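/// <summary>
/// Type initialiser: loads the JSON configuration named by the "SentinelApiConfig" app
/// setting from the execution directory, turns on the KeyVault client, builds the syslog,
/// blob and Security event-log processors, locates the client certificate in the local
/// machine "MY" store and fetches the workspace key from KeyVault.
/// </summary>
/// <exception cref="InvalidOperationException">
/// Thrown when the "SentinelApiConfig" app setting is missing or blank (surfaces to callers
/// wrapped in a <see cref="TypeInitializationException"/>).
/// </exception>
static SentinelWorkspaceLogHub()
{
    string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
    if (string.IsNullOrWhiteSpace(configurationFile))
    {
        // Fail with a clear message instead of letting Path.Combine/File.ReadAllText
        // report a confusing error about the execution directory itself.
        throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty.");
    }

    GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
    string configPath = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
    string textOfJsonConfig = File.ReadAllText(configPath);
    SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);

    // Turn on the KeyVault for use; the secrets pulled below go through it.
    KeyVault = new KeyVault(SentinelApiConfig);

    // Create the processor.
    syslogToSentinelProcessor = new SyslogToSentinelProcessor(SentinelApiConfig);

    // Create the storage container connection.
    syslogToAzureBlob = new SyslogToAzureBlob(
        SentinelApiConfig,
        GetKeyVaultSecret(SentinelApiConfig.SyslogToAzureBlobStorageSecret));

    eventLogProcessor = new EventLogProcessor("Security", NewEventRecord, readEventLogFileFromBeginning);

    // The authentication certificate is taken from the LocalMachine "MY" store by thumbprint.
    using (var certificateManagement = new CertificateManagement())
    {
        AuthX509Certificate2 = certificateManagement.FindCertificateByThumbprint(
            "MY", SentinelApiConfig.CertificateThumbprint, StoreLocation.LocalMachine);
    }

    // KeyVault secret names are derived from the workspace id. Lower-case with the invariant
    // culture so the derived name does not change with the host's locale.
    string workspaceId = SentinelApiConfig.WorkspaceId.ToLowerInvariant();

    // The "-wsid" secret is fetched but its value is not consumed here: the certificate in use
    // is the one found in the local store above. The call is kept so a missing secret still
    // surfaces at start-up rather than later.
    string sentinalAuthCertEncoded = GetKeyVaultSecret($"{workspaceId}-wsid");

    // Get the current WorkspaceKey from KeyVault.
    sentinalAuthWorkspaceKey = GetKeyVaultSecret($"{workspaceId}-wskey");
}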
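/// <summary>
/// Uploads a bounded set of pending CEF files ("CefToSentinel*.json" in the configured upload
/// folder) to Sentinel, oldest last-access time first, and deletes each file after its upload
/// call returns.
/// </summary>
/// <remarks>
/// The body contains no awaits (the file reads and the upload helper are synchronous), so the
/// returned <see cref="Task"/> is already complete when handed back; the signature is kept
/// async for compatibility with existing callers.
/// </remarks>
public static async Task CefFilesToSentinelProcessor()
{
    // Bound on files handled per call so a single iteration never loads the whole backlog;
    // the remainder is picked up on a later call.
    const int MaxFilesPerIteration = 25;

    GlobalLog.WriteToStringBuilderLog("Attempting to load CEF Files ", 14001);

    var directoryInfo = new DirectoryInfo(SentinelApiConfig.EnabledSentinelUploads.CefFileFolderToUpload);

    // Materialise the list before the loop: the loop deletes files from the directory being
    // enumerated, and a lazy enumeration would otherwise run concurrently with those deletes.
    var orderedFileList = directoryInfo
        .EnumerateFiles("CefToSentinel*.json", SearchOption.TopDirectoryOnly)
        .OrderBy(d => d.LastAccessTime)
        .Select(d => d.FullName)
        .Take(MaxFilesPerIteration)
        .ToList();

    foreach (string file in orderedFileList)
    {
        string jsonFinalString = File.ReadAllText(file);
        UploadBatchWithSelfSignedJson(jsonFinalString, AuthX509Certificate2);
        SentinelWorkspacePoc.PrintCustomMessage($"Uploading [{file}] LogManagement.CommonSecurityLog messages to Sentinel.", ConsoleColor.Green);

        // Delete only after the upload helper returned; an exception above leaves the file in
        // place so it is retried on a later iteration.
        File.Delete(file);
    }
}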
/// <summary>
/// Creates a processor bound to <paramref name="sentinelApiConfig"/> and preloads the raw
/// CEF sample records from "SampleCefRecords.txt" in the execution directory.
/// </summary>
/// <param name="sentinelApiConfig">Configuration the processor operates against.</param>
public SyslogToSentinelProcessor(SentinelApiConfig sentinelApiConfig)
{
    InvalidState = false;
    SentinelApiConfig = sentinelApiConfig;

    GlobalLog.WriteToStringBuilderLog("Loading sample Syslog XML [SampleCefRecords.txt].", 14001);

    // One list entry per line of the sample file.
    string samplePath = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), "SampleCefRecords.txt");
    string[] sampleLines = File.ReadAllLines(samplePath);
    RawCefMessageList = new List<string>(sampleLines);
}
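/// <summary>
/// Serialises the current <see cref="SentinelApiConfig"/> as indented JSON and overwrites the
/// configuration file named by the "SentinelApiConfig" app setting in the execution directory.
/// </summary>
/// <exception cref="InvalidOperationException">
/// Thrown when the "SentinelApiConfig" app setting is missing or blank.
/// </exception>
public void SaveCurrentConfiguration()
{
    string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
    if (string.IsNullOrWhiteSpace(configurationFile))
    {
        // Without this guard a blank setting would make Path.Combine yield the execution
        // directory and the write would fail with an unrelated-looking error.
        throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty.");
    }

    GlobalLog.WriteToStringBuilderLog($"Saving configuration file [{configurationFile}].", 14001);

    // NOTE(review): every serialisable member of SentinelApiConfig lands on disk in clear
    // text here — confirm no secret values (as opposed to secret names) live on that object.
    string textOfSentinelApiConfig = JsonConvert.SerializeObject(SentinelApiConfig, Formatting.Indented);
    string configPath = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
    File.WriteAllText(configPath, textOfSentinelApiConfig);
}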
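/// <summary>
/// The constructor for the service: loads the JSON configuration named by the
/// "SentinelApiConfig" app setting from the execution directory, turns on the KeyVault
/// client, and sets up ODS authentication from either KeyVault or the local certificate
/// store depending on <c>UseKeyVaultForCertificates</c>.
/// </summary>
/// <exception cref="InvalidOperationException">
/// Thrown when the "SentinelApiConfig" app setting is missing or blank.
/// </exception>
public SentinelWorkspacePoc()
{
    string configurationFile = ConfigurationManager.AppSettings["SentinelApiConfig"];
    if (string.IsNullOrWhiteSpace(configurationFile))
    {
        // Fail with a clear message instead of letting Path.Combine/File.ReadAllText
        // report a confusing error about the execution directory itself.
        throw new InvalidOperationException("App setting 'SentinelApiConfig' is missing or empty.");
    }

    GlobalLog.WriteToStringBuilderLog($"Loading config [{configurationFile}].", 14001);
    string configPath = Path.Combine(SentinelWorkspacePoc.GetExecutionPath(), configurationFile);
    string textOfJsonConfig = File.ReadAllText(configPath);
    SentinelApiConfig = JsonConvert.DeserializeObject<SentinelApiConfig>(textOfJsonConfig);

    // Turn on the KeyVault for use.
    KeyVault = new KeyVault(SentinelApiConfig);

    // Use local certificate store, or KeyVault.
    if (SentinelApiConfig.UseKeyVaultForCertificates)
    {
        ManageOdsAuthenticationKeyVault();
    }
    else
    {
        ManageOdsAuthenticationCertStore();
    }
}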
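/// <summary>
/// Reads every record from the EVTX file at <paramref name="fileFullName"/>, converts the
/// records into a payload in parallel, splits the payload into batches of
/// <paramref name="batchCount"/> items and uploads the batches to Log Analytics in parallel.
/// Throughput for the conversion and upload phases is written to the console.
/// Any exception is logged under event 14008 and swallowed, so a failed file does not
/// propagate to the caller.
/// </summary>
/// <param name="fileFullName">Full path of the .evtx file to upload.</param>
/// <param name="creationMechanism">How each event's XML is produced when it is added to the payload.</param>
/// <param name="batchCount">Number of items per upload batch; defaults to 200.</param>
private static void UploadEntireFileInBatches(string fileFullName, XmlCreationMechanism creationMechanism, int batchCount = 200)
{
    // Upper bound on concurrent conversion workers and on concurrent upload workers.
    const int MaxParallelism = 8;

    // The Event.Ingest path is not wired up; every record goes through DataItems and the
    // MMA-API upload below.
    const bool useEventIngest = false;

    WindowsEventPayload payload = GetNewPayloadObject();

    // Set the ResourceId for upload.
    ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

    Stopwatch fileStopwatch = new Stopwatch();
    try
    {
        fileStopwatch.Start();
        var log = EvtxEnumerable.ReadEvtxFile(fileFullName);

        // NOTE(review): AddEvent is invoked from up to MaxParallelism threads at once; this
        // relies on WindowsEventPayload.AddEvent being safe for concurrent callers — confirm.
        Parallel.ForEach(log, new ParallelOptions { MaxDegreeOfParallelism = MaxParallelism }, eventRecord =>
        {
            payload.AddEvent(eventRecord, useEventIngest, creationMechanism);
        });
        fileStopwatch.Stop();

        Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
        Console.WriteLine($"\tEPS for Conversion: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");

        // Split into upload chunks and push them concurrently.
        var uploadBatches = payload.SplitListIntoChunks<string>(batchCount);
        fileStopwatch.Restart();
        Parallel.ForEach(uploadBatches, new ParallelOptions { MaxDegreeOfParallelism = MaxParallelism }, singleBatch =>
        {
            UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), AuthX509Certificate2);
        });
        fileStopwatch.Stop();

        Console.WriteLine($"\tEPS for Upload to MMA-API: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");
    }
    catch (Exception e)
    {
        // Best-effort: the failure is recorded and the method returns normally.
        GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
    }
}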