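/// <summary>
/// Starts the ETW provider session, wires a KQL node hub over it, loads the Sentinel API
/// configuration named by the "SentinelApiConfig" app setting, resolves the upload
/// certificate and uploads the bundled sample data (XMLFile1.xml) to Log Analytics.
/// </summary>
/// <exception cref="InvalidOperationException">
/// The "SentinelApiConfig" app setting is missing or blank, or the configuration file
/// does not deserialize to a <see cref="SentinelApiConfig"/> instance.
/// </exception>
public void InitializeEtwListener()
{
    payload = GetNewPayloadObject();

    // The setting alone decides which file is read: a relative name is resolved against the
    // execution path below, while a rooted value makes Path.Combine ignore that base entirely.
    var configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
    if (string.IsNullOrWhiteSpace(configurationFile))
    {
        // Without this guard a blank name would try to read the execution directory itself
        // and fail with an unrelated access error far from the real cause.
        throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty.");
    }

    EtwProviderSession(EtwListenerConfig.SessionName, EtwListenerConfig.ProviderId, true);
    var etwStream = EtwTdhObservable.FromSession(EtwListenerConfig.SessionName);
    KqlNodeHub = KqlNodeHub.FromKqlQuery(etwStream, DefaultOutput, EtwListenerConfig.ObservableName, EtwListenerConfig.KqlQuery);

    GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
    var executionPath = LogAnalyticsOdsApiHarness.GetExecutionPath();
    var textOfJsonConfig = File.ReadAllText(Path.Combine(executionPath, configurationFile));
    SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);
    if (SentinelApiConfig == null)
    {
        // DeserializeObject returns null for an empty/"null" document; fail here instead of
        // on the first property access below.
        throw new InvalidOperationException($"Configuration file [{configurationFile}] did not contain a SentinelApiConfig object.");
    }

    // Two certificate sources: the MMA workspace certificate, or an explicit thumbprint
    // looked up in the local machine "MY" store.
    // NOTE(review): if either lookup can return null, the upload below proceeds without a
    // certificate — confirm the helpers throw on a missing certificate.
    logAnalyticsX509Certificate2 = SentinelApiConfig.UseMmaCertificate
        ? CertificateManagement.FindOdsCertificateByWorkspaceId(SentinelApiConfig.WorkspaceId)
        : CertificateManagement.FindCertificateByThumbprint("MY", SentinelApiConfig.CertificateThumbprint, StoreLocation.LocalMachine);

    GlobalLog.WriteToStringBuilderLog($"SampleData load [{configurationFile}].", 14001);
    var sampleData = File.ReadAllText(Path.Combine(executionPath, "XMLFile1.xml"));
    UploadBatchToLogAnalytics(sampleData, logAnalyticsX509Certificate2);
}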
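/// <summary>
/// Creates a processor that will evaluate the given KQL query files over
/// <paramref name="inputStream"/> and route results and errors through
/// <paramref name="output"/>. No work happens until <see cref="ApplyRxKql"/> is called.
/// </summary>
/// <param name="inputStream">Source of event dictionaries the queries are evaluated over.</param>
/// <param name="inputName">Input name handed to <c>KqlNodeHub.FromFiles</c> together with the stream.</param>
/// <param name="output">Sink for query results and error reports.</param>
/// <param name="realTimeMode">When true, the real-time custom scalar functions are registered as well.</param>
/// <param name="queries">Paths of the KQL query files; null or empty entries are skipped when applied.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="inputStream"/> or <paramref name="output"/> is null.
/// </exception>
public EventProcessor(
    IObservable<IDictionary<string, object>> inputStream,
    string inputName,
    IOutput output,
    bool realTimeMode,
    params string[] queries)
{
    // Fail fast here rather than with a NullReferenceException deep inside ApplyRxKql.
    if (inputStream == null)
    {
        throw new ArgumentNullException(nameof(inputStream));
    }
    if (output == null)
    {
        throw new ArgumentNullException(nameof(output));
    }

    _inputStream = inputStream;
    _inputName = inputName;
    _output = output;
    _realTimeMode = realTimeMode;
    // Only an explicit null argument can produce a null params array; normalize it so the
    // foreach over _queries in ApplyRxKql cannot blow up.
    _queries = queries ?? new string[0];
    _kqlNodeHub = null;
}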
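/// <summary>
/// Resolves the query file paths, registers the custom scalar functions, builds the
/// KQL node hub from the query files and reports any queries that failed to load.
/// </summary>
/// <returns>
/// True when every query file exists and loaded; false when a file is missing or at least
/// one query failed, in which case the failure has already been reported via the output.
/// </returns>
public bool ApplyRxKql()
{
    var queriesFullPath = new List<string>();
    foreach (var query in _queries)
    {
        if (string.IsNullOrEmpty(query))
        {
            continue;
        }

        var queryFullPath = Path.GetFullPath(query);
        if (!File.Exists(queryFullPath))
        {
            // A specific exception type carries the path for whatever inspects the error downstream.
            _output.OutputError(new FileNotFoundException($"ERROR! Query file {queryFullPath} does not seem to exist.", queryFullPath));
            return false;
        }

        queriesFullPath.Add(queryFullPath);
    }

    // Real-time functions are only registered for live-stream processing.
    // NOTE(review): AddFunctions runs on every ApplyRxKql call — confirm the factory tolerates re-registration.
    if (_realTimeMode)
    {
        ScalarFunctionFactory.AddFunctions(typeof(RealTimeCustomScalarFunctions));
    }
    ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));

    _kqlNodeHub = KqlNodeHub.FromFiles(_inputStream, _output.KqlOutputAction, _inputName, queriesFullPath.ToArray());

    // Report every query that failed to load, then bail out if there was at least one.
    var failedQueries = _kqlNodeHub._node.FailedKqlQueryList;
    foreach (var failedQuery in failedQueries)
    {
        _output.OutputError(failedQuery.FailureReason);
    }
    if (failedQueries.Count > 0)
    {
        return false;
    }

    // Surface runtime (post-load) query failures through the same handler.
    _kqlNodeHub._node.KqlKqlQueryFailed += KqlQueryFailedEventHandler;
    _kqlNodeHub._node.EnableFailedKqlQueryEvents = true;
    return true;
}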