Merge branch 'main' into renovate/actions-checkout-5.x

Author: AmyLGalles

.github/CODEOWNERS

@@ -9,3 +9,9 @@
 
 # Shared workflows ownership
 .github/workflows/build.yml @bitwarden/dept-bre @bitwarden/team-admin-console-dev
+
+# Docker-related files
+**/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre

.github/workflows/build.yml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install cloc
         run: |
@@ -33,6 +35,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install poetry
         run: pipx install poetry
@@ -64,8 +68,8 @@ jobs:
         run: |
           mkdir package/bin
           cp -R src/* package/bin/
-          export APP_VERSION=$(poetry version | awk -F ' ' '{print $2}')
-          poetry run ucc-gen build --ta-version ${APP_VERSION}
+          APP_VERSION=$(poetry version | awk -F ' ' '{print $2}')
+          poetry run ucc-gen build --ta-version "${APP_VERSION}"
           # cleanup python files
           rm -rf output/bitwarden_event_logs/{bin,lib}/__pycache__
           rm -rf output/bitwarden_event_logs/bin/{bitwarden_event_logs_rh_settings.py,import_declare_test.py}

dev/docker-compose.yml

@@ -2,6 +2,17 @@ name: splunk
 
 services:
   splunk:
+    image: splunk/splunk:10.0
+    container_name: splunk
+    platform: linux/amd64
+    ports:
+      - "8001:8000"
+      - "8089:8089"
+    environment:
+      SPLUNK_GENERAL_TERMS: "--accept-sgt-current-at-splunk-com"
+      SPLUNK_START_ARGS: "--accept-license"
+      SPLUNK_PASSWORD: password
+  splunk93:
     image: splunk/splunk:9.3
     container_name: splunk
     platform: linux/amd64

package/default/props.conf

@@ -5,7 +5,8 @@ TRUNCATE = 5000
 KV_MODE = json
 FIELDALIAS-alias_1 = ipAddress AS src
 FIELDALIAS-alias_2 = date AS timestamp
-EVAL-typeName = coalesce(case(type==1000,"User_LoggedIn",\
+EVAL-typeName = coalesce(case(\
+    type==1000,"User_LoggedIn",\
     type==1001,"User_ChangedPassword",\
     type==1002,"User_Updated2fa",\
     type==1003,"User_Disabled2fa",\
@@ -16,6 +17,7 @@ EVAL-typeName = coalesce(case(type==1000,"User_LoggedIn",\
     type==1008,"User_UpdatedTempPassword",\
     type==1009,"User_MigratedKeyToKeyConnector",\
     type==1010,"User_RequestedDeviceApproval",\
+    type==1011,"User_TdeOffboardingPasswordSet",\
     type==1100,"Cipher_Created",\
     type==1101,"Cipher_Updated",\
     type==1102,"Cipher_Deleted",\
@@ -55,6 +57,8 @@ EVAL-typeName = coalesce(case(type==1000,"User_LoggedIn",\
     type==1512,"OrganizationUser_Restored",\
     type==1513,"OrganizationUser_ApprovedAuthRequest",\
     type==1514,"OrganizationUser_RejectedAuthRequest",\
+    type==1515,"OrganizationUser_Deleted",\
+    type==1516,"OrganizationUser_Left",\
     type==1600,"Organization_Updated",\
     type==1601,"Organization_PurgedVault",\
     type==1602,"Organization_ClientExportedVault",\
@@ -65,6 +69,14 @@ EVAL-typeName = coalesce(case(type==1000,"User_LoggedIn",\
     type==1607,"Organization_DisabledKeyConnector",\
     type==1608,"Organization_SponsorshipsSynced",\
     type==1609,"Organization_CollectionManagement_Updated",\
+    type==1610,"Organization_CollectionManagement_LimitCollectionCreationEnabled",\
+    type==1611,"Organization_CollectionManagement_LimitCollectionCreationDisabled",\
+    type==1612,"Organization_CollectionManagement_LimitCollectionDeletionEnabled",\
+    type==1613,"Organization_CollectionManagement_LimitCollectionDeletionDisabled",\
+    type==1614,"Organization_CollectionManagement_LimitItemDeletionEnabled",\
+    type==1615,"Organization_CollectionManagement_LimitItemDeletionDisabled",\
+    type==1616,"Organization_CollectionManagement_AllowAdminAccessToAllCollectionItemsEnabled",\
+    type==1617,"Organization_CollectionManagement_AllowAdminAccessToAllCollectionItemsDisabled",\
     type==1700,"Policy_Updated",\
     type==1800,"ProviderUser_Invited",\
     type==1801,"ProviderUser_Confirmed",\
@@ -78,7 +90,16 @@ EVAL-typeName = coalesce(case(type==1000,"User_LoggedIn",\
     type==2001,"OrganizationDomain_Removed",\
     type==2002,"OrganizationDomain_Verified",\
     type==2003,"OrganizationDomain_NotVerified",\
-    type==2100,"Secret_Retrieved"\
+    type==2100,"Secret_Retrieved",\
+    type==2101,"Secret_Created",\
+    type==2102,"Secret_Edited",\
+    type==2103,"Secret_Deleted",\
+    type==2104,"Secret_Permanently_Deleted",\
+    type==2105,"Secret_Restored",\
+    type==2200,"Project_Retrieved",\
+    type==2201,"Project_Created",\
+    type==2202,"Project_Edited",\
+    type==2203,"Project_Deleted"\
     ), type)
 EVAL-deviceName = coalesce(case(device==0,"Android",\
     device==1,"iOS",\
@@ -105,7 +126,8 @@ EVAL-deviceName = coalesce(case(device==0,"Android",\
     device==22,"Server",\
     device==23,"Windows CLI",\
     device==24,"MacOs CLI",\
-    device==25,"Linux CLI"\
+    device==25,"Linux CLI",\
+    device==26,"DuckDuckGo"\
     ), device)
 TIME_PREFIX = "date":"
 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

poetry.lock

@@ -25,7 +25,7 @@ optional = true
 python = ">=3.9, <3.11"
 python-dotenv = "1.1.0"
 types-requests = "2.31.0.6"
-splunk-add-on-ucc-framework = "5.61.0"
+splunk-add-on-ucc-framework = "5.69.1"
 splunk-appinspect = "4.0.2"
 
 [tool.poetry.group.splunkslim]

pyproject.toml

@@ -34,7 +34,10 @@ def get_bitwarden_event(data: Dict[str, Any]):
                           memberId=data.get("memberId", None),
                           actingUserId=data.get("actingUserId", None),
                           device=device,
-                          ipAddress=data.get("ipAddress", None))
+                          ipAddress=data.get("ipAddress", None),
+                          secretId=data.get("secretId", None),
+                          projectId=data.get("projectId", None),
+                          serviceAccountId=data.get("serviceAccountId", None))
 
 
 def get_bitwarden_group(data: Dict[str, Any]):

src/mappers.py

@@ -44,7 +44,9 @@ class BitwardenEvent:
     actingUserId: Optional[str]
     device: Optional[int]
     ipAddress: Optional[str]
-
+    secretId: Optional[str]
+    projectId: Optional[str]
+    serviceAccountId: Optional[str]
 
 @dataclass
 class BitwardenEnhancedEvent(BitwardenEvent):