public async Task <string> CreateTI(TiIndicator tiIndicator, string token)
{
//var token = await GetToken();
string url = string.Format("https://graph.microsoft.com/beta/security/tiIndicators");
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, url);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
var stringTIIndicator = JsonConvert.SerializeObject(tiIndicator);
request.Content = new StringContent(stringTIIndicator, Encoding.UTF8, "application/json");
HttpClient http = new HttpClient();
var response = await http.SendAsync(request);
if (!response.IsSuccessStatusCode)
{
string error = await response.Content.ReadAsStringAsync();
object formatted = JsonConvert.DeserializeObject(error);
return(JsonConvert.SerializeObject(formatted, Formatting.Indented));
}
string json = await response.Content.ReadAsStringAsync();
return(json);
}
public static async System.Threading.Tasks.Task RunAsync([TimerTrigger("0 */2 * * * *")] TimerInfo myTimer, ILogger log)
{
log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}");
// Step 1: Get Graph Token
var token = await GetToken();
//log.LogInformation($"MY TOKEN: {token.AccessToken}");
// Step 2: Get AIP Access Denied Activity
var accessDeniedActivity = new GetFilesActivity();
Table activityResults = await accessDeniedActivity.RunLAQuery(domain, clientId, clientSecret, workspaceId);
var jsonObj = JsonConvert.SerializeObject(activityResults);
var AIPQueryResults = JsonConvert.DeserializeObject <AIPFile.Table>(jsonObj);
// Iterate through each row and email each user
for (int i = 0; i < activityResults.Rows.Count; i++)
{
accessActivity = new AIPFile.Result
{
ContentId_g = activityResults.Rows[i][0],
FileName = activityResults.Rows[i][1],
LabelName_s = activityResults.Rows[i][2],
UserId_s = activityResults.Rows[i][3],
ProtectionOwner_s = activityResults.Rows[i][4],
TimeGenerated = activityResults.Rows[i][5],
ProtectionTime_t = activityResults.Rows[i][6],
IPv4_s = activityResults.Rows[i][7],
Activity_s = activityResults.Rows[i][8],
Operation_s = activityResults.Rows[i][9],
AccessCount = activityResults.Rows[i][10]
};
// Create New Email Message using Graph
var NewMessage = new Message
{
Subject = "AIP File Access Denied Alert",
Body = new ItemBody
{
ContentType = BodyType.Html,
Content = "<H2>A user was denied access to sensitive file you protected.</H2>" +
"<table>" +
"<tr>" +
"<td>" +
"User Name: " + "<b>" + accessActivity.UserId_s + "<b/>" +
"</td>" +
"<tr/>" +
"<tr>" +
"<td>" +
"File Name: " + "<b>" + accessActivity.FileName + "<b/>" +
"</td>" +
"<tr/>" +
"<tr>" +
"<td>" +
"Label Name: " + "<b>" + accessActivity.LabelName_s + "<b/>" +
"</td>" +
"<tr/>" +
"<tr>" +
"<td>" +
"Access Denied Date: " + "<b>" + DateTime.SpecifyKind(DateTime.Parse(accessActivity.TimeGenerated), DateTimeKind.Utc) + "<b/>" +
"</td>" +
"<tr/>" +
"<tr>" +
"<td>" +
"Protection Date: " + "<b>" + DateTime.SpecifyKind(DateTime.Parse(accessActivity.ProtectionTime_t), DateTimeKind.Utc) + "<b/>" +
"</td>" +
"<tr/>" +
"<tr>" +
"<td>" +
"Number of Attempts: " + "<b>" + accessActivity.AccessCount + "<b/>" +
"</td>" +
"<tr/>" +
"</table>"
},
ToRecipients = new List <Recipient>()
{
new Recipient
{
EmailAddress = new EmailAddress
{
Address = accessActivity.ProtectionOwner_s
}
}
},
};
var AlertAIPUser = new SendEmailController();
var myAlertResult = await AlertAIPUser.SendAIPEmailAlert(NewMessage, SenderEmail, token.AccessToken);
////// ************** Send securityAction to Microsoft Security Graph API *************
List <String> AIPEvent = new List <string>();
AIPEvent.Add(accessActivity.ContentId_g);
AIPEvent.Add(accessActivity.FileName);
AIPEvent.Add(accessActivity.LabelName_s);
AIPEvent.Add(accessActivity.UserId_s);
AIPEvent.Add(accessActivity.ProtectionOwner_s);
AIPEvent.Add(accessActivity.TimeGenerated);
AIPEvent.Add(accessActivity.ProtectionTime_t);
AIPEvent.Add(accessActivity.IPv4_s);
AIPEvent.Add(accessActivity.Activity_s);
AIPEvent.Add(accessActivity.AccessCount);
// BUILD NEW TI FOR AZURE SENTINEL
var newTIIndicator = new TiIndicator
{
Action = TiAction.Alert,
Confidence = 0,
Description = "AIP Access Denied Alert.",
ExpirationDateTime = DateTimeOffset.UtcNow.AddDays(7),
FileName = accessActivity.FileName,
NetworkIPv4 = accessActivity.IPv4_s,
ExternalId = accessActivity.ContentId_g,
Severity = 2,
Tags = AIPEvent,
TargetProduct = "Azure Sentinel",
ThreatType = "WatchList",
TlpLevel = TlpLevel.Green
};
// Send TI to Azure Sentinel via Microsoft Inelligent Security Graph
try
{
var AzSentinelTI = new TIIndicatorsController();
string MyTI = await AzSentinelTI.CreateTI(newTIIndicator, token.AccessToken);
log.LogInformation($"TI RESULTS: {MyTI}");
}
catch (Exception e)
{
log.LogInformation($"AIP TiIndicator ERROR: {e}");
}
}
}
