From 86be3c7891dcd9a4ede1ad511e6e6cd2f32bc29b Mon Sep 17 00:00:00 2001
From: Janos Szigetvari
Date: Wed, 27 Sep 2023 07:09:09 +0200
Subject: [PATCH] *: addressing review findings from 2023-09-26

* re-added previously removed sample table data
* removed function output schema from CustomFunction for ASimDnsMicrosoftNXLog

Signed-off-by: Janos Szigetvari
---
 .../ASimDnsMicrosoftNXLog.json | 182 ------------------
 Sample Data/Custom/DNS_Logs_CL.json | 145 ++++++++++++++
 2 files changed, 145 insertions(+), 182 deletions(-)
 delete mode 100644 .script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json
 create mode 100644 Sample Data/Custom/DNS_Logs_CL.json

diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json b/.script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json
deleted file mode 100644
index bcaf12ed17e..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/ASimDnsMicrosoftNXLog.json
+++ /dev/null
@@ -1,182 +0,0 @@
-{
- "FunctionName": "ASimDnsMicrosoftNXLog",
- "FunctionParameters": [],
- "FunctionResultColumns": [
- {
- "Name": "TimeGenerated",
- "Type": "DateTime"
- },
- {
- "Name": "EventOriginalType",
- "Type": "Double"
- },
- {
- "Name": "DnsQuery",
- "Type": "String"
- },
- {
- "Name": "DnsQueryType",
- "Type": "Int32"
- },
- {
- "Name": "DnsResponseCode",
- "Type": "Int32"
- },
- {
- "Name": "eventtype",
- "Type": "String"
- },
- {
- "Name": "SrcPortNumber",
- "Type": "Int32"
- },
- {
- "Name": "DvcHostname",
- "Type": "String"
- },
- {
- "Name": "EventEndTime",
- "Type": "DateTime"
- },
- {
- "Name": "EventProduct",
- "Type": "String"
- },
- {
- "Name": "EventSchemaVersion",
- "Type": "String"
- },
- {
- "Name": "EventVendor",
- "Type": "String"
- },
- {
- "Name": "EventSchema",
- "Type": "String"
- },
- {
- "Name": "EventCount",
- "Type": "Int32"
- },
- {
- "Name": "NetworkProtocol",
- "Type": "Int32"
- },
- {
- "Name": "TransactionIdHex",
- "Type": "String"
- },
- {
- "Name": "DnsFlagsAuthenticated",
- "Type": "Boolean"
- },
- {
- "Name": "DnsFlagsAuthoritative",
- "Type": "Boolean"
- },
- {
- "Name": "DnsFlagsRecursionDesired",
- "Type": "Boolean"
- },
- {
- "Name": "EventResult",
- "Type": "String"
- },
- {
- "Name": "ResponseCodeName",
- "Type": "String"
- },
- {
- "Name": "EventResultDetails",
- "Type": "String"
- },
- {
- "Name": "Domain",
- "Type": "String"
- },
- {
- "Name": "DnsResponseCodeName",
- "Type": "String"
- },
- {
- "Name": "DnsQueryTypeName",
- "Type": "String"
- },
- {
- "Name": "IpAddr",
- "Type": "String"
- },
- {
- "Name": "Src",
- "Type": "String"
- },
- {
- "Name": "QueryType",
- "Type": "Int32"
- },
- {
- "Name": "QueryTypeName",
- "Type": "String"
- },
- {
- "Name": "ResponseCode",
- "Type": "Int32"
- },
- {
- "Name": "ProviderGuid_g",
- "Type": "Guid"
- },
- {
- "Name": "Level",
- "Type": "String"
- },
- {
- "Name": "Category",
- "Type": "String"
- },
- {
- "Name": "EventStartTime",
- "Type": "DateTime"
- },
- {
- "Name": "Dvc",
- "Type": "String"
- },
- {
- "Name": "DnsFlags",
- "Type": "String"
- },
- {
- "Name": "SrcIpAddr",
- "Type": "String"
- },
- {
- "Name": "DnsResponseName",
- "Type": "String"
- },
- {
- "Name": "EventOriginalUid",
- "Type": "Guid"
- },
- {
- "Name": "EventReceivedTime_t",
- "Type": "DateTime"
- },
- {
- "Name": "Type",
- "Type": "String"
- },
- {
- "Name": "EventType",
- "Type": "String"
- },
- {
- "Name": "EventSubType",
- "Type": "String"
- },
- {
- "Name": "_ResourceId",
- "Type": "String"
- }
- ]
-}
diff --git a/Sample Data/Custom/DNS_Logs_CL.json b/Sample Data/Custom/DNS_Logs_CL.json
new file mode 100644
index 00000000000..4517849700e
--- /dev/null
+++ b/Sample Data/Custom/DNS_Logs_CL.json
@@ -0,0 +1,145 @@
+[
+ {
+ "SourceName": "Microsoft-Windows-DNSServer",
+ "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+ "EventID": 515,
+ "Version": 0,
+ "ChannelID": 17,
+ "OpcodeValue": 0,
+ "TaskValue": 5,
+ "Keywords": "4611686018428436480",
+ "EventTime": "2020-11-10T22:19:15.593643-06:00",
+ "ExecutionProcessID": 1840,
+ "ExecutionThreadID": 2244,
+ "EventType": "INFO",
+ "SeverityValue": 2,
+ "Severity": "INFO",
+ "Hostname": "WIN-FFMCPAJ76HP",
+ "Domain": "WIN-FFMCPAJ76HP",
+ "AccountName": "Administrator",
+ "UserID": "S-1-5-21-1830054504-3820897498-340727717-500",
+ "AccountType": "User",
+ "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
+ "Type": "1",
+ "NAME": "u16nxlog-1.example.com",
+ "TTL": "604800",
+ "BufferSize": "4",
+ "RDATA": "0xC0A80133",
+ "Zone": "example.com",
+ "ZoneScope": "Default",
+ "VirtualizationID": ".",
+ "EventReceivedTime": "2020-11-10T22:19:17.605206-06:00",
+ "SourceModuleName": "DNS_Logs",
+ "SourceModuleType": "im_etw",
+ "DNS_LogType": "Audit"
+ },
+ {
+ "SourceName": "Microsoft-Windows-DNSServer",
+ "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+ "EventID": 561,
+ "Version": 0,
+ "ChannelID": 17,
+ "OpcodeValue": 0,
+ "TaskValue": 5,
+ "Keywords": "4611686018427912192",
+ "EventTime": "2020-11-10T22:28:44.905235-06:00",
+ "ExecutionProcessID": 1840,
+ "ExecutionThreadID": 2792,
+ "EventType": "INFO",
+ "SeverityValue": 2,
+ "Severity": "INFO",
+ "Hostname": "WIN-FFMCPAJ76HP",
+ "Domain": "WIN-FFMCPAJ76HP",
+ "AccountName": "Administrator",
+ "UserID": "S-1-5-21-1830054504-3820897498-340727717-500",
+ "AccountType": "User",
+ "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
+ "Zone": "example.com",
+ "FilePath": "example.com.dns",
+ "VirtualizationID": ".",
+ "EventReceivedTime": "2020-11-10T22:28:47.058402-06:00",
+ "SourceModuleName": "DNS_Logs",
+ "SourceModuleType": "im_etw",
+ "DNS_LogType": "Audit"
+ },
+ {
+ "SourceName": "Microsoft-Windows-DNSServer",
+ "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+ "EventID": 257,
+ "Version": 0,
+ "ChannelID": 16,
+ "OpcodeValue": 0,
+ "TaskValue": 1,
+ "Keywords": "9223372036854775810",
+ "EventTime": "2020-10-04T13:34:15.571565-05:00",
+ "ExecutionProcessID": 1888,
+ "ExecutionThreadID": 2364,
+ "EventType": "INFO",
+ "SeverityValue": 2,
+ "Severity": "INFO",
+ "Hostname": "WIN-FFMCPAJ76HP",
+ "Domain": "NT AUTHORITY",
+ "AccountName": "SYSTEM",
+ "UserID": "S-1-5-18",
+ "AccountType": "User",
+ "Flags": "34176",
+ "TCP": "0",
+ "InterfaceIP": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+ "Destination": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+ "AA": "1",
+ "AD": "0",
+ "QNAME": "central-logger.example.com.",
+ "QTYPE": "28",
+ "XID": "5961",
+ "DNSSEC": "0",
+ "RCODE": "0",
+ "Port": "65535",
+ "Scope": "Default",
+ "Zone": "example.com",
+ "PolicyName": "NULL",
+ "BufferSize": "73",
+ "PacketData": "0x1749858000010001000000000E63656E7472616C2D6C6F67676572076578616D706C6503636F6D00001C0001C00C0005000100093A8000110E7562756E747531382D6E786C6F67C01B",
+ "AdditionalInfo": "VirtualizationInstance:.",
+ "GUID": "{E1A9924F-0EF9-4B72-8FFC-169CEF8F124F}",
+ "EventReceivedTime": "2020-10-04T13:34:16.894967-05:00",
+ "SourceModuleName": "DNSServer",
+ "SourceModuleType": "im_etw",
+ "DNSSeverType": "Analytical"
+ },
+ {
+ "SourceName": "Microsoft-Windows-DNSServer",
+ "ProviderGuid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
+ "EventID": 279,
+ "Version": 0,
+ "ChannelID": 16,
+ "OpcodeValue": 0,
+ "TaskValue": 1,
+ "Keywords": "9223372071214514176",
+ "EventTime": "2020-11-10T22:46:18.010625-06:00",
+ "ExecutionProcessID": 1840,
+ "ExecutionThreadID": 2332,
+ "EventType": "INFO",
+ "SeverityValue": 2,
+ "Severity": "INFO",
+ "Hostname": "WIN-FFMCPAJ76HP",
+ "Domain": "NT AUTHORITY",
+ "AccountName": "SYSTEM",
+ "UserID": "S-1-5-18",
+ "AccountType": "User",
+ "Flags": "33152",
+ "TCP": "0",
+ "InterfaceIP": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+ "Source": "abba:cafe:4400:82a:90c6:851e:73fe:3d5c",
+ "RD": "1",
+ "QNAME": "wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com.",
+ "QTYPE": "1",
+ "Port": "62232",
+ "XID": "28344",
+ "BufferSize": "36",
+ "PacketData": "0x6EB8818000010002000000000477646370096D6963726F736F667403636F6D0000010001",
+ "EventReceivedTime": "2020-11-10T22:46:19.013423-06:00",
+ "SourceModuleName": "DNS_Logs",
+ "SourceModuleType": "im_etw",
+ "DNS_LogType": "Analytical"
+ }
+]
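Review bot: The third record (EventID 257) names its log-channel field `DNSSeverType` and its module `"SourceModuleName": "DNSServer"`, while the other three rows use `DNS_LogType` and `"SourceModuleName": "DNS_Logs"`; `DNSSeverType` reads like a typo of `DNSServerType` carried over from an older NXLog configuration rather than a deliberate variant. If the ASimDnsMicrosoftNXLog parser (not visible here) selects Audit versus Analytical rows on `DNS_LogType`, that row will be silently unclassified and the sample will not exercise the query-received path it appears to have been included for. For a consistent sample, change the two lines to `"SourceModuleName": "DNS_Logs",` and `"DNS_LogType": "Analytical"`; if the divergent spelling is intentional, keep it but add a row with the current naming so both shapes are covered. Note also that the ETW numeric fields arrive as strings (`"QTYPE": "28"`, `"RCODE": "0"`, `"Port": "65535"`, `"TTL": "604800"`), so any KQL validation built on this sample should expect string-typed columns in the custom table and the parser must convert them explicitly.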