static SentinelWorkspaceLogHub()
{
string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
string textOfJsonConfig = File.ReadAllText(Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), $"{configurationFile}"));
SentinelApiConfig = JsonConvert.DeserializeObject <SentinelApiConfig>(textOfJsonConfig);
// Turn on the KeyVault for use
KeyVault = new KeyVault(SentinelApiConfig);
// Create the processor
syslogToSentinelProcessor = new SyslogToSentinelProcessor(SentinelApiConfig);
// Create the storage container connection
syslogToAzureBlob = new SyslogToAzureBlob(SentinelApiConfig, GetKeyVaultSecret(SentinelApiConfig.SyslogToAzureBlobStorageSecret));
eventLogProcessor = new EventLogProcessor("Security", NewEventRecord, readEventLogFileFromBeginning);
using (var certificateManagement = new CertificateManagement())
{
AuthX509Certificate2 = certificateManagement.FindCertificateByThumbprint("MY", SentinelApiConfig.CertificateThumbprint, StoreLocation.LocalMachine);
}
// Get the certificate from KeyVault
string sentinalAuthCertEncoded = GetKeyVaultSecret($"{SentinelApiConfig.WorkspaceId.ToLower()}-wsid");
byte[] certFromKeyVault = Encoding.Unicode.GetBytes(sentinalAuthCertEncoded);
// AuthX509Certificate2 = new X509Certificate2(certFromKeyVault, "SecurePassword", X509KeyStorageFlags.Exportable);
// Get the current WorkspaceKey from KeyVault
sentinalAuthWorkspaceKey = GetKeyVaultSecret($"{SentinelApiConfig.WorkspaceId.ToLower()}-wskey");
}
public SyslogToSentinelProcessor(SentinelApiConfig sentinelApiConfig)
{
InvalidState = false;
SentinelApiConfig = sentinelApiConfig;
GlobalLog.WriteToStringBuilderLog("Loading sample Syslog XML [SampleCefRecords.txt].", 14001);
RawCefMessageList = new List <string>(File.ReadAllLines(Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), $"SampleCefRecords.txt")));
}
public void SaveCurrentConfiguration()
{
string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
GlobalLog.WriteToStringBuilderLog($"Saving configuration file [{configurationFile}].", 14001);
string textOfSentinelApiConfig = JsonConvert.SerializeObject(SentinelApiConfig, Formatting.Indented);
File.WriteAllText(Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), $"{configurationFile}"), textOfSentinelApiConfig);
}
public SentinelWorkspacePoc()
{
// The constructor for the service
string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
string textOfJsonConfig = File.ReadAllText(Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), $"{configurationFile}"));
SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);
// Turn on the KeyVault for use
this.KeyVault = new KeyVault(SentinelApiConfig);
// Use local certificate store, or KeyVault
if (SentinelApiConfig.UseKeyVaultForCertificates)
{
ManageOdsAuthenticationKeyVault();
}
else
{
ManageOdsAuthenticationCertStore();
}
}
public void GetNextBatchOfRecords()
{
// Initialize local dictionaries for this iteration.
CefDictionary = new List <Dictionary <string, object> >();
CustomLogDictionary = new List <Dictionary <string, object> >();
SyslogDictionary = new List <Dictionary <string, object> >();
Stopwatch queryTimer = Stopwatch.StartNew();
// Query file information
FileInfo fileInfo = new FileInfo(Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), $"SyslogToSentinel.kql"));
string textOfKustoTemplate = File.ReadAllText(fileInfo.FullName);
// Create a single connection to be used for all queries.
string connectionString =
$"Data Source=https://{SentinelApiConfig.KustoDataSourceConfig.ClusterUri}:443;Initial Catalog={SentinelApiConfig.KustoDataSourceConfig.Database};AAD Federated Security=True";
var cslQueryProvider = KustoClientFactory.CreateCslQueryProvider(connectionString);
// Use the KustoTemplate functionality
QueryTemplate template = new QueryTemplate(textOfKustoTemplate);
List <Dictionary <string, object> > result = template.ExecuteForDictionary(cslQueryProvider, null);
queryTimer.Stop();
SentinelWorkspacePoc.PrintCustomMessage($"{fileInfo.Name} returned {result.Count} records in {queryTimer.Elapsed.TotalSeconds:N3} seconds.", ConsoleColor.Yellow);
// Massage the Syslog Dictionary
foreach (Dictionary <string, object> syslogRecordDictionary in result)
{
Dictionary <string, object> linuxSyslogRecord = new Dictionary <string, object>();
linuxSyslogRecord.Add("TimeStamp", syslogRecordDictionary["DeviceTimestamp"]);
linuxSyslogRecord.Add("Host", syslogRecordDictionary["HostName"]);
linuxSyslogRecord.Add("HostIp", syslogRecordDictionary["SourceIpAddress"]);
linuxSyslogRecord.Add("ProcessId", syslogRecordDictionary["ProcId"]);
linuxSyslogRecord.Add("Facility", syslogRecordDictionary["Facility"]);
linuxSyslogRecord.Add("Severity", syslogRecordDictionary["Severity"]);
linuxSyslogRecord.Add("Message", syslogRecordDictionary["Payload"]);
linuxSyslogRecord.Add("AppName", syslogRecordDictionary["AppName"]);
linuxSyslogRecord.Add("MsgId", syslogRecordDictionary["MsgId"]);
SyslogDictionary.Add(linuxSyslogRecord);
}
Random random = new Random();
SyslogToCef syslogToCef = new SyslogToCef();
// Massage the CEF Dictionary
foreach (Dictionary <string, object> cefRecordDictionary in result)
{
Dictionary <string, object> currentRecord = syslogToCef.ConvertSyslogToCef(cefRecordDictionary);
//CefDictionary.Add(currentRecord);
Dictionary <string, object> cefRecord = new Dictionary <string, object>();
cefRecord.Add("Timestamp", $"{DateTime.UtcNow:yyyy-MM-ddTHH:mm:ss.fffZ}");
cefRecord.Add("EventTime", cefRecordDictionary["DeviceTimestamp"]);
cefRecord.Add("Host", cefRecordDictionary["HostName"]);
cefRecord.Add("HostIP", cefRecordDictionary["SourceIpAddress"]);
cefRecord.Add("ident", "CEF");
cefRecord.Add("Facility", cefRecordDictionary["Facility"]);
cefRecord.Add("Severity", currentRecord["Severity"]);
cefRecord.Add("Message", currentRecord["Message"]);
CefDictionary.Add(cefRecord);
}
// Massage the CustomLog dictionary
foreach (Dictionary <string, object> customLogRecordsDictionary in result)
{
customLogRecordsDictionary["ExtractedData"] = JsonConvert.SerializeObject(customLogRecordsDictionary["ExtractedData"]);
customLogRecordsDictionary["LogFileLineage"] = JsonConvert.SerializeObject(customLogRecordsDictionary["LogFileLineage"]);
CustomLogDictionary.Add(customLogRecordsDictionary);
}
}