public static string AverageDetectionsPerMonth()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
return(db.v_DetectionAverages.Select(x => x.Monthly).FirstOrDefault().Value.ToString());
}
}
public List <Detection> GetList()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
return(db.Detections.ToList());
}
}
public ActionResult Index(ScheduleViewModel[] schedules)
{
if (ModelState.IsValid)
{
try
{
FalconOrchestratorDB db = new FalconOrchestratorDB();
foreach (var line in schedules)
{
ResponderSchedule row = db.ResponderSchedules.Find(line.ScheduleId);
row.ResponderId = line.ResponderId != null ? (int?)Convert.ToInt32(line.ResponderId) : null;
db.Entry(row).State = System.Data.Entity.EntityState.Modified;
}
db.SaveChanges();
return(PartialView("_Success", "Schedule has been updated"));
}
catch (Exception e)
{
return(PartialView("_Error", e.Message));
}
}
List <string> errors = ModelState.Where(x => x.Value.Errors.Count > 0).SelectMany(x => x.Value.Errors).Select(x => x.ErrorMessage).ToList();
return(PartialView("_ValidationError", errors));
}
public static Responder GetAssignedResponder(string dayOfWeek)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
return(db.ResponderSchedules.Where(x => x.DayOfWeek.Equals(dayOfWeek)).Select(x => x.Responder).FirstOrDefault());
}
}
public override bool Exists()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
return(db.Detections.Any(x => x.Offset.Equals(Metadata.Offset)));
}
}
private int GetDetectionDeviceId()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
int detectDeviceId;
if (db.Devices.Any(x => x.Hostname.Equals(data.ComputerName)))
{
int deviceId = db.Devices.Where(x => x.Hostname.Equals(data.ComputerName)).Select(x => x.DeviceId).Single();
DetectionDevice detectDevice = new DetectionDevice();
detectDevice.DeviceId = deviceId;
detectDevice.IPAddress = data.IPAddress;
db.DetectionDevices.Add(detectDevice);
db.SaveChanges();
detectDeviceId = detectDevice.DetectionDeviceId;
}
else
{
Device device = new Device();
device.Hostname = data.ComputerName;
device.SensorId = data.SensorId;
device.Domain = data.MachineDomain;
db.Devices.Add(device);
DetectionDevice detectDevice = new DetectionDevice();
detectDevice.DeviceId = device.DeviceId;
db.DetectionDevices.Add(detectDevice);
db.SaveChanges();
detectDeviceId = detectDevice.DetectionDeviceId;
}
return(detectDeviceId);
}
}
public override bool Match()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
return(db.Whitelists.ToList().Any(x => Regex.IsMatch(model.Data.CommandLine, Regex.Replace(x.Value, @"\\", @"\\"))));
}
}
protected void CheckTaxonomy(string taxonomyTypeString, List <string> modelProperty)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
List <Taxonomy> patterns = db.Taxonomies.Where(x => x.TaxonomyType.Type.Equals(taxonomyTypeString)).ToList();
model.Data.TaxonomyIds = new List <int>();
foreach (Taxonomy p in patterns)
{
foreach (string line in modelProperty)
{
if (Regex.IsMatch(line, p.Value))
{
log.Debug("[" + model.Metadata.Offset + "]" + " detection matched a taxonomy rule " + p.Description);
if (p.Critical.Equals(true))
{
log.Debug("[" + model.Metadata.Offset + "]" + " detection matched a critical taxonomy rule " + p.Description);
model.Data.Severity = 5;
model.Data.SeverityName = "Critical";
}
;
model.Data.TaxonomyIds.Add(p.TaxonomyId);
}
}
}
}
}
public ActionResult Create()
{
FalconOrchestratorDB db = new FalconOrchestratorDB();
ViewBag.TypeId = new SelectList(db.TaxonomyTypes, "TaxTypeId", "Type", String.Empty);
return(View(new TaxonomyViewModel()));
}
public ActionResult Create()
{
FalconOrchestratorDB db = new FalconOrchestratorDB();
ViewBag.TypeId = new SelectList(db.WhitelistTypes, "WhitelistTypeId", "Type", String.Empty);
return(View());
}
public ActionResult DataTableHandler(JQueryDataTablesModel parameters)
{
FalconOrchestratorDB db = new FalconOrchestratorDB();
List <Detection> model = HttpContext.Application["Detections"] as List <Detection>;
if (!String.IsNullOrEmpty(parameters.sSearch))
{
model = model.Where(x => x.DetectionDevice.Device.Hostname.Contains(parameters.sSearch.ToLower()) ||
x.Account.AccountName.ToLower().Contains(parameters.sSearch.ToLower()) ||
x.Name.ToLower().Contains(parameters.sSearch.ToLower()) ||
x.FileName.ToLower().Contains(parameters.sSearch.ToLower())).ToList();
}
int sortingColumnIndex = parameters.iSortCol_0;
string sortDirection = parameters.sSortDir_0;
Func <Detection, string> orderingFunction = (x => sortingColumnIndex == 0 ? x.ProcessStartTime.Value.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture) :
sortingColumnIndex == 1 ? x.Severity.SeverityType :
sortingColumnIndex == 2 ? x.Name :
sortingColumnIndex == 3 ? x.DetectionDevice.Device.Hostname :
sortingColumnIndex == 4 ? x.Account.AccountName :
sortingColumnIndex == 5 ? x.FileName :
sortingColumnIndex == 6 ? x.Status.StatusType :
x.Responder != null ? x.Responder.FirstName + " " + x.Responder.LastName : null);
if (sortDirection == "asc")
{
model = model.OrderBy(orderingFunction).ToList();
}
if (sortDirection == "desc")
{
model = model.OrderByDescending(orderingFunction).ToList();
}
var filteredModel = model.Skip(parameters.iDisplayStart)
.Take(parameters.iDisplayLength).ToList();
var data = filteredModel.Select(x => new DetectionListViewModel
{
DT_RowId = x.DetectionId,
DetectionName = x.Name,
FileName = x.FileName,
Responder = x.Responder != null ? x.Responder.FirstName + " " + x.Responder.LastName : null,
Hostname = x.DetectionDevice.Device.Domain != x.DetectionDevice.Device.Hostname ? x.DetectionDevice.Device.Domain + "\\" + x.DetectionDevice.Device.Hostname : x.DetectionDevice.Device.Hostname,
Severity = x.Severity.SeverityType,
Status = x.Status.StatusType,
Timestamp = x.ProcessStartTime.Value.ToLocalTime().ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture),
Username = x.Account.AccountName
});
return(Json(new
{
sEcho = parameters.sEcho,
iTotalRecords = model.Count,
iTotalDisplayRecords = model.Count,
aaData = data
},
JsonRequestBehavior.AllowGet));
}
private int GetAccountId()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
int accountId;
if (db.Accounts.Any(x => x.AccountName.Equals(data.UserName)))
{
accountId = db.Accounts.Where(x => x.AccountName.Equals(data.UserName)).Select(x => x.AccountId).FirstOrDefault();
}
else
{
Account user = new Account();
user.AccountName = data.UserName;
user.Timestamp = DateTime.UtcNow;
db.Accounts.Add(user);
db.SaveChanges();
accountId = user.AccountId;
if (data.AccountModel != null)
{
user.City = data.AccountModel.City;
user.Country = data.AccountModel.Country;
user.Department = data.AccountModel.Department;
user.EmailAddress = data.AccountModel.EmailAddress;
user.FirstName = data.AccountModel.FirstName;
user.JobTitle = data.AccountModel.JobTitle;
user.LastLogon = data.AccountModel.LastLogon != DateTime.MinValue ? data.AccountModel.LastLogon : null;
user.LastName = data.AccountModel.LastName;
user.Manager = data.AccountModel.Manager;
user.PhoneNumber = data.AccountModel.PhoneNumber;
user.StateProvince = data.AccountModel.StateProvince;
user.StreetAddress = data.AccountModel.StreetAddress;
user.OrganizationalUnit = data.AccountModel.OrganizationalUnit;
if (data.AccountModel.Groups != null)
{
foreach (string line in data.AccountModel.Groups)
{
int groupId = GetGroupId(line);
AccountGroup accountGroup = new AccountGroup();
accountGroup.AccountId = accountId;
accountGroup.GroupId = groupId;
db.AccountGroups.Add(accountGroup);
}
}
db.Entry(user).State = System.Data.Entity.EntityState.Modified;
db.SaveChanges();
}
}
return(accountId);
}
}
public void Update(TaxonomyViewModel model)
{
CheckADObjectExists(model);
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Taxonomy rule = db.Taxonomies.Find(model.TaxonomyId);
rule.Description = model.Description;
db.SaveChanges();
}
}
public static StackedColumnChartData[] DetectionsByHandlerAndStatus()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
StackedColumnChartData[] model = db.Detections
.GroupBy(x => new { FullName = x.Responder.Equals(null) ? "Unassigned" : x.Responder.FirstName + " " + x.Responder.LastName, x.Status.StatusType })
.Select(y => new StackedColumnChartData {
xValue = y.Key.FullName, seriesName = y.Key.StatusType, count = y.Count()
}).ToArray();
return(model);
}
}
public override void Save()
{
try
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
AuthenticationLog model = new AuthenticationLog();
model.Timestamp = Data.FormattedTimestamp;
model.Offset = Metadata.Offset;
model.OperationName = Data.OperationName;
model.ServiceName = Data.ServiceName;
model.Success = Data.Success;
model.UserId = Data.UserId;
model.UserIp = Data.UserIp;
model.CustomerId = Persistence.GetCustomerId(Metadata.CustomerIdString);
if (Data.AuditKeyValues != null)
{
model.TargetName = Data.AuditKeyValues.Where(x => x.Key.Equals("target_name")).Select(x => x.ValueString).FirstOrDefault();
model.Entitlement = Data.AuditKeyValues.Where(x => x.Key.Equals("entitlement")).Select(x => x.ValueString).FirstOrDefault();
model.EntitlementGroup = Data.AuditKeyValues.Where(x => x.Key.Equals("entitlementGroup")).Select(x => x.ValueString).FirstOrDefault();
}
else
{
model.TargetName = null;
model.Entitlement = null;
model.EntitlementGroup = null;
}
db.AuthenticationLogs.Add(model);
db.SaveChanges();
AppConfiguration.FALCON_STREAM_LAST_OFFSET = Metadata.Offset;
log.Debug("[" + Metadata.Offset + "] Authentication audit event saved to database");
}
}
catch (System.Data.Entity.Validation.DbEntityValidationException ex)
{
var errorMessages = ex.EntityValidationErrors
.SelectMany(x => x.ValidationErrors)
.Select(x => x.ErrorMessage);
var fullErrorMessage = string.Join("; ", errorMessages);
var exceptionMessage = string.Concat(ex.Message, " The validation errors are: ", fullErrorMessage);
throw new DbEntityValidationException(exceptionMessage, ex.EntityValidationErrors);
}
catch (Exception e)
{
log.Fatal("[" + Metadata.Offset + "] Error occured while trying to save authentication activity audit event to database", e);
System.Environment.Exit(1);
}
}
public void Update(WhitelistingViewModel model)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Whitelist rule = db.Whitelists.Find(model.WhitelistId);
rule.Creator = model.Creator;
rule.Reason = model.Reason;
rule.Value = model.Value;
rule.WhitelistTypeId = model.TypeId;
db.SaveChanges();
}
}
public Notification(Ticket _ticket, TicketViewModel model)
{
config = new AppConfiguration(System.Configuration.ConfigurationManager.AppSettings["CryptoKey"]);
ticket = _ticket;
//Severity and TicketRecipient navigation properties are not being loaded properly, this is a temp workaround
FalconOrchestratorDB db = new FalconOrchestratorDB();
severity = db.Severities.Where(x => x.SeverityId == ticket.SeverityId).Select(y => y.SeverityType).Single();
recipientAddress = db.TicketRecipients.Where(x => x.TicketRecipientId == ticket.TicketRecipientId).Select(y => y.EmailAddress).Single();
db.Dispose();
}
public ActionResult Edit(int?id)
{
if (id == null)
{
return(new HttpStatusCodeResult(HttpStatusCode.BadRequest));
}
FalconOrchestratorDB db = new FalconOrchestratorDB();
TaxonomyViewModel model = repo.Get(id);
ViewBag.TypeId = new SelectList(db.TaxonomyTypes, "TaxTypeId", "Type", model.TypeId);
return(View(model));
}
public static List <BarChartData> DetectionsByTaxonomy()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
List <BarChartData> model = db.DetectionTaxonomies
.GroupBy(x => x.Taxonomy.Description)
.Select(y => new BarChartData {
field = y.Key, count = y.Count()
})
.OrderByDescending(z => z.count).ToList();
return(model);
}
}
public void Delete(int?whitelistId)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Whitelist rule = new Whitelist()
{
WhitelistId = (int)whitelistId
};
db.Whitelists.Attach(rule);
db.Whitelists.Remove(rule);
db.SaveChanges();
}
}
public static List <BarChartMultiSeriesData> DetectionsByUserJobTitle()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
List <BarChartMultiSeriesData> model = db.Detections
.GroupBy(x => x.Account.JobTitle)
.Select(y => new BarChartMultiSeriesData {
field = y.Key, count = y.Count(), count2 = y.Select(x => x.AccountId).Distinct().Count()
})
.Where(z => z.field != null)
.OrderByDescending(z => z.count).ToList();
return(model);
}
}
public WhitelistingViewModel Get(int?whitelistId)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Whitelist rule = db.Whitelists.Find(whitelistId);
WhitelistingViewModel model = new WhitelistingViewModel();
model.WhitelistId = rule.WhitelistId;
model.Value = rule.Value;
model.Type = rule.WhitelistType.Type;
model.TypeId = rule.WhitelistTypeId;
model.Reason = rule.Reason;
return(model);
}
}
public static List <PieChartData> DetectionsByStatus()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
List <PieChartData> model = db.Detections
.GroupBy(x => x.Status.StatusType)
.Select(y => new PieChartData {
field = y.Key, count = y.Count()
})
.OrderByDescending(z => z.count).ToList();
return(model);
}
}
protected void Application_Start()
{
ViewEngines.Engines.Clear();
ExtendedRazorViewEngine engine = new ExtendedRazorViewEngine();
ViewEngines.Engines.Add(engine);
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
FalconOrchestratorDB db = new FalconOrchestratorDB();
Application["Detections"] = db.Detections.Include("DetectionDevice").Include("Account").ToList();
}
private void ApplyRetroactively(FalconOrchestratorDB db, WhitelistingViewModel model)
{
string name = db.WhitelistTypes.Where(x => x.WhitelistTypeId == model.TypeId).Select(x => x.Type).FirstOrDefault();
string prop = name.Replace(" ", String.Empty);
System.Reflection.PropertyInfo property = typeof(Detection).GetProperty(prop);
List <Detection> matchingDetects = db.Detections.ToList().Where(x => System.Text.RegularExpressions.Regex.IsMatch(property.GetValue(x).ToString(), System.Text.RegularExpressions.Regex.Replace(model.Value, @"\\", @"\\"))).ToList();
foreach (Detection line in matchingDetects)
{
line.StatusId = 7;
line.ClosedDate = DateTime.UtcNow;
}
db.SaveChanges();
}
public void Create(WhitelistingViewModel model)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Whitelist rule = new Whitelist();
rule.Reason = model.Reason;
rule.Creator = model.Creator;
rule.Timestamp = DateTime.UtcNow;
rule.Value = model.Value;
rule.WhitelistTypeId = model.TypeId;
db.Whitelists.Add(rule);
db.SaveChanges();
ApplyRetroactively(db, model);
}
}
public TaxonomyViewModel Get(int?id)
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Taxonomy rule = db.Taxonomies.Find(id);
TaxonomyViewModel model = new TaxonomyViewModel();
model.TaxonomyId = rule.TaxonomyId;
model.Creator = rule.Creator;
model.Critical = rule.Critical;
model.Description = rule.Description;
model.Type = rule.TaxonomyType.Type;
model.TypeId = rule.TaxTypeId;
model.Value = rule.Value;
return(model);
}
}
public void Create(TaxonomyViewModel model)
{
CheckADObjectExists(model);
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
Taxonomy rule = new Taxonomy();
rule.Value = model.Value;
rule.Timestamp = DateTime.UtcNow;
rule.TaxTypeId = model.TypeId;
rule.Description = model.Description;
rule.Critical = model.Critical;
rule.Creator = model.Creator;
db.Taxonomies.Add(rule);
db.SaveChanges();
ApplyRetoractively(db, model, rule.TaxonomyId);
}
}
public override void Execute()
{
using (FalconOrchestratorDB db = new FalconOrchestratorDB())
{
string dayOfWeek = model.Data.FormattedProcessStartTime.Value.DayOfWeek.ToString();
Responder responder = Persistence.GetAssignedResponder(dayOfWeek);
if (responder != null)
{
model.Data.ResponderId = responder.ResponderId;
log.Debug("Assign responder rule enabled, schedule has " + responder.FirstName + " " + responder.LastName + " assigned for " + dayOfWeek);
}
else
{
log.Warn("Assign responder rule enabled, however no responder has been scheduled for " + dayOfWeek);
}
}
}
public ActionResult Index()
{
FalconOrchestratorDB db = new FalconOrchestratorDB();
List <ResponderSchedule> handlerschedules = db.ResponderSchedules.ToList();
List <ScheduleViewModel> result = new List <ScheduleViewModel>();
foreach (var line in handlerschedules)
{
ScheduleViewModel model = new ScheduleViewModel();
model.DayOfWeek = line.DayOfWeek;
model.ScheduleId = line.ScheduleId;
model.FullName = line.Responder != null ? line.Responder.FirstName + " " + line.Responder.LastName : null;
model.ResponderId = line.ResponderId != null?line.ResponderId.ToString() : null;
result.Add(model);
}
return(View(result));
}
