static async Task Main(string[] args)
{
_Workspace = new AzureSentinelWorkspace();
_Workspace.SubscriptionId = Environment.GetEnvironmentVariable("AzureSubscriptionId");
_Workspace.ResourceGroup = Environment.GetEnvironmentVariable("AzureSentinelResourceGroup");
_Workspace.WorkspaceName = Environment.GetEnvironmentVariable("AzureSentinelWorkspaceName");
_Workspace.AppRegistration.DirectoryId = Environment.GetEnvironmentVariable("AppRegistrationDirectoryId");
_Workspace.AppRegistration.ClientId = Environment.GetEnvironmentVariable("AppRegistrationClientId");
_Workspace.AppRegistration.AppSecret = Environment.GetEnvironmentVariable("AppRegistrationSecret");
System.Console.WriteLine(String.Format("Azure Subscription Id: {0}", _Workspace.SubscriptionId));
System.Console.WriteLine(String.Format("Resource Group: {0}", _Workspace.ResourceGroup));
System.Console.WriteLine(String.Format("Workspace: {0}", _Workspace.WorkspaceName));
System.Console.WriteLine(String.Format("App Registration ClientId: {0}", _Workspace.AppRegistration.ClientId));
System.Console.WriteLine(String.Format("App Registration DirectoryId:: {0}", _Workspace.AppRegistration.DirectoryId));
System.Console.WriteLine(String.Format("Eventhub Name: {0}", Environment.GetEnvironmentVariable("EventHubName")));
_EventHubService = new EventHubService(Environment.GetEnvironmentVariable("EventHubConnectionString"), Environment.GetEnvironmentVariable("EventHubName"));
while (true)
{
await ProcessSentinelIncidentsAsync();
await Task.Delay(TimeSpan.FromSeconds(10));
}
}
/// <summary>
/// Get an incident from an Azure Sentinel Workspace
/// </summary>
/// <param name="IncidentId">The ID of the incident</param>
/// <param name="Workspace">The workspace in which the incident resides</param>
/// <returns></returns>
public async Task <SentinelIncident> GetIncidentAsync(string IncidentId, AzureSentinelWorkspace Workspace)
{
var httpClient = await GetAuthenticatedHttpClientAsync(Workspace.AppRegistration.DirectoryId, Workspace.AppRegistration.ClientId, Workspace.AppRegistration.AppSecret);
string url = String.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/incidents/{3}?api-version=2020-01-01",
Workspace.SubscriptionId,
Workspace.ResourceGroup,
Workspace.WorkspaceName,
IncidentId);
var response = await httpClient.GetAsync(url);
if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
throw new ArgumentException(String.Format("Incident {0} not found in workspace {1}", IncidentId, Workspace.WorkspaceName));
}
if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
{
throw new ArgumentException(String.Format("Getting Incident {0} resulted in: 403 - Forbidden", IncidentId));
}
if (response.StatusCode == System.Net.HttpStatusCode.BadRequest)
{
var message = await response.Content.ReadAsStringAsync();
throw new ArgumentException(String.Format("Something went wrong: '{0}'", message));
}
var responseJson = await response.Content.ReadAsStringAsync();
var incident = JsonSerializer.Deserialize <SentinelIncident>(responseJson, GetJsonSerializerOptions());
return(incident);
}
/// <summary>
/// Get incidents from an Azure Sentinel Workspace
/// </summary>
/// <param name="status">The status of the incident</param>
/// <param name="limit">The amount of incidents to get</param>
/// <param name="Workspace">The workspace in which the incidents reside</param>
/// <returns></returns>
public async Task <List <SentinelIncident> > GetIncidentsAsync(IncidentStatus status, int limit, AzureSentinelWorkspace Workspace)
{
var httpClient = await GetAuthenticatedHttpClientAsync(Workspace.AppRegistration.DirectoryId, Workspace.AppRegistration.ClientId, Workspace.AppRegistration.AppSecret);
string url = String.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/status eq '{3}'&$top={4}&$orderby=properties/createdTimeUtc desc",
Workspace.SubscriptionId,
Workspace.ResourceGroup,
Workspace.WorkspaceName,
status.ToString(),
limit);
var response = await httpClient.GetAsync(url);
if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
{
throw new ArgumentException(String.Format("Getting incidents from workspace {0} resulted in: 403 - Forbidden", Workspace.WorkspaceName));
}
if (response.StatusCode == System.Net.HttpStatusCode.BadRequest)
{
var message = await response.Content.ReadAsStringAsync();
throw new ArgumentException(String.Format("Something went wrong: '{0}'", message));
}
var responseJson = await response.Content.ReadAsStringAsync();
var incidentsResult = JsonSerializer.Deserialize <SentinelList>(responseJson, GetJsonSerializerOptions());
return(incidentsResult.Value);
}
/// <summary>
/// Update an incident in a Azure Sentinel Workspace
/// </summary>
/// <param name="Incident">The incident</param>
/// <param name="IncidentId">The id of the incident</param>
/// <param name="Workspace">The workspace in which the incident resides</param>
/// <returns></returns>
public async Task UpdateIncidentAsync(SentinelIncident Incident, string IncidentId, AzureSentinelWorkspace Workspace)
{
var httpClient = await GetAuthenticatedHttpClientAsync(Workspace.AppRegistration.DirectoryId, Workspace.AppRegistration.ClientId, Workspace.AppRegistration.AppSecret);
string url = String.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/incidents/{3}?api-version=2020-01-01",
Workspace.SubscriptionId,
Workspace.ResourceGroup,
Workspace.WorkspaceName,
IncidentId);
var json = JsonSerializer.Serialize <SentinelIncident>(Incident, GetJsonSerializerOptions());
var content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
var response = await httpClient.PutAsync(url, content);
var message = await response.Content.ReadAsStringAsync();
if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
{
throw new ArgumentException(String.Format("Updating incident {0} resulted in: 403 - Forbidden", IncidentId));
}
if (response.StatusCode == System.Net.HttpStatusCode.BadRequest)
{
throw new ArgumentException(String.Format("Something went wrong: '{0}'", message));
}
}
