public void Validate_DetectionQueries_SkippedTemplatesDoNotHaveValidKql(string fileName, string encodedFilePath)
        {
            // Guards the skip list itself: a template exempted from KQL validation must
            // really fail validation. An exemption that is no longer needed would otherwise
            // let later edits to that detection query go unchecked.
            // fileName is not read in this body.
            var template   = ReadAndDeserializeYaml(encodedFilePath);
            var kql        = (string)template["query"];
            var templateId = (string)template["id"];

            // Templates that are validated normally are covered by the other tests.
            if (!ShouldSkipTemplateValidation(templateId))
            {
                return;
            }

            var syntaxResult = _queryValidator.ValidateSyntax(kql);
            Assert.False(syntaxResult.IsValid, $"Template Id:{templateId} is valid but it is in the skipped validation templates. Please remove it from the templates that are skipped since it is valid.");
        }
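        public void Validate_DetectionQueries_HaveValidKql(string detectionsYamlFileName)
        {
            // Checks that the KQL in one detection template parses cleanly.
            // detectionsYamlFileName: file name searched for (recursively) under DetectionPath;
            // Single() fails the test when the name matches no file or more than one.
            var    detectionsYamlFile = Directory.GetFiles(DetectionPath, detectionsYamlFileName, SearchOption.AllDirectories).Single();
            var    yaml         = File.ReadAllText(detectionsYamlFile);
            var    deserializer = new DeserializerBuilder().Build();
            var    res          = deserializer.Deserialize <dynamic>(yaml);
            string queryStr     = res["query"];
            string id           = res["id"];

            // Known issues (in progress) are exempted. Every id on this list is a detection
            // whose query reaches the repository without a syntax check, so the list should
            // stay short and each entry should be revisited.
            if (TemplatesToSkipValidationReader.WhiteListTemplateIds.Contains(id))
            {
                return;
            }

            var validationRes = _queryValidator.ValidateSyntax(queryStr);
            var failureMessage = string.Empty;

            if (!validationRes.IsValid)
            {
                // Locate the first error-severity diagnostic when there is one. The location
                // stays at (0, 0) otherwise, so the assertion below still reports the template
                // id instead of the test dying on an empty-sequence exception.
                var firstErrorLocation = (Line : 0, Col : 0);
                var errorDiagnostics   = validationRes.Diagnostics.Where(d => d.Severity == "Error").ToList();
                if (errorDiagnostics.Count > 0)
                {
                    firstErrorLocation = GetLocationInQuery(queryStr, errorDiagnostics[0].Start);
                }

                // string.Join yields an empty string for an empty diagnostics list, where
                // Aggregate without a seed would throw.
                var errors = string.Join(",", validationRes.Diagnostics.Select(d => d.ToString()));
                failureMessage = $"Template Id:{id} is not valid in Line:{firstErrorLocation.Line} col:{firstErrorLocation.Col} Errors:{errors}";
            }

            Assert.True(validationRes.IsValid, failureMessage);
        }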
        public void Validate_DetectionQueries_HaveValidKql(string detectionsYamlFileName)
        {
            // Checks that the KQL in one detection template parses cleanly; on failure the
            // message names the template id, the first error position and every diagnostic.
            var templatePath = getDetectionsYamlFile(detectionsYamlFileName);
            var templateText = File.ReadAllText(templatePath);
            var template     = new DeserializerBuilder().Build().Deserialize <dynamic>(templateText);
            string kql        = template["query"];
            string templateId = template["id"];

            // Known issues are exempted: a skipped template gets no syntax check at all here.
            if (ShouldSkipTemplateValidation(templateId))
            {
                return;
            }

            var syntaxResult   = _queryValidator.ValidateSyntax(kql);
            var failureMessage = string.Empty;

            if (!syntaxResult.IsValid)
            {
                // NOTE(review): First(...) throws if the result is invalid but carries no
                // diagnostic with Severity "Error" - confirm the validator never returns that.
                var firstError = syntaxResult.Diagnostics.First(d => d.Severity == "Error");
                (int Line, int Col) errorAt = GetLocationInQuery(kql, firstError.Start);

                var allErrors = syntaxResult.Diagnostics.Select(d => d.ToString()).ToList().Aggregate((acc, next) => acc + "," + next);
                failureMessage = $"Template Id:{templateId} is not valid in Line:{errorAt.Line} col:{errorAt.Col} Errors:{allErrors}";
            }

            Assert.True(syntaxResult.IsValid, failureMessage);
        }
        public void Validate_DetectionQueries_HaveValidKql(string detectionsYamlFileName)
        {
            // Checks that the KQL in one detection template parses cleanly; on failure the
            // assertion message is the comma-joined diagnostic messages.
            // Single() fails the test when the name matches no file or more than one under DetectionPath.
            var templatePath = Directory.GetFiles(DetectionPath, detectionsYamlFileName, SearchOption.AllDirectories).Single();
            var templateText = File.ReadAllText(templatePath);
            var template     = new DeserializerBuilder().Build().Deserialize <dynamic>(templateText);
            string kql        = template["query"];
            string templateId = template["id"];

            // Known issues (in progress) are exempted: a listed template gets no syntax check here.
            if (TemplatesToSkipValidationReader.WhiteListTemplateIds.Contains(templateId))
            {
                return;
            }

            var syntaxResult   = _queryValidator.ValidateSyntax(kql);
            var failureMessage = string.Empty;

            if (!syntaxResult.IsValid)
            {
                // NOTE(review): Aggregate without a seed throws on an empty list - confirm an
                // invalid result always carries at least one diagnostic.
                failureMessage = syntaxResult.Diagnostics.Select(d => d.Message).ToList().Aggregate((acc, next) => acc + "," + next);
            }

            Assert.True(syntaxResult.IsValid, failureMessage);
        }