/// <summary>
/// Get information about alert statistics
/// </summary>
/// <returns>Statistics Data</returns>
public async Task <AlertStatisticModel> GetStatisticAsync(int topAlertAmount)
{
// Select all unresolved alerts
var filter = new AlertFilterModel {
Top = topAlertAmount
};
filter.Add(
"Status",
new List <AlertFilterProperty>()
{
{
new AlertFilterProperty(new AlertFilterPropertyDescription("Status", AlertFilterOperator.NotEquals), "resolved")
}
});
var unresolvedAlerts = await this.GetAlerts(filter);
//// Select all secure scores
string accessToken = await SampleAuthProvider.Instance.GetUserAccessTokenAsync();
var secureScores = await this.GetSecureScore(accessToken, "?$top=100");
var latestSecureScore = secureScores.OrderByDescending(rec => rec.CreatedDateTime).FirstOrDefault();
var secureScoreModel = latestSecureScore != null
? new SecureScoreStatisticModel {
Current = latestSecureScore.CurrentScore ?? 0, Max = latestSecureScore.MaxScore ?? 0
}
: null;
var activeAlerts = new Dictionary <string, int>();
var usersAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var hostsAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var providersAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var ipAlerts = new StatisticCollectionModel <SeveritySortOrder>();
if (unresolvedAlerts != null && unresolvedAlerts.Item1 != null)
{
foreach (var alert in unresolvedAlerts.Item1)
{
// Calculate active alerts
if (!activeAlerts.ContainsKey(alert.Severity.ToString()))
{
activeAlerts.Add(alert.Severity.ToString(), 1);
}
else
{
++activeAlerts[alert.Severity.ToString()];
}
// Calculate users with the most alerts
var userPrincipalName = alert.UserStates?.FirstOrDefault()?.UserPrincipalName;
if (!string.IsNullOrWhiteSpace(userPrincipalName))
{
usersAlerts.Add(userPrincipalName, alert.Severity.ToString());
}
// Calculate destination ip address with the most alerts
var ipAddress = alert.NetworkConnections?.FirstOrDefault()?.DestinationAddress;
if (!string.IsNullOrWhiteSpace(ipAddress))
{
ipAlerts.Add(ipAddress, alert.Severity.ToString());
}
// Calculate hosts with the most alerts
var hostName = alert.HostStates?.FirstOrDefault()?.Fqdn;
if (!string.IsNullOrWhiteSpace(hostName))
{
hostsAlerts.Add(hostName, alert.Severity.ToString());
}
// Calculate providers with the most alerts
var provider = alert.VendorInformation.Provider;
if (!string.IsNullOrWhiteSpace(provider))
{
providersAlerts.Add(provider, alert.Severity.ToString());
}
}
}
// Get top of the sorted users with the most alerts
var sortedTopUserAlertsWithPrincipalNames = usersAlerts.GetSortedTopValues(4);
var sortedTopUserAlert = new Dictionary <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >();
// Get additional information about each user from top list
var users = await this.GetUserDisplayNames(sortedTopUserAlertsWithPrincipalNames.Select(rec => rec.Key));
//// Replaced UserPrincipalName to DisplayName if it is possible
if (users != null)
{
foreach (var rec in sortedTopUserAlertsWithPrincipalNames)
{
var newKey = users.ContainsKey(rec.Key) && !users[rec.Key].Equals(rec.Key, StringComparison.CurrentCultureIgnoreCase) ? users[rec.Key] : rec.Key;
sortedTopUserAlert.Add(new KeyValuePair <string, string>(newKey, rec.Key), rec.Value);
}
}
return(new AlertStatisticModel
{
ActiveAlerts = activeAlerts,
SecureScore = secureScoreModel,
UsersWithTheMostAlerts = sortedTopUserAlert,
HostsWithTheMostAlerts = hostsAlerts.GetSortedTopValues(4)
.Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key.Split('.').FirstOrDefault() ?? rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
ProvidersWithTheMostAlerts = providersAlerts.GetSortedTopValues(4).Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
IPWithTheMostAlerts = ipAlerts.GetSortedTopValues(4)
.Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key.Split('.').FirstOrDefault() ?? rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
});
}
/// <summary>
/// Get information about alert statistics
/// </summary>
/// <returns>Statistics Data</returns>
public async Task <AlertStatisticModel> GetStatisticAsync(int topAlertAmount)
{
try
{
var startDateTime = DateTime.Now;
// Select all unresolved alerts
var allAlertsFilter = new AlertFilterModel {
Top = topAlertAmount
};
var allAlerts = await GetAlertsAsync(allAlertsFilter);
var unresolvedAlerts = allAlerts?.Item1?.Where(alert => alert.Status != AlertStatus.Resolved);
var newAlerts = allAlerts?.Item1?.Where(alert => alert.Status == AlertStatus.NewAlert);
var inProgressAlerts = allAlerts?.Item1?.Where(alert => alert.Status == AlertStatus.InProgress);
var resolvedAlerts = allAlerts?.Item1?.Where(alert => alert.Status == AlertStatus.Resolved);
//// Get top secure score
var secureScores = await GetSecureScoresAsync($"?$top={topAlertAmount}");
var latestSecureScore = secureScores.OrderByDescending(rec => rec.CreatedDateTime).FirstOrDefault();
Dictionary <string, int> res = new Dictionary <string, int>();
foreach (var comparativeScore in latestSecureScore?.AverageComparativeScores)
{
res.Add(comparativeScore.Basis, (int)comparativeScore.AverageScore);
}
var secureScoreModel = latestSecureScore != null
? new SecureScoreStatisticModel
{
Current = latestSecureScore.CurrentScore ?? 0,
Max = latestSecureScore.MaxScore ?? 0,
ComparativeScores = res,
}
: null;
var activeAlerts = new Dictionary <string, int>();
var newAlertsD = new Dictionary <string, int>();
var inProgressAlertsD = new Dictionary <string, int>();
var resolcedAlertsD = new Dictionary <string, int>();
var usersAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var hostsAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var providersAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var ipAlerts = new StatisticCollectionModel <SeveritySortOrder>();
var domainAlerts = new StatisticCollectionModel <SeveritySortOrder>();
if (unresolvedAlerts != null)
{
foreach (var alert in unresolvedAlerts)
{
// Calculate users with the most alerts
var userPrincipalName = alert.UserStates?.FirstOrDefault()?.UserPrincipalName;
if (!string.IsNullOrWhiteSpace(userPrincipalName))
{
usersAlerts.Add(userPrincipalName, alert.Severity.ToString());
}
// Calculate destination ip address with the most alerts
var ipAddress = alert.NetworkConnections?.FirstOrDefault()?.DestinationAddress;
if (!string.IsNullOrWhiteSpace(ipAddress))
{
ipAlerts.Add(ipAddress, alert.Severity.ToString());
}
// Calculate hosts with the most alerts
var hostName = alert.HostStates?.FirstOrDefault()?.Fqdn;
if (!string.IsNullOrWhiteSpace(hostName))
{
hostsAlerts.Add(hostName, alert.Severity.ToString());
}
// Calculate providers with the most alerts
var provider = alert.VendorInformation.Provider;
if (!string.IsNullOrWhiteSpace(provider))
{
providersAlerts.Add(provider, alert.Severity.ToString());
}
// Calculate domain with the most alerts
var domainName = alert.NetworkConnections?.FirstOrDefault()?.DestinationDomain;
if (!string.IsNullOrWhiteSpace(domainName))
{
domainAlerts.Add(domainName, alert.Severity.ToString());
}
}
}
if (newAlerts != null)
{
foreach (var alert in newAlerts)
{
// Calculate active alerts
if (!newAlertsD.ContainsKey(alert.Severity.ToString()))
{
newAlertsD.Add(alert.Severity.ToString(), 1);
}
else
{
++newAlertsD[alert.Severity.ToString()];
}
}
}
if (inProgressAlerts != null)
{
foreach (var alert in inProgressAlerts)
{
// Calculate active alerts
if (!inProgressAlertsD.ContainsKey(alert.Severity.ToString()))
{
inProgressAlertsD.Add(alert.Severity.ToString(), 1);
}
else
{
++inProgressAlertsD[alert.Severity.ToString()];
}
}
}
if (resolvedAlerts != null)
{
foreach (var alert in resolvedAlerts)
{
// Calculate active alerts
if (!resolcedAlertsD.ContainsKey(alert.Severity.ToString()))
{
resolcedAlertsD.Add(alert.Severity.ToString(), 1);
}
else
{
++resolcedAlertsD[alert.Severity.ToString()];
}
}
}
// Get top of the sorted users with the most alerts
var sortedTopUserAlertsWithPrincipalNames = usersAlerts.GetSortedTopValues(4);
var sortedTopUserAlert = new Dictionary <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >();
var usersList = sortedTopUserAlertsWithPrincipalNames.Select(rec => rec.Key);
// Get additional information about each user from top list
var users = await GetUserDisplayNamesAsync(usersList);
//// Replaced UserPrincipalName to DisplayName if it is possible
if (users != null)
{
foreach (var rec in sortedTopUserAlertsWithPrincipalNames)
{
var newKey = users.ContainsKey(rec.Key) && !users[rec.Key].Equals(rec.Key, StringComparison.CurrentCultureIgnoreCase) ? users[rec.Key] : rec.Key;
sortedTopUserAlert.Add(new KeyValuePair <string, string>(newKey, rec.Key), rec.Value);
}
}
Debug.WriteLine($"GraphService/GetStatisticAsync topAlertAmount: {topAlertAmount}, execution time: {DateTime.Now - startDateTime}");
return(new AlertStatisticModel
{
NewAlerts = newAlertsD,
InProgressAlerts = inProgressAlertsD,
ResolvedAlerts = resolcedAlertsD,
SecureScore = secureScoreModel,
UsersWithTheMostAlerts = sortedTopUserAlert,
HostsWithTheMostAlerts = hostsAlerts.GetSortedTopValues(4)
.Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key.Split('.').FirstOrDefault() ?? rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
ProvidersWithTheMostAlerts = providersAlerts.GetSortedTopValues(topAlertAmount).Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
IPWithTheMostAlerts = ipAlerts.GetSortedTopValues(4)
.Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key.Split('.').FirstOrDefault() ?? rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
DomainsWithTheMostAlerts = domainAlerts.GetSortedTopValues(4)
.Select(rec => new KeyValuePair <KeyValuePair <string, string>, Dictionary <SeveritySortOrder, int> >(
new KeyValuePair <string, string>(
rec.Key.Split('.').FirstOrDefault() ?? rec.Key,
rec.Key),
rec.Value)).ToDictionary(rec => rec.Key, rec => rec.Value),
});
}
catch (Exception exception)
{
Trace.WriteLine(exception.Message);
return(null);
}
}
