Add VectraStream_CL and ignore 'vimNetworkSessionMD4IoT'

2022-04-10 14:17:12 +03:00 · 2022-04-10 14:17:12 +03:00 · 1bccb9711b
--- a/.script/tests/KqlvalidationsTests/CustomTables/VectraStream_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/VectraStream_CL.json
@ -0,0 +1,857 @@
+{
+  "Name": "VectraStream_CL",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "String"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "MG",
+      "Type": "String"
+    },
+    {
+      "Name": "ManagementGroupName",
+      "Type": "String"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "Computer",
+      "Type": "String"
+    },
+    {
+      "Name": "RawData",
+      "Type": "String"
+    },
+    {
+      "Name": "client_dig_product_id_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_dig_protocol_id_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "dir_confidence_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "san_ip_s",
+      "Type": "String"
+    },
+    {
+      "Name": "host_key_s",
+      "Type": "String"
+    },
+    {
+      "Name": "application_s",
+      "Type": "String"
+    },
+    {
+      "Name": "error_msg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "reply_to_s",
+      "Type": "String"
+    },
+    {
+      "Name": "useragent_s",
+      "Type": "String"
+    },
+    {
+      "Name": "second_received_s",
+      "Type": "String"
+    },
+    {
+      "Name": "spf_mailfrom_s",
+      "Type": "String"
+    },
+    {
+      "Name": "x_originating_ip_s",
+      "Type": "String"
+    },
+    {
+      "Name": "first_received_s",
+      "Type": "String"
+    },
+    {
+      "Name": "in_reply_to_s",
+      "Type": "String"
+    },
+    {
+      "Name": "rcpt_to_s",
+      "Type": "String"
+    },
+    {
+      "Name": "to_s",
+      "Type": "String"
+    },
+    {
+      "Name": "date_s",
+      "Type": "String"
+    },
+    {
+      "Name": "from_s",
+      "Type": "String"
+    },
+    {
+      "Name": "helo_s",
+      "Type": "String"
+    },
+    {
+      "Name": "mail_from_s",
+      "Type": "String"
+    },
+    {
+      "Name": "msgid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "tls_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "proxied_s",
+      "Type": "String"
+    },
+    {
+      "Name": "error_s",
+      "Type": "String"
+    },
+    {
+      "Name": "matched_dn_s",
+      "Type": "String"
+    },
+    {
+      "Name": "referrer_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_build_s",
+      "Type": "String"
+    },
+    {
+      "Name": "desktop_height_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "desktop_width_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "keyboard_layout_s",
+      "Type": "String"
+    },
+    {
+      "Name": "beacon_type_s",
+      "Type": "String"
+    },
+    {
+      "Name": "beacon_uid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "first_event_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "last_event_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "orig_ip_bytes_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "resp_domains_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_ip_bytes_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "session_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "resp_filename_s",
+      "Type": "String"
+    },
+    {
+      "Name": "response_content_disposition_s",
+      "Type": "String"
+    },
+    {
+      "Name": "cookie_s",
+      "Type": "String"
+    },
+    {
+      "Name": "cookie_vars_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_mime_types_s",
+      "Type": "String"
+    },
+    {
+      "Name": "domain_s",
+      "Type": "String"
+    },
+    {
+      "Name": "status_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "username_s",
+      "Type": "String"
+    },
+    {
+      "Name": "cipher_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "compression_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "hassh_g",
+      "Type": "String"
+    },
+    {
+      "Name": "hasshServer_g",
+      "Type": "String"
+    },
+    {
+      "Name": "host_key_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "kex_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "mac_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "server_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_s",
+      "Type": "String"
+    },
+    {
+      "Name": "data_source_s",
+      "Type": "String"
+    },
+    {
+      "Name": "error_code_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_host_observed_privilege_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "protocol_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "rep_cipher_s",
+      "Type": "String"
+    },
+    {
+      "Name": "reply_timestamp_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "req_ciphers_s",
+      "Type": "String"
+    },
+    {
+      "Name": "request_type_s",
+      "Type": "String"
+    },
+    {
+      "Name": "success_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "attributes_s",
+      "Type": "String"
+    },
+    {
+      "Name": "bind_error_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "encrypted_sasl_payload_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "is_close_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "is_query_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "logon_failure_error_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "message_id_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "query_scope_s",
+      "Type": "String"
+    },
+    {
+      "Name": "request_bytes_s",
+      "Type": "String"
+    },
+    {
+      "Name": "response_bytes_s",
+      "Type": "String"
+    },
+    {
+      "Name": "result_s",
+      "Type": "String"
+    },
+    {
+      "Name": "result_code_s",
+      "Type": "String"
+    },
+    {
+      "Name": "result_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "base_object_s",
+      "Type": "String"
+    },
+    {
+      "Name": "endpoint_s",
+      "Type": "String"
+    },
+    {
+      "Name": "operation_s",
+      "Type": "String"
+    },
+    {
+      "Name": "rtt_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "action_s",
+      "Type": "String"
+    },
+    {
+      "Name": "delete_on_close_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "hostname_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_issuer_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_subject_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_serial_g",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_mime_types_s",
+      "Type": "String"
+    },
+    {
+      "Name": "response_cache_control_s",
+      "Type": "String"
+    },
+    {
+      "Name": "lease_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "mac_s",
+      "Type": "String"
+    },
+    {
+      "Name": "assigned_ip_s",
+      "Type": "String"
+    },
+    {
+      "Name": "dhcp_server_ip_s",
+      "Type": "String"
+    },
+    {
+      "Name": "dns_server_ips_s",
+      "Type": "String"
+    },
+    {
+      "Name": "request_cache_control_s",
+      "Type": "String"
+    },
+    {
+      "Name": "response_expires_s",
+      "Type": "String"
+    },
+    {
+      "Name": "user_agent_s",
+      "Type": "String"
+    },
+    {
+      "Name": "path_s",
+      "Type": "String"
+    },
+    {
+      "Name": "host_s",
+      "Type": "String"
+    },
+    {
+      "Name": "host_multihomed_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "is_proxied_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "method_s",
+      "Type": "String"
+    },
+    {
+      "Name": "request_body_len_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "request_header_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "response_body_len_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "response_header_count_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "status_code_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "status_msg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "uri_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_curve_s",
+      "Type": "String"
+    },
+    {
+      "Name": "AA_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "RA_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "RD_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "TC_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "TTLs_s",
+      "Type": "String"
+    },
+    {
+      "Name": "answers_s",
+      "Type": "String"
+    },
+    {
+      "Name": "auth_s",
+      "Type": "String"
+    },
+    {
+      "Name": "qclass_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "qclass_name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "qtype_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "qtype_name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "query_s",
+      "Type": "String"
+    },
+    {
+      "Name": "rcode_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "rcode_name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "rejected_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "saw_query_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "saw_reply_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "total_answers_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "total_replies_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "trans_id_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "issuer_s",
+      "Type": "String"
+    },
+    {
+      "Name": "next_protocol_s",
+      "Type": "String"
+    },
+    {
+      "Name": "subject_s",
+      "Type": "String"
+    },
+    {
+      "Name": "basic_constraints_ca_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "basic_constraints_path_len_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "certificate_cn_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_exponent_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_issuer_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_key_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_key_length_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_key_type_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_not_valid_after_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "certificate_not_valid_before_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "certificate_self_issued_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "certificate_serial_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_sig_alg_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_subject_s",
+      "Type": "String"
+    },
+    {
+      "Name": "certificate_version_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "san_dns_s",
+      "Type": "String"
+    },
+    {
+      "Name": "san_other_fields_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "community_id_s",
+      "Type": "String"
+    },
+    {
+      "Name": "conn_state_s",
+      "Type": "String"
+    },
+    {
+      "Name": "duration_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "first_orig_resp_data_pkt_s",
+      "Type": "String"
+    },
+    {
+      "Name": "first_orig_resp_data_pkt_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "first_orig_resp_pkt_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "first_resp_orig_data_pkt_s",
+      "Type": "String"
+    },
+    {
+      "Name": "first_resp_orig_data_pkt_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "first_resp_orig_pkt_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "id_ip_ver_s",
+      "Type": "String"
+    },
+    {
+      "Name": "id_orig_h_s",
+      "Type": "String"
+    },
+    {
+      "Name": "id_orig_p_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "id_resp_h_s",
+      "Type": "String"
+    },
+    {
+      "Name": "id_resp_p_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "local_orig_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "local_resp_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "metadata_type_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_hostname_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_huid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_ip_bytes_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_pkts_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "orig_sluid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "orig_vlan_id_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "proto_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "protoName_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_domain_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_ip_bytes_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_multihomed_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "resp_pkts_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "resp_vlan_id_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "sensor_uid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "service_s",
+      "Type": "String"
+    },
+    {
+      "Name": "session_start_time_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "ts_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "uid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "cipher_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_curve_num_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_ec_point_format_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_extension_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_version_s",
+      "Type": "String"
+    },
+    {
+      "Name": "client_version_num_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "curve_s",
+      "Type": "String"
+    },
+    {
+      "Name": "established_b",
+      "Type": "SByte"
+    },
+    {
+      "Name": "ja3_g",
+      "Type": "String"
+    },
+    {
+      "Name": "ja3s_g",
+      "Type": "String"
+    },
+    {
+      "Name": "server_extensions_s",
+      "Type": "String"
+    },
+    {
+      "Name": "server_name_s",
+      "Type": "String"
+    },
+    {
+      "Name": "version_s",
+      "Type": "String"
+    },
+    {
+      "Name": "version_num_d",
+      "Type": "Double"
+    },
+    {
+      "Name": "resp_hostname_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_huid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "resp_sluid_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Type",
+      "Type": "String"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "String"
+    }
+  ]
+}
--- a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs
+++ b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs
@ -115,8 +115,17 @@ namespace Kqlvalidations.Tests
            Dictionary<object, object> yaml = ReadAndDeserializeYaml(encodedFilePath);
            var queryParamsAsLetStatements = GenerateFunctionParametersAsLetStatements(yaml);
            var queryStr = queryParamsAsLetStatements + (string)yaml["ParserQuery"];
-            var id = (string)yaml["ParserName"];
-            ValidateKql(id, queryStr);
+
+            //Ignore known issues
+            object id;
+            yaml.TryGetValue("Id", out id);
+            if (id != null && ShouldSkipTemplateValidation((string)yaml["Id"]))
+            {
+                return;
+            }
+
+            var parserName = (string)yaml["ParserName"];
+            ValidateKql(parserName, queryStr);
        }

        private void ValidateKql(string id, string queryStr)
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@ -23,5 +23,10 @@
    "id": "ac9e233e-44d4-45eb-b522-6e47445f6582",
    "templateName": "CrashdumpdisabledonhostASIM.yaml",
    "validationFailReason": "Valid imTable"
+  },
+  {
+    "id": "bca035b7-7292-4145-ae8b-b7216bec9dd1",
+    "templateName": "vimNetworkSessionMicrosoftMD4IoT.yaml",
+    "validationFailReason": "The name 'LocalPort' does not refer to any known column, table, variable or function."
  }
 ]
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftMD4IoT.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionMicrosoftMD4IoT.yaml
@ -1,3 +1,4 @@
+Id: bca035b7-7292-4145-ae8b-b7216bec9dd1
 Parser:
  Title:  Network Session ASIM filtering parser for Microsoft Defender for IoT
  Version: '0.2'