Update props.conf

derkkila · derkkila · commit 171c55dbda30 · 2022-06-28T11:40:30.000-04:00
Merge recent props changes from dev environment
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
@@ -1,4 +1,6 @@
 [default]
+FIELDALIAS-user = actor AS user
+
 [GithubEnterpriseServerLog]
 DATETIME_CONFIG =
 LINE_BREAKER = ([\r\n]+)
@@ -13,6 +15,13 @@ EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?<github_log_type>.*?)\:
 EXTRACT-github_document_id = \"_document_id\"\:\"(?<document_id>.*?)\"
 FIELDALIAS-source = github_log_type AS source
 
+[GithubEnterpriseServerAuditLog]
+EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?<source_host>\S+)\s+(?<app>[^:]+)+:\s+(?<authentication_service>\S+) : TTY=(?<authentication_method>\S+) ; PWD=(?<path>\S+) ; USER=(?<src_user>\S+) ; COMMAND=(?<service>.*)
+EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
+EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
+EVAL-action = "success"
+EVAL-src = replace(source_host, "\-", ".")
+
 [collectd_github]
 ADD_EXTRA_TIME_FIELDS = false
 ANNOTATE_PUNCT = false
@@ -29,27 +38,50 @@ disabled = false
 pulldown_type = 1
 
 [github_json]
-DATETIME_CONFIG = CURRENT
-LINE_BREAKER = ([\r\n]+)
-NO_BINARY_CHECK = true
-TRUNCATE = 250000
-category = Application
-pulldown_type = 1
-REPORT-github_issue = extractIssueID
-EXTRACT-project_card_issue_number = (.*)\"content_url\":\"(?:.*?)\/issues\/(?<issueNumber>.*?)\"(.*)
-FIELDALIAS-issueNumber = "issue.number" ASNEW issueNumber
-
+FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.html_url" AS dest "repository.owner.login" AS user
+EVAL-dvc = replace(host, ":\d+", "")
+EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
+EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
+FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+disabled = false
+pullrequest_base_sha =
+EVAL-pullrequest_base_sha = 'pull_request.base.sha'
+EVAL-pullrequest_base_user_login = 'pull_request.base.user.login'
+EVAL-repository_name = 'repository.name'
+KV_MODE = json
+EXTRACT-commit_hash = | spath commits{} output=commits  | mvexpand commits  | rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"
+EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned",  'issue.updated_at', null())
+EVAL-issue_tags = if(isnotnull('issue.labels{}.name'), 'issue.labels{}.name', null())
+EVAL-repository_organization = if(isnotnull('organization.login'), 'organization.login', null())
+EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 
 [github_audit]
-DATETIME_CONFIG =
-KV_MODE = json
-LINE_BREAKER = ([\r\n]+)
-NO_BINARY_CHECK = true
-TIMESTAMP_FIELDS = @timestamp
-TIME_FORMAT = %s%3N
-TRUNCATE = 1000000
-TZ = GMT
-category = Application
-disabled = false
-pulldown_type = 1
-FIELDALIAS-user = actor AS user
+KV_MODE = JSON
+FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc
+EVAL-command = mvdedup(action)
+EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+EVAL-dvc = replace(host, ":\d+", "")
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+EVAL-user = mvdedup(user)
+EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-protocol = mvdedup(transport_protocol_name)
+EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL))))
+EVAL-vendor_product = "github"
+EVAL-status = "success"
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
+
+[github:enterprise:audit]
+EVAL-command = mvdedup(action)
+EVAL-user = mvdedup(user)
+EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+FIELDALIAS-field mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc
+EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+EVAL-dvc = replace(host, ":\d+", "")
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+EVAL-protocol = mvdedup(transport_protocol_name)
+EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-vendor_product = "github"
+EVAL-status = "success"
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
