From c2f901a75f5497fcb1fbaff3e0f11b8cef2987f8 Mon Sep 17 00:00:00 2001 From: cwadhwani-splunk Date: Tue, 26 Nov 2024 15:28:47 +0530 Subject: [PATCH 1/3] fix: Non pri cef fix (#2641) * chore(deps): update dependency mkdocs-material to v9.5.42 (#2624) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update splunk/addonfactory-test-matrix-action action to v2.1.9 (#2620) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix: fix CISE_Alarm messages parsing (#2609) * fix: improve SC4S Dashboard performance (#2592) * docs: Removed reference of Cisco eStreamer for Splunk app from ASA/FTD doc (#2629) * docs: Removed reference of Cisco eStreamer for Splunk app * fix: Updated the regex for non pri cef formated logs such that a 'digit' date will be accepted * Updated the regex with some more constraints --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: wojtekzyla <108660584+wojtekzyla@users.noreply.github.com> Co-authored-by: mstopa-splunk <139441697+mstopa-splunk@users.noreply.github.com> --- .../conf.d/conflib/raw/app-raw-bsd_nopri.conf | 2 +- .../conf.d/conflib/raw/app-raw-bsd_nopri.conf | 2 +- tests/test_trellix.py | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; 
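Review bot: The tightened pattern on the `+ message(...)` line still opens with `\w{3}`, which accepts digits and underscores, so a line such as `123 01 00:00:00 ...` is still classified as a no-PRI BSD header even though the day and time groups now reject out-of-range values. Because this filter decides which parser an unauthenticated raw syslog line is handed to, anchoring the month to the RFC 3164 abbreviations is the cheaper and safer check: `message('^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?:[0 ][1-9]|[12]\d|3[01]) (?:[01]\d|2[0-3]):(?:[0-5]\d):(?:[0-5]\d) ');`. The capture groups are not referenced by the parser block, so non-capturing groups (or none) make the intent clearer, and `[01]\d` folds the `0\d|1\d` pair. The `block parser app-raw-bsd_nopri()` definition starts before the hunk, but the `application` block being changed is visible in full.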
diff --git a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; diff --git a/tests/test_trellix.py b/tests/test_trellix.py index 4f0a3dc968..c461e9ea0d 100644 --- a/tests/test_trellix.py +++ b/tests/test_trellix.py 
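Review bot: The day alternative `[0 ][1-9]` on the `+ message(...)` line requires a pad character before a single-digit day, so it matches the RFC 3164 form `Nov  2 00:00:00` (two spaces) and `Nov 02`, but not `Nov 2 00:00:00` with one space, which is the form the commit message and the new test appear to target. If the unpadded form is intended, make the pad optional — `message('^\w{3} ([0 ]?[1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) ');` — which still rejects day `0` and `32` because the other alternatives are unchanged. Whichever form is chosen, this lite copy must stay byte-identical to `package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf`, as it does in this commit; a short comment above the filter naming the accepted header shapes (`# Mmm dd hh:mm:ss; day may be zero- or space-padded`) would save the next reader from re-deriving them from the regex.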
@@ -67,3 +67,37 @@ def test_trellix_cms( record_property("message", message) assert result_count == 1 + + +# Nov 2 00:00:00 trellix-host-xxxx CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt=1030482923264 cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects. +@pytest.mark.addons("trellix") +def test_trellix_cef(record_property, get_host_key, setup_splunk, setup_sc4s): + host = "trellix-host-" + get_host_key + + dt = datetime.datetime(2024, 11, 2, 0, 0) + _, bsd, _, _, _, _, epoch = time_operations(dt) + + # hard coding the bsd to test single digit date (Nov 2 00:00:00) + bsd = "Nov 2 00:00:00" + # Tune time functions + epoch = epoch[:-3] + + mt = env.from_string( + "{{ bsd }} {{ host }} CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt={{ epoch }} cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects." + ) + message = mt.render(bsd=bsd, host=host, epoch=epoch) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="cef"' + ) + search = st.render(epoch=epoch, host=host) + + result_count, _ = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", result_count) + record_property("message", message) + + assert result_count == 1 \ No newline at end of file 
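Review bot: The fixture `bsd = "Nov 2 00:00:00"` as shown has a single space between month and day, and the new `app-raw-bsd_nopri` filter (`^\w{3} ([0 ][1-9]|...`) needs a pad character there, so unless the page collapsed a double space this message never enters the path the commit fixes; the RFC 3164 form is `bsd = "Nov  2 00:00:00"`. The search asserts only `sourcetype="cef"` and the host, so a message that misses the no-PRI filter could plausibly still be classified as CEF by another route and the test would pass without exercising the regex — asserting on a field that only this parser sets, or adding a sibling case for the space-padded form, would make the regression check real. The `bsd` returned by `time_operations` is overwritten immediately, so `_, _, _, _, _, _, epoch = time_operations(dt)` makes the override deliberate, and the comment `# Tune time functions` should say what `epoch[:-3]` does (presumably drops a millisecond suffix so `rt=` and `_time=` agree — confirm). The file also now ends without a trailing newline, which the formatter will flag.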
From 85bfb8f21099fb4fdd4f494422fd9bf94d43fb95 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:01:29 +0530 Subject: [PATCH 2/3] chore(deps): update dependency mkdocs-material to v9.5.47 (#2644) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index 8167cbce42..8cdf906aa3 100644 --- a/poetry.lock +++ b/poetry.lock @@ -680,13 +680,13 @@ mkdocs = ">=1.0.4" [[package]] name = "mkdocs-material" -version = "9.5.44" +version = "9.5.47" description = "Documentation that simply works" optional = false python-versions = ">=3.8" files = [ - {file = "mkdocs_material-9.5.44-py3-none-any.whl", hash = "sha256:47015f9c167d58a5ff5e682da37441fc4d66a1c79334bfc08d774763cacf69ca"}, - {file = "mkdocs_material-9.5.44.tar.gz", hash = "sha256:f3a6c968e524166b3f3ed1fb97d3ed3e0091183b0545cedf7156a2a6804c56c0"}, + {file = "mkdocs_material-9.5.47-py3-none-any.whl", hash = "sha256:53fb9c9624e7865da6ec807d116cd7be24b3cb36ab31b1d1d1a9af58c56009a2"}, + {file = "mkdocs_material-9.5.47.tar.gz", hash = "sha256:fc3b7a8e00ad896660bd3a5cc12ca0cb28bdc2bcbe2a946b5714c23ac91b0ede"}, ] [package.dependencies] From fbfa5f2bb02833a84488534c592da4e002eb3200 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 8 Dec 2024 20:20:40 +0000 Subject: [PATCH 3/3] chore(deps): update dependency mkdocs-material to v9.5.48 --- poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index 8cdf906aa3..a1d32e078b 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -680,13 +680,13 @@ mkdocs = ">=1.0.4" [[package]] name = "mkdocs-material" -version = "9.5.47" +version = "9.5.48" description = "Documentation that simply works" optional = false python-versions = ">=3.8" files = [ - {file = "mkdocs_material-9.5.47-py3-none-any.whl", hash = "sha256:53fb9c9624e7865da6ec807d116cd7be24b3cb36ab31b1d1d1a9af58c56009a2"}, - {file = "mkdocs_material-9.5.47.tar.gz", hash = "sha256:fc3b7a8e00ad896660bd3a5cc12ca0cb28bdc2bcbe2a946b5714c23ac91b0ede"}, + {file = "mkdocs_material-9.5.48-py3-none-any.whl", hash = "sha256:b695c998f4b939ce748adbc0d3bff73fa886a670ece948cf27818fa115dc16f8"}, + {file = "mkdocs_material-9.5.48.tar.gz", hash = "sha256:a582531e8b34f4c7ed38c29d5c44763053832cf2a32f7409567e0c74749a47db"}, ] [package.dependencies]