@quantum-sec/kql-test-harness
v2.1.1
Published
Test harness for running Microsoft Log Analytics queries and verifying outputs.
Downloads
126
Readme
kql-test-harness
Test harness for running Microsoft Log Analytics queries and verifying outputs.
Prerequisites
- Directory names should be kebab-case
./parsers or rules/<DEVICE_TYPE>/<PRODUCT_NAME>/<PRODUCT_VERSION>/
- if the product doesn't have versions omit that portion of the path
- if all versions of a product are compatible with one another, omit that portion of the path
Each bottom-level directory should contain:
- The parser (
.kql
) or rule (.yaml
) itself as a file:- This file should be the PascalCase name of the function suffixed with
_Security
- This file should contain a Jasmine spec file containing integration tests for the parser.
- This file should contain a
metadata.json
file containingtargetSchema
andschemaVersion
.targetSchema
should be suffixed with_Security
appended with_Schema
.schemaVersion
should be the git revision of the schema being reference with.- Note: To maintain backward compatibility both
targetSchema
andschemaVersion
can be defined in the KQL parser file.
- This file should be the PascalCase name of the function suffixed with
Running Integration Tests
Create a service principal in Azure Active Directory using App Registration option.
Add API permission
Read Log Analytics data as user
to service principal. This can be found in Log Analytics API from the list.Give the service principal access in Azure log analytics workspace with
Contributor
role.Configure your connection to Azure by setting the following environment variables:
AAD_TENANT_ID
- Azure Active Directory Tenant ID.AAD_CLIENT_ID
- Client ID of Service principal created.AAD_CLIENT_SECRET
- Client Secret of service principal created.ALA_WORKSPACE_ID
- Azure Log Analytics Workspace ID to be used for running KQL queries.
Usage
To install this package in your project, simply use NPM:
npm install --save @quantum-sec/kql-test-harness
Note: You may also need to install peer dependencies.
These will be listed in the output of the npm install
command.
Once the package is installed in your project, you can import the classes or types you want to use:
import { ILogAnalyticsQueryContext, KqlTestHarness, KqlTestParserHarness } from '@quantum-sec/kql-test-harness';
Currently this package supports testing for KQL rules and parsers.
Creating a Test Harness for Parsers
const harness: KqlTestHarness = new KqlTestParserHarness();
or
const harness: KQLTestHarness = new KQLTestHarness({ source: KqlSource.Parser });
Creating a Test Harness for Rules
const harness: KqlTestHarness = new KqlTestRuleHarness();
or
const harness: KQLTestHarness = new KQLTestHarness({ source: KqlSource.Rule });
Initializer
The Test Harness takes an initializer that exposes options for specifying
schemaPath
: The path to the base of the schemas directory. This is a relative path from your spec file.source
: The KQLSource. Current supported sources areParser
andRule
.source
is only available onKQLTestHarness
.KqlTestParserHarness
andKqlTestRuleHarness
will pass their respective source when constructed.dataTypeFactoryDelegate
: A delegate function to override types assigned to column names that are discovered from sample data.defaultTimeOutInterval
: Number of milliseconds the test will wait for an asyncronous spec. Seejasmine.DEFAULT_TIMEOUT_INTERVAL
Check these example tests files for parsers and rules
You can add supporting functions for a KQL query that are placed in a different KQL file by using utility functions. You can pass utility functions as an argument in harness initialization. Example:
beforeAll(async () => {
await harness.init({
utilityFunctions: [
'LinuxAuditd_Security_Common',
'LinuxAuditd_Security_Projection',
],
});
});
Utilize the harness to construct result objects. Example:
harness.registerSuite('LinuxAuditdEventTypeData', 'LinuxAuditLog_CL', (context: ILogAnalyticsQueryContext) => {
let result: any;
beforeEach(() => {
result = harness.constructResultObject(context.result)[0];
});
To add sample data you can either use a .JSON
file or generate a sample data in test file. For later below is the example:
Here Signature is the values we want to find a specific rule to pass.
Example query : Antivirus_Security | where (Signature contains @"MeteTool" or Signature contains @"MPreter")
const baseSampleData = [{
'TimeGenerated': '2021-07-11T21:41:59.88Z',
'SourceSystem': 'RestAPI',
}];
const signatures = [
'MeteTool',
'MPreter',
];
const SampleData = baseSampleData.map((row) => {
(row as any).Signature = Signature;
return row;
});
For negative testing, you can add any value to the array to fail the rule beacuse of absent value in sample data.
You can refer to sample tests in source code parsers & rules directory.
Development
To add additional resources to this module, simply add the code files desired and ensure that they're
exported from index.ts
in the root of the src
directory. If you are using sub-modules, ensure that
they're exported from that module's index.ts
and then subsequently from the root index.ts
.
Once you've added your code, make sure it builds and passes ESLint rules and unit tests:
npm run build
npm run lint
npm run test