From 5f83003ae461bc629787070a1ad6eff363a0ae4b Mon Sep 17 00:00:00 2001
From: Ilya <138466237+ikheifets-splunk@users.noreply.github.com>
Date: Fri, 9 Feb 2024 23:40:46 +0100
Subject: [PATCH] feat: create new parser for epic (#2318)
---
 docs/sources/vendor/epic/epic_ehr.md | 24 +++++++++
 .../conflib/syslog/app-syslog-epic_ehr.conf | 28 +++++++++++
 .../lite/etc/addons/epic/addon_metadata.yaml | 2 +
 .../etc/addons/epic/app-syslog-epic_ehr.conf | 28 +++++++++++
 package/lite/etc/config.yaml | 1 +
 tests/test_epic_ehr.py | 49 +++++++++++++++++++
 6 files changed, 132 insertions(+)
 create mode 100644 docs/sources/vendor/epic/epic_ehr.md
 create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-epic_ehr.conf
 create mode 100644 package/lite/etc/addons/epic/addon_metadata.yaml
 create mode 100644 package/lite/etc/addons/epic/app-syslog-epic_ehr.conf
 create mode 100644 tests/test_epic_ehr.py
diff --git a/docs/sources/vendor/epic/epic_ehr.md b/docs/sources/vendor/epic/epic_ehr.md
new file mode 100644
index 0000000000..e278000e13
--- /dev/null
+++ b/docs/sources/vendor/epic/epic_ehr.md
@@ -0,0 +1,24 @@
+# Epic EHR
+
+## Key facts
+
+* Requires vendor product by source configuration
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | na |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|-----------------------------|--------------------------------------------------------------------------------------------|
+| epic:epic-ehr:syslog | None |
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------------|----------------|----------------|
+| epic_epic-ehr | epic:epic-ehr:syslog | main | none |
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-epic_ehr.conf b/package/etc/conf.d/conflib/syslog/app-syslog-epic_ehr.conf
new file mode 100644
index 0000000000..e8d69fd0fc
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-epic_ehr.conf
@@ -0,0 +1,28 @@
+block parser app-syslog-epic_ehr() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("main")
+ source("epic-ehr")
+ sourcetype('epic:epic-ehr:syslog')
+ vendor("epic")
+ product("epic-ehr")
+ template('t_json_values')
+ );
+ };
+ parser {
+ xml(
+ prefix('.values.')
+ drop-invalid(no)
+ );
+ };
+ };
+};
+
+
+application app-syslog-epic_ehr[sc4s-syslog-pgm] {
+ filter {
+ program('Epic' type(string) flags(prefix));
+ };
+ parser { app-syslog-epic_ehr(); };
+};
diff --git a/package/lite/etc/addons/epic/addon_metadata.yaml b/package/lite/etc/addons/epic/addon_metadata.yaml
new file mode 100644
index 0000000000..b3a345bf78
--- /dev/null
+++ b/package/lite/etc/addons/epic/addon_metadata.yaml
@@ -0,0 +1,2 @@
+---
+name: "epic"
\ No newline at end of file
diff --git a/package/lite/etc/addons/epic/app-syslog-epic_ehr.conf b/package/lite/etc/addons/epic/app-syslog-epic_ehr.conf
new file mode 100644
index 0000000000..e8d69fd0fc
--- /dev/null
+++ b/package/lite/etc/addons/epic/app-syslog-epic_ehr.conf
@@ -0,0 +1,28 @@
+block parser app-syslog-epic_ehr() {
+ channel {
+ rewrite {
+ r_set_splunk_dest_default(
+ index("main")
+ source("epic-ehr")
+ sourcetype('epic:epic-ehr:syslog')
+ vendor("epic")
+ product("epic-ehr")
+ template('t_json_values')
+ );
+ };
+ parser {
+ xml(
+ prefix('.values.')
+ drop-invalid(no)
+ );
+ };
+ };
+};
+
+
+application app-syslog-epic_ehr[sc4s-syslog-pgm] {
+ filter {
+ program('Epic' type(string) flags(prefix));
+ };
+ parser { app-syslog-epic_ehr(); };
+};
diff --git a/package/lite/etc/config.yaml b/package/lite/etc/config.yaml
index ea092ac449..0b4603ba84 100644
--- a/package/lite/etc/config.yaml
+++ b/package/lite/etc/config.yaml
@@ -81,3 +81,4 @@ addons:
 - semperis
 - powertech
 - thales
+ - epic
diff --git a/tests/test_epic_ehr.py b/tests/test_epic_ehr.py
new file mode 100644
index 0000000000..077a309ac2
--- /dev/null
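Review bot: `program('Epic' type(string) flags(prefix))` in the application filter routes every message whose program name merely starts with `Epic` (an `Epicor` or `EpicGames` host, for instance) into `epic:epic-ehr:syslog`, because `flags(prefix)` is a prefix match rather than an equality test. If the vendor's program field is exactly `Epic`, as in the test event added by this patch, `program('Epic' type(string));` is the tighter filter; if variants such as `Epic-<component>` are expected, say so in a comment above the filter. The `xml()` parser with `drop-invalid(no)` passes non-XML payloads through untouched, and the only sample in this patch is not XML, so that path is never exercised by the test; a comment naming which Epic messages carry XML bodies (or an XML sample) would make the intent checkable. This block is duplicated verbatim in `package/lite/etc/addons/epic/app-syslog-epic_ehr.conf`, so any change here has to be mirrored there.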
+++ b/tests/test_epic_ehr.py
@@ -0,0 +1,49 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+import datetime
+import pytest
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+epic_ehr_testdata = [r'{{ mark }} {{ iso }}Z {{ host }} Epic 7652 - [origin software="Security-SIEM" swVersion="10.5.0"] IC_SERVICE_AUDIT 1 113^SERVICE, INTERCONNECT^ICSVC poc Query 1/19/2024 Access History^^ 1 1 TST-EPIC-TEST aa:aa:aaa Unknown IP Interconnect aaaaa aa:aaa:aa REST-WebAPI ',]
+
+@pytest.mark.parametrize("event", epic_ehr_testdata)
+@pytest.mark.addons("epic")
+def test_epic_ehr(
+ record_property, get_host_key, setup_splunk, setup_sc4s, event
+):
+ host = get_host_key
+
+ dt = datetime.datetime.now(datetime.timezone.utc)
+ iso, _, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ iso = dt.isoformat()[0:23]
+ epoch = epoch[:-3]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<85>1", iso=iso, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="epic:epic-ehr:syslog" source="epic-ehr"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
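Review bot: The test sends an RFC 5424 message (`<85>1` PRI plus version, `{{ iso }}Z` timestamp, `[origin ...]` structured data) to port 514, while the vendor doc added in this same patch says `Legacy BSD Format default port 514`; one of the two should be corrected so operators know which framing to expect. `assert result_count == 1` only proves the event landed with the expected index, sourcetype and source; nothing checks a field the `xml()` parser in the conf would produce, and this sample is not XML, so the parser path stays untested — if Epic emits XML bodies, add a second entry to `epic_ehr_testdata` with such a payload and extend the search to assert on a parsed field. The comment `# Tune time functions` does not explain the slicing; `# millisecond precision (YYYY-MM-DDTHH:MM:SS.fff); the template appends the trailing Z` above `iso = dt.isoformat()[0:23]` says what is actually going on.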