Update props.conf

derkkila · derkkila · commit f893a05da311 · 2023-09-25T15:47:43.000-04:00
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
@@ -1,13 +1,15 @@
 [default]
 
 [GithubEnterpriseServerLog]
+# Basic settings
 DATETIME_CONFIG =
 LINE_BREAKER = ([\r\n]+)
 NO_BINARY_CHECK = true
 category = Application
 pulldown_type = true
 TIME_FORMAT =
 TZ =
+#Calculated Fields
 EXTRACT-audit_event = github_audit\[\d+\]\:\s(?<audit_event>.*)
 EXTRACT-audit_fields = \"(?<_KEY_1>.*?)\"\:\"*(?<_VAL_1>.*?)\"*,
 EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?<github_log_type>.*?)\:
@@ -16,14 +18,18 @@ FIELDALIAS-source = github_log_type AS source
 FIELDALIAS-user = actor AS user
 
 [GithubEnterpriseServerAuditLog]
-EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?<source_host>\S+)\s+(?<app>[^:]+)+:\s+(?<authentication_service>\S+) : TTY=(?<authentication_method>\S+) ; PWD=(?<path>\S+) ; USER=(?<src_user>\S+) ; COMMAND=(?<service>.*)
-EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
-EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
+#Calculated Fields
 EVAL-action = "success"
+EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
 EVAL-src = replace(source_host, "\-", ".")
+EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
+# Field Extractions
+EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?<source_host>\S+)\s+(?<app>[^:]+)+:\s+(?<authentication_service>\S+) : TTY=(?<authentication_method>\S+) ; PWD=(?<path>\S+) ; USER=(?<src_user>\S+) ; COMMAND=(?<service>.*)
+# Field Aliases
 FIELDALIAS-user = actor AS user
 
 [collectd_github]
+# Basic settings
 ADD_EXTRA_TIME_FIELDS = false
 ANNOTATE_PUNCT = false
 BREAK_ONLY_BEFORE_DATE =
@@ -119,7 +125,6 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity = if(isnotnull(secret_type),"critical",severity)
 EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
@@ -128,47 +133,59 @@ EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null
 EVAL-submission_date = if(isnotnull('issue.created_at'), 'issue.created_at', null())
 EVAL-vendor_product = "github"
 EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
-# Field Aliases
-FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
-FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
-FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
-FIELDALIAS-user = actor AS user
-FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
 # Field Extractions
 EXTRACT-change_type = "action":"(?<change_type>[^\.]+).*","((actor)|(workflow)|(_document))
 EXTRACT-commit_branch = (?<commit_branch>(?<=refs\/heads\/)[\-\w\d\s]*)
 EXTRACT-commit_hash = | spath commits{} output=commits  | mvexpand commits  | rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"
 EXTRACT-release_tags = "ref":"refs\/tags\/(?<release_tags>[0-9|aA-zZ.]*)"
 EXTRACT-object = "repo":".+/{1}(?<object>[^"]+)",
+# Field Aliases
+FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
+FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
+FIELDALIAS-user = actor AS user
+FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
+# Other
 REPORT-issueNumber = issueNumber
 
 [github_audit]
+# Basic settings
 KV_MODE = JSON
-FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc
-EVAL-command = mvdedup(action)
-EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+DATETIME_CONFIG = 
+LINE_BREAKER = ([\r\n]+)
+SHOULD_LINEMERGE = false
+pulldown_type = true
+# Calculated Fields
 EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+EVAL-command = mvdedup(action)
 EVAL-dvc = replace(host, ":\d+", "")
-EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
-EVAL-user = mvdedup(user)
+EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL))))
 EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
 EVAL-protocol = mvdedup(transport_protocol_name)
-EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL))))
-EVAL-vendor_product = "github"
 EVAL-status = "success"
-EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
+EVAL-user = mvdedup(user)
+EVAL-vendor_product = "github"
+# Field Extractions
+EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+# Field Aliases
+FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc
 
 [github:enterprise:audit]
+# Calculated Fields
+EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
 EVAL-command = mvdedup(action)
+EVAL-dvc = replace(host, ":\d+", "")
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
+EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-protocol = mvdedup(transport_protocol_name)
+EVAL-status = "success"
 EVAL-user = mvdedup(user)
+EVAL-vendor_product = "github"
+# Field Extractions
 EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+# Field Aliases
 FIELDALIAS-field mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc
-EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
 FIELDALIAS-user = actor AS user
-EVAL-dvc = replace(host, ":\d+", "")
-EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
-EVAL-protocol = mvdedup(transport_protocol_name)
-EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
-EVAL-vendor_product = "github"
-EVAL-status = "success"
-EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
