@@ -123,6 +123,7 @@ jobs:
123123 outputs :
124124 execute-knowledge-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_knowledge_labeled }}
125125 execute-escu-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_escu_labeled }}
126+ execute-spl2-escu-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_spl2_escu_labeled }}
126127 execute-ui-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_ui_labeled }}
127128 execute-modinput-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_modinput_functional_labeled }}
128129 execute-ucc-modinput-labeled : ${{ steps.configure-tests-on-labels.outputs.execute_ucc_modinput_functional_labeled }}
@@ -157,7 +158,7 @@ jobs:
157158 run : |
158159 set +e
159160 declare -A EXECUTE_LABELED
160- TESTSET=("execute_knowledge" "execute_escu" "execute_ui" "execute_modinput_functional" "execute_ucc_modinput_functional" "execute_scripted_inputs" "execute_requirement_test" "execute_upgrade")
161+ TESTSET=("execute_knowledge" "execute_escu" "execute_spl2_escu" " execute_ui" "execute_modinput_functional" "execute_ucc_modinput_functional" "execute_scripted_inputs" "execute_requirement_test" "execute_upgrade")
161162 for test_type in "${TESTSET[@]}"; do
162163 EXECUTE_LABELED["$test_type"]="false"
163164 done
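Review bot: The new TESTSET entry `" execute_ui"` carries a leading space, so the key stored in EXECUTE_LABELED becomes ` execute_ui` rather than `execute_ui`, and any later lookup or output for the UI tests under the unspaced name would silently miss it; the entry should read `"execute_ui"`. The logic that reads EXECUTE_LABELED back continues past the hunk, so I cannot confirm from here which spelling the consumer uses, but the other eight entries have no leading space.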
@@ -426,6 +427,155 @@ jobs:
426427 import yaml
427428 import os
428429 import configparser
430+ import re
431+
432+ # Parse app.conf get the appid of the TA.
433+ config = configparser.ConfigParser(strict=False)
434+ config.read("package/default/app.conf")
435+ APP_ID = config.get("id", "name")
436+
437+ # Read the file and remove trailing backslashes
438+ with open("package/default/props.conf", "r") as f:
439+ content = f.read()
440+
441+ # Remove trailing backslashes followed by a newline
442+ updated_content = re.sub(r"\\\n", "", content)
443+
444+ # Write the cleaned content to a new file
445+ with open("package/default/props.conf", "w") as f:
446+ f.write(updated_content)
447+
448+ # Parse props.conf and collect all the sourcetypes in a list.
449+ config = configparser.ConfigParser(strict=False)
450+ config.read("package/default/props.conf")
451+ sourcetypes = config.sections()
452+
453+ # Load the YAML content
454+ with open("security_content/contentctl.yml", "r") as file:
455+ data = yaml.safe_load(file)
456+
457+ for app in data["apps"]:
458+ if app['appid'] == APP_ID:
459+ app['hardcoded_path'] = ADDON_URL
460+
461+ # Write the modified data to the contentctl.yml file
462+ with open("security_content/contentctl.yml", "w") as file:
463+ yaml.dump(data,file,sort_keys=False)
464+
465+ # Filter out the detections based on the collected sourcetypes
466+ base_dir = "security_content/detections"
467+ detection_files = ""
468+
469+ for root, dirs, files in os.walk(base_dir):
470+ for file in files:
471+ file_path = os.path.join(root, file)
472+
473+ try:
474+ with open(file_path, "r") as file:
475+ file_content = yaml.safe_load(file)
476+ if file_content["tests"][0]["attack_data"][0]["sourcetype"] in sourcetypes or file_content["tests"][0]["attack_data"][0]["source"] in sourcetypes:
477+ detection_files += file_path.replace("security_content/", "") + " "
478+
479+
480+ except Exception as e:
481+ continue
482+
483+ # Save detection_files as an output variable
484+ with open(os.getenv('GITHUB_OUTPUT'), 'w') as output_file:
485+ output_file.write(f"DETECTION_FILES={detection_files}")
486+
487+ print(f"Filtered Detection files = {detection_files}")
488+
489+ - name : Run ESCU Tests
490+ run : |
491+
492+ cd security_content
493+ echo "Content of contentctl.yml file"
494+ cat contentctl.yml
495+
496+ echo "contentctl test --container-settings.num-containers 4 --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files ${{ steps.filter-detection-files.outputs.DETECTION_FILES }}"
497+
498+ contentctl test --container-settings.num-containers 4 --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files ${{ steps.filter-detection-files.outputs.DETECTION_FILES }}
499+
500+ - uses : actions/upload-artifact@v4
501+ with :
502+ name : escu_test_summary_results
503+ path : |
504+ security_content/test_results/summary.yml
505+ security_content/dist/DA-ESS-ContentUpdate-latest.tar.gz
506+ continue-on-error : true
507+
508+ run-spl2-escu-tests :
509+ if : ${{ !cancelled() && needs.setup-workflow.outputs.execute-spl2-escu-labeled == 'true' }}
510+ needs :
511+ - build
512+ - setup-workflow
513+ - setup
514+
515+ runs-on : ubuntu-latest
516+ strategy :
517+ fail-fast : false
518+ matrix :
519+ python-version :
520+ - " 3.11"
521+ permissions :
522+ actions : read
523+ deployments : read
524+ contents : read
525+ packages : read
526+ statuses : read
527+ checks : write
528+ steps :
529+ - uses : actions/checkout@v4
530+ - uses : actions/setup-python@v5
531+ with :
532+ python-version : ${{ matrix.python-version }}
533+
534+ - name : Install Python Dependencies and ContentCTL
535+ run : |
536+ python -m pip install --upgrade pip
537+ pip install contentctl==5.0.0
538+ git clone https://github.com/splunk/security_content.git
539+
540+
541+ - name : Download TA Build Artifact
542+ uses : actions/download-artifact@v4
543+ with :
544+ name : package-splunkbase
545+ path : ta_build
546+
547+ - name : Get the build path
548+ run : |
549+ TA_BUILD=$(ls ta_build)
550+ TA_BUILD_PATH="${{ github.workspace }}/ta_build/$TA_BUILD"
551+ echo "TA_BUILD_PATH=$TA_BUILD_PATH" >> $GITHUB_ENV
552+
553+ pwd
554+
555+ echo ',,978075574018620,TRAFFIC,drop,10.0,,141.151.140.150,198.0.181.90,0.0.0.0,0.0.0.0,Advanced-human-resource-product,davis/duncanashley,,nielsenrebecca,vsys1,Streamlined-asymmetric-methodology,User-friendly-next-generation-structure,,,fL-logger,,1452,1,56710,389,0,0,5002,udp,allow,6134,3098,3036,7623,2022/02/23 20:30:51,5807,any,,3053,-216944275885572,ZW,ID,,6153,1470,Unknown,0,0,0,0,,PA-uw,Unknown,,,0,,0,,hrs-oL-wDV' > detection.log
556+
557+ pwd
558+ ls
559+
560+ - name : Run Python Script
561+ id : filter-detection-files
562+ shell : python
563+ run : |
564+ import yaml
565+ import os
566+ import configparser
567+ import re
568+
569+ # Read the file and remove trailing backslashes
570+ with open("package/default/props.conf", "r") as f:
571+ content = f.read()
572+
573+ # Remove trailing backslashes followed by a newline
574+ updated_content = re.sub(r"\\\n", "", content)
575+
576+ # Write the cleaned content to a new file
577+ with open("package/default/props.conf", "w") as f:
578+ f.write(updated_content)
429579
430580 # Parse props.conf and collect all the sourcetypes in a list.
431581 config = configparser.ConfigParser(strict=False)
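Review bot: The `contentctl test` command and the `echo` before it in the Run ESCU Tests step expand `${{ steps.filter-detection-files.outputs.DETECTION_FILES }}` straight into the shell script, and that output is assembled from file paths walked out of the freshly cloned security_content checkout, so a path containing shell metacharacters would be interpreted by the runner's shell rather than passed as data; route it through `env:` and reference `$DETECTION_FILES` in the script instead (left unquoted only because it is a space-separated list). The `git clone https://github.com/splunk/security_content.git` in the new job is unpinned, so the detections and contentctl.yml under test drift with upstream HEAD; pinning a tag or commit would make runs reproducible. `ADDON_URL` in the first script (`app['hardcoded_path'] = ADDON_URL`) is not assigned anywhere in the visible lines and will raise NameError unless it is defined above the imports, outside the hunk. The matrix entry `- " 3.11"` has a leading space that setup-python receives verbatim; it should be `- "3.11"`. The `open(os.getenv('GITHUB_OUTPUT'), 'w')` write also lacks a trailing newline and truncates the file, so `'a'` with `f"DETECTION_FILES={detection_files}\n"` is the safer form.
```yaml
      - name : Run ESCU Tests
        env :
          DETECTION_FILES : ${{ steps.filter-detection-files.outputs.DETECTION_FILES }}
        run : |
          cd security_content
          # … unchanged: echo/cat of contentctl.yml …
          echo "contentctl test --container-settings.num-containers 4 --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files $DETECTION_FILES"
          contentctl test --container-settings.num-containers 4 --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files $DETECTION_FILES
```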
@@ -436,12 +586,24 @@ jobs:
436586 with open("security_content/contentctl.yml", "r") as file:
437587 data = yaml.safe_load(file)
438588
589+ data["container_settings"]["full_image_path"] = data["container_settings"]["full_image_path"].replace("9.3", "9.4")
590+
439591 data["apps"] = [{'uid': 1621, 'title': "Splunk Common Information Model (CIM)", 'version': "6.0.1", 'appid': "Splunk_SA_CIM", 'hardcoded_path': "https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_601.tgz"}, {'title': ${{ needs.setup.outputs.addon-name }}, 'version': "default", 'appid': ${{ needs.setup.outputs.addon-name }}, 'hardcoded_path': "${{ env.TA_BUILD_PATH }}"}]
440592
441593 # Write the modified data to the contentctl.yml file
442594 with open("security_content/contentctl.yml", "w") as file:
443595 yaml.dump(data,file,sort_keys=False)
444596
597+ # Load the YAML content
598+ with open("security_content/detections/network/detect_outbound_ldap_traffic.yml", "r") as file:
599+ data = yaml.safe_load(file)
600+
601+ data["tests"][0]["attack_data"][0]["data"] = "${{ github.workspace }}/detection.log"
602+
603+ # Write the modified data to the contentctl.yml file
604+ with open("security_content/detections/network/detect_outbound_ldap_traffic.yml", "w") as file:
605+ yaml.dump(data,file,sort_keys=False)
606+
445607 # Filter out the detections based on the collected sourcetypes
446608 base_dir = "security_content/detections"
447609 detection_files = ""
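Review bot: `data["container_settings"]["full_image_path"].replace("9.3", "9.4")` is a blind substring edit that silently leaves the image tag untouched when the cloned contentctl.yml no longer says 9.3, so the job would test against whatever upstream ships with no signal; an `assert "9.3" in data["container_settings"]["full_image_path"], "unexpected image tag in contentctl.yml"` before the replace, or a single named variable for the intended tag, would make the intent visible and fail loudly. The detection rewrite below it overwrites only `tests[0].attack_data[0].data` of the one hardcoded detection file; a short comment stating that only the first test's first dataset is redirected to the generated `detection.log` would help the next reader. The script's sourcetype filter loop continues below the hunk.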
@@ -470,12 +632,25 @@ jobs:
470632 run : |
471633
472634 cd security_content
635+
473636 echo "Content of contentctl.yml file"
474637 cat contentctl.yml
475638
476- echo "contentctl test --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files ${{ steps.filter-detection-files.outputs.DETECTION_FILES }}"
639+ echo "Content of etect_outbound_ldap_traffic.yml file"
640+ cat detections/network/detect_outbound_ldap_traffic.yml
641+
642+ echo "contentctl test --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files detections/network/detect_outbound_ldap_traffic.yml"
477643
478- contentctl test --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files ${{ steps.filter-detection-files.outputs.DETECTION_FILES }}
644+ contentctl test --post-test-behavior never_pause --verbose --container-settings.no-leave-running mode:selected --mode.files detections/network/detect_outbound_ldap_traffic.yml
645+
646+ - uses : actions/upload-artifact@v4
647+ with :
648+ name : spl2_escu_test_summary_results
649+ path : |
650+ test_results/summary.yml
651+ dist/DA-ESS-ContentUpdate-latest.tar.gz
652+ continue-on-error : true
653+
479654
480655 run-unit-tests :
481656 name : test-unit-python3-${{ matrix.python-version }}
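Review bot: The new upload-artifact step in the spl2 job lists `test_results/summary.yml` and `dist/DA-ESS-ContentUpdate-latest.tar.gz`, but the `cd security_content` at the top of the preceding step does not carry over to a separate step, so unless a `working-directory` default is set elsewhere these paths resolve against the workspace root and the upload finds nothing, which `continue-on-error: true` then hides; the first job's copy of this step uses `security_content/test_results/summary.yml`, and this one should match it. The echo label `Content of etect_outbound_ldap_traffic.yml file` is missing the leading `d`. Since this job's `contentctl test` now hardcodes `detections/network/detect_outbound_ldap_traffic.yml`, the `filter-detection-files` step's sourcetype walk and its DETECTION_FILES output appear to be dead work in this job and could be dropped or the step's id left documented as unused.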