Merge pull request #36 from CrowdStrike/develop
Merge Develop to Master
mr-burnse authored Jun 5, 2017
2 parents a3ce1ee + 4dda5d6 commit d3cac2e
Showing 3 changed files with 111 additions and 18 deletions.
15 changes: 9 additions & 6 deletions FalconOrchestrator.Client/FalconOrchestratorService.cs
Expand Up @@ -71,9 +71,10 @@ public static void Invoke()
{
try
{
string randomized = Guid.NewGuid().ToString().Substring(0, 5);
AppConfiguration appConfig = new AppConfiguration(ConfigurationManager.AppSettings["CryptoKey"]);
Authentication config = new Authentication(
String.Concat(appConfig.FALCON_STREAM_URL, "?appId=falcon_orchestrator"),
String.Concat(appConfig.FALCON_STREAM_URL, "?appId=falcon_orchestrator_", randomized),
appConfig.FALCON_STREAM_UUID,
appConfig.FALCON_STREAM_KEY);

Expand All @@ -82,7 +83,7 @@ public static void Invoke()
}
catch (Exception e)
{
log.Fatal("An unhandled error occured",e);
log.Fatal("An unhandled error occured", e);
Environment.Exit(1);
}
}
Expand All @@ -109,23 +110,25 @@ private static void ProcessStream(Stream firehose)
continue;
}

//This should be removed afterwards
model.Save();
}

catch (System.Data.Entity.Validation.DbEntityValidationException)
catch (System.Data.Entity.Validation.DbEntityValidationException ex)
{
log.Fatal("Error saving detection event to database");
log.Fatal(JsonConvert.SerializeObject(data, Formatting.Indented));
log.Fatal("Error saving detection event to database: "+ ex.Message);
log.Fatal(JsonConvert.SerializeObject(line, Formatting.Indented));
Environment.Exit(1);
}


catch (NotSupportedException)
{
log.Warn("[" + data.Metadata.Offset + "]" + "Unhandled mapping for event type " + data.Metadata.EventType);
}
}
}
}
}
}
}
}
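Review bot: The new catch in ProcessStream (hunk at -109) writes the whole raw event with `log.Fatal(JsonConvert.SerializeObject(line, Formatting.Indented));` and then calls `Environment.Exit(1)`, so a single event that fails entity validation both dumps the complete record into the log file and stops the entire stream consumer. A validation failure is a per-record condition, so logging `Metadata.Offset` plus `ex.Message` and skipping the record (the `continue;` at the top of the hunk suggests this sits inside the read loop) would keep the service up and keep full event bodies out of the logs, which then need no special handling. The leftover `//This should be removed afterwards` above `model.Save();` should either be acted on or reworded to name what is meant to be removed, since as written it reads as if the save call itself is temporary. ProcessStream's body begins and ends outside the hunk.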
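--- a/FalconOrchestrator.Client/Models.cs
+++ b/FalconOrchestrator.Client/Models.cs
@@ -21,6 +21,10 @@
 using Newtonsoft.Json;
 using FalconOrchestrator.DAL;
 using log4net;
+using System.Data.Entity;
+using System.Data.Entity.Validation;
+using FalconOrchestrator.IOC;
+using FalconOrchestrator.LDAP;
 
 namespace FalconOrchestrator.Client
 {
@@ -77,6 +81,18 @@ public override void Save()
 db.SaveToDatabase(Metadata.CustomerIdString, Metadata.Offset);
 log.Debug("[" + Metadata.Offset + "] Detection event saved to database");
 }
+
+catch (System.Data.Entity.Validation.DbEntityValidationException ex)
+{
+var errorMessages = ex.EntityValidationErrors
+.SelectMany(x => x.ValidationErrors)
+.Select(x => x.ErrorMessage);
+
+var fullErrorMessage = string.Join("; ", errorMessages);
+var exceptionMessage = string.Concat(ex.Message, " The validation errors are: ", fullErrorMessage);
+throw new DbEntityValidationException(exceptionMessage, ex.EntityValidationErrors);
+}
+
 catch (Exception e)
 {
 log.Fatal("[" + Metadata.Offset + "] Error occured while trying to save detection event to database", e);
@@ -133,6 +149,18 @@ public override void Save()
 log.Debug("[" + Metadata.Offset + "] Authentication audit event saved to database");
 }
 }
+
+catch (System.Data.Entity.Validation.DbEntityValidationException ex)
+{
+var errorMessages = ex.EntityValidationErrors
+.SelectMany(x => x.ValidationErrors)
+.Select(x => x.ErrorMessage);
+
+var fullErrorMessage = string.Join("; ", errorMessages);
+var exceptionMessage = string.Concat(ex.Message, " The validation errors are: ", fullErrorMessage);
+throw new DbEntityValidationException(exceptionMessage, ex.EntityValidationErrors);
+}
+
 catch (Exception e)
 {
 log.Fatal("[" + Metadata.Offset + "] Error occured while trying to save authentication activity audit event to database", e);
@@ -187,6 +215,18 @@ public override void Save()
 log.Debug("[" + Metadata.Offset + "] User activity audit event saved to database");
 }
 }
+
+catch (System.Data.Entity.Validation.DbEntityValidationException ex)
+{
+var errorMessages = ex.EntityValidationErrors
+.SelectMany(x => x.ValidationErrors)
+.Select(x => x.ErrorMessage);
+
+var fullErrorMessage = string.Join("; ", errorMessages);
+var exceptionMessage = string.Concat(ex.Message, " The validation errors are: ", fullErrorMessage);
+throw new DbEntityValidationException(exceptionMessage, ex.EntityValidationErrors);
+}
+
 catch (Exception e)
 {
 log.Fatal("[" + Metadata.Offset + "] Error occured while trying to save user activity audit event to database", e);
@@ -295,6 +335,8 @@ class AccountModel
 
 class NetworkAccessesModel
 {
+protected readonly ILog log = LogManager.GetLogger(typeof(NetworkAccessesModel));
+
 [JsonProperty("AccessTimestamp")]
 public string Timestamp { get; set; }
 public int AccessType { get; set; }
@@ -309,14 +351,24 @@ public DateTime FormattedTimestamp
 {
 get
 {
-DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
-return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+try
+{
+DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
+return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+}
+catch (ArgumentOutOfRangeException)
+{
+log.Warn("Malformed network access timestamp, failing over to current time");
+return DateTime.UtcNow;
+}
 }
 }
 }
 
 class DnsRequestsModel
 {
+protected readonly ILog log = LogManager.GetLogger(typeof(DnsRequestsModel));
+
 [JsonProperty("LoadTime")]
 public string Timestamp { get; set; }
 public bool CausedDetect { get; set; }
@@ -327,38 +379,66 @@ public DateTime FormattedTimestamp
 {
 get
 {
-DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
-return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+try
+{
+DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
+return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+}
+catch (ArgumentOutOfRangeException)
+{
+log.Warn("Malformed DNS timestamp, failing over to current time");
+return DateTime.UtcNow;
+}
 }
 }
 }
 
 class DocumentsAccessedModel
 {
+protected readonly ILog log = LogManager.GetLogger(typeof(DocumentsAccessedModel));
+
 public string Timestamp { get; set; }
 public string FileName { get; set; }
 public string FilePath { get; set; }
 public DateTime FormattedTimestamp
 {
 get
 {
-DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
-return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+try
+{
+DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
+return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+}
+catch (ArgumentOutOfRangeException)
+{
+log.Warn("Malformed Document access timestamp, failing over to current time");
+return DateTime.UtcNow;
+}
 }
 }
 }
 
 class ExecutableWrittenModel
 {
+protected readonly ILog log = LogManager.GetLogger(typeof(ExecutableWrittenModel));
+
 public string Timestamp { get; set; }
 public string FileName { get; set; }
 public string FilePath { get; set; }
 public DateTime FormattedTimestamp
 {
 get
 {
-DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
-return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+try
+{
+DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
+return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+}
+catch (ArgumentOutOfRangeException)
+{
+log.Warn("Malformed executable written timestamp, failing over to current time");
+return DateTime.UtcNow;
+}
 }
 }
 }
@@ -372,6 +452,8 @@ class ScanResultsModel
 
 class AuditEvent
 {
+protected readonly ILog log = LogManager.GetLogger(typeof(AuditEvent));
+
 public string UserId { get; set; }
 public string UserIp { get; set; }
 public string OperationName { get; set; }
@@ -383,8 +465,16 @@ public DateTime FormattedTimestamp
 {
 get
 {
-DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
-return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+try
+{
+DateTime dateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc);
+return dateTime.AddSeconds(Convert.ToDouble(Timestamp)).ToUniversalTime();
+}
+catch (ArgumentOutOfRangeException)
+{
+log.Warn("Malformed audit event timestamp, failing over to current time");
+return DateTime.UtcNow;
+}
 }
 }
 public AuditKeyValues[] AuditKeyValues { get; set; }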
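Review bot: The new `catch (ArgumentOutOfRangeException)` in the FormattedTimestamp getters (hunks at -309, -327 and -383) only covers an out-of-range number of seconds; `Convert.ToDouble(Timestamp)` throws FormatException for a non-numeric string, so that kind of malformed value still escapes the getter despite the "Malformed ... timestamp" message. Catching FormatException as well — a second catch clause, or `catch (Exception ex) when (ex is FormatException || ex is ArgumentOutOfRangeException)` if the project compiles as C# 6 or later — would make the fallback cover what the log claims, and the fallback deserves a comment such as `// Substitutes ingestion time; the stored value is then not the original event time` because downstream consumers of these audit records will read the column as the event time. The rethrow in the three Save() catch blocks (hunk at -77 and the two that follow it) constructs a new DbEntityValidationException without passing `ex` as the inner exception, which drops the original stack; `throw new DbEntityValidationException(exceptionMessage, ex.EntityValidationErrors, ex);` keeps it. That catch block is copy-pasted three times and the try/catch getter five times, so one private static helper for each would remove the duplication. Each Save() body and each getter's class starts before its hunk.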
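--- a/FalconOrchestrator.Client/Rules.cs
+++ b/FalconOrchestrator.Client/Rules.cs
@@ -96,7 +96,7 @@ public override bool IsEnabled()
 
 public override void Execute()
 {
-if (model.Data.Severity >= Convert.ToInt32(config.RULE_NOTIFICATION_THRESHOLD))
+if (model.Data.Severity >= Convert.ToInt32(config.RULE_NOTIFICATION_THRESHOLD) && model.Data.StatusId != 7)
 {
 log.Debug("Notification rule is enabled and severity of " + model.Data.SeverityName + " is above threshold, attempting to send email");
 try
@@ -223,7 +223,7 @@ public override void Execute()
 }
 else
 {
-log.Debug("AD Lookup rule enabled, account " + model.Data.UserName + " does not exists in database, attemping LDAP query for metadata");
+log.Debug("AD Lookup rule enabled, account " + model.Data.UserName + " does not exist in LDAP database");
 LdapQuery();
 
 }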
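Review bot: The added `&& model.Data.StatusId != 7` in Execute (hunk at -96) compares against a bare magic number whose meaning a reader cannot recover from the code or the commit message. A named constant on the rule class, e.g. `private const int SuppressedStatusId = 7; // TODO: confirm which detection status this id denotes` (placeholder name, to be checked against the status definitions) used as `model.Data.StatusId != SuppressedStatusId`, would record the intent. The reworded message in the second hunk (-223) now says the account "does not exist in LDAP database" before `LdapQuery()` has run, while the else branch appears to be reached when the account is absent from the local database, so the new wording seems to name the wrong store. Both Execute bodies start outside their hunks.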
