Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

auditd_sourcetype_update #3136

Open
wants to merge 26 commits into
base: develop
Choose a base branch
from
Open

auditd_sourcetype_update #3136

wants to merge 26 commits into from

Conversation

tccontre
Copy link
Contributor

@tccontre tccontre commented Sep 24, 2024

update sourcetype of auditd data sources base on [Splunk add-on for unix and linux].

    modified:   data_sources/linux_auditd_add_user.yml
    modified:   data_sources/linux_auditd_execve.yml
    modified:   data_sources/linux_auditd_path.yml
    modified:   data_sources/linux_auditd_proctitle.yml
    modified:   data_sources/linux_auditd_service_stop.yml
    modified:   data_sources/linux_auditd_syscall.yml
    modified:   macros/linux_auditd.yml
    
  
    # This script reads the auditd logs translated with ausearch
    [script://./bin/rlog.sh]
    sourcetype = auditd
    source = auditd
    interval = 60
    disabled = 1
  ```

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.

@tccontre tccontre added WIP DO NOT MERGE Work in Progress and removed Datasource labels Sep 24, 2024
@tccontre tccontre self-assigned this Sep 24, 2024
@patel-bhavin
Copy link
Contributor

looks like unit testing is failing on all the detections affected by this change :( will need to debug locally!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Datasource Macros WIP DO NOT MERGE Work in Progress
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants