Eventtype Update

derkkila · derkkila · commit 20df6c319dd6 · 2022-06-28T11:33:21.000-04:00
Updated Eventtype list and added tags.conf to tag eventtypes for data model use in the future.
diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
@@ -1,9 +1,27 @@
+[GitHub::Change]
+search = `github_source` action=* sourcetype="github:enterprise:audit" OR sourcetype="github_audit"
+
+[GitHub::CodeScanning]
+search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
+
+[GitHub::CodeVulnerability]
+search = `github_webhooks` (eventtype="GitHub::CodeScanning") "alert.html_url"="*/security/code-scanning/*"
+
 [GitHub::Issue]
 search = `github_webhooks` action IN ("opened","edited","deleted","pinned","unpinned","closed","reopened","assigned","unassigned","labeled","unlabeled","locked","unlocked","transferred","milestoned","demilestoned") "issue.number"=* NOT "comment.body"=*
 
 [GitHub::Issue::Comment]
 search = `github_webhooks` action IN ("created","edited","deleted") "issue.number"=* "comment.body"=*
 
+[GitHub::Project]
+search = `github_webhooks` action IN ("created","edited","closed","reopenend","deleted") "project.number"=*
+
+[GitHub::Project::Card]
+search = `github_webhooks` action IN ("created","edited","moved","converted","deleted") "project_card.id"=*
+
+[GitHub::Project::Column]
+search = `github_webhooks`  action IN ("created","edited","moved","deleted") "project_column.id"=*
+
 [GitHub::PullRequest]
 search = `github_webhooks` action IN ("opened","edited","closed","assigned","unassigned","review_requested","review_request_removed","ready_for_review","converted_to_draft","labeled","unlabeled","synchronize","auto_merge_enabled","auto_merge_disabled","locked","unlocked","reopened") number=* "pull_request.id"=*
 
@@ -13,29 +31,23 @@ search = `github_webhooks` action IN ("submitted","edited","dismissed") pull_req
 [GitHub::Push]
 search = `github_webhooks` after=* before=* "commits{}.id"=* ref=* "pusher.name"=*
 
-[GitHub::Repo]
-search = `github_webhooks` action IN ("created","deleted","archived","unarchived","edited","renamed","transferred","publicized","privatized") "repository.name"=* NOT "pull_request.id"=* NOT "project_card.id"=* NOT "project.number"=* NOT "project_column.id"=* NOT "check_run.id"=* NOT "alert.created_at"=* NOT "alert.number"=*
-
-[GitHub::Project]
-search = `github_webhooks` action IN ("created","edited","closed","reopenend","deleted") "project.number"=*
-
-[GitHub::Project::Card]
-search = `github_webhooks` action IN ("created","edited","moved","converted","deleted") "project_card.id"=*
-
-[GitHub::Project::Column]
-search = `github_webhooks`  action IN ("created","edited","moved","deleted") "project_column.id"=*
+[GitHub::Release]
+search = `github_webhooks` action IN ("released","published") release.id=*
 
-[GitHub::Workflow]
-search = `github_webhooks` action IN ("queued","created","in_progress","completed") workflow_job.id=*
+[GitHub::Release::Push]
+search = `github_webhooks` after=* before=* ref=refs/tags*
 
-[GitHub::CodeScanning]
-search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
+[GitHub::Repo]
+search = `github_webhooks` action IN ("created","deleted","archived","unarchived","edited","renamed","transferred","publicized","privatized") "repository.name"=* NOT "pull_request.id"=* NOT "project_card.id"=* NOT "project.number"=* NOT "project_column.id"=* NOT "check_run.id"=* NOT "alert.created_at"=* NOT "alert.number"=*
 
 [GitHub::SecretScanning]
 search = `github_webhooks` action IN ("created", "resolved") "alert.secret_type"=*
 
 [GitHub::VulnerabilityAlert]
 search = `github_webhooks` action IN ("create", "dismiss", "resolve") "alert.external_identifier"=*
 
-[GitHub::Release]
-search = `github_webhooks` action IN ("released","published") release.id=*
+[GitHub::Workflow]
+search = `github_webhooks` action IN ("queued","created","in_progress","completed") workflow_job.id=*
+
+[github:enterprise:authentication]
+search = `github_source` sourcetype=GithubEnterpriseServerAuditLog app=* authentication_service=* signature=*
diff --git a/github_app_for_splunk/default/tags.conf b/github_app_for_splunk/default/tags.conf
@@ -0,0 +1,20 @@
+[sourcetype =%20github_audit]
+
+[sourcetype=github_audit]
+audit = enabled
+change = enabled
+
+[eventtype=GitHub%3A%3AVulnerabilityAlert]
+report = enabled
+vulnerability = enabled
+
+[eventtype=GitHub%3A%3AChange]
+change = enabled
+audit = enabled
+
+[eventtype=GitHub%3A%3ACodeVulnerability]
+report = enabled
+vulnerability = enabled
+
+[eventtype=github%3Aenterprise%3Aauthentication]
+authentication = enabled
