diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml index 80a681f..bb2742f 100644 --- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml +++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml @@ -258,4 +258,4 @@ - + \ No newline at end of file diff --git a/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml b/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml index 5cadbbc..acf1518 100644 --- a/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml +++ b/github_app_for_splunk/default/data/ui/views/value_stream_analytics.xml @@ -21,8 +21,8 @@ repository.name `github_webhooks` eventtype="GitHub::Push"|dedup repository.name| table repository.name - -30d@d - now + $timeTkn.earliest$ + $timeTkn.latest$ All * @@ -139,4 +139,4 @@ - + \ No newline at end of file diff --git a/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml b/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml index e6ea68c..3890639 100644 --- a/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml +++ b/github_app_for_splunk/default/data/ui/views/workflow_analytics.xml @@ -30,7 +30,7 @@ Average Workflow Overview - `github_webhooks` eventtype="GitHub::Workflow" repository.name IN("$repoTkn$") | eval queued=if(action="queued",_time,NULL), started=if(action="in_progress",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(started) as started, min(completed) as completed by repository.name,workflow_job.name,workflow_job.id | eval queueTime=started-queued, runTime=completed-started, totalTime=completed-queued | fields repository.name,workflow_job.name, workflow_job.id, queueTime, runTime, totalTime | stats avg(queueTime) as queueTime, avg(runTime) as runTime, avg(totalTime) as totalTime | eval queueTime=toString(round(queueTime),"Duration"), runTime=toString(round(runTime),"Duration"),totalTime=toString(round(totalTime),"Duration") + `github_webhooks` eventtype="GitHub::Workflow" repository.name IN(""*"") | eval queued=if(action="requested",_time,NULL), completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(completed) as completed by repository.name,workflow_run.name,workflow_run.id | eval totalTime=completed-queued | fields repository.name,workflow_run.name, workflow_run.id, totalTime | stats avg(totalTime) as totalTime | eval totalTime=toString(round(totalTime),"Duration") $timeTkn.earliest$ $timeTkn.latest$ 1 @@ -60,7 +60,7 @@ Workflow Analytics by Job Name - `github_webhooks` eventtype="GitHub::Workflow" repository.name IN("$repoTkn$") | eval queued=if(action="queued",_time,NULL), started=if(action="in_progress",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(started) as started, min(completed) as completed by repository.full_name,workflow_job.name,workflow_job.id | eval queueTime=started-queued, runTime=completed-started, totalTime=completed-queued | fields repository.full_name,workflow_job.name, workflow_job.id, queueTime, runTime, totalTime | stats avg(queueTime) as queueTime, avg(runTime) as runTime, avg(totalTime) as totalTime by repository.full_name,workflow_job.name | eval queueTime=toString(round(queueTime),"Duration"), runTime=toString(round(runTime),"Duration"),totalTime=toString(round(totalTime),"Duration") + `github_webhooks` eventtype="GitHub::Workflow" repository.name IN(""*"") | eval queued=if(action="requested",_time,NULL),completed=if(action="completed",_time,NULL) | stats min(queued) as queued, min(completed) as completed by repository.full_name,workflow_run.name,workflow_run.id | eval totalTime=completed-queued | fields repository.full_name,workflow_run.name, workflow_run.id, totalTime | stats avg(totalTime) as totalTime by repository.full_name,workflow_run.name | eval totalTime=toString(round(totalTime),"Duration") $timeTkn.earliest$ $timeTkn.latest$ 1 @@ -76,4 +76,4 @@
- + \ No newline at end of file diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf index e46971e..47e3b42 100644 --- a/github_app_for_splunk/default/eventtypes.conf +++ b/github_app_for_splunk/default/eventtypes.conf @@ -5,7 +5,7 @@ search = `github_webhooks` ref_type=branch search = `github_source` action=* sourcetype="github:enterprise:audit" OR sourcetype="github_audit" [GitHub::CodeScanning] -search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=* +search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "commit_oid"=* [GitHub::CodeVulnerability] search = `github_webhooks` (eventtype="GitHub::CodeScanning") "alert.html_url"="*/security/code-scanning/*" diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf index 8b79c0e..8778338 100644 --- a/github_app_for_splunk/default/props.conf +++ b/github_app_for_splunk/default/props.conf @@ -1,6 +1,7 @@ [default] [GithubEnterpriseServerLog] +# Basic settings DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true @@ -8,6 +9,7 @@ category = Application pulldown_type = true TIME_FORMAT = TZ = +#Calculated Fields EXTRACT-audit_event = github_audit\[\d+\]\:\s(?.*) EXTRACT-audit_fields = \"(?<_KEY_1>.*?)\"\:\"*(?<_VAL_1>.*?)\"*, EXTRACT-github_log_type = \d+\:\d+\:\d+\s[\d\w\-]+\s(?.*?)\: @@ -16,14 +18,18 @@ FIELDALIAS-source = github_log_type AS source FIELDALIAS-user = actor AS user [GithubEnterpriseServerAuditLog] -EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?\S+)\s+(?[^:]+)+:\s+(?\S+) : TTY=(?\S+) ; PWD=(?\S+) ; USER=(?\S+) ; COMMAND=(?.*) -EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL)) -EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service" +#Calculated Fields EVAL-action = "success" +EVAL-signature = "Login by " + src_user + " to " + authentication_service + " service" EVAL-src = replace(source_host, "\-", ".") +EVAL-user = if(isnotnull(src_user), user, if(isnotnull(user), user, NULL)) +# Field Extractions +EXTRACT-source,app,authentication_service,authentication_method,path,user,service = \<\d+\>\w+\s\d+\s\d+:\d+:\d+ (?\S+)\s+(?[^:]+)+:\s+(?\S+) : TTY=(?\S+) ; PWD=(?\S+) ; USER=(?\S+) ; COMMAND=(?.*) +# Field Aliases FIELDALIAS-user = actor AS user [collectd_github] +# Basic settings ADD_EXTRA_TIME_FIELDS = false ANNOTATE_PUNCT = false BREAK_ONLY_BEFORE_DATE = @@ -35,13 +41,11 @@ NO_BINARY_CHECK = true SHOULD_LINEMERGE = false category = Metrics description = Collectd daemon format. Uses the write_http plugin to send metrics data to a Splunk platform data input via the HTTP Event Collector. -disabled = false pulldown_type = 1 [github_json] # Basic settings TRUNCATE = 100000 -disabled = false KV_MODE = json pulldown_type = true DATETIME_CONFIG = @@ -54,6 +58,7 @@ EVAL-asset_name = if(isnotnull('release.assets{}.name'), 'release.assets{}.name' EVAL-asset_uploader_login = if(isnotnull('release.assets{}.uploader.login'), 'release.assets{}.uploader.login', null()) EVAL-assigned_reviewers = if(isnotnull('pull_request.requested_reviewers{}.login'), 'pull_request.requested_reviewers{}.login', null()) EVAL-assigned_user = if(isnotnull('issue.assignee.login'), 'issue.assignee.login', 'assignee.login') +EVAL-attempt_number = if(isnotnull('workflow_run.run_attempt'), 'workflow_run.run_attempt',null()) EVAL-branch = if(('ref_type'=="branch" AND 'ref'!=""), 'ref', if(isnotnull('commit_branch'), 'ref', null())) EVAL-body = "Secrete Leakage: ".'alert.secret_type' EVAL-category = if(isnotnull(alert_description), "code", if(isnotnull(affected_package_name), "dependency", if(isnotnull(secret_type), "secret", ""))) @@ -70,9 +75,11 @@ EVAL-commits_author_list = if(isnotnull('commits{}.author.username'), 'commits{} EVAL-commits_list = if(isnotnull('commits{}.id'), 'commits{}.id', null()) EVAL-commits_message_list = if(isnotnull('commits{}.message'), 'commits{}.message', null()) EVAL-commits_timestamp_list = if(isnotnull('commits{}.timestamp'), 'commits{}.timestamp', null()) +EVAL-completed = if(action="completed",_time, NULL) EVAL-current_priority = if('issue.labels{}.name' like "Priority%", mvfilter(match('issue.labels{}.name', "[pP]riority:\sLow|[pP]riority:\sHigh|[pP]riority:\sMedium")), null()) EVAL-current_push = if(isnotnull('after'), 'after', null()) EVAL-description = "Secrete Leakage: ".'alert.secret_type' +EVAL-dest = "((repo)|(full_name))":"(?[^/]+) EVAL-dvc = replace(host, ":\d+", "") EVAL-earliest_commit_author_user = if(isnotnull(mvindex('commits{}.author.username', 0)), mvindex('commits{}.author.username', 0) , null()) EVAL-earliest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', "")) @@ -94,9 +101,11 @@ EVAL-latest_commit_author_user = if((isnotnull('commits{}.id') AND isnull('commi EVAL-latest_commit_date = if((isnotnull('commits{}.id') AND isnull('commit_timestamp')), 'head_commit.timestamp', if((isnotnull('commits{}.id') AND isnotnull('commit_timestamp')), 'commit_timestamp', "")) EVAL-latest_commit_hash = if((isnotnull('commits{}.id') AND isnull('commit_hash')), 'head_commit.id', if((isnotnull('commits{}.id') AND isnotnull('commit_hash')), 'commit_hash', if(isnotnull(after), after, null()))) EVAL-latest_commit_message = if((isnotnull('commits{}.id') AND isnull('commit_message')), 'head_commit.message', if((isnotnull('commits{}.id') AND isnotnull('commit_message')), 'commit_message', "")) +EVAL-name = if(isnotnull('workflow_job.name'), 'workflow_job.name',if(isnotnull('workflow_run.name'), 'workflow_run.name',null())) EVAL-object_attrs = "branch:" + pull_request_title + "|business:" + business EVAL-object_category = if(isnotnull(workflow_run.event), "workflow", if(isnotnull(repo), "repository", "")) EVAL-organization_name = if(isnotnull('organization.login'), 'organization.login', null()) +EVAL-pipeline_id = if(isnotnull('workflow.id'), 'workflow.id', if(isnotnull('workflow_job.id'), 'workflow_job.id', null())) EVAL-pr_author_login = if(isnotnull('sender.login'), 'sender.login', null()) EVAL-pr_created_date = if(isnotnull('pull_request.created_at'), 'pull_request.created_at', null()) EVAL-pr_id = if((isnotnull('pull_request.number')), 'pull_request.number', if((isnotnull('number')), 'number', null())) @@ -120,56 +129,74 @@ EVAL-repository_organization = if(isnotnull('organization.login'), 'organization EVAL-result = "success" EVAL-review_author_login = if(isnotnull('review.user.login'), 'review.user.login', null()) EVAL-review_state = if(isnotnull('review.state'), 'review.state', null()) -EVAL-severity = if(isnotnull(secret_type),"critical","") +EVAL-run_id = if(isnotnull('workflow_job.run_id'), 'workflow_job.run_id', if(isnotnull('workflow_run.id'), 'workflow_run.id', null())) +EVAL-run_number = if(isnotnull('workflow_run.run_number'), 'workflow_run.run_number', null()) +EVAL-severity = if(isnotnull(secret_type),"critical",severity) EVAL-severity_id = CASE(severity=="critical",4, severity_level=="critical",4, severity=="high",3, severity_level=="high",3, severity=="moderate",2,severity_level=="moderate", 2, isnotnull(secret_type),4, true=true, 1) EVAL-signature = CASE(isnull(alert_description), UPPER(severity) + " Dependency Vulnerability on package " + affected_package_name, 1=1, alert_description) +EVAL-started = if(action="requested",_time, if(isnotnull('workflow_run.run_started_at'),round(strptime('workflow_run.run_started_at', "%Y-%m-%dT%H:%M:%SZ"),0), if(isnotnull('workflow_job.started_at'), round(strptime('workflow_job.started_at', "%Y-%m-%dT%H:%M:%SZ"),0), null()))) +EVAL-started_by_id = if(isnotnull('sender.login'), 'sender.login', null()) +EVAL-started_by_name = if(isnotnull('sender.login'), 'sender.login', null()) +EVAL-status = if(isnotnull('workflow_job.status'), 'workflow_job.status', if(isnotnull('workflow_run.status'), 'workflow_run.status', null())) EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), 'issue.updated_at', null()) EVAL-status_current = if(action=="deleted", "deleted", 'issue.state') EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null()) EVAL-submission_date = if(isnotnull('issue.created_at'), 'issue.created_at', null()) EVAL-vendor_product = "github" EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path) -# Field Aliases -FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user -FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name -FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user -FIELDALIAS-user = actor AS user -FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository # Field Extractions EXTRACT-change_type = "action":"(?[^\.]+).*","((actor)|(workflow)|(_document)) EXTRACT-commit_branch = (?(?<=refs\/heads\/)[\-\w\d\s]*) EXTRACT-commit_hash = | spath commits{} output=commits | mvexpand commits | rex field=commits "(?<=\"id\"\:\")(?\w*)" EXTRACT-release_tags = "ref":"refs\/tags\/(?[0-9|aA-zZ.]*)" EXTRACT-object = "repo":".+/{1}(?[^"]+)", +# Field Aliases +FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user +FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name +FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user +FIELDALIAS-user = actor AS user +FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository +# Other REPORT-issueNumber = issueNumber [github_audit] +# Basic settings KV_MODE = JSON -FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc -EVAL-command = mvdedup(action) -EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +DATETIME_CONFIG = +LINE_BREAKER = ([\r\n]+) +SHOULD_LINEMERGE = false +pulldown_type = true +# Calculated Fields EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) +EVAL-command = mvdedup(action) EVAL-dvc = replace(host, ":\d+", "") -EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," -EVAL-user = mvdedup(user) +EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL)))) EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) +EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) EVAL-protocol = mvdedup(transport_protocol_name) -EVAL-object = if(change_type=="repo" OR change_type="repository_secret_scanning", repo, if(change_type=="integration_installation",name,if(isnotnull(org), org, if(isnotnull(name), name,NULL)))) -EVAL-vendor_product = "github" EVAL-status = "success" -EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) +EVAL-user = mvdedup(user) +EVAL-vendor_product = "github" +# Field Extractions +EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," +# Field Aliases +FIELDALIAS-user = actor AS user "data.public_repo" AS is_public_repo org AS vendor sc4s_container AS dvc [github:enterprise:audit] +# Calculated Fields +EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) EVAL-command = mvdedup(action) +EVAL-dvc = replace(host, ":\d+", "") +EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) +EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) +EVAL-protocol = mvdedup(transport_protocol_name) +EVAL-status = "success" EVAL-user = mvdedup(user) +EVAL-vendor_product = "github" +# Field Extractions EXTRACT-change_type = "action":"[A-z0-9_]+\.(?[^"]+)"," +EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," +# Field Aliases FIELDALIAS-field mapping = "data.public_repo" ASNEW is_public_repo org ASNEW vendor sc4s_container ASNEW dvc -EVAL-action = case(change_type="change_merge_setting", "modified", change_type="prepared_workflow_job", "modified", change_type="add_admin", "created", change_type="create", "created", change_type="invite_admin", "invite", change_type="invite_member", "invite", change_type="add_member", "modified", change_type="update_member", "modified", change_type="remove_member", "modified", change_type="grant", "modified", change_type="deauthorize", "modified", change_type="import_license_usage", "read", change_type="clone", "read", change_type="upload_license_usage", "read", change_type="repositories_added", "created", change_type="advanced_security_enabled", "modified", change_type="change_merge_setting", "modified", change_type="push", "modified", change_type="login", "logon", change_type="disabled", "modified", change_type="fetch", "read", change_type="disable", "modified", change_type="actions_enabled", "modified", change_type="add_organization", "modified", change_type="advanced_security_enabled_for_new_repos", "modified", change_type="advanced_security_policy_update", "modified", change_type="check", "read", change_type="authorized_users_teams", "modified", change_type="close", "modified", change_type="created_workflow_run", "created", change_type="enable", "modified", change_type="destroy", "deleted", change_type="enable_workflow", "modified", change_type="events_changed", "modified", change_type="completed_workflow_run", "modified", change_type="config_changed", "modified", change_type="merge", "modified", change_type="oauth_app_access_approved", "created", change_type="plan_change", "modified", change_type="remove organization", "modified", change_type="repositories_removed", "deleted", change_type="resolve", "updated", change_type="update", "updated", change_type="update_terms_of_service", "updated", change_type="remove_organization", "deleted", change_type="enable_saml", "modified", change_type="update_saml_provider_settings", "updated", change_type="disable_saml", "disabled", change_type="disable_oauth_app_restrictions", "disabled", change_type="oauth_app_access_denied", "denied", change_type="disable_two_factor_requirement", "disabled", change_type="enable_two_factor_requirement", "enable", 1=1, change_type) FIELDALIAS-user = actor AS user -EVAL-dvc = replace(host, ":\d+", "") -EXTRACT-object_path,object = "repo":"(?[^"]+)/(?[^"]+)"," -EVAL-protocol = mvdedup(transport_protocol_name) -EVAL-object_category = case( change_type=="repo", "repository", change_type=="integration_installation","integration", isnotnull(repo), "repository", isnotnull(permission), mvdedup(permission), 1=1, NULL) -EVAL-vendor_product = "github" -EVAL-status = "success" -EVAL-object_attrs = if(isnotnull(is_public_repo), "public:" + is_public_repo, if(isnotnull(repository_public), "public:" + repository_public, if(isnotnull(public_repo), "public:" + public_repo, ""))) diff --git a/github_app_for_splunk/default/transforms.conf b/github_app_for_splunk/default/transforms.conf index f80b081..37537ed 100644 --- a/github_app_for_splunk/default/transforms.conf +++ b/github_app_for_splunk/default/transforms.conf @@ -6,8 +6,8 @@ MV_ADD = true DELIMS = . FIELDS = change_type,command SOURCE_KEY = action -disabled = 1 + [issueNumber] MV_ADD = 1 -REGEX = (?(?<=refs\/heads\/|\"ref\":\")[\d]*) +REGEX = (?(?<=refs\/heads\/|\"ref\":\")[\d]*) \ No newline at end of file diff --git a/github_app_for_splunk/metadata/default.meta b/github_app_for_splunk/metadata/default.meta index 1c8f783..ba4dfaa 100644 --- a/github_app_for_splunk/metadata/default.meta +++ b/github_app_for_splunk/metadata/default.meta @@ -10,6 +10,11 @@ export = system [eventtypes] export = system +### TAGS + +[tags] +export = system + ### PROPS pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy