chore(release): making a new release v6.0.0 #898
base: main
Conversation
Updated 2 fields in the Network Resolution model.
- Added expected values for reply_code_id, which has a corresponding reply_code.
- Added expected values for reply_code.

Added CIM models for v5.3.1 and v5.3.2. Created a runbook: https://docs.google.com/document/d/1sOG0FWM9StzgNJx4tYzsX4Tur33D91V59v3SObrXvks/edit

Added support for CIM v5.3.2.
- Updated data models with new child data sets in various models.
- Updated required fields with updated values as per v5.3.2.
- Added optional fields as per v5.3.2.
Detailed comparison and analysis between v4.15.0 and v5.3.2 can be found here: https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit#gid=1147250948

Added new data models:
- Compute_Inventory
- Data_Access
- Databases
- Event_Signatures
- Interprocess Messaging
- JVM
- Performance
- Ticket_Management
Updated version in the requirement_test_datamodel_tag_constants.py file.

This PR removes the feature of generating the cim-field-report. ref: [ADDON-73385](https://splunk.atlassian.net/browse/ADDON-73385)
NOTE: moved the unit test file (test_report.py) for cim-compliance report generation from the test_tools folder to test_utilities.

Added changes based on CIM 6.0.0 and CIM 5.3.2 changes:
- Added Session ID in Authentication Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/545
- Signature field description change in Intrusion Detection Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/542
- Protocol Version description change in Network Traffic Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/544
- Power field description change in Performance Model: https://cd.splunkdev.com/EnterpriseSecurity/sa-commoninformationmodel/-/merge_requests/543
chore: Downgrading Ubuntu version as python 3.7 is no longer supported on latest
- Update datamodel definition for CIM v5.3.2 according to the [sheet](https://docs.google.com/spreadsheets/d/1ZFDC0Efn-bHvcU1Qy78s95GCfWyxt6IUhTv94j3yagk/edit?gid=1873743384#gid=1873743384)
- Add datamodel definition for CIM v6.0.0
- Update copyright year

This PR fixes the issue with the token replacement for the fields defined under `other_mappings` for the sample event.
- Updated the e2e tests to cover the token replacement scenario for `other_mappings`.
@@ -15,7 +15,7 @@ concurrency: | |||
|
|||
jobs: | |||
meta: | |||
runs-on: ubuntu-latest | |||
runs-on: ubuntu-22.04 |
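Review bot: pinning the meta job to ubuntu-22.04 is the right move, but the reason for it (Python 3.7 is no longer available on ubuntu-latest, per the commit message) should be recorded as a YAML comment next to the `runs-on: ubuntu-22.04` line, otherwise the next workflow tidy-up will put it back to ubuntu-latest; also confirm that the other jobs in this file, which this hunk does not show, are pinned the same way, so the workflow does not run one job on 22.04 and the rest on whatever latest currently resolves to.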
Tagging latest is not a great plan for compatibility, so this is a good change.
"dest_nt_domain", | ||
"src_nt_domain", | ||
"src_user", | ||
"src_user_name", |
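Review bot: dropping src_user_name (and, per the reply in this thread, user_name) from the enforced field list relaxes what the test asserts for every add-on that already passes against the older definition; the CIM change page linked in the review still lists the field, so the datamodel JSON should carry the rationale (the field is optional in the CIM JSON and not marked recommended) in its entry, and the v6.0.0 release notes should call out that these fields are no longer checked.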
Why are we removing this? It looks like it's still here: https://docs.splunk.com/Documentation/CIM/6.0.2/User/Change
It was decided that the CIM datamodel JSONs should be considered the single source of truth (reference), and the fields `user_name` and `src_user_name` are optional and not marked as recommended.
} | ||
|
||
datamodels["latest"] = datamodels["6.0.0"] |
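Review bot: `datamodels["latest"] = datamodels["6.0.0"]` is a hand-maintained alias that has to be bumped every time a version is added, and nothing fails if it is forgotten; compute it from the highest version key with a numeric sort (a plain string sort would order "10.0.0" before "6.0.0") or at least add a comment next to it saying it must track the newest entry. Since a sample event that omits the CIM version silently gets this alias, the sample-event documentation should say so, because upgrading the plugin can then change which fields are required for that event.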
Should we be using a `latest` tag?
The `latest` tag is used when the sample event does not define which CIM version to use, and we pin it to the latest version that we support in the PSA.
"type": "optional", | ||
"expected_values": ["lockout"], | ||
"condition": "status=failure", | ||
"type": "conditional", |
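Review bot: the new "type": "conditional" value introduces a condition string ("status=failure") whose grammar is not defined anywhere in the hunk; document the accepted syntax (a single field=value comparison, or several clauses?) next to the type definitions, and have the loader reject unknown types and unparseable conditions loudly rather than falling back to treating the field as optional, so a typo in a condition does not silently disable the check. The "expected_values": ["lockout"] entry should also state whether it applies only when the condition holds or whenever the field is present.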
What is the meaning of `type=conditional`?
It means that the field is required under a certain condition, and the condition is also defined.
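The two behaviours discussed in this thread, resolving `latest` when a sample event names no CIM version and enforcing a `conditional` field, as an added Python example (not code from this repository or this PR). The datamodel entries, the field name `reason`, the `action=failure` condition and the events are constructed for the example, and the `field=value` condition grammar is an assumption, since the diff does not define it.

```python
"""Added worked example, not pytest-splunk-addon code.

Shows (1) picking the newest CIM version by sorting version keys instead
of hand-maintaining a "latest" alias, and (2) enforcing "required",
"optional" and "conditional" field types, where a conditional field is
required only when its condition holds for the event. Condition grammar
is assumed to be a single "field=value" comparison.
"""
import re
from typing import Dict, List, Optional

# Constructed, trimmed datamodel definitions keyed by CIM version. Field
# entries follow the shape seen in the diff: name, type, optional
# expected_values, and for "conditional" a condition string.
DATAMODELS: Dict[str, List[dict]] = {
    "5.3.2": [
        {"name": "action", "type": "required",
         "expected_values": ["success", "failure", "pending", "error"]},
        {"name": "user", "type": "required"},
        {"name": "src_user_name", "type": "optional"},
    ],
    "6.0.0": [
        {"name": "action", "type": "required",
         "expected_values": ["success", "failure", "pending", "error"]},
        {"name": "user", "type": "required"},
        {"name": "src_user_name", "type": "optional"},
        # Hypothetical conditional field: only required on failures.
        {"name": "reason", "type": "conditional",
         "condition": "action=failure", "expected_values": ["lockout"]},
    ],
}


def version_key(version: str):
    """Numeric sort key so '10.0.0' orders after '6.0.0' (a string sort would not)."""
    return tuple(int(part) for part in version.split("."))


def resolve_version(requested: Optional[str], datamodels=DATAMODELS) -> str:
    """Return the CIM version to test against.

    A sample event that names a version gets that version (or an error if
    it is unknown); one that names none gets the highest supported version,
    computed from the keys rather than hard-coded as an alias.
    """
    if requested is None or requested == "latest":
        return max(datamodels, key=version_key)
    if requested not in datamodels:
        raise ValueError(f"unsupported CIM version {requested!r}")
    return requested


_CONDITION = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")


def condition_holds(condition: str, event: Dict[str, str]) -> bool:
    """Evaluate an assumed 'field=value' condition against an extracted event."""
    match = _CONDITION.match(condition)
    if not match:
        # Fail loudly: a malformed condition must not silently become "optional".
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    field, value = match.groups()
    return event.get(field) == value


def check_event(event: Dict[str, str], version: str, datamodels=DATAMODELS) -> List[str]:
    """Return a list of violations for one extracted event against one version."""
    problems: List[str] = []
    for spec in datamodels[version]:
        name, ftype = spec["name"], spec["type"]
        if ftype not in ("required", "optional", "conditional"):
            raise ValueError(f"unknown field type {ftype!r} for {name}")
        required = ftype == "required" or (
            ftype == "conditional" and condition_holds(spec["condition"], event))
        present = name in event and event[name] != ""
        if required and not present:
            why = f" (condition {spec['condition']!r} holds)" if ftype == "conditional" else ""
            problems.append(f"missing required field {name}{why}")
        # expected_values are checked on any present value, whatever the type.
        if present and "expected_values" in spec and event[name] not in spec["expected_values"]:
            problems.append(f"{name}={event[name]!r} not in expected values {spec['expected_values']}")
    return problems


if __name__ == "__main__":
    # Constructed events, shaped like an add-on's extracted fields.
    lockout = {"action": "failure", "user": "alice", "reason": "lockout"}
    no_reason = {"action": "failure", "user": "alice"}
    print(resolve_version(None), check_event(lockout, "6.0.0"), check_event(no_reason, "6.0.0"))
```

Because `resolve_version` derives the newest version from the keys, adding a "6.0.1" entry to `DATAMODELS` changes what `latest` means without any alias to update; the same event that passes against 5.3.2 can then start failing, which is why the chosen version is worth logging with each test run.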
"type": "optional", | ||
"comment": "Original name of the file, not including path." |
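Review bot: the comment here is shorter than the CIM description quoted in the review (it omits the process_name=pwsh vs original_file_name=powershell.exe renamed-process example); if these comments are meant to make the JSON the single source of truth, carry the full CIM wording, otherwise state that comments are abbreviated and non-normative so nobody treats them as the reference text.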
"Original name of the file, not including path. Sometimes this field is similar to process name but the two do not always match, such as process_name=pwsh and original_file_name=powershell.exe to detect renamed instances of any process executing." Per https://docs.splunk.com/Documentation/CIM/6.0.0/User/Endpoint
This aligns with the description here. Also, these comments are not used anywhere in the PSA tests.
@@ -263,7 +329,7 @@ | |||
}, | |||
{ | |||
"name": "file_size", | |||
"type": "optional", | |||
"type": "required", |
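Review bot: flipping file_size from optional to required means any add-on emitting Filesystem events without file_size now fails the datamodel test on upgrade, while the CIM documentation linked in the review lists the field as recommended; if enforcing it is deliberate, record the reasoning in the JSON entry or the v6.0.0 changelog so the divergence from the CIM docs is traceable rather than living only in this thread.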
Recommended, not required, per https://docs.splunk.com/Documentation/CIM/6.0.0/User/Endpoint
It was decided here with Alexei to keep this field as required for the "Filesystem" dataset.
A couple of questions. Also, 6.0.1 and 6.0.2 have been released; why aren't we working on that version?
This PR updates the condition for the object_category field of the Change DataModel. Added e2e tests to cover this check.
props.conf had invalid syntax using line breakers (issue reported here: https://splunk.atlassian.net/browse/ADDON-72549). The incorrect format is causing warnings in the splunkd log, which could easily be prevented by correcting the props.conf file like in this [example](https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/pull/1196/files). Related Jira: https://splunk.atlassian.net/browse/ADDON-77954. Example local run: [screenshot]
Contains the PRs below: