diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index 29e970dcd..4a02291cb 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml @@ -15,7 +15,7 @@ concurrency: jobs: meta: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: matrix_supportedSplunk: ${{ steps.matrix.outputs.supportedSplunk }} steps: @@ -25,7 +25,7 @@ jobs: fossa-scan: continue-on-error: true - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: run fossa anlyze and create report @@ -47,13 +47,13 @@ jobs: FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }} compliance-copyrights: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: apache/skywalking-eyes@v0.6.0 pre-commit: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -62,7 +62,7 @@ jobs: - uses: pre-commit/action@v3.0.1 semgrep: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 name: security-sast-semgrep steps: - uses: actions/checkout@v4 @@ -72,7 +72,7 @@ jobs: publishToken: ${{ secrets.SEMGREP_PUBLISH_TOKEN }} test-splunk-unit: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 with: @@ -85,7 +85,7 @@ jobs: test-splunk-external: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: - meta - pre-commit @@ -112,8 +112,8 @@ jobs: export SPLUNK_VERSION=${{ matrix.splunk.version }} export SPLUNK_HEC_TOKEN="9b741d03-43e9-4164-908b-e09102327d22" echo $SPLUNK_VERSION - docker compose -f "docker-compose-ci.yml" build - SPLUNK_PASSWORD=Chang3d! docker compose -f docker-compose-ci.yml up --abort-on-container-exit + docker compose -f "docker-compose.yml" build + SPLUNK_PASSWORD=Chang3d! docker compose -f docker-compose.yml up --abort-on-container-exit docker volume ls - name: Collect Results run: | 
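Review bot: The two added `docker compose` lines in the test-splunk-external hunk point CI at `docker-compose.yml`, but nothing in this diff shows that file honoring the `SPLUNK_VERSION`, `SPLUNK_HEC_TOKEN` and `SPLUNK_PASSWORD` values the surrounding context lines still export; if it does not, the matrix version silently stops being applied, so that should be confirmed against the compose file before merging. The two new lines also quote the path inconsistently (`-f "docker-compose.yml"` on the build line, bare `-f docker-compose.yml` on the up line); pick one form. Since the same file is presumably now used outside CI, consider `docker compose -f docker-compose.yml up --abort-on-container-exit --exit-code-from <test-service-name>` so the step's exit status is tied to the test container rather than to whichever container stops first. The `run: |` script continues outside this hunk.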
@@ -129,6 +129,7 @@ jobs: path: | test-results-${{ matrix.splunk.version }} + test-splunk-matrix: needs: - meta @@ -136,7 +137,7 @@ jobs: - fossa-scan - compliance-copyrights - test-splunk-unit - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: @@ -149,7 +150,6 @@ jobs: "splunk_app_cim_broken", "splunk_fiction_indextime", "splunk_fiction_indextime_broken", - "splunk_fiction_indextime_wrong_hec_token", "splunk_setup_fixture", "splunk_app_req", "splunk_app_req_broken", @@ -171,7 +171,7 @@ jobs: needs: - test-splunk-external - test-splunk-matrix - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 with: diff --git a/Dockerfile.tests b/Dockerfile.tests index f0f11fb27..d00b15b8e 100644 --- a/Dockerfile.tests +++ b/Dockerfile.tests @@ -31,7 +31,7 @@ RUN export DEBIAN_FRONTEND=noninteractive ;\ ENV LANG en_US.utf8 -COPY pytest-ci.ini /work/pytest.ini +COPY pytest.ini /work/pytest.ini COPY tests /work/tests/ WORKDIR /work diff --git a/NOTICE b/NOTICE index ddcb961f8..ac6ada58e 100644 --- a/NOTICE +++ b/NOTICE @@ -7,9 +7,9 @@ The following 3rd-party software packages may be used by or distributed with pytest-splunk-addon. Any information relevant to third-party vendors listed below are collected using common, reasonable means. -Date generated: 2024-8-7 +Date generated: 2024-12-11 -Revision ID: ec9101152540485a3cc7b35fbea07c1ea7a5e06d +Revision ID: 1bd0631034bb35df360f79a87c2d9180f2610466 ================================================================================ ================================================================================ @@ -50,6 +50,10 @@ No licenses found -------------------------------------------------------------------------------- Package Title: addonfactory-splunk-conf-parser-lib (0.4.0) + +Package Locator: pip+addonfactory-splunk-conf-parser-lib$0.4.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
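Review bot: The `@@ -149,7 +150,6 @@` hunk drops `"splunk_fiction_indextime_wrong_hec_token"` from the test-splunk-matrix list with nothing replacing it and no explanation in the hunk; judging by its name it was the negative-path fixture for a wrong HEC token, so the matrix no longer appears to exercise how ingestion behaves when the token is incorrect. If that scenario now lives elsewhere (e.g. in test-splunk-unit) or the fixture was broken, say so in the commit description; otherwise keep the entry so a regression in token validation is still caught. The matrix block starts and ends outside this hunk.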
@@ -262,6 +266,10 @@ Apache-2.0 -------------------------------------------------------------------------------- Package Title: attrs (23.2.0) + +Package Locator: pip+attrs$23.2.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -294,6 +302,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: certifi (2024.6.2) + +Package Locator: pip+certifi$2024.6.2 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -325,6 +337,10 @@ one at http://mozilla.org/MPL/2.0/. -------------------------------------------------------------------------------- Package Title: charset-normalizer (3.3.2) + +Package Locator: pip+charset-normalizer$3.3.2 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -356,6 +372,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: colorama (0.4.6) + +Package Locator: pip+colorama$0.4.6 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -394,10 +414,14 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Package Title: defusedxml (0.7.1) + +Package Locator: pip+defusedxml$0.7.1 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * -Python-2.0 +PSF-2.0 PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 
@@ -454,6 +478,10 @@ Agreement. -------------------------------------------------------------------------------- Package Title: deprecation (2.1.0) + +Package Locator: pip+deprecation$2.1.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -664,32 +692,12 @@ Apache-2.0 -* Other Licenses * -MIT - - -Copyright (c) JS Foundation and other contributors -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Package Title: elementpath (4.1.5) + +Package Locator: pip+elementpath$4.1.5 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -722,6 +730,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: exceptiongroup (1.2.1) + +Package Locator: pip+exceptiongroup$1.2.1 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -837,6 +849,10 @@ Agreement. -------------------------------------------------------------------------------- Package Title: execnet (2.0.2) + +Package Locator: pip+execnet$2.0.2 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -866,6 +882,10 @@ MIT -------------------------------------------------------------------------------- Package Title: Faker (18.13.0) + +Package Locator: pip+Faker$18.13.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -896,6 +916,10 @@ THE SOFTWARE. -------------------------------------------------------------------------------- Package Title: filelock (3.12.2) + +Package Locator: pip+filelock$3.12.2 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -931,6 +955,10 @@ For more information, please refer to -------------------------------------------------------------------------------- Package Title: future (1.0.0) + +Package Locator: pip+future$1.0.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1016,6 +1044,10 @@ SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTW -------------------------------------------------------------------------------- Package Title: httplib2 (0.22.0) + +Package Locator: pip+httplib2$0.22.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -1049,7 +1081,7 @@ SOFTWARE. * Other Licenses * -Apache-2.0, BSD-3-Clause, GPL-2.0-only +Apache-2.0, GPL-2.0-only, BSD-3-Clause * Apache-2.0 * @@ -1067,6 +1099,13 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. +* GPL-2.0-only * + +Copyright (C) 2006 Stefan Petre +This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2. +This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. +You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * BSD-3-Clause * Copyright (c) 2006 Dan-Haim. All rights reserved. . All rights reserved. 
@@ -1096,16 +1135,13 @@ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -* GPL-2.0-only * - -Copyright (C) 2006 Stefan Petre -This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2. -This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. -You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -------------------------------------------------------------------------------- Package Title: idna (3.7) + +Package Locator: pip+idna$3.7 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1148,6 +1184,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Package Title: importlib-metadata (6.7.0) + +Package Locator: pip+importlib-metadata$6.7.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1361,6 +1401,10 @@ Apache-2.0 -------------------------------------------------------------------------------- Package Title: importlib-resources (5.12.0) + +Package Locator: pip+importlib-resources$5.12.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -1574,6 +1618,10 @@ Apache-2.0 -------------------------------------------------------------------------------- Package Title: iniconfig (2.0.0) + +Package Locator: pip+iniconfig$2.0.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1604,6 +1652,10 @@ MIT -------------------------------------------------------------------------------- Package Title: jsonschema (4.17.3) + +Package Locator: pip+jsonschema$4.17.3 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -1653,6 +1705,10 @@ See the License for the specific language governing permissions and limitations -------------------------------------------------------------------------------- Package Title: junitparser (2.8.0) + +Package Locator: pip+junitparser$2.8.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -1676,81 +1732,45 @@ Copyright 2020 Joel Wang -------------------------------------------------------------------------------- Package Title: packaging (24.0) --------------------------------------------------------------------------------- - -* Declared Licenses * -BSD-3-Clause, Apache-2.0, BSD-2-Clause - -* BSD-3-Clause * -Copyright (c) . All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: +Package Locator: pip+packaging$24.0 - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - - 3. Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. +Package Depth: Transitive +-------------------------------------------------------------------------------- -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+* Declared Licenses * +Apache-2.0 -* Apache-2.0 * This software is made available under the terms of *either* of the licenses found in LICENSE.APACHE or LICENSE.BSD. Contributions to this software is made under the terms of *both* these licenses. -* BSD-2-Clause * - -Copyright (c) Donald Stufft and individual contributors. -All rights reserved. -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. +-------------------------------------------------------------------------------- +Package Title: pkgutil_resolve_name (1.3.10) - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. +Package Locator: pip+pkgutil_resolve_name$1.3.10 -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+Package Depth: Transitive +-------------------------------------------------------------------------------- +* Declared Licenses * +PSF-2.0, MIT +* PSF-2.0 * --------------------------------------------------------------------------------- -Package Title: pkgutil_resolve_name (1.3.10) --------------------------------------------------------------------------------- +PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 -* Declared Licenses * -MIT, PSF-2.0 + 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. + 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. + 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. + 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + 5. 
PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. + 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. + 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. * MIT * 
@@ -1831,22 +1851,13 @@ agrees to be bound by the terms and conditions of this License Agreement. -* PSF-2.0 * - -PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 - - 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. - 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. - 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. - 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - 6. 
This License Agreement will automatically terminate upon a material breach of its terms and conditions. - 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. - 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. - -------------------------------------------------------------------------------- Package Title: pluggy (1.2.0) + +Package Locator: pip+pluggy$1.2.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1879,6 +1890,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: pyparsing (3.1.2) + +Package Locator: pip+pyparsing$3.1.2 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -1956,6 +1971,10 @@ You should have received a copy of the GNU General Public License along with thi -------------------------------------------------------------------------------- Package Title: pyrsistent (0.19.3) + +Package Locator: pip+pyrsistent$0.19.3 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -2020,6 +2039,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Package Title: pytest (7.4.4) + +Package Locator: pip+pytest$7.4.4 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -2052,6 +2075,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: pytest-ordering (0.6) + +Package Locator: pip+pytest-ordering$0.6 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -2080,6 +2107,10 @@ SOFTWARE. -------------------------------------------------------------------------------- Package Title: pytest-xdist (3.5.0) + +Package Locator: pip+pytest-xdist$3.5.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -2109,39 +2140,14 @@ MIT -------------------------------------------------------------------------------- Package Title: python-dateutil (2.9.0.post0) --------------------------------------------------------------------------------- - -* Declared Licenses * -BSD-3-Clause, Apache-2.0 - -* BSD-3-Clause * -Copyright (c) 2017 Paul Ganssle . All rights reserved. +Package Locator: pip+python-dateutil$2.9.0.post0 -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - - 3. Neither the name of the copyright holder nor the names of its - contributors may be used to endorse or promote products derived from - this software without specific prior written permission. +Package Depth: Transitive +-------------------------------------------------------------------------------- -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+* Declared Licenses * +Apache-2.0, BSD-3-Clause * Apache-2.0 * 
@@ -2200,9 +2206,42 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The above BSD License Applies to all code, even that also covered by Apache 2.0. +* BSD-3-Clause * + +Copyright (c) 2017 Paul Ganssle . All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + + 3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + -------------------------------------------------------------------------------- Package Title: requests (2.31.0) + +Package Locator: pip+requests$2.31.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -2389,6 +2428,10 @@ Apache-2.0 -------------------------------------------------------------------------------- Package Title: six (1.16.0) + +Package Locator: pip+six$1.16.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * @@ -2418,13 +2461,17 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- Package Title: splunk-sdk (2.0.1) + +Package Locator: pip+splunk-sdk$2.0.1 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * Apache-2.0 -Copyright 2011-2024 Splunk, Inc. +Copyright 2011-2015 Splunk, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -2441,6 +2488,10 @@ See the License for the specific language governing permissions and limitations -------------------------------------------------------------------------------- Package Title: splunksplwrapper (1.1.4) + +Package Locator: pip+splunksplwrapper$1.1.4 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -2653,6 +2704,10 @@ Apache-2.0 -------------------------------------------------------------------------------- Package Title: tomli (2.0.1) + +Package Locator: pip+tomli$2.0.1 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -2676,336 +2731,60 @@ copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - - --------------------------------------------------------------------------------- -Package Title: typing-extensions (4.7.1) --------------------------------------------------------------------------------- - -* Declared Licenses * -Python-2.0, 0BSD - -* Python-2.0 * - -1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. - 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. - 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. - 4. PSF is making Python available to Licensee on an "AS IS" basis. 
PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. - 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. - 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. - 1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software"). - 2. Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee. - 3. BeOpen is making the Software available to Licensee on an "AS IS" basis. 
BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - 4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - 5. This License Agreement will automatically terminate upon a material breach of its terms and conditions. - 6. This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page. - 7. By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement. - 1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1"). - 2. 
Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRIs License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee. - Alternately, in lieu of CNRIs License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRIs License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL:http://hdl.handle.net/1895.22/1011". - 3. In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1. - 4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. - 5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. - 7. 
This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. - 8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement. -Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved. -Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. -STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -* 0BSD * - -A. 
HISTORY OF THE SOFTWARE -========================== - -Python was created in the early 1990s by Guido van Rossum at Stichting -Mathematisch Centrum (CWI, see https://www.cwi.nl) in the Netherlands -as a successor of a language called ABC. Guido remains Python's -principal author, although it includes many contributions from others. - -In 1995, Guido continued his work on Python at the Corporation for -National Research Initiatives (CNRI, see https://www.cnri.reston.va.us) -in Reston, Virginia where he released several versions of the -software. - -In May 2000, Guido and the Python core development team moved to -BeOpen.com to form the BeOpen PythonLabs team. In October of the same -year, the PythonLabs team moved to Digital Creations, which became -Zope Corporation. In 2001, the Python Software Foundation (PSF, see -https://www.python.org/psf/) was formed, a non-profit organization -created specifically to own Python-related Intellectual Property. -Zope Corporation was a sponsoring member of the PSF. - -All Python releases are Open Source (see https://opensource.org for -the Open Source Definition). Historically, most, but not all, Python -releases have also been GPL-compatible; the table below summarizes -the various releases. - - Release Derived Year Owner GPL- - from compatible? (1) - - 0.9.0 thru 1.2 1991-1995 CWI yes - 1.3 thru 1.5.2 1.2 1995-1999 CNRI yes - 1.6 1.5.2 2000 CNRI no - 2.0 1.6 2000 BeOpen.com no - 1.6.1 1.6 2001 CNRI yes (2) - 2.1 2.0+1.6.1 2001 PSF no - 2.0.1 2.0+1.6.1 2001 PSF yes - 2.1.1 2.1+2.0.1 2001 PSF yes - 2.1.2 2.1.1 2002 PSF yes - 2.1.3 2.1.2 2002 PSF yes - 2.2 and above 2.1.1 2001-now PSF yes - -Footnotes: - -(1) GPL-compatible doesn't mean that we're distributing Python under - the GPL. All Python licenses, unlike the GPL, let you distribute - a modified version without making your changes open source. 
The - GPL-compatible licenses make it possible to combine Python with - other software that is released under the GPL; the others don't. - -(2) According to Richard Stallman, 1.6.1 is not GPL-compatible, - because its license has a choice of law clause. According to - CNRI, however, Stallman's lawyer has told CNRI's lawyer that 1.6.1 - is "not incompatible" with the GPL. - -Thanks to the many outside volunteers who have worked under Guido's -direction to make these releases possible. - - -B. TERMS AND CONDITIONS FOR ACCESSING OR OTHERWISE USING PYTHON -=============================================================== - -Python software and documentation are licensed under the -Python Software Foundation License Version 2. - -Starting with Python 3.8.6, examples, recipes, and other code in -the documentation are dual licensed under the PSF License Version 2 -and the Zero-Clause BSD license. - -Some software incorporated into Python is under different licenses. -The licenses are listed with code falling under that license. - - -PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 --------------------------------------------- - -1. This LICENSE AGREEMENT is between the Python Software Foundation -("PSF"), and the Individual or Organization ("Licensee") accessing and -otherwise using this software ("Python") in source or binary form and -its associated documentation. - -2. 
Subject to the terms and conditions of this License Agreement, PSF hereby -grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, -analyze, test, perform and/or display publicly, prepare derivative works, -distribute, and otherwise use Python alone or in any derivative version, -provided, however, that PSF's License Agreement and PSF's notice of copyright, -i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 Python Software Foundation; -All Rights Reserved" are retained in Python alone or in any derivative version -prepared by Licensee. - -3. In the event Licensee prepares a derivative work that is based on -or incorporates Python or any part thereof, and wants to make -the derivative work available to others as provided herein, then -Licensee hereby agrees to include in any such work a brief summary of -the changes made to Python. - -4. PSF is making Python available to Licensee on an "AS IS" -basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. - -5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON -FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS -A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, -OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - -6. This License Agreement will automatically terminate upon a material -breach of its terms and conditions. - -7. Nothing in this License Agreement shall be deemed to create any -relationship of agency, partnership, or joint venture between PSF and -Licensee. 
This License Agreement does not grant permission to use PSF -trademarks or trade name in a trademark sense to endorse or promote -products or services of Licensee, or any third party. - -8. By copying, installing or otherwise using Python, Licensee -agrees to be bound by the terms and conditions of this License -Agreement. - - -BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 -------------------------------------------- - -BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 - -1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an -office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the -Individual or Organization ("Licensee") accessing and otherwise using -this software in source or binary form and its associated -documentation ("the Software"). - -2. Subject to the terms and conditions of this BeOpen Python License -Agreement, BeOpen hereby grants Licensee a non-exclusive, -royalty-free, world-wide license to reproduce, analyze, test, perform -and/or display publicly, prepare derivative works, distribute, and -otherwise use the Software alone or in any derivative version, -provided, however, that the BeOpen Python License is retained in the -Software, alone or in any derivative version prepared by Licensee. - -3. BeOpen is making the Software available to Licensee on an "AS IS" -basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. - -4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE -SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS -AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY -DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - -5. 
This License Agreement will automatically terminate upon a material -breach of its terms and conditions. - -6. This License Agreement shall be governed by and interpreted in all -respects by the law of the State of California, excluding conflict of -law provisions. Nothing in this License Agreement shall be deemed to -create any relationship of agency, partnership, or joint venture -between BeOpen and Licensee. This License Agreement does not grant -permission to use BeOpen trademarks or trade names in a trademark -sense to endorse or promote products or services of Licensee, or any -third party. As an exception, the "BeOpen Python" logos available at -http://www.pythonlabs.com/logos.html may be used according to the -permissions granted on that web page. - -7. By copying, installing or otherwise using the software, Licensee -agrees to be bound by the terms and conditions of this License -Agreement. - - -CNRI LICENSE AGREEMENT FOR PYTHON 1.6.1 ---------------------------------------- +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. -1. This LICENSE AGREEMENT is between the Corporation for National -Research Initiatives, having an office at 1895 Preston White Drive, -Reston, VA 20191 ("CNRI"), and the Individual or Organization -("Licensee") accessing and otherwise using Python 1.6.1 software in -source or binary form and its associated documentation. -2. 
Subject to the terms and conditions of this License Agreement, CNRI -hereby grants Licensee a nonexclusive, royalty-free, world-wide -license to reproduce, analyze, test, perform and/or display publicly, -prepare derivative works, distribute, and otherwise use Python 1.6.1 -alone or in any derivative version, provided, however, that CNRI's -License Agreement and CNRI's notice of copyright, i.e., "Copyright (c) -1995-2001 Corporation for National Research Initiatives; All Rights -Reserved" are retained in Python 1.6.1 alone or in any derivative -version prepared by Licensee. Alternately, in lieu of CNRI's License -Agreement, Licensee may substitute the following text (omitting the -quotes): "Python 1.6.1 is made available subject to the terms and -conditions in CNRI's License Agreement. This Agreement together with -Python 1.6.1 may be located on the internet using the following -unique, persistent identifier (known as a handle): 1895.22/1013. This -Agreement may also be obtained from a proxy server on the internet -using the following URL: http://hdl.handle.net/1895.22/1013". -3. In the event Licensee prepares a derivative work that is based on -or incorporates Python 1.6.1 or any part thereof, and wants to make -the derivative work available to others as provided herein, then -Licensee hereby agrees to include in any such work a brief summary of -the changes made to Python 1.6.1. +-------------------------------------------------------------------------------- +Package Title: typing-extensions (4.7.1) -4. CNRI is making Python 1.6.1 available to Licensee on an "AS IS" -basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6.1 WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. +Package Locator: pip+typing-extensions$4.7.1 -5. 
CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON -1.6.1 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS -A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 1.6.1, -OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. +Package Depth: Transitive +-------------------------------------------------------------------------------- -6. This License Agreement will automatically terminate upon a material -breach of its terms and conditions. +* Declared Licenses * +Python-2.0 -7. This License Agreement shall be governed by the federal -intellectual property law of the United States, including without -limitation the federal copyright law, and, to the extent such -U.S. federal law does not apply, by the law of the Commonwealth of -Virginia, excluding Virginia's conflict of law provisions. -Notwithstanding the foregoing, with regard to derivative works based -on Python 1.6.1 that incorporate non-separable material that was -previously distributed under the GNU General Public License (GPL), the -law of the Commonwealth of Virginia shall govern this License -Agreement only as to issues arising under or with respect to -Paragraphs 4, 5, and 7 of this License Agreement. Nothing in this -License Agreement shall be deemed to create any relationship of -agency, partnership, or joint venture between CNRI and Licensee. This -License Agreement does not grant permission to use CNRI trademarks or -trade name in a trademark sense to endorse or promote products or -services of Licensee, or any third party. - -8. By clicking on the "ACCEPT" button where indicated, or by copying, -installing or otherwise using Python 1.6.1, Licensee agrees to be -bound by the terms and conditions of this License Agreement. - - ACCEPT - - -CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 --------------------------------------------------- - -Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, -The Netherlands. 
All rights reserved. - -Permission to use, copy, modify, and distribute this software and its -documentation for any purpose and without fee is hereby granted, -provided that the above copyright notice appear in all copies and that -both that copyright notice and this permission notice appear in -supporting documentation, and that the name of Stichting Mathematisch -Centrum or CWI not be used in advertising or publicity pertaining to -distribution of the software without specific, written prior -permission. - -STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO -THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND -FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE -FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT -OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -ZERO-CLAUSE BSD LICENSE FOR CODE IN THE PYTHON DOCUMENTATION ----------------------------------------------------------------------- - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. +1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. 
+ 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. + 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. + 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + 5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. + 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. + 8. 
By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. + 1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software"). + 2. Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee. + 3. BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + 4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + 5. This License Agreement will automatically terminate upon a material breach of its terms and conditions. + 6. This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. 
This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page. + 7. By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement. + 1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1"). + 2. Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRIs License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee. + Alternately, in lieu of CNRIs License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRIs License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL:http://hdl.handle.net/1895.22/1011". + 3. 
In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1. + 4. CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + 5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. + 7. This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. + 8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement. +Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved. 
+Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. +STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -------------------------------------------------------------------------------- Package Title: urllib3 (1.26.19) + +Package Locator: pip+urllib3$1.26.19 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -3036,27 +2815,12 @@ SOFTWARE. -* Other Licenses * -Apache-2.0 - - -Copyright 2015 Google Inc. All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - -See the License for the specific language governing permissions and limitations under the License. - - -------------------------------------------------------------------------------- Package Title: xmlschema (2.5.1) + +Package Locator: pip+xmlschema$2.5.1 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -3110,6 +2874,10 @@ The name and trademarks of copyright holders may NOT be used in advertising or p -------------------------------------------------------------------------------- Package Title: xmltodict (0.13.0) + +Package Locator: pip+xmltodict$0.13.0 + +Package Depth: Direct -------------------------------------------------------------------------------- * Declared Licenses * @@ -3128,6 +2896,10 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI -------------------------------------------------------------------------------- Package Title: zipp (3.15.0) + +Package Locator: pip+zipp$3.15.0 + +Package Depth: Transitive -------------------------------------------------------------------------------- * Declared Licenses * 
@@ -4207,289 +3979,6 @@ IN THE SOFTWARE. limitations under the License. -* 0BSD * - -A. HISTORY OF THE SOFTWARE -========================== - -Python was created in the early 1990s by Guido van Rossum at Stichting -Mathematisch Centrum (CWI, see https://www.cwi.nl) in the Netherlands -as a successor of a language called ABC. Guido remains Python's -principal author, although it includes many contributions from others. - -In 1995, Guido continued his work on Python at the Corporation for -National Research Initiatives (CNRI, see https://www.cnri.reston.va.us) -in Reston, Virginia where he released several versions of the -software. - -In May 2000, Guido and the Python core development team moved to -BeOpen.com to form the BeOpen PythonLabs team. In October of the same -year, the PythonLabs team moved to Digital Creations, which became -Zope Corporation. In 2001, the Python Software Foundation (PSF, see -https://www.python.org/psf/) was formed, a non-profit organization -created specifically to own Python-related Intellectual Property. -Zope Corporation was a sponsoring member of the PSF. - -All Python releases are Open Source (see https://opensource.org for -the Open Source Definition). Historically, most, but not all, Python -releases have also been GPL-compatible; the table below summarizes -the various releases. - - Release Derived Year Owner GPL- - from compatible? (1) - - 0.9.0 thru 1.2 1991-1995 CWI yes - 1.3 thru 1.5.2 1.2 1995-1999 CNRI yes - 1.6 1.5.2 2000 CNRI no - 2.0 1.6 2000 BeOpen.com no - 1.6.1 1.6 2001 CNRI yes (2) - 2.1 2.0+1.6.1 2001 PSF no - 2.0.1 2.0+1.6.1 2001 PSF yes - 2.1.1 2.1+2.0.1 2001 PSF yes - 2.1.2 2.1.1 2002 PSF yes - 2.1.3 2.1.2 2002 PSF yes - 2.2 and above 2.1.1 2001-now PSF yes - -Footnotes: - -(1) GPL-compatible doesn't mean that we're distributing Python under - the GPL. All Python licenses, unlike the GPL, let you distribute - a modified version without making your changes open source. 
The - GPL-compatible licenses make it possible to combine Python with - other software that is released under the GPL; the others don't. - -(2) According to Richard Stallman, 1.6.1 is not GPL-compatible, - because its license has a choice of law clause. According to - CNRI, however, Stallman's lawyer has told CNRI's lawyer that 1.6.1 - is "not incompatible" with the GPL. - -Thanks to the many outside volunteers who have worked under Guido's -direction to make these releases possible. - - -B. TERMS AND CONDITIONS FOR ACCESSING OR OTHERWISE USING PYTHON -=============================================================== - -Python software and documentation are licensed under the -Python Software Foundation License Version 2. - -Starting with Python 3.8.6, examples, recipes, and other code in -the documentation are dual licensed under the PSF License Version 2 -and the Zero-Clause BSD license. - -Some software incorporated into Python is under different licenses. -The licenses are listed with code falling under that license. - - -PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 --------------------------------------------- - -1. This LICENSE AGREEMENT is between the Python Software Foundation -("PSF"), and the Individual or Organization ("Licensee") accessing and -otherwise using this software ("Python") in source or binary form and -its associated documentation. - -2. 
Subject to the terms and conditions of this License Agreement, PSF hereby -grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, -analyze, test, perform and/or display publicly, prepare derivative works, -distribute, and otherwise use Python alone or in any derivative version, -provided, however, that PSF's License Agreement and PSF's notice of copyright, -i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, -2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 Python Software Foundation; -All Rights Reserved" are retained in Python alone or in any derivative version -prepared by Licensee. - -3. In the event Licensee prepares a derivative work that is based on -or incorporates Python or any part thereof, and wants to make -the derivative work available to others as provided herein, then -Licensee hereby agrees to include in any such work a brief summary of -the changes made to Python. - -4. PSF is making Python available to Licensee on an "AS IS" -basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. - -5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON -FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS -A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, -OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - -6. This License Agreement will automatically terminate upon a material -breach of its terms and conditions. - -7. Nothing in this License Agreement shall be deemed to create any -relationship of agency, partnership, or joint venture between PSF and -Licensee. 
This License Agreement does not grant permission to use PSF -trademarks or trade name in a trademark sense to endorse or promote -products or services of Licensee, or any third party. - -8. By copying, installing or otherwise using Python, Licensee -agrees to be bound by the terms and conditions of this License -Agreement. - - -BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 -------------------------------------------- - -BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 - -1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an -office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the -Individual or Organization ("Licensee") accessing and otherwise using -this software in source or binary form and its associated -documentation ("the Software"). - -2. Subject to the terms and conditions of this BeOpen Python License -Agreement, BeOpen hereby grants Licensee a non-exclusive, -royalty-free, world-wide license to reproduce, analyze, test, perform -and/or display publicly, prepare derivative works, distribute, and -otherwise use the Software alone or in any derivative version, -provided, however, that the BeOpen Python License is retained in the -Software, alone or in any derivative version prepared by Licensee. - -3. BeOpen is making the Software available to Licensee on an "AS IS" -basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. - -4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE -SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS -AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY -DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - -5. 
This License Agreement will automatically terminate upon a material -breach of its terms and conditions. - -6. This License Agreement shall be governed by and interpreted in all -respects by the law of the State of California, excluding conflict of -law provisions. Nothing in this License Agreement shall be deemed to -create any relationship of agency, partnership, or joint venture -between BeOpen and Licensee. This License Agreement does not grant -permission to use BeOpen trademarks or trade names in a trademark -sense to endorse or promote products or services of Licensee, or any -third party. As an exception, the "BeOpen Python" logos available at -http://www.pythonlabs.com/logos.html may be used according to the -permissions granted on that web page. - -7. By copying, installing or otherwise using the software, Licensee -agrees to be bound by the terms and conditions of this License -Agreement. - - -CNRI LICENSE AGREEMENT FOR PYTHON 1.6.1 ---------------------------------------- - -1. This LICENSE AGREEMENT is between the Corporation for National -Research Initiatives, having an office at 1895 Preston White Drive, -Reston, VA 20191 ("CNRI"), and the Individual or Organization -("Licensee") accessing and otherwise using Python 1.6.1 software in -source or binary form and its associated documentation. - -2. Subject to the terms and conditions of this License Agreement, CNRI -hereby grants Licensee a nonexclusive, royalty-free, world-wide -license to reproduce, analyze, test, perform and/or display publicly, -prepare derivative works, distribute, and otherwise use Python 1.6.1 -alone or in any derivative version, provided, however, that CNRI's -License Agreement and CNRI's notice of copyright, i.e., "Copyright (c) -1995-2001 Corporation for National Research Initiatives; All Rights -Reserved" are retained in Python 1.6.1 alone or in any derivative -version prepared by Licensee. 
Alternately, in lieu of CNRI's License -Agreement, Licensee may substitute the following text (omitting the -quotes): "Python 1.6.1 is made available subject to the terms and -conditions in CNRI's License Agreement. This Agreement together with -Python 1.6.1 may be located on the internet using the following -unique, persistent identifier (known as a handle): 1895.22/1013. This -Agreement may also be obtained from a proxy server on the internet -using the following URL: http://hdl.handle.net/1895.22/1013". - -3. In the event Licensee prepares a derivative work that is based on -or incorporates Python 1.6.1 or any part thereof, and wants to make -the derivative work available to others as provided herein, then -Licensee hereby agrees to include in any such work a brief summary of -the changes made to Python 1.6.1. - -4. CNRI is making Python 1.6.1 available to Licensee on an "AS IS" -basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR -IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND -DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS -FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6.1 WILL NOT -INFRINGE ANY THIRD PARTY RIGHTS. - -5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON -1.6.1 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS -A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 1.6.1, -OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. - -6. This License Agreement will automatically terminate upon a material -breach of its terms and conditions. - -7. This License Agreement shall be governed by the federal -intellectual property law of the United States, including without -limitation the federal copyright law, and, to the extent such -U.S. federal law does not apply, by the law of the Commonwealth of -Virginia, excluding Virginia's conflict of law provisions. 
-Notwithstanding the foregoing, with regard to derivative works based -on Python 1.6.1 that incorporate non-separable material that was -previously distributed under the GNU General Public License (GPL), the -law of the Commonwealth of Virginia shall govern this License -Agreement only as to issues arising under or with respect to -Paragraphs 4, 5, and 7 of this License Agreement. Nothing in this -License Agreement shall be deemed to create any relationship of -agency, partnership, or joint venture between CNRI and Licensee. This -License Agreement does not grant permission to use CNRI trademarks or -trade name in a trademark sense to endorse or promote products or -services of Licensee, or any third party. - -8. By clicking on the "ACCEPT" button where indicated, or by copying, -installing or otherwise using Python 1.6.1, Licensee agrees to be -bound by the terms and conditions of this License Agreement. - - ACCEPT - - -CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 --------------------------------------------------- - -Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, -The Netherlands. All rights reserved. - -Permission to use, copy, modify, and distribute this software and its -documentation for any purpose and without fee is hereby granted, -provided that the above copyright notice appear in all copies and that -both that copyright notice and this permission notice appear in -supporting documentation, and that the name of Stichting Mathematisch -Centrum or CWI not be used in advertising or publicity pertaining to -distribution of the software without specific, written prior -permission. 
- -STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO -THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND -FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE -FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT -OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -ZERO-CLAUSE BSD LICENSE FOR CODE IN THE PYTHON DOCUMENTATION ----------------------------------------------------------------------- - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH -REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. - - * Apache-2.0 * Apache License 
@@ -4765,33 +4254,6 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -* BSD-2-Clause * - -Copyright (c) Donald Stufft and individual contributors. -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - * Apache-2.0 * Copyright 2017- Paul Ganssle 
@@ -5174,7 +4636,7 @@ PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. -* Python-2.0 * +* PSF-2.0 * PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 -------------------------------------------- @@ -5664,22 +5126,6 @@ No license text available ================================================================================ -BSD Zero Clause License - -Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 - -Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 - -Copyright (c) i.e., "Copyright (c) - -Copyright (c) - -Copyright (c) 1991 - 1995 Stichting Mathematisch Centrum Amsterdam, -Copyright (C) 2006 by Rob Landley -Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted. -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - --------------------------------------------------------------------------------- Apache License 2.0 Copyright (c) 2021 Splunk Inc. 
@@ -5690,13 +5136,7 @@ Copyright (c) 2022 Splunk Inc. Copyright (c) yyyy} {name of copyright owner} -Copyright (c) yyyy} {name of copyright owner} - -Copyright (c) owner} - -Copyright (c) 2011-2024 Splunk, Inc. - -Copyright (c) 2015 Google Inc. All rights reserved. +Copyright (c) 2011-2015 Splunk, Inc. Copyright (c) 2007 Google Inc. 
@@ -5765,37 +5205,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --------------------------------------------------------------------------------- -BSD 2-Clause "Simplified" License - -Copyright (c) Donald Stufft and individual contributors. - -Copyright (c) Donald Stufft and individual contributors. -Copyright (c) -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -------------------------------------------------------------------------------- BSD 3-Clause "New" or "Revised" License 
@@ -6006,14 +5415,8 @@ Copyright (c) 2006 Stefan Petre Copyright (c) 2009 by Mark Pilgrim -Copyright (c) JS Foundation and other contributors - Copyright (c) 2008-2020 Andrey Petrov and contributors (see CONTRIBUTORS.txt) -Copyright (c) 2015-2016 Will Bond - -Copyright (c) 2012 Senko Rasic - Copyright (c) 2019 TAHRI Ahmed R. Copyright (c) Ahmed TAHRI @Ousret](https://github.com/Ousret).
@@ -6207,6 +5610,8 @@ Python Software License Agreement 2.0 Copyright (c) 2020 Thomas Grainger. Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 + +Copyright (c) i.e., "Copyright (c) PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. @@ -6221,19 +5626,11 @@ PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 -------------------------------------------------------------------------------- Python License 2.0 -Copyright (c) i.e., "Copyright (c) - -Copyright (c) i.e., "Copyright (c) - -Copyright (c) - Copyright (c) 2022 Alex Grönholm Copyright (c) 2000 Bastian Kleineidam Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 - -Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. 
@@ -6327,4 +5724,4 @@ Public Domain -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -Report Generated by FOSSA on 2024-8-7 +Report Generated by FOSSA on 2024-12-11 diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml deleted file mode 100644 index 8c3528540..000000000 --- a/docker-compose-ci.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -# -# Copyright 2024 Splunk Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -#Splunk Connect for Syslog (SC4S) by Splunk, Inc. -# -#To the extent possible under law, the person who associated CC0 with -#Splunk Connect for Syslog (SC4S) has waived all copyright and related or neighboring rights -#to Splunk Connect for Syslog (SC4S). -# -#You should have received a copy of the CC0 legalcode along with this -#work. If not, see . -version: "3.7" -services: - test: - build: - context: . 
- dockerfile: Dockerfile.tests - links: - - splunk - - sc4s - volumes: - - results:/work/test-results - - sc4s: - image: ghcr.io/splunk/splunk-connect-for-syslog/container2:latest - hostname: sc4s - #When this is enabled test_common will fail - # command: -det - ports: - - "514" - - "601" - - "514/udp" - - "5000-5050" - - "5000-5050/udp" - - "6514" - stdin_open: true - tty: true - links: - - splunk - environment: - - SPLUNK_HEC_URL=https://splunk:8088 - - SPLUNK_HEC_TOKEN=70b6ae71-76b3-4c38-9597-0c5b37ad9630 - - SC4S_SOURCE_TLS_ENABLE=no - - SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no - - SC4S_LISTEN_JUNIPER_NETSCREEN_TCP_PORT=5000 - - SC4S_LISTEN_CISCO_ASA_TCP_PORT=5001 - - SC4S_LISTEN_CISCO_IOS_TCP_PORT=5002 - - SC4S_LISTEN_CISCO_MERAKI_TCP_PORT=5003 - - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004 - - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005 - - SC4S_LISTEN_PFSENSE_TCP_PORT=5006 - - SC4S_LISTEN_CISCO_ASA_UDP_PORT=5001 - - SC4S_LISTEN_CISCO_IOS_UDP_PORT=5002 - - SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5003 - - SC4S_LISTEN_JUNIPER_IDP_UDP_PORT=5004 - - SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT=5005 - - SC4S_LISTEN_PFSENSE_UDP_PORT=5006 - - SC4S_ARCHIVE_GLOBAL=no - - SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL=yes - - splunk: - build: - context: . - dockerfile: Dockerfile.splunk - args: - SPLUNK_APP_ID: ${SPLUNK_APP_ID} - SPLUNK_APP_PACKAGE: ${SPLUNK_APP_PACKAGE} - SPLUNK_VERSION: ${SPLUNK_VERSION} - ports: - - "8000" - - "8088" - - "8089" - - "9997" - environment: - - SPLUNK_PASSWORD=${SPLUNK_PASSWORD} - - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN} - - SPLUNK_START_ARGS=--accept-license - - TEST_SC4S_ACTIVATE_EXAMPLES=yes -volumes: - results: - external: false diff --git a/docker-compose.yml b/docker-compose.yml index b502a0ec9..347bd5745 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -23,6 +23,15 @@ #work. If not, see . version: "3.7" services: + test: + build: + context: . + dockerfile: Dockerfile.tests + links: + - splunk + - sc4s + volumes: + - results:/work/test-results sc4s: image: ghcr.io/splunk/splunk-connect-for-syslog/container2:latest @@ -101,5 +110,5 @@ services: - ${CURRENT_DIR}/uf_files:${CURRENT_DIR}/uf_files volumes: - splunk-sc4s-var: + results: external: false \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 3664f2a46..d350ca6d2 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -11,4 +11,4 @@ export PATH="/root/.local/bin:$PATH" source ~/.poetry/env sleep 15 poetry install -exec poetry run pytest -vv $@ +exec poetry run pytest -vv --junitxml=/work/test-results/test.xml $@ diff --git a/pyproject.toml b/pyproject.toml index 8aec3c3bf..625aa000c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -16,7 +16,7 @@ [tool.poetry] name = "pytest-splunk-addon" -version = "5.3.0" +version = "5.4.0-beta.3" description = "A Dynamic test tool for Splunk Apps and Add-ons" authors = ["Splunk "] license = "APACHE-2.0" @@ -60,7 +60,6 @@ pytest11 = { plugin = "pytest_splunk_addon.plugin", "splunk" = "pytest_splunk_ad [tool.poetry.scripts] cim-report = 'pytest_splunk_addon.utilities.junit_parser:main' -cim-field-report = 'pytest_splunk_addon.tools.cim_field_report:main' sample_splitter = 'pytest_splunk_addon.utilities.sample_splitter:main' [build-system] diff --git a/pytest-ci.ini b/pytest-ci.ini deleted file mode 100644 index e1785e697..000000000 --- a/pytest-ci.ini +++ /dev/null 
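Review bot: The new `test` service uses the legacy `links:` key for its relationship to `splunk` and `sc4s`, which only provides network aliases and does not wait for either container to be ready; the only readiness mechanism visible in this diff is the fixed `sleep 15` in entrypoint.sh, which is fragile on a slow runner. Consider `depends_on:` on the two services, with `condition: service_healthy` if the Splunk service has (or gains) a healthcheck, and otherwise document why the sleep is the synchronization point. The `results:/work/test-results` mount does match the `--junitxml=/work/test-results/test.xml` path the entrypoint writes, so that coupling is consistent; a comment such as `# junit output written by entrypoint.sh; collected by the CI job` next to the volume entry would make it explicit. The `sc4s` service continues outside the hunk.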
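Review bot: The file still ends without a trailing newline (`\ No newline at end of file` remains on the new side), which yamllint's `new-line-at-end-of-file` rule flags; terminate the last line with a newline. Renaming the top-level volume from `splunk-sc4s-var` to `results` drops the old name entirely, so if any service in the unchanged part of this file still mounts `splunk-sc4s-var`, `docker compose up` will fail with an undefined-volume error; that part of the file is outside the hunk, so please confirm no such reference remains.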
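Review bot: `$@` on the new `exec` line is still unquoted, so any pytest argument containing whitespace or glob characters (for example `-k "a and b"`) is word-split and re-globbed before it reaches pytest; write it as `exec poetry run pytest -vv --junitxml=/work/test-results/test.xml "$@"`. The junit path is now hard-coded here instead of in the deleted pytest-ci.ini and depends on the `results` volume mounted at `/work/test-results` by the `test` service in docker-compose.yml, so a one-line comment above the `exec` noting that dependency would help the next reader. The start of the script is outside the hunk.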
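Review bot: Removing the `cim-field-report` entry under `[tool.poetry.scripts]` is a user-visible breaking change for anyone who invokes that command from a 5.3.x install, and nothing in this diff removes or deprecates the `pytest_splunk_addon.tools.cim_field_report` module it pointed at. Either confirm the module is dropped in the same release or keep the entry point with a deprecation message, and record the removal in the changelog so the version bump carries the right signal.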
@@ -1,20 +0,0 @@ -# -# Copyright 2024 Splunk Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -[pytest] -testpaths = tests -addopts = -v --tb=long --junitxml=/work/test-results/test.xml -m external tests/e2e -filterwarnings = - ignore::DeprecationWarning diff --git a/pytest.ini b/pytest.ini index 576b89d18..c276c43e9 100644 --- a/pytest.ini +++ b/pytest.ini @@ -15,6 +15,6 @@ # [pytest] testpaths = tests -addopts = -v --tb=long -m docker --log-level=INFO +addopts = -v --tb=long -m external tests/e2e filterwarnings = ignore::DeprecationWarning diff --git a/pytest_splunk_addon/CIM_Models/datamodel_definition.py b/pytest_splunk_addon/CIM_Models/datamodel_definition.py index f1590ab66..326674983 100644 --- a/pytest_splunk_addon/CIM_Models/datamodel_definition.py +++ b/pytest_splunk_addon/CIM_Models/datamodel_definition.py @@ -14,7 +14,7 @@ # limitations under the License. # datamodels = { - "latest": { + "4.18.1": { "Alerts": { "BaseEvent": [ "app", @@ -24,7 +24,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -50,12 +49,7 @@ ] }, "Change": { - "Account_Management": [ - "dest_nt_domain", - "src_nt_domain", - "src_user", - "src_user_name", - ], + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], "BaseEvent": [ "change_type", "command", @@ -71,7 +65,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], 
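Review bot: Putting the positional path `tests/e2e` into `addopts` means every pytest invocation that reads this ini always collects `tests/e2e` in addition to any paths given on the command line, and `testpaths = tests` appears to become dead configuration because an explicit argument takes precedence over it. Since Dockerfile.tests now copies this same `pytest.ini` into the container, the file is shared between CI and local runs, so a plain `pytest` on a developer machine will select the `external` e2e tests that need a running Splunk. Prefer `testpaths = tests/e2e` with `addopts = -v --tb=long -m external`, or pass the path from the CI command line, and note that `--log-level=INFO` was dropped without a replacement. The license header above this section is unchanged.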
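Review bot: Renaming the top-level key from `"latest"` to `"4.18.1"` changes the public shape of `datamodels`, so any caller that indexes `datamodels["latest"]` will now raise `KeyError`; the consumers are outside this diff, so please confirm they were updated to select by CIM version. A short comment above the dict would make the new contract clear, e.g. `# Keyed by CIM add-on version; each value maps datamodel -> dataset -> required fields.` The field removals in the next two hunks (`user_name` from Alerts and `src_user_name` from Account_Management) look intentional for 4.18.1, since the `4.19` entry added further down re-lists them, but a comment stating that the 4.18.1 lists are deliberately narrower would stop someone "fixing" them later. The dict continues well past the hunk.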
@@ -137,17 +130,322 @@ "vendor_product", ] }, - "Data_Access": { + "Email": { + "BaseEvent": [ + "action", + "dest", + "src", + "recipient", + "recipient_domain", + "src_user", + "src_user_domain", + "vendor_product", + ], + "Filtering": ["signature"], + }, + "Endpoint": { + "Filesystem": [ + "file_access_time", + "file_create_time", + "file_modify_time", + "action", + "dest", + "file_hash", + "file_name", + "file_path", + "file_acl", + "file_size", + "user", + "vendor_product", + ], + "Ports": [ + "dest_port", + "transport", + "src", + "src_port", + "dest", + "user", + "vendor_product", + ], + "Processes": [ + "dest", + "parent_process", + "parent_process_name", + "process", + "process_name", + "user", + "vendor_product", + ], + "Registry": [ + "action", + "dest", + "registry_path", + "registry_key_name", + "registry_value_data", + "registry_value_name", + "registry_value_type", + "user", + "vendor_product", + ], + "Services": [ + "dest", + "service", + "service_name", + "service_id", + "start_mode", + "status", + "user", + "vendor_product", + ], + }, + "Event_Signatures": {"BaseEvent": ["vendor_product"]}, + "Intrusion_Detection": { + "BaseEvent": [ + "dvc", + "ids_type", + "category", + "signature", + "severity", + "src", + "dest", + "user", + "vendor_product", + ] + }, + "Malware": { "BaseEvent": [ "action", + "category", + "date", + "dest", + "dest_nt_domain", + "severity", + "signature", + "user", + "vendor_product", + ], + "Malware_Operations": [ + "product_version", + "signature_version", + "dest", + "dest_nt_domain", + "vendor_product", + ], + }, + "Network_Resolution": { + "BaseEvent": [ + "answer", + "dest", + "message_type", + "query", + "reply_code_id", + "reply_code", + "vendor_product", + ] + }, + "Network_Sessions": { + "BaseEvent": [ + "dest_ip", + "dest_mac", + "dest_nt_host", + "dest_dns", + "user", + "vendor_product", + ] + }, + "Network_Traffic": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "dest_port", + 
"dvc", + "rule", + "src", + "src_port", + "transport", + "user", + "vendor_product", + ] + }, + "Performance": { + "BaseEvent": ["dest"], + "CPU": ["cpu_load_percent"], + "Facilities": ["temperature"], + "Memory": ["mem", "mem_free", "mem_used"], + "Network": ["thruput"], + "OS": ["signature"], + "Storage": [ + "storage_free", + "storage_free_percent", + "storage_used", + "storage_used_percent", + ], + "Timesync": ["action"], + "Uptime": ["uptime"], + }, + "Updates": { + "BaseEvent": [ + "dest", + "signature", + "signature_id", + "status", + "vendor_product", + ] + }, + "Vulnerabilities": { + "BaseEvent": [ + "category", + "cve", + "dest", + "dvc", + "severity", + "signature", + "vendor_product", + ] + }, + "Web": { + "BaseEvent": [ + "action", + "bytes", + "bytes_in", + "bytes_out", + "dest", + "http_content_type", + "http_method", + "http_referrer", + "http_referrer_domain", + "http_user_agent", + "src", + "status", + "url", + "url_domain", + "user", + "vendor_product", + ] + }, + }, + "4.19": { + "Alerts": { + "BaseEvent": [ "app", "dest", + "severity", + "signature_id", + "src", + "type", + "user", + "user_name", + ] + }, + "Application_State": { + "BaseEvent": ["dest", "process"], + "Ports": ["dest_port", "transport"], + "Services": ["service", "service_id", "start_mode", "status"], + }, + "Authentication": { + "BaseEvent": ["action", "app", "src", "src_user", "dest", "user"] + }, + "Certificates": { + "SSL": [ + "ssl_end_time", + "ssl_serial", + "ssl_start_time", + "ssl_hash", + "ssl_issuer", + "ssl_issuer_common_name", + "ssl_issuer_email_domain", + "ssl_subject", + "ssl_subject_common_name", + "ssl_subject_email_domain", + ] + }, + "Change": { + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", "object", + "object_attrs", "object_category", "object_id", - "object_size", + "object_path", + "status", + "result", + "result_id", "src", - 
"vendor_account", + "user", + "user_name", + "vendor_product", + "action", + ], + "Instance_Changes": ["image_id", "instance_type"], + }, + "Change_Analysis": { + "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "BaseEvent": [ + "change_type", + "command", + "dest", + "dvc", + "object", + "object_attrs", + "object_category", + "object_id", + "object_path", + "status", + "result", + "result_id", + "src", + "user", + "vendor_product", + "action", + ], + "Filesystem_Changes": [ + "file_access_time", + "file_create_time", + "file_hash", + "file_modify_time", + "file_name", + "file_path", + "file_acl", + "file_size", + ], + }, + "Compute_Inventory": { + "BaseEvent": ["dest", "vendor_product"], + "CPU": ["cpu_cores", "cpu_count", "cpu_mhz"], + "Memory": ["mem"], + "Network": ["dns", "interface", "ip", "mac", "name"], + "OS": ["os"], + "Snapshot": ["size", "snapshot"], + "Storage": ["mount", "storage"], + "User": ["interactive", "password", "user"], + "Virtual_OS": ["hypervisor"], + }, + "DLP": { + "BaseEvent": [ + "action", + "category", + "dvc", + "dlp_type", + "object", + "object_path", + "object_category", + "signature", + "severity", + "src", + "src_user", + "dest", "user", "vendor_product", ] @@ -191,7 +489,6 @@ ], "Processes": [ "dest", - "original_file_name", "parent_process", "parent_process_name", "process", @@ -350,7 +647,7 @@ ] }, }, - "4.18.1": { + "4.20.2": { "Alerts": { "BaseEvent": [ "app", @@ -360,6 +657,7 @@ "src", "type", "user", + "user_name", ] }, "Application_State": { @@ -385,7 +683,12 @@ ] }, "Change": { - "Account_Management": ["dest_nt_domain", "src_nt_domain", "src_user"], + "Account_Management": [ + "dest_nt_domain", + "src_nt_domain", + "src_user", + "src_user_name", + ], "BaseEvent": [ "change_type", "command", @@ -401,6 +704,7 @@ "result_id", "src", "user", + "user_name", "vendor_product", "action", ], 
@@ -466,6 +770,21 @@ "vendor_product", ] }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "tenant_id", + "user", + "vendor_product", + ] + }, "Email": { "BaseEvent": [ "action", @@ -505,6 +824,7 @@ ], "Processes": [ "dest", + "original_file_name", "parent_process", "parent_process_name", "process", @@ -663,7 +983,7 @@ ] }, }, - "4.19": { + "5.0.0": { "Alerts": { "BaseEvent": [ "app", @@ -786,6 +1106,21 @@ "vendor_product", ] }, + "Data_Access": { + "BaseEvent": [ + "action", + "app", + "dest", + "object", + "object_category", + "object_id", + "object_size", + "src", + "vendor_account", + "user", + "vendor_product", + ] + }, "Email": { "BaseEvent": [ "action", @@ -825,6 +1160,7 @@ ], "Processes": [ "dest", + "original_file_name", "parent_process", "parent_process_name", "process", @@ -983,7 +1319,7 @@ ] }, }, - "4.20.2": { + "5.3.1": { "Alerts": { "BaseEvent": [ "app", @@ -993,7 +1329,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -1023,7 +1358,6 @@ "dest_nt_domain", "src_nt_domain", "src_user", - "src_user_name", ], "BaseEvent": [ "change_type", @@ -1040,7 +1374,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], @@ -1112,11 +1445,13 @@ "app", "dest", "object", + "object_attrs", "object_category", "object_id", "object_size", "src", - "tenant_id", + "user_name", + "vendor_account", "user", "vendor_product", ] @@ -1160,6 +1495,7 @@ ], "Processes": [ "dest", + "loaded_file", "original_file_name", "parent_process", "parent_process_name", @@ -1319,7 +1655,7 @@ ] }, }, - "5.0.0": { + "5.3.2": { "Alerts": { "BaseEvent": [ "app", @@ -1329,7 +1665,6 @@ "src", "type", "user", - "user_name", ] }, "Application_State": { @@ -1359,7 +1694,6 @@ "dest_nt_domain", "src_nt_domain", "src_user", - "src_user_name", ], "BaseEvent": [ "change_type", 
@@ -1376,7 +1710,6 @@ "result_id", "src", "user", - "user_name", "vendor_product", "action", ], @@ -1448,10 +1781,12 @@ "app", "dest", "object", + "object_attrs", "object_category", "object_id", "object_size", "src", + "user_name", "vendor_account", "user", "vendor_product", @@ -1496,6 +1831,7 @@ ], "Processes": [ "dest", + "loaded_file", "original_file_name", "parent_process", "parent_process_name", @@ -1656,3 +1992,5 @@ }, }, } + +datamodels["latest"] = datamodels["5.3.2"] diff --git a/pytest_splunk_addon/__init__.py b/pytest_splunk_addon/__init__.py index 5fd0eeee0..dc71d3913 100644 --- a/pytest_splunk_addon/__init__.py +++ b/pytest_splunk_addon/__init__.py @@ -18,4 +18,4 @@ __author__ = """Splunk Inc.""" __email__ = "addonfactory@splunk.com" -__version__ = "5.3.0" +__version__ = "5.4.0-beta.3" diff --git a/pytest_splunk_addon/addon_parser/props_parser.py b/pytest_splunk_addon/addon_parser/props_parser.py index a44e831be..816716fd0 100644 --- a/pytest_splunk_addon/addon_parser/props_parser.py +++ b/pytest_splunk_addon/addon_parser/props_parser.py @@ -16,7 +16,7 @@ """ Provides props.conf parsing mechanism """ -from typing import Dict +from typing import Dict, List from typing import Generator from typing import Optional import logging @@ -57,6 +57,14 @@ def props(self) -> Optional[Dict]: self._props = self._conf_parser.item_dict() return self._props if self._props else None + def update_field_names(self, field_list: List[str]) -> List[str]: + """ + update field names to remove all the non-alphanumeric chars and replace them with _ + """ + for field in field_list: + field.name = re.sub(r"\W+", "_", field.name) + return field_list + def get_props_fields(self): """ Parse the props.conf and yield all supported fields 
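Review bot: `datamodels["latest"] = datamodels["5.3.2"]` makes `latest` an alias of the same dict object rather than a copy, and nothing marks it as the line to move when the next CIM version is added; a comment such as `# "latest" aliases the newest CIM version above (same dict object); update when a new version is added` would prevent a stale alias. The diff also renames the version blocks in a chain (`"latest"`→`"4.18.1"` in `@@ -14,7 +14,7 @@`, `"4.18.1"`→`"4.20.2"`, `"4.19"`→`"5.0.0"`, `"4.20.2"`→`"5.3.1"`, `"5.0.0"`→`"5.3.2"`) and inserts a new `"4.19"` block in `@@ -137,17 +130,322 @@`, so the per-version field lists are very hard to verify from the hunks alone. A small unit test asserting the expected set of version keys and, for each version, the model names present would make this data reviewable.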
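Review bot: `update_field_names` is annotated `List[str] -> List[str]`, but its body reads and writes `field.name`, so the items are field objects (whatever `_get_report_fields` yields), not strings; the annotation should name that type, and the docstring should say the list is mutated in place and returned. The method calls `re.sub` while the import hunk only adds `List` to the typing import — if `re` is not already imported elsewhere in this module, the first call raises `NameError`. If the intent is to mirror Splunk's CLEAN_KEYS, note that Splunk's key cleaning, as I recall it, also strips leading underscores and digits and treats only a-z, A-Z and 0-9 as alphanumeric, whereas `\W+` keeps `_` and any Unicode letter; confirm against transforms.conf.spec before relying on a match.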
@@ -82,6 +90,13 @@ def get_props_fields(self): else: for transform_stanza, fields in self._get_report_fields(key, value): field_list = list(fields) + if ( + self.transforms_parser.transforms.get( + transform_stanza, {} + ).get("CLEAN_KEYS") + != "false" + ): + field_list = self.update_field_names(field_list) if field_list: yield { "stanza": stanza_name, diff --git a/pytest_splunk_addon/data_models/Alerts.json b/pytest_splunk_addon/data_models/Alerts.json index 7cd84f782..2fbdb312d 100644 --- a/pytest_splunk_addon/data_models/Alerts.json +++ b/pytest_splunk_addon/data_models/Alerts.json @@ -17,19 +17,44 @@ }, { "name": "body", + "type": "optional", + "comment":"The body of a message." + }, + { + "name": "description", "type": "required", - "comment":"The body of a message." + "comment": "The description of the alert event." }, { "name": "dest", "type": "required", - "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + "comment":"The destination of the alert message, such as an email address or SNMP trap. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_type", + "type": "optional", + "comment": "The type of the destination object, such as instance, storage, firewall." }, { "name": "id", "type": "required", "comment":"The unique identifier of a message." }, + { + "name": "mitre_technique_id", + "type": "optional", + "comment": "The MITRE ATT&CK technique ID of the alert event." + }, + { + "name": "signature", + "type": "required", + "comment": "A human-readable signature name." + }, + { + "name": "signature_id", + "type": "required", + "comment": "The unique identifier or event code of the event signature." + }, { "name": "severity", "type": "required", 
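Review bot: The new guard compares the raw `CLEAN_KEYS` value with `!= "false"` case-sensitively, so `False`, `FALSE` or (I believe Splunk accepts these for booleans) `0`/`f` would still enable cleaning; normalise first, e.g. `if str(self.transforms_parser.transforms.get(transform_stanza, {}).get("CLEAN_KEYS", "true")).strip().lower() not in ("false", "f", "0"):`. A one-line comment that Splunk's default for CLEAN_KEYS is true would explain why the absent-key case falls into cleaning. `get_props_fields` starts outside this hunk.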
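Review bot: This hunk turns `description`, `signature` and `signature_id` into `"type": "required"` (and `@@ -49,8 +74,13 @@` and `@@ -67,7 +97,27 @@` do the same for `src` and `user`), so an add-on whose Alerts events passed the field tests before will fail them after this release; that deserves an explicit changelog entry, and if Alerts.json carries a top-level `version` like the new Compute_Inventory.json does, it should be bumped. The same optional→required flips appear in Authentication.json (`src`), Certificates.json (`ssl_end_time`, `ssl_hash`, `ssl_start_time`), Change.json (`src`) and DLP.json (`vendor_product`). Style: the new entries alternate between `"comment":"…"` and `"comment": "…"`; pick one spacing for the file.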
@@ -49,8 +74,13 @@ }, { "name": "src", + "type": "required", + "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + }, + { + "name": "src_type", "type": "optional", - "comment":"The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + "comment": "The type of the source object, such as instance, storage, firewall." }, { "name": "subject", @@ -67,7 +97,27 @@ "task", "warning" ], - "comment":"The message type." + "comment":"The message type." + }, + { + "name": "user", + "type": "required", + "comment": "The user involved in the alert event." + }, + { + "name": "user_name", + "type": "optional", + "comment": "The name of the user involved in the alert event." + }, + { + "name": "vendor_account", + "type": "optional", + "comment": "The account associated with the alert event. The account represents the organization, or a Cloud customer or a Cloud account." + }, + { + "name": "vendor_region", + "type": "optional", + "comment": "The data center region involved in the alert event, such as us-west-2." } ], "child_dataset": [] diff --git a/pytest_splunk_addon/data_models/Authentication.json b/pytest_splunk_addon/data_models/Authentication.json index dcb4f43d1..c516ade74 100644 --- a/pytest_splunk_addon/data_models/Authentication.json +++ b/pytest_splunk_addon/data_models/Authentication.json @@ -10,7 +10,7 @@ { "name": "action", "type": "required", - "expected_values": ["success", "failure", "error"], + "expected_values": ["success", "failure", "pending", "error"], "comment": "The action performed on the resource." }, { 
@@ -18,11 +18,46 @@ "type": "required", "comment": "The application involved in the event (such as ssh, splunk, win:local)." }, + { + "name": "authentication_method", + "type": "optional", + "comment": "The method used to authenticate the request" + }, + { + "name": "authentication_service", + "type": "optional", + "comment": "The service used to authenticate the request" + }, { "name": "dest", "type": "required", "comment": "The target involved in the authentication. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_nt_host." }, + { + "name": "src_user_type", + "type": "optional", + "comment": "The type of the user who initiated the privilege escalation." + }, + { + "name": "user_type", + "type": "optional", + "comment": "The type of the user involved in the event or who initiated the event.\nIAMUser, Admin, or System." + }, + { + "name": "src_user_role", + "type": "optional", + "comment": "The role of the user who initiated the privilege escalation." + }, + { + "name": "user_role", + "type": "optional", + "comment": "The role of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user role targeted by the escalation." + }, + { + "name": "user_agent", + "type": "optional", + "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4." + }, { "name": "duration", "type": "optional", @@ -35,6 +70,11 @@ "validity": "if(isnum(response_time) and response_time>0 AND response_time<3600,response_time,null())", "comment": "The amount of time it took to receive a response in the authentication event, in seconds." }, + { + "name": "session_id", + "type": "optional", + "comment": "The unique identifier assigned to the login session." + }, { "name": "signature", "type": "optional", 
@@ -48,7 +88,7 @@ }, { "name": "src", - "type": "optional", + "type": "required", "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." }, { @@ -56,11 +96,27 @@ "type": "required", "comment": "The name of the user involved in the event, or who initiated the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." }, + { + "name": "user_id", + "type": "optional", + "comment": "The unique id of the user involved in the event." + }, + { + "name": "reason", + "type": "optional", + "validity": "if(action in ['success', 'failure'], action, null())", + "comment": "The human-readable message associated with the authentication action (success or failure)." + }, { "name": "src_user", - "condition": "src_user=*", + "condition": "src_user=* tag=privileged", "type": "conditional", "comment": "In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed. If present it must be a valid user." + }, + { + "name": "vendor_account", + "type": "optional", + "comment": "The account that manages the user that initiated the request. The account represents the organization, a Cloud customer, or a Cloud account." } ], "child_dataset": [ diff --git a/pytest_splunk_addon/data_models/Certificates.json b/pytest_splunk_addon/data_models/Certificates.json index b98a9cfe4..4fd87347d 100644 --- a/pytest_splunk_addon/data_models/Certificates.json +++ b/pytest_splunk_addon/data_models/Certificates.json @@ -71,7 +71,7 @@ "fields":[ { "name": "ssl_end_time", - "type": "optional", + "type": "required", "comment":"The expiry time of the certificate. Needs to be converted to UNIX time for calculations in dashboards." }, { 
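Review bot: The comment kept on the now-required `src` entry describes `user` ("The name of the user involved in the event…") and duplicates the `user` entry's comment further down, so the tightened requirement ships with a misleading description. Mirror the `dest` entry in this file, e.g. `"comment": "The source involved in the authentication. You can alias this from more specific fields, such as src_host, src_ip, or src_nt_host."`.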
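Review bot: The `validity` added for `reason`, `if(action in ['success', 'failure'], action, null())`, returns `action` rather than `reason`, so the check validates the wrong field; the other validity expression in this file returns the field it belongs to (`response_time`). As far as I know `field in [...]` with square brackets is not SPL eval syntax either — eval has the `in()` function — so the line should read `"validity": "if(in(action, \"success\", \"failure\"), reason, null())"`. Confirm how the harness evaluates `validity` before merging.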
@@ -81,7 +81,7 @@ }, { "name": "ssl_hash", - "type": "optional", + "type": "required", "comment":"The hash of the certificate." }, { @@ -110,6 +110,11 @@ "type": "optional", "comment":"The certificate issuer's email address." }, + { + "name": "ssl_issuer_email_domain", + "type": "optional", + "comment":"The domain name contained within the certificate issuer's email address." + }, { "name": "ssl_issuer_locality", "type": "optional", @@ -167,7 +172,7 @@ }, { "name": "ssl_start_time", - "type": "optional", + "type": "required", "comment":"This is the start date and time for this certificate's validity. Needs to be converted to UNIX time for calculations in dashboards." }, { @@ -185,6 +190,11 @@ "type": "optional", "comment":"The certificate owner's e-mail address." }, + { + "name": "ssl_subject_email_domain", + "type": "optional", + "comment":"The domain name contained within the certificate subject's email address." + }, { "name": "ssl_subject_locality", "type": "optional", diff --git a/pytest_splunk_addon/data_models/Change.json b/pytest_splunk_addon/data_models/Change.json index 8ba8611c1..fc3df7052 100644 --- a/pytest_splunk_addon/data_models/Change.json +++ b/pytest_splunk_addon/data_models/Change.json @@ -48,7 +48,7 @@ }, { "name": "object_category", - "validity": "if(like(object_category,'%\\\"%'),null(),object_category)", + "validity": "if(tag==\"account\" AND object_category==user,object_category, null())", "type": "required", "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app." }, 
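Review bot: In the new validity `if(tag==\"account\" AND object_category==user,object_category, null())`, `user` is unquoted, and in eval an unquoted identifier is a field reference, so the expression compares `object_category` with the event's `user` field instead of the literal `user`; it should be `object_category==\"user\"`. The expression also yields `null()` for every event that is not tagged `account`, while `object_category` stays `"type": "required"` — if the harness treats a null validity result as a failed check (I cannot see how `validity` is consumed from here), every non-account change event would fail this field. `tag` is normally multivalued, so `tag==\"account\"` may not behave as intended either; worth a quick test against a real event.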
@@ -61,13 +61,13 @@ { "name": "object_path", "validity": "if(like(object_path,'%\\\"%'),null(),object_path)", - "type": "required", + "type": "optional", "comment": "The path of the modified resource object, if applicable (such as a file, directory, or volume)." }, { "name": "result", - "type": "optional", - "expected_values": ["lockout"], + "condition": "status=failure", + "type": "conditional", "comment": "The vendor-specific result of a change, or clarification of an action status. For instance, status=failure may be accompanied by result=blocked by policy or result=disk full. result is a string. Please use a msg_severity_id field (not included in the data model) for severity ID fields that are integer data types." }, { @@ -77,7 +77,7 @@ }, { "name": "src", - "type": "optional", + "type": "required", "comment": "The resource where the change was originated. You can alias this from more specific fields not included in the data model, such as src_host, src_ip, or src_name." }, { 
@@ -96,6 +96,31 @@ "type": "required", "comment": "The user or entity performing the change. For account changes, this is the account that was changed (see src_user for user or entity performing the change)." }, + { + "name": "user_agent", + "type": "optional", + "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4." + }, + { + "name": "user_name", + "type": "optional", + "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed this is the account that was changed (see src_user_name)." + }, + { + "name": "user_type", + "type": "optional", + "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request." + }, + { + "name": "vendor_account", + "type": "optional", + "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account." + }, + { + "name": "vendor_region", + "type": "optional", + "comment": "The account that manages the user that initiated the request. The account represents the organization, or a Cloud customer or a Cloud account." + }, { "name": "vendor_product", "type": "required", @@ -124,6 +149,16 @@ "type": "conditional", "condition": "object_category=user", "comment": "For account changes, the user or entity performing the change." + }, + { + "name": "src_user_type", + "type": "optional", + "comment": "For account management events, this should represent the type of the user changed by the request." + }, + { + "name": "src_user_name", + "type": "optional", + "comment": "For account changes, the user name of the user or entity performing the change." } ], "child_dataset": [ 
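Review bot: The comment on the new `vendor_region` entry is a copy of `vendor_account`'s ("The account that manages the user that initiated the request…"), and the `user_name` comment repeats "this is the account that was changed" twice. Align `vendor_region` with the Alerts.json entry in this same change, `"comment": "The data center region involved in the change, such as us-west-2."`, and trim `user_name` to `"comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name)."`.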
@@ -194,11 +229,71 @@ ], "search_constraints": "tag=endpoint" }, + { + "name": "Instance_Changes", + "tags": [["change", "instance"]], + "fields_cluster": [], + "search_constraints": "tag=instance", + "fields": [ + { + "name": "image_id", + "type": "required", + "comment": "For create instance events, this field represents the image ID used for creating the instance such as the OS, applications, installed libraries, and more." + }, + { + "name": "instance_type", + "type": "required", + "comment": "For create instance events, this field represents the type of instance to build such as the combination of CPU, memory, storage, and network capacity." + } + ], + "child_dataset": [] + }, { "name": "Network_Changes", "tags": [["change", "network"]], "fields_cluster": [], - "fields": [], + "fields": [ + { + "name": "dest_ip_range", + "type": "optional", + "comment": "For network events, the outgoing traffic for a specific destination IP address range. Specify a single IP address or an IP address range in CIDR notation. For example, 203.0.113.5 or 203.0.113.5/32." + }, + { + "name": "dest_port_range", + "type": "optional", + "comment": "For network events, this field represents destination port or range. For example, 80 or 8000 - 8080 or 80,443." + }, + { + "name": "direction", + "type": "optional", + "comment": "For network events, this field represents whether the traffic is inbound or outbound." + }, + { + "name": "protocol", + "type": "optional", + "comment": "This field represents the protocol for the network event rule." + }, + { + "name": "rule_action", + "type": "optional", + "comment": "For network events, this field represents whether to allow or deny traffic." + }, + { + "name": "src_ip_range", + "type": "optional", + "comment": "For network events, this field represents the incoming traffic from a specific source IP address or range. Specify a single IP address or an IP address range in CIDR notation." 
+ }, + { + "name": "src_port_range", + "type": "optional", + "comment": "For network events, this field represents source port or range. For example, 80 or 8000 - 8080 or 80,443" + }, + { + "name": "device_restarts", + "type": "optional", + "comment": "Monitor all infrastructure device restarts." + } + ], "child_dataset": [ { "name": "Device_Restarts", diff --git a/pytest_splunk_addon/data_models/Compute_Inventory.json b/pytest_splunk_addon/data_models/Compute_Inventory.json new file mode 100644 index 000000000..a08e56060 --- /dev/null +++ b/pytest_splunk_addon/data_models/Compute_Inventory.json 
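Review bot: `device_restarts` is added as a field of `Network_Changes` with the comment "Monitor all infrastructure device restarts.", which reads like the description of the `Device_Restarts` child dataset declared immediately below rather than a field an add-on would extract; confirm it exists in the CIM Change model and otherwise drop it. Minor: the `src_port_range` comment lacks the trailing period that `dest_port_range` has.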
@@ -0,0 +1,405 @@ +{ + "model_name": "Compute_Inventory", + "version": "1.0.0", + "objects": [ + { + "name": "All_Inventory", + "tags": [["inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=inventory (tag=cpu OR tag=memory OR tag=network OR tag=storage OR (tag=system tag=version) OR tag=user OR tag=virtual)", + "fields": [ + { + "name": "dest", + "type": "required", + "comment": "The system where the data originated, the source of the event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "description", + "type": "optional", + "comment": "The description of the inventory system." + }, + { + "name": "dest_bunit", + "type": "optional", + "comment": "The business unit of the system where the data originated. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_category", + "type": "optional", + "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "dest_priority", + "type": "optional", + "comment": "The priority of the system where the data originated." + }, + { + "name": "enabled", + "type": "optional", + "comment": "Indicates whether the resource is enabled or disabled." + }, + { + "name": "family", + "type": "optional", + "comment": "The product family of the resource, such as 686_64 or RISC." + }, + { + "name": "hypervisor_id", + "type": "optional", + "comment": "The hypervisor identifier, if applicable." + }, + { + "name": "serial", + "type": "optional", + "comment": "The serial number of the resource." 
+ }, + { + "name": "status", + "type": "optional", + "comment": "The current reported state of the resource." + }, + { + "name": "version", + "type": "optional", + "comment": "The version of a computer resource, such as 2008r2 or 3.0.0." + }, + { + "name": "tag", + "type": "optional", + "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the resource, such as Cisco Catalyst 3850. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [ + { + "name": "CPU", + "tags": [ + ["cpu","inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=cpu", + "fields": [ + { + "name": "cpu_cores", + "type": "required", + "comment": "The number of CPU cores reported by the resource (total, not per CPU)." + }, + { + "name": "cpu_count", + "type": "required", + "comment": "The number of CPUs reported by the resource." + }, + { + "name": "cpu_mhz", + "type": "required", + "comment": "The maximum speed of the CPU reported by the resource (in megahertz)." + } + ], + "child_dataset": [] + }, + { + "name": "Memory", + "tags": [["memory"] + ], + "fields_cluster": [], + "search_constraints": "tag=memory", + "fields": [ + { + "name": "mem", + "type": "required", + "comment": "The total amount of memory installed in or allocated to the resource, in megabytes." + } + ], + "child_dataset": [] + }, + { + "name": "Network", + "tags": [ + ["network", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=network", + "fields": [ + { + "name": "dns", + "type": "required", + "comment": "The domain name server for the resource." + }, + { + "name": "interface", + "type": "required", + "comment": "The network interfaces of the computing resource, such as eth0, eth1 or Wired Ethernet Connection, Teredo Tunneling Pseudo-Interface." 
+ }, + { + "name": "ip", + "type": "required", + "comment": "The network addresses of the computing resource, such as 192.168.1.1 or E80:0000:0000:0000:0202:B3FF:FE1E:8329." + }, + { + "name": "dest_ip", + "type": "optional", + "comment": "The IP address for the system that the data is going to." + }, + { + "name": "src_ip", + "type": "optional", + "comment": "The IP address for the system from which the data originates." + }, + { + "name": "mac", + "type": "required", + "comment": "A MAC (media access control) address associated with the resource, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator." + }, + { + "name": "lb_method", + "type": "optional", + "comment": "The load balancing method used by the computing resource such as method, round robin, or least weight." + }, + { + "name": "node", + "type": "optional", + "comment": "Represents a node hit." + }, + { + "name": "inline_nat", + "type": "optional", + "comment": "Identifies whether the resource is a network address translation pool." + }, + { + "name": "vip_port", + "type": "optional", + "comment": "The port number for the virtual IP address (VIP). A VIP allows multiple MACs to use one IP address. VIPs are often used by load balancers." + }, + { + "name": "node_port", + "type": "optional", + "comment": "The number of the destination port on the server that you requested from." + }, + { + "name": "name", + "type": "required", + "comment": "A name field provided in some data sources." + } + ], + "child_dataset": [] + }, + { + "name": "Storage", + "tags": [["storage", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=storage", + "fields": [ + { + "name": "array", + "type": "optional", + "comment": "The array that the storage resource is a member of, if applicable." + }, + { + "name": "blocksize", + "type": "optional", + "comment": "The block size used by the storage resource, in kilobytes." 
+ }, + { + "name": "cluster", + "type": "optional", + "comment": "The index cluster that the resource is a member of, if applicable." + }, + { + "name": "fd_max", + "type": "optional", + "comment": "The maximum number of file descriptors available." + }, + { + "name": "latency", + "type": "optional", + "comment": "The latency reported by the resource, in milliseconds." + }, + { + "name": "mount", + "type": "required", + "comment": "The path at which a storage resource is mounted." + }, + { + "name": "parent", + "type": "optional", + "comment": "A higher level object that this resource is owned by, if applicable." + }, + { + "name": "read_blocks", + "type": "optional", + "comment": "The maximum possible number of blocks read per second during a polling period." + }, + { + "name": "read_latency", + "type": "optional", + "comment": "For a polling period, the average amount of time elapsed until a read request is filled by the host disks (in ms)." + }, + { + "name": "read_ops", + "type": "optional", + "comment": "The total number of read operations in the polling period." + }, + { + "name": "storage", + "type": "required", + "comment": "The amount of storage capacity allocated to the resource, in megabytes." + }, + { + "name": "write_blocks", + "type": "optional", + "comment": "The maximum possible number of blocks written per second during a polling period." + }, + { + "name": "write_latency", + "type": "optional", + "comment": "For a polling period, the average amount of time elapsed until a write request is filled by the host disks (in ms)." + }, + { + "name": "write_ops", + "type": "optional", + "comment": "The total number of write operations in the polling period." 
+ } + ], + "child_dataset": [] + }, + { + "name": "OS", + "tags": [ + ["system", "version", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=system OR tag=version", + "fields": [ + { + "name": "os", + "type": "required", + "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2. This field is constructed from vendor_product and version fields." + } + ], + "child_dataset": [] + }, + { + "name": "User", + "tags": [ + ["user", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=user", + "fields": [ + { + "name": "shell", + "type": "optional", + "comment": "Indicates the shell program used by a locally defined account." + }, + { + "name": "user_bunit", + "type": "optional", + "comment": "The business unit of the locally-defined user account. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "user_category", + "type": "optional", + "comment": "The category of the system where the data originated, such as email_server or SOX-compliant. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons." + }, + { + "name": "user_id", + "type": "optional", + "comment": "The user identification for a locally defined account." + }, + { + "name": "user_priority", + "type": "optional", + "comment": "The priority of a locally-defined account." + }, + { + "name": "interactive", + "type": "required", + "comment": "Indicates whether a locally defined account on a resource can be interactively logged in." + }, + { + "name": "password", + "type": "required", + "comment": "Displays the stored password(s) for a locally defined account, if it has any. 
For instance, an add-on may report the password column from \/etc\/passwd in this field" + }, + { + "name": "user", + "type": "required", + "comment": "The full name of a locally defined account." + } + ], + "child_dataset": [ + { + "name": "Cleartext_Passwords", + "tags": [ + ["user", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "password=*", + "fields": [], + "child_dataset": [] + }, + { + "name": "Default_Accounts", + "tags": [ + ["user", "inventory", "default"] + ], + "fields_cluster": [], + "search_constraints": "tag=default", + "fields": [], + "child_dataset": [] + } + ] + }, + { + "name": "Virtual_OS", + "tags": [ + ["virtual", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=virtual", + "fields": [ + { + "name": "hypervisor", + "type": "required", + "comment": "The hypervisor parent of a virtual guest OS." + } + ], + "child_dataset": [ + { + "name": "Snapshot", + "tags": [ + ["snapshot", "virtual", "inventory"] + ], + "fields_cluster": [], + "search_constraints": "tag=snapshot", + "fields": [ + { + "name": "size", + "type": "required", + "comment": "The snapshot file size, in megabytes." + }, + { + "name": "snapshot", + "type": "required", + "comment": "The name of a snapshot file." + }, + { + "name": "time", + "type": "optional", + "comment": "The time at which the snapshot was taken." + } + ], + "child_dataset": [] + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/pytest_splunk_addon/data_models/DLP.json b/pytest_splunk_addon/data_models/DLP.json index bb1670051..339409185 100644 --- a/pytest_splunk_addon/data_models/DLP.json +++ b/pytest_splunk_addon/data_models/DLP.json 
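Review bot: The `Memory` child dataset is tagged `[["memory"]]` while every sibling also carries `"inventory"` (`["cpu","inventory"]`, `["network", "inventory"]`, …), and the `OS` dataset's `search_constraints` is `tag=system OR tag=version` whereas the parent constraint requires both (`(tag=system tag=version)`); one of the two is inconsistent and should be aligned with the CIM definition. The `tags` arrays are also formatted inconsistently (`["cpu","inventory"]` next to `["network", "inventory"]`, with the closing `]` sometimes on its own line) and the file has no trailing newline; a pass through a JSON formatter would fix both. Since the `User` dataset makes `password` required and `Cleartext_Passwords` selects `password=*`, any sample data or fixtures added for this model should use obvious placeholder values so no real credential material lands in the repo or the test Splunk instance.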
@@ -68,11 +68,21 @@
 "type": "required",
 "comment": "The severity of the DLP event."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
 "comment": "The name of the DLP event."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "src",
 "type": "optional",
@@ -91,12 +101,12 @@
 {
 "name": "user",
 "type": "conditional",
- "condition": "dlp_type=email OR dlp_type=im",
+ "condition": "dlp_type=email OR dlp_type=share_point OR dlp_type=o365 OR dlp_type=google.* OR dlp_type=GWS.*",
 "comment": "The target user of the DLP event."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the DLP system"
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Data_Access.json b/pytest_splunk_addon/data_models/Data_Access.json
new file mode 100644
index 000000000..bb9ddae9e
--- /dev/null
+++ b/pytest_splunk_addon/data_models/Data_Access.json
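Review bot: The new `user` condition relies on `dlp_type=google.*` and `dlp_type=GWS.*`; if conditions are appended to the test search verbatim, as the `tag=` constraints in these files are, `*` is a Splunk wildcard and `.` a literal character, so `google.*` matches values that begin with `google.` and not `google` itself. If a prefix match is intended, `"condition": "dlp_type=email OR dlp_type=share_point OR dlp_type=o365 OR dlp_type=google* OR dlp_type=GWS*",` says that without the literal dot; if the dotted form is deliberate, a short clause in the field's comment would spare the next reader the same question.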
@@ -0,0 +1,192 @@ +{ + "model_name": "Data_Access", + "version": "1.0.0", + "objects": [ + { + "name": "Data_Access", + "tags": [ + ["data", "access"] + ], + "fields_cluster": [], + "search_constraints": "tag=data tag=access", + "fields": [ + { + "name": "action", + "type": "required", + "comment": "The data access action taken by the user." + }, + { + "name": "app", + "type": "required", + "comment": "he system, service, or application that generated the data access event. Examples include Onedrive, Sharepoint, drive, AzureActiveDirectory." + }, + { + "name": "application_id", + "type": "optional", + "comment": "Application ID of the user" + }, + { + "name": "object", + "type": "required", + "comment": "Resource object name on which the action was performed by a user." + }, + { + "name": "object_attrs", + "type": "required", + "comment": "The attributes that were updated on the updated resource object, if applicable." + }, + { + "name": "object_category", + "type": "required", + "comment": "Generic name for the class of the updated resource object. Expected values may be specific to an app." + }, + { + "name": "object_id", + "type": "required", + "comment": "The unique updated resource object ID as presented to the system, if applicable. For example, a source_folder_id, doc_id." + }, + { + "name": "object_path", + "type": "optional", + "comment": "The path of the modified resource object, if applicable, such as a file, directory, or volume." + }, + { + "name": "object_size", + "type": "required", + "comment": "The size of the modified resource object." + }, + { + "name": "dest", + "type": "required", + "comment": "The destination where the data resides or where it is being accessed, such as the product or application. You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, dest_url or dest_name." + }, + { + "name": "dest_name", + "type": "optional", + "comment": "Name of the destination as defined by the Vendor." 
+ }, + { + "name": "dest_url", + "type": "optional", + "comment": "Url of the product, application or object." + }, + { + "name": "dvc", + "type": "optional", + "comment": "The device that reported the data access event." + }, + { + "name": "email", + "type": "optional", + "comment": "The email address of the user involved in the event, or who initiated the event." + }, + { + "name": "owner", + "type": "optional", + "comment": "Resource owner." + }, + { + "name": "owner_id", + "type": "optional", + "comment": "ID of the owner as defined by the vendor." + }, + { + "name": "owner_email", + "type": "optional", + "comment": "Email of the resource owner." + }, + { + "name": "parent_object", + "type": "optional", + "comment": "Parent of the object name on which the action was performed by a user." + }, + { + "name": "parent_object_category", + "type": "optional", + "comment": "Object category of the parent object on which action was performed by a user." + }, + { + "name": "parent_object_id", + "type": "optional", + "comment": "Object id of the parent object on which the action was performed by a user." + }, + { + "name": "signature", + "type": "optional", + "comment": "A human-readable signature name." + }, + { + "name": "signature_id", + "type": "optional", + "comment": "The unique identifier or event code of the event signature." + }, + { + "name": "src", + "type": "required", + "comment": "The endpoint client host." + }, + { + "name": "user_agent", + "type": "optional", + "comment": "The user agent through which the request was made, such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) or aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4." + }, + { + "name": "user_email", + "type": "optional", + "comment": "The email address of the user involved in the event, or who initiated the event." + }, + { + "name": "user_group", + "type": "optional", + "comment": "The group of the user involved in the event, or who initiated the event." 
+ }, + { + "name": "user_id", + "type": "optional", + "comment": "The unique id of the user involved in the event. For authentication privilege escalation events, this should represent the user targeted by the escalation." + }, + { + "name": "user_name", + "type": "required", + "comment": "The user name of the user or entity performing the change. For account changes, this is the account that was changed (see src_user_name for user or entity performing the change)" + }, + { + "name": "user_role", + "type": "optional", + "comment": "The role of the user involved in the event, or who initiated the event." + }, + { + "name": "user_type", + "type": "optional", + "comment": "The type of the user involved in the event or who initiated the event, such as IAMUser, Admin, or System. For account management events, this should represent the type of the user changed by the request." + }, + { + "name": "vendor_account", + "type": "required", + "comment": "The account that manages the user that initiated the request." + }, + { + "name": "vendor_product_id", + "type": "optional", + "comment": "The vendor and product name ID as defined by the vendor." + }, + { + "name": "vendor_region", + "type": "optional", + "comment": "The data center region where the change occurred, such as us-west-2." + }, + { + "name": "user", + "type": "required", + "comment": "The user involved in the event, or who initiated the event." + }, + { + "name": "vendor_product", + "type": "required", + "comment": "The vendor and product name of the vendor." + } + ], + "child_dataset": [] + } + ] +} \ No newline at end of file diff --git a/pytest_splunk_addon/data_models/Databases.json b/pytest_splunk_addon/data_models/Databases.json new file mode 100644 index 000000000..00df69114 --- /dev/null +++ b/pytest_splunk_addon/data_models/Databases.json 
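Review bot: The `app` field's comment starts with `he system, service, or application ...`; it should read `The system, service, or application that generated the data access event. ...`. The `application_id` comment `Application ID of the user` and the `vendor_product` comment `The vendor and product name of the vendor.` read as placeholders next to the rest of the file, and the `user_name` comment points readers to `src_user_name`, which this model does not define. Suggest rewording `vendor_product` to the phrasing the other models use, e.g. `The vendor and product name of the system that reported the data access event.`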
@@ -0,0 +1,490 @@ +{ + "model_name": "Databases", + "version": "1.0.0", + "objects": [ + { + "name": "All_Databases", + "tags": [["database"]], + "fields_cluster": [], + "search_constraints": "tag=database", + "fields": [ + { + "name": "dest", + "type": "optional", + "comment": "The destination of the database event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." + }, + { + "name": "dest_bunit", + "type": "optional", + "comment": "The business unit of the destination." + }, + { + "name": "dest_category", + "type": "optional", + "comment": "The category of the destination." + }, + { + "name": "dest_priority", + "type": "optional", + "comment": "The priority of the destination." + }, + { + "name": "duration", + "type": "optional", + "comment": "The amount of time for the completion of the database event, in seconds." + }, + { + "name": "object", + "type": "optional", + "comment": "The name of the database object." + }, + { + "name": "response_time", + "type": "optional", + "comment": "The amount of time it took to receive a response in the database event, in seconds." + }, + { + "name": "src", + "type": "optional", + "comment": "The source of the database event. You can alias this from more specific fields, such as src_host, src_ip, or src_name." + }, + { + "name": "src_bunit", + "type": "optional", + "comment": "The business unit of the source." + }, + { + "name": "src_category", + "type": "optional", + "comment": "The category of the source." + }, + { + "name": "src_priority", + "type": "optional", + "comment": "The priority of the source." + }, + { + "name": "tag", + "type": "optional", + "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it." + }, + { + "name": "user", + "type": "optional", + "comment": "Name of the database process user." + }, + { + "name": "user_bunit", + "type": "optional", + "comment": "The business unit of the user." 
+ }, + { + "name": "user_category", + "type": "optional", + "comment": "The category associated with the user." + }, + { + "name": "user_priority", + "type": "optional", + "comment": "The priority of the user." + }, + { + "name": "vendor_product", + "type": "optional", + "comment": "The vendor and product name of the database system. This field can be automatically populated by vendor and product fields in your data." + } + ], + "child_dataset": [ + { + "name": "Database_Instance", + "tags": [ + ["instance", "database"] + ], + "search_constraints":"tag=instance", + "fields_cluster":[], + "fields":[ + { + "name": "instance_name", + "type": "optional", + "comment": "The name of the database instance." + }, + { + "name": "instance_version", + "type": "optional", + "comment": "The version of the database instance." + }, + { + "name": "session_limit", + "type": "optional", + "comment": "The maximum number of sessions that the database instance can handle." + }, + { + "name": "process_limit", + "type": "optional", + "comment": "The maximum number of processes that the database instance can handle." + } + ], + "child_dataset": [ + { + "name": "Instance_Stats", + "tags": [ + ["stats", "instance", "database"] + ], + "search_constraints":"tag=stats", + "fields_cluster":[], + "fields":[ + { + "name": "availability", + "type": "optional", + "expected_values": [ + "Available", + "Not Available" + ], + "comment": "The status of the database server." + }, + { + "name": "avg_executions", + "type": "optional", + "comment": "The average number of executions for the database instance." + }, + { + "name": "dump_area_used", + "type": "optional", + "comment": "The amount of the database dump area that has been used." + }, + { + "name": "number_of_users", + "type": "optional", + "comment": "The total number of users for the database instance." + }, + { + "name": "start_time", + "type": "optional", + "comment": "The total amount of uptime for the database instance." 
+ }, + { + "name": "sessions", + "type": "optional", + "comment": "The total number of sessions currently in use for the database instance." + }, + { + "name": "processes", + "type": "optional", + "comment": "The number of processes currently running for the database instance." + }, + { + "name": "tablespace_used", + "type": "optional", + "comment": "The total amount of tablespace used for the database instance, in bytes." + }, + { + "name": "instance_reads", + "type": "optional", + "comment": "The total number of reads for the database instance." + }, + { + "name": "instance_writes", + "type": "optional", + "comment": "The total number of writes for the database instance." + }, + { + "name": "sga_buffer_cache_size", + "type": "optional", + "comment": "The total size of the buffer cache for the database instance, in bytes." + }, + { + "name": "sga_data_dict_hit_ratio", + "type": "optional", + "comment": "The hit-to-miss ratio for the database instance's data dictionary." + }, + { + "name": "sga_buffer_hit_limit", + "type": "optional", + "comment": "The maximum number of buffers that can be hit in the database instance without finding a free buffer." + }, + { + "name": "sga_library_cache_size", + "type": "optional", + "comment": "The total library cache size for the database instance, in bytes." + }, + { + "name": "sga_fixed_area_size", + "type": "optional", + "comment": "The size of the fixed area (also referred to as the fixed SGA) for the database instance, in bytes." + }, + { + "name": "sga_free_memory", + "type": "optional", + "comment": "The total amount of free memory in the database instance SGA, in bytes." + }, + { + "name": "sga_shared_pool_size", + "type": "optional", + "comment": "The total size of the shared pool for this database instance, in bytes." + }, + { + "name": "sga_redo_log_buffer_size", + "type": "optional", + "comment": "The total size of the redo log buffer for the database instance, in bytes." 
+ }, + { + "name": "sga_sql_area_size", + "type": "optional", + "comment": "The total size of the SQL area for this database instance, in bytes." + } + ], + "child_dataset": [] + }, + { + "name": "Session_Info", + "tags": [ + ["session", "database", "database"] + ], + "search_constraints":"tag=session", + "fields_cluster":[], + "fields":[ + { + "name": "session_id", + "type": "optional", + "comment": "The unique id that identifies the session." + }, + { + "name": "session_status", + "type": "optional", + "expected_values": [ + "Online", + "Offline" + ], + "comment": "The current status of the session." + }, + { + "name": "machine", + "type": "optional", + "comment": "The name of the logical host associated with the database instance." + }, + { + "name": "elapsed_time", + "type": "optional", + "comment": "The total amount of time elapsed since the user started the session by logging into the database server, in seconds." + }, + { + "name": "cpu_used", + "type": "optional", + "comment": "The number of CPU centiseconds used by the session. Divide this value by 100 to get the CPU seconds." + }, + { + "name": "memory_sorts", + "type": "optional", + "comment": "The total number of memory sorts performed during the session." + }, + { + "name": "table_scans", + "type": "optional", + "comment": "Number of table scans performed during the session." + }, + { + "name": "physical_reads", + "type": "optional", + "comment": "The total number of physical reads performed during the session." + }, + { + "name": "logical_reads", + "type": "optional", + "comment": "The total number of consistent gets and database block gets performed during the session." + }, + { + "name": "commits", + "type": "optional", + "comment": "The number of commits per second performed by the user associated with the session." + }, + { + "name": "cursor", + "type": "optional", + "comment": "The number of the cursor currently in use by the session." 
+ }, + { + "name": "buffer_cache_hit_ratio", + "type": "optional", + "comment": "The percentage of logical reads from the buffer during the session (1-physical reads\/session logical reads*100)." + }, + { + "name": "wait_state", + "type": "optional", + "expected_values": [ + "WAITING", + "WAITED UNKNOWN", + "WAITED SHORT TIME", + "WAITED KNOWN TIME" + ], + "comment": "Provides the current wait state for the session. Can indicate that the session is currently waiting or provide information about the session's last wait. WAITING indicates the session is currently waiting, WAITED UNKNOWN TIME indicates the duration of the last session wait is unknown, WAITED SHORT TIME indicates the last session wait was < 1\/100th of a second, WAITED KNOWN TIME indicates the wait_time is the duration of the last session wait." + }, + { + "name": "wait_time", + "type": "optional", + "comment": "When wait_time = 0, the session is waiting. When wait_time has a nonzero value, it is displaying the last wait time for the session." + }, + { + "name": "seconds_in_wait", + "type": "optional", + "comment": "The seconds_in_wait depends on the value of wait_time. If wait_time = 0, seconds_in_wait is the number of seconds spent in the current wait condition. If wait_time has a nonzero value, seconds_in_wait is the number of seconds that have elapsed since the start of the last wait. You can get the active seconds that have elapsed since the last wait ended by calculating seconds_in_wait - wait_time \/ 100." + } + ], + "child_dataset": [] + + }, + { + "name": "Lock_Info", + "tags": [ + ["lock", "instance", "database"] + ], + "search_constraints":"tag=lock", + "fields_cluster":[], + "fields":[ + { + "name": "obj_name", + "type": "optional", + "comment": "The name of the locked object." + }, + { + "name": "lock_session_id", + "type": "optional", + "comment": "The session identifier of the locked object." 
+ }, + { + "name": "serial_num", + "type": "optional", + "comment": "The serial number of the object." + }, + { + "name": "lock_mode", + "type": "optional", + "comment": "The mode of the lock on the object." + }, + { + "name": "os_pid", + "type": "optional", + "comment": "The process identifier for the operating system." + }, + { + "name": "last_call_minute", + "type": "optional", + "comment": "Represents the amount of time elapsed since the session_status changed to its current status. The definition of this field depends on the session_status value. If session_status = ONLINE, the last_call_minute value represents the time elapsed since the session became active. If session_status = OFFLINE, the last_call_minute value represents the time elapsed since the session became inactive." + }, + { + "name": "logon_time", + "type": "optional", + "comment": "The database logon time for the session." + } + ], + "child_dataset": [] + } + ] + + }, + { + "name": "Database_Query", + "tags": [ + ["query", "database"] + ], + "search_constraints":"tag=query", + "fields_cluster":[], + "fields":[ + { + "name": "query", + "type": "optional", + "comment": "The full database query." + }, + { + "name": "query_id", + "type": "optional", + "comment": "The identifier for the database query." + }, + { + "name": "query_time", + "type": "optional", + "comment": "The time the system initiated the database query." + }, + { + "name": "records_affected", + "type": "optional", + "comment": "The number of records affected by the database query." + } + ], + "child_dataset": [ + { + "name": "Tablespace", + "tags": [ + ["tablespace", "query", "database"] + ], + "search_constraints":"tag=tablespace", + "fields_cluster":[], + "fields":[ + { + "name": "tablespace_name", + "type": "optional", + "comment": "The name of the tablespace." + }, + { + "name": "tablespace_status", + "type": "optional", + "expected_values": [ + "Offline", + "Online", + "Read Only" + ], + "comment": "The status of the tablespace." 
+ }, + { + "name": "free_bytes", + "type": "optional", + "comment": "The total amount of free space in the tablespace, in bytes." + }, + { + "name": "tablespace_reads", + "type": "optional", + "comment": "The number of tablespace reads carried out by the query." + }, + { + "name": "tablespace_writes", + "type": "optional", + "comment": "The number of tablespace writes carried out by the query." + } + ], + "child_dataset": [] + }, + { + "name": "Query_Stats", + "tags": [["stats", "query", "stats"]], + "search_constraints":"tag=stats", + "fields_cluster":[], + "fields":[ + { + "name": "stored_procedures_called", + "type": "optional", + "comment": "The names of the stored procedures called by the query." + }, + { + "name": "tables_hit", + "type": "optional", + "comment": "The names of the tables hit by the query." + }, + { + "name": "indexes_hit", + "type": "optional", + "comment": "The names of the indexes hit by the database query." + }, + { + "name": "query_plan_hit", + "type": "optional", + "comment": "The name of the query plan hit by the query." + } + ], + "child_dataset": [] + } + ] + + } + ] + } + ] +} \ No newline at end of file diff --git a/pytest_splunk_addon/data_models/Email.json b/pytest_splunk_addon/data_models/Email.json index 4c1198acd..d5d61c6fe 100644 --- a/pytest_splunk_addon/data_models/Email.json +++ b/pytest_splunk_addon/data_models/Email.json @@ -107,6 +107,11 @@ "validity":"if(isnum(recipient_count) and recipient_count==mvcount(recipient),recipient_count, null())", "comment": "The total number of intended message recipients." }, + { + "name": "recipient_domain", + "type": "required", + "comment": "The domain name contained within the recipient email addresses." + }, { "name": "recipient_status", "type": "optional", 
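Review bot: `Session_Info` is tagged `["session", "database", "database"]`, repeating `database` where its siblings `Instance_Stats` and `Lock_Info` carry `instance` in that position, so `["session", "instance", "database"]` looks like what was meant. `Query_Stats` has the same problem with `["stats", "query", "stats"]`, whose duplicated `stats` displaces the `database` tag that its sibling `Tablespace` carries. The `wait_state` field lists the expected value `WAITED UNKNOWN` while its comment describes `WAITED UNKNOWN TIME`; one of the two should change so the expected_values check and the documentation agree.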
@@ -149,8 +154,14 @@
 "name": "status_code",
 "type": "conditional",
 "condition": "protocol=smtp",
+ "validity": "if(match(status_code, \"(?:(\\d(\\.\\d{1,3}){0,2}))\"))",
 "comment": "The status code associated with the message."
 },
+ {
+ "name": "src_user_domain",
+ "type": "required",
+ "comment": "The domain name contained within the email address of the message sender."
+ },
 {
 "name": "subject",
 "type": "optional",
@@ -163,12 +174,12 @@
 },
 {
 "name": "user",
- "type": "required",
+ "type": "optional",
 "comment": "The user context for the process. This is not the email address for the sender. For that, look at the src_user field."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product of the email server used for the email transaction. This field can be automatically populated by vendor and product fields in your data."
 },
 {
@@ -218,7 +229,7 @@
 },
 {
 "name": "signature",
- "type": "optional",
+ "type": "required",
 "comment": "The name of the filter applied."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Endpoint.json b/pytest_splunk_addon/data_models/Endpoint.json
index 8b58c5b09..8a64d128d 100644
--- a/pytest_splunk_addon/data_models/Endpoint.json
+++ b/pytest_splunk_addon/data_models/Endpoint.json
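Review bot: The `validity` added for `status_code` calls `if()` with a single argument, whereas the other validity expressions in this file (for example the `recipient_count` one at the top of the preceding hunk) use the three-argument `if(<cond>, <field>, null())` form, so this entry will not evaluate the way the others do. The regular expression is also unanchored, so any value that contains a digit passes. Suggest `"validity": "if(match(status_code, \"^\\d(\\.\\d{1,3}){0,2}$\"), status_code, null())",`.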
@@ -23,6 +23,21 @@
 "validity": "if(isnum(dest_port),dest_port,null())",
 "comment": "Network port listening on the endpoint, such as 53."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -44,6 +59,21 @@
 "validity": "if(isnum(src_port),src_port,null())",
 "comment": "The 'remote' port connected to the listening port (if applicable)."
 },
+ {
+ "name": "src_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "src_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "src_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "state",
 "type": "required",
@@ -57,13 +87,19 @@
 },
 {
 "name": "transport_dest_port",
- "type": "not_allowed_in_search",
+ "type": "required",
+ "validity": "(?:tcp|udp|dccp|sctp)\\/(?:(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$)",
 "comment": "Calculated as transport/dest_port, such as tcp/53."
 },
 {
 "name": "user",
 "type": "optional",
 "comment": "The user account associated with the listening port."
+ },
+ {
+ "name": "vendor_product",
+ "type": "required",
+ "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
 "child_dataset": [],
@@ -90,6 +126,11 @@
 "type": "required",
 "comment": "The endpoint for which the process was spawned."
 },
+ {
+ "name": "loaded_file",
+ "type": "optional",
+ "comment": "File that was loaded."
+ },
 {
 "name": "mem_used",
 "type": "optional",
@@ -102,8 +143,13 @@
 "comment": "The operating system of the resource, such as Microsoft Windows Server 2008r2."
 },
 {
- "name": "parent_process",
+ "name": "original_file_name",
 "type": "optional",
+ "comment": "Original name of the file, not including path."
+ },
+ {
+ "name": "parent_process",
+ "type": "required",
 "comment": "The full command string of the parent process."
 },
 {
@@ -133,6 +179,11 @@
 "type": "required",
 "comment": "The file path of the parent process, such as C:\\Windows\\System32\notepad.exe."
 },
+ {
+ "name": "parent_process_hash",
+ "type": "optional",
+ "comment": "TThe digest(s) of the parent process, such as , , etc."
+ },
 {
 "name": "process",
 "type": "required",
@@ -145,7 +196,7 @@
 },
 {
 "name": "process_exec",
- "type": "required",
+ "type": "optional",
 "comment": "The executable name of the process."
 },
 {
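Review bot: The `validity` added for `transport_dest_port` is a bare regular expression, while every other `validity` in this file (`dest_port` and `src_port` in the previous hunks) is an eval expression of the form `if(<cond>, <field>, null())`; if the harness substitutes validity into an eval as those entries suggest, this string will not parse. `"validity": "if(match(transport_dest_port, \"^(?:tcp|udp|dccp|sctp)/(?:6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$\"), transport_dest_port, null())",` keeps the same port range and also anchors the start of the value. In the `@@ -133,6 +179,11 @@` hunk the `parent_process_hash` comment reads `TThe digest(s) of the parent process, such as , , etc.`, with a doubled T and the example algorithms left blank; either fill the examples in or shorten it to `The digest(s) of the parent process.`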
@@ -193,7 +244,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -222,6 +273,21 @@
 "type": "required",
 "comment": "The endpoint pertaining to the filesystem activity."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "file_access_time",
 "type": "optional",
@@ -236,7 +302,7 @@
 {
 "name": "file_hash",
 "type": "conditional",
- "condition": "action=created or action=modified ",
+ "condition": "action=created or action=modified or action=read",
 "comment": "A cryptographic identifier assigned to the file object affected by the event."
 },
 {
@@ -263,7 +329,7 @@
 },
 {
 "name": "file_size",
- "type": "optional",
+ "type": "required",
 "comment": "The size of the file that is the object of the event, in kilobytes."
 },
 {
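Review bot: The rewritten `file_hash` condition `action=created or action=modified or action=read` keeps the lowercase `or`; Splunk only treats boolean operators as operators when they are uppercase, so if this condition is appended to the test search verbatim, lowercase `or` is searched as a literal term and the condition quietly matches far fewer events than intended. The DLP condition elsewhere in this commit spells it `OR`. Suggest `"condition": "action=created OR action=modified OR action=read",`.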
@@ -283,7 +349,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -306,6 +372,21 @@
 "type": "required",
 "comment": "The endpoint pertaining to the registry events."
 },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -386,7 +467,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
@@ -410,6 +491,21 @@
 "validation": "",
 "comment": "The endpoint for which the service is installed."
 },
+ {
+ "name": "dest_is_expected",
+ "type": "optional",
+ "comment": "The endpoint for which the service is installed."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "process_guid",
 "type": "optional",
@@ -521,7 +617,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "validation": "",
 "comment": "The vendor and product name of the Endpoint solution that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
 }
diff --git a/pytest_splunk_addon/data_models/Event_Signatures.json b/pytest_splunk_addon/data_models/Event_Signatures.json
new file mode 100644
index 000000000..ef7c70f49
--- /dev/null
+++ b/pytest_splunk_addon/data_models/Event_Signatures.json
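Review bot: The new `dest_is_expected` field on the services dataset carries the comment `The endpoint for which the service is installed.`, copied from the `dest` field above it, which does not describe this field; the sibling asset-correlation fields use `This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons.`, and that comment fits here too. This dataset also receives `dest_requires_av` and `dest_should_timesync` but not `dest_should_update`, which the ports, filesystem and registry datasets in the earlier hunks all get; worth confirming the omission is intentional.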
@@ -0,0 +1,37 @@
+{
+ "model_name": "Event_Signatures",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "Event_Signatures",
+ "tags": [
+ ["track_event_signatures"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=track_event_signatures (signature=* OR signature_id=*)",
+ "fields": [
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "System affected by the signature."
+ },
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "The human readable event name."
+ },
+ {
+ "name": "signature_id",
+ "type": "required",
+ "comment": "The event name identifier (as supplied by the vendor)."
+ },
+ {
+ "name": "vendor_product",
+ "type": "optional",
+ "comment": "The vendor and product name of the technology that reported the event, such as Carbon Black Cb Response. This field can be automatically populated by vendor and product fields in your data."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/pytest_splunk_addon/data_models/Interprocess Messaging.json b/pytest_splunk_addon/data_models/Interprocess Messaging.json
new file mode 100644
index 000000000..6f18178e4
--- /dev/null
+++ b/pytest_splunk_addon/data_models/Interprocess Messaging.json
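Review bot: `vendor_product` is `optional` in this new model while the same commit changes it to `required` in the DLP, Email and Endpoint models. If the new policy is that every dataset requires `vendor_product`, this file should follow with `"type": "required",`; if Event_Signatures is deliberately different, a short clause in the field's comment would record why so the next reader does not "fix" it.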
@@ -0,0 +1,194 @@
+{
+ "model_name": "",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Messaging",
+ "tags": [["messaging"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=messaging",
+ "fields": [
+ {
+ "name": "dest",
+ "type": "optional",
+ "comment": "The destination of the message. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "dest_bunit",
+ "type": "optional",
+ "comment": "The business unit of the destination."
+ },
+ {
+ "name": "dest_category",
+ "type": "optional",
+ "expected_values": [
+ "queue",
+ "topic"
+ ],
+ "comment": "The type of message destination."
+ },
+ {
+ "name": "dest_priority",
+ "type": "optional",
+ "comment": "The priority of the destination."
+ },
+ {
+ "name": "duration",
+ "type": "optional",
+ "comment": "The number of seconds from message call to message response. Can be derived by getting the difference between the request_sent_time and the message_received_time."
+ },
+ {
+ "name": "endpoint",
+ "type": "optional",
+ "comment": "The endpoint that the message accessed during the RPC (remote procedure call) transaction."
+ },
+ {
+ "name": "endpoint_version",
+ "type": "optional",
+ "comment": "The version of the endpoint accessed during the RPC (remote procedure call) transaction, such as 1.0 or 1.22."
+ },
+ {
+ "name": "message",
+ "type": "optional",
+ "comment": "A command or reference that an RPC (remote procedure call) reads or responds to."
+ },
+ {
+ "name": "message_id",
+ "type": "optional",
+ "comment": "The message identification."
+ },
+ {
+ "name": "message_consumed_time",
+ "type": "optional",
+ "comment": "The time that the RPC (remote procedure call) read the message and was prepared to take some sort of action."
+ },
+ {
+ "name": "message_correlation_id",
+ "type": "optional",
+ "comment": "The message correlation identification value."
+ },
+ {
+ "name": "message_delivered_time",
+ "type": "optional",
+ "comment": "The time that the message producer sent the message."
+ },
+ {
+ "name": "message_delivery_mode",
+ "type": "optional",
+ "comment": "The message delivery mode. Possible values depend on the type of message-oriented middleware (MOM) solution in use. They can be words like Transient (meaning the message is stored in memory and is lost if the server dies or restarts) or Persistent (meaning the message is stored both in memory and on disk and is preserved if the server dies or restarts). They can also be numbers like 1, 2, and so on."
+ },
+ {
+ "name": "message_expiration_time",
+ "type": "optional",
+ "comment": "The time that the message expired."
+ },
+ {
+ "name": "message_priority",
+ "type": "optional",
+ "comment": "The priority of the message. Important jobs that the message queue should answer no matter what receive a higher message_priority than other jobs, ensuring they are completed before the others."
+ },
+ {
+ "name": "message_properties",
+ "type": "optional",
+ "comment": "An arbitrary list of message properties. The set of properties displayed depends on the message-oriented middleware (MOM) solution that you are using."
+ },
+ {
+ "name": "message_received_time",
+ "type": "optional",
+ "comment": "The time that the message was received by a message-oriented middleware (MOM) solution."
+ },
+ {
+ "name": "message_redelivered",
+ "type": "optional",
+ "comment": "Indicates whether or not the message was redelivered."
+ },
+ {
+ "name": "message_reply_dest",
+ "type": "optional",
+ "comment": "The name of the destination for replies to the message."
+ },
+ {
+ "name": "message_type",
+ "type": "optional",
+ "comment": "The type of message, such as call or reply."
+ },
+ {
+ "name": "parameters",
+ "type": "optional",
+ "comment": "Arguments that have been passed to an endpoint by a REST call or something similar. A sample parameter could be something like foo=bar."
+ },
+ {
+ "name": "payload",
+ "type": "optional",
+ "comment": "The message payload."
+ },
+ {
+ "name": "payload_type",
+ "type": "optional",
+ "comment": "The type of payload in the message. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
+ },
+ {
+ "name": "request_payload",
+ "type": "optional",
+ "comment": "The content of the message request."
+ },
+ {
+ "name": "request_payload_type",
+ "type": "optional",
+ "comment": "The type of payload in the message request. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
+ },
+ {
+ "name": "request_sent_time",
+ "type": "optional",
+ "comment": "The time that the message request was sent."
+ },
+ {
+ "name": "response_code",
+ "type": "optional",
+ "comment": "The response status code sent by the receiving server. Ranges between 200 and 404."
+ },
+ {
+ "name": "response_payload_type",
+ "type": "optional",
+ "comment": "The type of payload in the message response. The payload type can be text (such as json, xml, and raw) or binary (such as compressed, object, encrypted, and image)."
+ },
+ {
+ "name": "response_received_time",
+ "type": "optional",
+ "comment": "The time that the message response was received."
+ },
+ {
+ "name": "response_time",
+ "type": "optional",
+ "comment": "The amount of time it took to receive a response, in seconds."
+ },
+ {
+ "name": "return_message",
+ "type": "optional",
+ "comment": "The response status message sent by the message server."
+ },
+ {
+ "name": "rpc_protocol",
+ "type": "optional",
+ "comment": "The protocol that the message server uses for remote procedure calls (RPC). Possible values include HTTP REST, SOAP, and EJB."
+ },
+ {
+ "name": "status",
+ "type": "optional",
+ "expected_values": [
+ "pass",
+ "fail"
+ ],
+ "comment": "The status of the message response."
+ },
+ {
+ "name": "tag",
+ "type": "optional",
+ "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/pytest_splunk_addon/data_models/Intrusion_Detection.json b/pytest_splunk_addon/data_models/Intrusion_Detection.json
index a0d121013..077c3e3b0 100644
--- a/pytest_splunk_addon/data_models/Intrusion_Detection.json
+++ b/pytest_splunk_addon/data_models/Intrusion_Detection.json
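Review bot: `"model_name": ""` at the top of the new file is empty, whereas the sibling files added in this commit set it to the model's name (`Event_Signatures`, `JVM`); anything that keys on `model_name` will see an empty string for this model, so it should carry the real name (presumably the underscore form of the file name). The file name `Interprocess Messaging.json` also contains a space while every other data-model file in the diff uses underscores, which complicates shell and tooling references; renaming it to the underscore form would match the convention. The `"tags": [["messaging"]` line splits the array across two lines in a way the child datasets of `JVM.json` do not; writing it as `"tags": [` / `["messaging"]` / `],` keeps the files uniform.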
@@ -23,7 +23,6 @@
 "name": "dest",
 "type": "conditional",
 "condition": "ids_type=\"network\"",
- "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"),
if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())",
 "comment": "The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name."
 },
 {
@@ -67,16 +66,25 @@
 ],
 "comment": "The severity of the network protection event. This field is a string. Use a severity_id field (not included in this data model) for severity ID fields that are integer data types. Also, specific values are required for this field. Use vendor_severity for the vendor's own human readable severity strings, such as Good, Bad, and Really Bad."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
- "comment": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre. This is a string value. Use a signature_id field (not included in this data model) for numeric indicators."
+ "comment": "The name of the intrusion detected on the client (the src), such as PlugAndPlay_BO and JavaScript_Obfuscation_Fre."
+ },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
 },
 {
 "name": "src",
 "type": "conditional",
 "condition": "ids_type=\"network\"",
- "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"),
if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())",
 "comment": "The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name."
 },
 {
@@ -106,7 +114,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product name of the IDS or IPS system that detected the vulnerability, such as HP Tipping Point. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/JVM.json b/pytest_splunk_addon/data_models/JVM.json
new file mode 100644
index 000000000..612858f03
--- /dev/null
+++ b/pytest_splunk_addon/data_models/JVM.json
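Review bot: The `severity` comment kept as context at the top of the `@@ -67,16 +66,25 @@` hunk still says `Use a severity_id field (not included in this data model)`, but the hunk adds `severity_id` directly below it, so that parenthetical is now wrong and should be dropped the same way the `signature` comment was trimmed in this hunk. The hunk also deletes the `validity` expression on `src` (and the preceding hunk the one on `dest`), which checked that the value is an IPv4, IPv6 or MAC literal whenever `transport` names an IP protocol; after this change any string passes as `src`/`dest`, so a mis-extracted field is no longer caught by the test. The same `validity` removal appears in `Network_Resolution.json` (`dest`, `src`) and `Network_Traffic.json` (`dest`); if it is intentional because the check was too strict or slow, the commit message should say so, and the CHANGELOG should note that the models validate less than before.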
@@ -0,0 +1,332 @@
+{
+ "model_name": "JVM",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "Event_Signatures",
+ "tags": [["jvm"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=jvm",
+ "fields": [
+ {
+ "name": "jvm_description",
+ "type": "optional",
+ "comment": "A description field provided in some data sources."
+ },
+ {
+ "name": "tag",
+ "type": "optional",
+ "comment": "This automatically generated field is used to access tags from within data models. Add-on builders do not need to populate it."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Threading",
+ "tags": [
+ ["jvm", "threading"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=threading",
+ "fields": [
+ {
+ "name": "threads_started",
+ "type": "optional",
+ "comment": "The total number of threads started in the JVM."
+ },
+ {
+ "name": "thread_count",
+ "type": "optional",
+ "comment": "The JVM's current thread count."
+ },
+ {
+ "name": "cpu_time_enabled",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether thread CPU time measurement is enabled."
+ },
+ {
+ "name": "cm_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports thread contention monitoring."
+ },
+ {
+ "name": "cm_enabled",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether thread contention monitoring is enabled."
+ },
+ {
+ "name": "synch_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports monitoring of ownable synchronizer usage."
+ },
+ {
+ "name": "peak_thread_count",
+ "type": "optional",
+ "comment": "The JVM's peak thread count."
+ },
+ {
+ "name": "omu_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the JVM supports monitoring of object monitor usage."
+ },
+ {
+ "name": "daemon_thread_count",
+ "type": "optional",
+ "comment": "The JVM's current daemon count."
+ },
+ {
+ "name": "current_user_time",
+ "type": "optional",
+ "comment": "User-space time taken by the JVM, in seconds."
+ },
+ {
+ "name": "cpu_time_supported",
+ "type": "optional",
+ "expected_values": [
+ "true",
+ "false"
+ ],
+ "comment": "Indicates whether the Java virtual machine supports CPU time measurement for the current thread."
+ },
+ {
+ "name": "current_cpu_time",
+ "type": "optional",
+ "comment": "CPU-space time taken by the JVM, in seconds."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Runtime",
+ "tags": [
+ ["jvm", "runtime"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=runtime",
+ "fields": [
+ {
+ "name": "version",
+ "type": "optional",
+ "comment": "Version of the JVM."
+ },
+ {
+ "name": "uptime",
+ "type": "optional",
+ "comment": "Uptime of the JVM process, in seconds."
+ },
+ {
+ "name": "start_time",
+ "type": "optional",
+ "comment": "Start time of the JVM process."
+ },
+ {
+ "name": "process_name",
+ "type": "optional",
+ "comment": "Process name of the JVM process."
+ },
+ {
+ "name": "vendor_product",
+ "type": "optional",
+ "comment": "The JVM product or service. This field can be automatically populated by the the vendor and product fields in your raw data."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "OS",
+ "tags": [
+ ["jvm", "os"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=os",
+ "fields": [
+ {
+ "name": "os_version",
+ "type": "optional",
+ "comment": "OS version that the JVM is running on."
+ },
+ {
+ "name": "swap_space",
+ "type": "optional",
+ "comment": "Swap memory space available to the OS that the JVM is running on, in bytes."
+ },
+ {
+ "name": "physical_memory",
+ "type": "optional",
+ "comment": "Physical memory available to the OS that the JVM is running on, in bytes."
+ },
+ {
+ "name": "system_load",
+ "type": "optional",
+ "comment": "System load of the OS that the JVM is running on."
+ },
+ {
+ "name": "cpu_time",
+ "type": "optional",
+ "comment": "Amount of CPU time taken by the JVM, in seconds."
+ },
+ {
+ "name": "os",
+ "type": "optional",
+ "comment": "OS that the JVM is running on."
+ },
+ {
+ "name": "open_file_descriptors",
+ "type": "optional",
+ "comment": "Number of file descriptors opened by the JVM."
+ },
+ {
+ "name": "max_file_descriptors",
+ "type": "optional",
+ "comment": "Maximum file descriptors available to the JVM."
+ },
+ {
+ "name": "free_swap",
+ "type": "optional",
+ "comment": "Amount of free swap memory remaining to the JVM, in bytes."
+ },
+ {
+ "name": "free_physical_memory",
+ "type": "optional",
+ "comment": "Amount of free physical memory remaining to the JVM, in bytes."
+ },
+ {
+ "name": "committed_memory",
+ "type": "optional",
+ "comment": "Amount of memory committed to the JVM, in bytes."
+ },
+ {
+ "name": "total_processors",
+ "type": "optional",
+ "comment": "Total processor cores available to the OS that the JVM is running on."
+ },
+ {
+ "name": "os_architecture",
+ "type": "optional",
+ "comment": "OS architecture that the JVM is running on."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Compilation",
+ "tags": [
+ ["jvm", "compilation"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=compilation",
+ "fields": [
+ {
+ "name": "compilation_time",
+ "type": "optional",
+ "comment": "Time taken by JIT compilation, in seconds."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Classloading",
+ "tags": [
+ ["jvm", "classloading"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=classloading",
+ "fields": [
+ {
+ "name": "total_loaded",
+ "type": "optional",
+ "comment": "The total count of classes loaded in the JVM."
+ },
+ {
+ "name": "current_loaded",
+ "type": "optional",
+ "comment": "The current count of classes loaded in the JVM."
+ },
+ {
+ "name": "total_unloaded",
+ "type": "optional",
+ "comment": "The total count of classes unloaded from the JVM."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Memory",
+ "tags": [
+ ["jvm", "memory"]
+ ],
+ "fields_cluster": [],
+ "search_constraints": "tag=memory",
+ "fields": [
+ {
+ "name": "non_heap_used",
+ "type": "optional",
+ "comment": "Non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "non_heap_max",
+ "type": "optional",
+ "comment": "Maximum amount of non-heap memory used by the JVM, in bytes"
+ },
+ {
+ "name": "non_heap_initial",
+ "type": "optional",
+ "comment": "Initial amount of non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "non_heap_committed",
+ "type": "optional",
+ "comment": "Committed amount of non-heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_used",
+ "type": "optional",
+ "comment": "Heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_max",
+ "type": "optional",
+ "comment": "Maximum amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_initial",
+ "type": "optional",
+ "comment": "Initial amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "heap_committed",
+ "type": "optional",
+ "comment": "Committed amount of heap memory used by the JVM, in bytes."
+ },
+ {
+ "name": "objects_pending",
+ "type": "optional",
+ "comment": "Number of objects pending in the JVM."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/pytest_splunk_addon/data_models/Malware.json b/pytest_splunk_addon/data_models/Malware.json
index 571946248..30dca2b2d 100644
--- a/pytest_splunk_addon/data_models/Malware.json
+++ b/pytest_splunk_addon/data_models/Malware.json
@@ -21,7 +21,7 @@
 },
 {
 "name": "date",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The date of the malware event."
 },
 {
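Review bot: The root object of `JVM.json` is named `"Event_Signatures"` while `model_name` is `"JVM"` and its tag is `jvm`; this looks copied from `Event_Signatures.json`, and the root dataset should presumably be `"name": "JVM"`, otherwise anything that reports per dataset will attribute the JVM root to another model. Two smaller wording issues in the same file: the Runtime `vendor_product` comment doubles the article in `populated by the the vendor and product fields`, and the `non_heap_max` comment `"Maximum amount of non-heap memory used by the JVM, in bytes"` lacks the terminating period that every neighbouring comment has.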
@@ -29,6 +29,16 @@
 "type": "required",
 "comment": "The system that was affected by the malware event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
 },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the destination, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "file_hash",
 "type": "optional",
@@ -45,20 +55,42 @@
 "comment": "The full file path of the file with suspected malware"
 },
 {
- "name": "sender",
+ "name": "severity",
+ "type": "required",
+ "expected_values": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "informational"
+ ],
+ "comment":"The severity of a message."
+ },
+ {
+ "name": "severity_id",
 "type": "optional",
- "comment": "The reported sender of an email-based attack."
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
 },
 {
 "name": "signature",
 "type": "required",
 "comment": "The name of the malware infection detected on the client (the dest), such as Trojan.Vundo, Spyware.Gaobot, and W32.Nimbda"
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "src",
- "type": "not_allowed_in_search",
+ "type": "optional",
 "comment": "The source of the event, such as a DAT file relay server. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
 },
+ {
+ "name": "src_user",
+ "type": "optional",
+ "comment": "The reported sender of an email-based attack."
+ },
 {
 "name": "user",
 "type": "optional",
@@ -71,7 +103,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The hash of the file with suspected malware"
 }
 ],
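Review bot: `"comment":"The severity of a message."` on the new `severity` entry in the `@@ -45,20 +55,42 @@` hunk is the only key/value pair in the file without a space after the colon; write it `"comment": "The severity of a message."` so formatters and greps stay uniform. The `@@ -71,7 +103,7 @@` hunk promotes `vendor_product` to `required` but keeps its comment `"The hash of the file with suspected malware"`, which describes `file_hash`, not `vendor_product`; since the entry is being edited anyway, replace it with a comment matching the other models, e.g. `"comment": "The vendor and product name of the malware solution that reported the event."`. Introducing `severity` as `required` with a fixed value set and making `vendor_product` required are both breaking for add-ons that map the Malware model without those fields; that belongs in the changelog. The previously `not_allowed_in_search` fields `date` and `src` becoming `optional` silently loosens two checks in the same file, which is worth a sentence in the commit message as well.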
@@ -113,6 +145,16 @@
 "type": "required",
 "comment": "The system where the malware operations event occurred"
 },
+ {
+ "name": "dest_nt_domain",
+ "type": "optional",
+ "comment": "The NT domain of the dest system, if applicable."
+ },
+ {
+ "name": "dest_requires_av",
+ "type": "optional",
+ "comment": "This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
 {
 "name": "product_version",
 "type": "optional",
diff --git a/pytest_splunk_addon/data_models/Network_Resolution.json b/pytest_splunk_addon/data_models/Network_Resolution.json
index 021079943..e5a0f8426 100644
--- a/pytest_splunk_addon/data_models/Network_Resolution.json
+++ b/pytest_splunk_addon/data_models/Network_Resolution.json
@@ -13,7 +13,7 @@
 "fields_cluster": [],
 "fields": [{
 "name": "additional_answer_count",
- "type": "required",
+ "type": "optional",
 "validity": "if(isnum(additional_answer_count),additional_answer_count,null())",
 "comment": "Number of entries in the 'additional' section of the DNS message."
 },
@@ -31,14 +31,13 @@
 },
 {
 "name": "authority_answer_count",
- "type": "required",
+ "type": "optional",
 "validity": "if(isnum(authority_answer_count),authority_answer_count,null())",
 "comment": "Number of entries in the 'authority' section of the DNS message."
 },
 {
 "name": "dest",
 "type": "required",
- "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())",
 "comment": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
 },
 {
@@ -83,12 +82,100 @@
 "type": "required",
 "expected_values": [
 "A",
- "DNAME",
- "MX",
 "NS",
- "PTR"
+ "MD",
+ "MF",
+ "CNAME",
+ "SOA",
+ "MB",
+ "MG",
+ "MR",
+ "NULL",
+ "WKS",
+ "PTR",
+ "HINFO",
+ "MINFO",
+ "MX",
+ "TXT",
+ "RP",
+ "AFSDB",
+ "X25",
+ "ISDN",
+ "RT",
+ "NSAP",
+ "NSAP-PTR",
+ "SIG",
+ "KEY",
+ "PX",
+ "GPOS",
+ "AAAA",
+ "LOC",
+ "NXT",
+ "EID",
+ "NIMLOC",
+ "SRV",
+ "ATMA",
+ "NAPTR",
+ "KX",
+ "CERT",
+ "A6",
+ "DNAME",
+ "SINK",
+ "OPT",
+ "APL",
+ "DS",
+ "SSHFP",
+ "IPSECKEY",
+ "RRSIG",
+ "NSEC",
+ "DNSKEY",
+ "DHCID",
+ "NSEC3",
+ "NSEC3PARAM",
+ "TLSA",
+ "SMIMEA",
+ "Unassigned",
+ "HIP",
+ "NINFO",
+ "RKEY",
+ "TALINK",
+ "CDS",
+ "CDNSKEY",
+ "OPENPGPKEY",
+ "CSYNC",
+ "ZONEMD",
+ "SVCB",
+ "HTTPS",
+ "SPF",
+ "UINFO",
+ "UID",
+ "GID",
+ "UNSPEC",
+ "NID",
+ "L32",
+ "L64",
+ "LP",
+ "EUI48",
+ "EUI64",
+ "TKEY",
+ "TSIG",
+ "IXFR",
+ "AXFR",
+ "MAILB",
+ "MAILA",
+ "*",
+ "URI",
+ "CAA",
+ "AVC",
+ "DOA",
+ "AMTRELAY",
+ "RESINFO",
+ "TA",
+ "DLV",
+ "Private use",
+ "Reserved"
 ],
- "comment": "The DNS resource record type. For details, see the List of DNS record types on Wikipedia."
+ "comment": "The DNS resource record type. For details, see the List of DNS record types on Internet Assigned Numbers Authority (IANA) web site."
 },
 {
 "name": "reply_code",
@@ -102,15 +189,19 @@
 "Refused",
 "YXDomain",
 "YXRRSet",
+ "NXRRSet",
 "NotAuth",
 "NotZone",
+ "DSOTYPENI",
 "BADVERS",
 "BADSIG",
 "BADKEY",
 "BADTIME",
 "BADMODE",
 "BADNAME",
- "BADALG"
+ "BADALG",
+ "BADTRUNC",
+ "BADCOOKIE"
 ],
 "comment": "The return code for the response. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
 },
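Review bot: `"Unassigned"`, `"Private use"` and `"Reserved"` in the rewritten record-type `expected_values` list (the field's `name` line is above the hunk) are the placeholder rows of the IANA RR TYPE registry, not values a DNS record can carry, so an extraction that yields one of those literal strings would be accepted as a valid record type; drop the three entries. The rest of the list tracks the registry, and `"*"` is the ANY/wildcard query type, so it belongs. The `reply_code` additions in the second hunk (`NXRRSet`, `DSOTYPENI`, `BADTRUNC`, `BADCOOKIE`) match the IANA RCODE names.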
@@ -118,29 +209,27 @@
 "name": "reply_code_id",
 "type": "required",
 "expected_values": [
- "No Error",
- "Format Error",
- "Server Failure",
- "Non-Existent Domain",
- "NotImp",
- "Refused",
- "YXDomain",
- "YXRRSet",
- "NotAuth",
- "NotZone",
- "BADVERS",
- "BADSIG",
- "BADKEY",
- "BADTIME",
- "BADMODE",
- "BADNAME",
- "BADALG",
- "0",
 "1",
 "2",
- "3"
+ "3",
+ "4",
+ "5",
+ "6",
+ "7",
+ "8",
+ "9",
+ "10",
+ "11",
+ "16",
+ "17",
+ "18",
+ "19",
+ "20",
+ "21",
+ "22",
+ "23"
 ],
- "comment": "The numerical id or name of a return code. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
+ "comment": "The numerical id of a return code. For details, see the Domain Name System Parameters on the Internet Assigned Numbers Authority (IANA) web site."
 },
 {
 "name": "response_time",
@@ -151,7 +240,6 @@
 {
 "name": "src",
 "type": "required",
- "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())",
 "comment": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name."
 },
 {
@@ -184,7 +272,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor product name of the DNS server. The Splunk platform can derive this field from the fields vendor and product in the raw data, if they exist."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Network_Sessions.json b/pytest_splunk_addon/data_models/Network_Sessions.json
index d869232ab..87c5addb1 100644
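Review bot: The rewritten `reply_code_id` list drops `"0"` — the old list had it and the new one starts at `"1"` — yet 0 is NoError, the code returned by every successful lookup, so a well-formed success response would now fail the expected-values check while 1–11 and 16–23 pass; re-add `"0",` before `"1",` unless the omission is deliberate, in which case the comment should say why. The list otherwise follows the IANA RCODE assignments, with 12–15 correctly left out as unassigned. The `validity` deletion on `src` two hunks below is the same removal already noted on `Intrusion_Detection.json`.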
--- a/pytest_splunk_addon/data_models/Network_Sessions.json
+++ b/pytest_splunk_addon/data_models/Network_Sessions.json
@@ -11,7 +11,7 @@
 {
 "name": "action",
 "type": "required",
- "expected_values": ["added", "blocked"],
+ "expected_values": ["started", "ended", "blocked"],
 "comment": "The action taken by the reporting device."
 },
 {
@@ -29,6 +29,21 @@
 "type": "required",
 "comment": "An indication of the type of network session event."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
+ {
+ "name": "dest_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session."
+ },
+ {
+ "name": "dest_dns",
+ "type": "optional",
+ "comment": "The domain name system address of the destination for a network session event."
+ },
 {
 "name": "dest_priority",
 "type": "optional",
@@ -51,15 +66,21 @@
 "type": "optional",
 "comment": "The external domain name of the client initializing a network session. Not applicable for DHCP events."
 },
+ {
+ "name": "src_nt_host",
+ "type": "optional",
+ "comment": "The NetBIOS name of the client initializing a network session. Not applicable for DHCP events."
+ },
 {
 "name": "src_mac",
 "type": "optional",
 "condition": "tag != dhcp",
+ "validity": "if(match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),src_mac,null())",
 "comment": "The MAC address of the client initializing a network session. Not applicable for DHCP events.Note: Always force lower case on this field.Note: Always use colons instead of dashes, spaces, or no separator."
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The full name of the Dynamic Host Configuration Protocol (DHCP) or DNS server involved in this event including vendor and product name, such as Microsoft DHCP or ISC BIND. This field is generated by combining the values of the vendor and product fields."
 },
 {
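Review bot: The new `validity` on `src_mac` in the `@@ -51,15 +66,21 @@` hunk, `^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$`, matches only upper-case hex and accepts dashes, while the comment on the same entry says the field must be lower-cased and must use colons; a correctly normalised `aa:bb:cc:dd:ee:ff` is therefore nulled and `AA-BB-CC-DD-EE-FF` is accepted, the opposite of what the model documents. Either match the comment, `"validity": "if(match(src_mac,\"^([0-9a-f]{2}:){5}[0-9a-f]{2}$\"),src_mac,null())"`, or reuse the case-insensitive `[0-9A-Fa-f]{2}[:-]` form the other models use for MACs. Separately, the new `dest_nt_host` comment in the `@@ -29,6 +29,21 @@` hunk, `"The NetBIOS name of the client initializing a network session."`, is the `src_nt_host` wording; for the destination it should read something like `"The NetBIOS name of the destination of a network session."`. The `action` expected values changing from `added`/`blocked` to `started`/`ended`/`blocked` in the first hunk will fail existing add-ons that emit `added`, so it needs a changelog entry.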
@@ -70,7 +91,8 @@
 },
 {
 "name": "user",
- "type": "required",
+ "type": "conditional",
+ "condition": "tag=vpn",
 "comment": "The user in a network session event, where applicable. For example, a VPN session or an authenticated DHCP event."
 }
 ],
@@ -105,7 +127,7 @@
 },
 {
 "name": "lease_scope",
- "type": "required",
+ "type": "optional",
 "comment": "The consecutive range of possible IP addresses that the Dynamic Host Configuration Protocol (DHCP) server can lease to clients on a subnet. A lease_scope typically defines a single physical subnet on your network to which DHCP services are offered."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Network_Traffic.json b/pytest_splunk_addon/data_models/Network_Traffic.json
index 16b62ce39..f3f7de02a 100644
--- a/pytest_splunk_addon/data_models/Network_Traffic.json
+++ b/pytest_splunk_addon/data_models/Network_Traffic.json
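Review bot: `user` becomes `conditional` on `tag=vpn`, but its comment still cites `an authenticated DHCP event` as a case where the user applies; with the new condition the field is only checked for VPN sessions, so either the comment should drop the DHCP example or the condition is narrower than intended. The condition is also spelled `tag=vpn` while the existing condition in this file is `tag != dhcp` (spaces around the operator); one spelling keeps the expressions greppable and avoids doubt about whether the two forms are parsed the same way by the consumer.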
@@ -53,7 +53,6 @@ { "name": "dest", "type": "required", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." }, { 
@@ -64,15 +63,15 @@ { "name": "dest_ip", "type": "conditional", - "condition": "dest_ip=*", - "validity": "if(match(dest_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),dest_ip,null())", + "condition": "| where match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")", + "validity": "if((!isnull(dest_ip) AND dest == dest_ip), dest_ip, null())", "comment": "The IP address of the destination." }, { "name": "dest_mac", "type": "conditional", - "condition": "dest_mac=*", - "validity": "if(match(dest_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),dest_mac,null())", + "condition": "| where match(dest,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")", + "validity": "if((!isnull(dest_mac) AND dest_mac == dest), dest_mac, null())", "comment": "The destination TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator." }, { @@ -122,6 +121,11 @@ "type": "optional", "comment": "The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator." }, + { + "name": "dvc_ip", + "type": "optional", + "comment": "The ip address of the device." + }, { "name": "dvc_zone", "type": "optional", 
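Review bot: The rewritten `dest_ip` and `dest_mac` entries gate on `dest` rather than on the field being checked: the condition is `| where match(dest, <ip regex>)` and the validity then requires `dest == dest_ip`, so an event whose `dest` is a hostname but whose `dest_ip` is populated (a combination the `dest` comment explicitly allows) is excluded from the search and its `dest_ip` value is never validated, whereas the previous `dest_ip=*` condition covered it. Verifying that `dest` and `dest_ip` agree when both are IPs is one check; validating the syntax of `dest_ip` itself is a second one and now has no home, so keeping `"condition": "dest_ip=*"` with the IP regex applied to `dest_ip` in the validity, and adding the agreement test as a separate expression, would preserve both. The `dest_mac` condition also only matches uppercase hex (`[0-9A-F]`) while its comment mandates lower case, so lowercase MACs never enter the search at all. The `src_ip`/`src_mac` entries in the `@@ -263,21 +277,23 @@` hunk have the same structure and the same gap.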
@@ -165,10 +169,16 @@ "validity": "if(isnum(packets_out),packets_out,null())", "comment": "The total count of packets transmitted by this device/interface." }, + { + "name": "process_id", + "type": "optional", + "comment": "The numeric identifier of the process (PID) or service generating the network traffic." + }, { "name": "protocol", "type": "conditional", "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")", + "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",protocol ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),protocol,true(), null())", "expected_values": ["ip", "icmp"], "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx." }, @@ -177,7 +187,7 @@ "type": "conditional", "condition": "protocol=ip", "expected_values": ["ipv4", "ipv6"], - "comment": "Version of the OSI layer 3 protocol." + "comment": "Version of the OSI layer 3 protocol, in lower case." }, { "name": "response_time", 
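Review bot: The new `protocol` validity accepts only the pairs icmp/icmp and ip/tcp|udp, while `transport`'s `expected_values` lists `icmp` and `protocol`'s comment cites `ip` as the layer-3 value, so an event with `protocol=ip` and `transport=icmp` passes each field's expected-value check but nulls out both validity expressions (the identical expression is added to `transport` in the `@@ -263,21 +277,23 @@` hunk). If that combination is meant to be rejected, the comment should say so; if not, add a branch such as `protocol==\"ip\" AND transport==\"icmp\",protocol,` before the `true()` default. Keeping the pairing rule in one place rather than duplicating it verbatim on both fields would also stop the two from drifting apart; the stray space in `protocol ,protocol` suggests it was copied by hand.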
@@ -198,7 +208,6 @@ { "name": "src", "type": "required", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.'" }, { @@ -220,12 +229,12 @@ }, { "name": "ssid", - "type": "not_allowed_in_search", + "type": "optional", "comment": "The 802.11 service set identifier (ssid) assigned to a wireless session." }, { "name": "wifi", - "type": "not_allowed_in_search", + "type": "optional", "comment": "The wireless standard(s) in use, such as 802.11a, 802.11b, 802.11g, or 802.11n." }, { @@ -251,8 +260,13 @@ "comment": "The user that requested the traffic flow." }, { - "name": "vendor_product", + "name": "vendor_account", "type": "optional", + "comment": "The account associated with the network traffic. The account represents the organization, or a Cloud customer or a Cloud account." + }, + { + "name": "vendor_product", + "type": "required", "comment": "The vendor and product of the device generating the network event. This field can be automatically populated by vendor and product fields in your data." }, { 
@@ -263,21 +277,23 @@ { "name": "transport", "type": "required", + "condition": "", + "validity": "case(protocol==\"icmp\" AND transport==\"icmp\",transport ,protocol==\"ip\" AND (transport==\"tcp\" OR transport==\"udp\"),transport,true(), null())", "expected_values": ["tcp", "udp", "icmp"], "comment": "The OSI layer 4 (transport) protocol of the traffic observed, in lower case." }, { "name": "src_ip", "type": "conditional", - "condition": "src_ip=*", - "validity": "if(match(src_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),src_ip,null())", + "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")", + "validity": "if((!isnull(src_ip) AND src == src_ip), src_ip, null())", "comment": "The ip address of the source." }, { "name": "src_mac", "type": "conditional", - "condition": "src_mac=*", - "validity": "if(match(src_mac,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\"),src_mac,null())", + "condition": "| where match(src,\"^([0-9A-F]{2}[:-]){5}([0-9A-F]{2})$\")", + "validity": "if((!isnull(src_mac) AND src_mac == src), src_mac, null())", "comment": "The source TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14. Note: Always force lower case on this field and use colons instead of dashes, spaces, or no separator." }, { 
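Review bot: `transport` gains `"condition": ""` on a `required` field; an empty condition is either ignored by the loader or rendered into the generated search as an empty filter, and the hunk does not show which. If no condition is intended, drop the key so the entry reads `"type": "required",` followed directly by the `"validity"` line. The validity expression added here is a verbatim copy of the one added to `protocol` in the `@@ -165,10 +169,16 @@` hunk, so the ip/icmp pairing question raised there applies to this field too.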
diff --git a/pytest_splunk_addon/data_models/Performance.json b/pytest_splunk_addon/data_models/Performance.json
new file mode 100644
index 000000000..7788967f5
--- /dev/null
+++ b/pytest_splunk_addon/data_models/Performance.json
@@ -0,0 +1,314 @@
+{
+ "model_name": "Performance",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Performance",
+ "tags": [["performance"]],
+ "search_constraints": "tag=performance",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "dest_should_timesync",
+ "type": "optional",
+ "comment": "Indicates whether or not the system where the performance event occurred should time sync. This field is automatically provided by Asset and Identity correlation features of applications like the Splunk App for Enterprise Security."
+ },
+ {
+ "name": "dest_should_update",
+ "type": "optional",
+ "comment": "Indicates whether or not the system where the performance event occurred should update. This field is automatically provided by asset and identity correlation features of applications like Splunk Enterprise Security. Do not define extractions for this field when writing add-ons."
+ },
+ {
+ "name": "hypervisor_id",
+ "type": "optional",
+ "comment": "The ID of the virtualization hypervisor."
+ },
+ {
+ "name": "resource_type",
+ "type": "optional",
+ "comment": "The type of facilities resource involved in the performance event, such as a rack, room, or system."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The system where the event occurred, usually a facilities resource such as a rack or room. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "CPU",
+ "tags": [["cpu", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=cpu",
+ "fields": [
+ {
+ "name": "cpu_load_mhz",
+ "type": "optional",
+ "comment": "The amount of CPU load reported by the controller in megahertz."
+ },
+ {
+ "name": "cpu_load_percent",
+ "type": "required",
+ "comment": "The amount of CPU load reported by the controller in percentage points."
+ },
+ {
+ "name": "cpu_time",
+ "type": "optional",
+ "comment": "The number of CPU seconds consumed by processes."
+ },
+ {
+ "name": "cpu_user_percent",
+ "type": "optional",
+ "comment": "Percentage of CPU user time consumed by processes."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Facilities",
+ "tags": [["facilities", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=facilities",
+ "fields": [
+ {
+ "name": "temperature",
+ "type": "required",
+ "comment": "Average temperature of the facilities resource, in degrees Celsius."
+ },
+ {
+ "name": "power",
+ "type": "optional",
+ "comment": "Amount of power consumed by the facilities resource, in kW."
+ },
+ {
+ "name": "fan_speed",
+ "type": "optional",
+ "comment": "The speed of the cooling fan in the facilities resource, in rotations per second."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Memory",
+ "tags": [["memory", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=memory",
+ "fields": [
+ {
+ "name": "mem",
+ "type": "required",
+ "comment": "The total amount of memory capacity reported by the resource, in megabytes."
+ },
+ {
+ "name": "mem_committed",
+ "type": "optional",
+ "comment": "The committed amount of memory reported by the resource, in megabytes."
+ },
+ {
+ "name": "mem_free",
+ "type": "required",
+ "comment": "The free amount of memory reported by the resource, in megabytes."
+ },
+ {
+ "name": "mem_used",
+ "type": "required",
+ "comment": "The used amount of memory reported by the resource, in megabytes."
+ },
+ {
+ "name": "swap",
+ "type": "optional",
+ "comment": "The total swap space size, in megabytes, if applicable."
+ },
+ {
+ "name": "swap_free",
+ "type": "optional",
+ "comment": "The free swap space size, in megabytes, if applicable."
+ },
+ {
+ "name": "swap_used",
+ "type": "optional",
+ "comment": "The used swap space size, in megabytes, if applicable."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Storage",
+ "tags": [["storage", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=storage",
+ "fields": [
+ {
+ "name": "array",
+ "type": "optional",
+ "comment": "The array that the resource is a member of, if applicable."
+ },
+ {
+ "name": "blocksize",
+ "type": "optional",
+ "comment": "Block size used by the storage resource, in kilobytes."
+ },
+ {
+ "name": "cluster",
+ "type": "optional",
+ "comment": "The cluster that the resource is a member of, if applicable."
+ },
+ {
+ "name": "fd_max",
+ "type": "optional",
+ "comment": "The maximum number of available file descriptors."
+ },
+ {
+ "name": "fd_used",
+ "type": "optional",
+ "comment": "The current number of open file descriptors."
+ },
+ {
+ "name": "latency",
+ "type": "optional",
+ "comment": "The latency reported by the resource, in milliseconds."
+ },
+ {
+ "name": "mount",
+ "type": "optional",
+ "comment": "The mount point of a storage resource."
+ },
+ {
+ "name": "parent",
+ "type": "optional",
+ "comment": "A generic indicator of hierarchy. For instance, a disk event might include the array id here."
+ },
+ {
+ "name": "read_blocks",
+ "type": "optional",
+ "comment": "Number of blocks read."
+ },
+ {
+ "name": "read_latency",
+ "type": "optional",
+ "comment": "The latency of read operations, in milliseconds."
+ },
+ {
+ "name": "read_ops",
+ "type": "optional",
+ "comment": "Number of read operations."
+ },
+ {
+ "name": "storage",
+ "type": "optional",
+ "comment": "The total amount of storage capacity reported by the resource, in megabytes."
+ },
+ {
+ "name": "storage_free",
+ "type": "required",
+ "comment": "The free amount of storage capacity reported by the resource, in megabytes."
+ },
+ {
+ "name": "storage_free_percent",
+ "type": "required",
+ "comment": "The percentage of storage capacity reported by the resource that is free."
+ },
+ {
+ "name": "storage_used",
+ "type": "required",
+ "comment": "The used amount of storage capacity reported by the resource, in megabytes."
+ },
+ {
+ "name": "storage_used_percent",
+ "type": "required",
+ "comment": "The percentage of storage capacity reported by the resource that is used."
+ },
+ {
+ "name": "write_blocks",
+ "type": "optional",
+ "comment": "The number of blocks written by the resource."
+ },
+ {
+ "name": "write_latency",
+ "type": "optional",
+ "comment": "The latency of write operations, in milliseconds."
+ },
+ {
+ "name": "write_ops",
+ "type": "optional",
+ "comment": "The total number of write operations processed by the resource."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Network",
+ "tags": [["network", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=network",
+ "fields": [
+ {
+ "name": "thruput",
+ "type": "required",
+ "comment": "The current throughput reported by the service, in bytes."
+ },
+ {
+ "name": "thruput_max",
+ "type": "optional",
+ "comment": "The maximum possible throughput reported by the service, in bytes."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "OS",
+ "tags": [["os", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=os",
+ "fields": [
+ {
+ "name": "signature",
+ "type": "required",
+ "comment": "The event description signature, if available."
+ },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Timesync",
+ "tags": [["performance", "os", "performance", "synchronize"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=synchronize tag=time",
+ "fields": [
+ {
+ "name": "action",
+ "type": "required",
+ "expected_values": [
+ "success",
+ "failure"
+ ],
+ "comment": "The result of a time sync event."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Uptime",
+ "tags": [["uptime", "os", "performance"]],
+ "fields_cluster": [],
+ "search_constraints": "tag=uptime",
+ "fields": [
+ {
+ "name": "uptime",
+ "type": "required",
+ "comment": "The uptime of the compute resource, in seconds."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }
+
+ ]
+ }
+ ]
+}
diff --git a/pytest_splunk_addon/data_models/Ticket_Management.json b/pytest_splunk_addon/data_models/Ticket_Management.json
new file mode 100644
index 000000000..fa809ad7e
--- /dev/null
+++ b/pytest_splunk_addon/data_models/Ticket_Management.json
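Review bot: The `Timesync` dataset's tag list reads `["performance", "os", "performance", "synchronize"]` — `performance` is repeated and `time` is missing, even though its `search_constraints` is `tag=synchronize tag=time` and every sibling dataset lists exactly the tags its own constraint and its ancestors require. If the tag list drives data-model matching the way the sibling entries suggest, events tagged `time synchronize os performance` will not resolve to this dataset. Change it to `"tags": [["time", "synchronize", "os", "performance"]],`. There is also a stray empty line between the last `child_dataset` entry and the closing `]` near the end of the file.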
@@ -0,0 +1,129 @@
+
+{
+ "model_name": "Ticket_Management",
+ "version": "1.0.0",
+ "objects": [
+ {
+ "name": "All_Ticket_Management",
+ "tags": [["ticketing"]],
+ "search_constraints": "tag=ticketing",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "affect_dest",
+ "type": "optional",
+ "comment": "Destinations affected by the service request."
+ },
+ {
+ "name": "comments",
+ "type": "optional",
+ "comment": "Comments about the service request."
+ },
+ {
+ "name": "description",
+ "type": "optional",
+ "comment": "The description of the service request."
+ },
+ {
+ "name": "priority",
+ "type": "required",
+ "comment": "The relative priority of the service request."
+ },
+ {
+ "name": "severity",
+ "type": "required",
+ "comment": "The relative severity of the service request."
+ },
+ {
+ "name": "severity_id",
+ "type": "required",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
+ {
+ "name": "splunk_id",
+ "type": "optional",
+ "comment": "The unique identifier of the service request as it pertains to Splunk. For example, 14DA67E8-6084-4FA8-9568-48D05969C522@@_internal@@0533eff241db0d892509be46cd3126e30e0f6046."
+ },
+ {
+ "name": "splunk_realm",
+ "type": "optional",
+ "comment": "The Splunk application or use case associated with the unique identifier (splunk_id). For example, es_notable."
+ },
+ {
+ "name": "src_user",
+ "type": "optional",
+ "comment": "The user or entity that created or triggered the service request, if applicable."
+ },
+ {
+ "name": "status",
+ "type": "required",
+ "comment": "The relative status of the service request."
+ },
+ {
+ "name": "time_submitted",
+ "type": "optional",
+ "comment": "The time that the src_user submitted the service request."
+ },
+ {
+ "name": "user",
+ "type": "optional",
+ "comment": "The name of the user or entity that is assigned to carry out the service request, if applicable."
+ },
+ {
+ "name": "dest",
+ "type": "required",
+ "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ },
+ {
+ "name": "ticket_id",
+ "type": "required",
+ "comment": "An identification name, code, or number for the service request."
+ }
+ ],
+ "child_dataset": [
+ {
+ "name": "Change",
+ "tags": [["change", "ticketing"]],
+ "search_constraints": "tag=change",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "change",
+ "type": "optional",
+ "comment": "Designation for a request for change (RFC) that is raised to modify an IT service to resolve an incident or problem."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Incident",
+ "tags": [["incident", "ticketing"]],
+ "search_constraints": "tag=incident",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "incident",
+ "type": "optional",
+ "comment": "The destination of the service request. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name."
+ }
+ ],
+ "child_dataset": []
+ },
+ {
+ "name": "Problem",
+ "tags": [["problem", "ticketing"]],
+ "search_constraints": "tag=problem",
+ "fields_cluster": [],
+ "fields": [
+ {
+ "name": "problem",
+ "type": "optional",
+ "comment": "When multiple occurrences of related incidents are observed, they are collectively designated with a single problem value. Problem management differs from the process of managing an isolated incident. Often problems are managed by a specific set of staff and through a problem management process."
+ }
+ ],
+ "child_dataset": []
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/pytest_splunk_addon/data_models/Updates.json b/pytest_splunk_addon/data_models/Updates.json
index 7478acb94..ba8e35601 100644
--- a/pytest_splunk_addon/data_models/Updates.json
+++ b/pytest_splunk_addon/data_models/Updates.json
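Review bot: The `incident` field's comment in the `Incident` dataset is a copy of the `dest` comment ("The destination of the service request. You can alias this from more specific fields…"), which is wrong for a field that names the incident record; the sibling `change` and `problem` fields each describe their own designation. Replace it with a comment describing the incident designation itself, e.g. `"comment": "Designation for the incident that the service request tracks."`, worded to match the model's documentation. The file also begins with an empty line and ends without a trailing newline (`\ No newline at end of file`); both are harmless to the JSON loader but inconsistent with the other model files.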
@@ -42,6 +42,11 @@
 ],
 "comment":"The severity associated with the patch event."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
@@ -67,7 +72,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment":"The vendor and product of the patch monitoring product, such as Lumension Patch Manager. This field can be automatically populated by vendor and product fields in your data."
 }
 ],
diff --git a/pytest_splunk_addon/data_models/Vulnerabilities.json b/pytest_splunk_addon/data_models/Vulnerabilities.json
index 16bdcc208..96eb322a1 100644
--- a/pytest_splunk_addon/data_models/Vulnerabilities.json
+++ b/pytest_splunk_addon/data_models/Vulnerabilities.json
@@ -69,11 +69,21 @@
 ],
 "comment":"The severity of the vulnerability detection event. Specific values are required."
 },
+ {
+ "name": "severity_id",
+ "type": "optional",
+ "comment": "The numeric or vendor specific severity indicator corresponding to the event severity."
+ },
 {
 "name": "signature",
 "type": "required",
 "comment":"The name of the vulnerability detected on the host, such as HPSBMU02785 SSRT100526 rev.2 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS)."
 },
+ {
+ "name": "signature_id",
+ "type": "optional",
+ "comment": "The unique identifier or event code of the event signature."
+ },
 {
 "name": "url",
 "type": "optional",
@@ -86,7 +96,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment":"The vendor and product that detected the vulnerability. This field can be automatically populated by vendor and product fields in your data."
 },
 {
diff --git a/pytest_splunk_addon/data_models/Web.json b/pytest_splunk_addon/data_models/Web.json
index 05807c28a..0aaaf56aa 100644
--- a/pytest_splunk_addon/data_models/Web.json
+++ b/pytest_splunk_addon/data_models/Web.json
@@ -115,6 +115,11 @@
 "type": "required",
 "comment": "The URL of the requested HTTP resource."
 },
+ {
+ "name": "url_domain",
+ "type": "required",
+ "comment": "The domain name contained within the URL of the requested HTTP resource."
+ },
 {
 "name": "url_length",
 "type": "optional",
@@ -144,6 +149,21 @@
 "validity": "if(isnum(bytes_out),bytes_out,null())",
 "comment": "The number of outbound bytes transferred."
 },
+ {
+ "name": "http_method",
+ "type": "required",
+ "expected_values": [
+ "GET",
+ "PUT",
+ "POST",
+ "DELETE",
+ "HEAD",
+ "OPTIONS",
+ "CONNECT",
+ "TRACE"
+ ],
+ "comment": "The HTTP method used in the request."
+ },
 {
 "name": "http_user_agent",
 "type": "required",
@@ -172,21 +192,6 @@
 "type": "optional",
 "comment": "The content-type of the requested HTTP resource."
 },
- {
- "name": "http_content_type",
- "type": "optional",
- "expected_values": [
- "GET",
- "PUT",
- "POST",
- "DELETE",
- "HEAD",
- "OPTIONS",
- "CONNECT",
- "TRACE"
- ],
- "comment": "The HTTP method used in the request."
- },
 {
 "name": "response_time",
 "type": "optional",
@@ -205,7 +210,7 @@
 },
 {
 "name": "vendor_product",
- "type": "optional",
+ "type": "required",
 "comment": "The vendor and product of the proxy server, such as Squid Proxy Server. This field can be automatically populated by vendor and product fields in your data."
 },
 {
@@ -218,6 +223,11 @@
 "type": "optional",
 "comment": "The HTTP referrer used in the request. The W3C specification and many implementations misspell this as http_referer. Use a FIELDALIAS to handle both key names."
 },
+ {
+ "name": "http_referrer_domain",
+ "type": "optional",
+ "comment": "The domain name contained within the HTTP referrer used in the request."
+ },
 {
 "name": "site",
 "type": "optional",
@@ -232,9 +242,34 @@
 "fields": [],
 "child_dataset": [],
 "search_constraints": "tag=proxy"
+ },
+ {
+ "name": "Storage",
+ "tags": [["storage", "web"]],
+ "fields_cluster": [],
+ "fields":[
+ {
+ "name": "error_code",
+ "type": "optional",
+ "comment": "The error code that occurred while accessing the storage account"
+ },
+ {
+ "name": "operation",
+ "type": "optional",
+ "comment": "The operation performed on the storage account."
+ },
+ {
+ "name": "storage_name",
+ "type": "optional",
+ "comment": "The name of the bucket or storage account."
+ }
+ ],
+ "child_dataset": [],
+ "search_constraints": "tag=storage"
+ }
 ],
 "search_constraints": "tag=web"
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/pytest_splunk_addon/fields_tests/requirement_test_datamodel_tag_constants.py b/pytest_splunk_addon/fields_tests/requirement_test_datamodel_tag_constants.py
index 6cee7b555..f1b66cdf3 100644
--- a/pytest_splunk_addon/fields_tests/requirement_test_datamodel_tag_constants.py
+++ b/pytest_splunk_addon/fields_tests/requirement_test_datamodel_tag_constants.py
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-# CIM 4.20.2
+# CIM 5.3.2
 # Defines tags associated with data models. Used to determine the DM's associated with tags returned by the Splunk
 # search for eg: 'tag': "['authentication', 'insecure', 'network', 'resolution', 'dns', 'success']" matches
 # 'Authentication': ['authentication'], 'Authentication_Insecure_Authentication': ['authentication', 'insecure'],
diff --git a/pytest_splunk_addon/fields_tests/test_templates.py b/pytest_splunk_addon/fields_tests/test_templates.py
index 109ab77a2..c16cd11b0 100644
--- a/pytest_splunk_addon/fields_tests/test_templates.py
+++ b/pytest_splunk_addon/fields_tests/test_templates.py
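Review bot: The last two lines of the Web.json hunk replace `}` with an identical `}` only to drop the file's trailing newline (`\ No newline at end of file`); keep the newline so the file stays consistent with the other data-model files and future diffs don't churn this line. In the new `Storage` dataset, `"fields":[` is missing the space after the colon that every other key in the file has, and the `error_code` comment lacks a terminating period. Nit-level, but worth fixing while the file is open.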
@@ -20,12 +20,11 @@ import pprint import logging import pytest -from ..addon_parser import Field import json from itertools import chain +from ..addon_parser import Field from ..utilities.log_helper import get_table_output from ..utilities.log_helper import format_search_query_log - from .requirement_test_datamodel_tag_constants import dict_datamodel_tag TOP_FIVE_STRUCTURALLY_UNIQUE_EVENTS_QUERY_PART = " | dedup punct | head 5" diff --git a/pytest_splunk_addon/plugin.py b/pytest_splunk_addon/plugin.py index 5b136c27e..3926774d4 100644 --- a/pytest_splunk_addon/plugin.py +++ b/pytest_splunk_addon/plugin.py @@ -26,8 +26,6 @@ test_generator = None -EXC_MAP = [Exception] - def pytest_configure(config): """ @@ -122,7 +120,6 @@ def pytest_sessionstart(session): SampleXdistGenerator.tokenized_event_source = session.config.getoption( "tokenized_event_source" ).lower() - session.__exc_limits = EXC_MAP if ( SampleXdistGenerator.tokenized_event_source == "store_new" and session.config.getoption("ingest_events").lower() @@ -212,14 +209,3 @@ def init_pytest_splunk_addon_logger(): init_pytest_splunk_addon_logger() LOGGER = logging.getLogger("pytest-splunk-addon") - - -def pytest_exception_interact(node, call, report): - """ - Hook called when an exception is raised during a test. - If the number of occurrences for a specific exception exceeds the limit in session.__exc_limits, pytest exits - https://docs.pytest.org/en/stable/reference/reference.html#pytest.hookspec.pytest_exception_interact - """ - if call.excinfo.type in node.session.__exc_limits: - # pytest exits only for exceptions defined in EXC_MAP - pytest.exit(f"Exiting pytest due to: {call.excinfo.type}") diff --git a/pytest_splunk_addon/splunk.py b/pytest_splunk_addon/splunk.py index 1e77ad0ec..d81c03d3f 100644 --- a/pytest_splunk_addon/splunk.py +++ b/pytest_splunk_addon/splunk.py 
@@ -979,7 +979,7 @@ def is_responsive_hec(request, splunk):
 f'{request.config.getoption("splunk_hec_scheme")}://{splunk["forwarder_host"]}:{splunk["port_hec"]}/services/collector/health/1.0',
 verify=False,
 )
- LOGGER.debug("Status code: {}".format(response.status_code))
+ LOGGER.debug("Status code: %d", response.status_code)
 if response.status_code in (200, 201):
 LOGGER.info("Splunk HEC is responsive.")
 return True
@@ -1040,7 +1040,8 @@ def is_valid_hec(request, splunk):
 data={"event": "test_hec", "sourcetype": "hec_token_test"},
 verify=False,
 )
- LOGGER.debug("Status code: {}".format(response.status_code))
+ LOGGER.debug("Status code: %d", response.status_code)
+
 if response.status_code == 200:
 LOGGER.info("Splunk HEC is valid.")
 else:
diff --git a/pytest_splunk_addon/tools/cim_field_report.py b/pytest_splunk_addon/tools/cim_field_report.py
deleted file mode 100644
index b5a55a356..000000000
--- a/pytest_splunk_addon/tools/cim_field_report.py
+++ /dev/null
@@ -1,558 +0,0 @@ -# -# Copyright 2024 Splunk Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -import os.path -import sys -import logging -import json -import argparse -import time -import traceback - -sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..")) - -from splunksplwrapper.manager.jobs import Jobs -from splunksplwrapper.splunk.cloud import CloudSplunk -from pytest_splunk_addon.addon_parser import AddonParser - -from splunklib import binding - -logging.basicConfig( - format="%(asctime)s.%(msecs)03d %(name)s %(levelname)s %(message)s", - datefmt="%Y-%m-%d %H:%M:%S", - level=logging.ERROR, -) - -LOGGER = logging.getLogger("cim-field-report") - - -def get_config(): - """Defines and collects and validates script command arguments - Additionally - set log level for script logging, - calls sys.exit if --splunk-app folder does not exist - - Returns - ------- - argparse.Namespace - the populated namespace. - """ - - parser = argparse.ArgumentParser( - description="Python Script to test Splunk functionality" - ) - - parser.add_argument( - "--splunk-index", - dest="splunk_index", - default="*", - type=str, - help="Splunk index to be used as a source for the report. 
Default is *", - ) - parser.add_argument( - "--splunk-web-scheme", - dest="splunk_web_scheme", - default="https", - type=str, - choices=["http", "https"], - help="Splunk connection schema https or http, default is https.", - ) - parser.add_argument( - "--splunk-host", - dest="splunk_host", - default="127.0.0.1", - type=str, - help="Address of the " - "Splunk REST API server host to connect. Default is 127.0.0.1", - ) - parser.add_argument( - "--splunk-port", - dest="splunk_port", - default="8089", - type=int, - help="Splunk Management port. default is 8089.", - ) - parser.add_argument( - "--splunk-user", - dest="splunk_user", - default="admin", - type=str, - help="Splunk login user. The user should have search capabilities.", - ) - parser.add_argument( - "--splunk-password", - dest="splunk_password", - type=str, - required=True, - help="Password of the Splunk user", - ) - parser.add_argument( - "--splunk-app", - dest="splunk_app", - type=str, - required=True, - help="Path to Splunk app package. The package " - "should have the configuration files in the default folder.", - ) - parser.add_argument( - "--splunk-report-file", - dest="splunk_report_file", - default="cim_field_report.json", - type=str, - help="Output file for cim field report. Default is: cim_field_report.json", - ) - parser.add_argument( - "--splunk-max-time", - dest="splunk_max_time", - default="120", - type=int, - help="Search query execution time out in seconds. 
Default is: 120", - ) - parser.add_argument( - "--log-level", - dest="log_level", - default="ERROR", - type=str, - choices=["CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG"], - help="Logging level used by the tool", - ) - - args = parser.parse_args() - LOGGER.setLevel(args.log_level) - - if not os.path.exists(args.splunk_app) or not os.path.isdir(args.splunk_app): - msg = "There is no such directory: {}".format(args.splunk_app) - LOGGER.error(msg) - sys.exit(msg) - - return args - - -def collect_job_results(job, acc, fn): - """Collects all job results by requesting pages of 1000 items - - Parameters - ---------- - job : splunksplwrapper.manager.jobs.job - Finished job ready to collect results - acc : any - An accumulator object that collects job results - fn : function - External function that receives accumulator object and job results one by one. - This function controls how results are transformed and accumulated - - Returns - ------- - any - The accumulator object passes as argument acc - """ - - offset, count = 0, 1000 - while True: - records = job.get_results(offset=offset, count=count).as_list - LOGGER.debug( - f"Read fields: offset: {offset}, count: {count}, found: {len(records)}" - ) - fn(acc, records) - offset += count - if len(records) < count: - break - - return acc - - -def collect_punct_and_eventtype(data, records): - """Accumulator function to be used with collect_job_results. 
- - Accumulates punct and eventtype values, used in get_punct_by_eventtype - - Parameters - ---------- - data : [set(), {}] - Accumulator object to be updated (see collect_job_results acc argument) - records : list - SPL job result entries (result of job.get_results(...).as_list) - """ - - for record in records: - eventtype = record["eventtype"] - punct = record["punct"] - if isinstance(eventtype, list): - for entry in eventtype: - new_val = (entry, punct) - if new_val not in data: - data.append(new_val) - else: - new_val = (eventtype, punct) - if new_val not in data: - data.append(new_val) - - -def get_punct_by_eventtype(jobs, eventtypes, config): - """Runs SPL request to collect all unique eventtype+punct pairs from splunk instance - - Parameters - ---------- - jobs : splunksplwrapper.manager.jobs.Jobs - Jobs object capable to create a new splunk search job - eventtypes : list - List of splunk eventtypes names taken from TA configurations - config : dict - configuration settings mainly collected from command arguments - - Returns - ------- - list - list of tuples of 2 elements, representing collected unique pairs of eventtype+punct - None - if exception taks places during splunk search request - """ - - start = time.time() - eventtypes_str = ",".join(['"{}"'.format(et) for et in eventtypes]) - query = 'search (index="{}") eventtype IN ({}) | dedup punct,eventtype | table punct,eventtype'.format( - config.splunk_index, eventtypes_str - ) - LOGGER.debug(query) - try: - job = jobs.create(query, auto_finalize_ec=120, max_time=config.splunk_max_time) - job.wait(config.splunk_max_time) - result = collect_job_results(job, [], collect_punct_and_eventtype) - LOGGER.info( - "Time taken to collect eventtype & punct combinations: {} s".format( - time.time() - start - ) - ) - return result - except Exception as e: - LOGGER.error("Errors when executing search!!! 
Error: {}".format(e)) - LOGGER.debug(traceback.format_exc()) - - -def get_field_names(jobs, eventtypes, config): - """Runs SPL request to collect all field names from events with specific eventtypes - - Parameters - ---------- - jobs : splunksplwrapper.manager.jobs.Jobs - Jobs object capable to create a new splunk search job - eventtypes : list - List of splunk eventtypes names taken from TA configurations - config : dict - configuration settings mainly collected from command arguments - - Returns - ------- - list - collected field names - None - if exception taks places during splunk search request - """ - - start = time.time() - eventtypes_str = ",".join(['"{}"'.format(et) for et in eventtypes]) - query = 'search (index="{}") eventtype IN ({}) | fieldsummary'.format( - config.splunk_index, eventtypes_str - ) - LOGGER.debug(query) - try: - job = jobs.create(query, auto_finalize_ec=120, max_time=config.splunk_max_time) - job.wait(config.splunk_max_time) - result = collect_job_results( - job, [], lambda acc, recs: acc.extend([v["field"] for v in recs]) - ) - LOGGER.info( - "Time taken to collect field names: {} s".format(time.time() - start) - ) - return result - except Exception as e: - LOGGER.error("Errors when executing search!!! Error: {}".format(e)) - LOGGER.debug(traceback.format_exc()) - - -def update_summary(data, records): - """Accumulator function to be used with collect_job_results. 
- - Parameters - ---------- - data : [set(), {}] - Accumulator object to be updated (see collect_job_results acc argument) - records : list - SPL job result entries (result of job.get_results(...).as_list) - """ - - sourcetypes, summary = data - for entry in records: - if "sourcetype" in entry: - sourcetypes.add(entry.pop("sourcetype")) - - field_set = frozenset(entry.keys()) - if field_set in summary: - summary[field_set] += 1 - else: - summary[field_set] = 1 - - -def get_fieldsummary(jobs, punct_by_eventtype, config): - """Runs SPL request to extract events for specific punct+eventtype values combinations. - Builds fieldsummary information for each collected event group - - Parameters - ---------- - jobs : splunksplwrapper.manager.jobs.Jobs - Jobs object capable to create a new splunk search job - punct_by_eventtype : list - List of tuples of 2 elements, representing collected unique pairs of eventtype+punct - config : dict - configuration settings mainly collected from command arguments - - Returns - ------- - dict - dict key - eventtype, dict value - a list of fields summaries per punct - """ - start = time.time() - - result = {} - for eventtype, punct in punct_by_eventtype: - result[eventtype] = [] - query_templ = 'search (index="{}") eventtype="{}" punct="{}" | fieldsummary' - query = query_templ.format( - config.splunk_index, - eventtype, - punct.replace("\\", "\\\\").replace('"', '\\"'), - ) - LOGGER.debug(query) - try: - job = jobs.create( - query, auto_finalize_ec=120, max_time=config.splunk_max_time - ) - job.wait(config.splunk_max_time) - summary = collect_job_results(job, [], lambda acc, recs: acc.extend(recs)) - except Exception as e: - LOGGER.error("Errors executing search: {}".format(e)) - LOGGER.debug(traceback.format_exc()) - - try: - for f in summary: - f["values"] = json.loads(f["values"]) - result[eventtype].append(summary) - except Exception as e: - LOGGER.warn('Parameter "values" is not a json object: {}'.format(e)) - 
LOGGER.debug(traceback.format_exc()) - - LOGGER.info("Time taken to build fieldsummary: {}".format(time.time() - start)) - return result - - -def get_fieldsreport(jobs, eventtypes, fields, config): - """Runs SPL requests to prepare unique lists of extracted fields for each eventtype - - Parameters - ---------- - jobs : splunksplwrapper.manager.jobs.Jobs - Jobs object capable to create a new splunk search job - eventtypes : list - List of splunk eventtypes names taken from TA configurations - fields : list - List of expected field names - config : dict - configuration settings mainly collected from command arguments - - Returns - ------- - (dict, set) - Returns 2 values - extracted field lists per eventtype and set of unique sourcetypes collected in SPL requests - """ - - start = time.time() - report, sourcetypes = {}, set() - field_list = ",".join(['"{}"'.format(f) for f in fields]) - for eventtype, tags in eventtypes.items(): - query = 'search (index="{}") eventtype="{}" | table sourcetype,{}'.format( - config.splunk_index, eventtype, field_list - ) - try: - job = jobs.create( - query, auto_finalize_ec=120, max_time=config.splunk_max_time - ) - job.wait(config.splunk_max_time) - et_sourcetypes, et_summary = collect_job_results( - job, [set(), {}], update_summary - ) - sourcetypes = sourcetypes.union(et_sourcetypes) - report[eventtype] = { - "tags": tags, - "sourcetypes": list(et_sourcetypes), - "summary": [ - {"fields": sorted(list(k)), "count": v} - for k, v in et_summary.items() - ], - } - except Exception as e: - LOGGER.error("Errors when executing search!!! 
Error: {}".format(e)) - LOGGER.debug(traceback.format_exc()) - - LOGGER.info( - "Time taken to build fields extractions section: {} s".format( - time.time() - start - ) - ) - return report, sourcetypes - - -def read_ta_meta(config): - """Extracts TA's name and version from TA app.manifest file - - Parameters - ---------- - config : dict - configuration settings mainly collected from command arguments, - required to locate TA configuration files - - Returns - ------- - dict - { - "name": "", - "version": "" - } - """ - - app_manifest = os.path.join(config.splunk_app, "app.manifest") - with open(app_manifest) as f: - manifest = json.load(f) - - ta_id_info = manifest.get("info", {}).get("id", {}) - return {k: v for k, v in ta_id_info.items() if k in ["name", "version"]} - - -def build_report(jobs, eventtypes, config): - """Puts together all report sections (ta_name (meta), sourcetypes, - fieldsreport, fieldsummary), saves report to file - - Parameters - ---------- - jobs : splunksplwrapper.manager.jobs.Jobs - Jobs object capable to create a new splunk search job - eventtypes : list - List of splunk eventtypes names taken from TA configurations - config : dict - configuration settings mainly collected from command arguments - """ - - start = time.time() - - fields = get_field_names(jobs, eventtypes, config) - if fields: - fieldsreport, sourcetypes = get_fieldsreport(jobs, eventtypes, fields, config) - else: - fieldsreport, sourcetypes = "No field extractions discovered", [] - - punct_by_eventtype = get_punct_by_eventtype(jobs, eventtypes, config) - if punct_by_eventtype: - fieldsummary = get_fieldsummary(jobs, punct_by_eventtype, config) - else: - fieldsummary = "No punct by eventtype combinations discovered" - - summary = { - "ta_name": read_ta_meta(config), - "sourcetypes": list(sourcetypes), - "fieldsreport": fieldsreport, - "fieldsummary": fieldsummary, - } - - with open(config.splunk_report_file, "w") as f: - json.dump(summary, f, indent=4) - - LOGGER.info("Total 
time taken to generate report: {} s".format(time.time() - start)) - - -def get_addon_eventtypes(addon_path): - """Extracts TA specific eventtypes from the TA's conf files - - Parameters - ---------- - addon_path : str - path to TA package folder - - Returns - ------- - list - Eventtypes defined in the TA conf - """ - - parser = AddonParser(addon_path) - - eventtypes = { - eventtype["stanza"]: [] - for eventtype in parser.eventtype_parser.get_eventtypes() - } - - for item in parser.tags_parser.get_tags(): - stanza, tag, enabled = item["stanza"], item["tag"], item["enabled"] - parts = [s.strip().strip('"') for s in stanza.split("=", 1)] - if len(parts) > 1 and parts[0] == "eventtype": - eventtype = parts[1] - if enabled and eventtype in eventtypes and tag not in eventtypes[eventtype]: - eventtypes[eventtype].append(tag) - - LOGGER.debug(eventtypes) - return eventtypes - - -def main(): - """Main script method and entry point""" - - config = get_config() - - splunk_cfg = { - "splunkd_scheme": config.splunk_web_scheme, - "splunkd_host": config.splunk_host, - "splunkd_port": config.splunk_port, - "username": config.splunk_user, - "password": config.splunk_password, - } - - try: - eventtypes = get_addon_eventtypes(config.splunk_app) - - cloud_splunk = CloudSplunk(**splunk_cfg) - conn = cloud_splunk.create_logged_in_connector() - jobs = Jobs(conn) - - build_report(jobs, eventtypes, config) - - except (TimeoutError, ConnectionRefusedError) as error: - msg = "Failed to connect Splunk instance {}://{}:{}, make sure you provided correct connection information. {}".format( - config.splunk_web_scheme, config.splunk_host, config.splunk_port, error - ) - LOGGER.error(msg) - sys.exit(msg) - except binding.AuthenticationError as error: - msg = "Authentication to Splunk instance has failed, make sure you provided correct Splunk credentials. 
{}".format(
- error
- )
- LOGGER.error(msg)
- sys.exit(msg)
- except Exception as error:
- msg = "Unexpected exception: {}".format(error)
- LOGGER.error(msg)
- LOGGER.debug(traceback.format_exc())
- sys.exit(msg)
-
-
-if __name__ == "__main__":
- main()
diff --git a/tests/e2e/addons/TA_broken/default/transforms.conf b/tests/e2e/addons/TA_broken/default/transforms.conf
index 0bd3e95cf..84b958b1a 100644
--- a/tests/e2e/addons/TA_broken/default/transforms.conf
+++ b/tests/e2e/addons/TA_broken/default/transforms.conf
@@ -48,4 +48,4 @@ case_sensitive_match = false
 # Expected result: FAIL
 [broken-NaN_lookup]
 filename = NaN.csv
-case_sensitive_match = false
+case_sensitive_match = false
\ No newline at end of file
diff --git a/tests/e2e/addons/TA_fiction/default/props.conf b/tests/e2e/addons/TA_fiction/default/props.conf
index 718362600..22fd7537d 100644
--- a/tests/e2e/addons/TA_fiction/default/props.conf
+++ b/tests/e2e/addons/TA_fiction/default/props.conf
@@ -81,6 +81,9 @@ EXTRACT-fiction-fourteen = (?\d+-\d+-\d+).*in ho
 REPORT-fiction-tsc-delim-fields = fiction-tsc-delim-fields
 REPORT-fiction-tsc-sk-regex-format = fiction-tsc-sk-regex-format
 REPORT-fiction-tsc-sk-delim-format = fiction-tsc-sk-delim-format
+REPORT-fiction-tsc-sk-delim-format-with-clean-keys = fiction-tsc-sk-delim-format-with-clean-keys
+REPORT-fiction-tsc-non-alphanumeric = fiction-tsc-non-alphanumeric
+
 ## multiple transforms stanza associated with REPORT
 REPORT-fiction-tsc-regex-format = fiction-tsc-regex, fiction-tsc-regex-format
diff --git a/tests/e2e/addons/TA_fiction/default/transforms.conf b/tests/e2e/addons/TA_fiction/default/transforms.conf
index 3fcacdabe..16ea02595 100644
--- a/tests/e2e/addons/TA_fiction/default/transforms.conf
+++ b/tests/e2e/addons/TA_fiction/default/transforms.conf
@@ -22,6 +22,23 @@ SOURCE_KEY = event_id
 DELIMS = "="
 FIELDS = server_contact_mode, dest
+# Component tested: REPORT, DELIM-FIELDS-SOURCE_KEY
+# Scenario:# Similar to the above scenario
+## Here as CLEAN_KEYS = false server-contact-mode will be searched as is instead of converting it.
+[fiction-tsc-sk-delim-format-with-clean-keys]
+CLEAN_KEYS = false
+SOURCE_KEY = event_id
+DELIMS = "="
+FIELDS = server-contact-mode, dest
+
+# Component tested: REPORT, DELIM
+# Scenario:
+## server-contact-mode should be searched as server_contact_mode as CLEAN_KEYS = true by default[fiction-tsc-non-alphanumeric]
+[fiction-tsc-non-alphanumeric]
+DELIMS = " "
+FIELDS = server-contact, dest_1
+
+
 # Component tested: REPORT, REGEX-FORMAT-SOURCE_KEY
 # Scenario: Source-key with regex and format
 ## An individual search for SOURCE_KEY and each field extracted in FORMAT and a single search of all the fields with SOURCE_KEY.
diff --git a/tests/e2e/constants.py b/tests/e2e/constants.py
index 3e6be5345..2cd7d5217 100644
--- a/tests/e2e/constants.py
+++ b/tests/e2e/constants.py
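Review bot: The stanza name is glued onto the end of the comment line `## server-contact-mode should be searched as server_contact_mode as CLEAN_KEYS = true by default[fiction-tsc-non-alphanumeric]` — harmless to Splunk because the whole line is a comment and the real `[fiction-tsc-non-alphanumeric]` header follows on the next line, but it reads as a copy-paste slip; drop the trailing `[fiction-tsc-non-alphanumeric]` from the comment. The line `# Scenario:# Similar to the above scenario` has a doubled `#` that the neighbouring stanzas do not use (compare `# Scenario: Source-key with regex and format`), so `# Scenario: Similar to the above scenario, but with CLEAN_KEYS disabled` would match the file's style. Since the two new stanzas exist precisely to contrast `CLEAN_KEYS = false` against the default, stating in the second stanza's comment that `server-contact` is expected to surface as `server_contact` (which the updated e2e expectations rely on) would make the intent self-contained.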
@@ -64,6 +64,11 @@
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::dest* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::REPORT-fiction-tsc-regex-format::fiction-tsc-regex* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::REPORT-fiction-tsc-regex-format::fiction-tsc-regex-format* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::REPORT-fiction-tsc-sk-delim-format-with-clean-keys::fiction-tsc-sk-delim-format-with-clean-keys* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::server-contact-mode* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::server_contact* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::dest* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::dest_1* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::size1* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::size2* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::myeval* PASSED*",
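Review bot: The added `"*test_splunk_app_fiction.py::Test_App::test_props_fields*splunkd::field::dest* PASSED*"` duplicates the pattern on the first context line of this hunk; `fnmatch_lines` consumes output lines in order, so the copy only passes if the run emits a second line satisfying it, and because `dest*` also absorbs the `_1` suffix the `dest_1` line can be eaten by this pattern and leave the later `*field::dest_1* PASSED*` entry needing a third match. If the intent is to assert that `dest` is reported once for the existing stanza and once for the new `with-clean-keys` stanza, it is worth confirming that pytest actually produces two distinct `field::dest` IDs rather than de-duplicating them. Anchoring the pattern more tightly, e.g. `*splunkd::field::dest PASSED*` without the glob between field name and status, would remove the overlap with `dest_1`. The list this hunk edits starts and ends outside the hunk.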
@@ -119,6 +124,11 @@
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty**/opt/splunk/var/log/splunk/splunkd.log*::field::splunk_server* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty**/opt/splunk/var/log/splunk/splunkd_access.log*::field::splunk_server* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::EXTRACT-fiction-one* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::REPORT-fiction-tsc-sk-delim-format-with-clean-keys::fiction-tsc-sk-delim-format-with-clean-keys* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::server-contact-mode* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::dest* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::dest_1* PASSED*",
+"*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::server_contact* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::extractone* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::EXTRACT-fiction-two* PASSED*",
 "*test_splunk_app_fiction.py::Test_App::test_props_fields_no_dash_not_empty*splunkd::field::extracttwoA* PASSED*",
@@ -776,6 +786,7 @@
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::action* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::app* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::dest* PASSED*',
+'*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src_user* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::user* PASSED*',
 '*test_splunk_app_req.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Failed_Authentication* PASSED*',
@@ -864,12 +875,12 @@
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_port* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_translated_ip* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_translated_port* PASSED*',
- '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::transport* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Allowed_Traffic* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Traffic_By_Action* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::action* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::app* PASSED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::dest* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::src_user* PASSED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="test_auth"::Authentication::user* PASSED*',
@@ -911,7 +922,9 @@
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::protocol* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::src_zone* FAILED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::transport* FAILED*',
 '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::Blocked_Traffic* FAILED*',
+ '*test_splunk_app_req_broken.py::Test_App::test_cim_required_fields[eventtype="net"::All_Traffic::vendor_product* FAILED*',
 "*test_splunk_app_req_broken.py::Test_App::test_requirements_fields[sample_name::sample_modinput.xml::host::so13* FAILED*",
 "*test_splunk_app_req_broken.py::Test_App::test_cim_fields_recommended[Authentication-::sample_name::sample_modinput.xml::host::so11* FAILED*",
 "*test_splunk_app_req_broken.py::Test_App::test_datamodels[Network_Traffic::sample_name::syslog.xml::host::10.0.0.31* FAILED*",
diff --git a/tests/e2e/test_splunk_addon.py b/tests/e2e/test_splunk_addon.py
index a95820419..006e329fd 100644
--- a/tests/e2e/test_splunk_addon.py
+++ b/tests/e2e/test_splunk_addon.py
@@ -169,8 +169,8 @@ def empty_method():
 assert result.ret == 0
-@pytest.mark.docker
 @pytest.mark.splunk_fiction_indextime_wrong_hec_token
+@pytest.mark.external
 def test_splunk_fiction_indextime_wrong_hec_token(testdir, request):
 """Make sure that pytest accepts our fixture."""
@@ -205,7 +205,11 @@ def empty_method():
 # run pytest with the following cmd args
 result = testdir.runpytest(
 f"--splunk-version={request.config.getoption('splunk_version')}",
- "--splunk-type=docker",
+ "--splunk-type=external",
+ "--splunk-host=splunk",
+ "--splunk-port=8089",
+ "--splunk-forwarder-host=splunk",
+ "--splunk-hec-token=8b741d03-43e9-4164-908b-e09102327d22",
 "-v",
 "--search-interval=0",
 "--search-retry=0",
@@ -213,9 +217,8 @@ def empty_method():
 "--search-index=*,_internal",
 )
- result.assert_outcomes(errors=1, passed=0, failed=0, xfailed=0)
 result.stdout.fnmatch_lines(
- "!!!!!! _pytest.outcomes.Exit: Exiting pytest due to: !!!!!!!"
+ "*_pytest.outcomes.Exit: Exiting pytest due to invalid HEC token value."
 )
 assert result.ret != 0
diff --git a/tests/unit/tests_standard_lib/tests_tools/test_cim_report.py b/tests/unit/tests_standard_lib/test_utilities/test_cim_report.py
similarity index 100%
rename from tests/unit/tests_standard_lib/tests_tools/test_cim_report.py
rename to tests/unit/tests_standard_lib/test_utilities/test_cim_report.py
diff --git a/tests/unit/tests_standard_lib/tests_tools/test_data/sample_cim_report.md b/tests/unit/tests_standard_lib/test_utilities/test_data/sample_cim_report.md
similarity index 100%
rename from tests/unit/tests_standard_lib/tests_tools/test_data/sample_cim_report.md
rename to tests/unit/tests_standard_lib/test_utilities/test_data/sample_cim_report.md
diff --git a/tests/unit/tests_standard_lib/tests_tools/__init__.py b/tests/unit/tests_standard_lib/tests_tools/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/tests/unit/tests_standard_lib/tests_tools/test_cim_field_report.py b/tests/unit/tests_standard_lib/tests_tools/test_cim_field_report.py
deleted file mode 100644
index e3c50b63e..000000000
--- a/tests/unit/tests_standard_lib/tests_tools/test_cim_field_report.py
+++ /dev/null
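Review bot: The hard-coded `"--splunk-hec-token=8b741d03-43e9-4164-908b-e09102327d22"` carries no explanation of why it is the *wrong* token — it is a well-formed UUID, so neither a future reader nor a secret scanner can tell it is a deliberately invalid fixture value rather than a leaked credential; add `# deliberately NOT the HEC token the external Splunk instance is configured with, so ingestion must be rejected` above the `runpytest(` call. With the test now pointed at `--splunk-host=splunk` on port `8089`, a connection failure to that host would end the session with a different Exit message than a bad token, so the message assertion below is what keeps this test honest — it should stay specific. `test_splunk_fiction_indextime_wrong_hec_token` begins before this hunk.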
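Review bot: The new pattern `"*_pytest.outcomes.Exit: Exiting pytest due to invalid HEC token value."` has a leading `*` but no trailing one, and `fnmatch_lines` matches whole lines; pytest prints a session Exit as a separator line padded with `!` on both sides, so if the banner ends with ` !!!!!` the pattern will not match and the test fails for the wrong reason — `"*_pytest.outcomes.Exit: Exiting pytest due to invalid HEC token value.*"` is the safer spelling. Dropping `result.assert_outcomes(errors=1, passed=0, failed=0, xfailed=0)` also means the test no longer pins how far the session got before aborting, and `assert result.ret != 0` alone is satisfied by any failure, so the message match is now the only evidence that the abort came from the token check. If the outcome counts were removed because `pytest.exit` during fixture setup no longer yields exactly one error, a comment saying so would stop the next reader from reinstating them.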
@@ -1,344 +0,0 @@
-import pytest
-from pytest_splunk_addon.tools import cim_field_report
-
-
-@pytest.mark.parametrize(
- "data, records, expected",
- [
- (
- [],
- [
- {
- "punct": '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- "eventtype": "citrix_netscaler_ipfix_lb",
- },
- {
- "punct": '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- "eventtype": [
- "citrix_netscaler_ipfix_Web",
- "citrix_netscaler_ipfix_lb",
- "citrix_netscaler_ipfix_lb_web",
- ],
- },
- {
- "punct": '="",="",="/",="",="",="",="",="",="",="",="--",=""',
- "eventtype": [
- "citrix_netscaler_nitro_stat_lb",
- "citrix_netscaler_nitro_stat_service",
- ],
- },
- {
- "punct": '="",="",="",="",="",="",="",="",="",="",="",="",="',
- "eventtype": "citrix_netscaler_nitro_stat_protocolip",
- },
- ],
- [
- (
- "citrix_netscaler_ipfix_lb",
- '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- ),
- (
- "citrix_netscaler_ipfix_Web",
- '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- ),
- (
- "citrix_netscaler_ipfix_lb_web",
- '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- ),
- (
- "citrix_netscaler_nitro_stat_lb",
- '="",="",="/",="",="",="",="",="",="",="",="--",=""',
- ),
- (
- "citrix_netscaler_nitro_stat_service",
- '="",="",="/",="",="",="",="",="",="",="",="--",=""',
- ),
- (
- "citrix_netscaler_nitro_stat_protocolip",
- '="",="",="",="",="",="",="",="",="",="",="",="",="',
- ),
- ],
- )
- ],
-)
-def test_collect_punct_and_eventtype(data, records, expected):
- cim_field_report.collect_punct_and_eventtype(data, records)
- assert expected == data
-
-
-@pytest.mark.parametrize(
- "data, records, expected",
- [
- (
- (set(), {}),
- [
- {
- "sourcetype": "citrix:netscaler:ipfix",
- "bytes_in": "57016",
- "dest": "174.145.122.167",
- "dest_ip": "174.145.122.167",
- "dest_port": "39888",
- "destinationIPv4Address": "174.145.122.167",
- "destinationTransportPort": "39888",
- "duration": "3346795.701375083",
- "eventtype": [
- "citrix_netscaler_ipfix_Web",
- "citrix_netscaler_ipfix_lb",
- "citrix_netscaler_ipfix_lb_web",
- ],
- "flowEndMicroseconds": "8171933464.406442",
- "flowStartMicroseconds": "4825137763.031359",
- "host": "itgdi_citrix_netscaler_ipfix_unknown.samples_11",
- "http_content_type": "text/html; charset=utf-8",
- "index": "main",
- "ipVersion": "4",
- "linecount": "1",
- "netscalerHttpContentType": "text/html; charset=utf-8",
- "netscalerHttpRspLen": "57016",
- "netscalerHttpRspStatus": "403",
- "protocol_version": "4",
- "punct": '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- "response_code": "403",
- "source": "itgdi_citrix_netscaler_ipfix_unknown.samples",
- "sourceIPv4Address": "120.109.26.123",
- "sourceTransportPort": "504118",
- "splunk_server": "splunk",
- "src": "120.109.26.123",
- "src_ip": "120.109.26.123",
- "src_port": "504118",
- "status": "403",
- "tag": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "tag::eventtype": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "vendor": "Citrix Systems",
- "vendor_product": "Citrix ADC",
- },
- {
- "sourcetype": "citrix:netscaler:ipfix",
- "bytes_in": "23508",
- "dest": "163.17.99.238",
- "dest_ip": "163.17.99.238",
- "dest_port": "49983",
- "destinationIPv4Address": "163.17.99.238",
- "destinationTransportPort": "49983",
- "duration": "1188715.359898319",
- "eventtype": [
- "citrix_netscaler_ipfix_Web",
- "citrix_netscaler_ipfix_lb",
- "citrix_netscaler_ipfix_lb_web",
- ],
- "flowEndMicroseconds": "8589329539.304007",
- "flowStartMicroseconds": "7400614179.405687",
- "host": "itgdi_citrix_netscaler_ipfix_unknown.samples_10",
- "http_content_type": "image/png",
- "index": "main",
- "ipVersion": "4",
- "linecount": "1",
- "netscalerHttpContentType": "image/png",
- "netscalerHttpRspLen": "23508",
- "netscalerHttpRspStatus": "200",
- "protocol_version": "4",
- "punct": '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- "response_code": "200",
- "source": "itgdi_citrix_netscaler_ipfix_unknown.samples",
- "sourceIPv4Address": "115.79.46.87",
- "sourceTransportPort": "992044",
- "splunk_server": "splunk",
- "src": "115.79.46.87",
- "src_ip": "115.79.46.87",
- "src_port": "992044",
- "status": "200",
- "tag": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "tag::eventtype": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "vendor": "Citrix Systems",
- "vendor_product": "Citrix ADC",
- },
- {
- "sourcetype": "citrix:netscaler:ipfix",
- "client_type": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36",
- "dest": "199.33.23.11",
- "dest_ip": "199.33.23.11",
- "dest_port": "7234",
- "destinationIPv4Address": "199.33.23.11",
- "destinationTransportPort": "7234",
- "duration": "-5248395.997224312",
- "eventtype": [
- "citrix_netscaler_ipfix_Web",
- "citrix_netscaler_ipfix_lb",
- "citrix_netscaler_ipfix_lb_web",
- ],
- "flowEndMicroseconds": "2443005355.4003525",
- "flowStartMicroseconds": "7691401352.624664",
- "host": "itgdi_citrix_netscaler_ipfix_unknown.samples_9",
- "http_content_type": "text/html; charset=UTF-8",
- "http_method": "GET",
- "http_referrer": "https://aaaaa/bbbbb/ccccc",
- "http_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36",
- "http_user_agent_length": "109",
- "index": "main",
- "ipVersion": "4",
- "linecount": "1",
- "netscalerAaaUsername": "anonymous",
- "netscalerHttpContentType": "text/html; charset=UTF-8",
- "netscalerHttpReqMethod": "GET",
- "netscalerHttpReqReferer": "https://aaaaa/bbbbb/ccccc",
- "netscalerHttpReqUrl": "aaaaa/bbbbb/ccccc",
- "netscalerHttpReqUserAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36",
- "protocol_version": "4",
- "punct": '="";_="";_="";_="";_="";_="";_="";_="";_="";_="...',
- "source": "itgdi_citrix_netscaler_ipfix_unknown.samples",
- "sourceIPv4Address": "126.200.174.140",
- "sourceTransportPort": "615762",
- "splunk_server": "splunk",
- "src": "126.200.174.140",
- "src_ip": "126.200.174.140",
- "src_port": "615762",
- "tag": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "tag::eventtype": [
- "inventory",
- "loadbalancer",
- "loadbalancer_web",
- "network",
- "performance",
- "web",
- ],
- "url": "aaaaa/bbbbb/ccccc",
- "url_length": "17",
- "user": "anonymous",
- "vendor": "Citrix Systems",
- "vendor_product": "Citrix ADC",
- },
- ],
- (
- {"citrix:netscaler:ipfix"},
- {
- frozenset(
- {
- "dest_ip",
- "linecount",
- "netscalerHttpRspLen",
- "src_ip",
- "flowStartMicroseconds",
- "dest",
- "host",
- "destinationTransportPort",
- "tag",
- "sourceIPv4Address",
- "protocol_version",
- "status",
- "duration",
- "vendor",
- "flowEndMicroseconds",
- "ipVersion",
- "src",
- "sourceTransportPort",
- "destinationIPv4Address",
- "bytes_in",
- "source",
- "splunk_server",
- "tag::eventtype",
- "vendor_product",
- "dest_port",
- "netscalerHttpRspStatus",
- "index",
- "response_code",
- "punct",
- "http_content_type",
- "src_port",
- "eventtype",
- "netscalerHttpContentType",
- }
- ): 2,
- frozenset(
- {
- "dest_ip",
- "linecount",
- "src_ip",
- "netscalerHttpReqUrl",
- "netscalerHttpReqUserAgent",
- "netscalerAaaUsername",
- "url",
- "http_method",
- "flowStartMicroseconds",
- "dest",
- "host",
- "url_length",
- "destinationTransportPort",
- "tag",
- "http_referrer",
- "sourceIPv4Address",
- "protocol_version",
- "duration",
- "vendor",
- "http_user_agent",
- "flowEndMicroseconds",
- "ipVersion",
- "src",
- "sourceTransportPort",
- "destinationIPv4Address",
- "source",
- "tag::eventtype",
- "splunk_server",
- "vendor_product",
- "dest_port",
- "client_type",
- "index",
- "http_user_agent_length",
- "user",
- "punct",
- "http_content_type",
- "netscalerHttpReqMethod",
- "src_port",
- "eventtype",
- "netscalerHttpReqReferer",
- "netscalerHttpContentType",
- }
- ): 1,
- },
- ),
- )
- ],
-)
-def test_update_summary(data, records, expected):
- cim_field_report.update_summary(data, records)
- real_sourcetypes, real_summary = data
- expected_sourcetypes, expected_summary = expected
-
- assert real_sourcetypes == expected_sourcetypes
- for k, v in expected_summary.items():
- assert real_summary.get(k)
- assert real_summary[k] == v