This NQE will validate that only the SSIDs in allowedSSID can be used; if an SSID does not exist in the list, it will fail the query.
Taking advice from an earlier post, I have used blockMatches this time. There is some tuning required to remove the duplicates as a result of the table having the entry for each
/**
 * @intent Validate that the Arista APs have only the approved SSIDs configured
 * @description This will check each Arista AP for the approved SSIDs and violate when the SSID does not match
 * the allowedSSID list.
 *
 * You will get multiple entries due to the VAPS list having an entry for each frequency. This will be a future
 * fix to show only once when the unauthorised SSID exists
 */
pattern =
```
VAP-ID : {VAPId:string} ESSID : {SSID:string}
```;
// Replace the SSIDs with your own.
allowedSSID = ["ssid1", "ssid2", "ssid3"];
foreach endpoint in network.endpoints
where endpoint.profileName == "Arista Wireless AP's"
foreach command in endpoint.cliCommandResponses
where command.command == "show vaps"
let parsed = parseConfigBlocks(OS.UNKNOWN, command.response)
let matches = blockMatches(parsed, pattern)
foreach match in matches
where match.data.SSID not in allowedSSID
let Unauthorised = match.data.SSID
select {
  violation: length(Unauthorised) > 0,
  name: endpoint.name,
  location: endpoint.locationName,
  UnauthorisedSSID: Unauthorised
}
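
The duplicate rows come from the same SSID appearing on more than one VAP, so grouping by SSID per AP leaves one row per unauthorised SSID. The following is an added example in Python, not part of the original post and not NQE; the sample `show vaps` text is constructed from the line shape in the post's pattern, and the AP names and function names are hypothetical.

```python
import re

# Line shape taken from the pattern in the post; everything else about the
# real "show vaps" output is an assumption.
VAP_LINE = re.compile(r"VAP-ID\s*:\s*(?P<vap>\S+)\s+ESSID\s*:\s*(?P<ssid>\S+)")

ALLOWED_SSIDS = {"ssid1", "ssid2", "ssid3"}  # placeholders, as in the post

# Constructed sample responses: each SSID is listed once per frequency.
SAMPLE_RESPONSES = {
    "ap-01": "VAP-ID : 0 ESSID : ssid1\nVAP-ID : 1 ESSID : ssid1\n"
             "VAP-ID : 2 ESSID : guest-test\nVAP-ID : 3 ESSID : guest-test\n",
    "ap-02": "VAP-ID : 0 ESSID : ssid2\nVAP-ID : 1 ESSID : ssid3\n",
    # SSIDs are case-sensitive, so this one is not on the allow list.
    "ap-03": "VAP-ID : 0 ESSID : SSID1\n",
}


def unauthorised_ssids(response, allowed=ALLOWED_SSIDS):
    """Map each unapproved SSID to the VAP IDs carrying it (first-seen order)."""
    found = {}
    for line in response.splitlines():
        m = VAP_LINE.search(line)
        if m and m["ssid"] not in allowed:
            found.setdefault(m["ssid"], []).append(m["vap"])
    return found


def audit(responses, allowed=ALLOWED_SSIDS):
    """One violation row per (AP, unauthorised SSID) instead of one per VAP."""
    rows = []
    for ap, response in sorted(responses.items()):
        for ssid, vaps in unauthorised_ssids(response, allowed).items():
            rows.append({"violation": True, "name": ap,
                         "UnauthorisedSSID": ssid, "vapIds": vaps})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        print(row)
```

Keeping the VAP IDs in the grouped row preserves which radios carry the unapproved SSID while still reporting it once.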