Implement model substitution

[tobim]

📔 Description

This adds support for models to the resolve function of taxonomies. It can substitute records with either named or unnamed fields.

Notable supporting changes:

• Model Definitions are now a single list containing both concepts and other models
• The for_each_predicate helper has been updated to support failure.
• records can now contain multiple fields of the same name

📝 Checklist

• All user-facing changes have changelog entries.
• The changes are reflected on docs.tenzir.com/vast, if necessary.
• The PR description contains instructions for the reviewer, if necessary.
• Add unit tests
• Add integration tests

🎯 Review Instructions

It's probably best to go commit-by-commit, but be aware that later commits already contain some naming improvements and functional extensions. The "implement Model substitution" contains the change for the model definitions.

[dominiklohmann]

Nit: Can you move 6df0395 into a separate PR?

[tobim]

Nit: Can you move 6df0395 into a separate PR?

#1202

[mavam]

@tobim please rebase now that #1202 is merged.

[mavam]

I cannot get this to work with the instructions provided in the PR. Here's what I tried:

vast start
vast import suricata < M57
vast import zeek < M57
vast export json 'net.connection == <_, _, _, _, _>'

I don't get any results, but was expecting to see all events that contain flow information.

[mavam]

(It also looks like the YAML indentation is off.)

[mavam]

This looks good to me now. We are aware of the known deficiencies, and given that this is still marked as experimental features, we can merge this.

But it's nice queries like this now work, which I verified:

vast export json 'net.connection == <_, _, _, _, "icmp">'

Even though they still return a superset of the net.connection events, this is already really neat. Nice work!