Validation of the YAML structure of query files (#660)
* Update first version of query schema * Adding JSON Schema library to dependencies * Add tests to validate the correctness of existing queries * Fix typos & missing description in queries * Convert path to Path type * If path is not a dir, use relative path from config file * Update validation method to handle expected fails * Fix path resolution for custom queries Handle expected failures * Add missing keys Ensure parameters are always defined * Fix incorrect type names * Remove empty parameters from query files * Fixing typo * Adding new metadata fields * Remove empty parameters replace tabs with spaces * Add SQL data environment * Ignore folder containing Sentinel queries * Fix call to absolute * Update JSON validation schema to have an open list of providers * Replacing tabs with spaces * s/oneOf/anyOf/ * Rework condition to ignore sentinel_query_import_data * Simplify comparison for python 3.8 * Increasing the size of description to 1024 characters * Adding metadata, sources and defaults as mandatory * Ignore msticpyconfig files * Remove defaults as a required key * Created dedicated tests for query validation * Add multiple samples of valid and invalid queries * Update test_pkg_config based on commit's comments --------- Co-authored-by: Florian Bracq <florian.bracq+github@gmail.com> Co-authored-by: Ian Hellen <ianhelle@microsoft.com>
1 parent
ff77bdd
commit 6cd72dc
Showing
38 changed files
with
596 additions
and
164 deletions.
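--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,270 @@
+{
+"$schema": "http://json-schema.org/draft-07/schema",
+"type": "object",
+"properties": {
+"metadata": {
+"$ref": "#/$defs/metadata"
+},
+"defaults": {
+"type": "object",
+"properties": {
+"metadata": {
+"type": "object",
+"properties": {
+"data_source": {
+"type": "string"
+},
+"data_families": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"pivot": {
+"type": "object",
+"patternProperties": {
+".*": {
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+}
+},
+"top": {
+"type": "integer"
+}
+}
+},
+"parameters": {
+"$ref": "#/$defs/parameter"
+}
+}
+},
+"sources": {
+"type": "object",
+"patternProperties": {
+".*": {
+"$ref": "#/$defs/query"
+}
+}
+}
+},
+"required": [
+"metadata",
+"sources"
+],
+"$defs": {
+"description": {
+"type": "string",
+"minLength": 5,
+"maxLength": 1024
+},
+"metadata": {
+"type": "object",
+"properties": {
+"version": {
+"type": "integer"
+},
+"description": {
+"$ref": "#/$defs/description"
+},
+"data_environments": {
+"type": "array",
+"items": {
+"anyOf": [
+{
+"enum": [
+"AzureSecurityCenter",
+"AzureSentinel",
+"Cybereason",
+"Elastic",
+"Kusto",
+"LocalData",
+"LogAnalytics",
+"M365D",
+"MDATP",
+"MDE",
+"Mordor",
+"MSGraph",
+"MSSentinel",
+"OSQueryLogs",
+"OTRF",
+"ResourceGraph",
+"SecurityGraph",
+"Splunk",
+"Sumologic"
+]
+},
+{
+"type": "string"
+}
+]
+}
+},
+"data_families": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"tags": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"aliases": {
+"oneOf": [
+{
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+{
+"type": "string"
+}
+]
+},
+"cluster": {
+"type": "string"
+},
+"clusters": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"cluster_groups": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"database": {
+"type": "string"
+}
+},
+"additionalProperties": false,
+"required": [
+"version",
+"description",
+"data_environments",
+"data_families"
+]
+},
+"parameter": {
+"type": "object",
+"patternProperties": {
+".*": {
+"type": "object",
+"properties": {
+"description": {
+"$ref": "#/$defs/description"
+},
+"type": {
+"type": "string",
+"enum": [
+"str",
+"datetime",
+"int",
+"float",
+"list"
+]
+},
+"default": {
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "array"
+},
+{
+"type": "integer"
+}
+]
+},
+"aliases": {
+"oneOf": [
+{
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+{
+"type": "string"
+}
+]
+}
+},
+"additionalProperties": false,
+"required": [
+"description",
+"type"
+]
+}
+}
+},
+"query": {
+"type": "object",
+"properties": {
+"description": {
+"$ref": "#/$defs/description"
+},
+"metadata": {
+"anyOf": [
+{
+"$ref": "#/$defs/metadata"
+},
+true
+]
+},
+"parameters": {
+"$ref": "#/$defs/parameter"
+},
+"args": {
+"type": "object",
+"properties": {
+"query": {
+"type": "string"
+},
+"uri": {
+"type": "string"
+}
+},
+"required": [
+"query"
+]
+},
+"query_macros": {
+"patternProperties": {
+".*": {
+"type": "object",
+"properties": {
+"description": {
+"$ref": "#/$defs/description"
+},
+"value": {
+"type": "string"
+}
+},
+"additionalProperties": false,
+"required": [
+"description",
+"value"
+]
+}
+}
+}
+},
+"additionalProperties": false,
+"required": [
+"description",
+"args"
+]
+}
+}
+}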
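Review bot: The per-query `metadata` inside `$defs/query` is effectively unvalidated, because its `anyOf` pairs the `#/$defs/metadata` reference with a bare `true` branch that accepts any value, so a mistyped key or a non-object metadata block in a query passes the checks this commit introduces. A cleaner split is to drop the `required` list from `$defs/metadata` (leaving it to fix the property set and `"additionalProperties": false`), reference it directly from the query entry as `"metadata": { "$ref": "#/$defs/metadata" }`, and put the mandatory keys only on the top-level reference, `"metadata": { "allOf": [ { "$ref": "#/$defs/metadata" }, { "required": [ "version", "description", "data_environments", "data_families" ] } ] }` — the `allOf` wrapper is needed because draft-07 ignores keywords that sit next to `$ref`. The `default` branch list under `$defs/parameter` offers only string, array and integer, so a parameter declared `"type": "float"` with a default such as `0.5` is rejected; replacing the integer branch with `{ "type": "number" }` covers both while keeping the `oneOf` branches non-overlapping. Two smaller consistency points: `defaults` and its nested `metadata` carry no `"additionalProperties": false` although the named definitions do, and `query_macros` has `patternProperties` without a `"type": "object"` next to it. The file path is not shown on this page, so these locations are given by key name only.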