private void EnableWhenOnlyAuditCategoryIsEnabled(SqlAuditAdapter adapter, DiagnosticSettingsResource settings,
string oldEventHubName, string oldEventHubAuthorizationRuleId, string oldWorkspaceId)
{
settings.EventHubName = GetEventHubNameOnCreateOrUpdate(settings);
settings.EventHubAuthorizationRuleId = GetEventHubAuthorizationRuleIdOnCreateOrUpdate(settings);
settings.WorkspaceId = GetWorkspaceIdOnCreateOrUpdate(settings);
if (adapter.UpdateDiagnosticSettings(settings, this) == false)
{
throw DefinitionsCommon.UpdateDiagnosticSettingsException;
}
try
{
IsGlobalAuditEnabled = true;
IsAzureMonitorTargetEnabled = true;
if (SetAuditingPolicy(adapter) == false)
{
throw DefinitionsCommon.SetAuditingSettingsException;
}
}
catch (Exception)
{
try
{
settings.EventHubName = oldEventHubName;
settings.EventHubAuthorizationRuleId = oldEventHubAuthorizationRuleId;
settings.WorkspaceId = oldWorkspaceId;
adapter.UpdateDiagnosticSettings(settings, this);
}
catch (Exception) { }
throw;
}
}
private void EnableWhenDiagnosticsEnablingAuditCategoryDoNotExist(SqlAuditAdapter adapter, DiagnosticSettingsResource currentSettings = null)
{
if (adapter.CreateDiagnosticSettings(
GetEventHubNameOnCreateOrUpdate(currentSettings),
GetEventHubAuthorizationRuleIdOnCreateOrUpdate(currentSettings),
GetWorkspaceIdOnCreateOrUpdate(currentSettings),
this) == false)
{
throw DefinitionsCommon.CreateDiagnosticSettingsException;
}
try
{
IsGlobalAuditEnabled = true;
IsAzureMonitorTargetEnabled = true;
if (SetAuditingPolicy(adapter) == false)
{
throw DefinitionsCommon.SetAuditingSettingsException;
}
}
catch (Exception)
{
try
{
adapter.RemoveFirstDiagnosticSettings(this);
}
catch (Exception) { }
throw;
}
}
public SqlThreatDetectionAdapter(IAzureContext context)
{
Context = context;
ThreatDetectionCommunicator = new ThreatDetectionEndpointsCommunicator(Context);
AzureCommunicator = new AzureEndpointsCommunicator(Context);
AuditingAdapter = new SqlAuditAdapter(context);
}
internal virtual void PersistChanges(SqlAuditAdapter adapter)
{
VerifySettingsBeforePersistChanges();
IsGlobalAuditEnabled = AuditState == AuditStateType.Enabled ||
(IsGlobalAuditEnabled && IsAzureMonitorTargetEnabled == true);
if (SetAuditingPolicy(adapter) == false)
{
throw DefinitionsCommon.SetAuditingSettingsException;
}
}
private void ChangeWhenDiagnosticSettingsExist(SqlAuditAdapter adapter, DiagnosticSettingsResource settings)
{
if (SqlAuditAdapter.IsAnotherCategoryEnabled(settings))
{
ChangeWhenMultipleCategoriesAreEnabled(adapter, settings);
}
else
{
ChangeWhenOnlyAuditCategoryIsEnabled(adapter, settings);
}
}
private void ChangeWhenDiagnosticsEnablingAuditCategoryDoNotExist(SqlAuditAdapter adapter)
{
if (AuditState == AuditStateType.Enabled)
{
EnableWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter);
}
else
{
DisableWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter);
}
}
private bool SetAuditCategoryState(SqlAuditAdapter adapter, DiagnosticSettingsResource settings, bool isEenabled)
{
var log = settings?.Logs?.FirstOrDefault(l => string.Equals(l.Category, DefinitionsCommon.SQLSecurityAuditCategory));
if (log != null)
{
log.Enabled = isEenabled;
}
return(adapter.UpdateDiagnosticSettings(settings, this));
}
private void ChangeWhenOnlyAuditCategoryIsEnabled(SqlAuditAdapter adapter, DiagnosticSettingsResource settings)
{
string oldEventHubName = settings.EventHubName;
string oldEventHubAuthorizationRuleId = settings.EventHubAuthorizationRuleId;
string oldWorkspaceId = settings.WorkspaceId;
if (AuditState == AuditStateType.Enabled)
{
EnableWhenOnlyAuditCategoryIsEnabled(adapter, settings, oldEventHubName, oldEventHubAuthorizationRuleId, oldWorkspaceId);
}
else
{
DisableWhenOnlyAuditCategoryIsEnabled(adapter, settings, oldEventHubName, oldEventHubAuthorizationRuleId, oldWorkspaceId);
}
}
private void DisableWhenDiagnosticsEnablingAuditCategoryDoNotExist(SqlAuditAdapter adapter)
{
if (IsGlobalAuditEnabled == false ||
(IsAzureMonitorTargetEnabled != true && !string.IsNullOrEmpty(StorageAccountName)))
{
return;
}
IsAzureMonitorTargetEnabled = false;
if (string.IsNullOrEmpty(StorageAccountName))
{
IsGlobalAuditEnabled = false;
}
if (SetAuditingPolicy(adapter) == false)
{
throw DefinitionsCommon.SetAuditingSettingsException;
}
}
private void ChangeWhenMultipleCategoriesAreEnabled(SqlAuditAdapter adapter, DiagnosticSettingsResource settings)
{
if (adapter.DisableAuditCategory(this, settings) == false)
{
throw DefinitionsCommon.UpdateDiagnosticSettingsException;
}
try
{
if (AuditState == AuditStateType.Enabled)
{
EnableWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter, settings);
}
else
{
if (ShoudDiagnosticSettingsBeRemovedOnDisabledPolicy(settings))
{
DisableWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter);
}
else
{
if (adapter.CreateDiagnosticSettings(
GetEventHubNameOnDisablePolicy(settings),
GetEventHubAuthorizationRuleIdOnDisablePolicy(settings),
GetWorkspaceIdOnOnDisablePolicy(settings), this) == false)
{
throw DefinitionsCommon.CreateDiagnosticSettingsException;
}
}
}
}
catch (Exception)
{
try
{
adapter.EnableAuditCategory(this, settings);
}
catch (Exception) { }
throw;
}
}
protected void PersistDiagnosticSettingsChanges(SqlAuditAdapter adapter)
{
VerifySettingsBeforePersistChanges();
if (DiagnosticsEnablingAuditCategory != null && DiagnosticsEnablingAuditCategory.Count > 1)
{
throw DefinitionsCommon.MultipleDiagnosticsException;
}
DiagnosticSettingsResource currentSettings = DiagnosticsEnablingAuditCategory?.FirstOrDefault();
if (currentSettings == null)
{
ChangeWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter);
}
else
{
ChangeWhenDiagnosticSettingsExist(adapter, currentSettings);
}
}
private void DisableWhenOnlyAuditCategoryIsEnabled(SqlAuditAdapter adapter, DiagnosticSettingsResource settings, string oldEventHubName, string oldEventHubAuthorizationRuleId, string oldWorkspaceId)
{
if (ShoudDiagnosticSettingsBeRemovedOnDisabledPolicy(settings))
{
if (adapter.RemoveFirstDiagnosticSettings(this) == false)
{
throw new Exception("Failed to remove Diagnostic Settings");
}
try
{
DisableWhenDiagnosticsEnablingAuditCategoryDoNotExist(adapter);
}
catch (Exception)
{
try
{
adapter.CreateDiagnosticSettings(oldEventHubName,
oldEventHubAuthorizationRuleId, oldWorkspaceId, this);
}
catch (Exception) { }
throw;
}
}
else
{
settings.EventHubName = GetEventHubNameOnDisablePolicy(settings);
settings.EventHubAuthorizationRuleId = GetEventHubAuthorizationRuleIdOnDisablePolicy(settings);
settings.WorkspaceId = GetWorkspaceIdOnOnDisablePolicy(settings);
if (adapter.UpdateDiagnosticSettings(settings, this) == false)
{
throw DefinitionsCommon.UpdateDiagnosticSettingsException;
}
}
}
protected virtual bool SetAuditingPolicy(SqlAuditAdapter adapter) => adapter.SetAuditingPolicy(this);
protected override bool SetAuditingPolicy(SqlAuditAdapter adapter) => adapter.SetAuditingPolicy(this);
internal override void PersistChanges(SqlAuditAdapter adapter) => PersistDiagnosticSettingsChanges(adapter);
private bool DisableAuditCategory(SqlAuditAdapter adapter, DiagnosticSettingsResource settings)
{
return(SetAuditCategoryState(adapter, settings, false));
}