Update props.conf

derkkila · derkkila · commit c780fadb6315 · 2022-11-30T15:46:07.000-05:00
Added missing fields
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
@@ -39,25 +39,104 @@ disabled = false
 pulldown_type = 1
 
 [github_json]
-FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.html_url" AS dest "repository.owner.login" AS user
-EVAL-dvc = replace(host, ":\d+", "")
-EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
-EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
-FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
-EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+# Basic settings
+TRUNCATE = 100000
 disabled = false
-pullrequest_base_sha =
-EVAL-pullrequest_base_sha = 'pull_request.base.sha'
-EVAL-pullrequest_base_user_login = 'pull_request.base.user.login'
-EVAL-repository_name = 'repository.name'
 KV_MODE = json
-EXTRACT-commit_hash = | spath commits{} output=commits  | mvexpand commits  | rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"
+pulldown_type = true
+DATETIME_CONFIG =
+LINE_BREAKER = ([\r\n]+)
+SHOULD_LINEMERGE = false
+#Calculated Fields
+EVAL-action = if(isnotnull('action'), 'action', null())
+EVAL-asset_content_type = if(isnotnull('release.assets{}.content_type'), 'release.assets{}.content_type', null())
+EVAL-asset_name = if(isnotnull('release.assets{}.name'), 'release.assets{}.name', null())
+EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 'release.assets{}.uploader.login', null())
+EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null())
+EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login')
+EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null()))
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+EVAL-closed_date = if(isnotnull('issue.closed_at'), 'issue.closed_at', null())
+EVAL-commit_branch = if((isnull('commit_branch') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('commit_branch') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', if((isnull('commit_branch') AND isnotnull('ref')), 'ref', 'commit_branch')))
+EVAL-commit_files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
+EVAL-commit_files_modified = if(isnotnull('commits{}.modified{}'), 'commits{}.modified{}', null())
+EVAL-commit_files_removed = if(isnotnull('commits{}.removed{}'), 'commits{}.removed{}', null())
+EVAL-commit_hash = if(isnotnull('commits{}.id'), 'commits{}.id', null())
+EVAL-commit_message = if(isnotnull('commits{}.message'), 'commits{}.message', null())
+EVAL-commit_timestamp = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
+EVAL-commit_username = if(isnotnull('commits{}.author.username'), 'commits{}.author.username', null())
+EVAL-commits_author_list = if(isnotnull('commits{}.author.username'), 'commits{}.author.username', null())
+EVAL-commits_list = if(isnotnull('commits{}.id'), 'commits{}.id', null())
+EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.message', null())
+EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
+EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
+EVAL-current_push = if(isnotnull('after'), 'after', null())
+EVAL-dvc = replace(host, ":\d+", "")
+EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null())
+EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
+EVAL-earliest_commit_hash = if(isnotnull(mvindex('commits{}.id', 0)), mvindex('commits{}.id', 0) , null())
+EVAL-earliest_commit_message = if(isnotnull(mvindex('commits{}.message', 0)), mvindex('commits{}.message', 0) , null())
+EVAL-files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
+EVAL-files_modified = if(isnotnull('commits{}.modified{}'), 'commits{}.modified{}', null())
+EVAL-files_removed = if(isnotnull('commits{}.removed{}' ), 'commits{}.removed{}' , null())
+EVAL-issue_assignees = if('issue.assignees{}.login'!="", 'issue.assignees{}.login', null)
 EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned",  'issue.updated_at', null())
+EVAL-issue_description = if(isnotnull('issue.body'), 'issue.body', null())
+EVAL-issue_href = if(isnotnull('issue.html_url'), 'issue.html_url', null())
+EVAL-issue_subject = if(isnotnull('issue.title'), 'issue.title', null())
 EVAL-issue_tags = if(isnotnull('issue.labels{}.name'), 'issue.labels{}.name', null())
+EVAL-issueNumber = if(isnotnull('issue.number'), 'issue.number', 'issueNumber')
+EVAL-last_updated = if("issue.update_at"="*", 'issue.update_at', strftime(_time,"%Y-%m-%d %H:%M:%S"))
+EVAL-latest_commit_author_user = if((isnotnull('commits{}.id') AND isnull('commit_username')), 'head_commit.author.username', if((isnotnull('commits{}.id') AND isnotnull('commit_username')), 'commit_username', ""))
+EVAL-latest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
+EVAL-latest_commit_hash = if((isnotnull('commits{}.id') AND isnull('commit_hash')), 'head_commit.id', if((isnotnull('commits{}.id') AND isnotnull('commit_hash')), 'commit_hash', if(isnotnull(after), after, null())))
+EVAL-latest_commit_message = if((isnotnull('commits{}.id') AND isnull('commit_message')), 'head_commit.message', if((isnotnull('commits{}.id') AND isnotnull('commit_message')), 'commit_message', ""))
+EVAL-object_attrs = "branch:" + pull_request_title + "|business:" + business
+EVAL-object_category = if(isnotnull(workflow_run.event), "workflow", if(isnotnull(repo), "repository", ""))
+EVAL-organization_name = if(isnotnull('organization.login'), 'organization.login', null())
+EVAL-pr_author_login = if(isnotnull('sender.login'), 'sender.login', null())
+EVAL-pr_created_date = if(isnotnull('pull_request.created_at'), 'pull_request.created_at', null())
+EVAL-pr_id = if((isnotnull('pull_request.number')), 'pull_request.number', if((isnotnull('number')), 'number', null()))
+EVAL-pr_message = if(isnotnull('pull_request.body'), 'pull_request.body', null())
+EVAL-previous_push = if(isnotnull('before'), 'before', null())
+EVAL-pullrequest_base_sha = 'pull_request.base.sha'
+EVAL-pullrequest_base_user_login = 'pull_request.base.user.login'
+EVAL-pull_request_merged = if(isnotnull('pull_request.merged'), 'pull_request.merged', null())
+EVAL-pull_request_merged_at = if(isnotnull('pull_request.merged_at'), 'pull_request.merged_at', null())
+EVAL-ref = if((isnull('ref') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('ref') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', 'ref'))
+EVAL-ref_tags = if((isnotnull('ref') AND eventtype="GitHub::Release::Push"), ref, null())
+EVAL-release_author = if(isnotnull('release.author.login'), 'release.author.login', null())
+EVAL-release_created_at = if(isnotnull('release.created_at'), 'release.created_at', null())
+EVAL-release_name = if(isnotnull('release.name'), 'release.name', null())
+EVAL-release_status = if(isnotnull('action'), 'action', null())
+EVAL-release_sender_name = if(isnotnull('sender.login'), 'sender.login', null())
+EVAL-release_tags = if(isnotnull('release.tag_name'), 'release.tag_name', if(isnotnull('release_tags'), release_tags, "beep"))
+EVAL-release_url = if(isnotnull('release.url'), 'release.url', null())
+EVAL-repository_name = if(isnotnull('repository.name'), 'repository.name', null())
 EVAL-repository_organization = if(isnotnull('organization.login'), 'organization.login', null())
-EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
+EVAL-result = "success"
+EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
+EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
+EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, true==true, 1)
+EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
+EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
+EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
+EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null())
+EVAL-submission_date = if(isnotnull('issue.created_at'), 'issue.created_at', null())
+EVAL-vendor_product = "github"
+EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
+# Field Aliases
+FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
+FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
 FIELDALIAS-user = actor AS user
-TRUNCATE = 100000
+FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
+# Field Extractions
+EXTRACT-change_type = "action":"(?<change_type>[^\.]+).*","((actor)|(workflow)|(_document))
+EXTRACT-commit_branch = (?<commit_branch>(?<=refs\/heads\/)[\-\w\d\s]*)
+EXTRACT-commit_hash = | spath commits{} output=commits  | mvexpand commits  | rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"
+EXTRACT-release_tags = "ref":"refs\/tags\/(?<release_tags>[0-9|aA-zZ.]*)"
+EXTRACT-object = "repo":".+/{1}(?<object>[^"]+)",
+REPORT-issueNumber = issueNumber
 
 [github_audit]
 KV_MODE = JSON
