sivanguetta · sivanguetta · May 3, 2022 · May 4, 2022 · May 5, 2022 · May 6, 2022
diff --git a/.azure-pipelines/ConvertYamlToObject.ps1 b/.azure-pipelines/ConvertYamlToObject.ps1
@@ -0,0 +1,95 @@
+<#
+.SYNOPSIS
+    Convert YAML file to object
+.DESCRIPTION
+    This function converts the Microsoft Sentinel rules published on Microsoft Sentinel GitHub in YAML format to the right ARM JSON format
+.EXAMPLE
+    ConvertSentinelRuleFrom-Yaml -Path './PathToYamlFolder'
+    In This example all the YAML files in the folder will be converted to the right JSON format in the same folder
+.EXAMPLE
+    ConvertSentinelRuleFrom-Yaml -Path './pathToYAMLFolder' -OutputFolder ./PathToJsonFolder
+    In this example all the YAML files in the fodler will be converted to JSON and exported to the OutPutFolder
+.EXAMPLE
+    ConvertSentinelRuleFrom-Yaml -Path './.tmp/ASimDNS/imDns_DomainEntity_DnsEvents.yaml'
+    In this example one specific YAML file will be converted to the right JSON format
+.PARAMETER Path
+    Specifies the object to be processed.  ou can also pipe the objects to this command.
+.OUTPUTS
+    Output is the JSON file
+.NOTES
+    AUTHOR: P.Khabazi
+    LASTEDIT: 16-03-2022
+#>
+
+param($Path)
+
+function ConvertYamlToObject {
+    [CmdletBinding()]
+    param (
+        [System.IO.FileInfo] $Path
+    )
+
+    if (Get-Module -ListAvailable -Name powershell-yaml) {
+        Write-Host "Module already installed"
+    }
+    else {
+        Write-Host "Installing PowerShell-YAML module"
+        try {
+            Install-Module powershell-yaml -AllowClobber -Force -ErrorAction Stop
+            Import-Module powershell-yaml
+        }
+        catch {
+            Write-Error $_.Exception.Message
+            break
+        }
+    }
+
+    <#
+        Test if path exists and extract the data from folder or file
+    #>
+    if ($Path.Extension -in '.yaml', '.yml') {
+        Write-Verbose "Singel YAML file selected"
+        try {
+            $content = Get-Item -Path $Path -ErrorAction Stop
+        }
+        catch {
+            Write-Error $_.Exception.Message
+        }
+    }
+    elseif ($Path.Extension -in '') {
+        Write-Verbose "Folder defined"
+        try {
+            $content = Get-ChildItem -Path $Path -Filter *.yaml -Recurse -ErrorAction Stop
+        }
+        catch {
+            Write-Error $_.Exception.Message
+        }
+    }
+    else {
+        Write-Error 'Wrong Path please see example'
+    }
+
+    <#
+        If any YAML file found starte lopp to process all the files
+    #>
+    if ($content) {
+        Write-Host "'$($content.count)' templates found to convert"
+
+        $data = @()
+        # Start Loop
+        $content | ForEach-Object {
+            # Update the template format with the data from YAML file
+            $convert = $_ | Get-Content -Raw | ConvertFrom-Yaml -ErrorAction Stop
+            $data += $convert
+
+        }
+    }
+    else {
+        Write-Error "No YAML templates found"
+        break
+    }
+
+    return $data
+}
+
+ConvertYamlToObject -Path $Path
diff --git a/.azure-pipelines/convertYamlToLetStatements.ps1 b/.azure-pipelines/convertYamlToLetStatements.ps1
@@ -0,0 +1,91 @@
+Class Parser{
+    [string] $Name;
+    [string] $OriginalQuery;
+    [string] $Schema;
+    [System.Collections.Generic.List`1[System.Object]] $Parameters
+    Parser([string] $Name, [string] $OriginalQuery, [string] $Schema, [System.Collections.Generic.List`1[System.Object]] $Parameters) {
+        $this.Name = $Name;
+        $this.OriginalQuery = $OriginalQuery;
+        $this.Schema = $Schema;
+        $this.Parameters = $Parameters;
+    }
+
+    Test() {
+        Write-Host "Testing parser- '$($this.Name)'"
+        $letStatementName = "generated$($this.Name)"
+        $parserAsletStatement = "let $($letStatementName)= ($(getParameters($this.Parameters))) { $($this.OriginalQuery) };"
+
+        Write-Host "-- Running schema test for '$($this.Name)'"
+        $schemaTest = "$($parserAsletStatement)`n$($letStatementName) | getschema | invoke ASimSchemaTester('$($this.Schema)')"
+        invokeTest $schemaTest $this.Name "schema"
+
+        Write-Host "-- Running data test for '$($this.Name)'"
+        $dataTest = "$($parserAsletStatement)`n$($letStatementName) | invoke ASimDataTester('$($this.Schema)')"
+        invokeTest $dataTest  $this.Name "data"
+    }
+}
+
+function invokeTest([string] $test, [string] $name, [string] $kind) {
+    $query = $test + " | where Result startswith '(0) Error:'"
+    try {
+        # $rawResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "6b57e303-6aa4-4f18-b3ba-b2f816756897" -Query $query -ErrorAction Stop
+        $rawResults = Invoke-AzureRmOperationalInsightsQuery -WorkspaceId "059f037c-1b3b-42b1-bb90-e340e8c3142c" -Query $query -ErrorAction Stop
+        if ($rawResults.Results)
+        {
+            $resultsArray = [System.Linq.Enumerable]::ToArray($rawResults.Results)
+            if ($resultsArray.count) {  
+                $errorMessage = "`n$($name) $($kind)- test failed with $($resultsArray.count) errors:`n"        
+                $resultsArray | ForEach-Object { $errorMessage += "$($_.Result)`n" } 
+                Write-Error $errorMessage
+            } else {
+                Write-Host "  -- $($name) $($kind) test done successfully"
+            }
+        }    
+    } catch {
+        Write-Error $_.Exception
+    }
+
+
+}
+
+function run {
+    # $subscription = Select-AzureRmSubscription -SubscriptionId "de5fb112-5d5d-42d4-a9ea-5f3b1359c6a6"
+    $subscription = Select-AzureRmSubscription -SubscriptionId "419581d6-4853-49bd-83b6-d94bb8a77887"
+    $schemas = ("DNS", "WebSession", "NetworkSession");
+    $schemas | ForEach-Object { testSchema($_) }
+}
+
+function testSchema([string] $schema) {
+    $parsersObjects = & "./ConvertYamlToObject.ps1" -Path "../../../Parsers/ASim$($schema)/Parsers"
+    Write-Host "Testing $($schema) schema, $($parsersObjects.count) parsers were found"
+    $parsersObjects | ForEach-Object {
+        $functionName = "$($_.EquivalentBuiltInParser)V$($_.Parser.Version.Replace('.',''))"
+        if ($_.Parsers){
+            Write-Host "The parser '$($functionName)' is a main parser, ignoring it"
+        } else {
+            $parser = [Parser]::new($functionName, $_.ParserQuery, $schema, $_.ParserParams)
+            $parser.Test()
+        }
+    }
+}
+
+function getParameters {
+    param (
+        [System.Collections.Generic.List`1[System.Object]] $parserParams
+    )
+
+    $paramsArray = @()
+    if ($parserParams){
+        $parserParams | ForEach-Object {
+            if ($_.Type -eq "string") {
+                $_.Default = "'{0}'" -f $_.Default
+            }
+            $paramsArray += ("{0}:{1}= {2}" -f $_.Name,$_.Type,$_.Default)
+        }
+
+        return $paramsArray -join ','
+    }
+    return $paramsString
+}
+
+run
diff --git a/.github/workflows/runAsimTesters.yaml b/.github/workflows/runAsimTesters.yaml
@@ -0,0 +1,29 @@
+name: Run ASIM testers on "eco-connector-test" workspace
+on:
+  pull_request
+
+permissions:
+      id-token: write
+      contents: read
+
+jobs: 
+  runAsimTesters:
+      runs-on: windows-latest
+      steps:
+        - name: Checkout repo        
+          uses: actions/checkout@v2
+        - name: Login to Azure Public Cloud with AzPowershell
+          uses: azure/login@v1
+          with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
+            enable-AzPSSession: true
+        - name: Run Asim testers
+          uses: azure/powershell@v1
+          with:
+             inlineScript: |
+              & ".script/tests/asimParsersTest/runAsimTesters.ps1"
+             azPSVersion: "latest"
+             errorActionPreference : continue
+             failOnStandardError: false
diff --git a/.script/tests/asimParsersTest/convertYamlToObject.ps1 b/.script/tests/asimParsersTest/convertYamlToObject.ps1
@@ -0,0 +1,42 @@
+Param([string]$Path)
+function convertYamlToObject([System.IO.FileInfo] $Path) {
+    if (Get-Module -ListAvailable -Name powershell-yaml) {
+        Write-Verbose "Module already installed"
+    }
+    else {
+        Write-Verbose "Installing PowerShell-YAML module"
+        try {
+            Install-Module powershell-yaml -AllowClobber -Force -ErrorAction Stop
+            Import-Module powershell-yaml
+        }
+        catch {
+            Write-Error $_.Exception.Message
+            break
+        }
+    }
+
+    try {
+        $content = Get-ChildItem -Path $Path -Filter *.yaml -Recurse -ErrorAction Stop
+    }
+    catch {
+        Write-Error $_.Exception.Message
+    }
+
+    if ($content) {
+        Write-Host "'$($content.count)' templates found to convert"
+
+        $data = @()
+        $content | ForEach-Object {
+            $convert = $_ | Get-Content -Raw | ConvertFrom-Yaml -ErrorAction Stop
+            $data += $convert
+
+        }
+    }
+    else {
+        Write-Error "No YAML templates found"
+        break
+    }
+    return $data
+}
+
+convertYamlToObject $Path
diff --git a/.script/tests/asimParsersTest/runAsimTesters.ps1 b/.script/tests/asimParsersTest/runAsimTesters.ps1
@@ -0,0 +1,91 @@
+$global:failed=0
+$global:subscriptionId="419581d6-4853-49bd-83b6-d94bb8a77887"
+$global:workspaceId="059f037c-1b3b-42b1-bb90-e340e8c3142c"
+
+Class Parser {
+    [string] $Name;
+    [string] $OriginalQuery;
+    [string] $Schema;
+    [System.Collections.Generic.List`1[System.Object]] $Parameters
+    Parser([string] $Name, [string] $OriginalQuery, [string] $Schema, [System.Collections.Generic.List`1[System.Object]] $Parameters) {
+        $this.Name = $Name;
+        $this.OriginalQuery = $OriginalQuery;
+        $this.Schema = $Schema;
+        $this.Parameters = $Parameters;
+    }
+}
+
+function run {
+    $subscription = Select-AzSubscription -SubscriptionId $global:subscriptionId
+    $schemas = ("DNS", "WebSession", "NetworkSession");
+    $schemas | ForEach-Object { testSchema($_) }
+}
+
+function testSchema([string] $schema) {
+    $parsersAsObjects = & "$($PSScriptRoot)/convertYamlToObject.ps1"  -Path "$($PSScriptRoot)/../../../Parsers/ASim$($schema)/Parsers"
+    Write-Host "Testing $($schema) schema, $($parsersAsObjects.count) parsers were found"
+    $parsersAsObjects | ForEach-Object {
+        $functionName = "$($_.EquivalentBuiltInParser)V$($_.Parser.Version.Replace('.',''))"
+        if ($_.Parsers) {
+            Write-Host "The parser '$($functionName)' is a main parser, ignoring it"
+        }
+        else {
+            testParser([Parser]::new($functionName, $_.ParserQuery, $schema, $_.ParserParams))
+        }
+    }
+}
+
+function testParser([Parser] $parser) {
+    Write-Host "Testing parser- '$($parser.Name)'"
+    $letStatementName = "generated$($parser.Name)"
+    $parserAsletStatement = "let $($letStatementName)= ($(getParameters($parser.Parameters))) { $($parser.OriginalQuery) };"
+
+    Write-Host "-- Running schema test for '$($parser.Name)'"
+    $schemaTest = "$($parserAsletStatement)`r`n$($letStatementName) | getschema | invoke ASimSchemaTester('$($parser.Schema)')"
+    invokeAsimTester $schemaTest $parser.Name "schema"
+
+    Write-Host "-- Running data test for '$($parser.Name)'"
+    $dataTest = "$($parserAsletStatement)`r`n$($letStatementName) | invoke ASimDataTester('$($parser.Schema)')"
+    invokeAsimTester $dataTest  $parser.Name "data"
+}
+
+function invokeAsimTester([string] $test, [string] $name, [string] $kind) {
+    $query = $test + " | where Result startswith '(0) Error:'"
+    try {
+        $rawResults = Invoke-AzOperationalInsightsQuery -WorkspaceId $global:workspaceId -Query $query -ErrorAction Stop
+        if ($rawResults.Results) {
+            $resultsArray = [System.Linq.Enumerable]::ToArray($rawResults.Results)
+            if ($resultsArray.count) {  
+                $errorMessage = "`r`n$($name) $($kind)- test failed with $($resultsArray.count) errors:`r`n"        
+                $resultsArray | ForEach-Object { $errorMessage += "$($_.Result)`r`n" } 
+                Write-Host $errorMessage
+                $global:failed = 1
+            }
+            else {
+                Write-Host "  -- $($name) $($kind) test done successfully"
+            }
+        }    
+    }
+    catch {
+        Write-Host $_
+        $global:failed = 1
+    }
+}
+
+function getParameters([System.Collections.Generic.List`1[System.Object]] $parserParams) {
+    $paramsArray = @()
+    if ($parserParams) {
+        $parserParams | ForEach-Object {
+            if ($_.Type -eq "string") {
+                $_.Default = "'$($_.Default)'"
+            }
+            $paramsArray += "$($_.Name):$($_.Type)= $($_.Default)"
+        }
+
+        return $paramsArray -join ','
+    }
+    return $paramsString
+}
+
+run
+exit $global:failed