private BaseSecurityAlertPolicyProperties PopulatePolicyProperties(BaseThreatDetectionPolicyModel model, BaseSecurityAlertPolicyProperties properties)
{
properties.State = model.ThreatDetectionState.ToString();
properties.EmailAddresses = model.NotificationRecipientsEmails ?? "";
properties.EmailAccountAdmins = model.EmailAdmins ?
ThreatDetectionStateType.Enabled.ToString() :
ThreatDetectionStateType.Disabled.ToString();
properties.DisabledAlerts = ExtractExcludedDetectionType(model);
return properties;
}
/// <summary>
/// Extracts the detection types from the given model
/// </summary>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
if (model.ExcludedDetectionTypes == null)
{
return null;
}
if (model.ExcludedDetectionTypes.Any(t => t == DetectionType.None))
{
if (model.ExcludedDetectionTypes.Count() == 1)
{
return string.Empty;
}
if (model.ExcludedDetectionTypes.Any(t => t != DetectionType.None))
{
throw new Exception(Properties.Resources.InvalidDetectionTypeList);
}
}
return string.Join(";", model.ExcludedDetectionTypes.Select(t => t.ToString()));
}
/// <summary>
/// Updates the given model with all the disabled alerts information
/// </summary>
private static void ModelizeDisabledAlerts(BaseThreatDetectionPolicyModel model, string disabledAlerts)
{
Func<string, DetectionType> toDetectionType = (s) =>
{
DetectionType value;
Enum.TryParse(s.Trim(), true, out value);
return value;
};
if (string.IsNullOrEmpty(disabledAlerts))
{
model.ExcludedDetectionTypes = new DetectionType[] {};
}
else
{
model.ExcludedDetectionTypes = disabledAlerts.Split(';').Select(toDetectionType).ToArray();
}
}
/// <summary>
/// Transforms the given database policy object to its cmdlet model representation
/// </summary>
private BaseThreatDetectionPolicyModel ModelizeThreatDetectionPolicy(BaseSecurityAlertPolicyProperties threatDetectionProperties, BaseThreatDetectionPolicyModel model)
{
model.ThreatDetectionState = ModelizeThreatDetectionState(threatDetectionProperties.State);
model.NotificationRecipientsEmails = threatDetectionProperties.EmailAddresses;
model.EmailAdmins = ModelizeThreatDetectionEmailAdmins(threatDetectionProperties.EmailAccountAdmins);
ModelizeDisabledAlerts(model, threatDetectionProperties.DisabledAlerts);
return model;
}
/// <summary>
/// Extracts the detection types from the given model
/// </summary>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
if (model.ExcludedDetectionTypes == null)
{
return null;
}
StringBuilder detectionTypes = new StringBuilder();
if (IsDetectionTypeOn(DetectionType.Sql_Injection, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Sql_Injection).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Sql_Injection_Vulnerability, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Sql_Injection_Vulnerability).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Access_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Access_Anomaly).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Usage_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Usage_Anomaly).Append(";");
}
if (detectionTypes.Length != 0)
{
detectionTypes.Remove(detectionTypes.Length - 1, 1); // remove trailing semi-colon
}
return detectionTypes.ToString();
}
/// <summary>
/// Extracts the detection types from the given model
/// </summary>
private string ExtractExcludedDetectionType(BaseThreatDetectionPolicyModel model)
{
if (model.ExcludedDetectionTypes == null)
{
return null;
}
StringBuilder detectionTypes = new StringBuilder();
if (IsDetectionTypeOn(DetectionType.Successful_SQLi, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Successful_SQLi).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Attempted_SQLi, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Attempted_SQLi).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Client_GEO_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Client_GEO_Anomaly).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Failed_Logins_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Failed_Logins_Anomaly).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Failed_Queries_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Failed_Queries_Anomaly).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Data_Extraction_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Data_Extraction_Anomaly).Append(";");
}
if (IsDetectionTypeOn(DetectionType.Data_Alteration_Anomaly, model.ExcludedDetectionTypes))
{
detectionTypes.Append(SecurityConstants.Data_Alteration_Anomaly).Append(";");
}
if (detectionTypes.Length != 0)
{
detectionTypes.Remove(detectionTypes.Length - 1, 1); // remove trailing comma
}
return detectionTypes.ToString();
}
