*: addressing review findings from 2023-09-26

* re-added previously removed sample table data * removed function output schema from CustomFunction for ASimDnsMicrosoftNXLog Signed-off-by: Janos Szigetvari <janos.szigetvari@nxlog.org>
Azure · Sep 27, 2023 · 86be3c7 · 86be3c7
1 parent 102d6a8
commit 86be3c7
Show file tree

Hide file tree

Showing 2 changed files with 145 additions and 182 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json b/.script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json
diff --git a/Sample Data/Custom/DNS_Logs_CL.json b/Sample Data/Custom/DNS_Logs_CL.json
@@ -0,0 +1,145 @@
+[
+  {
+    "SourceName": "Microsoft-Windows-DNSServer",
+    "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+    "EventID": 515,
+    "Version": 0,
+    "ChannelID": 17,
+    "OpcodeValue": 0,
+    "TaskValue": 5,
+    "Keywords": "4611686018428436480",
+    "EventTime": "2020-11-10T22:19:15.593643-06:00",
+    "ExecutionProcessID": 1840,
+    "ExecutionThreadID": 2244,
+    "EventType": "INFO",
+    "SeverityValue": 2,
+    "Severity": "INFO",
+    "Hostname": "WIN-FFMCPAJ76HP",
+    "Domain": "WIN-FFMCPAJ76HP",
+    "AccountName": "Administrator",
+    "UserID": "S-1-5-21-1830054504-3820897498-340727717-500",
+    "AccountType": "User",
+    "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
+    "Type": "1",
+    "NAME": "u16nxlog-1.example.com",
+    "TTL": "604800",
+    "BufferSize": "4",
+    "RDATA": "0xC0A80133",
+    "Zone": "example.com",
+    "ZoneScope": "Default",
+    "VirtualizationID": ".",
+    "EventReceivedTime": "2020-11-10T22:19:17.605206-06:00",
+    "SourceModuleName": "DNS_Logs",
+    "SourceModuleType": "im_etw",
+    "DNS_LogType": "Audit"
+  },
+  {
+    "SourceName": "Microsoft-Windows-DNSServer",
+    "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+    "EventID": 561,
+    "Version": 0,
+    "ChannelID": 17,
+    "OpcodeValue": 0,
+    "TaskValue": 5,
+    "Keywords": "4611686018427912192",
+    "EventTime": "2020-11-10T22:28:44.905235-06:00",
+    "ExecutionProcessID": 1840,
+    "ExecutionThreadID": 2792,
+    "EventType": "INFO",
+    "SeverityValue": 2,
+    "Severity": "INFO",
+    "Hostname": "WIN-FFMCPAJ76HP",
+    "Domain": "WIN-FFMCPAJ76HP",
+    "AccountName": "Administrator",
+    "UserID": "S-1-5-21-1830054504-3820897498-340727717-500",
+    "AccountType": "User",
+    "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
+    "Zone": "example.com",
+    "FilePath": "example.com.dns",
+    "VirtualizationID": ".",
+    "EventReceivedTime": "2020-11-10T22:28:47.058402-06:00",
+    "SourceModuleName": "DNS_Logs",
+    "SourceModuleType": "im_etw",
+    "DNS_LogType": "Audit"
+  },
+  {
+    "SourceName": "Microsoft-Windows-DNSServer",
+    "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+    "EventID": 257,
+    "Version": 0,
+    "ChannelID": 16,
+    "OpcodeValue": 0,
+    "TaskValue": 1,
+    "Keywords": "9223372036854775810",
+    "EventTime": "2020-10-04T13:34:15.571565-05:00",
+    "ExecutionProcessID": 1888,
+    "ExecutionThreadID": 2364,
+    "EventType": "INFO",
+    "SeverityValue": 2,
+    "Severity": "INFO",
+    "Hostname": "WIN-FFMCPAJ76HP",
+    "Domain": "NT AUTHORITY",
+    "AccountName": "SYSTEM",
+    "UserID": "S-1-5-18",
+    "AccountType": "User",
+    "Flags": "34176",
+    "TCP": "0",
+    "InterfaceIP": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+    "Destination": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+    "AA": "1",
+    "AD": "0",
+    "QNAME": "central-logger.example.com.",
+    "QTYPE": "28",
+    "XID": "5961",
+    "DNSSEC": "0",
+    "RCODE": "0",
+    "Port": "65535",
+    "Scope": "Default",
+    "Zone": "example.com",
+    "PolicyName": "NULL",
+    "BufferSize": "73",
+    "PacketData": "0x1749858000010001000000000E63656E7472616C2D6C6F67676572076578616D706C6503636F6D00001C0001C00C0005000100093A8000110E7562756E747531382D6E786C6F67C01B",
+    "AdditionalInfo": "VirtualizationInstance:.",
+    "GUID": "{E1A9924F-0EF9-4B72-8FFC-169CEF8F124F}",
+    "EventReceivedTime": "2020-10-04T13:34:16.894967-05:00",
+    "SourceModuleName": "DNSServer",
+    "SourceModuleType": "im_etw",
+    "DNSSeverType": "Analytical"
+  },
+  {
+    "SourceName": "Microsoft-Windows-DNSServer",
+    "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+    "EventID": 279,
+    "Version": 0,
+    "ChannelID": 16,
+    "OpcodeValue": 0,
+    "TaskValue": 1,
+    "Keywords": "9223372071214514176",
+    "EventTime": "2020-11-10T22:46:18.010625-06:00",
+    "ExecutionProcessID": 1840,
+    "ExecutionThreadID": 2332,
+    "EventType": "INFO",
+    "SeverityValue": 2,
+    "Severity": "INFO",
+    "Hostname": "WIN-FFMCPAJ76HP",
+    "Domain": "NT AUTHORITY",
+    "AccountName": "SYSTEM",
+    "UserID": "S-1-5-18",
+    "AccountType": "User",
+    "Flags": "33152",
+    "TCP": "0",
+    "InterfaceIP": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+    "Source": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+    "RD": "1",
+    "QNAME": "wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com.",
+    "QTYPE": "1",
+    "Port": "62232",
+    "XID": "28344",
+    "BufferSize": "36",
+    "PacketData": "0x6EB8818000010002000000000477646370096D6963726F736F667403636F6D0000010001",
+    "EventReceivedTime": "2020-11-10T22:46:19.013423-06:00",
+    "SourceModuleName": "DNS_Logs",
+    "SourceModuleType": "im_etw",
+    "DNS_LogType": "Analytical"
+  }
+]