

Merge pull request #464 from splunk/main
Email and some final schema updates
mikeradka authored Jan 31, 2023
2 parents 7666d5c + 3cd9447 commit 5e05065
Showing 10 changed files with 72 additions and 71 deletions.
55 changes: 55 additions & 0 deletions dictionary.json
Expand Up @@ -179,6 +179,16 @@
"description": "The arguments sent along with the HTTP request.",
"type": "string_t"
},
"attempt": {
"caption": "Attempt",
"description": "The delivery attempt.",
"type": "integer_t"
},
"banner": {
"caption": "SMTP Banner",
"description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
"type": "string_t"
},
"attacks": {
"caption": "Attacks",
"description": "An array of attacks associated with an event.",
Expand Down Expand Up @@ -1215,6 +1225,36 @@
"sibling": "disposition",
"type": "integer_t"
},
"dkim": {
"caption": "DKIM Status",
"description": "The DomainKeys Identified Mail (DKIM) status of the email.",
"type": "string_t"
},
"dkim_domain": {
"caption": "DKIM Domain",
"description": "The DomainKeys Identified Mail (DKIM) signing domain of the email.",
"type": "string_t"
},
"dkim_signature": {
"caption": "DKIM Signature",
"description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
"type": "string_t"
},
"dmarc": {
"caption": "DMARC Status",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.",
"type": "string_t"
},
"dmarc_override": {
"caption": "DMARC Override",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.",
"type": "string_t"
},
"dmarc_policy": {
"caption": "DMARC Policy",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
"type": "string_t"
},
"domain": {
"caption": "Domain",
"description": "The name of the domain.",
Expand Down Expand Up @@ -1255,6 +1295,11 @@
"description": "The user's email address.",
"type": "email_t"
},
"email_auth": {
"caption": "Email Authentication",
"description": "The SPF, DKIM and DMARC attributes of an email.",
"type": "email_auth"
},
"end_time": {
"caption": "End Time",
"description": "The end time of a time period. See specific usage.",
Expand Down Expand Up @@ -2223,6 +2268,11 @@
"description": "The ctotal amount of installed RAM, in Megabytes. For example: <code>2048</code>.",
"type": "integer_t"
},
"raw_header": {
"caption": "Raw Header",
"description": "The email authentication header.",
"type": "string_t"
},
"raw_data": {
"caption": "Raw Data",
"description": "The event data as received from the event source.",
Expand Down Expand Up @@ -2652,6 +2702,11 @@
"description": " The Server Name Indication (SNI) extension sent by the client.",
"type": "string_t"
},
"spf": {
"caption": "SPF Status",
"description": "The Sender Policy Framework (SPF) status of the email.",
"type": "string_t"
},
"sp_name": {
"caption": "OS Service Pack",
"description": "The name of the latest Service Pack.",
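Review bot: The new `spf`, `dkim` and `dmarc` attributes are typed `string_t` even though their captions call them a status, so nothing constrains producers to one vocabulary — one source will emit `pass`, another `Pass` or `PASS`, and detections keyed on email authentication results will silently miss. If the dictionary supports enumerated values, constrain these to the result names RFC 8601 defines for the Authentication-Results header (for example `none`, `pass`, `fail`, `softfail`, `neutral`, `temperror`, `permerror`); otherwise at least state the expected casing in each description. `raw_header` is described only as "The email authentication header."; if it is meant to hold the raw `Authentication-Results` header, say so and note that it is copied as received and is not itself evidence of a verified result, since a sender can inject a forged header that the receiving MTA is expected to strip. `dkim_signature` "used by the sending/receiving system" is ambiguous — the signature is produced by the signing domain and only verified on receipt; `"The DomainKeys Identified Mail (DKIM) signature header (DKIM-Signature) attached to the email by the signing domain."` would be clearer. Minor: `attempt` and `banner` are inserted between `arguments` and `attacks`, and `raw_header` before `raw_data`, breaking the alphabetical order the surrounding entries follow.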
1 change: 0 additions & 1 deletion events/network/email.json
Expand Up @@ -11,7 +11,6 @@
],
"attributes": {
"$include": [
"includes/email.json",
"profiles/host.json",
"profiles/security_control.json"
],
56 changes: 3 additions & 53 deletions extensions/dev/dictionary.json
Expand Up @@ -24,16 +24,6 @@
"description": "The name of the user who is assigned to the incident.",
"type": "string_t"
},
"attempt": {
"caption": "Attempt",
"description": "The delivery attempt.",
"type": "integer_t"
},
"banner": {
"caption": "SMTP Banner",
"description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
"type": "string_t"
},
"blue_pixel": {
"caption": "Blue Pixel Info",
"description": "The information pertaining to how a blue pixel was transmitted.",
Expand Down Expand Up @@ -99,46 +89,11 @@
"description": "The information that is displayed to the user that describes the impact of a client side override action.",
"type": "string_t"
},
"dkim": {
"caption": "DKIM Status",
"description": "The DomainKeys Identified Mail (DKIM) status of the email.",
"type": "string_t"
},
"dkim_domain": {
"caption": "DKIM Domain",
"description": "The DomainKeys Identified Mail (DKIM) signing domain of the email.",
"type": "string_t"
},
"dkim_signature": {
"caption": "DKIM Signature",
"description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
"type": "string_t"
},
"dmarc": {
"caption": "DMARC Status",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.",
"type": "string_t"
},
"dmarc_override": {
"caption": "DMARC Override",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.",
"type": "string_t"
},
"dmarc_policy": {
"caption": "DMARC Policy",
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
"type": "string_t"
},
"effective_time": {
"caption": "Effective Date",
"description": "The date and time that the specific policy and rule was applied and became operational. ",
"type": "timestamp_t"
},
"email_auth": {
"caption": "Email Authentication",
"description": "The SPF, DKIM and DMARC attributes of an email.",
"type": "email_auth"
},
"email_uid": {
"caption": "Email UID",
"description": "The unique identifier of the email, used to correlate related email alert and activity events.",
Expand Down Expand Up @@ -348,11 +303,6 @@
"description": "The unique identifier of the item that was quarantined or restored from quarantine.",
"type": "string_t"
},
"raw_header": {
"caption": "Raw Header",
"description": "The email authentication header.",
"type": "string_t"
},
"recovery_key_uid": {
"caption": "Recovery Key UID",
"description": "The unique identifier of the recovery key of the volume.",
Expand Down Expand Up @@ -434,9 +384,9 @@
"description": "The SMTP Transport Layer Security (TLS) attributes.",
"type": "smtp_tls"
},
"spf": {
"caption": "SPF Status",
"description": "The Sender Policy Framework (SPF) status of the email.",
"session_uid": {
"caption": "Session UID",
"description": "The unique ID of the user session, as reported by the OS.<br /><br /><u>Examples:</u> <ul><li><i><b>*nix: </b><i>Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: Started Session 222 of User ubuntu.</li><ul><li><b>session_uid</b> == 222</li></ul><li><b>Windows:</b> Logon ID: 0xd22e9734</li><ul><li><b>session_uid</b> == 0xd22e9734</li></ul></ul>",
"type": "string_t"
},
"start_type": {
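Review bot: The `session_uid` description added in the last hunk carries malformed HTML: the `*nix` example opens `<i>` twice (`<i><b>*nix: </b><i>Aug 10 …`) and never closes it, and the inner `<ul>` elements are placed directly inside the outer `<ul>` rather than inside an `<li>`, so whatever renders these descriptions will either leak italics across the rest of the page or have to repair the tree. Suggested rewrite of that fragment: `<li><i><b>*nix: </b>Aug 10 17:31:16 ip-192-168-1-1 systemd[1]: Started Session 222 of User ubuntu.</i><ul><li><b>session_uid</b> == 222</li></ul></li>`, with the Windows item nested the same way. The examples also mix a decimal (`222`) and a hex (`0xd22e9734`) identifier under one `string_t` field; a sentence stating that the value is carried verbatim from the OS, not normalized, would spare consumers from guessing. The surrounding dictionary object begins and ends outside the hunk.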
4 changes: 0 additions & 4 deletions extensions/dev/events/cloud/cloud_api.json
Expand Up @@ -30,10 +30,6 @@
"group": "primary",
"requirement": "optional"
},
"identity": {
"group": "primary",
"requirement": "required"
},
"resources": {
"group": "primary",
"requirement": "recommended"
5 changes: 4 additions & 1 deletion extensions/dev/events/network/email/email_file.json
Expand Up @@ -11,14 +11,17 @@
],
"attributes": {
"$include": [
"includes/email.json",
"profiles/host.json",
"profiles/security_control.json"
],
"file": {
"description": "The email file attachment.",
"group": "primary",
"requirement": "required"
},
"email_uid": {
"requirement": "recommended",
"group": "primary"
}
}
}
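Review bot: `email_uid` is added at `recommended` while `file` stays `required`, yet as far as this hunk shows the identifier is the only thing that ties the attachment event back to the message it came from (the dev dictionary describes it as "used to correlate related email alert and activity events"), so a record without it cannot be joined to its Email Activity event. If that correlation is the point of the event, make it `"requirement": "required"`, or add a `description` stating when it may legitimately be absent — the sibling `file` entry has one, this entry does not. The entry also lists `requirement` before `group`, the reverse of `file`; `"group": "primary", "requirement": "recommended"` keeps the two consistent. The enclosing attributes object begins above the hunk.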
5 changes: 4 additions & 1 deletion extensions/dev/events/network/email/email_url.json
Expand Up @@ -11,10 +11,13 @@
],
"attributes": {
"$include": [
"includes/email.json",
"profiles/host.json",
"profiles/security_control.json"
],
"email_uid": {
"requirement": "recommended",
"group": "primary"
},
"url": {
"description": "The URL included in the email content.",
"group": "primary",
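Review bot: The new `email_uid` entry has no `description`, unlike the neighbouring `url` entry, and orders `requirement` before `group`, the reverse of the file's existing entries; `"email_uid": { "group": "primary", "requirement": "recommended" }` matches the surrounding style. A URL event that lacks `email_uid` cannot be traced back to the message the URL was extracted from, which is the usual question an analyst asks of this event, so consider whether `recommended` is the right level relative to `url` (whose own `requirement` line falls outside the hunk). The enclosing attributes object begins above the hunk.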
10 changes: 0 additions & 10 deletions includes/email.json

This file was deleted.

5 changes: 5 additions & 0 deletions objects/email.json
Expand Up @@ -40,6 +40,11 @@
},
"x_originating_ip": {
"requirement": "optional"
},
"uid": {
"caption": "Email UID",
"description": "The email unique identifier.",
"requirement": "recommended"
}
}
}
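Review bot: The new `uid` attribute on the email object describes the same thing as the dictionary attribute `email_uid` ("The unique identifier of the email, used to correlate related email alert and activity events", visible in the dev dictionary context above), so the schema now carries one identifier in two places with no statement of how they relate — producers will populate one and consumers will filter on the other. Either tie them together in the new description, e.g. `"description": "The unique identifier of the email, used to correlate related email alert and activity events. Equivalent to email_uid."`, or designate one of the two as canonical and say so. The rest of the email object lies outside the hunk.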
File renamed without changes.
2 changes: 1 addition & 1 deletion version.json
@@ -1,3 +1,3 @@
{
"version": "0.57.0"
"version": "0.99.0"
}

