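        /// <summary>
        /// Static initializer: loads the JSON API configuration named by the
        /// <c>SentinelApiConfig</c> app setting, opens the KeyVault, builds the
        /// syslog / blob / event-log processors and resolves the authentication
        /// certificate and workspace key. Any failure here surfaces to callers as a
        /// <see cref="TypeInitializationException"/> wrapping the real cause.
        /// </summary>
        static SentinelWorkspaceLogHub()
        {
            string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];

            // Fail with a message naming the missing app setting instead of letting
            // Path.Combine throw an opaque ArgumentNullException for "path2".
            if (string.IsNullOrWhiteSpace(configurationFile))
            {
                throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty; it must name the JSON configuration file.");
            }

            GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
            string configPath        = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
            string textOfJsonConfig  = File.ReadAllText(configPath);

            SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);
            if (SentinelApiConfig == null)
            {
                // DeserializeObject returns null for an empty/"null" document; every line below dereferences it.
                throw new InvalidOperationException($"Configuration file [{configPath}] did not contain a SentinelApiConfig object.");
            }

            // Turn on the KeyVault for use
            KeyVault = new KeyVault(SentinelApiConfig);

            // Create the processor
            syslogToSentinelProcessor = new SyslogToSentinelProcessor(SentinelApiConfig);

            // Create the storage container connection. The config carries the *name* of the
            // KeyVault secret; its value is resolved here and handed straight to the sink.
            syslogToAzureBlob = new SyslogToAzureBlob(SentinelApiConfig, GetKeyVaultSecret(SentinelApiConfig.SyslogToAzureBlobStorageSecret));

            eventLogProcessor = new EventLogProcessor("Security", NewEventRecord, readEventLogFileFromBeginning);

            // The authentication certificate is taken from the LocalMachine "MY" store, matched by thumbprint.
            using (var certificateManagement = new CertificateManagement())
            {
                AuthX509Certificate2 = certificateManagement.FindCertificateByThumbprint("MY", SentinelApiConfig.CertificateThumbprint, StoreLocation.LocalMachine);
            }
            // NOTE(review): FindCertificateByThumbprint may return null when the thumbprint is not
            // installed — confirm; a null here would only fail later, at the first upload.

            // Secret names are derived from the workspace id; use the invariant lowering so the
            // name does not depend on the service account's culture (CA1308).
            string workspaceIdLower = SentinelApiConfig.WorkspaceId.ToLowerInvariant();

            // The certificate material stored under "<workspaceid>-wsid" is fetched but is NOT
            // used for authentication (the local-store certificate above is). If this path is
            // ever re-enabled, decode the secret the way it was stored (most likely base64 ->
            // Convert.FromBase64String, not a UTF-16 re-encoding of the string) and never embed
            // the PFX password in source.
            string sentinalAuthCertEncoded = GetKeyVaultSecret($"{workspaceIdLower}-wsid");

            // Get the current WorkspaceKey from KeyVault. It is held as a managed string, so it
            // remains in memory until collected; treat process dumps as containing the key.
            sentinalAuthWorkspaceKey = GetKeyVaultSecret($"{workspaceIdLower}-wskey");
        }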
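        /// <summary>
        /// Uploads pending CEF batch files (<c>CefToSentinel*.json</c> in the configured upload
        /// folder, oldest last-access time first, at most <c>MaxFilesPerPass</c> per call) to
        /// Sentinel with the loaded authentication certificate, deleting each file only after
        /// its upload call has returned without throwing.
        /// </summary>
        /// <remarks>
        /// The body contains no awaits, so the returned task is already completed when this
        /// method returns. An exception from an upload faults the task and leaves the failing
        /// file and all later ones on disk for the next pass.
        /// </remarks>
        public static async Task CefFilesToSentinelProcessor()
        {
            // Cap per pass so one iteration never tries to load the entire folder.
            const int MaxFilesPerPass = 25;

            GlobalLog.WriteToStringBuilderLog("Attempting to load CEF Files ", 14001);

            var directoryInfo = new DirectoryInfo(SentinelApiConfig.EnabledSentinelUploads.CefFileFolderToUpload);
            if (!directoryInfo.Exists)
            {
                // A missing folder is a configuration problem, not a batch to fail; report and let the next pass retry.
                GlobalLog.WriteToStringBuilderLog($"CEF upload folder [{directoryInfo.FullName}] does not exist; nothing to upload.", 14001);
                return;
            }

            // NOTE(review): ordering is by LastAccessTime; if arrival order is what is wanted,
            // LastWriteTime is the usual key (access-time updates are often disabled on NTFS) — confirm.
            var pendingFiles = directoryInfo
                .EnumerateFiles("CefToSentinel*.json", SearchOption.TopDirectoryOnly)
                .OrderBy(f => f.LastAccessTime)
                .Select(f => f.FullName)
                .Take(MaxFilesPerPass)
                .ToList();

            foreach (string file in pendingFiles)
            {
                string jsonFinalString = File.ReadAllText(file);
                UploadBatchWithSelfSignedJson(jsonFinalString, AuthX509Certificate2);
                SentinelWorkspacePoc.PrintCustomMessage($"Uploading [{file}] LogManagement.CommonSecurityLog messages to Sentinel.", ConsoleColor.Green);

                // Delete only once the upload call has returned; a throw above keeps the file for retry.
                File.Delete(file);
            }
        }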
        /// <summary>
        /// Builds the processor over <paramref name="sentinelApiConfig"/> and preloads the raw
        /// CEF sample records from <c>SampleCefRecords.txt</c> next to the executable, one list
        /// entry per line of the file.
        /// </summary>
        /// <param name="sentinelApiConfig">Configuration the processor uploads with.</param>
        public SyslogToSentinelProcessor(SentinelApiConfig sentinelApiConfig)
        {
            SentinelApiConfig = sentinelApiConfig;
            InvalidState      = false;

            GlobalLog.WriteToStringBuilderLog("Loading sample Syslog XML [SampleCefRecords.txt].", 14001);

            string samplePath     = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), "SampleCefRecords.txt");
            string[] sampleLines  = File.ReadAllLines(samplePath);
            RawCefMessageList     = new List<string>(sampleLines);
        }
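        /// <summary>
        /// Serializes the in-memory <c>SentinelApiConfig</c> back to the JSON file named by the
        /// <c>SentinelApiConfig</c> app setting, resolved against the execution path.
        /// </summary>
        /// <remarks>
        /// The content is written to a sibling <c>.tmp</c> file and then swapped into place, so
        /// a crash or disk-full mid-write cannot leave a truncated file that the next start-up
        /// fails to parse. Whatever the config object holds is persisted in clear text: it should
        /// carry KeyVault secret <em>names</em>, never secret values.
        /// </remarks>
        /// <exception cref="InvalidOperationException">The app setting is missing or empty.</exception>
        public void SaveCurrentConfiguration()
        {
            string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
            if (string.IsNullOrWhiteSpace(configurationFile))
            {
                throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty; cannot save configuration.");
            }

            GlobalLog.WriteToStringBuilderLog($"Saving configuration file [{configurationFile}].", 14001);
            string textOfSentinelApiConfig = JsonConvert.SerializeObject(SentinelApiConfig, Formatting.Indented);

            string targetPath = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
            string tempPath   = targetPath + ".tmp";

            try
            {
                File.WriteAllText(tempPath, textOfSentinelApiConfig);

                if (File.Exists(targetPath))
                {
                    // Same-directory swap; the old file is only released once the new content is on disk.
                    File.Replace(tempPath, targetPath, null);
                }
                else
                {
                    File.Move(tempPath, targetPath);
                }
            }
            catch
            {
                // Do not leave a half-written temp file behind; the original error is what matters.
                if (File.Exists(tempPath))
                {
                    File.Delete(tempPath);
                }
                throw;
            }
        }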
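        /// <summary>
        /// Service constructor: loads the JSON configuration named by the
        /// <c>SentinelApiConfig</c> app setting (resolved against the execution path), opens
        /// the KeyVault, and sets up ODS authentication from either KeyVault or the local
        /// certificate store according to <c>UseKeyVaultForCertificates</c>.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// The app setting is missing, or the file does not deserialize to a configuration object.
        /// </exception>
        public SentinelWorkspacePoc()
        {
            string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];

            // Name the missing setting instead of surfacing Path.Combine's ArgumentNullException.
            if (string.IsNullOrWhiteSpace(configurationFile))
            {
                throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty; it must name the JSON configuration file.");
            }

            GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
            string configPath       = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
            string textOfJsonConfig = File.ReadAllText(configPath);

            SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);
            if (SentinelApiConfig == null)
            {
                // An empty/"null" document deserializes to null and would fail on the first property read below.
                throw new InvalidOperationException($"Configuration file [{configPath}] did not contain a SentinelApiConfig object.");
            }

            // Turn on the KeyVault for use
            this.KeyVault = new KeyVault(SentinelApiConfig);

            // Use local certificate store, or KeyVault, for the ODS authentication material
            if (SentinelApiConfig.UseKeyVaultForCertificates)
            {
                ManageOdsAuthenticationKeyVault();
            }
            else
            {
                ManageOdsAuthenticationCertStore();
            }
        }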
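        /// <summary>
        /// Converts every record of the EVTX file at <paramref name="fileFullName"/> into the
        /// payload form selected by <paramref name="creationMechanism"/>, then uploads the
        /// records to Log Analytics in chunks of <paramref name="batchCount"/> using the loaded
        /// authentication certificate, printing conversion and upload rates to the console.
        /// </summary>
        /// <param name="fileFullName">Path of the .evtx file to read.</param>
        /// <param name="creationMechanism">How each event record is serialized into the payload.</param>
        /// <param name="batchCount">Records per upload batch; must be positive.</param>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="batchCount"/> is not positive.</exception>
        /// <remarks>
        /// Read, conversion and upload failures are logged under code 14008 and not rethrown, so
        /// the caller cannot distinguish a partial upload from success — check the log.
        /// </remarks>
        private static void UploadEntireFileInBatches(string fileFullName, XmlCreationMechanism creationMechanism, int batchCount = 200)
        {
            if (batchCount <= 0)
            {
                // Rejected up front: chunking by a non-positive size cannot make progress.
                throw new ArgumentOutOfRangeException(nameof(batchCount), batchCount, "Batch size must be positive.");
            }

            // Bounds both the conversion fan-out and the concurrent uploads.
            const int maxParallelism = 8;

            WindowsEventPayload payload = GetNewPayloadObject();
            // The Event.Ingest path is not implemented here; records accumulate in payload.DataItems instead.
            bool useEventIngest = false;

            // Set the ResourceId for upload
            ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

            var fileStopwatch = new Stopwatch();

            try
            {
                fileStopwatch.Start();
                var log = EvtxEnumerable.ReadEvtxFile(fileFullName);

                // NOTE(review): AddEvent is invoked from several threads at once; it (or DataItems)
                // must be safe for concurrent adds — confirm in WindowsEventPayload.
                Parallel.ForEach(log,
                                 new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 eventRecord => payload.AddEvent(eventRecord, useEventIngest, creationMechanism));

                fileStopwatch.Stop();

                Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
                Console.WriteLine($"\tEPS for Conversion: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");

                // Split into upload chunks
                var uploadBatches = payload.SplitListIntoChunks<string>(batchCount);
                fileStopwatch.Restart();

                Parallel.ForEach(uploadBatches,
                                 new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 singleBatch => UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), AuthX509Certificate2));

                fileStopwatch.Stop();
                Console.WriteLine($"\tEPS for Upload to MMA-API: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");
            }
            catch (Exception e)
            {
                // Best-effort service path: record the failure and return rather than tearing down the caller.
                GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
            }
        }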