/// <summary>
/// Builds the LocalUsers snapshot event.
/// Two WMI queries are issued — one for local user accounts (Win32_UserAccount) and one for
/// local groups (Win32_Group), each projecting Name and Sid — and every user row is turned into a
/// LocalUsersPayload by GetUserPayload, which is handed the complete group result set.
/// (GetUserPayload is defined elsewhere; presumably it resolves the user's group membership from
/// those rows — confirm against its implementation.)
/// </summary>
/// <returns>A list holding exactly one LocalUsers event that carries all user payloads.</returns>
protected override List<IEvent> GetEventsImpl()
{
    // Both queries are fixed literals with no interpolated values, so no external input reaches WQL here.
    const string usersQuery = "SELECT Name,Sid FROM Win32_UserAccount Where LocalAccount = True";
    const string groupsQuery = "SELECT Name,Sid FROM Win32_Group Where LocalAccount = True";

    var userRows = _wmiUtils.RunWmiQuery(usersQuery, NameKey, SidKey);
    var groupRows = _wmiUtils.RunWmiQuery(groupsQuery, NameKey, SidKey);

    // One payload per user row; the group rows are passed through unchanged to every call.
    var payloads = new List<LocalUsersPayload>();
    foreach (var userRow in userRows)
    {
        payloads.Add(GetUserPayload(userRow, groupRows));
    }

    // The snapshot is a single event; the payload array is the whole user list.
    var snapshot = new LocalUsers(priority: Priority, payloads: payloads.ToArray());
    return new List<IEvent> { snapshot };
}
/// <inheritdoc />
/// <remarks>
/// For every configured ETW event code a WQL query is run against the Security log of
/// Win32_NTLogEvent, restricted to records whose TimeGenerated is greater than the value
/// remembered from the previous run for that code. The remembered value is then advanced to the
/// TimeGenerated of the first returned row, and each row is converted with the converter
/// registered for that code in EtwToIotEventConverters.
/// The only values interpolated into the query are the integer cast of the enum member and the
/// previously stored timestamp, so no externally supplied text is spliced into WQL; the initial
/// contents of _lastRetrievedEventTimeStamps are set outside this method.
/// NOTE(review): the high-water mark is taken from First() without any ordering in the query —
/// this relies on WMI returning the newest record first; if that does not hold, records can be
/// re-emitted on the next poll. Confirm the ordering guarantee of RunWmiQuery.
/// </remarks>
public override IEnumerable<IEvent> GetEvents()
{
    var collected = new List<IEvent>();

    foreach (ETWEventType eventType in ETWEvents)
    {
        // Read the cursor before querying; the query only returns records newer than it.
        var lastSeen = _lastRetrievedEventTimeStamps[eventType];
        string query =
            $"SELECT Message,TimeGenerated FROM Win32_NTLogEvent Where Logfile = 'Security' AND Eventcode = '{(int)eventType}' AND {TimeGeneratedFieldName} > '{lastSeen}'";

        var rows = _wmiUtils.RunWmiQuery(query, TimeGeneratedFieldName, MessageFieldName);

        // Advance the per-code cursor only when something came back.
        if (rows.Any())
        {
            _lastRetrievedEventTimeStamps[eventType] = rows.First()[TimeGeneratedFieldName];
        }

        // The converter lookup stays inside the loop so an empty result never touches the map.
        foreach (var row in rows)
        {
            collected.Add(EtwToIotEventConverters[eventType](row));
        }
    }

    return collected;
}