splunk · artemrys · Jun 28, 2024 · Jun 8, 2024 · Jun 18, 2024 · Jun 26, 2024
@@ -83,6 +83,7 @@
  </xs:sequence>
  </xs:complexType>
  </xs:element>
+ <xs:element type="xs:string" name="note"/>
  <xs:element type="xs:string" name="raw"/>
  <xs:element name="cim">
  <xs:complexType>
@@ -103,6 +104,7 @@
  <xs:extension base="xs:string">
  <xs:attribute type="xs:string" name="name" use="optional"/>
  <xs:attribute type="xs:string" name="value" use="optional"/>
+ <xs:attribute type="xs:string" name="note" use="optional"/>
  </xs:extension>
  </xs:simpleContent>
  </xs:complexType>

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+ <vendor>Microsoft</vendor>
+ <product>Sysmon</product>
+ <version id="15.0" />
+ <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+ <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+ <NONEXISTING>HELLO</NONEXISTING>
+ <source>
+ <jira id="" />
+ <comment>lab, index = * EventCode=19</comment>
+ </source>
+ <note>Some event level note!!!</note>
+ <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+ <cim>
+ <models>
+ <model>Change:Endpoint_Changes</model>
+ </models>
+ <cim_fields>
+ <field name="action" value="created" note="some field level note!!!" />
+ <field name="change_type" value="filesystem" />
+ <field name="dest" value="server1" />
+ <field name="dvc" value="server1" />
+ <field name="object_category" value="wmi" />
+ <field name="result" value="created" />
+ <field name="src" value="server1" />
+ <field name="status" value="success" />
+ <field name="user" value="Administrator" />
+ <field name="user_name" value="Administrator" />
+ <field name="vendor_product" value="Microsoft Sysmon" />
+ <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+ <field name="signature_id" value="19" />
+ </cim_fields>
+ <missing_recommended_fields>
+ <field>command</field>
+ <field>object</field>
+ <field>object_attrs</field>
+ <field>object_id</field>
+ <field>object_path</field>
+ <field>result_id</field>
+ </missing_recommended_fields>
+ </cim>
+ </event>
+</device>
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+ <vendor>Microsoft</vendor>
+ <product>Sysmon</product>
+ <version id="15.0" />
+ <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+ <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+ <source>
+ <jira id="" />
+ <comment>lab, index = * EventCode=19</comment>
+ </source>
+ <note>Some event level note!!!</note>
+ <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+ <cim>
+ <models>
+ <model>Change:Endpoint_Changes</model>
+ </models>
+ <cim_fields>
+ <field name="action" value="created" note="some field level note!!!" />
+ <field name="change_type" value="filesystem" />
+ <field name="dest" value="server1" />
+ <field name="dvc" value="server1" />
+ <field name="object_category" value="wmi" />
+ <field name="result" value="created" />
+ <field name="src" value="server1" />
+ <field name="status" value="success" />
+ <field name="user" value="Administrator" />
+ <field name="user_name" value="Administrator" />
+ <field name="vendor_product" value="Microsoft Sysmon" />
+ <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+ <field name="signature_id" value="19" />
+ </cim_fields>
+ <missing_recommended_fields>
+ <field>command</field>
+ <field>object</field>
+ <field>object_attrs</field>
+ <field>object_id</field>
+ <field>object_path</field>
+ <field>result_id</field>
+ </missing_recommended_fields>
+ </cim>
+ </event>
+</device>
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<device>
+ <vendor>Microsoft</vendor>
+ <product>Sysmon</product>
+ <version id="15.0" />
+ <event code="19" name="EventID_19_WmiEvent_(WmiEventFilter_activity_detected)" format="">
+ <transport type="windows_input" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host="SERVER1" />
+ <source>
+ <jira id="" />
+ <comment>lab, index = * EventCode=19</comment>
+ </source>
+ <note>Some event level note!!!</note>
+ <raw><![CDATA[<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>19</EventID><Version>3</Version><Level>4</Level><Task>19</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-08-24T08:52:46.446846100Z'/><EventRecordID>114712</EventRecordID><Correlation/><Execution ProcessID='1336' ThreadID='2120'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>server1</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='EventType'>WmiFilterEvent</Data><Data Name='UtcTime'>2023-08-24 08:52:46.443</Data><Data Name='Operation'>Created</Data><Data Name='User'>SERVER1\Administrator</Data><Data Name='EventNamespace'> "root\\cimv2"</Data><Data Name='Name'> "ServiceFilter_creation_for_EventID19"</Data><Data Name='Query'> "select Look_ME_UP_eventID19 from __instanceModificationEvent within 5 where targetInstance isa 'non_existent'"</Data></EventData></Event>]]></raw>
+ <cim>
+ <models>
+ <model>Change:Endpoint_Changes</model>
+ </models>
+ <cim_fields>
+ <field name="action" value="created" note="some field level note!!!" />
+ <field name="change_type" value="filesystem" />
+ <field name="dest" value="server1" />
+ <field name="dvc" value="server1" />
+ <field name="object_category" value="wmi" />
+ <field name="result" value="created" />
+ <field name="src" value="server1" />
+ <field name="status" value="success" />
+ <field name="user" value="Administrator" />
+ <field name="user_name" value="Administrator" />
+ <field name="vendor_product" value="Microsoft Sysmon" />
+ <field name="signature" value="WmiEvent (WmiEventFilter activity detected)" />
+ <field name="signature_id" value="19" />
+ </cim_fields>
+ <missing_recommended_fields>
+ <field>command</field>
+ <field>object</field>
+ <field>object_attrs</field>
+ <field>object_id</field>
+ <field>object_path</field>
+ <field>result_id</field>
+ </missing_recommended_fields>
+ </cim>
+ </event>
+</device>
@@ -0,0 +1,31 @@
+import os.path
+
+import pytest
+from xmlschema import XMLSchema, XMLSchemaChildrenValidationError
+
+from pytest_splunk_addon.standard_lib.sample_generation.pytest_splunk_addon_data_parser import (
+ SCHEMA_PATH,
+)
+
+
+@pytest.fixture
+def validator() -> XMLSchema:
+ return XMLSchema(SCHEMA_PATH)
+
+
+def get_xml(name: str) -> str:
+ with open(os.path.join(os.path.dirname(__file__), "test_data", "xmls", name)) as fp:
+ return fp.read()
+
+
+def test_validate_schema(validator):
+ validator.validate(get_xml("lr_without_notes.xml"))
+
+
+def test_validate_schema_incorrect_event_element(validator):
+ with pytest.raises(XMLSchemaChildrenValidationError):
+ validator.validate(get_xml("lr_incorrect.xml"))
+
+
+def test_validate_schema_notes(validator):
+ validator.validate(get_xml("lr_notes.xml"))