-
Notifications
You must be signed in to change notification settings - Fork 477
Expand file tree
/
Copy pathCSVLookup.schema.json
More file actions
135 lines (135 loc) · 4.89 KB
/
Copy pathCSVLookup.schema.json
File metadata and controls
135 lines (135 loc) · 4.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
{
"additionalProperties": false,
"description": "Represents a CSV-backed Lookup object.",
"properties": {
"name": {
"description": "Each Security Content Object must have a unique name. Due to issues with how local/default stanzas are merged in the Splunk products, these names MUST NOT change between subsequent releases of content packs.",
"title": "Name",
"type": "string"
},
"id": {
"description": "Each Security Content Object must have a unique identifier. This is particularly important when leveraging many of the Content Versioning features built into Enterprise Security 8+. Unique ids may be generated with a python command such as `uuid.uuid4()` or similar.",
"format": "uuid",
"title": "Id",
"type": "string"
},
"version": {
"description": "The version of this object. This number MUST be incremented in the following circumstances:\n1. Any time the object in this file is modified\n2. Any time that the serialization logic for this object changes, changing what is written in its conf file stanza(s)\n3. Any time that an object this object references, for example via enrichment, causes a change in its associated conf file stanzas(s).\nThis final determination is challenging to make manually, so the `contentctl inspect command` will help identify when this a version increment is required.",
"exclusiveMinimum": 0,
"title": "Version",
"type": "integer"
},
"creation_date": {
"description": "The date that this object was created. This should NEVER be updated.",
"format": "date",
"title": "Creation Date",
"type": "string"
},
"modification_date": {
"description": "The date that this object was last modified. This should be updated whenever the object is modified.",
"format": "date",
"title": "Modification Date",
"type": "string"
},
"author": {
"description": "The author of this object. This is a freeform string that can be used to identify the author of the object. It will eventually be replaced by a more detailed Contributors list.",
"title": "Author",
"type": "string"
},
"description": {
"description": "A description of the Security Content Object. This should be a human-readable description of the object, including its purpose.",
"title": "Description",
"type": "string"
},
"references": {
"description": "A list of references to external resources that are relevant to this object. This can include links to documentation, blog posts, or other resources that provide additional context or information about the object.",
"items": {
"format": "uri",
"maxLength": 2083,
"minLength": 1,
"type": "string"
},
"minItems": 0,
"title": "References",
"type": "array",
"uniqueItems": true
},
"lookup_type": {
"const": "csv",
"default": "csv",
"title": "Lookup Type",
"type": "string"
},
"match_type": {
"items": {
"pattern": "(^WILDCARD|CIDR)\\(.+\\)$",
"type": "string"
},
"title": "Match Type",
"type": "array"
},
"min_matches": {
"anyOf": [
{
"minimum": 0,
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Min Matches"
},
"max_matches": {
"anyOf": [
{
"maximum": 1000,
"minimum": 1,
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Max Matches"
},
"default_match": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"description": "Warning - we often use the string 'false' for this field. This can cause some confusion as pyyaml read this from the file as the boolean value false. Be sure to wrap the value false in quotes in the yml file to prevent this. So instead of 'default_match: false' use 'default_match: \"false\"'.",
"title": "Default Match"
},
"case_sensitive_match": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "null"
}
],
"default": null,
"title": "Case Sensitive Match"
}
},
"required": [
"name",
"id",
"version",
"creation_date",
"modification_date",
"author",
"description"
],
"title": "CSVLookup",
"type": "object"
}