From b56630539b627aa76e3dc9c4915a3bb9163993b2 Mon Sep 17 00:00:00 2001 From: Ilya <138466237+ikheifets-splunk@users.noreply.github.com> Date: Fri, 13 Oct 2023 16:26:22 +0200 Subject: [PATCH] fix: extend filtering for cohesity (#2234) --- docs/sources/vendor/Cohesity/cluster.md | 19 ++++++---- .../syslog/app-syslog-cohesity_api_audit.conf | 27 ++++++++++++++ tests/test_cohesity.py | 37 +++++++++++++++++++ 3 files changed, 75 insertions(+), 8 deletions(-) create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-cohesity_api_audit.conf diff --git a/docs/sources/vendor/Cohesity/cluster.md b/docs/sources/vendor/Cohesity/cluster.md index 6784622421..7ca776c2f9 100644 --- a/docs/sources/vendor/Cohesity/cluster.md +++ b/docs/sources/vendor/Cohesity/cluster.md @@ -14,15 +14,18 @@ ## Sourcetypes -| sourcetype | notes | -|----------------|---------------------------------------------------------------------------------------------------------| -| cohesity:cluster:audit | None | -| cohesity:cluster:dataprotection | None | +| sourcetype | notes | +|----------------------------------------|---------------------------------------------------------------------------------| +| cohesity:cluster:audit | None | +| cohesity:cluster:dataprotection | None | +| cohesity:api:audit | None | + ## Sourcetype and Index Configuration -| key | sourcetype | index | notes | -|----------------|----------------|----------------|----------------| -| cohesity_cluster_audit | cohesity:cluster:audit | infraops | none | -| cohesity_cluster_dataprotection | cohesity:cluster:dataprotection | infraops | none | +| key | sourcetype | index | notes | +|--------------------------------|--------------------------------|----------------|----------------| +| cohesity_cluster_audit | cohesity:cluster:audit | infraops | none | +| cohesity_api_audit | cohesity:api:audit | infraops | none | +| cohesity_cluster_dataprotection| cohesity:cluster:dataprotection| infraops | none | 
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_api_audit.conf b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_api_audit.conf
new file mode 100644
index 0000000000..705ca09b04
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-cohesity_api_audit.conf
@@ -0,0 +1,27 @@
+block parser app-syslog-cohesity_api_audit() {
+ channel {
+ parser {
+ json-parser(
+ prefix('.values.')
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_default(
+ index('infraops')
+ sourcetype('cohesity:api:audit')
+ vendor("cohesity")
+ product("api")
+ class('audit')
+ template('t_msg_only')
+ );
+ };
+
+ };
+};
+application app-syslog-cohesity_api_audit[sc4s-syslog-pgm] {
+ filter {
+ program("api_audit" type(string) flags(prefix));
+ };
+ parser { app-syslog-cohesity_api_audit(); };
+};
+
diff --git a/tests/test_cohesity.py b/tests/test_cohesity.py
index 56e675efa8..2200c64f7e 100644
--- a/tests/test_cohesity.py
+++ b/tests/test_cohesity.py
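Review bot: The classifier in the `application` block, `program("api_audit" type(string) flags(prefix))`, keys on a sender-controlled header field with a prefix match, so any syslog source whose program name merely starts with `api_audit` (not only Cohesity clusters) is tagged `cohesity:api:audit` and routed to `infraops`, and nothing in the parser confirms the payload is actually a Cohesity API audit record. The fixture in the accompanying test sends `api_audit[{{ pid }}]:`, which standard BSD header parsing should split into program `api_audit` plus a PID, so an exact match `program("api_audit" type(string));` looks sufficient; if the prefix is needed for some cluster versions, add a shape guard such as `match("^\\{" value("MESSAGE"))` alongside it, or reject events where a key like `${.values.urlPath}` is empty after parsing. Note also that `json-parser` has no failure handling here, so a non-JSON message selected by the filter would presumably fail the parser and leave this path rather than fall through with a generic sourcetype; a one-line comment above `json-parser(` stating that this is intended would save the next maintainer from guessing.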
@@ -88,3 +88,40 @@ def test_cohesity_dataprotection_events(
 record_property("message", message)
 
 assert result_count == 1
+
+
+testdata_api_audit = [
+ '{{ mark }}{{ iso }} {{ host }} api_audit[{{ pid }}]: {"username":"admin","domain":"LOCAL","method":"GET","urlPath":"/","requestTimestamp":1696526790076,"statusCode":200,"responseHeader":{"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Encoding":["gzip"],"Content-Type":["application/json"],"Pragma":["no-cache"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Vary":["Accept-Encoding"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Ratelimit-Limit":["10000"],"X-Ratelimit-Remaining":["9998"],"X-Ratelimit-Reset":["1696526790"],"X-Xss-Protection":["1; mode=block"]},"responseTime":156705634}'
+]
+
+
+@pytest.mark.parametrize("event", testdata_api_audit)
+def test_cohesity_api_audit(
+ record_property, get_host_key, get_pid, setup_splunk, setup_sc4s, event
+):
+ host = get_host_key
+ pid = get_pid
+
+ dt = datetime.datetime.now()
+ iso, _, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-3]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<14>", host=host, iso=iso, pid=pid)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=infraops _time={{ epoch }} sourcetype="cohesity:api:audit" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
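Review bot: The search in `test_cohesity_api_audit` only counts events by sourcetype and host, so it would still pass if the new conf's `json-parser` extracted nothing or used the wrong prefix; the fixture carries distinctive values (`"username":"admin"`, `"urlPath":"/"`, `"statusCode":200`) that the assertion should pin. Extending the SPL to `... (host="{{ host }}" OR "{{ host }}") username=admin urlPath="/" statusCode=200` would verify field-level extraction; because the conf forwards the body via `t_msg_only`, Splunk's automatic JSON extraction should make those fields searchable, though confirm this against the TA's props if extraction is configured differently. The comment `# Tune time functions` does not say why `epoch[:-3]` is sliced; something like `# drop the millisecond digits so _time matches the second-resolution value Splunk indexes` (assuming that is the reason, as the sibling tests appear to do the same) would help the next reader. The three context lines at the top are the tail of `test_cohesity_dataprotection_events`, whose body starts outside the hunk.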