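        /// <summary>
        /// Records the executable hash carried by an audit event so that later
        /// process-creation events for the same file path can be enriched with it.
        /// </summary>
        /// <param name="auditEvent">Audit event that may carry an ExecutableHash property</param>
        private void updateExecutablesDictonary(AuditEvent auditEvent)
        {
            // Number of leading characters dropped from the reported hash value
            // (presumably a fixed-width prefix in the audit record — TODO confirm against the record format).
            const int hashPrefixLength = 7;

            // Second argument false: an absent property yields null instead of throwing.
            var hash = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ExecutableHash, false);

            if (hash is null)
            {
                // No hash in this record; nothing to cache.
                return;
            }

            if (hash.Length < hashPrefixLength)
            {
                // Shorter than the prefix we strip: Substring would throw ArgumentOutOfRangeException and
                // abort processing of the record, so skip the malformed value rather than caching it.
                SimpleLogger.Debug($"{nameof(updateExecutablesDictonary)}: ExecutableHash value too short, skipping");
                return;
            }

            hash = hash.Substring(hashPrefixLength);
            var exec = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.FilePath);
            // Last writer wins: a later record for the same path replaces the cached hash.
            executableHash[exec] = hash;
        }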
        /// <summary>
        /// Builds the connection payload fields common to every socket audit event:
        /// direction, protocol, executable, command line, process id and user id.
        /// Remote address/port are left for the caller to fill in.
        /// </summary>
        /// <param name="auditEvent">Audit event describing the socket operation</param>
        /// <returns>A partially populated <see cref="ConnectionsPayload"/></returns>
        private ConnectionsPayload CreateConnPayloadFromAuditEvent(AuditEvent auditEvent)
        {
            return new ConnectionsPayload
            {
                Direction   = GetConnectionDirection(),
                // The protocol is always reported as TCP on this path.
                Protocol    = EProtocol.Tcp.ToString(),
                // Executable and process title are decoded if they arrive hex-encoded (see DecodeHexStringIfNeeded).
                Executable  = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
                                  auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable), Encoding.UTF8),
                CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
                                  auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessTitle), Encoding.UTF8),
                // uint.Parse throws on a malformed pid; that propagates to the caller unchanged.
                ProcessId   = uint.Parse(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
                UserId      = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId)
            };
        }
        /// <summary>
        /// Converts an audit event into a process-creation device event
        /// </summary>
        /// <param name="auditEvent">Audit event to convert</param>
        /// <returns>A <see cref="ProcessCreate"/> event carrying the process details read from the audit record</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            // The command line is decoded if it arrives hex-encoded (see DecodeHexStringIfNeeded).
            string commandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
                auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine),
                Encoding.UTF8);
            string executable      = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);
            uint   processId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            uint   parentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId));
            var    time            = auditEvent.TimeUTC;
            string userId          = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);

            var payload = new ProcessCreationPayload
            {
                CommandLine     = commandLine,
                Executable      = executable,
                ProcessId       = processId,
                ParentProcessId = parentProcessId,
                Time            = time,
                UserId          = userId
            };

            return new ProcessCreate(Priority, payload);
        }
        /// <summary>
        /// Maps the audit record's Result property to a login result.
        /// Only the exact string "success" counts as a successful login; any other value
        /// (including null) is reported as a failure, so unknown values never pass as successes.
        /// </summary>
        /// <param name="auditEvent">Audit event whose Result property is inspected</param>
        /// <returns><see cref="LoginPayload.LoginResult.Success"/> or <see cref="LoginPayload.LoginResult.Fail"/></returns>
        private LoginPayload.LoginResult GetAuditEventLoginResult(AuditEvent auditEvent)
        {
            string auditResult = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Result);

            // Ordinal comparison, same as the == operator on strings; a null value compares unequal.
            if (string.Equals(auditResult, "success", StringComparison.Ordinal))
            {
                return LoginPayload.LoginResult.Success;
            }

            return LoginPayload.LoginResult.Fail;
        }
        //For other families (non-INET) that require more investigation - send the event with raw data (hex string)
        /// <summary>
        /// Builds a connection payload for a non-INET address family. The socket address is not
        /// decoded here; the family name and the raw hex saddr string are attached as extra details
        /// so the record can be examined downstream.
        /// </summary>
        /// <param name="family">Address family already extracted from the saddr</param>
        /// <param name="auditEvent">Audit event carrying the SocketAddress property</param>
        /// <returns>The common connection payload with "familyName" and "saddr" extra details</returns>
        private ConnectionsPayload CreateNonInetConnPayloadFromAuditEvent(LinuxAddressFamily family, AuditEvent auditEvent)
        {
            ConnectionsPayload payload  = CreateConnPayloadFromAuditEvent(auditEvent);
            string             rawSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);

            var extraDetails = new Dictionary<string, string>();
            extraDetails.Add("familyName", family.ToString());
            extraDetails.Add("saddr", rawSaddr);

            payload.ExtraDetails = extraDetails;
            return payload;
        }
        /// <summary>
        /// Converts an audit event into a process-creation device event, attaching the executable
        /// hash previously recorded for the same executable path (empty string when none is known).
        /// </summary>
        /// <param name="auditEvent">Audit event to convert</param>
        /// <returns>A <see cref="ProcessCreate"/> event with a "Hash" entry in its extra details</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            string executable = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);

            // The cache is keyed by the executable path as reported in the audit record;
            // a path without a cached hash yields an empty string rather than a missing entry.
            string knownHash = executableHash.TryGetValue(executable, out string cachedHash) ? cachedHash : "";

            // The command line is decoded if it arrives hex-encoded (see DecodeHexStringIfNeeded).
            string commandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(
                auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine),
                Encoding.UTF8);
            uint   processId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            uint   parentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId));
            var    time            = auditEvent.TimeUTC;
            string userId          = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);

            var extraDetails = new Dictionary<string, string>();
            extraDetails.Add("Hash", knownHash);

            var payload = new ProcessCreationPayload
            {
                CommandLine     = commandLine,
                Executable      = executable,
                ProcessId       = processId,
                ParentProcessId = parentProcessId,
                Time            = time,
                UserId          = userId,
                ExtraDetails    = extraDetails
            };

            return new ProcessCreate(Priority, payload);
        }
        /// <summary>
        /// Converts an audit event into a login device event
        /// </summary>
        /// <param name="auditEvent">The audit event to be converted</param>
        /// <returns>A <see cref="Login"/> event built from the audit record</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            // Optional properties are read with throwIfNotExist: false and may therefore be null.
            string remoteAddress = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Address, throwIfNotExist: false);
            string executable    = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);
            uint   processId     = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            string loginUserId   = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.LoginUserId, throwIfNotExist: false);
            string account       = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Account, throwIfNotExist: false);

            LoginPayload.LoginResult result = GetAuditEventLoginResult(auditEvent);

            // A "?" placeholder is normalised to null (presumably how the audit record marks an unknown address — confirm).
            bool   addressUnknown = string.Equals(remoteAddress, "?", StringComparison.Ordinal);
            string operation      = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Operation, throwIfNotExist: false);

            var payload = new LoginPayload
            {
                Executable    = executable,
                ProcessId     = processId,
                UserId        = loginUserId,
                UserName      = account,
                Result        = result,
                RemoteAddress = addressUnknown ? null : remoteAddress,
                Operation     = operation
            };

            return new Login(Priority, payload, auditEvent.TimeUTC);
        }
        /// <summary>
        /// Builds a connection payload for an INET-family socket address. Connections to a local
        /// IP are not reported (null is returned), and a saddr that cannot be parsed is logged and
        /// also yields null so that one malformed record does not abort processing.
        /// </summary>
        /// <param name="auditEvent">Audit event carrying the SocketAddress property</param>
        /// <returns>The populated payload, or null when the connection is local or the saddr could not be parsed</returns>
        private ConnectionsPayload CreateInetConnPayloadFromAuditEvent(AuditEvent auditEvent)
        {
            string rawSaddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress);

            try
            {
                ConnectionSaddr parsedSaddr = ConnectionSaddr.ParseSaddrToInetConnection(rawSaddr);

                if (ConnectionSaddr.IsLocalIp(parsedSaddr.Ip))
                {
                    // Local connections are deliberately not sent.
                    return null;
                }

                ConnectionsPayload payload = CreateConnPayloadFromAuditEvent(auditEvent);
                payload.RemoteAddress = parsedSaddr.Ip;
                payload.RemotePort    = parsedSaddr.Port.ToString();
                return payload;
            }
            catch (Exception e)
            {
                // Best-effort: the raw saddr (untrusted audit data) is echoed into the log to aid diagnosis.
                SimpleLogger.Error($"Failed to parse saddr {rawSaddr}", exception: e);
                return null;
            }
        }
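        /// <summary>
        /// Receives an event from the audit log file, filters out connections that are not relevant
        /// for security (ignored address families, local connections) and returns a
        /// <see cref="ConnectionCreate"/> event representing a successfully opened connection from/to the network.
        /// </summary>
        /// <param name="auditEvent">A log event read from the audit log</param>
        /// <returns>A device event based on the input, or null when the record does not produce one</returns>
        private IEvent CreateEventFromAuditRecord(AuditEvent auditEvent)
        {
            string saddr = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.SocketAddress, throwIfNotExist: false);

            if (string.IsNullOrEmpty(saddr))
            {
                // Fix: nameof(GetType) expanded to the literal "GetType"; log the actual class name instead.
                SimpleLogger.Debug($"{GetType().Name}: Saddr is null or empty, dropping event");
                return null;
            }

            // The address family, extracted from the saddr, decides whether and how the event is built.
            LinuxAddressFamily family = ConnectionSaddr.ExtractFamilyFromSaddr(saddr);

            if (family.IsToIgnore())
            {
                // Irrelevant families do not produce events.
                return null;
            }

            // INET families get a decoded remote address (local connections dropped inside the helper);
            // other families are forwarded with the raw saddr for further investigation.
            ConnectionsPayload connectionPayload = ConnectionSaddr.IsInetFamliy(family)
                ? CreateInetConnPayloadFromAuditEvent(auditEvent)
                : CreateNonInetConnPayloadFromAuditEvent(family, auditEvent);

            if (connectionPayload == null)
            {
                return null;
            }

            return new ConnectionCreate(Priority, connectionPayload, auditEvent.TimeUTC);
        }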