Update props.conf

derkkila · derkkila · commit bd3437d70937 · 2023-01-09T10:46:48.000-05:00
Added new entries to props.conf to include fields for Secret Scanning DM.
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
@@ -55,7 +55,8 @@ EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 're
 EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null())
 EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login')
 EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null()))
-EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", ""))
+EVAL-body = "Secrete Leakage: ".'alert.secret_type'
+EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency",  if(isnotnull(secret_type), "secret", "")))
 EVAL-closed_date = if(isnotnull('issue.closed_at'), 'issue.closed_at', null())
 EVAL-commit_branch = if((isnull('commit_branch') AND isnotnull('pull_request.head.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.head.ref', if((isnull('commit_branch') AND isnotnull('pull_request.base.ref') AND ('eventtype'=="GitHub::PullRequest" OR 'eventtype'=="GitHub::PullRequest::Review")), 'pull_request.base.ref', if((isnull('commit_branch') AND isnotnull('ref')), 'ref', 'commit_branch')))
 EVAL-commit_files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
@@ -71,6 +72,7 @@ EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.messag
 EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null())
 EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null())
 EVAL-current_push = if(isnotnull('after'), 'after', null())
+EVAL-description = "Secrete Leakage: ".'alert.secret_type'
 EVAL-dvc = replace(host, ":\d+", "")
 EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null())
 EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', ""))
@@ -79,6 +81,7 @@ EVAL-earliest_commit_message = if(isnotnull(mvindex('commits{}.message', 0)), mv
 EVAL-files_added = if(isnotnull('commits{}.added{}'), 'commits{}.added{}', null())
 EVAL-files_modified = if(isnotnull('commits{}.modified{}'), 'commits{}.modified{}', null())
 EVAL-files_removed = if(isnotnull('commits{}.removed{}' ), 'commits{}.removed{}' , null())
+EVAL-id = organization."/".repository_name."/".'alert.number'
 EVAL-issue_assignees = if('issue.assignees{}.login'!="", 'issue.assignees{}.login', null)
 EVAL-issue_assigned_date = if("issue.updated_at"!="" AND action="assigned",  'issue.updated_at', null())
 EVAL-issue_description = if(isnotnull('issue.body'), 'issue.body', null())
@@ -117,7 +120,8 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization
 EVAL-result = "success"
 EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null())
 EVAL-review_state = if(isnotnull('review.state'), 'review.state', null())
-EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, true==true, 1)
+EVAL-severity = if(isnotnull(secret_type),"critical","")
+EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1)
 EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description)
 EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null())
 EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
@@ -128,6 +132,7 @@ EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_lo
 # Field Aliases
 FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
 FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
+FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
 FIELDALIAS-user = actor AS user
 FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
 # Field Extractions
