    /// <summary>
    /// Serialises the V2 denormalised NSG flow-log record fixture with Json.NET and pins the exact
    /// compact wire format: property order, quoting of the numeric-looking counters and ports,
    /// and the floating-point rendering of <c>version</c> (<c>2.0</c>, not <c>2</c>).
    /// </summary>
    /// <remarks>
    /// Null members are dropped via <see cref="NullValueHandling.Ignore"/>, so any property the
    /// fixture from <c>EcsTest.createDenormalizedRecordV2</c> leaves unset must also be absent from
    /// the expected literal. The subscription, resource-group and NSG identifiers are part of that
    /// fixture, so a change to the fixture requires updating the literal as well.
    /// </remarks>
    public void denormalizedRecordJsonTest()
    {
        var record = EcsTest.createDenormalizedRecordV2();

        // Compact (non-indented) output: the expected literal is a single line.
        var settings = new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore };
        string actualJson = JsonConvert.SerializeObject(record, settings);

        const string expectedJson = "{\"time\":\"2020-01-15T07:00:00.5173253Z\",\"category\":\"NetworkSecurityGroupFlowEvent\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"resourceId\":\"/SUBSCRIPTIONS/F087A016-314D-482C-93F1-88665DAFBA23/RESOURCEGROUPS/MC_MDRNWRK-DEV-AKS-RESOURCES_MDRNWRK-DEV-AKS_UKSOUTH/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AKS-AGENTPOOL-14244569-NSG\",\"version\":2.0,\"nsgRuleName\":\"DefaultRule_AllowVnetOutBound\",\"mac\":\"000D3R5F1340\",\"startTime\":\"1578673962\",\"sourceAddress\":\"10.244.0.40\",\"destinationAddress\":\"10.244.1.68\",\"sourcePort\":\"36098\",\"destinationPort\":\"25227\",\"transportProtocol\":\"T\",\"deviceDirection\":\"I\",\"deviceAction\":\"A\",\"flowState\":\"E\",\"packetsStoD\":\"3\",\"bytesStoD\":\"206\",\"packetsDtoS\":\"2\",\"bytesDtoS\":\"140\"}";

        Assert.Equal(expectedJson, actualJson);
    }
    /// <summary>
    /// Maps the V2 denormalised flow-log record fixture to an <c>EcsAll</c> document through
    /// <c>EcsFactory.createEcsAll</c> and checks every ECS field the test cares about against the
    /// source record or a literal expected value.
    /// </summary>
    /// <remarks>
    /// The expectations encode the normalisation the mapping is required to perform: ports and
    /// per-direction counters arrive as strings and are expected as integers; the single-letter
    /// flow codes are expected in their expanded ECS form (<c>T</c> → <c>tcp</c>,
    /// <c>I</c> → <c>inbound</c>, <c>A</c> → <c>allowed</c>) while <c>flowstate</c> stays
    /// <c>E</c>; <c>network.packets</c>/<c>network.bytes</c> are the sum of both directions; and
    /// the epoch-seconds <c>startTime</c> is expected as an ISO-8601 UTC timestamp. The serialised
    /// document is only written to <c>output</c> (presumably the xUnit test-output helper) for
    /// inspection; no assertion reads it.
    /// </remarks>
    public void denormalizedRecordToEcsTest()
    {
        var record = EcsTest.createDenormalizedRecordV2();
        var ecs = EcsFactory.createEcsAll(record);

        // Pretty-printed for readability in the test log; the text itself is not asserted.
        var settings = new JsonSerializerSettings
        {
            NullValueHandling = NullValueHandling.Ignore,
            Formatting = Newtonsoft.Json.Formatting.Indented,
        };
        output.WriteLine(JsonConvert.SerializeObject(ecs, settings));

        // Envelope: timestamp, agent, rule, ECS schema version.
        Assert.Equal(expected: record.time, actual: ecs.@timestamp);
        Assert.Equal(expected: "AzureNetworkWatcherNSGFlowLogsConnector", actual: ecs.agent.name);
        Assert.Equal(expected: record.nsgRuleName, actual: ecs.rule.name);
        Assert.Equal(expected: "1.0.0", actual: ecs.ecs.version);
        Assert.Equal(expected: record.mac, actual: ecs.client.mac);

        // Event block: category/action pass through, the action code is expanded, start is ISO-8601.
        Assert.Equal(expected: record.category, actual: ecs.ecsevent.category);
        Assert.Equal(expected: record.operationName, actual: ecs.ecsevent.action);
        Assert.Equal(expected: "allowed", actual: ecs.ecsevent.outcome);
        Assert.Equal(expected: "nsg.access", actual: ecs.ecsevent.dataset);
        Assert.Equal(expected: "2020-01-10T16:32:42.0000000Z", actual: ecs.ecsevent.start);

        // Resource block: subscription and NSG name are split out of the resource id.
        Assert.Equal(expected: record.resourceId, actual: ecs.resource.id);
        Assert.Equal(expected: "F087A016-314D-482C-93F1-88665DAFBA23", actual: ecs.resource.subscription);
        Assert.Equal(expected: "AKS-AGENTPOOL-14244569-NSG", actual: ecs.resource.nsg);

        // Endpoints: address and ip carry the same value on each side.
        Assert.Equal(expected: "10.244.0.40", actual: ecs.source.address);
        Assert.Equal(expected: "10.244.0.40", actual: ecs.source.ip);
        Assert.Equal(expected: "10.244.1.68", actual: ecs.destination.address);
        Assert.Equal(expected: "10.244.1.68", actual: ecs.destination.ip);
        Assert.Equal(expected: 36098, actual: ecs.source.port);
        Assert.Equal(expected: 25227, actual: ecs.destination.port);
        Assert.Equal(expected: 3, actual: ecs.source.packets);
        Assert.Equal(expected: 2, actual: ecs.destination.packets);
        Assert.Equal(expected: 206, actual: ecs.source.bytes);
        Assert.Equal(expected: 140, actual: ecs.destination.bytes);

        // Network block: expanded codes, directional totals, raw flow state.
        Assert.Equal(expected: "tcp", actual: ecs.network.transport);
        Assert.Equal(expected: "inbound", actual: ecs.network.direction);
        Assert.Equal(expected: "transport", actual: ecs.network.protocol);
        Assert.Equal(expected: 5, actual: ecs.network.packets);
        Assert.Equal(expected: 346, actual: ecs.network.bytes);
        Assert.Equal(expected: "E", actual: ecs.network.flowstate);
    }