Merge pull request #685 from adplotzk/main

Firewall Profile Implementation

dictionary.json

@@ -2605,6 +2605,11 @@
       "description": "The rules that reported the events.",
       "type": "rule"
     },
+    "firewall_rule": {
+      "caption": "Firewall Rule",
+      "description": "The firewall rules that triggered the events.",
+      "type": "firewall_rule"
+    },
     "run_state": {
       "caption": "Run State",
       "description": "The state of the job or service, normalized to the caption of the run_state_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
@@ -3227,6 +3232,32 @@
       "caption": "Network Zone",
       "description": "The network zone or LAN segment.",
       "type": "string_t"
+    },
+    "condition": {
+      "caption": "Condition",
+      "description": "The rule trigger condition for the rule. For example: SQL_INJECTION.",
+      "type": "string_t"
+    },
+    "sensitivity": {
+      "caption": "Sensitivity",
+      "description": "The sensitivity of the firewall rule in the matched event. For example: HIGH.",
+      "type": "string_t"
+    },
+    "match_location": {
+      "caption": "Match Location",
+      "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
+      "type": "string_t"
+    },
+    "match_details": {
+      "caption": "Match Details",
+      "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.",
+      "is_array": true,
+      "type": "string_t"
+    },
+    "rate_limit": {
+      "caption": "Rate Limit",
+      "description": "The rate limit for a rate-based rule.",
+      "type": "integer_t"
     }
   },
   "types": {

events/network/http.json

@@ -1,10 +1,17 @@
 {
+  "description": "HTTP Activity events report HTTP connection and traffic information.",
+  "extends": "network_activity",
   "caption": "HTTP Activity",
-  "uid": 2,
   "name": "http_activity",
-  "extends": "network_activity",
-  "description": "HTTP Activity events report HTTP connection and traffic information.",
+  "category": "network",
+  "uid": 2,
+  "profiles": [
+    "firewall"
+  ],
   "attributes": {
+    "$include": [
+      "profiles/firewall.json"
+    ],
     "activity_id": {
       "$include": "enums/http_activity.json"
     },

objects/firewall_rule.json

@@ -0,0 +1,35 @@
+{
+  "caption": "Firewall Rule",
+  "name": "firewall_rule",
+  "description": "The firewall rule object associated with a policy or event.",
+  "extends": "rule",
+  "attributes": {
+    "condition": {
+      "requirement": "optional"
+    },
+    "sensitivity": {
+      "requirement": "optional"
+    },	
+    "match_location": {
+      "requirement": "optional"
+    },	
+    "match_details": {
+      "requirement": "optional"
+    },	
+    "rate_limit": {
+      "requirement": "optional"
+    },	
+    "status_code": {
+      "description": "The firewall event status code, detailing the rule action of the event source.",
+      "requirement": "optional"
+    },	
+    "response_time": {
+      "description": "The rule response time, usually used for challenge completion time.",
+      "requirement": "optional"
+    },	
+    "message": {
+      "description": "The description of the firewall event rule action, as defined by the event source.",
+      "requirement": "optional"
+    }
+  }
+}

profiles/firewall.json

@@ -0,0 +1,20 @@
+{
+  "description": "The attributes that identify firewall events such as firewall_rule.",
+  "meta": "profile",
+  "caption": "Firewall",
+  "name": "firewall",
+  "annotations": {
+    "group": "primary"
+  },
+  "attributes": {
+    "firewall_rule": {
+      "requirement": "required"
+    },
+    "disposition": {
+      "requirement": "optional"
+    },
+    "disposition_id": {
+      "requirement": "required"
+    }
+  }
+}