From 34783042eb777bafce967ccdf2b47c2409dde85d Mon Sep 17 00:00:00 2001
From: cwadhwani
Date: Thu, 6 Feb 2025 12:27:10 +0530
Subject: [PATCH 1/2] feat: Added support for vectra json logs
---
docs/sources/vendor/Vectra/cognito_json.md | 42 +++
.../syslog/app-syslog-vectra_json.conf | 104 ++++++
.../addons/vectra/app-syslog-vectra_json.conf | 104 ++++++
tests/test_vectra_json.py | 303 ++++++++++++++++++
4 files changed, 553 insertions(+)
create mode 100644 docs/sources/vendor/Vectra/cognito_json.md
create mode 100644 package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
create mode 100644 package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
create mode 100644 tests/test_vectra_json.py
diff --git a/docs/sources/vendor/Vectra/cognito_json.md b/docs/sources/vendor/Vectra/cognito_json.md
new file mode 100644
index 0000000000..a113f823e4
--- /dev/null
+++ b/docs/sources/vendor/Vectra/cognito_json.md
@@ -0,0 +1,42 @@
+# Cognito JSON
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for Vectra Detect (JSON) | |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+|vectra:cognito:detect:json||
+|vectra:cognito:hostscoring:json||
+|vectra:cognito:hostdetect:json||
+|vectra:cognito:hostlockdown:json||
+|vectra:cognito:accountscoring:json||
+|vectra:cognito:accountdetect:json||
+|vectra:cognito:accountlockdown:json||
+|vectra:cognito:campaigns:json||
+|vectra:cognito:audit:json||
+|vectra:cognito:health:json||
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+|vectra_cognito detect_detect |vectra:cognito:detect:json |main|
+|vectra_cognito detect_hostscoring |vectra:cognito:hostscoring:json |main|
+|vectra_cognito detect_hostdetect |vectra:cognito:hostdetect:json |main|
+|vectra_cognito detect_hostlockdown |vectra:cognito:hostlockdown:json |main|
+|vectra_cognito detect_accountscoring |vectra:cognito:accountscoring:json |main|
+|vectra_cognito detect_accountdetect |vectra:cognito:accountdetect:json |main|
+|vectra_cognito detect_accountlockdown |vectra:cognito:accountlockdown:json |main|
+|vectra_cognito detect_campaigns |vectra:cognito:campaigns:json |main|
+|vectra_cognito detect_audit |vectra:cognito:audit:json |main|
+|vectra_cognito detect_health |vectra:cognito:health:json |main|
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
new file mode 100644
index 0000000000..e618c550bd
--- /dev/null
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+ channel {
+ parser {
+ regexp-parser(
+ prefix(".tmp.")
+ patterns('\"vectra_timestamp\"\:\s\"(?[^\"]+)\"')
+ template("$MESSAGE")
+ );
+ date-parser-nofilter(
+ format('%s')
+ template("${.tmp.timestamp}")
+ );
+ };
+
+ rewrite {
+ subst('\-\:\s',"",value("MESSAGE"));
+ };
+
+ rewrite {
+ r_set_splunk_dest_default(
+ index("main")
+ sourcetype('vectra:cognito:detect:json')
+ vendor("vectra")
+ product("cognito detect")
+ class('detect')
+ template("t_msg_only")
+ );
+ };
+
+ if (message('\"host_\w+\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostscoring:json')
+ class('hostscoring')
+ condition(message('\"HOST\sSCORING\"'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostdetect:json')
+ class('hostdetect')
+ condition(message('\"detection_id\"\:'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostlockdown:json')
+ class('hostlockdown')
+ condition(message('\"success\"\:'))
+ );
+ };
+ } elif (message('\"account_uid\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountscoring:json')
+ class('accountscoring')
+ condition(message('\"ACCOUNT\sSCORING\"'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountdetect:json')
+ class('accountdetect')
+ condition(message('\"detection_id\"\:'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountlockdown:json')
+ class('accountlockdown')
+ condition(message('\"success\"\:'))
+ );
+ };
+ } elif (message('\"campaign_id\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:campaigns:json')
+ class('campaigns')
+ );
+ };
+ } elif (message('\"role\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:audit:json')
+ class('audit')
+ );
+ };
+ } elif (message('\"type\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:health:json')
+ class('health')
+ );
+ };
+ } else {};
+ };
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+ filter {
+ program('vectra_json' type(string) flags(prefix));
+ };
+ parser { app-syslog-vectra-json(); };
+};
\ No newline at end of file
diff --git a/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf b/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
new file mode 100644
index 0000000000..e618c550bd
--- /dev/null
+++ b/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
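Review bot: The `subst('\-\:\s',"",value("MESSAGE"))` rewrite near the top of the block is unanchored, so for an event that lacks the leading `-: ` residue (or whose JSON body, for example the audit `message` value, contains that sequence first) the substitution deletes characters from inside the payload instead of the prefix; anchoring it as `subst('^\-\:\s', "", value("MESSAGE"));` limits it to the header residue the tests show. As rendered here the timestamp extractor reads `patterns('\"vectra_timestamp\"\:\s\"(?[^\"]+)\"')`, where the capture group carries no name — that is not a valid PCRE group and `${.tmp.timestamp}` would never be set for `date-parser-nofilter`; if the committed file actually has `(?<timestamp>[^\"]+)` this is only a rendering artifact, but it deserves a check because every sample in tests/test_vectra_json.py sends a literal placeholder (`$vectra_timestamp`, `$timestamp`, `$UTCTime`) so this path is never exercised, and the `$UTCTime` sample hints the real value may not be the epoch that `format('%s')` expects. `product("cognito detect")` puts a space into the vendor_product key (the docs page lists it as `vectra_cognito detect_detect`), which is awkward for metadata overrides keyed on that string; `product("cognito_detect")` would match the underscore-joined form other sc4s parsers use, if the key is not already fixed elsewhere. The lite copy under package/lite/etc/addons/vectra/app-syslog-vectra_json.conf is byte-identical and needs the same changes.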
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+ channel {
+ parser {
+ regexp-parser(
+ prefix(".tmp.")
+ patterns('\"vectra_timestamp\"\:\s\"(?[^\"]+)\"')
+ template("$MESSAGE")
+ );
+ date-parser-nofilter(
+ format('%s')
+ template("${.tmp.timestamp}")
+ );
+ };
+
+ rewrite {
+ subst('\-\:\s',"",value("MESSAGE"));
+ };
+
+ rewrite {
+ r_set_splunk_dest_default(
+ index("main")
+ sourcetype('vectra:cognito:detect:json')
+ vendor("vectra")
+ product("cognito detect")
+ class('detect')
+ template("t_msg_only")
+ );
+ };
+
+ if (message('\"host_\w+\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostscoring:json')
+ class('hostscoring')
+ condition(message('\"HOST\sSCORING\"'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostdetect:json')
+ class('hostdetect')
+ condition(message('\"detection_id\"\:'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:hostlockdown:json')
+ class('hostlockdown')
+ condition(message('\"success\"\:'))
+ );
+ };
+ } elif (message('\"account_uid\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountscoring:json')
+ class('accountscoring')
+ condition(message('\"ACCOUNT\sSCORING\"'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountdetect:json')
+ class('accountdetect')
+ condition(message('\"detection_id\"\:'))
+ );
+ };
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:accountlockdown:json')
+ class('accountlockdown')
+ condition(message('\"success\"\:'))
+ );
+ };
+ } elif (message('\"campaign_id\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:campaigns:json')
+ class('campaigns')
+ );
+ };
+ } elif (message('\"role\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:audit:json')
+ class('audit')
+ );
+ };
+ } elif (message('\"type\"\:')) {
+ rewrite {
+ r_set_splunk_dest_update_v2(
+ sourcetype('vectra:cognito:health:json')
+ class('health')
+ );
+ };
+ } else {};
+ };
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+ filter {
+ program('vectra_json' type(string) flags(prefix));
+ };
+ parser { app-syslog-vectra-json(); };
+};
\ No newline at end of file
diff --git a/tests/test_vectra_json.py b/tests/test_vectra_json.py
new file mode 100644
index 0000000000..a01247ebf1
--- /dev/null
+++ b/tests/test_vectra_json.py
@@ -0,0 +1,303 @@
+import shortuuid
+import pytest
+
+from jinja2 import Environment, select_autoescape
+
+from .sendmessage import sendsingle
+from .splunkutils import splunk_single
+from .timeutils import time_operations
+import datetime
+
+env = Environment(autoescape=select_autoescape(default_for_string=False))
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"version": "$version", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "src_key_asset": $src_key_asset, "host_id": $host_id, "headend_addr": "$headend_addr", "category": "HOST SCORING", "dst_key_asset": $dst_key_asset, "privilege": $privilege, "certainty": $certainty, "score_decreases": $score_decreases, "vectra_timestamp": "$timestamp", "host_name": "$host_name", "threat": $threat}
+
+@pytest.mark.addons("vectra")
+def test_vectra_ai_hostscoring_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"version": "$version", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "src_key_asset": $src_key_asset, "host_id": $host_id, "headend_addr": "$headend_addr", "category": "HOST SCORING", "dst_key_asset": $dst_key_asset, "privilege": $privilege, "certainty": $certainty, "score_decreases": $score_decreases, "vectra_timestamp": "$timestamp", "host_name": "$host_name", "threat": $threat}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:hostscoring:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_account_v2 -: {"category": "ACCOUNT SCORING", "account_id": $account_id, "href": "$href", "certainty": $certainty, "privilege": $privilege, "score_decreases": $score_decreases, "version": "$version", "vectra_timestamp": "$timestamp", "headend_addr": "$headend_addr", "threat": $threat, "account_uid": "$account_uid"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_accountscoring_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_account_v2 -: {"category": "ACCOUNT SCORING", "account_id": $account_id, "href": "$href", "certainty": $certainty, "privilege": $privilege, "score_decreases": $score_decreases, "version": "$version", "vectra_timestamp": "$timestamp", "headend_addr": "$headend_addr", "threat": $threat, "account_uid": "$account_uid"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:accountscoring:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "version": "$version", "host_name": "$host_name", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "dd_proto": "$dd_proto", "d_type": "$d_type"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_hostdetect_json(
+ record_property, setup_splunk, setup_sc4s
+):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "host_ip": "$host_ip", "href": "$href", "detection_id": $detection_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "severity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "version": "$version", "host_name": "$host_name", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "dd_proto": "$dd_proto", "d_type": "$d_type"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:hostdetect:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_account_v2 -: {"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "href": "$href", "detection_id": $detect ion_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_ port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "sev erity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "account_uid": "$account_uid", "version": "$version", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "d_type": "$d_type"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_accountdetect_json(
+ record_property, setup_splunk, setup_sc4s
+):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_account_v2 -: {"d_type_vname": "$d_type_vname", "dvchost": "$dvchost", "href": "$href", "detection_id": $detect ion_id, "dd_bytes_sent": $dd_bytes_sent, "headend_addr": "$headend_addr", "dd_dst_port": $dd_dst_ port, "category": "$category", "dd_bytes_rcvd": $dd_bytes_rcvd, "dd_dst_dns": "$dd_dst_dns", "sev erity": $severity, "certainty": $certainty, "triaged": $triaged, "vectra_timestamp": "$timestamp", "account_uid": "$account_uid", "version": "$version", "threat": $threat, "dd_dst_ip": "$dd_dst_ip", "d_type": "$d_type"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:accountdetect:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"category": "$category ", "version": "$version", "success": "$success", "vectra_timestamp": "$UTCTime", "will_retry": "$retry", "href": "$href", "host_name": "$host_name", "action": "$action", "host_id": "$host_id", "headend_addr": "$headend_addr", "user": "$user"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_hostlockdown_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"category": "$category ", "version": "$version", "success": "$success", "vectra_timestamp": "$UTCTime", "will_retry": "$retry", "href": "$href", "host_name": "$host_name", "action": "$action", "host_id": "$host_id", "headend_addr": "$headend_addr", "user": "$user"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:hostlockdown:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_account_v2 -: {"category": "$category", "account_id": $account_id, "success": $success, "href": "$href", "vectra_timestamp": "$UTCTime", "headend_addr": "$headend_addr", "user": "$user", "version": "$version", "action": "$action", "account_uid": "$account_name"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_accountlockdown_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_account_v2 -: {"category": "$category", "account_id": $account_id, "success": $success, "href": "$href", "vectra_timestamp": "$UTCTime", "headend_addr": "$headend_addr", "user": "$user", "version": "$version", "action": "$action", "account_uid": "$account_name"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:accountlockdown:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"src_hid": "$src_hid", "timestamp": "$syslog_timestamp", "dvchost": "$dvchost", "campaign_id": "$campaign_id", "reason": "$reason", "src_name": "$src_name", "campaign_name": "$campaign_name", "campaign_link": "$campaign_link", "headend_addr": "$headend_addr", "dest_name": "$dest_name", "dest_id": "$dest_id", "vectra_timestamp": "$vectra_timestamp", "src_ip": "$src_ip", "version": "$version", "action": "$action", "dest_ip": "$dest_ip", "det_id": "$det_id"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_campaign_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"src_hid": "$src_hid", "timestamp": "$syslog_timestamp", "dvchost": "$dvchost", "campaign_id": "$campaign_id", "reason": "$reason", "src_name": "$src_name", "campaign_name": "$campaign_name", "campaign_link": "$campaign_link", "headend_addr": "$headend_addr", "dest_name": "$dest_name", "dest_id": "$dest_id", "vectra_timestamp": "$vectra_timestamp", "src_ip": "$src_ip", "version": "$version", "action": "$action", "dest_ip": "$dest_ip", "det_id": "$det_id"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:campaigns:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"source_ip": "$source_ip", "dvchost": "$dvchost", "version": "$version", "role": "$role", "user": "$user", "message": "$message", "vectra_timestamp": "$vectra_timestamp", "headend_addr": "$headend_addr", "result": "$result"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_audit_json(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"source_ip": "$source_ip", "dvchost": "$dvchost", "version": "$version", "role": "$role", "user": "$user", "message": "$message", "vectra_timestamp": "$vectra_timestamp", "headend_addr": "$headend_addr", "result": "$result"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:audit:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
+
+
+# <13>Jan 16 11:51:35 xxxxxxx vectra_json_v2 -: {"vectra_timestamp": "$vectra_timestamp", "version": "$version", "result": "$result", "type": "$type", "source_ip": "$source_ip", "message": "$message", "dvchost": "$dvchost", "headend_addr": "$headend_addr"}
+@pytest.mark.addons("vectra")
+def test_vectra_ai_health(record_property, setup_splunk, setup_sc4s):
+ host = f"{shortuuid.ShortUUID().random(length=5).lower()}-{shortuuid.ShortUUID().random(length=5).lower()}"
+
+ dt = datetime.datetime.now()
+ _, bsd, _, _, _, _, epoch = time_operations(dt)
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ '{{ mark }}{{ bsd }} {{ host }} vectra_json_v2 -: {"vectra_timestamp": "$vectra_timestamp", "version": "$version", "result": "$result", "type": "$type", "source_ip": "$source_ip", "message": "$message", "dvchost": "$dvchost", "headend_addr": "$headend_addr"}'
+ )
+ message = mt.render(mark="<13>", bsd=bsd, host=host)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="vectra:cognito:health:json"'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ result_count, _ = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", result_count)
+ record_property("message", message)
+
+ assert result_count == 1
From 09150ed837c1dc883dbdef3bc691b8d0b9845731 Mon Sep 17 00:00:00 2001
From: cwadhwani
Date: Mon, 31 Mar 2025 16:23:40 +0530
Subject: [PATCH 2/2] Empty commit for triggering workflow
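Review bot: The accountdetect sample in `test_vectra_ai_accountdetect_json` (both the comment and the template string) contains tokens split by spaces — `$detect ion_id`, `$dd_dst_ port` and `"sev erity"` — so the payload no longer carries a `severity` key and its unquoted values are not valid JSON; the test still passes only because routing is decided by `"account_uid":` and `"detection_id":`, so the green assertion does not show the sample is well-formed. If those spaces are in the committed file rather than an artifact of how this page is rendered, restore `$detection_id`, `$dd_dst_port` and `"severity"`. Every one of the nine tests sends a literal placeholder for `vectra_timestamp` (`$timestamp`, `$UTCTime`, `$vectra_timestamp`), so the parser's `date-parser-nofilter` path is never exercised and the `_time={{ epoch }}` match presumably comes from the BSD header; a comment such as `# vectra_timestamp is a placeholder here; _time is expected from the syslog header` next to the `epoch = epoch[:-7]` adjustment would keep a later reader from taking these tests as coverage of JSON timestamp parsing. `test_vectra_ai_health` is also the only test name without the `_json` suffix the other eight use.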