
Commit 171c55d

committed
Update props.conf
Merge recent props changes from dev environment
1 parent 790c893 commit 171c55d

1 file changed

+54
-22
lines changed

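--- a/props.conf
+++ b/props.conf
@@ -1,4 +1,6 @@
 [default]
+FIELDALIAS-user = actor AS user
+
 [GithubEnterpriseServerLog]
 DATETIME_CONFIG =
 LINE_BREAKER = ([\r\n]+)
@@ -13,6 +15,13 @@ EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?<github_log_type>.*?)\:
 EXTRACT-github_document_id = \"_document_id\"\:\"(?<document_id>.*?)\"
 FIELDALIAS-source = github_log_type AS source
 
+[GithubEnterpriseServerAuditLog]
+EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?<source_host>\S+)\s+(?<app>[^:]+)+:\s+(?<authentication_service>\S+) : TTY=(?<authentication_method>\S+) ; PWD=(?<path>\S+) ; USER=(?<src_user>\S+) ; COMMAND=(?<service>.*)
+EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL))
+EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service"
+EVAL-action = "success"
+EVAL-src = replace(source_host, "\-", ".")
+
 [collectd_github]
 ADD_EXTRA_TIME_FIELDS = false
 ANNOTATE_PUNCT = false
@@ -29,27 +38,50 @@ disabled = false
 pulldown_type = 1
 
 [github_json]
-DATETIME_CONFIG = CURRENT
-LINE_BREAKER = ([\r\n]+)
-NO_BINARY_CHECK = true
-TRUNCATE = 250000
-category = Application
-pulldown_type = 1
-REPORT-github_issue = extractIssueID
-EXTRACT-project_card_issue_number = (.*)\"content_url\":\"(?:.*?)\/issues\/(?<issueNumber>.*?)\"(.*)
-FIELDALIAS-issueNumber = "issue.number" ASNEW issueNumber
-
+FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.html_url" AS dest "repository.owner.login" AS user
+EVAL-dvc = replace(host, ":\d+", "")
+EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
+EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
+FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+disabled = false
+pullrequest_base_sha =
+EVAL-pullrequest_base_sha = 'pull_request.base.sha'
+EVAL-pullrequest_base_user_login = 'pull_request.base.user.login'
+EVAL-repository_name = 'repository.name'
+KV_MODE = json
+EXTRACT-commit_hash = | spath commits{} output=commits | mvexpand commits | rex field=commits "(?<=\"id\"\:\")(?<commit_hash>\w*)"
+EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned", 'issue.updated_at', null())
+EVAL-issue_tags = if(isnotnull('issue.labels{}.name'), 'issue.labels{}.name', null())
+EVAL-repository_organization = if(isnotnull('organization.login'), 'organization.login', null())
+EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 
 [github_audit]
-DATETIME_CONFIG =
-KV_MODE = json
-LINE_BREAKER = ([\r\n]+)
-NO_BINARY_CHECK = true
-TIMESTAMP_FIELDS = @timestamp
-TIME_FORMAT = %s%3N
-TRUNCATE = 1000000
-TZ = GMT
-category = Application
-disabled = false
-pulldown_type = 1
-FIELDALIAS-user = actor AS user
+KV_MODE = JSON
+FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc
+EVAL-command = mvdedup(action)
+EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+EVAL-dvc = replace(host, ":\d+", "")
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+EVAL-user = mvdedup(user)
+EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-protocol = mvdedup(transport_protocol_name)
+EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL))))
+EVAL-vendor_product = "github"
+EVAL-status = "success"
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))
+
+[github:enterprise:audit]
+EVAL-command = mvdedup(action)
+EVAL-user = mvdedup(user)
+EXTRACT-change_type = "action":"[A-z0-9_]+\.(?<change_type>[^"]+)","
+FIELDALIAS-field mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc
+EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type)
+EVAL-dvc = replace(host, ":\d+", "")
+EXTRACT-object_path,object = "repo":"(?<object_path>[^"]+)/(?<object>[^"]+)","
+EVAL-protocol = mvdedup(transport_protocol_name)
+EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL)
+EVAL-vendor_product = "github"
+EVAL-status = "success"
+EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, "")))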
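Review bot: `EVAL-user` in the new [GithubEnterpriseServerAuditLog] stanza (new line 20) tests `src_user` but returns `user` in that branch, and the regex on line 19 only captures `src_user` (its class name lists `user`, but no group is named that), so the branch likely yields nothing; the intended line is probably `EVAL-user = if(isnotnull(src_user), src_user, if(isnotnull(user), user, NULL))`. The same stanza hard-codes `EVAL-action = "success"` (line 22), and [github_audit] and [github:enterprise:audit] hard-code `EVAL-status = "success"` (lines 72 and 86) even for change types the `case()` maps to "denied" or "disabled", so any detection keyed on the outcome field would see failed or denied events as successes; deriving the outcome from the event, or leaving the field unset when it is unknown, would be safer. That `case()` on lines 64 and 80 also lists `change_merge_setting` twice and has `"remove organization"` (with a space) alongside `"remove_organization"`, so the spaced entry probably never matches. `pullrequest_base_sha =` on line 48 is a bare key with no value and is not a props.conf setting, which looks like a leftover. `EXTRACT-commit_hash` on line 53 is written as an SPL pipeline, but `EXTRACT-<class>` takes a regular expression, so that line is unlikely to produce `commit_hash`.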
