Add YAML Formatting Job #3889
base: develop
- Add yamlfmt configuration (.yamlfmt) with 4-space indent, LF line endings
- Add yamllint configuration (.yamllint) for syntax validation (detections/ only)
- Add pre-commit hook for automatic YAML formatting
- Add CI validation script with unified error output
- Add GitHub Actions workflow for PR validation
- Add documentation for setup and usage
- Support custom yamlfmt binary path via --yamlfmt-path flag

Versioning and the CI failure will be addressed after the release.

@nasbench - let's add a short update to the main README as step 2 to install the pre-commit hook! Other than that, LGTM!
| Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404). | ||
| description: The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture. | ||
| search: |- | ||
| | `cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) |
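Review bot: the reformatted search body on the last line opens with a leading `| ` before the `cisco_duo_activity` input macro; Splunk parses a search whose first token is a pipe as a generating-command invocation, so a macro that expands to a base search will not run as intended there. Suggest dropping the pipe so the line reads `` `cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome) ``, and re-checking the other beautified searches for the same leading `| `, since the SPL beautifying script was applied across all detections. Minor: `organizations security posture` in the description wants an apostrophe (`organization's`).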
Searches that start with an input_macro have an additional `|` at the beginning; it looks like a bunch of detections have that, so let's update that bit!
This PR introduces a new CI job, validation script and a pre-commit hook for YAML linting and validation. It uses both `yamllint` and `yamlfmt` to apply and verify YAML formatting and linting.

Yamlfmt

We use `yamlfmt` to apply formatting. A new config has been added in `.yamlfmt` that ensures all the YAML has proper indentation and array nesting.

Yamllint

We had to use `yamlfmt` since yamllint's ability/support for nested arrays is tricky to accommodate our format. Hence its usage is for the other linting functionalities like duplicate keys and what not.

Pre-commit Hook

A new pre-commit hook was introduced that applies `yamlfmt` with the config to all YAML files sitting in the `detections` folder.

New CI Job - Yaml Validation

A new CI job was added with a wrapper script `validate_yaml.py` that checks both configs mentioned above are applied.

Docs

New documentation has been added describing how to use all of this in the `docs/ci` folder.

Changed Analytics

All the analytics residing in the `detections` folder have been touched and formatted accordingly. In addition to this, a custom SPL search beautifying script (local) has been applied to all searches to make them use the `|-` notation as well as make them more readable. This is only an initial effort to beautify the SPL. Since it is tricky to solve this for all generically, we will need to iterate on this a bit more.

Note for reviewers: inspect the following commits, de0d0ff and 734090a, to verify the logic of the job and scripts to avoid confusion with the other many changes.
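As an added illustration (not the PR's `validate_yaml.py`, and no substitute for yamlfmt or yamllint), the stdlib-only Python below mirrors two of the rules the PR description names, LF line endings from `.yamlfmt` and duplicate-key detection from `.yamllint`, and reports them in one unified `path:line: message` style; it skips `|-` block-scalar bodies so SPL text is never mistaken for keys. The detection text it checks is constructed for the example.

```python
"""Stdlib-only checks for two rules this PR enforces, LF line endings (.yamlfmt)
and no duplicate keys (.yamllint), with unified 'path:line: message' output.
Added illustration only, not the PR's validate_yaml.py."""
import re

KEY_RE = re.compile(r'^(\s*)(- )?([A-Za-z0-9_.-]+):(?:\s|$)')  # key, maybe as '- ' item
BLOCK_RE = re.compile(r':\s*[|>][-+]?\s*$')   # 'search: |-' style block scalar

# Constructed sample (not a real detection): CRLF endings and a repeated key.
SAMPLE_BAD = ("name: Duo Admin Login Non Chrome Browser\r\n"
              "search: |-\r\n"
              "    `cisco_duo_activity` \"action.name\"=admin_login\r\n"
              "    | stats count by user\r\n"
              "tags:\r\n    analytic_story:\r\n        - Duo Admin Activity\r\n"
              "    analytic_story:\r\n        - Other\r\n")


def check_yaml_text(text: str, name: str = "<memory>") -> list[str]:
    """Return one 'name:line: message' string per violation found."""
    errors = []
    if "\r\n" in text:
        errors.append(f"{name}:1: CRLF line endings found, expected LF")
    scopes = [(-1, set())]      # stack of (key column, keys seen at that column)
    block_col = None            # indent of a block-scalar key whose body we skip
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_col is not None and indent > block_col:
            continue                # still inside the 'search: |-' body
        block_col = None
        m = KEY_RE.match(line)
        if not m:
            continue                # scalar continuation or plain list value
        dash, key = m.group(2), m.group(3)
        col = indent + (2 if dash else 0)   # column where the key text starts
        while scopes[-1][0] > col:
            scopes.pop()            # left a nested mapping
        if dash and scopes[-1][0] == col:
            scopes[-1] = (col, set())       # new list item: fresh key set
        elif scopes[-1][0] < col:
            scopes.append((col, set()))     # entered a nested mapping
        if key in scopes[-1][1]:
            errors.append(f"{name}:{lineno}: duplicate key '{key}'")
        scopes[-1][1].add(key)
        if BLOCK_RE.search(line):
            block_col = indent
    return errors
```

To run it over the repository, read each file under `detections/` with `open(path, newline="")` so CRLF sequences survive, and pass the text and path to `check_yaml_text`.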