private static void RunConsoleOutput(ConsoleOutput consoleOutput, IObservable <IDictionary <string, object> > records, string queryFile)
{
if (queryFile == null)
{
records.Subscribe(consoleOutput);
}
else
{
KqlNode preProcessor = new KqlNode();
preProcessor.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
preProcessor.AddCslFile(queryFile);
if (preProcessor.FailedKqlQueryList.Count > 0)
{
foreach (var failedDetection in preProcessor.FailedKqlQueryList)
{
Console.WriteLine($"Message: {failedDetection.Message}");
}
}
// If we have atleast one valid detection there is a point in waiting otherwise exit
if (preProcessor.KqlQueryList.Count > 0)
{
var processed = preProcessor.Output.Select(e => e.Output);
processed.Subscribe(consoleOutput);
records.Subscribe(preProcessor);
}
else
{
Console.WriteLine("No Queries are running. Press Enter to terminate");
}
}
}
private void StartEtwListenerInstances()
{
// Get the current Sentinel config
string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
bool useEventIngest = false;
GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
string textOfJsonConfig = File.ReadAllText(Path.Combine(LogAnalyticsOdsApiHarness.GetExecutionPath(), $"{configurationFile}"));
SentinelApiConfig sentinelApiConfig = JsonConvert.DeserializeObject <SentinelApiConfig>(textOfJsonConfig);
List <EtwListener> etwListeners = new List <EtwListener>();
// Add custom local functions to Rx.Kql
ScalarFunctionFactory.AddFunctions(typeof(LogAnalyticsOdsApiHarness));
string etwConfigurationFile = "EtwConfig-DNS-TCP.json";
GlobalLog.WriteToStringBuilderLog($"Loading ETW config [{etwConfigurationFile}].", 14001);
string textOfEtwConfigurationFile = File.ReadAllText(Path.Combine(LogAnalyticsOdsApiHarness.GetExecutionPath(), $"{etwConfigurationFile}"));
List <EtwListenerConfig> listEtwListenerConfigs = JsonConvert.DeserializeObject <List <EtwListenerConfig> >(textOfEtwConfigurationFile);
foreach (EtwListenerConfig config in listEtwListenerConfigs)
{
etwListeners.Add(new EtwListener(sentinelApiConfig, config, useEventIngest));
}
// Wait for the process to end
Thread.Sleep(Timeout.Infinite);
}
public bool ApplyRxKql()
{
List <string> queriesFullPath = new List <string>();
foreach (var query in _queries)
{
if (!string.IsNullOrEmpty(query))
{
var queryFullPath = Path.GetFullPath(query);
if (!File.Exists(queryFullPath))
{
_output.OutputError(new Exception($"ERROR! Query file {queryFullPath} does not seem to exist."));
return(false);
}
else
{
queriesFullPath.Add(queryFullPath);
}
}
}
// adding custom functions
if (_realTimeMode)
{
ScalarFunctionFactory.AddFunctions(typeof(RealTimeCustomScalarFunctions));
}
ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
// instantiating KqlNodeHub with input stream, output action, and query files
_kqlNodeHub = KqlNodeHub.FromFiles(_inputStream, _output.KqlOutputAction, _inputName, queriesFullPath.ToArray());
// checking if any queries failed
foreach (var query in _kqlNodeHub._node.FailedKqlQueryList)
{
_output.OutputError(query.FailureReason);
}
// return false if any queries failed
if (_kqlNodeHub._node.FailedKqlQueryList.Count > 0)
{
return(false);
}
// set up error handling for any runtime query errors
_kqlNodeHub._node.KqlKqlQueryFailed += KqlQueryFailedEventHandler;
_kqlNodeHub._node.EnableFailedKqlQueryEvents = true;
return(true);
}
private static void RunUploader(BlockingKustoUploader ku, IObservable <IDictionary <string, object> > etw, string _queryFile)
{
if (_queryFile == null)
{
using (etw.Subscribe(ku))
{
ku.Completed.WaitOne();
}
}
else
{
KqlNode preProcessor = new KqlNode();
preProcessor.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
preProcessor.AddCslFile(_queryFile);
if (preProcessor.FailedKqlQueryList.Count > 0)
{
foreach (var failedDetection in preProcessor.FailedKqlQueryList)
{
Console.WriteLine($"Message: {failedDetection.Message}");
}
}
// If we have atleast one valid detection there is a point in waiting otherwise exit
if (preProcessor.KqlQueryList.Count > 0)
{
var processed = preProcessor.Output.Select(e => e.Output);
using (processed.Subscribe(ku))
{
using (etw.Subscribe(preProcessor))
{
ku.Completed.WaitOne();
}
}
}
else
{
Console.WriteLine("No Queries are running. Press Enter to terminate");
}
}
}
