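/// <summary>
/// Records the hash reported for an executable so that later process-creation
/// events can attach it (see the <c>"Hash"</c> extra detail).
/// </summary>
/// <param name="auditEvent">Audit event that may carry an <c>ExecutableHash</c> property.</param>
private void updateExecutablesDictonary(AuditEvent auditEvent)
{
    // The hash property is optional: events without it leave the map untouched.
    var hash = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ExecutableHash, false);
    if (hash == null)
    {
        return;
    }

    // The first 7 characters are dropped before storing — presumably an algorithm
    // prefix on the reported value (TODO confirm against the audit record format).
    // A value shorter than that would make Substring throw ArgumentOutOfRangeException
    // out of the audit pipeline, so such values are skipped instead.
    if (hash.Length < 7)
    {
        return;
    }

    hash = hash.Substring(7);

    // Keyed by the FilePath property; a later event for the same path overwrites the entry.
    var exec = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.FilePath);
    executableHash[exec] = hash;
}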
/// <summary>
/// Builds the connection payload fields shared by every connection event
/// (direction, protocol, executable, command line, pid, uid).
/// </summary>
/// <param name="auditEvent">Audit event supplying the process properties.</param>
/// <returns>A payload with the common fields set; remote address fields are left to the caller.</returns>
private ConnectionsPayload CreateConnPayloadFromAuditEvent(AuditEvent auditEvent)
{
    return new ConnectionsPayload
    {
        Direction = GetConnectionDirection(),
        // The protocol is fixed to TCP here; it is not derived from the record.
        Protocol = EProtocol.Tcp.ToString(),
        // The helper decodes hex-encoded audit fields only when it detects them.
        Executable = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
            auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable), Encoding.UTF8),
        CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
            auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessTitle), Encoding.UTF8),
        ProcessId = UInt32.Parse(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
        UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId),
    };
}
/// <summary>
/// Converts an audit event to a device event
/// </summary>
/// <param name="auditEvent">Audit event to convert</param>
/// <returns>Device event based on the input</returns>
private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
{
    string Prop(AuditEvent.AuditMessageProperty property) => auditEvent.GetPropertyValue(property);

    var payload = new ProcessCreationPayload
    {
        // The helper decodes a hex-encoded command line only when it detects one.
        CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
            Prop(AuditEvent.AuditMessageProperty.CommandLine), Encoding.UTF8),
        Executable = Prop(AuditEvent.AuditMessageProperty.Executable),
        ProcessId = Convert.ToUInt32(Prop(AuditEvent.AuditMessageProperty.ProcessId)),
        ParentProcessId = Convert.ToUInt32(Prop(AuditEvent.AuditMessageProperty.ParentProcessId)),
        Time = auditEvent.TimeUTC,
        UserId = Prop(AuditEvent.AuditMessageProperty.UserId),
    };

    return new ProcessCreate(Priority, payload);
}
/// <summary>
/// Maps the audit record's <c>Result</c> property onto a login result.
/// </summary>
/// <param name="auditEvent">Audit event carrying the login outcome.</param>
/// <returns><c>Success</c> for the literal value "success"; <c>Fail</c> for anything else, including a null value.</returns>
private LoginPayload.LoginResult GetAuditEventLoginResult(AuditEvent auditEvent)
{
    string result = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Result);

    // Ordinal comparison, same as the string == operator.
    if (string.Equals(result, "success", StringComparison.Ordinal))
    {
        return LoginPayload.LoginResult.Success;
    }

    return LoginPayload.LoginResult.Fail;
}
/// <summary>
/// Builds a connection payload for a non-INET address family. These families need more
/// investigation, so the event carries the raw saddr (hex string) and the family name
/// as extra details instead of a decoded address.
/// </summary>
/// <param name="family">Address family extracted from the saddr</param>
/// <param name="auditEvent">Audit event supplying the connection properties</param>
/// <returns>The common connection payload with <c>familyName</c> and <c>saddr</c> in <c>ExtraDetails</c></returns>
private ConnectionsPayload CreateNonInetConnPayloadFromAuditEvent(LinuxAddressFamily family, AuditEvent auditEvent)
{
    ConnectionsPayload payload = CreateConnPayloadFromAuditEvent(auditEvent);
    string rawSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);

    payload.ExtraDetails = new Dictionary<string, string>
    {
        ["familyName"] = family.ToString(),
        ["saddr"] = rawSaddr,
    };

    return payload;
}
/// <summary>
/// Converts an audit event to a device event
/// </summary>
/// <param name="auditEvent">Audit event to convert</param>
/// <returns>Device event based on the input</returns>
private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
{
    var executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);

    // An executable that was never recorded with a hash gets an empty string, so the
    // "Hash" key is always present in ExtraDetails.
    // NOTE(review): the map is filled keyed by the FilePath property elsewhere in this file;
    // confirm that value matches the Executable property used for the lookup here.
    if (!executableHash.TryGetValue(executable, out string hash))
    {
        hash = "";
    }

    var payload = new ProcessCreationPayload
    {
        CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
            auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine), Encoding.UTF8),
        Executable = executable,
        ProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
        ParentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId)),
        Time = auditEvent.TimeUTC,
        UserId = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId),
        ExtraDetails = new Dictionary<string, string> { ["Hash"] = hash },
    };

    return new ProcessCreate(Priority, payload);
}
/// <summary>
/// Converts an audit event to a device event
/// </summary>
/// <param name="auditEvent">The audit event to be converted</param>
/// <returns>Device event based on the input</returns>
private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
{
    // Several login fields are optional in the record; missing ones come back as null.
    string Optional(AuditEvent.AuditMessageProperty property)
        => auditEvent.GetPropertyValue(property, throwIfNotExist: false);

    string remoteAddress = Optional(AuditEvent.AuditMessageProperty.Address);
    // A "?" placeholder address is reported as no address at all.
    if (remoteAddress == "?")
    {
        remoteAddress = null;
    }

    var payload = new LoginPayload
    {
        Executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable),
        ProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
        UserId = Optional(AuditEvent.AuditMessageProperty.LoginUserId),
        UserName = Optional(AuditEvent.AuditMessageProperty.Account),
        Result = GetAuditEventLoginResult(auditEvent),
        RemoteAddress = remoteAddress,
        Operation = Optional(AuditEvent.AuditMessageProperty.Operation),
    };

    return new Login(Priority, payload, auditEvent.TimeUTC);
}
/// <summary>
/// Builds a connection payload for an INET-family socket address.
/// </summary>
/// <param name="auditEvent">Audit event carrying the hex-encoded <c>saddr</c>.</param>
/// <returns>
/// The payload with remote address and port set, or <c>null</c> when the address is local
/// (local connections are not reported) or when the saddr could not be parsed.
/// </returns>
private ConnectionsPayload CreateInetConnPayloadFromAuditEvent(AuditEvent auditEvent)
{
    string hexStringSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);

    try
    {
        ConnectionSaddr saddr = ConnectionSaddr.ParseSaddrToInetConnection(hexStringSaddr);
        if (ConnectionSaddr.IsLocalIp(saddr.Ip))
        {
            // Local connections are filtered out.
            return null;
        }

        ConnectionsPayload connectionPayload = CreateConnPayloadFromAuditEvent(auditEvent);
        connectionPayload.RemoteAddress = saddr.Ip;
        connectionPayload.RemotePort = saddr.Port.ToString();
        return connectionPayload;
    }
    catch (Exception e)
    {
        // NOTE: the try also spans CreateConnPayloadFromAuditEvent, so a failure there is
        // logged as a saddr parse failure and the event is dropped.
        SimpleLogger.Error($"Failed to parse saddr {hexStringSaddr}", exception: e);
        return null;
    }
}
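/// <summary>
/// Receives a connection record from the audit log file, filters out connections that are
/// not relevant for security (e.g. local connects) and returns a "ConnectionCreate" event
/// representing a successfully opened connection from/to the internet.
/// </summary>
/// <param name="auditEvent">A log event from the audit log</param>
/// <returns>A device event based on the input, or <c>null</c> when the record is dropped</returns>
private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
{
    ConnectionsPayload connectionPayload = null;
    string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);

    if (string.IsNullOrEmpty(saddr))
    {
        // nameof(GetType) would log the literal "GetType"; the runtime type name was intended.
        SimpleLogger.Debug($"{GetType().Name}: Saddr is null or empty, dropping event");
    }
    else
    {
        // The address family is encoded in the saddr and decides how the record is handled
        LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);

        if (!family.IsToIgnore()) // irrelevant connections - don't create events
        {
            if (ConnectionSaddr.IsInetFamliy(family)) // internet connections - create correlated event
            {
                connectionPayload = CreateInetConnPayloadFromAuditEvent(auditEvent);
            }
            else // other families (non INET) that require more investigation - send event with raw data (hex string)
            {
                connectionPayload = CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);
            }
        }
    }

    // Both helpers return null for connections that should not be reported.
    if (connectionPayload == null)
    {
        return null;
    }

    return new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
}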