kql-panopticon 0.3.0

KQL tooling for Azure Log Analytics - concurrent multi-workspace queries, chained investigations, HTTP enrichment, and automated reports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241

use crate::error::Result;
use crate::query_job::QuerySettings;
use serde::{Deserialize, Serialize};
use std::path::{Path, PathBuf};

/// A query pack containing one or more KQL queries
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct QueryPack {
    /// Pack name
    pub name: String,

    /// Optional description
    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    /// Optional author
    #[serde(skip_serializing_if = "Option::is_none")]
    pub author: Option<String>,

    /// Optional version
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,

    /// Single query (for simple packs)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query: Option<String>,

    /// Multiple queries (for complex packs)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub queries: Option<Vec<PackQuery>>,

    /// Execution settings (optional - uses defaults if omitted)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub settings: Option<QuerySettings>,

    /// Workspace scope (optional)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub workspaces: Option<WorkspaceScope>,
}

/// A single query within a pack
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PackQuery {
    pub name: String,

    #[serde(skip_serializing_if = "Option::is_none")]
    pub description: Option<String>,

    pub query: String,
}

/// Workspace selection scope
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "scope", rename_all = "lowercase")]
pub enum WorkspaceScope {
    /// Execute on all available workspaces
    All,

    /// Execute on specific workspace IDs
    Selected { ids: Vec<String> },

    /// Execute on workspaces matching pattern
    Pattern { pattern: String },
}

impl QueryPack {
    /// Load a query pack from a file
    pub fn load_from_file(path: &Path) -> Result<Self> {
        let content = std::fs::read_to_string(path)?;

        // Try YAML first, fall back to JSON
        if path.extension().and_then(|s| s.to_str()) == Some("json") {
            Ok(serde_json::from_str(&content)?)
        } else {
            // Default to YAML for .yaml, .yml, or no extension
            Ok(serde_yaml::from_str(&content)?)
        }
    }

    /// Save a query pack to a file
    #[allow(dead_code)]
    pub fn save_to_file(&self, path: &Path) -> Result<()> {
        let content = if path.extension().and_then(|s| s.to_str()) == Some("json") {
            serde_json::to_string_pretty(self)?
        } else {
            serde_yaml::to_string(self)?
        };

        std::fs::write(path, content)?;
        Ok(())
    }

    /// Get all queries from the pack (handles both single and multiple query formats)
    pub fn get_queries(&self) -> Vec<PackQuery> {
        if let Some(queries) = &self.queries {
            queries.clone()
        } else if let Some(query) = &self.query {
            vec![PackQuery {
                name: self.name.clone(),
                description: self.description.clone(),
                query: query.clone(),
            }]
        } else {
            vec![]
        }
    }

    /// Validate the query pack
    pub fn validate(&self) -> Result<()> {
        // Must have either query or queries
        if self.query.is_none() && self.queries.is_none() {
            return Err(crate::error::KqlPanopticonError::QueryPackValidation(
                "Query pack must contain either 'query' or 'queries' field".into(),
            ));
        }

        // Can't have both
        if self.query.is_some() && self.queries.is_some() {
            return Err(crate::error::KqlPanopticonError::QueryPackValidation(
                "Query pack cannot have both 'query' and 'queries' fields".into(),
            ));
        }

        // If queries array, must not be empty
        if let Some(queries) = &self.queries {
            if queries.is_empty() {
                return Err(crate::error::KqlPanopticonError::QueryPackValidation(
                    "Query pack 'queries' array cannot be empty".into(),
                ));
            }
        }

        Ok(())
    }

    /// Get the pack's file path in the standard library location
    pub fn get_library_path(relative_path: &str) -> Result<PathBuf> {
        let home =
            dirs::home_dir().ok_or(crate::error::KqlPanopticonError::HomeDirectoryNotFound)?;

        Ok(home.join(".kql-panopticon/packs").join(relative_path))
    }

    /// List all query packs in the library
    pub fn list_library_packs() -> Result<Vec<PathBuf>> {
        let packs_dir = Self::get_library_path("")?;

        if !packs_dir.exists() {
            std::fs::create_dir_all(&packs_dir)?;
            return Ok(vec![]);
        }

        let mut packs = Vec::new();

        // Recursively find all .yaml, .yml, .json files
        for entry in walkdir::WalkDir::new(&packs_dir)
            .into_iter()
            .filter_map(|e| e.ok())
        {
            if entry.file_type().is_file() {
                if let Some(ext) = entry.path().extension().and_then(|s| s.to_str()) {
                    if ext == "yaml" || ext == "yml" || ext == "json" {
                        packs.push(entry.path().to_path_buf());
                    }
                }
            }
        }

        Ok(packs)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_load_minimal_pack() {
        let yaml = r#"
name: "Test Query"
query: "SecurityEvent | limit 10"
"#;
        let pack: QueryPack = serde_yaml::from_str(yaml).unwrap();
        assert_eq!(pack.name, "Test Query");
        assert_eq!(pack.get_queries().len(), 1);
    }

    #[test]
    fn test_load_full_pack() {
        let yaml = r#"
name: "Security Hunt"
description: "Multi-query investigation"
queries:
  - name: "Query 1"
    query: "SecurityEvent | limit 5"
  - name: "Query 2"
    query: "SigninLogs | limit 5"
settings:
  timeout: 60
workspaces:
  scope: all
"#;
        let pack: QueryPack = serde_yaml::from_str(yaml).unwrap();
        assert_eq!(pack.get_queries().len(), 2);
        pack.validate().unwrap();
    }

    #[test]
    fn test_validate_empty_pack() {
        let pack = QueryPack {
            name: "Test".into(),
            description: None,
            author: None,
            version: None,
            query: None,
            queries: None,
            settings: None,
            workspaces: None,
        };
        assert!(pack.validate().is_err());
    }

    #[test]
    fn test_validate_both_query_and_queries() {
        let pack = QueryPack {
            name: "Test".into(),
            description: None,
            author: None,
            version: None,
            query: Some("SecurityEvent".into()),
            queries: Some(vec![PackQuery {
                name: "Q1".into(),
                description: None,
                query: "SigninLogs".into(),
            }]),
            settings: None,
            workspaces: None,
        };
        assert!(pack.validate().is_err());
    }
}