From c2f901a75f5497fcb1fbaff3e0f11b8cef2987f8 Mon Sep 17 00:00:00 2001 From: cwadhwani-splunk Date: Tue, 26 Nov 2024 15:28:47 +0530 Subject: [PATCH 1/2] fix: Non pri cef fix (#2641) * chore(deps): update dependency mkdocs-material to v9.5.42 (#2624) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update splunk/addonfactory-test-matrix-action action to v2.1.9 (#2620) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix: fix CISE_Alarm messages parsing (#2609) * fix: improve SC4S Dashboard performance (#2592) * docs: Removed reference of Cisco eStreamer for Splunk app from ASA/FTD doc (#2629) * docs: Removed reference of Cisco eStreamer for Splunk app * fix: Updated the regex for non pri cef formated logs such that a 'digit' date will be accepted * Updated the regex with some more constraints --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: wojtekzyla <108660584+wojtekzyla@users.noreply.github.com> Co-authored-by: mstopa-splunk <139441697+mstopa-splunk@users.noreply.github.com> --- .../conf.d/conflib/raw/app-raw-bsd_nopri.conf | 2 +- .../conf.d/conflib/raw/app-raw-bsd_nopri.conf | 2 +- tests/test_trellix.py | 34 +++++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; diff --git a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf index fc0a6c679b..7f66031700 100644 --- a/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf +++ b/package/lite/etc/conf.d/conflib/raw/app-raw-bsd_nopri.conf @@ -53,7 +53,7 @@ block parser app-raw-bsd_nopri() { }; application app-raw-bsd_nopri[sc4s-raw-syslog] { filter { - message('^\w\w\w \d\d \d\d:\d\d:\d\d '); + message('^\w{3} ([0 ][1-9]|[12]\d|3[01]) (0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d) '); }; parser { app-raw-bsd_nopri(); }; }; diff --git a/tests/test_trellix.py b/tests/test_trellix.py index 4f0a3dc968..c461e9ea0d 100644 --- a/tests/test_trellix.py +++ b/tests/test_trellix.py @@ -67,3 +67,37 @@ def test_trellix_cms( record_property("message", message) assert result_count == 1 + + +# Nov 2 00:00:00 trellix-host-xxxx CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt=1030482923264 cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects. +@pytest.mark.addons("trellix") +def test_trellix_cef(record_property, get_host_key, setup_splunk, setup_sc4s): + host = "trellix-host-" + get_host_key + + dt = datetime.datetime(2024, 11, 2, 0, 0) + _, bsd, _, _, _, _, epoch = time_operations(dt) + + # hard coding the bsd to test single digit date (Nov 2 00:00:00) + bsd = "Nov 2 00:00:00" + # Tune time functions + epoch = epoch[:-3] + + mt = env.from_string( + "{{ bsd }} {{ host }} CEF:0|Trellix|Database Security|0.0.0|alert|DML Queries executed from the backend|3|externalId=53 rt={{ epoch }} cs1=Finacle Alert_DC_54 cs1Label=DBMS dst=10.10.10.10 src=10.10.10.11 duser=TESTUSER suser=testuser shost=KBPXXXUD00xx6 dproc=sxxxplus@KBPXXXUD00xx6 (TNS V1-V3) act=DELETE cs2=DELETE FROM TESTUSER.XXXX WHERE XXXX.ALERT_REFERENCE_NO \= :B1 cs2Label=SqlStatement cs3=XXXX|ALERT_HISTORY_TBL cs3Label=AccessedObjects." + ) + message = mt.render(bsd=bsd, host=host, epoch=epoch) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="cef"' + ) + search = st.render(epoch=epoch, host=host) + + result_count, _ = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", result_count) + record_property("message", message) + + assert result_count == 1 \ No newline at end of file From a67c59ed8e1ad51d354afda317d98ac4e46530ea Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 1 Dec 2024 13:10:08 +0000 Subject: [PATCH 2/2] chore(deps): update dependency pytest to v8.3.4 --- poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index 8167cbce42..a7af2e4fc7 100644 --- a/poetry.lock +++ b/poetry.lock @@ -910,13 +910,13 @@ diagrams = ["jinja2", "railroad-diagrams"] [[package]] name = "pytest" -version = "8.3.3" +version = "8.3.4" description = "pytest: simple powerful testing with Python" optional = false python-versions = ">=3.8" files = [ - {file = "pytest-8.3.3-py3-none-any.whl", hash = "sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2"}, - {file = "pytest-8.3.3.tar.gz", hash = "sha256:70b98107bd648308a7952b06e6ca9a50bc660be218d53c257cc1fc94fda10181"}, + {file = "pytest-8.3.4-py3-none-any.whl", hash = "sha256:50e16d954148559c9a74109af1eaf0c945ba2d8f30f0a3d3335edde19788b6f6"}, + {file = "pytest-8.3.4.tar.gz", hash = "sha256:965370d062bce11e73868e0335abac31b4d3de0e82f4007408d242b4f8610761"}, ] [package.dependencies]