private static void RunConsoleOutput(ConsoleOutput consoleOutput, IObservable <IDictionary <string, object> > records, string queryFile) { if (queryFile == null) { records.Subscribe(consoleOutput); } else { KqlNode preProcessor = new KqlNode(); preProcessor.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed; ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions)); preProcessor.AddCslFile(queryFile); if (preProcessor.FailedKqlQueryList.Count > 0) { foreach (var failedDetection in preProcessor.FailedKqlQueryList) { Console.WriteLine($"Message: {failedDetection.Message}"); } } // If we have atleast one valid detection there is a point in waiting otherwise exit if (preProcessor.KqlQueryList.Count > 0) { var processed = preProcessor.Output.Select(e => e.Output); processed.Subscribe(consoleOutput); records.Subscribe(preProcessor); } else { Console.WriteLine("No Queries are running. Press Enter to terminate"); } } }
private void StartEtwListenerInstances() { // Get the current Sentinel config string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"]; bool useEventIngest = false; GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001); string textOfJsonConfig = File.ReadAllText(Path.Combine(LogAnalyticsOdsApiHarness.GetExecutionPath(), $"{configurationFile}")); SentinelApiConfig sentinelApiConfig = JsonConvert.DeserializeObject <SentinelApiConfig>(textOfJsonConfig); List <EtwListener> etwListeners = new List <EtwListener>(); // Add custom local functions to Rx.Kql ScalarFunctionFactory.AddFunctions(typeof(LogAnalyticsOdsApiHarness)); string etwConfigurationFile = "EtwConfig-DNS-TCP.json"; GlobalLog.WriteToStringBuilderLog($"Loading ETW config [{etwConfigurationFile}].", 14001); string textOfEtwConfigurationFile = File.ReadAllText(Path.Combine(LogAnalyticsOdsApiHarness.GetExecutionPath(), $"{etwConfigurationFile}")); List <EtwListenerConfig> listEtwListenerConfigs = JsonConvert.DeserializeObject <List <EtwListenerConfig> >(textOfEtwConfigurationFile); foreach (EtwListenerConfig config in listEtwListenerConfigs) { etwListeners.Add(new EtwListener(sentinelApiConfig, config, useEventIngest)); } // Wait for the process to end Thread.Sleep(Timeout.Infinite); }
public bool ApplyRxKql() { List <string> queriesFullPath = new List <string>(); foreach (var query in _queries) { if (!string.IsNullOrEmpty(query)) { var queryFullPath = Path.GetFullPath(query); if (!File.Exists(queryFullPath)) { _output.OutputError(new Exception($"ERROR! Query file {queryFullPath} does not seem to exist.")); return(false); } else { queriesFullPath.Add(queryFullPath); } } } // adding custom functions if (_realTimeMode) { ScalarFunctionFactory.AddFunctions(typeof(RealTimeCustomScalarFunctions)); } ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions)); // instantiating KqlNodeHub with input stream, output action, and query files _kqlNodeHub = KqlNodeHub.FromFiles(_inputStream, _output.KqlOutputAction, _inputName, queriesFullPath.ToArray()); // checking if any queries failed foreach (var query in _kqlNodeHub._node.FailedKqlQueryList) { _output.OutputError(query.FailureReason); } // return false if any queries failed if (_kqlNodeHub._node.FailedKqlQueryList.Count > 0) { return(false); } // set up error handling for any runtime query errors _kqlNodeHub._node.KqlKqlQueryFailed += KqlQueryFailedEventHandler; _kqlNodeHub._node.EnableFailedKqlQueryEvents = true; return(true); }
private static void RunUploader(BlockingKustoUploader ku, IObservable <IDictionary <string, object> > etw, string _queryFile) { if (_queryFile == null) { using (etw.Subscribe(ku)) { ku.Completed.WaitOne(); } } else { KqlNode preProcessor = new KqlNode(); preProcessor.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed; ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions)); preProcessor.AddCslFile(_queryFile); if (preProcessor.FailedKqlQueryList.Count > 0) { foreach (var failedDetection in preProcessor.FailedKqlQueryList) { Console.WriteLine($"Message: {failedDetection.Message}"); } } // If we have atleast one valid detection there is a point in waiting otherwise exit if (preProcessor.KqlQueryList.Count > 0) { var processed = preProcessor.Output.Select(e => e.Output); using (processed.Subscribe(ku)) { using (etw.Subscribe(preProcessor)) { ku.Completed.WaitOne(); } } } else { Console.WriteLine("No Queries are running. Press Enter to terminate"); } } }