예제 #1
0
        private ConnectionsPayload CreateConnPayloadFromAuditEvent(AuditEvent auditEvent)
        {
            ConnectionsPayload payload = new ConnectionsPayload();

            payload.Direction   = GetConnectionDirection();
            payload.Protocol    = EProtocol.Tcp.ToString();
            payload.Executable  = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable), Encoding.UTF8);
            payload.CommandLine = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessTitle), Encoding.UTF8);
            payload.ProcessId   = UInt32.Parse(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId));
            payload.UserId      = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId);

            return(payload);
        }
예제 #2
0
        /// <summary>
        /// Converts an audit event to a device event
        /// </summary>
        /// <param name="auditEvent">Audit event to convert</param>
        /// <returns>Device event based on the input</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            ProcessCreationPayload payload = new ProcessCreationPayload
            {
                CommandLine     = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine), Encoding.UTF8),
                Executable      = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable),
                ProcessId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
                ParentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId)),
                Time            = auditEvent.TimeUTC,
                UserId          = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId)
            };

            return(new ProcessCreate(Priority, payload));
        }
예제 #3
0
        /// <summary>
        /// Converts an audit event to a device event
        /// </summary>
        /// <param name="auditEvent">Audit event to convert</param>
        /// <returns>Device event based on the input</returns>
        private IEvent AuditEventToDeviceEvent(AuditEvent auditEvent)
        {
            var  executable        = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.Executable);
            bool isExecutableExist = executableHash.TryGetValue(executable, out string hash);

            hash = isExecutableExist ? hash : "";

            ProcessCreationPayload payload = new ProcessCreationPayload
            {
                CommandLine     = EncodedAuditFieldsUtils.DecodeHexStringIfNeeded(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.CommandLine), Encoding.UTF8),
                Executable      = executable,
                ProcessId       = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ProcessId)),
                ParentProcessId = Convert.ToUInt32(auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.ParentProcessId)),
                Time            = auditEvent.TimeUTC,
                UserId          = auditEvent.GetPropertyValue(AuditEvent.AuditMessageProperty.UserId),
                ExtraDetails    = new Dictionary <string, string>()
                {
                    { "Hash", hash }
                }
            };

            return(new ProcessCreate(Priority, payload));
        }