(bytes) and bytes == (bytes_in+bytes_out),bytes,null())",
- "comment": "The total number of bytes transferred (bytes_in + bytes_out)."
- },
- {
- "name": "bytes_in",
- "type": "required",
- "validity": "if(isnum(bytes_in),bytes_in,null())",
- "comment": "The number of inbound bytes transferred."
- },
- {
- "name": "bytes_out",
- "type": "required",
- "validity": "if(isnum(bytes_out),bytes_out,null())",
- "comment": "The number of outbound bytes transferred."
- },
- {
- "name": "http_method",
- "type": "required",
- "expected_values": [
- "GET",
- "PUT",
- "POST",
- "DELETE",
- "HEAD",
- "OPTIONS",
- "CONNECT",
- "TRACE"
- ],
- "comment": "The HTTP method used in the request."
- },
- {
- "name": "http_user_agent",
- "type": "required",
- "comment": "The user agent used in the request."
- },
- {
- "name": "http_user_agent_length",
- "type": "required",
- "validity": "if(http_user_agent_length == len(http_user_agent), http_user_agent_length, null())",
- "comment": "The length of the user agent used in the request."
- },
- {
- "name": "cached",
- "type": "optional",
- "expected_values": ["true", "false", "1", "0"],
- "comment": "Indicates whether the event data is cached or not."
- },
- {
- "name": "duration",
- "type": "optional",
- "validity": "if(isnum(duration),duration,null())",
- "comment": "The time taken by the proxy event, in milliseconds."
- },
- {
- "name": "http_content_type",
- "type": "optional",
- "comment": "The content-type of the requested HTTP resource."
- },
- {
- "name": "response_time",
- "type": "optional",
- "validity": "if(isnum(response_time),response_time,null())",
- "comment": "The amount of time it took to receive a response, if applicable, in milliseconds."
- },
- {
- "name": "uri_query",
- "type": "optional",
- "comment": "The path of the resource requested by the client."
- },
- {
- "name": "user",
- "type": "optional",
- "comment": "The user that requested the HTTP resource."
- },
- {
- "name": "vendor_product",
- "type": "required",
- "comment": "The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data."
- },
- {
- "name": "cookie",
- "type": "optional",
- "comment": "The cookie file recorded in the event."
- },
- {
- "name": "http_referrer",
- "type": "optional",
- "comment": "The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. Use a FIELDALIAS to handle both key names."
- },
- {
- "name": "http_referrer_domain",
- "type": "optional",
- "comment": "The domain name contained within the HTTP referrer used in the request."
- },
- {
- "name": "site",
- "type": "optional",
- "comment": "The virtual site which services the request, if applicable."
- }
- ],
- "child_dataset": [
- {
- "name": "Proxy",
- "tags": [["proxy", "web"]],
- "fields_cluster": [],
- "fields": [],
- "child_dataset": [],
- "search_constraints": "tag=proxy"
- },
- {
- "name": "Storage",
- "tags": [["storage", "web"]],
- "fields_cluster": [],
- "fields":[
- {
- "name": "error_code",
- "type": "optional",
- "comment": "The error code that occurred while accessing the storage account"
- },
- {
- "name": "operation",
- "type": "optional",
- "comment": "The operation performed on the storage account."
- },
- {
- "name": "storage_name",
- "type": "optional",
- "comment": "The name of the bucket or storage account."
- }
- ],
- "child_dataset": [],
- "search_constraints": "tag=storage"
-
- }
- ],
- "search_constraints": "tag=web"
- }
- ]
-}
\ No newline at end of file
diff --git a/splunk-cim-models/splunk_cim_models/datamodel_definition.py b/splunk-cim-models/splunk_cim_models/datamodel_definition.py
deleted file mode 100644
index a7758962..00000000
--- a/splunk-cim-models/splunk_cim_models/datamodel_definition.py
+++ /dev/null
@@ -1,2404 +0,0 @@
-#
-# Copyright 2026 Splunk Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-datamodels = {
- "4.18.1": {
- "Alerts": {
- "BaseEvent": [
- "app",
- "dest",
- "severity",
- "signature_id",
- "src",
- "type",
- "user",
- ]
- },
- "Application_State": {
- "BaseEvent": ["dest", "process"],
- "Ports": ["dest_port", "transport"],
- "Services": ["service", "service_id", "start_mode", "status"],
- },
- "Authentication": {
- "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
- },
- "Certificates": {
- "SSL": [
- "ssl_end_time",
- "ssl_serial",
- "ssl_start_time",
- "ssl_hash",
- "ssl_issuer",
- "ssl_issuer_common_name",
- "ssl_issuer_email_domain",
- "ssl_subject",
- "ssl_subject_common_name",
- "ssl_subject_email_domain",
- ]
- },
- "Change": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Instance_Changes": ["image_id", "instance_type"],
- },
- "Change_Analysis": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Filesystem_Changes": [
- "file_access_time",
- "file_create_time",
- "file_hash",
- "file_modify_time",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- ],
- },
- "Compute_Inventory": {
- "BaseEvent": ["dest", "vendor_product"],
- "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"],
- "Memory": ["mem"],
- "Network": ["dns", "interface", "ip", "mac", "name"],
- "OS": ["os"],
- "Snapshot": ["size", "snapshot"],
- "Storage": ["mount", "storage"],
- "User": ["interactive", "password", "user"],
- "Virtual_OS": ["hypervisor"],
- },
- "DLP": {
- "BaseEvent": [
- "action",
- "category",
- "dvc",
- "dlp_type",
- "object",
- "object_path",
- "object_category",
- "signature",
- "severity",
- "src",
- "src_user",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Email": {
- "BaseEvent": [
- "action",
- "dest",
- "src",
- "recipient",
- "recipient_domain",
- "src_user",
- "src_user_domain",
- "vendor_product",
- ],
- "Filtering": ["signature"],
- },
- "Endpoint": {
- "Filesystem": [
- "file_access_time",
- "file_create_time",
- "file_modify_time",
- "action",
- "dest",
- "file_hash",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- "user",
- "vendor_product",
- ],
- "Ports": [
- "dest_port",
- "transport",
- "src",
- "src_port",
- "dest",
- "user",
- "vendor_product",
- ],
- "Processes": [
- "dest",
- "parent_process",
- "parent_process_name",
- "process",
- "process_name",
- "user",
- "vendor_product",
- ],
- "Registry": [
- "action",
- "dest",
- "registry_path",
- "registry_key_name",
- "registry_value_data",
- "registry_value_name",
- "registry_value_type",
- "user",
- "vendor_product",
- ],
- "Services": [
- "dest",
- "service",
- "service_name",
- "service_id",
- "start_mode",
- "status",
- "user",
- "vendor_product",
- ],
- },
- "Event_Signatures": {"BaseEvent": ["vendor_product"]},
- "Intrusion_Detection": {
- "BaseEvent": [
- "dvc",
- "ids_type",
- "category",
- "signature",
- "severity",
- "src",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Malware": {
- "BaseEvent": [
- "action",
- "category",
- "date",
- "dest",
- "dest_nt_domain",
- "severity",
- "signature",
- "user",
- "vendor_product",
- ],
- "Malware_Operations": [
- "product_version",
- "signature_version",
- "dest",
- "dest_nt_domain",
- "vendor_product",
- ],
- },
- "Network_Resolution": {
- "BaseEvent": [
- "answer",
- "dest",
- "message_type",
- "query",
- "reply_code_id",
- "reply_code",
- "vendor_product",
- ]
- },
- "Network_Sessions": {
- "BaseEvent": [
- "dest_ip",
- "dest_mac",
- "dest_nt_host",
- "dest_dns",
- "user",
- "vendor_product",
- ]
- },
- "Network_Traffic": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "dest_port",
- "dvc",
- "rule",
- "src",
- "src_port",
- "transport",
- "user",
- "vendor_product",
- ]
- },
- "Performance": {
- "BaseEvent": ["dest"],
- "CPU": ["cpu_load_percent"],
- "Facilities": ["temperature"],
- "Memory": ["mem", "mem_free", "mem_used"],
- "Network": ["thruput"],
- "OS": ["signature"],
- "Storage": [
- "storage_free",
- "storage_free_percent",
- "storage_used",
- "storage_used_percent",
- ],
- "Timesync": ["action"],
- "Uptime": ["uptime"],
- },
- "Updates": {
- "BaseEvent": [
- "dest",
- "signature",
- "signature_id",
- "status",
- "vendor_product",
- ]
- },
- "Vulnerabilities": {
- "BaseEvent": [
- "category",
- "cve",
- "dest",
- "dvc",
- "severity",
- "signature",
- "vendor_product",
- ]
- },
- "Web": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "http_content_type",
- "http_method",
- "http_referrer",
- "http_referrer_domain",
- "http_user_agent",
- "src",
- "status",
- "url",
- "url_domain",
- "user",
- "vendor_product",
- ]
- },
- },
- "4.19": {
- "Alerts": {
- "BaseEvent": [
- "app",
- "dest",
- "severity",
- "signature_id",
- "src",
- "type",
- "user",
- "user_name",
- ]
- },
- "Application_State": {
- "BaseEvent": ["dest", "process"],
- "Ports": ["dest_port", "transport"],
- "Services": ["service", "service_id", "start_mode", "status"],
- },
- "Authentication": {
- "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
- },
- "Certificates": {
- "SSL": [
- "ssl_end_time",
- "ssl_serial",
- "ssl_start_time",
- "ssl_hash",
- "ssl_issuer",
- "ssl_issuer_common_name",
- "ssl_issuer_email_domain",
- "ssl_subject",
- "ssl_subject_common_name",
- "ssl_subject_email_domain",
- ]
- },
- "Change": {
- "Account_Management": [
- "dest_nt_domain",
- "src_nt_domain",
- "src_user",
- "src_user_name",
- ],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "user_name",
- "vendor_product",
- "action",
- ],
- "Instance_Changes": ["image_id", "instance_type"],
- },
- "Change_Analysis": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Filesystem_Changes": [
- "file_access_time",
- "file_create_time",
- "file_hash",
- "file_modify_time",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- ],
- },
- "Compute_Inventory": {
- "BaseEvent": ["dest", "vendor_product"],
- "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"],
- "Memory": ["mem"],
- "Network": ["dns", "interface", "ip", "mac", "name"],
- "OS": ["os"],
- "Snapshot": ["size", "snapshot"],
- "Storage": ["mount", "storage"],
- "User": ["interactive", "password", "user"],
- "Virtual_OS": ["hypervisor"],
- },
- "DLP": {
- "BaseEvent": [
- "action",
- "category",
- "dvc",
- "dlp_type",
- "object",
- "object_path",
- "object_category",
- "signature",
- "severity",
- "src",
- "src_user",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Email": {
- "BaseEvent": [
- "action",
- "dest",
- "src",
- "recipient",
- "recipient_domain",
- "src_user",
- "src_user_domain",
- "vendor_product",
- ],
- "Filtering": ["signature"],
- },
- "Endpoint": {
- "Filesystem": [
- "file_access_time",
- "file_create_time",
- "file_modify_time",
- "action",
- "dest",
- "file_hash",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- "user",
- "vendor_product",
- ],
- "Ports": [
- "dest_port",
- "transport",
- "src",
- "src_port",
- "dest",
- "user",
- "vendor_product",
- ],
- "Processes": [
- "dest",
- "parent_process",
- "parent_process_name",
- "process",
- "process_name",
- "user",
- "vendor_product",
- ],
- "Registry": [
- "action",
- "dest",
- "registry_path",
- "registry_key_name",
- "registry_value_data",
- "registry_value_name",
- "registry_value_type",
- "user",
- "vendor_product",
- ],
- "Services": [
- "dest",
- "service",
- "service_name",
- "service_id",
- "start_mode",
- "status",
- "user",
- "vendor_product",
- ],
- },
- "Event_Signatures": {"BaseEvent": ["vendor_product"]},
- "Intrusion_Detection": {
- "BaseEvent": [
- "dvc",
- "ids_type",
- "category",
- "signature",
- "severity",
- "src",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Malware": {
- "BaseEvent": [
- "action",
- "category",
- "date",
- "dest",
- "dest_nt_domain",
- "severity",
- "signature",
- "user",
- "vendor_product",
- ],
- "Malware_Operations": [
- "product_version",
- "signature_version",
- "dest",
- "dest_nt_domain",
- "vendor_product",
- ],
- },
- "Network_Resolution": {
- "BaseEvent": [
- "answer",
- "dest",
- "message_type",
- "query",
- "reply_code_id",
- "reply_code",
- "vendor_product",
- ]
- },
- "Network_Sessions": {
- "BaseEvent": [
- "dest_ip",
- "dest_mac",
- "dest_nt_host",
- "dest_dns",
- "user",
- "vendor_product",
- ]
- },
- "Network_Traffic": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "dest_port",
- "dvc",
- "rule",
- "src",
- "src_port",
- "transport",
- "user",
- "vendor_product",
- ]
- },
- "Performance": {
- "BaseEvent": ["dest"],
- "CPU": ["cpu_load_percent"],
- "Facilities": ["temperature"],
- "Memory": ["mem", "mem_free", "mem_used"],
- "Network": ["thruput"],
- "OS": ["signature"],
- "Storage": [
- "storage_free",
- "storage_free_percent",
- "storage_used",
- "storage_used_percent",
- ],
- "Timesync": ["action"],
- "Uptime": ["uptime"],
- },
- "Updates": {
- "BaseEvent": [
- "dest",
- "signature",
- "signature_id",
- "status",
- "vendor_product",
- ]
- },
- "Vulnerabilities": {
- "BaseEvent": [
- "category",
- "cve",
- "dest",
- "dvc",
- "severity",
- "signature",
- "vendor_product",
- ]
- },
- "Web": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "http_content_type",
- "http_method",
- "http_referrer",
- "http_referrer_domain",
- "http_user_agent",
- "src",
- "status",
- "url",
- "url_domain",
- "user",
- "vendor_product",
- ]
- },
- },
- "4.20.2": {
- "Alerts": {
- "BaseEvent": [
- "app",
- "dest",
- "severity",
- "signature_id",
- "src",
- "type",
- "user",
- "user_name",
- ]
- },
- "Application_State": {
- "BaseEvent": ["dest", "process"],
- "Ports": ["dest_port", "transport"],
- "Services": ["service", "service_id", "start_mode", "status"],
- },
- "Authentication": {
- "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
- },
- "Certificates": {
- "SSL": [
- "ssl_end_time",
- "ssl_serial",
- "ssl_start_time",
- "ssl_hash",
- "ssl_issuer",
- "ssl_issuer_common_name",
- "ssl_issuer_email_domain",
- "ssl_subject",
- "ssl_subject_common_name",
- "ssl_subject_email_domain",
- ]
- },
- "Change": {
- "Account_Management": [
- "dest_nt_domain",
- "src_nt_domain",
- "src_user",
- "src_user_name",
- ],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "user_name",
- "vendor_product",
- "action",
- ],
- "Instance_Changes": ["image_id", "instance_type"],
- },
- "Change_Analysis": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Filesystem_Changes": [
- "file_access_time",
- "file_create_time",
- "file_hash",
- "file_modify_time",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- ],
- },
- "Compute_Inventory": {
- "BaseEvent": ["dest", "vendor_product"],
- "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"],
- "Memory": ["mem"],
- "Network": ["dns", "interface", "ip", "mac", "name"],
- "OS": ["os"],
- "Snapshot": ["size", "snapshot"],
- "Storage": ["mount", "storage"],
- "User": ["interactive", "password", "user"],
- "Virtual_OS": ["hypervisor"],
- },
- "DLP": {
- "BaseEvent": [
- "action",
- "category",
- "dvc",
- "dlp_type",
- "object",
- "object_path",
- "object_category",
- "signature",
- "severity",
- "src",
- "src_user",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Data_Access": {
- "BaseEvent": [
- "action",
- "app",
- "dest",
- "object",
- "object_category",
- "object_id",
- "object_size",
- "src",
- "tenant_id",
- "user",
- "vendor_product",
- ]
- },
- "Email": {
- "BaseEvent": [
- "action",
- "dest",
- "src",
- "recipient",
- "recipient_domain",
- "src_user",
- "src_user_domain",
- "vendor_product",
- ],
- "Filtering": ["signature"],
- },
- "Endpoint": {
- "Filesystem": [
- "file_access_time",
- "file_create_time",
- "file_modify_time",
- "action",
- "dest",
- "file_hash",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- "user",
- "vendor_product",
- ],
- "Ports": [
- "dest_port",
- "transport",
- "src",
- "src_port",
- "dest",
- "user",
- "vendor_product",
- ],
- "Processes": [
- "dest",
- "original_file_name",
- "parent_process",
- "parent_process_name",
- "process",
- "process_name",
- "user",
- "vendor_product",
- ],
- "Registry": [
- "action",
- "dest",
- "registry_path",
- "registry_key_name",
- "registry_value_data",
- "registry_value_name",
- "registry_value_type",
- "user",
- "vendor_product",
- ],
- "Services": [
- "dest",
- "service",
- "service_name",
- "service_id",
- "start_mode",
- "status",
- "user",
- "vendor_product",
- ],
- },
- "Event_Signatures": {"BaseEvent": ["vendor_product"]},
- "Intrusion_Detection": {
- "BaseEvent": [
- "dvc",
- "ids_type",
- "category",
- "signature",
- "severity",
- "src",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Malware": {
- "BaseEvent": [
- "action",
- "category",
- "date",
- "dest",
- "dest_nt_domain",
- "severity",
- "signature",
- "user",
- "vendor_product",
- ],
- "Malware_Operations": [
- "product_version",
- "signature_version",
- "dest",
- "dest_nt_domain",
- "vendor_product",
- ],
- },
- "Network_Resolution": {
- "BaseEvent": [
- "answer",
- "dest",
- "message_type",
- "query",
- "reply_code_id",
- "reply_code",
- "vendor_product",
- ]
- },
- "Network_Sessions": {
- "BaseEvent": [
- "dest_ip",
- "dest_mac",
- "dest_nt_host",
- "dest_dns",
- "user",
- "vendor_product",
- ]
- },
- "Network_Traffic": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "dest_port",
- "dvc",
- "rule",
- "src",
- "src_port",
- "transport",
- "user",
- "vendor_product",
- ]
- },
- "Performance": {
- "BaseEvent": ["dest"],
- "CPU": ["cpu_load_percent"],
- "Facilities": ["temperature"],
- "Memory": ["mem", "mem_free", "mem_used"],
- "Network": ["thruput"],
- "OS": ["signature"],
- "Storage": [
- "storage_free",
- "storage_free_percent",
- "storage_used",
- "storage_used_percent",
- ],
- "Timesync": ["action"],
- "Uptime": ["uptime"],
- },
- "Updates": {
- "BaseEvent": [
- "dest",
- "signature",
- "signature_id",
- "status",
- "vendor_product",
- ]
- },
- "Vulnerabilities": {
- "BaseEvent": [
- "category",
- "cve",
- "dest",
- "dvc",
- "severity",
- "signature",
- "vendor_product",
- ]
- },
- "Web": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "http_content_type",
- "http_method",
- "http_referrer",
- "http_referrer_domain",
- "http_user_agent",
- "src",
- "status",
- "url",
- "url_domain",
- "user",
- "vendor_product",
- ]
- },
- },
- "5.0.0": {
- "Alerts": {
- "BaseEvent": [
- "app",
- "dest",
- "severity",
- "signature_id",
- "src",
- "type",
- "user",
- "user_name",
- ]
- },
- "Application_State": {
- "BaseEvent": ["dest", "process"],
- "Ports": ["dest_port", "transport"],
- "Services": ["service", "service_id", "start_mode", "status"],
- },
- "Authentication": {
- "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
- },
- "Certificates": {
- "SSL": [
- "ssl_end_time",
- "ssl_serial",
- "ssl_start_time",
- "ssl_hash",
- "ssl_issuer",
- "ssl_issuer_common_name",
- "ssl_issuer_email_domain",
- "ssl_subject",
- "ssl_subject_common_name",
- "ssl_subject_email_domain",
- ]
- },
- "Change": {
- "Account_Management": [
- "dest_nt_domain",
- "src_nt_domain",
- "src_user",
- "src_user_name",
- ],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "user_name",
- "vendor_product",
- "action",
- ],
- "Instance_Changes": ["image_id", "instance_type"],
- },
- "Change_Analysis": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Filesystem_Changes": [
- "file_access_time",
- "file_create_time",
- "file_hash",
- "file_modify_time",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- ],
- },
- "Compute_Inventory": {
- "BaseEvent": ["dest", "vendor_product"],
- "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"],
- "Memory": ["mem"],
- "Network": ["dns", "interface", "ip", "mac", "name"],
- "OS": ["os"],
- "Snapshot": ["size", "snapshot"],
- "Storage": ["mount", "storage"],
- "User": ["interactive", "password", "user"],
- "Virtual_OS": ["hypervisor"],
- },
- "DLP": {
- "BaseEvent": [
- "action",
- "category",
- "dvc",
- "dlp_type",
- "object",
- "object_path",
- "object_category",
- "signature",
- "severity",
- "src",
- "src_user",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Data_Access": {
- "BaseEvent": [
- "action",
- "app",
- "dest",
- "object",
- "object_category",
- "object_id",
- "object_size",
- "src",
- "vendor_account",
- "user",
- "vendor_product",
- ]
- },
- "Email": {
- "BaseEvent": [
- "action",
- "dest",
- "src",
- "recipient",
- "recipient_domain",
- "src_user",
- "src_user_domain",
- "vendor_product",
- ],
- "Filtering": ["signature"],
- },
- "Endpoint": {
- "Filesystem": [
- "file_access_time",
- "file_create_time",
- "file_modify_time",
- "action",
- "dest",
- "file_hash",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- "user",
- "vendor_product",
- ],
- "Ports": [
- "dest_port",
- "transport",
- "src",
- "src_port",
- "dest",
- "user",
- "vendor_product",
- ],
- "Processes": [
- "dest",
- "original_file_name",
- "parent_process",
- "parent_process_name",
- "process",
- "process_name",
- "user",
- "vendor_product",
- ],
- "Registry": [
- "action",
- "dest",
- "registry_path",
- "registry_key_name",
- "registry_value_data",
- "registry_value_name",
- "registry_value_type",
- "user",
- "vendor_product",
- ],
- "Services": [
- "dest",
- "service",
- "service_name",
- "service_id",
- "start_mode",
- "status",
- "user",
- "vendor_product",
- ],
- },
- "Event_Signatures": {"BaseEvent": ["vendor_product"]},
- "Intrusion_Detection": {
- "BaseEvent": [
- "dvc",
- "ids_type",
- "category",
- "signature",
- "severity",
- "src",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Malware": {
- "BaseEvent": [
- "action",
- "category",
- "date",
- "dest",
- "dest_nt_domain",
- "severity",
- "signature",
- "user",
- "vendor_product",
- ],
- "Malware_Operations": [
- "product_version",
- "signature_version",
- "dest",
- "dest_nt_domain",
- "vendor_product",
- ],
- },
- "Network_Resolution": {
- "BaseEvent": [
- "answer",
- "dest",
- "message_type",
- "query",
- "reply_code_id",
- "reply_code",
- "vendor_product",
- ]
- },
- "Network_Sessions": {
- "BaseEvent": [
- "dest_ip",
- "dest_mac",
- "dest_nt_host",
- "dest_dns",
- "user",
- "vendor_product",
- ]
- },
- "Network_Traffic": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "dest_port",
- "dvc",
- "rule",
- "src",
- "src_port",
- "transport",
- "user",
- "vendor_product",
- ]
- },
- "Performance": {
- "BaseEvent": ["dest"],
- "CPU": ["cpu_load_percent"],
- "Facilities": ["temperature"],
- "Memory": ["mem", "mem_free", "mem_used"],
- "Network": ["thruput"],
- "OS": ["signature"],
- "Storage": [
- "storage_free",
- "storage_free_percent",
- "storage_used",
- "storage_used_percent",
- ],
- "Timesync": ["action"],
- "Uptime": ["uptime"],
- },
- "Updates": {
- "BaseEvent": [
- "dest",
- "signature",
- "signature_id",
- "status",
- "vendor_product",
- ]
- },
- "Vulnerabilities": {
- "BaseEvent": [
- "category",
- "cve",
- "dest",
- "dvc",
- "severity",
- "signature",
- "vendor_product",
- ]
- },
- "Web": {
- "BaseEvent": [
- "action",
- "bytes",
- "bytes_in",
- "bytes_out",
- "dest",
- "http_content_type",
- "http_method",
- "http_referrer",
- "http_referrer_domain",
- "http_user_agent",
- "src",
- "status",
- "url",
- "url_domain",
- "user",
- "vendor_product",
- ]
- },
- },
- "5.3.1": {
- "Alerts": {
- "BaseEvent": [
- "app",
- "dest",
- "severity",
- "signature_id",
- "src",
- "type",
- "user",
- ]
- },
- "Application_State": {
- "BaseEvent": ["dest", "process"],
- "Ports": ["dest_port", "transport"],
- "Services": ["service", "service_id", "start_mode", "status"],
- },
- "Authentication": {
- "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"]
- },
- "Certificates": {
- "SSL": [
- "ssl_end_time",
- "ssl_serial",
- "ssl_start_time",
- "ssl_hash",
- "ssl_issuer",
- "ssl_issuer_common_name",
- "ssl_issuer_email_domain",
- "ssl_subject",
- "ssl_subject_common_name",
- "ssl_subject_email_domain",
- ]
- },
- "Change": {
- "Account_Management": [
- "dest_nt_domain",
- "src_nt_domain",
- "src_user",
- ],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Instance_Changes": ["image_id", "instance_type"],
- },
- "Change_Analysis": {
- "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"],
- "BaseEvent": [
- "change_type",
- "command",
- "dest",
- "dvc",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_path",
- "status",
- "result",
- "result_id",
- "src",
- "user",
- "vendor_product",
- "action",
- ],
- "Filesystem_Changes": [
- "file_access_time",
- "file_create_time",
- "file_hash",
- "file_modify_time",
- "file_name",
- "file_path",
- "file_acl",
- "file_size",
- ],
- },
- "Compute_Inventory": {
- "BaseEvent": ["dest", "vendor_product"],
- "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"],
- "Memory": ["mem"],
- "Network": ["dns", "interface", "ip", "mac", "name"],
- "OS": ["os"],
- "Snapshot": ["size", "snapshot"],
- "Storage": ["mount", "storage"],
- "User": ["interactive", "password", "user"],
- "Virtual_OS": ["hypervisor"],
- },
- "DLP": {
- "BaseEvent": [
- "action",
- "category",
- "dvc",
- "dlp_type",
- "object",
- "object_path",
- "object_category",
- "signature",
- "severity",
- "src",
- "src_user",
- "dest",
- "user",
- "vendor_product",
- ]
- },
- "Data_Access": {
- "BaseEvent": [
- "action",
- "app",
- "dest",
- "object",
- "object_attrs",
- "object_category",
- "object_id",
- "object_size",
- "src",
- 
"user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_access_time", - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "dest", - "user", - "vendor_product", - ], - "Processes": [ - "dest", - "loaded_file", - "original_file_name", - "parent_process", - "parent_process_name", - "process", - "process_name", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["vendor_product"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "user", - "vendor_product", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "date", - "dest", - "dest_nt_domain", - "severity", - "signature", - "user", - "vendor_product", - ], - "Malware_Operations": [ - "product_version", - "signature_version", - "dest", - "dest_nt_domain", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "dest_nt_host", - "dest_dns", - "user", - "vendor_product", - ] - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - 
"bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "rule", - "src", - "src_port", - "transport", - "user", - "vendor_product", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_content_type", - "http_method", - "http_referrer", - "http_referrer_domain", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - ] - }, - }, - "5.3.2": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature", - "signature_id", - "src", - "type", - "user", - "description", - "id", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "dest", "user"], - "Privileged_Authentication": ["src_user"], - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_organization", - "ssl_validity_window", - ] - }, - "Change": { - "Account_Management": [ - "src_user", - "object_category", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_id", - "status", - "result", - 
"src", - "user", - "vendor_product", - "action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - "app", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_attrs", - "object_category", - "object_id", - "object_size", - "src", - "user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - "internal_message_id", - "message_id", - "protocol", - "return_addr", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - 
"src_port", - "transport_dest_port", - "dest", - "vendor_product", - "state", - ], - "Processes": [ - "action", - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "process_id", - "process_path", - "parent_process_id", - "parent_process_path", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - "status", - "registry_hive", - "registry_value_text", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_path", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "vendor_product", - "action", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "dest", - "severity", - "signature", - "file_name", - "file_path", - "vendor_product", - ], - "Malware_Operations": [ - "signature_version", - "dest", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - "src", - "transport", - "answer_count", - "query_count", - "query_type", - "record_type", - "response_time", - "transaction_id", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "vendor_product", - "action", - "signature", - ], - "DHCP": ["lease_duration"], - "VPN": ["user"], - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "src", - "src_port", - "transport", - "vendor_product", - "app", - "packets", - "packets_in", - "packets_out", - "protocol", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": 
["cpu_load_percent"], - "Facilities": ["temperature"], - "Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Ticket_Management": { - "BaseEvent": [ - "priority", - "severity", - "severity_id", - "status", - "dest", - "ticket_id", - ] - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - "dvc", - "file_name", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - "cvss", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_method", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - "category", - "dest_port", - "http_user_agent_length", - ] - }, - }, - "6.0.0": { - "Alerts": { - "BaseEvent": [ - "app", - "dest", - "severity", - "signature", - "signature_id", - "src", - "type", - "user", - "description", - "id", - ] - }, - "Application_State": { - "BaseEvent": ["dest", "process"], - "Ports": ["dest_port", "transport"], - "Services": ["service", "service_id", "start_mode", "status"], - }, - "Authentication": { - "BaseEvent": ["action", "app", "src", "dest", "user"], - "Privileged_Authentication": ["src_user"], - }, - "Certificates": { - "SSL": [ - "ssl_end_time", - "ssl_serial", - "ssl_start_time", - "ssl_hash", - "ssl_issuer", - "ssl_issuer_common_name", - "ssl_subject", - "ssl_subject_common_name", - "ssl_subject_organization", - "ssl_validity_window", - ] - }, - "Change": { - "Account_Management": [ - "src_user", - "object_category", - ], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_id", - "status", - "result", - "src", - "user", - "vendor_product", - 
"action", - ], - "Instance_Changes": ["image_id", "instance_type"], - }, - "Change_Analysis": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], - "BaseEvent": [ - "change_type", - "command", - "dest", - "dvc", - "object", - "object_attrs", - "object_category", - "object_id", - "object_path", - "status", - "result", - "result_id", - "src", - "user", - "vendor_product", - "action", - ], - "Filesystem_Changes": [ - "file_access_time", - "file_create_time", - "file_hash", - "file_modify_time", - "file_name", - "file_path", - "file_acl", - "file_size", - ], - }, - "Compute_Inventory": { - "BaseEvent": ["dest", "vendor_product"], - "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], - "Memory": ["mem"], - "Network": ["dns", "interface", "ip", "mac", "name"], - "OS": ["os"], - "Snapshot": ["size", "snapshot"], - "Storage": ["mount", "storage"], - "User": ["interactive", "password", "user"], - "Virtual_OS": ["hypervisor"], - }, - "DLP": { - "BaseEvent": [ - "action", - "category", - "dvc", - "dlp_type", - "object", - "object_path", - "object_category", - "signature", - "severity", - "src", - "src_user", - "dest", - "user", - "vendor_product", - "app", - ] - }, - "Data_Access": { - "BaseEvent": [ - "action", - "app", - "dest", - "object", - "object_attrs", - "object_category", - "object_id", - "object_size", - "src", - "user_name", - "vendor_account", - "user", - "vendor_product", - ] - }, - "Email": { - "BaseEvent": [ - "action", - "dest", - "src", - "recipient", - "recipient_domain", - "src_user", - "src_user_domain", - "vendor_product", - "internal_message_id", - "message_id", - "protocol", - "return_addr", - ], - "Filtering": ["signature"], - }, - "Endpoint": { - "Filesystem": [ - "file_create_time", - "file_modify_time", - "action", - "dest", - "file_hash", - "file_name", - "file_path", - "file_acl", - "file_size", - "user", - "vendor_product", - ], - "Ports": [ - "dest_port", - "transport", - "src", - "src_port", - "transport_dest_port", - "dest", - 
"vendor_product", - "state", - ], - "Processes": [ - "action", - "dest", - "parent_process", - "parent_process_name", - "process", - "process_name", - "process_id", - "process_path", - "parent_process_id", - "parent_process_path", - "user", - "vendor_product", - ], - "Registry": [ - "action", - "dest", - "registry_path", - "registry_key_name", - "registry_value_data", - "registry_value_name", - "registry_value_type", - "user", - "vendor_product", - "status", - "registry_hive", - "registry_value_text", - ], - "Services": [ - "dest", - "service", - "service_name", - "service_path", - "service_id", - "start_mode", - "status", - "user", - "vendor_product", - ], - }, - "Event_Signatures": {"BaseEvent": ["dest", "signature", "signature_id"]}, - "Intrusion_Detection": { - "BaseEvent": [ - "dvc", - "ids_type", - "category", - "signature", - "severity", - "src", - "dest", - "vendor_product", - "action", - ] - }, - "Malware": { - "BaseEvent": [ - "action", - "category", - "dest", - "severity", - "signature", - "file_name", - "file_path", - "vendor_product", - ], - "Malware_Operations": [ - "signature_version", - "dest", - "vendor_product", - ], - }, - "Network_Resolution": { - "BaseEvent": [ - "answer", - "dest", - "message_type", - "query", - "reply_code_id", - "reply_code", - "vendor_product", - "src", - "transport", - "answer_count", - "query_count", - "query_type", - "record_type", - "response_time", - "transaction_id", - ] - }, - "Network_Sessions": { - "BaseEvent": [ - "dest_ip", - "dest_mac", - "vendor_product", - "action", - "signature", - ], - "DHCP": ["lease_duration"], - "VPN": ["user"], - }, - "Network_Traffic": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "dest_port", - "dvc", - "src", - "src_port", - "transport", - "vendor_product", - "app", - "packets", - "packets_in", - "packets_out", - "protocol", - ] - }, - "Performance": { - "BaseEvent": ["dest"], - "CPU": ["cpu_load_percent"], - "Facilities": ["temperature"], - 
"Memory": ["mem", "mem_free", "mem_used"], - "Network": ["thruput"], - "OS": ["signature"], - "Storage": [ - "storage_free", - "storage_free_percent", - "storage_used", - "storage_used_percent", - ], - "Timesync": ["action"], - "Uptime": ["uptime"], - }, - "Ticket_Management": { - "BaseEvent": [ - "priority", - "severity", - "severity_id", - "status", - "dest", - "ticket_id", - ] - }, - "Updates": { - "BaseEvent": [ - "dest", - "signature", - "signature_id", - "status", - "vendor_product", - "dvc", - "file_name", - ] - }, - "Vulnerabilities": { - "BaseEvent": [ - "category", - "cve", - "dest", - "dvc", - "severity", - "signature", - "vendor_product", - "cvss", - ] - }, - "Web": { - "BaseEvent": [ - "action", - "bytes", - "bytes_in", - "bytes_out", - "dest", - "http_method", - "http_user_agent", - "src", - "status", - "url", - "url_domain", - "user", - "vendor_product", - "category", - "dest_port", - "http_user_agent_length", - ] - }, - }, -} -# No recommended/required fields changes between v6.0.0 and v6.2.0 -datamodels["6.0.1"] = datamodels["6.0.0"] -datamodels["6.0.2"] = datamodels["6.0.0"] -datamodels["6.1.0"] = datamodels["6.0.2"] -datamodels["6.2.0"] = datamodels["6.1.0"] -datamodels["latest"] = datamodels["6.2.0"] From 2f3e7471881b50c691e3260d3b870d92be86eca8 Mon Sep 17 00:00:00 2001 From: Marcin Kolasinski Date: Fri, 6 Mar 2026 08:46:19 +0100 Subject: [PATCH 14/16] chore: docs and tests adjustments --- .github/workflows/build-test-release.yml | 77 ++++ cim-separation-proposal.md | 85 ----- docs/cim_tests.md | 40 +- docs/contributing.md | 36 ++ docs/how_to_use.md | 12 +- docs/index.md | 12 + .../test_splunk_cim_models_contract.py | 344 ++++++++++++++++++ 7 files changed, 513 insertions(+), 93 deletions(-) delete mode 100644 cim-separation-proposal.md create mode 100644 tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py 
diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index 3147ed33..09141a66 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml 
@@ -171,10 +171,87 @@ jobs: env: GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} + # --------------------------------------------------------------------------- + # Validate PSA against multiple splunk-cim-models package versions. + # + # Matrix axes: + # splunk – every supported Splunk version (from meta job) + # cim-models – every package git ref listed below + # + # How to add a new CIM models release: + # 1. Append a new entry to the cim-models list with the git ref (branch + # or tag) and a short human-readable label. + # 2. The matrix will automatically run the splunk_cim_model e2e test + # for each (Splunk version, CIM models version) combination. + # + # Only the splunk_cim_model marker is used here because the other CIM + # e2e markers (splunk_app_cim_fiction, splunk_app_cim_broken) always pass + # --splunk-dm-path with custom fiction models and are therefore unaffected + # by the installed splunk-cim-models version. + # --------------------------------------------------------------------------- + test-cim-models-versions: + needs: + - meta + - pre-commit + - fossa-scan + - compliance-copyrights + - test-splunk-unit + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + matrix: + splunk: ${{ fromJson(needs.meta.outputs.matrix_supportedSplunk) }} + cim-models: + - ref: "v1" + label: "1.x" + - ref: "v2" + label: "2.x" + # Add future releases here, e.g.: + # - ref: "v3" + # label: "3.x" + name: "CIM models ${{ matrix.cim-models.label }} / Splunk ${{ matrix.splunk.version }}" + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - uses: actions/setup-python@v5 + with: + python-version: "3.7" + - name: Install PSA with CIM models ${{ matrix.cim-models.label }} + env: + GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} + run: | + git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf https://github.com + git config --global --add url."https://${{ secrets.GH_TOKEN_ADMIN }}@github.com".insteadOf ssh://git@github.com + curl -sSL 
https://install.python-poetry.org | python3 - --version 1.5.1 + poetry install + # Override the dev-dependency CIM models with the matrix version. + # Using pip inside the Poetry venv so the pytester subprocess sees + # the same environment. + poetry run pip install \ + "git+https://github.com/splunk/psa-cim-models.git@${{ matrix.cim-models.ref }}" + - name: Verify splunk-cim-models ${{ matrix.cim-models.label }} + run: | + poetry run python - <<'EOF' + import splunk_cim_models as scm + print("DATA_MODELS_PATH:", scm.DATA_MODELS_PATH) + print("CIM versions available:", list(scm.datamodels.keys())) + EOF + - name: Run CIM model e2e tests + env: + GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} + run: | + poetry run pytest -v \ + --splunk-version=${{ matrix.splunk.version }} \ + -m docker \ + -m splunk_cim_model \ + tests/e2e + publish: needs: - test-splunk-external - test-splunk-matrix + - test-cim-models-versions runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 diff --git a/cim-separation-proposal.md b/cim-separation-proposal.md deleted file mode 100644 index 9cccd7ee..00000000 --- a/cim-separation-proposal.md +++ /dev/null 
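Review bot: The `Install PSA with CIM models` step pastes `${{ secrets.GH_TOKEN_ADMIN }}` directly into the shell script and persists it in the runner's global git config, even though the same step already exports it as `GH_TOKEN`; referencing the variable instead, `git config --global --add url."https://${GH_TOKEN}@github.com".insteadOf https://github.com` (and likewise for the `ssh://git@github.com` line), keeps the raw secret out of the rendered script, and an admin-scoped token is more than a read-only clone of `psa-cim-models` needs, so a least-privilege read token would be the better choice. The later `Run CIM model e2e tests` step passes `-m docker \ -m splunk_cim_model`; pytest's `-m` is a store option that keeps only the last value, so the `docker` marker is effectively dropped and the intended selection is `-m "docker and splunk_cim_model"`. The `curl -sSL https://install.python-poetry.org | python3 - --version 1.5.1` line pins Poetry itself but executes an unpinned installer script fetched at run time; `pip install poetry==1.5.1` (or `pipx`) removes that unverified download from the build's supply chain. Finally, `ref: "v1"` / `ref: "v2"` are, per the comment, branches or tags, so unless they are immutable tags or SHAs a run is not reproducible against a fixed commit of the models package.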
@@ -1,85 +0,0 @@ -# CIM Separation Proposal - -## Current State - -``` -┌─────────────────────────────────────────────────────┐ -│ pytest-splunk-addon (v6.4.0) │ -│ │ -│ ┌───────────────────────────────────────────────┐ │ -│ │ Core Test Framework │ │ -│ │ ┌──────────────┐ ┌──────────────────────┐ │ │ -│ │ │ fields_tests/│ │ index_tests/ │ │ │ -│ │ └──────────────┘ └──────────────────────┘ │ │ -│ │ ┌──────────────┐ ┌──────────────────────┐ │ │ -│ │ │ cim_tests/ │ │ sample_generation/ │ │ │ -│ │ └──────┬───────┘ └──────────────────────┘ │ │ -│ │ │ │ │ -│ │ ┌──────┴───────────────────────────────────┐ │ │ -│ │ │ addon_parser/ plugin.py splunk.py │ │ │ -│ │ └──────────────────────┬───────────────────┘ │ │ -│ └─────────────────────────┼─────────────────────┘ │ -│ │ │ -│ ┌─────────────────────────┼─────────────────────┐ │ -│ │ CIM Data (bundled) │ │ │ -│ │ ▼ │ │ -│ │ ┌──────────────────────────────────────────┐ │ │ -│ │ │ CIM_Models/datamodel_definition.py │ │ │ -│ │ │ 2,400 lines · 11 CIM versions │ │ │ -│ │ │ (4.18.1 → 6.2.0) recommended fields │ │ │ -│ │ └──────────────────────────────────────────┘ │ │ -│ │ ┌──────────────────────────────────────────┐ │ │ -│ │ │ data_models/ (23 JSON files) │ │ │ -│ │ │ 5,600 lines · tags, fields, schemas │ │ │ -│ │ └──────────────────────────────────────────┘ │ │ -│ └───────────────────────────────────────────────┘ │ -│ │ -│ ⚠ CIM update → must release entire package │ -│ ⚠ CIM 6.3.0 comes out → new PSA release needed │ -└─────────────────────────────────────────────────────┘ -``` - ---- - -## Proposed State (Option A) - -``` -┌─────────────────────────────────────┐ ┌──────────────────────────────┐ -│ pytest-splunk-addon (v7.x) │ │ splunk-cim-models (v1.x) │ -│ │ │ (separate package) │ -│ ┌───────────────────────────────┐ │ │ │ -│ │ Core Test Framework │ │ dep │ ┌────────────────────────┐ │ -│ │ ┌────────────┐ ┌──────────┐ │ │◄─────│ │ datamodel_definition │ │ -│ │ │fields_tests│ │index_test│ │ │ │ │ recommended fields │ │ -│ │ 
└────────────┘ └──────────┘ │ │ │ │ per CIM version │ │ -│ │ ┌────────────┐ ┌──────────┐ │ │ │ └────────────────────────┘ │ -│ │ │ cim_tests/ │ │sample_gen│ │ │ │ ┌────────────────────────┐ │ -│ │ └────────────┘ └──────────┘ │ │ │ │ data_models/ (JSON) │ │ -│ │ ┌────────────────────────┐ │ │ │ │ tags, fields, schemas │ │ -│ │ │ addon_parser splunk.py│ │ │ │ └────────────────────────┘ │ -│ │ └────────────────────────┘ │ │ │ │ -│ └───────────────────────────────┘ │ │ ✅ Independent releases │ -│ │ │ ✅ CIM 6.3.0 → new version │ -│ ✅ Releases only for framework │ │ without touching PSA │ -│ logic changes │ │ ✅ Pin or range version │ -│ ✅ --splunk-dm-path still works │ │ in PSA dependency │ -│ for custom overrides │ │ │ -└─────────────────────────────────────┘ └──────────────────────────────┘ - - Changes Required - ════════════════ - ┌─────────────────────────────┐ - │ 1. splunk.py (line 31) │ - │ - from .CIM_Models... │ - │ + from splunk_cim_models │ - │ │ - │ 2. app_test_generator.py │ - │ (lines 76-82) │ - │ default path → package │ - │ │ - │ 3. pyproject.toml │ - │ + splunk-cim-models dep │ - │ │ - │ Only 3 touch points! │ - └─────────────────────────────┘ -``` diff --git a/docs/cim_tests.md b/docs/cim_tests.md index 1aae162b..9afbd829 100644 --- a/docs/cim_tests.md +++ b/docs/cim_tests.md 
@@ -2,12 +2,42 @@ ## Overview -The CIM tests are written with a purpose of testing the compatibility of the add-on with CIM Data Models (Based on Splunk_SA_CIM 4.15.0). +The CIM tests are written with a purpose of testing the compatibility of the add-on with CIM Data Models. An add-on is said to be CIM compatible if it fulfils the following two criteria: -1. The add-on extracts all the fields with valid values, which are marked as required by the [Data Model Definitions](https://github.com/splunk/pytest-splunk-addon/tree/main/pytest_splunk_addon/standard_lib/data_models). +1. The add-on extracts all the fields with valid values, which are marked as required by the [Data Model Definitions](https://github.com/splunk/psa-cim-models). 2. Any event for the add-on is not mapped with more than one data model. +## CIM Data Models Package (`splunk-cim-models`) + +CIM data model definitions are provided by the separate +[`splunk-cim-models`](https://github.com/splunk/psa-cim-models) package. +This lets you update or pin CIM definitions independently of `pytest-splunk-addon` itself. + +**Install for CIM testing:** + +```console +pip install splunk-cim-models +``` + +Or, during development, install the latest from the repository: + +```console +pip install git+https://github.com/splunk/psa-cim-models.git@v2 +``` + +The package exposes: + +| Symbol | Description | +|---|---| +| `DATA_MODELS_PATH` | Path to the directory containing the built-in CIM JSON data model files | +| `COMMON_FIELDS_PATH` | Path to `CommonFields.json` (fields forbidden in props/search) | +| `DATAMODEL_SCHEMA_PATH` | Path to `DatamodelSchema.json` (JSON schema for validating custom data model files) | +| `datamodels` | Dict mapping CIM version strings to recommended fields per model | + +If `splunk-cim-models` is not installed, any test run that exercises CIM functionality +will raise an `ImportError` with a message pointing to the package. 
+ ______________________________________________________________________ To generate test cases only for CIM compatibility, append the following marker to pytest command: @@ -30,7 +60,7 @@ To generate test cases only for CIM compatibility, append the following marker t **Workflow:** - Plugin parses tags.conf to get a list of tags for each eventtype. - - Plugin parses all the [supported datamodels](https://github.com/splunk/pytest-splunk-addon/tree/main/pytest_splunk_addon/standard_lib/data_models). + - Plugin parses all the [supported datamodels](https://github.com/splunk/psa-cim-models). - Then it gets a list of the datasets mapped with an eventtype. - Generates test case for each eventtype. @@ -79,11 +109,11 @@ To generate test cases only for CIM compatibility, append the following marker t **Workflow:** - - Plugin collects the list of not_allowed_in_search fields from mapped datasets and [CommonFields.json](https://github.com/splunk/pytest-splunk-addon/blob/main/pytest_splunk_addon/standard_lib/cim_tests/CommonFields.json). + - Plugin collects the list of not_allowed_in_search fields from mapped datasets and [CommonFields.json](https://github.com/splunk/psa-cim-models/blob/v2/splunk_cim_models/CommonFields.json). - Using search query the test case verifies if not_allowed_in_search fields are populated in search or not. > **_NOTE:_** - [CommonFields.json](https://github.com/splunk/pytest-splunk-addon/blob/main/pytest_splunk_addon/standard_lib/cim_tests/CommonFields.json) contains fields which are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. + [CommonFields.json](https://github.com/splunk/psa-cim-models/blob/v2/splunk_cim_models/CommonFields.json) contains fields which are automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. **4. Testcase for all not_allowed_in_props fields** 
diff --git a/docs/contributing.md b/docs/contributing.md index 49401576..d366f7cc 100644 --- a/docs/contributing.md +++ b/docs/contributing.md @@ -18,6 +18,42 @@ To install currently checked out version of pytest-splunk-addon use: $ poetry install ``` +This installs `splunk-cim-models` automatically as a dev dependency (from the `v2` branch of +[psa-cim-models](https://github.com/splunk/psa-cim-models)). In CI or when installing from +PyPI, install `splunk-cim-models` separately before running CIM tests: + +``` +$ pip install splunk-cim-models +``` + +### Working with `splunk-cim-models` + +CIM data model definitions live in the separate +[`splunk-cim-models`](https://github.com/splunk/psa-cim-models) package. +PSA imports four symbols from it: + +| Symbol | Used by | +|---|---| +| `DATA_MODELS_PATH` | `app_test_generator.py` — default path for `--splunk_dm_path` | +| `COMMON_FIELDS_PATH` | `cim_tests/test_generator.py` — fields forbidden in props/search | +| `DATAMODEL_SCHEMA_PATH` | `cim_tests/json_schema.py` — JSON schema for custom data models | +| `datamodels` | `splunk.py` — CIM version → recommended fields map | + +To update CIM definitions locally without waiting for a `splunk-cim-models` release: + +```bash +# Edit files under splunk-cim-models/ then reinstall editable +pip install -e path/to/psa-cim-models/ + +# Verify +python -c "from splunk_cim_models import datamodels; print(list(datamodels.keys()))" +``` + +After editing, run the unit tests to confirm nothing is broken: + +```bash +poetry run pytest -v tests/unit +``` ### Unit tests diff --git a/docs/how_to_use.md b/docs/how_to_use.md index e7208370..058d9e80 100644 --- a/docs/how_to_use.md +++ b/docs/how_to_use.md 
@@ -460,6 +460,12 @@ def splunk_setup(splunk): How can this be achieved : - - Make json representation of the data models, which satisfies this [DataModelSchema](https://github.com/splunk/pytest-splunk-addon/blob/main/pytest_splunk_addon/cim_tests/DatamodelSchema.json). - - Provide the path to the directory having all the data models by adding `--splunk_dm_path path_to_dir` to the pytest command - - The test cases will now be generated for the data models provided to the plugin and not for the [default data models](https://github.com/splunk/pytest-splunk-addon/tree/main/pytest_splunk_addon/data_models). + - Make json representation of the data models, which satisfies the [DatamodelSchema](https://github.com/splunk/psa-cim-models/blob/v2/splunk_cim_models/DatamodelSchema.json) provided by the `splunk-cim-models` package. + - Provide the path to the directory having all the data models by adding `--splunk_dm_path path_to_dir` to the pytest command. + - The test cases will now be generated for the data models provided to the plugin and not for the [default data models](https://github.com/splunk/psa-cim-models/tree/v2/splunk_cim_models/data_models) bundled in `splunk-cim-models`. + +> **_NOTE:_** CIM data model definitions are provided by the [`splunk-cim-models`](https://github.com/splunk/psa-cim-models) package. Install it separately before running CIM tests: +> +> ```console +> pip install splunk-cim-models +> ``` diff --git a/docs/index.md b/docs/index.md index 842acd26..f78ea188 100644 --- a/docs/index.md +++ b/docs/index.md @@ -8,6 +8,7 @@ which allows the user to test [knowledge objects](https://docs.splunk.com/Splexi - Splunk App or Add-on package - Splunk instance with App or Add-on installed (Not required if using Docker) - Docker (Not required if using external Splunk instance) +- [`splunk-cim-models`](https://github.com/splunk/psa-cim-models) — required for [CIM Compatibility Tests](./cim_tests.md) (not installed automatically) ## Support 
@@ -22,6 +23,17 @@ pytest-splunk-addon can be installed via pip from PyPI: pip3 install pytest-splunk-addon ``` +To run **CIM compatibility tests** you also need the CIM data models package: + +```console +pip3 install splunk-cim-models +``` + +`splunk-cim-models` is versioned independently of `pytest-splunk-addon` so that CIM +definitions can be updated without a full PSA release. See the +[CIM Compatibility Tests](./cim_tests.md) page for details on how the two packages +interact and how to pin or override data model definitions. + ## Features The pytest-splunk-addon works by dynamically generating different types of tests for Splunk apps and add-ons by parsing their configuration files. Specifically, it looks at the .conf files in the provided Splunk app/add-on to create: diff --git a/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py b/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py new file mode 100644 index 00000000..cad605d8 --- /dev/null +++ b/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py 
@@ -0,0 +1,344 @@
+#
+# Copyright 2026 Splunk Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""
+Contract tests for the splunk-cim-models package.
+
+These tests verify that the API surface PSA depends on is present and
+structurally correct in the installed version of splunk-cim-models.
+They are intentionally version-agnostic: a newer package version should
+still satisfy the same contract.
+
+If any of these tests fail after upgrading splunk-cim-models, the
+corresponding PSA import site must be updated to match the new API.
+"""
+import json
+import os
+import sys
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+REQUIRED_SYMBOLS = [
+ "DATA_MODELS_PATH",
+ "COMMON_FIELDS_PATH",
+ "DATAMODEL_SCHEMA_PATH",
+ "datamodels",
+]
+
+KNOWN_CIM_MODELS = {
+ "Alerts",
+ "Application_State",
+ "Authentication",
+ "Certificates",
+ "Change",
+ "Change_Analysis",
+ "Compute_Inventory",
+ "DLP",
+ "Databases",
+ "Email",
+ "Endpoint",
+ "Event_Signatures",
+ "Interprocess_Messaging",
+ "Intrusion_Detection",
+ "JVM",
+ "Malware",
+ "Network_Resolution",
+ "Network_Sessions",
+ "Network_Traffic",
+ "Performance",
+ "Ticket_Management",
+ "Updates",
+ "Vulnerabilities",
+ "Web",
+}
+
+
+# ---------------------------------------------------------------------------
+# Package availability
+# ---------------------------------------------------------------------------
+
+
+def test_splunk_cim_models_importable():
+ """splunk_cim_models must be importable; clear error otherwise."""
+ import splunk_cim_models # noqa: F401
+
+
+def test_missing_package_raises_import_error(monkeypatch):
+ """
+ When splunk_cim_models is absent from sys.modules and the import
+ fails, Python should raise ImportError – not a silent AttributeError
+ or similar. This test simulates the package being absent.
+ """
+ original = sys.modules.pop("splunk_cim_models", None)
+ try:
+ with patch.dict("sys.modules", {"splunk_cim_models": None}):
+ with pytest.raises((ImportError, AttributeError)):
+ import splunk_cim_models # noqa: F401
+
+ _ = splunk_cim_models.DATA_MODELS_PATH
+ finally:
+ if original is not None:
+ sys.modules["splunk_cim_models"] = original
+
+
+# ---------------------------------------------------------------------------
+# Required public symbols
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize("symbol", REQUIRED_SYMBOLS)
+def test_required_symbol_exists(symbol):
+ """Every symbol PSA imports from splunk_cim_models must be present."""
+ import splunk_cim_models
+
+ assert hasattr(splunk_cim_models, symbol), (
+ f"splunk_cim_models does not export '{symbol}'. "
+ "Update the package or the PSA import site."
+ )
+
+
+# ---------------------------------------------------------------------------
+# Path symbols – point to real files / directories
+# ---------------------------------------------------------------------------
+
+
+def test_data_models_path_is_directory():
+ from splunk_cim_models import DATA_MODELS_PATH
+
+ assert os.path.isdir(DATA_MODELS_PATH), (
+ f"DATA_MODELS_PATH '{DATA_MODELS_PATH}' is not a directory."
+ )
+
+
+def test_common_fields_path_is_file():
+ from splunk_cim_models import COMMON_FIELDS_PATH
+
+ assert os.path.isfile(COMMON_FIELDS_PATH), (
+ f"COMMON_FIELDS_PATH '{COMMON_FIELDS_PATH}' is not a file."
+ )
+
+
+def test_datamodel_schema_path_is_file():
+ from splunk_cim_models import DATAMODEL_SCHEMA_PATH
+
+ assert os.path.isfile(DATAMODEL_SCHEMA_PATH), (
+ f"DATAMODEL_SCHEMA_PATH '{DATAMODEL_SCHEMA_PATH}' is not a file."
+ )
+
+
+# ---------------------------------------------------------------------------
+# DATA_MODELS_PATH – JSON data model files
+# ---------------------------------------------------------------------------
+
+
+def test_data_models_directory_contains_json_files():
+ from splunk_cim_models import DATA_MODELS_PATH
+
+ json_files = [f for f in os.listdir(DATA_MODELS_PATH) if f.endswith(".json")]
+ assert json_files, f"No JSON files found in DATA_MODELS_PATH '{DATA_MODELS_PATH}'."
+
+
+def test_data_models_cover_known_cim_models():
+ """At least a core subset of well-known CIM data models must be present."""
+ from splunk_cim_models import DATA_MODELS_PATH
+
+ present = {
+ Path(f).stem for f in os.listdir(DATA_MODELS_PATH) if f.endswith(".json")
+ }
+ # Require a representative subset rather than the full list so minor
+ # schema renames don't cause spurious failures.
+ core_required = {
+ "Authentication",
+ "Endpoint",
+ "Network_Traffic",
+ "Malware",
+ "Web",
+ }
+ missing = core_required - present
+ assert not missing, (
+ f"Core CIM data models missing from DATA_MODELS_PATH: {missing}"
+ )
+
+
+def test_each_data_model_file_is_valid_json():
+ from splunk_cim_models import DATA_MODELS_PATH
+
+ for filename in os.listdir(DATA_MODELS_PATH):
+ if not filename.endswith(".json"):
+ continue
+ filepath = os.path.join(DATA_MODELS_PATH, filename)
+ with open(filepath) as fh:
+ try:
+ data = json.load(fh)
+ except json.JSONDecodeError as exc:
+ pytest.fail(f"Invalid JSON in {filepath}: {exc}")
+ assert isinstance(data, dict), (
+ f"Expected dict at top level of {filepath}, got {type(data).__name__}"
+ )
+
+
+# ---------------------------------------------------------------------------
+# COMMON_FIELDS_PATH – fields forbidden in props/search
+# ---------------------------------------------------------------------------
+
+
+def test_common_fields_json_is_valid():
+ from splunk_cim_models import COMMON_FIELDS_PATH
+
+ with open(COMMON_FIELDS_PATH) as fh:
+ data = json.load(fh)
+ assert "fields" in data, (
+ "CommonFields.json must have a top-level 'fields' key."
+ )
+ assert isinstance(data["fields"], list), (
+ "'fields' in CommonFields.json must be a list."
+ )
+
+
+def test_common_fields_entries_have_type_and_name():
+ """Each field entry must have at least 'name' and 'type' keys."""
+ from splunk_cim_models import COMMON_FIELDS_PATH
+
+ with open(COMMON_FIELDS_PATH) as fh:
+ data = json.load(fh)
+ for entry in data["fields"]:
+ assert "name" in entry, f"Field entry missing 'name': {entry}"
+ assert "type" in entry, f"Field entry missing 'type': {entry}"
+
+
+# ---------------------------------------------------------------------------
+# DATAMODEL_SCHEMA_PATH – JSON schema for custom data models
+# ---------------------------------------------------------------------------
+
+
+def test_datamodel_schema_json_is_valid():
+ from splunk_cim_models import DATAMODEL_SCHEMA_PATH
+
+ with open(DATAMODEL_SCHEMA_PATH) as fh:
+ data = json.load(fh)
+ assert isinstance(data, dict), "DatamodelSchema.json must be a JSON object."
+ # JSON Schema documents typically have $schema or type at the root.
+ assert data, "DatamodelSchema.json must not be empty."
+
+
+# ---------------------------------------------------------------------------
+# datamodels – CIM version → recommended fields dict
+# ---------------------------------------------------------------------------
+
+
+def test_datamodels_is_dict():
+ from splunk_cim_models import datamodels
+
+ assert isinstance(datamodels, dict), (
+ f"'datamodels' must be a dict, got {type(datamodels).__name__}"
+ )
+
+
+def test_datamodels_has_at_least_one_version():
+ from splunk_cim_models import datamodels
+
+ assert datamodels, "'datamodels' dict must not be empty."
+
+
+def test_datamodels_latest_key_present():
+ """Consumers may rely on the 'latest' sentinel key."""
+ from splunk_cim_models import datamodels
+
+ assert "latest" in datamodels, (
+ "'datamodels' dict must contain a 'latest' key."
+ )
+
+
+def test_datamodels_version_values_are_dicts():
+ """Each CIM version entry must map model names to field lists."""
+ from splunk_cim_models import datamodels
+
+ for version, models in datamodels.items():
+ assert isinstance(models, dict), (
+ f"datamodels[{version!r}] must be a dict of model→fields, "
+ f"got {type(models).__name__}"
+ )
+
+
+def test_datamodels_field_lists_are_non_empty():
+ """Each model in each version must have at least one entry."""
+ from splunk_cim_models import datamodels
+
+ for version, models in datamodels.items():
+ for model_name, fields in models.items():
+ assert fields, (
+ f"datamodels[{version!r}][{model_name!r}] field list is empty."
+ )
+
+
+@pytest.mark.parametrize("version", ["latest"])
+def test_datamodels_version_contains_core_models(version):
+ """Core CIM models must be present in the given version entry."""
+ from splunk_cim_models import datamodels
+
+ if version not in datamodels:
+ pytest.skip(f"Version {version!r} not present in this package release.")
+
+ core = {"Authentication", "Endpoint", "Network_Traffic", "Malware", "Web"}
+ present = set(datamodels[version].keys())
+ missing = core - present
+ assert not missing, (
+ f"datamodels[{version!r}] is missing core models: {missing}"
+ )
+
+
+# ---------------------------------------------------------------------------
+# PSA import sites – verify they resolve against the installed package
+# ---------------------------------------------------------------------------
+
+
+def test_psa_app_test_generator_imports_data_models_path():
+ """app_test_generator.py must import DATA_MODELS_PATH without error."""
+ from pytest_splunk_addon.app_test_generator import AppTestGenerator # noqa: F401
+ from splunk_cim_models import DATA_MODELS_PATH
+
+ assert DATA_MODELS_PATH # truthy path string
+
+
+def test_psa_test_generator_imports_common_fields_path():
+ """cim_tests/test_generator.py must import COMMON_FIELDS_PATH without error."""
+ from pytest_splunk_addon.cim_tests.test_generator import ( # noqa: F401
+ CIMTestGenerator,
+ )
+ from splunk_cim_models import COMMON_FIELDS_PATH
+
+ assert COMMON_FIELDS_PATH
+
+
+def test_psa_json_schema_imports_datamodel_schema_path():
+ """cim_tests/json_schema.py must import DATAMODEL_SCHEMA_PATH without error."""
+ from pytest_splunk_addon.cim_tests.json_schema import JSONSchema # noqa: F401
+ from splunk_cim_models import DATAMODEL_SCHEMA_PATH
+
+ assert DATAMODEL_SCHEMA_PATH
+
+
+def test_psa_splunk_imports_datamodels():
+ """splunk.py must be able to import the datamodels dict without error."""
+ from splunk_cim_models import datamodels
+
+ assert isinstance(datamodels, dict)
From 001ca66e8eb514e7d7a226a31147dae7ef7d373c Mon Sep 17 00:00:00 2001
From: Marcin Kolasinski
Date: Fri, 6 Mar 2026 08:52:07 +0100
Subject: [PATCH 15/16] style: apply black formatting to test_splunk_cim_models_contract.py
Fixes pre-commit failure in CI run 22754142433.
---
 .../test_splunk_cim_models_contract.py | 58 ++++++++-----------
 1 file changed, 25 insertions(+), 33 deletions(-)
diff --git a/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py b/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py
index cad605d8..6599a1b2 100644
--- a/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py
+++ b/tests/unit/tests_standard_lib/test_cim_tests/test_splunk_cim_models_contract.py
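Review bot: `test_missing_package_raises_import_error` contradicts its own docstring by accepting `AttributeError` in `pytest.raises((ImportError, AttributeError))`, takes a `monkeypatch` fixture it never uses, and hand-rolls a `sys.modules.pop`/`finally` restore that `patch.dict` already undoes on exit; `monkeypatch.setitem(sys.modules, "splunk_cim_models", None)` followed by `with pytest.raises(ImportError): import splunk_cim_models  # noqa: F401` states the contract exactly and drops the unreachable `_ = splunk_cim_models.DATA_MODELS_PATH` line. `test_psa_splunk_imports_datamodels` also differs from the three import-site tests above it: it never imports the PSA module it claims to check, so a broken `datamodels` import in `splunk.py` would pass here — presumably `import pytest_splunk_addon.splunk  # noqa: F401` is the intended extra line, if that is where the import lives. `KNOWN_CIM_MODELS` is defined but never read, and the core-model set is spelled out twice (`core_required` and `core`); one module-level constant would keep the two tests from drifting. The `open(...)` calls on the data model and CommonFields JSON files use the locale encoding, so `open(filepath, encoding="utf-8")` would make the parse deterministic across CI runners.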
@@ -124,25 +124,25 @@ def test_required_symbol_exists(symbol): def test_data_models_path_is_directory(): from splunk_cim_models import DATA_MODELS_PATH - assert os.path.isdir(DATA_MODELS_PATH), ( - f"DATA_MODELS_PATH '{DATA_MODELS_PATH}' is not a directory." - ) + assert os.path.isdir( + DATA_MODELS_PATH + ), f"DATA_MODELS_PATH '{DATA_MODELS_PATH}' is not a directory." def test_common_fields_path_is_file(): from splunk_cim_models import COMMON_FIELDS_PATH - assert os.path.isfile(COMMON_FIELDS_PATH), ( - f"COMMON_FIELDS_PATH '{COMMON_FIELDS_PATH}' is not a file." - ) + assert os.path.isfile( + COMMON_FIELDS_PATH + ), f"COMMON_FIELDS_PATH '{COMMON_FIELDS_PATH}' is not a file." def test_datamodel_schema_path_is_file(): from splunk_cim_models import DATAMODEL_SCHEMA_PATH - assert os.path.isfile(DATAMODEL_SCHEMA_PATH), ( - f"DATAMODEL_SCHEMA_PATH '{DATAMODEL_SCHEMA_PATH}' is not a file." - ) + assert os.path.isfile( + DATAMODEL_SCHEMA_PATH + ), f"DATAMODEL_SCHEMA_PATH '{DATAMODEL_SCHEMA_PATH}' is not a file." # --------------------------------------------------------------------------- @@ -174,9 +174,7 @@ def test_data_models_cover_known_cim_models(): "Web", } missing = core_required - present - assert not missing, ( - f"Core CIM data models missing from DATA_MODELS_PATH: {missing}" - ) + assert not missing, f"Core CIM data models missing from DATA_MODELS_PATH: {missing}" def test_each_data_model_file_is_valid_json(): @@ -191,9 +189,9 @@ def test_each_data_model_file_is_valid_json(): data = json.load(fh) except json.JSONDecodeError as exc: pytest.fail(f"Invalid JSON in {filepath}: {exc}") - assert isinstance(data, dict), ( - f"Expected dict at top level of {filepath}, got {type(data).__name__}" - ) + assert isinstance( + data, dict + ), f"Expected dict at top level of {filepath}, got {type(data).__name__}" # --------------------------------------------------------------------------- 
@@ -206,12 +204,10 @@ def test_common_fields_json_is_valid(): with open(COMMON_FIELDS_PATH) as fh: data = json.load(fh) - assert "fields" in data, ( - "CommonFields.json must have a top-level 'fields' key." - ) - assert isinstance(data["fields"], list), ( - "'fields' in CommonFields.json must be a list." - ) + assert "fields" in data, "CommonFields.json must have a top-level 'fields' key." + assert isinstance( + data["fields"], list + ), "'fields' in CommonFields.json must be a list." def test_common_fields_entries_have_type_and_name(): @@ -248,9 +244,9 @@ def test_datamodel_schema_json_is_valid(): def test_datamodels_is_dict(): from splunk_cim_models import datamodels - assert isinstance(datamodels, dict), ( - f"'datamodels' must be a dict, got {type(datamodels).__name__}" - ) + assert isinstance( + datamodels, dict + ), f"'datamodels' must be a dict, got {type(datamodels).__name__}" def test_datamodels_has_at_least_one_version(): @@ -263,9 +259,7 @@ def test_datamodels_latest_key_present(): """Consumers may rely on the 'latest' sentinel key.""" from splunk_cim_models import datamodels - assert "latest" in datamodels, ( - "'datamodels' dict must contain a 'latest' key." - ) + assert "latest" in datamodels, "'datamodels' dict must contain a 'latest' key." def test_datamodels_version_values_are_dicts(): @@ -285,9 +279,9 @@ def test_datamodels_field_lists_are_non_empty(): for version, models in datamodels.items(): for model_name, fields in models.items(): - assert fields, ( - f"datamodels[{version!r}][{model_name!r}] field list is empty." - ) + assert ( + fields + ), f"datamodels[{version!r}][{model_name!r}] field list is empty." @pytest.mark.parametrize("version", ["latest"]) 
@@ -301,9 +295,7 @@ def test_datamodels_version_contains_core_models(version): core = {"Authentication", "Endpoint", "Network_Traffic", "Malware", "Web"} present = set(datamodels[version].keys()) missing = core - present - assert not missing, ( - f"datamodels[{version!r}] is missing core models: {missing}" - ) + assert not missing, f"datamodels[{version!r}] is missing core models: {missing}" # --------------------------------------------------------------------------- From f66a6508a5dcb3956def25548a03cfd74352fef8 Mon Sep 17 00:00:00 2001 From: Marcin Kolasinski Date: Fri, 6 Mar 2026 09:49:44 +0100 Subject: [PATCH 16/16] fix(ci): use splunk_app_cim_fiction marker in cim-models version matrix test_splunk_cim_model asserts a fixed list of field names drawn from the v2 Change data model (e.g. All_Changes::result). That field doesn't exist in v1, so the assertion always fails for the 1.x matrix cell. Switch the test-cim-models-versions job to splunk_app_cim_fiction, which uses --splunk-dm-path with local fiction data models. Expected outcomes are identical across all splunk-cim-models versions, while all PSA import paths (COMMON_FIELDS_PATH, DATAMODEL_SCHEMA_PATH, datamodels) are still exercised -- an incompatible package will surface as a collection or runtime error. splunk_cim_model stays in test-splunk-matrix where it runs with the default v2 dev dependency and its version-specific field assertions are valid. --- .github/workflows/build-test-release.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index 09141a66..ed0afbe7 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml 
@@ -237,14 +237,24 @@ jobs: print("DATA_MODELS_PATH:", scm.DATA_MODELS_PATH) print("CIM versions available:", list(scm.datamodels.keys())) EOF - - name: Run CIM model e2e tests + - name: Run CIM compatibility e2e tests env: GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} run: | + # splunk_app_cim_fiction uses --splunk-dm-path with local fiction + # data models, so expected test outcomes are identical across all + # splunk-cim-models versions. It still exercises all PSA import + # paths (COMMON_FIELDS_PATH, DATAMODEL_SCHEMA_PATH, datamodels) so + # an incompatible package version will surface as a collection or + # runtime error rather than a wrong-field assertion. + # + # splunk_cim_model (real Change/Network_Traffic models) is left to + # test-splunk-matrix, which always uses the default v2 dev + # dependency and asserts version-specific field outcomes. poetry run pytest -v \ --splunk-version=${{ matrix.splunk.version }} \ -m docker \ - -m splunk_cim_model \ + -m splunk_app_cim_fiction \ tests/e2e publish:
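Review bot: The changed `-m splunk_app_cim_fiction \` line keeps the pre-existing pattern of passing `-m` twice, but as far as I know pytest registers `-m` as a plain store option, so the later value replaces `-m docker` instead of combining with it; if both markers are meant to apply, a single expression `-m "docker and splunk_app_cim_fiction" \` does that and the separate `-m docker \` line can go. The enclosing job starts before this hunk, so I cannot see whether other steps use the same two-flag form and would need the same fix. The step also exports `GH_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}` into the environment of the test run — that line is unchanged context, but an admin-scoped token in a step that only runs pytest is broader than the step needs, and a token scoped to what the e2e run actually does would limit the impact if the run or a test dependency misbehaves.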