/// <summary>
/// Pins the exact JSON wire format produced for a version 2 <c>DenormalizedRecord</c>
/// built by <c>EcsTest.createDenormalizedRecordV2()</c>.
/// </summary>
/// <remarks>
/// The comparison is an exact string match, so member order, casing and the
/// string-versus-number representation of every field are all part of the contract
/// checked here. In the expected payload the ports, packet/byte counters and
/// <c>startTime</c> are JSON strings, while <c>version</c> is a JSON number.
/// </remarks>
public void denormalizedRecordJsonTest()
{
    // Null members are dropped from the output rather than emitted as "null".
    var serializerSettings = new JsonSerializerSettings
    {
        NullValueHandling = NullValueHandling.Ignore
    };

    DenormalizedRecord flowRecord = EcsTest.createDenormalizedRecordV2();
    string actualJson = JsonConvert.SerializeObject(flowRecord, serializerSettings);

    // NOTE(review): the resourceId carries what looks like a concrete subscription GUID,
    // resource-group and NSG name. Presumably sample data; confirm it does not identify a
    // live environment, and prefer an obviously synthetic identifier if it does.
    // NOTE(review): the mac value contains 'R', which is not a hex digit. Presumably an
    // anonymised sample; confirm against the fixture.
    string expectedJson = "{\"time\":\"2020-01-15T07:00:00.5173253Z\",\"category\":\"NetworkSecurityGroupFlowEvent\",\"operationName\":\"NetworkSecurityGroupFlowEvents\",\"resourceId\":\"/SUBSCRIPTIONS/F087A016-314D-482C-93F1-88665DAFBA23/RESOURCEGROUPS/MC_MDRNWRK-DEV-AKS-RESOURCES_MDRNWRK-DEV-AKS_UKSOUTH/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AKS-AGENTPOOL-14244569-NSG\",\"version\":2.0,\"nsgRuleName\":\"DefaultRule_AllowVnetOutBound\",\"mac\":\"000D3R5F1340\",\"startTime\":\"1578673962\",\"sourceAddress\":\"10.244.0.40\",\"destinationAddress\":\"10.244.1.68\",\"sourcePort\":\"36098\",\"destinationPort\":\"25227\",\"transportProtocol\":\"T\",\"deviceDirection\":\"I\",\"deviceAction\":\"A\",\"flowState\":\"E\",\"packetsStoD\":\"3\",\"bytesStoD\":\"206\",\"packetsDtoS\":\"2\",\"bytesDtoS\":\"140\"}";

    Assert.Equal(expectedJson, actualJson);
}
/// <summary>
/// Checks the field-by-field mapping from a version 2 <c>DenormalizedRecord</c> to the
/// ECS document returned by <c>EcsFactory.createEcsAll</c>.
/// </summary>
/// <remarks>
/// Fields that a detection or triage query would key on (addresses, ports, direction,
/// outcome, rule name, resource identifiers) are asserted individually, so a silent
/// change in the mapping fails this test instead of changing what downstream
/// consumers see.
/// </remarks>
public void denormalizedRecordToEcsTest()
{
    DenormalizedRecord flowRecord = EcsTest.createDenormalizedRecordV2();
    EcsAll ecsDoc = EcsFactory.createEcsAll(flowRecord);

    // Render the mapped document for inspection in the test output; nulls are omitted.
    // NOTE(review): this prints the whole document, including the resource ID and the
    // addresses, to the test log. Fine for synthetic fixtures; confirm the fixture holds
    // no live identifiers.
    var serializerSettings = new JsonSerializerSettings
    {
        NullValueHandling = NullValueHandling.Ignore,
        Formatting = Newtonsoft.Json.Formatting.Indented
    };
    string renderedJson = JsonConvert.SerializeObject(ecsDoc, serializerSettings);
    output.WriteLine(renderedJson);

    // Envelope: timestamp, producing agent, matched rule, schema version, client MAC.
    Assert.Equal(flowRecord.time, ecsDoc.@timestamp);
    Assert.Equal("AzureNetworkWatcherNSGFlowLogsConnector", ecsDoc.agent.name);
    Assert.Equal(flowRecord.nsgRuleName, ecsDoc.rule.name);
    Assert.Equal("1.0.0", ecsDoc.ecs.version);
    Assert.Equal(flowRecord.mac, ecsDoc.client.mac);

    // Event block: category and action are copied through; outcome, dataset and start
    // are values derived by the factory.
    Assert.Equal(flowRecord.category, ecsDoc.ecsevent.category);
    Assert.Equal(flowRecord.operationName, ecsDoc.ecsevent.action);
    Assert.Equal("allowed", ecsDoc.ecsevent.outcome);
    Assert.Equal("nsg.access", ecsDoc.ecsevent.dataset);
    // Presumably the fixture's epoch startTime rendered as a UTC timestamp (verify against the fixture).
    Assert.Equal("2020-01-10T16:32:42.0000000Z", ecsDoc.ecsevent.start);

    // Resource block: the full ID is copied; subscription and NSG name are expected
    // as separate fields.
    Assert.Equal(flowRecord.resourceId, ecsDoc.resource.id);
    Assert.Equal("F087A016-314D-482C-93F1-88665DAFBA23", ecsDoc.resource.subscription);
    Assert.Equal("AKS-AGENTPOOL-14244569-NSG", ecsDoc.resource.nsg);

    // Endpoints: address and ip are expected to carry the same value on each side.
    Assert.Equal("10.244.0.40", ecsDoc.source.address);
    Assert.Equal("10.244.0.40", ecsDoc.source.ip);
    Assert.Equal("10.244.1.68", ecsDoc.destination.address);
    Assert.Equal("10.244.1.68", ecsDoc.destination.ip);

    // Ports and per-direction counters are compared as integers here.
    Assert.Equal(36098, ecsDoc.source.port);
    Assert.Equal(25227, ecsDoc.destination.port);
    Assert.Equal(3, ecsDoc.source.packets);
    Assert.Equal(2, ecsDoc.destination.packets);
    Assert.Equal(206, ecsDoc.source.bytes);
    Assert.Equal(140, ecsDoc.destination.bytes);

    // Network block: the packet and byte totals equal the sum of the two directions
    // asserted above (3 + 2 and 206 + 140).
    Assert.Equal("tcp", ecsDoc.network.transport);
    Assert.Equal("inbound", ecsDoc.network.direction);
    Assert.Equal("transport", ecsDoc.network.protocol);
    Assert.Equal(5, ecsDoc.network.packets);
    Assert.Equal(346, ecsDoc.network.bytes);
    Assert.Equal("E", ecsDoc.network.flowstate);
}