        /// <summary>
        /// Wires the record stream to the console sink, either directly or through a
        /// <see cref="KqlNode"/> loaded from <paramref name="queryFile"/>.
        /// </summary>
        /// <param name="consoleOutput">Observer that prints records to the console.</param>
        /// <param name="records">Source stream of records.</param>
        /// <param name="queryFile">Path to a CSL query file, or null to forward records unfiltered.</param>
        private static void RunConsoleOutput(ConsoleOutput consoleOutput, IObservable <IDictionary <string, object> > records, string queryFile)
        {
            // No query file: every record goes straight to the console sink.
            if (queryFile == null)
            {
                records.Subscribe(consoleOutput);
                return;
            }

            // Otherwise only the output of the queries in the CSL file reaches the sink.
            var kqlNode = new KqlNode();
            kqlNode.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
            ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
            kqlNode.AddCslFile(queryFile);

            // Report each query that failed to load; an empty list prints nothing.
            foreach (var failure in kqlNode.FailedKqlQueryList)
            {
                Console.WriteLine($"Message: {failure.Message}");
            }

            // With no valid query nothing will ever be emitted, so tell the operator to exit.
            if (kqlNode.KqlQueryList.Count == 0)
            {
                Console.WriteLine("No Queries are running. Press Enter to terminate");
                return;
            }

            // Attach the sink to the query output before feeding the node.
            // NOTE(review): the subscriptions returned by Subscribe are not disposed here;
            // presumably the caller keeps the process alive until Enter is pressed — confirm.
            var queryOutput = kqlNode.Output.Select(e => e.Output);
            queryOutput.Subscribe(consoleOutput);
            records.Subscribe(kqlNode);
        }
        /// <summary>
        /// Loads a CSL rule file that declares KQL functions, checks that the functions
        /// and the query were registered, and pushes one sample event 4720 through the node.
        /// </summary>
        public void FunctionQueries()
        {
            var node = new KqlNode();

            // Resolve the rule file relative to the directory of the executing assembly.
            var assemblyPath = Assembly.GetExecutingAssembly().Location;
            var baseDirectory = Path.GetDirectoryName(assemblyPath);
            var rulePath = Path.Combine(baseDirectory, "KqlFunctionTestFiles", "Rule_4720_UsrAcctCreation_WecExtract.csl");

            node.AddCslFile(rulePath);

            // The rule file is expected to register exactly three scalar functions.
            Debug.Assert(GlobalFunctions.KqlFunctions.Count == 3, "Rx.Kql FILTER Functions are not loading correctly from CSL files!");
            // NOTE(review): with `||` this check also passes when both lists are empty
            // (nothing loaded at all); confirm whether `&&` was intended.
            Debug.Assert(node.KqlQueryList.Count > 0 || node.FailedKqlQueryList.Count == 0, "Kql query failed to load.  There is an Rx.Kql parsing bug!");

            // Sample Security event 4720 in Windows event XML form.
            string evt4720 =
                "<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\' xml:lang=\'en-US\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4720</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2017-08-31T19:38:21.509585500Z\'/><EventRecordID>2079336</EventRecordID><Correlation/><Execution ProcessID=\'2092\' ThreadID=\'42656\'/><Channel>Security</Channel><Computer>SN2SCH101140124.phx.gbl</Computer><Security/></System><EventData><Data Name=\'TargetUserName\'>QTU-bs_el_idsv-7</Data><Data Name=\'TargetDomainName\'>SN2SCH101140124</Data><Data Name=\'TargetSid\'>S-1-5-21-1266794097-2621680504-1140025688-1442</Data><Data Name=\'SubjectUserSid\'>S-1-5-21-606747145-1563985344-839522115-25776942</Data><Data Name=\'SubjectUserName\'>_qcloud1</Data><Data Name=\'SubjectDomainName\'>PHX</Data><Data Name=\'SubjectLogonId\'>0x21a3d239e</Data><Data Name=\'PrivilegeList\'>-</Data><Data Name=\'SamAccountName\'>QTU-bs_el_idsv-7</Data><Data Name=\'DisplayName\'>%%1793</Data><Data Name=\'UserPrincipalName\'>-</Data><Data Name=\'HomeDirectory\'>%%1793</Data><Data Name=\'HomePath\'>%%1793</Data><Data Name=\'ScriptPath\'>%%1793</Data><Data Name=\'ProfilePath\'>%%1793</Data><Data Name=\'UserWorkstations\'>%%1793</Data><Data Name=\'PasswordLastSet\'>%%1794</Data><Data Name=\'AccountExpires\'>%%1794</Data><Data Name=\'PrimaryGroupId\'>513</Data><Data Name=\'AllowedToDelegateTo\'>-</Data><Data Name=\'OldUacValue\'>0x0</Data><Data Name=\'NewUacValue\'>0x15</Data><Data Name=\'UserAccountControl\'>\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084</Data><Data Name=\'UserParameters\'>%%1793</Data><Data Name=\'SidHistory\'>-</Data><Data Name=\'LogonHours\'>%%1797</Data></EventData></Event>";

            dynamic parsedEvent = EvtxExtensions.Deserialize(evt4720);

            // Collect every detection the node emits; nothing is asserted on it here.
            var detections = new List <object>();
            node.Subscribe(evt => detections.Add(evt));

            node.OnNext((IDictionary <string, object>)parsedEvent);
        }
        /// <summary>
        /// Feeds the ETW stream into the Kusto uploader, either directly or through a
        /// <see cref="KqlNode"/> loaded from <paramref name="_queryFile"/>, and blocks
        /// until the uploader signals completion.
        /// </summary>
        /// <param name="ku">Uploader that receives the records.</param>
        /// <param name="etw">Source stream of ETW records.</param>
        /// <param name="_queryFile">Path to a CSL query file, or null to upload records unfiltered.</param>
        private static void RunUploader(BlockingKustoUploader ku, IObservable <IDictionary <string, object> > etw, string _queryFile)
        {
            // No query file: upload every record and wait for the uploader to finish.
            if (_queryFile == null)
            {
                using (etw.Subscribe(ku))
                {
                    ku.Completed.WaitOne();
                }
                return;
            }

            // Otherwise only the output of the queries in the CSL file is uploaded.
            var kqlNode = new KqlNode();
            kqlNode.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
            ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
            kqlNode.AddCslFile(_queryFile);

            // Report each query that failed to load; an empty list prints nothing.
            foreach (var failure in kqlNode.FailedKqlQueryList)
            {
                Console.WriteLine($"Message: {failure.Message}");
            }

            // With no valid query nothing will ever be uploaded, so tell the operator to exit.
            if (kqlNode.KqlQueryList.Count == 0)
            {
                Console.WriteLine("No Queries are running. Press Enter to terminate");
                return;
            }

            // Uploader first, then the source, so no query output is emitted before
            // the uploader is listening; both subscriptions are released on completion.
            var queryOutput = kqlNode.Output.Select(e => e.Output);
            using (queryOutput.Subscribe(ku))
            using (etw.Subscribe(kqlNode))
            {
                ku.Completed.WaitOne();
            }
        }
        /// <summary>
        /// Loads SimpleQueries.csl next to the test assembly and pushes ten events,
        /// each carrying a <c>Seq</c> field 0..9, through the node.
        /// </summary>
        public void SimpleQueries()
        {
            var node = new KqlNode();

            // Resolve the CSL file relative to the directory of the executing assembly.
            var assemblyPath = Assembly.GetExecutingAssembly().Location;
            var baseDirectory = Path.GetDirectoryName(assemblyPath);
            node.AddCslFile(Path.Combine(baseDirectory, "SimpleQueries.csl"));

            // Collect every detection the node emits; nothing is asserted on it here.
            var detections = new List<object>();
            node.Subscribe(evt => detections.Add(evt));

            // Emit ten events; ExpandoObject is an IDictionary<string, object>, so the
            // field is written through the dictionary view instead of a dynamic binder.
            for (var seq = 0; seq < 10; seq++)
            {
                var evt = new ExpandoObject();
                ((IDictionary<string, object>)evt)["Seq"] = seq;
                node.OnNext(evt);
            }
        }