+{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"}
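Review bot: Every task in this template carries `"is_note_required": false`, including the Containment tasks `Acquire, preserve, secure, and document evidence` and `Contain incident`, so an analyst can close evidence handling and containment with no recorded note; for the tasks whose whole purpose is an audit trail I would set `"is_note_required": true` (assuming that flag gates task completion the way its name suggests — confirm against the consumer). The tasks `Report devices and applications to be contained to proper channels`, `Contain incident`, `Identify and mitigate all vulnerabilities that were exploited`, `Remove malware, inappropriate materials and other components` and the three Eradication/Post tasks around them ship with an empty `"description"`, unlike every Detection and Analysis task; a one-line description per task such as `"description": "Isolate affected hosts and block attacker infrastructure; record what was contained, by whom, and when."` would make the template usable without tribal knowledge. The evidence-preservation guidance (`Before modifying systems housing evidence of the attack, document the evidence.`) first appears in phase 3, after the Analysis phase has already had analysts pull logs and `Analyze malware samples`; consider an Analysis-phase task or description stating that collection must be forensically sound (hashed, read-only, chain of custody) so evidence is not altered before Containment. The hunk is a single JSON line wrapped by the renderer, and the visible breaks after `Rough triage of the situation. ` and `newly discovered ` fall inside string values, which would be invalid JSON if they are literal in the committed file — worth confirming it parses as one line.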