From 4d31402d01f9f7bc4c52348cc915dad28aa5bb29 Mon Sep 17 00:00:00 2001
From: Dan Shanahan
Date: Tue, 5 Apr 2022 16:27:49 -0700
Subject: [PATCH 1/5] narrow the code scanning event type def
fixes https://github.com/splunk/github_app_for_splunk/issues/34
---
github_app_for_splunk/default/eventtypes.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
index 5ef01a1..00120e0 100644
--- a/github_app_for_splunk/default/eventtypes.conf
+++ b/github_app_for_splunk/default/eventtypes.conf
@@ -29,7 +29,7 @@ search = `github_webhooks` action IN ("created","edited","moved","deleted") "pr
search = `github_webhooks` action IN ("queued","created","in_progress","completed") workflow_job.id=*
[GitHub::CodeScanning]
-search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
+search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "commit_oid"=*
[GitHub::SecretScanning]
search = `github_webhooks` action IN ("created", "resolved") "alert.secret_type"=*
From e1d047907efc0c68125becb8c5a420f490227aeb Mon Sep 17 00:00:00 2001
From: Dan Shanahan
Date: Tue, 5 Apr 2022 16:39:34 -0700
Subject: [PATCH 2/5] Capture Secret Scanning alerts
---
.../default/data/ui/views/security_alert_overview.xml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
index 8ae4bab..9c2a31f 100644
--- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
+++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
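Review bot: The narrowed `[GitHub::CodeScanning]` stanza relies on `commit_oid` being present only on code-scanning webhook payloads, but nothing in the file records why the field test changed; the action list it keeps (`created`, `reopened`) is shared with the `[GitHub::SecretScanning]` stanza just below, so the field test is the only thing keeping the two eventtypes disjoint. A comment above the stanza would keep the next editor from loosening it again, e.g. `# Match on "commit_oid"=* rather than "alert.created_at"=*: created_at is also set on the other alert payloads this macro captures, so it does not single out code scanning events (issue 34).` Whether `commit_oid` is absent from every other alert payload the `github_webhooks` macro matches is not visible here and should be confirmed against the webhook schemas before relying on it.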
@@ -2,7 +2,14 @@
- index=gh_vuln OR (`github_webhooks` alert.created_at=*) | eval reason=if(isnotnull('alert.affected_package_name'),'alert.affected_package_name','alert.rule.name'), id=if(isnotnull('alert.external_identifier'),'alert.external_identifier','alert.rule.id'), severity=if(isnotnull('alert.severity'),'alert.severity','alert.rule.security_severity_level'), type=if(isnotnull('alert.external_identifier'),"Dependabot Alert","Code Scanning Alert") | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity | eval source=if(type=="Dependabot Alert","dependabot","code-scanning") | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
+ index=gh_vuln OR (`github_webhooks` alert.created_at=*)
+ | eval type=case((eventtype="GitHub::CodeScanning"), "Code Scanning Alert", (eventtype="GitHub::VulnerabilityAlert"), "Dependabot Alert", (eventtype="GitHub::SecretScanning"), "Secret Scanning Alert")
+ | eval reason=case((type="Dependabot Alert"),'alert.affected_package_name',(type="Code Scanning Alert"), 'alert.rule.name', (type="Secret Scanning Alert"), 'alert.secret_type'), id=case((type="Dependabot Alert"),'alert.external_identifier',(type="Code Scanning Alert"), 'alert.rule.id', (type="Secret Scanning Alert"), 'alert.number'), severity=case((type="Dependabot Alert"),'alert.severity',(type="Code Scanning Alert"), 'alert.rule.security_severity_level', (type="Secret Scanning Alert"), "high")
+ | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity
+ | eval source=type
+ | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
+ | search severity IN("*") status IN("*") type IN("*")
+ | sort -age $timeTkn.earliest$ $timeTkn.latest$
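Review bot: The `case()` that derives `type` has no default branch, so any event from the base search that carries none of the three eventtypes gets a null `type` and is silently dropped by the following `stats ... by ... type`; the `index=gh_vuln` half of the search is exposed here, because the old line classified those events by field presence (`alert.external_identifier`) while the new one depends on eventtypes that, in this series' eventtypes.conf, are scoped to the `github_webhooks` macro — confirm `gh_vuln` events are actually tagged before shipping. A default arm keeps the old behaviour for untagged events: `, true(), if(isnotnull('alert.external_identifier'),"Dependabot Alert","Code Scanning Alert")`. The added `| search severity IN("*") status IN("*") type IN("*")` is a no-op as written; if it is meant to be driven by dashboard inputs it needs tokens, otherwise it should go. `| eval source=type` also replaces the `dependabot`/`code-scanning` values with the display labels, which will break anything keyed on the old values. The same hunk is re-applied unchanged in PATCH 4/5 after the revert in PATCH 3/5, so these points apply there too.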
@@ -244,7 +251,7 @@
- {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34}
+ {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34, "medium":#F8BE34}
From 0869c8ce791c9e4879f9589c050df4ecb80a16ee Mon Sep 17 00:00:00 2001
From: Dan Shanahan
Date: Tue, 5 Apr 2022 16:46:03 -0700
Subject: [PATCH 3/5] reverting
---
.../default/data/ui/views/security_alert_overview.xml | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
index 9c2a31f..8ae4bab 100644
--- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
+++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
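Review bot: The colour map now has an entry for `medium`, the spelling code scanning's `security_severity_level` uses alongside Dependabot's `moderate`, but `low` is still missing, so low-severity alerts of either kind get an auto-assigned series colour unrelated to the rest of the scale. Adding a `"low"` entry next to `"medium"` (pick a colour consistent with the existing palette) closes the gap; the surrounding option element is outside the hunk. The same change is reverted in PATCH 3/5 and re-applied in PATCH 4/5, so this applies to the latter as well.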
@@ -2,14 +2,7 @@
- index=gh_vuln OR (`github_webhooks` alert.created_at=*)
- | eval type=case((eventtype="GitHub::CodeScanning"), "Code Scanning Alert", (eventtype="GitHub::VulnerabilityAlert"), "Dependabot Alert", (eventtype="GitHub::SecretScanning"), "Secret Scanning Alert")
- | eval reason=case((type="Dependabot Alert"),'alert.affected_package_name',(type="Code Scanning Alert"), 'alert.rule.name', (type="Secret Scanning Alert"), 'alert.secret_type'), id=case((type="Dependabot Alert"),'alert.external_identifier',(type="Code Scanning Alert"), 'alert.rule.id', (type="Secret Scanning Alert"), 'alert.number'), severity=case((type="Dependabot Alert"),'alert.severity',(type="Code Scanning Alert"), 'alert.rule.security_severity_level', (type="Secret Scanning Alert"), "high")
- | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity
- | eval source=type
- | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
- | search severity IN("*") status IN("*") type IN("*")
- | sort -age
+ index=gh_vuln OR (`github_webhooks` alert.created_at=*) | eval reason=if(isnotnull('alert.affected_package_name'),'alert.affected_package_name','alert.rule.name'), id=if(isnotnull('alert.external_identifier'),'alert.external_identifier','alert.rule.id'), severity=if(isnotnull('alert.severity'),'alert.severity','alert.rule.security_severity_level'), type=if(isnotnull('alert.external_identifier'),"Dependabot Alert","Code Scanning Alert") | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity | eval source=if(type=="Dependabot Alert","dependabot","code-scanning") | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration") $timeTkn.earliest$ $timeTkn.latest$
@@ -251,7 +244,7 @@
- {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34, "medium":#F8BE34}
+ {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34}
From 1016082377b4bb75b85f35bb786c561a002108f1 Mon Sep 17 00:00:00 2001
From: Dan Shanahan
Date: Tue, 5 Apr 2022 16:47:05 -0700
Subject: [PATCH 4/5] adding secret scanning to alert overview
---
.../default/data/ui/views/security_alert_overview.xml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
index 8ae4bab..9c2a31f 100644
--- a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
+++ b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
@@ -2,7 +2,14 @@
- index=gh_vuln OR (`github_webhooks` alert.created_at=*) | eval reason=if(isnotnull('alert.affected_package_name'),'alert.affected_package_name','alert.rule.name'), id=if(isnotnull('alert.external_identifier'),'alert.external_identifier','alert.rule.id'), severity=if(isnotnull('alert.severity'),'alert.severity','alert.rule.security_severity_level'), type=if(isnotnull('alert.external_identifier'),"Dependabot Alert","Code Scanning Alert") | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity | eval source=if(type=="Dependabot Alert","dependabot","code-scanning") | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
+ index=gh_vuln OR (`github_webhooks` alert.created_at=*)
+ | eval type=case((eventtype="GitHub::CodeScanning"), "Code Scanning Alert", (eventtype="GitHub::VulnerabilityAlert"), "Dependabot Alert", (eventtype="GitHub::SecretScanning"), "Secret Scanning Alert")
+ | eval reason=case((type="Dependabot Alert"),'alert.affected_package_name',(type="Code Scanning Alert"), 'alert.rule.name', (type="Secret Scanning Alert"), 'alert.secret_type'), id=case((type="Dependabot Alert"),'alert.external_identifier',(type="Code Scanning Alert"), 'alert.rule.id', (type="Secret Scanning Alert"), 'alert.number'), severity=case((type="Dependabot Alert"),'alert.severity',(type="Code Scanning Alert"), 'alert.rule.security_severity_level', (type="Secret Scanning Alert"), "high")
+ | stats latest(action) as status, earliest(alert.created_at) as created_at, latest(alert.number) as number by repository.full_name, reason, id, type, severity
+ | eval source=type
+ | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
+ | search severity IN("*") status IN("*") type IN("*")
+ | sort -age $timeTkn.earliest$ $timeTkn.latest$
@@ -244,7 +251,7 @@
- {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34}
+ {"critical":#DC4E41,"high":#F1813F,"moderate":#F8BE34, "medium":#F8BE34}
From 2b78fc31112e76b7378cd428ef38e30dedd7928c Mon Sep 17 00:00:00 2001
From: Dan Shanahan
Date: Tue, 5 Apr 2022 16:52:11 -0700
Subject: [PATCH 5/5] Update eventtypes.conf
---
github_app_for_splunk/default/eventtypes.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
index 00120e0..5ef01a1 100644
--- a/github_app_for_splunk/default/eventtypes.conf
+++ b/github_app_for_splunk/default/eventtypes.conf
@@ -29,7 +29,7 @@ search = `github_webhooks` action IN ("created","edited","moved","deleted") "pr
search = `github_webhooks` action IN ("queued","created","in_progress","completed") workflow_job.id=*
[GitHub::CodeScanning]
-search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "commit_oid"=*
+search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
[GitHub::SecretScanning]
search = `github_webhooks` action IN ("created", "resolved") "alert.secret_type"=*
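Review bot: Restoring `"alert.created_at"=*` makes `[GitHub::CodeScanning]` overlap `[GitHub::SecretScanning]` again: both stanzas accept `action=created`, and PATCH 2/5's dashboard search selects all three alert types with `alert.created_at=*`, so a secret-scanning `created` event is tagged with both eventtypes. PATCH 4/5's dashboard then derives `type` with `case((eventtype="GitHub::CodeScanning"), ...)` as the first branch; since `eventtype` is multivalued and `case()` returns its first true branch, such events are shown as code-scanning alerts and their `alert.secret_type`-based reason is lost. The commit message gives no reason for undoing PATCH 1/5, which was the fix for issue 34; if `commit_oid` proved unreliable, an explicit exclusion such as `NOT "alert.secret_type"=*` in the code-scanning stanza would keep the two disjoint. Whichever test is kept, the rationale belongs in a `#` comment above the stanza so the next change does not flip it back.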