Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

fix tests

This commit is contained in:
Offir Shvartz 2020-09-10 16:13:11 +03:00
Родитель 7af8c2211d
Коммит 11ec709397
10 изменённых файлов: 253 добавлений и 3 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

69
.script/tests/KqlvalidationsTests/CustomTables/AzureDevOpsAuditing.json Normal file
Просмотреть файл

@ -0,0 +1,69 @@
{
"Name": "AzureDevOpsAuditing",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Data",
"Type": "Dynamic"
},
{
"Name": "Area",
"Type": "String"
},
{
"Name": "OperationName",
"Type": "String"
},
{
"Name": "Details",
"Type": "String"
},
{
"Name": "GroupName",
"Type": "String"
},
{
"Name": "ActorUPN",
"Type": "String"
},
{
"Name": "ActorDisplayName",
"Type": "String"
},
{
"Name": "EntityName",
"Type": "String"
},
{
"Name": "AuthenticationMechanism",
"Type": "String"
},
{
"Name": "IpAddress",
"Type": "String"
},
{
"Name": "UserAgent",
"Type": "String"
},
{
"Name": "AuthenticationMechanism",
"Type": "String"
},
{
"Name": "ScopeDisplayName",
"Type": "String"
},
{
"Name": "ProjectName",
"Type": "String"
},
{
"Name": "ProjectId",
"Type": "String"
}
]
}

13
.script/tests/KqlvalidationsTests/CustomTables/ChatEvents.json Normal file
Просмотреть файл

@ -0,0 +1,13 @@
{
"Name": "ChatEvents",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "UserId",
"Type": "String"
}
]
}

30
.script/tests/KqlvalidationsTests/CustomTables/GitHubAudit.json Normal file
Просмотреть файл

@ -0,0 +1,30 @@
{
"Name": "GitHubAudit",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Country",
"Type": "String"
},
{
"Name": "Action",
"Type": "String"
},
{
"Name": "Actor",
"Type": "String"
},
{
"Name": "IPaddress",
"Type": "String"
},
{
"Name": "Repository",
"Type": "String"
}
]
}

46
.script/tests/KqlvalidationsTests/CustomTables/GitHubRepo.json Normal file
Просмотреть файл

@ -0,0 +1,46 @@
{
"Name": "GitHubRepo",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Action",
"Type": "String"
},
{
"Name": "DismmisedAt",
"Type": "DateTime"
},
{
"Name": "Reason",
"Type": "String"
},
{
"Name": "vulnerableManifestFilename",
"Type": "String"
},
{
"Name": "Description",
"Type": "String"
},
{
"Name": "Link",
"Type": "String"
},
{
"Name": "PublishedAt",
"Type": "DateTime"
},
{
"Name": "Severity",
"Type": "String"
},
{
"Name": "Summary",
"Type": "String"
}
]
}

29
.script/tests/KqlvalidationsTests/CustomTables/MeetingEvents.json Normal file
Просмотреть файл

@ -0,0 +1,29 @@
{
"Name": "MeetingEvents",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "event_type_s",
"Type": "String"
},
{
"Name": "username_s",
"Type": "String"
},
{
"Name": "object_uri_s",
"Type": "String"
},
{
"Name": "hostname_s",
"Type": "String"
},
{
"Name": "ipv4_s",
"Type": "String"
}
]
}

17
.script/tests/KqlvalidationsTests/CustomTables/TeamsData.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"Name": "TeamsData",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Operation",
"Type": "String"
},
{
"Name": "UserId",
"Type": "String"
}
]
}

46
.script/tests/KqlvalidationsTests/CustomTables/ZoomLogs.json Normal file
Просмотреть файл

@ -0,0 +1,46 @@
{
"Name": "ZoomLogs",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Event",
"Type": "Dynamic"
},
{
"Name": "MeetingEvents",
"Type": "String"
},
{
"Name": "ChatEvents",
"Type": "String"
},
{
"Name": "User",
"Type": "String"
},
{
"Name": "UserId",
"Type": "String"
},
{
"Name": "payload_object_settings_in_meeting_e2e_encryption_b",
"Type": "String"
},
{
"Name": "payload_object_participant_user_name_s",
"Type": "String"
},
{
"Name": "User1",
"Type": "String"
},
{
"Name": "payload_object_participant_user_name_s",
"Type": "String"
}
]
}

2
.script/tests/KqlvalidationsTests/KqlValidationTests.cs
Просмотреть файл

@ -13,7 +13,7 @@ namespace Kqlvalidations.Tests
{
private readonly IKqlQueryValidator _queryValidator;
//TODO: read from configuration
private readonly static IEnumerable<string> WhiteListTemplateIds = new string[] { "f948a32f-226c-4116-bddd-d95e91d97eb9", "39198934-62a0-4781-8416-a81265c03fd6", "3533f74c-9207-4047-96e2-0eb9383be587", "9fb57e58-3ed8-4b89-afcf-c8e786508b1c", "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c", "d6491be0-ab2d-439d-95d6-ad8ea39277c5", "0914adab-90b5-47a3-a79f-7cdcac843aa7", "06a9b845-6a95-4432-a78b-83919b28c375", "57e56fc9-417a-4f41-a579-5475aea7b8ce", "155f40c6-610d-497d-85fc-3cf06ec13256", "f2dd4a3a-ebac-4994-9499-1a859938c947", "884be6e7-e568-418e-9c12-89229865ffde", "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508", "0558155e-4556-447e-9a22-828f2a7de06b", "34663177-8abf-4db1-b0a4-5683ab273f44", "a9956d3a-07a9-44a6-a279-081a85020cae" };
private readonly static IEnumerable<string> WhiteListTemplateIds = new string[] { "aac495a9-feb1-446d-b08e-a1164a539452","f948a32f-226c-4116-bddd-d95e91d97eb9", "39198934-62a0-4781-8416-a81265c03fd6", "3533f74c-9207-4047-96e2-0eb9383be587", "9fb57e58-3ed8-4b89-afcf-c8e786508b1c", "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c", "d6491be0-ab2d-439d-95d6-ad8ea39277c5", "0914adab-90b5-47a3-a79f-7cdcac843aa7", "06a9b845-6a95-4432-a78b-83919b28c375", "57e56fc9-417a-4f41-a579-5475aea7b8ce", "155f40c6-610d-497d-85fc-3cf06ec13256", "f2dd4a3a-ebac-4994-9499-1a859938c947", "884be6e7-e568-418e-9c12-89229865ffde", "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508", "0558155e-4556-447e-9a22-828f2a7de06b", "34663177-8abf-4db1-b0a4-5683ab273f44", "a9956d3a-07a9-44a6-a279-081a85020cae" };
private static readonly string DetectionPath = DetectionsYamlFilesTestData.GetDetectionPath();
public KqlValidationTests()
{

2
Detections/CommonSecurityLog/Wazuh-Large Number of Web errors from an IP.yaml
Просмотреть файл

@ -20,7 +20,7 @@ query: |
| where Activity has "Web server 400 error code."
| where Message has "403"
| extend HostName=substring(split(DeviceCustomString1,")")[0],1)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(SourceIP) by HostName, SourceIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP
| where NumberOfErrors > 400
| sort by NumberOfErrors desc
| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP

2
Detections/ZoomLogs/JoiningMeetingFromAnotherTimeZone.yaml
Просмотреть файл

@ -25,7 +25,7 @@ query: |
| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId)
| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone));
ZoomLogs
| where TimeGenerated >=W ago(join_lookback)
| where TimeGenerated >= ago(join_lookback)
| where Event =~ "meeting.participant_joined"
| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone)
| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName)