/// <summary>
/// Wires the incoming record stream to the console sink. Without a query file
/// every record is forwarded as-is; with one, records first pass through a
/// <see cref="KqlNode"/> loaded from that file and only the query output is printed.
/// </summary>
/// <param name="consoleOutput">Observer that renders records to the console.</param>
/// <param name="records">Source stream of records.</param>
/// <param name="queryFile">Path to a .csl query file, or null to forward records unfiltered.</param>
private static void RunConsoleOutput(ConsoleOutput consoleOutput, IObservable<IDictionary<string, object>> records, string queryFile)
{
    if (queryFile is null)
    {
        // Pass-through mode: no filtering, print everything. The IDisposable
        // returned by Subscribe is discarded, so the subscription is never
        // explicitly torn down from here.
        records.Subscribe(consoleOutput);
        return;
    }

    var queryNode = new KqlNode();
    queryNode.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
    ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
    queryNode.AddCslFile(queryFile);

    // Report every query that failed to parse so the operator can see why a
    // detection is absent rather than discovering it by silence.
    foreach (var failure in queryNode.FailedKqlQueryList)
    {
        Console.WriteLine($"Message: {failure.Message}");
    }

    if (queryNode.KqlQueryList.Count == 0)
    {
        // Nothing to run. This method does not wait itself; presumably the caller
        // handles the Enter key — confirm against the call site.
        Console.WriteLine("No Queries are running. Press Enter to terminate");
        return;
    }

    // Only query results reach the console; the raw records feed the node.
    // Downstream is subscribed before upstream, as in the original ordering.
    var results = queryNode.Output.Select(e => e.Output);
    results.Subscribe(consoleOutput);
    records.Subscribe(queryNode);
}
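/// <summary>
/// Loads a rule that defines KQL functions from a .csl file and pushes a single
/// Windows Security event 4720 (user account created) through it. The checks are
/// <see cref="Debug.Assert(bool, string)"/> calls, so they only fire in Debug builds;
/// no test-framework assertion is made here.
/// </summary>
public void FunctionQueries()
{
    var node = new KqlNode();

    // Test files are deployed next to the test assembly; resolve them relative to it.
    var assemblyPath = Assembly.GetExecutingAssembly().Location;
    var directory = Path.GetDirectoryName(assemblyPath);
    node.AddCslFile(Path.Combine(directory, "KqlFunctionTestFiles", "Rule_4720_UsrAcctCreation_WecExtract.csl"));

    Debug.Assert(GlobalFunctions.KqlFunctions.Count == 3, "Rx.Kql FILTER Functions are not loading correctly from CSL files!");
    // Both conditions must hold. The previous '||' let this pass whenever at least
    // one query loaded, even if other queries in the same file failed to parse,
    // which contradicts the message below.
    Debug.Assert(node.KqlQueryList.Count > 0 && node.FailedKqlQueryList.Count == 0, "Kql query failed to load. There is an Rx.Kql parsing bug!");

    // Sample Security event 4720 in EVTX XML form.
    string evt4720 = "<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\' xml:lang=\'en-US\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4720</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2017-08-31T19:38:21.509585500Z\'/><EventRecordID>2079336</EventRecordID><Correlation/><Execution ProcessID=\'2092\' ThreadID=\'42656\'/><Channel>Security</Channel><Computer>SN2SCH101140124.phx.gbl</Computer><Security/></System><EventData><Data Name=\'TargetUserName\'>QTU-bs_el_idsv-7</Data><Data Name=\'TargetDomainName\'>SN2SCH101140124</Data><Data Name=\'TargetSid\'>S-1-5-21-1266794097-2621680504-1140025688-1442</Data><Data Name=\'SubjectUserSid\'>S-1-5-21-606747145-1563985344-839522115-25776942</Data><Data Name=\'SubjectUserName\'>_qcloud1</Data><Data Name=\'SubjectDomainName\'>PHX</Data><Data Name=\'SubjectLogonId\'>0x21a3d239e</Data><Data Name=\'PrivilegeList\'>-</Data><Data Name=\'SamAccountName\'>QTU-bs_el_idsv-7</Data><Data Name=\'DisplayName\'>%%1793</Data><Data Name=\'UserPrincipalName\'>-</Data><Data Name=\'HomeDirectory\'>%%1793</Data><Data Name=\'HomePath\'>%%1793</Data><Data Name=\'ScriptPath\'>%%1793</Data><Data Name=\'ProfilePath\'>%%1793</Data><Data Name=\'UserWorkstations\'>%%1793</Data><Data Name=\'PasswordLastSet\'>%%1794</Data><Data Name=\'AccountExpires\'>%%1794</Data><Data Name=\'PrimaryGroupId\'>513</Data><Data Name=\'AllowedToDelegateTo\'>-</Data><Data Name=\'OldUacValue\'>0x0</Data><Data Name=\'NewUacValue\'>0x15</Data><Data Name=\'UserAccountControl\'>\r\n\t\t%%2080\r\n\t\t%%2082\r\n\t\t%%2084</Data><Data Name=\'UserParameters\'>%%1793</Data><Data Name=\'SidHistory\'>-</Data><Data Name=\'LogonHours\'>%%1797</Data></EventData></Event>";
    dynamic eventDynamic = EvtxExtensions.Deserialize(evt4720);

    // Capture whatever the node emits. The list is not asserted on, so this only
    // proves the event is processed without throwing.
    // TODO(review): assert on `detections` once the rule's expected output is known.
    var detections = new List<object>();
    node.Subscribe(evt => { detections.Add(evt); });
    node.OnNext((IDictionary<string, object>)eventDynamic);
}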
/// <summary>
/// Pumps the <paramref name="etw"/> stream into the Kusto uploader and blocks
/// until the uploader signals completion. With a query file, the stream is first
/// filtered through a <see cref="KqlNode"/> and only the query output is uploaded.
/// </summary>
/// <param name="ku">Uploader that receives the records and exposes a completion handle.</param>
/// <param name="etw">Source stream of event records.</param>
/// <param name="_queryFile">Path to a .csl query file, or null to upload every record unfiltered.</param>
private static void RunUploader(BlockingKustoUploader ku, IObservable<IDictionary<string, object>> etw, string _queryFile)
{
    if (_queryFile is null)
    {
        // Pass-through: upload every record until the uploader reports it is done.
        using (etw.Subscribe(ku))
        {
            ku.Completed.WaitOne();
        }
        return;
    }

    var queryNode = new KqlNode();
    queryNode.KqlKqlQueryFailed += PreProcessor_KqlKqlQueryFailed;
    ScalarFunctionFactory.AddFunctions(typeof(CustomScalarFunctions));
    queryNode.AddCslFile(_queryFile);

    // Surface every query that failed to parse so a missing detection is explained.
    foreach (var failure in queryNode.FailedKqlQueryList)
    {
        Console.WriteLine($"Message: {failure.Message}");
    }

    if (queryNode.KqlQueryList.Count == 0)
    {
        // Nothing to run; this method does not block in that case.
        Console.WriteLine("No Queries are running. Press Enter to terminate");
        return;
    }

    var results = queryNode.Output.Select(e => e.Output);
    // Downstream (uploader) is subscribed before upstream (etw), matching the
    // original order; both subscriptions are disposed once the uploader completes,
    // inner (etw) first.
    using (results.Subscribe(ku))
    using (etw.Subscribe(queryNode))
    {
        ku.Completed.WaitOne();
    }
}
/// <summary>
/// Loads SimpleQueries.csl from next to the test assembly and feeds ten sequential
/// events (Seq = 0..9) through the node. Emitted detections are collected but not
/// asserted on, so this only checks that the pipeline runs without throwing.
/// </summary>
public void SimpleQueries()
{
    var node = new KqlNode();

    var assemblyDirectory = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
    node.AddCslFile(Path.Combine(assemblyDirectory, "SimpleQueries.csl"));

    // Collect everything the queries emit.
    var detections = new List<object>();
    node.Subscribe(evt => { detections.Add(evt); });

    // Push a small synthetic stream; each event carries only a sequence number.
    for (var seq = 0; seq < 10; seq++)
    {
        dynamic evt = new ExpandoObject();
        evt.Seq = seq;
        node.OnNext((IDictionary<string, object>)evt);
    }
}