Пример #1
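        /// <summary>
        /// Entry point: authenticates to Log Analytics with a service principal, runs a fixed Kusto
        /// query against one workspace and hands the returned rows to <c>ProcessQueryResults</c>.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        /// <remarks>
        /// The client secret is read from the environment instead of being embedded in source, so
        /// the credential does not end up in version control or in shared snippets. The process
        /// exits with status 1 when the secret is missing or when authentication/query fails.
        /// </remarks>
        static async Task Main(string[] args)
        {
            // Non-secret identifiers: application (client) id, tenant and target workspace.
            var clientId    = "c0b75ac5-9bae-44d5-a118-eea0ae39adfd";
            var domain      = "wolterskluwer.onmicrosoft.com";
            var workspaceId = "e4505189-dcc5-4d5d-9b36-b88a88afbdf3";

            var authEndpoint  = "https://login.microsoftonline.com";
            var tokenAudience = "https://api.loganalytics.io/";

            // The secret comes from the environment (variable name chosen here; set it in the
            // deployment). A secret pasted into source has to be treated as compromised and rotated.
            var clientSecret = Environment.GetEnvironmentVariable("LOG_ANALYTICS_CLIENT_SECRET");
            if (string.IsNullOrWhiteSpace(clientSecret))
            {
                Console.Error.WriteLine("LOG_ANALYTICS_CLIENT_SECRET is not set; cannot authenticate.");
                Environment.Exit(1);
            }

            var serviceClientCredentials = GetServiceClientCredentials(clientId, clientSecret, domain, authEndpoint, tokenAudience);
            var client = new OperationalInsightsDataClient(serviceClientCredentials)
            {
                WorkspaceId = workspaceId
            };

            // Fixed query: ETW events carrying a MultiFieldSearch QueryString, first 10 rows.
            var query = "search *\r\n| where Type == \"ETWEvent\" and Message contains \"MultiFieldSearch\" and TaskName == \"Message\" and Message contains \"QueryString\"\r\n| project TimeGenerated, SearchTerms=extract(\"\\\"QueryString\\\":\\\"([^\\\"]*?)\\\"\", 1, Message)\r\n| take 10";

            try
            {
                // Run the query and hand the rows to the sibling processor.
                var results = await client.QueryAsync(query);
                await ProcessQueryResults(results.Results);
            }
            catch (Exception e)
            {
                // Any failure (auth, transport, query) is fatal for this tool: report and exit non-zero.
                Console.WriteLine(e);
                Environment.Exit(1);
            }
        }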
Пример #2
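        /// <summary>
        /// Authenticates with the given service principal and runs a Kusto query that joins
        /// AccessDenied events from the last 24 hours with the documents seen in the last 90 days.
        /// </summary>
        /// <param name="domain">Azure AD tenant used for the token request.</param>
        /// <param name="clientId">Application (client) id of the service principal.</param>
        /// <param name="clientSecret">Client secret of the service principal; pass it in from a secret store, never a literal.</param>
        /// <param name="workspaceId">Log Analytics workspace the query runs against.</param>
        /// <returns>The first table of the query result.</returns>
        /// <exception cref="ArgumentException">Any argument is null or whitespace.</exception>
        /// <exception cref="InvalidOperationException">The query returned no tables.</exception>
        public async Task <Table> RunLAQuery(string domain, string clientId, string clientSecret, string workspaceId)
        {
            if (string.IsNullOrWhiteSpace(domain))       throw new ArgumentException("Value is required.", nameof(domain));
            if (string.IsNullOrWhiteSpace(clientId))     throw new ArgumentException("Value is required.", nameof(clientId));
            if (string.IsNullOrWhiteSpace(clientSecret)) throw new ArgumentException("Value is required.", nameof(clientSecret));
            if (string.IsNullOrWhiteSpace(workspaceId))  throw new ArgumentException("Value is required.", nameof(workspaceId));

            var authEndpoint  = "https://login.microsoftonline.com";
            var tokenAudience = "https://api.loganalytics.io/";

            var adSettings = new ActiveDirectoryServiceSettings
            {
                AuthenticationEndpoint = new Uri(authEndpoint),
                TokenAudience          = new Uri(tokenAudience),
                ValidateAuthority      = true   // reject tokens from an authority other than the configured endpoint
            };

            // Await the token acquisition instead of blocking on GetAwaiter().GetResult(): blocking
            // inside an async method can deadlock on a synchronization context and pins a thread
            // for the whole network round-trip.
            var creds    = await ApplicationTokenProvider.LoginSilentAsync(domain, clientId, clientSecret, adSettings);
            var LAclient = new OperationalInsightsDataClient(creds)
            {
                WorkspaceId = workspaceId
            };

            // Log Analytics Kusto query - look for user data in the past 24 hours
            string query = @"
                let lookback = timespan(24h);
                let doclookup = InformationProtectionLogs_CL
                | where ContentId_g != '' and ObjectId_s != ''
                    and TimeGenerated >= ago(90d) 
                | distinct ContentId_g, ObjectId_s;
                let accesslookup = InformationProtectionLogs_CL
                | where TimeGenerated >= ago(lookback)  
                | where Activity_s  == 'AccessDenied'
                | extend AccessCount = 1;
                    accesslookup
                | join kind = inner(
                    doclookup
                ) on $left.ContentId_g == $right.ContentId_g
                | extend FileName = extract('((([^\\/\\\\]*\\.[a-z]{1,4}$))|([[^\\/\\\\]*$))', 1, ObjectId_s1)
                | summarize AccessCount = sum(AccessCount) by ContentId_g, FileName, LabelName_s, UserId_s, ProtectionOwner_s, 
                    TimeGenerated, ProtectionTime_t, IPv4_s, Activity_s, Operation_s";

            var outputTable = await LAclient.QueryAsync(query.Trim());

            // Indexing Tables[0] on an empty result would throw an unhelpful ArgumentOutOfRangeException.
            if (outputTable.Tables == null || outputTable.Tables.Count == 0)
            {
                throw new InvalidOperationException("Log Analytics query returned no tables.");
            }

            return outputTable.Tables[0];
        }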
Пример #3
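        /// <summary>
        /// Runs a Kusto query returning the caller's Information Protection activity from the last
        /// 20 days. Tenant, client id, client secret and workspace id come from fields defined
        /// elsewhere in the enclosing type.
        /// </summary>
        /// <param name="username">
        /// Email/UPN substituted into the query's <c>UserId_s</c> and <c>ProtectionOwner_s</c> filters.
        /// Only letters, digits and <c>@ . _ - +</c> are accepted.
        /// </param>
        /// <returns>The full query result.</returns>
        /// <exception cref="ArgumentException">
        /// <paramref name="username"/> is null/whitespace or contains characters that could break
        /// out of the query's string literal.
        /// </exception>
        public static async Task <QueryResults> RunLAQuery(string username)
        {
            if (string.IsNullOrWhiteSpace(username))
            {
                throw new ArgumentException("A username is required.", nameof(username));
            }

            // The value is spliced into a single-quoted Kusto literal below, so a quote or line
            // break in it would change the query's shape (query injection). Allow only characters
            // that cannot terminate the literal; this covers ordinary UPNs/emails.
            foreach (var c in username)
            {
                if (!(char.IsLetterOrDigit(c) || "@._-+".IndexOf(c) >= 0))
                {
                    throw new ArgumentException("Username contains characters that are not allowed in the query.", nameof(username));
                }
            }

            var authEndpoint  = "https://login.microsoftonline.com";
            var tokenAudience = "https://api.loganalytics.io/";

            var adSettings = new ActiveDirectoryServiceSettings
            {
                AuthenticationEndpoint = new Uri(authEndpoint),
                TokenAudience          = new Uri(tokenAudience),
                ValidateAuthority      = true   // reject tokens from an authority other than the configured endpoint
            };

            // Await the token acquisition instead of blocking on GetAwaiter().GetResult(): blocking
            // inside an async method can deadlock on a synchronization context and pins a thread
            // for the whole network round-trip.
            var creds    = await ApplicationTokenProvider.LoginSilentAsync(domain, clientId, clientSecret, adSettings);
            var LAclient = new OperationalInsightsDataClient(creds)
            {
                WorkspaceId = workspaceId
            };

            // Log Analytics Kusto query - look for user data in the past 20 days
            string query = @"
                InformationProtectionLogs_CL
                | where TimeGenerated >= ago(20d)
                | where UserId_s == '*****@*****.**'
                | where ProtectionOwner_s == '*****@*****.**'
                | where ObjectId_s != 'document1'
                | where MachineName_s != '' 
                | extend FileName = extract('((([a-zA-Z0-9\\s_:]*\\.[a-z]{1,4}$))|([a-zA-Z0-9\\s_:]*$))', 1, ObjectId_s)
                | distinct FileName, Activity_s, LabelName_s, TimeGenerated, Protected_b, MachineName_s
                | sort by TimeGenerated desc nulls last";

            // Substitute the (validated) caller's email for both placeholder occurrences.
            string query1 = query.Replace("*****@*****.**", username);

            var outputTable = await LAclient.QueryAsync(query1.Trim());

            return outputTable;
        }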